From eugeniacandida at gmail.com Mon Oct 2 12:44:54 2006
From: eugeniacandida at gmail.com (Eugenia Candida Oliveira de Moura)
Date: Mon, 2 Oct 2006 10:44:54 -0200
Subject: [Fedora-directory-users] [HELP] Creating database link and root suffix
Message-ID: <4503404b0610020544s53d8d0f9jed4303c3a26df5ad@mail.gmail.com>

Hi,

How do I create a database link from the command line?

How do I create a root suffix from the command line?

Eugênia Moura.

From rmeggins at redhat.com Mon Oct 2 13:21:05 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 02 Oct 2006 07:21:05 -0600
Subject: [Fedora-directory-users] [HELP] Creating database link and root suffix
In-Reply-To: <4503404b0610020544s53d8d0f9jed4303c3a26df5ad@mail.gmail.com>
Message-ID: <45211241.4080003@redhat.com>

Eugenia Candida Oliveira de Moura wrote:
> How do I create a database link from the command line?

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/entry_dist.html#21180

> How do I create a root suffix from the command line?

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/entry_dist.html#19968
From rmeggins at redhat.com Mon Oct 2 13:25:12 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 02 Oct 2006 07:25:12 -0600
Subject: [Fedora-directory-users] FDS and AD
In-Reply-To: <1159599441.4176.14.camel@oslec>
Message-ID: <45211338.8080106@redhat.com>

Sergio Diaz wrote:
> Hi People,
>
> Is it possible to sync in one way only?
>
> Users: Windows AD -> FDS.

No, not really.

> Or the other scenario: OpenLDAP has a meta backend (2 LDAPs, 1 AD); is
> that possible with FDS?

It's possible. What does the meta backend do?

From sergio.diaze at gmail.com Mon Oct 2 14:27:12 2006
From: sergio.diaze at gmail.com (Sergio Diaz)
Date: Mon, 02 Oct 2006 09:27:12 -0500
Subject: [Fedora-directory-users] FDS and AD
In-Reply-To: <45211338.8080106@redhat.com>
Message-ID: <1159799232.2511.4.camel@oslec>

Hi Richard;

OpenLDAP:

The meta backend to slapd(8) performs basic LDAP proxying with respect to a
set of remote LDAP servers, called "targets". The information contained in
these servers can be presented as belonging to a single Directory
Information Tree (DIT).

Is it possible with FDS?

Regards!!
Sergio

On Mon, 2006-10-02 at 07:25 -0600, Richard Megginson wrote:
> Sergio Diaz wrote:
> > Is it possible to sync in one way only? Users: Windows AD -> FDS.
> No, not really.
From ABliss at preferredcare.org Mon Oct 2 15:21:15 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Mon, 2 Oct 2006 11:21:15 -0400
Subject: [Fedora-directory-users] Quick question on querying ldap database

As a rule of thumb, when users leave our company, I set their accounts to be
inactive via the admin interface. Is there a way to query the LDAP server to
see which objects are inactive? I guess what I'm really asking is: what
attribute do I look for when querying the database? Thanks.

Aaron

Confidentiality Notice:
The information contained in this electronic message is intended for the
exclusive use of the individual or entity named above and may contain
privileged or confidential information. If the reader of this message is not
the intended recipient or the employee or agent responsible to deliver it to
the intended recipient, you are hereby notified that dissemination,
distribution or copying of this information is prohibited. If you have
received this communication in error, please notify the sender immediately
by telephone and destroy the copies you received.
From rmeggins at redhat.com Mon Oct 2 16:01:18 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 02 Oct 2006 10:01:18 -0600
Subject: [Fedora-directory-users] Quick question on querying ldap database
Message-ID: <452137CE.20008@redhat.com>

Bliss, Aaron wrote:
> As a rule of thumb, when users leave our company, I set their accounts to
> be inactive via the admin interface. Is there a way to query the LDAP
> server to see which objects are inactive? I guess what I'm really asking
> is: what attribute do I look for when querying the database?

The nsAccountLock attribute.
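The query Richard points at, as an added example that is not code from the thread: the ldapsearch argv that lists inactivated accounts, a small LDIF reader that turns the result into a set of uids, and an offboarding cross-check against a leaver list. nsAccountLock is an operational attribute in Fedora DS, so the filter alone does not make the server return it; it has to be requested by name. The host, base DN, bind identity and the LDIF output below are constructed assumptions, not taken from a real directory.

```python
"""Find inactivated Fedora DS accounts via nsAccountLock (added example).

Assumptions (not from the thread): host ldap://ds.example.com, base
ou=People,dc=example,dc=com, and SAMPLE_LDIF below, which is constructed to
look like ldapsearch output rather than taken from a real directory.
"""

HOST = "ldap://ds.example.com"          # assumed
BASE = "ou=People,dc=example,dc=com"    # assumed


def search_command(host=HOST, base=BASE, bind_dn="cn=Directory Manager",
                   only_locked=True):
    """argv for an ldapsearch that lists locked (or all) accounts.

    nsAccountLock is operational: the filter selects the entries, but the
    attribute is only returned when named explicitly, so it is listed after
    the filter.  -W prompts for the password instead of exposing it on the
    command line and in the process list.
    """
    flt = "(nsAccountLock=true)" if only_locked else "(uid=*)"
    return ["ldapsearch", "-x", "-H", host, "-D", bind_dn, "-W",
            "-b", base, "-s", "sub", flt, "uid", "nsAccountLock"]


def parse_ldif(text):
    """Minimal LDIF reader returning a list of {attr: [values]} dicts.

    Handles comments, blank-line entry separators and folded continuation
    lines (leading space).  Base64 values (attr:: ...) are kept raw, since
    neither uid nor nsAccountLock needs decoding here.
    """
    entries, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key][-1] += raw[1:]      # folded line
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue
        key = key.strip().lower()
        current.setdefault(key, []).append(value.lstrip(": ").strip())
        last_key = key
    if current:
        entries.append(current)
    return entries


def locked_accounts(ldif_text):
    """uids of entries whose nsAccountLock is true (compared case-insensitively)."""
    locked = set()
    for entry in parse_ldif(ldif_text):
        if any(v.lower() == "true" for v in entry.get("nsaccountlock", [])):
            locked.update(entry.get("uid", []))
    return locked


def leavers_not_locked(ldif_text, leavers):
    """Offboarding check over a full listing (only_locked=False): leavers
    whose entry still exists but has not been inactivated."""
    present = {uid for e in parse_ldif(ldif_text) for uid in e.get("uid", [])}
    return sorted((set(leavers) & present) - locked_accounts(ldif_text))


SAMPLE_LDIF = """\
# constructed sample, not real ldapsearch output
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
nsAccountLock: true

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob

dn: uid=carol,ou=People,
 dc=example,dc=com
uid: carol
nsAccountLock: TRUE

dn: uid=dave,ou=People,dc=example,dc=com
uid: dave
nsAccountLock: false
"""

if __name__ == "__main__":
    print(" ".join(search_command()))
    print("locked:", sorted(locked_accounts(SAMPLE_LDIF)))
    print("leavers still active:",
          leavers_not_locked(SAMPLE_LDIF, ["bob", "carol", "erin"]))
```

Whatever identity you bind as needs read access to nsAccountLock; anonymous or ordinary user binds are typically not granted it, so run the audit as an administrative identity.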
From rmeggins at redhat.com Mon Oct 2 16:01:55 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 02 Oct 2006 10:01:55 -0600
Subject: [Fedora-directory-users] FDS and AD
In-Reply-To: <1159799232.2511.4.camel@oslec>
Message-ID: <452137F3.70309@redhat.com>

Sergio Diaz wrote:
> Hi Richard;
>
> OpenLDAP:
>
> The meta backend to slapd(8) performs basic LDAP proxying with respect to
> a set of remote LDAP servers, called "targets". The information contained
> in these servers can be presented as belonging to a single Directory
> Information Tree (DIT).
>
> Is it possible with FDS?

FDS has a chaining backend which allows you to use another LDAP server to
store the data.
From hyc at symas.com Mon Oct 2 16:24:07 2006
From: hyc at symas.com (Howard Chu)
Date: Mon, 02 Oct 2006 09:24:07 -0700
Subject: [Fedora-directory-users] FDS and AD
In-Reply-To: <20061002160005.378F57324C@hormel.redhat.com>
Message-ID: <45213D27.6050707@symas.com>

> Date: Mon, 02 Oct 2006 10:01:55 -0600
> From: Richard Megginson
> Sergio Diaz wrote:
>> The meta backend to slapd(8) performs basic LDAP proxying with respect
>> to a set of remote LDAP servers, called "targets". The information
>> contained in these servers can be presented as belonging to a single
>> Directory Information Tree (DIT).
>>
>> Is it possible with FDS?
>
> FDS has a chaining backend which allows you to use another LDAP server
> to store the data.

It sounds like the FDS chaining backend is similar to OpenLDAP back-ldap
and/or the chaining overlay. In OpenLDAP, back-ldap forwards a request to
one other server (at a time; multiple servers can be configured, but the
others will only be used if the first server cannot be contacted). The
back-meta backend is a superset of back-ldap: it can fan out single requests
to multiple servers in parallel and aggregate the results. (There's also
attribute mapping and DN rewriting, but those capabilities are no longer
unique to back-meta, having been moved into the rewrite overlay.) With these
modules you can stitch together a variety of heterogeneous directories into
a coherent virtual directory.
-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

From brian.smith at worldpub.net Mon Oct 2 18:12:37 2006
From: brian.smith at worldpub.net (Brian Smith)
Date: Mon, 02 Oct 2006 14:12:37 -0400
Subject: [Fedora-directory-users] FDS and AD
In-Reply-To: <45213D27.6050707@symas.com>
Message-ID: <45215695.7000404@worldpub.net>

Hello all, I've been working on getting chaining working with an Active
Directory back end for a week now. Has anyone successfully done this, or
have directions on setting this up?

Brian Smith
From sergio.diaze at gmail.com Mon Oct 2 18:17:17 2006
From: sergio.diaze at gmail.com (Sergio Diaz)
Date: Mon, 02 Oct 2006 13:17:17 -0500
Subject: [Fedora-directory-users] FDS and AD
In-Reply-To: <45215695.7000404@worldpub.net>
Message-ID: <1159813037.2474.3.camel@oslec>

FDS, OpenLDAP and AD in one directory (FDS)... I want these directions too...
Chaining backend...

Regards,
Sergio

On Mon, 2006-10-02 at 14:12 -0400, Brian Smith wrote:
> Hello all, I've been working on getting chaining working with an Active
> Directory back end for a week now. Has anyone successfully done this, or
> have directions on setting this up?
From brian.smith at worldpub.net Mon Oct 2 19:52:08 2006
From: brian.smith at worldpub.net (Brian Smith)
Date: Mon, 02 Oct 2006 15:52:08 -0400
Subject: [Fedora-directory-users] FDS and AD
In-Reply-To: <1159813037.2474.3.camel@oslec>
Message-ID: <45216DE8.10507@worldpub.net>

All,

Here's what I've now done to enable the AD back-end DB for a sub tree:

1. Click Configuration and select the "dc=domain,dc=com" tree.
2. Right-click the "dc=domain,dc=com" tree and select New Sub Suffix.
3. In the New Suffix box, typed "ou=subsuffix1", unchecked "create
   associated database automatically" and clicked OK.
4. Opened "dc=domain,dc=com", right-clicked "ou=subsuffix1,dc=domain,dc=com"
   and selected New Database Link.
5. Here, I put the database link name "subsuffix1", put the bind DN and
   password of a domain user account in my AD, put the domain controller IP
   in the Remote Server box and clicked Save. (I can connect to my AD with
   the DN I provided here.)
6. Checked "enable this suffix" under ou=subsuffix1,dc=worldpub,dc=corp.

Now the subsuffix1 database appears under ou=subsuffix1,dc=domain,dc=com. If
I now go to the Directory tab and select the directory entry, I get
"critical extension unavailable", and if I use an LDAP browser I get "list
failed" on the main tree. Did I miss a step? If I disable the
ou=subsuffix1,dc=domain,dc=com suffix I can browse the tree no problem.
Thanks!

Brian Smith
From rmeggins at redhat.com Mon Oct 2 20:02:51 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 02 Oct 2006 14:02:51 -0600
Subject: [Fedora-directory-users] FDS and AD
In-Reply-To: <45216DE8.10507@worldpub.net>
Message-ID: <4521706B.50300@redhat.com>

It may be that AD doesn't support proxied auth, in which case you should
tell chaining to disable it. See
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/entry_dist.html#21180
for more information; the pertinent attribute is nsProxiedAuthorization.

Brian Smith wrote:
> Now the subsuffix1 database appears under ou=subsuffix1,dc=domain,dc=com.
> If I now go to the Directory tab and select the directory entry, I get
> "critical extension unavailable", and if I use an LDAP browser I get "list
> failed" on the main tree. Did I miss a step? If I disable the
> ou=subsuffix1,dc=domain,dc=com suffix I can browse the tree no problem.
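The command-line counterpart to the console steps above (and an answer to the first question in this digest, creating a database link from the command line), as an added example that is not code from the thread, from Fedora DS or from the Red Hat docs. It emits the LDIF for a chaining backend entry and its mapping-tree entry in the layout the DS 7.1 admin guide describes, the ldapmodify LDIF that applies Richard's advice by switching nsProxiedAuthorization off, and a small audit of the settings that matter for security. The link name, suffixes, farm URL and bind account are assumptions; you feed the LDIF to ldapadd or ldapmodify as Directory Manager yourself. Two things the audit flags are worth knowing before pointing a link at AD: with proxied authorization off, every chained operation is authorized on the remote server as the multiplexor bind account rather than as the requesting user, so that account should be read-only; and a plain ldap:// farm URL sends that account's password and all chained traffic unencrypted. "Critical extension unavailable" is LDAP result 12, unavailableCriticalExtension, which is what a target returns when it refuses the proxied authorization control (RFC 4370 requires the control to be marked critical).

```python
"""Fedora DS database link (chaining backend) from the command line.

Added example; not code from the thread or the product.  DN layout follows
the DS 7.1 admin guide: cn=<link>,cn=chaining database,cn=plugins,cn=config
for the backend and cn="<suffix>",cn=mapping tree,cn=config for the mapping
tree.  Link name, hosts, suffixes and the bind account are assumptions.
"""
from urllib.parse import urlsplit

LINK_ENTRY = "cn={link},cn=chaining database,cn=plugins,cn=config"


def database_link_ldif(link, suffix, parent_suffix, farm_url,
                       bind_dn, password, proxied_auth=True):
    """LDIF (for ldapadd) creating the link and its mapping-tree entry."""
    return "\n".join([
        "dn: " + LINK_ENTRY.format(link=link),
        "objectclass: top",
        "objectclass: extensibleObject",
        "objectclass: nsBackendInstance",
        f"cn: {link}",
        f"nsslapd-suffix: {suffix}",
        f"nsfarmserverurl: {farm_url}",
        f"nsmultiplexorbinddn: {bind_dn}",
        f"nsmultiplexorcredentials: {password}",
        f"nsProxiedAuthorization: {'on' if proxied_auth else 'off'}",
        "",
        f'dn: cn="{suffix}",cn=mapping tree,cn=config',
        "objectclass: top",
        "objectclass: extensibleObject",
        "objectclass: nsMappingTree",
        f"cn: {suffix}",
        "nsslapd-state: backend",
        f"nsslapd-backend: {link}",
        f'nsslapd-parent-suffix: "{parent_suffix}"',
        "",
    ])


def disable_proxied_auth_ldif(link):
    """LDIF (for ldapmodify) turning proxied authorization off on an existing link."""
    return "\n".join([
        "dn: " + LINK_ENTRY.format(link=link),
        "changetype: modify",
        "replace: nsProxiedAuthorization",
        "nsProxiedAuthorization: off",
        "",
    ])


def audit_link(attrs):
    """Warnings for one link's attributes (lower-cased names -> string values),
    e.g. as read back from cn=chaining database,cn=plugins,cn=config."""
    warnings = []
    if urlsplit(attrs.get("nsfarmserverurl", "")).scheme.lower() == "ldap":
        warnings.append(
            "nsfarmserverurl is plain ldap://: the multiplexor bind password "
            "and every chained operation cross the network in clear; use ldaps://")
    # The attribute defaults to on when absent.
    if attrs.get("nsproxiedauthorization", "on").lower() == "off":
        warnings.append(
            "nsProxiedAuthorization is off: the remote server authorizes all "
            "chained operations as nsmultiplexorbinddn, not as the requesting "
            "user; make that account read-only on the remote side")
    else:
        warnings.append(
            "nsProxiedAuthorization is on: the remote server must accept the "
            "proxied authorization control or clients see "
            "unavailableCriticalExtension (result 12); switch it off for a "
            "target such as Active Directory that does not support it")
    if "nsmultiplexorcredentials" in attrs:
        warnings.append(
            "nsmultiplexorcredentials must be recoverable by the server: treat "
            "cn=config and dse.ldif as secrets and restrict who can read them")
    return warnings


# Constructed to mirror the console setup described in the thread:
# a plain-LDAP link to a domain controller IP with proxied auth left at default.
SAMPLE_LINK = {
    "nsslapd-suffix": "ou=subsuffix1,dc=domain,dc=com",
    "nsfarmserverurl": "ldap://192.0.2.10:389/",
    "nsmultiplexorbinddn": "cn=fdsproxy,cn=Users,dc=domain,dc=com",
    "nsmultiplexorcredentials": "secret",
}

if __name__ == "__main__":
    print(database_link_ldif("subsuffix1", "ou=subsuffix1,dc=domain,dc=com",
                             "dc=domain,dc=com", "ldaps://dc.domain.com:636/",
                             "cn=fdsproxy,cn=Users,dc=domain,dc=com", "secret",
                             proxied_auth=False))
    print(disable_proxied_auth_ldif("subsuffix1"))
    for w in audit_link(SAMPLE_LINK):
        print("WARNING:", w)
```

Verify the attribute names against the entry_dist page Richard links before applying; the LDIF is generated, not applied, so nothing changes until you run ldapadd/ldapmodify.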
From linuxkarthi at gmail.com Wed Oct 4 09:04:09 2006
From: linuxkarthi at gmail.com (osk)
Date: Wed, 04 Oct 2006 14:34:09 +0530
Subject: [Fedora-directory-users] fedoraDS will replace ADS
Message-ID: <45237909.3020006@gmail.com>

Hi,

We are trying to replace ADS with Fedora DS. In ADS the following can be
done when the client logs into the ADS domain:

1) Disable right-click for clients
2) Block/allow specific software installation
3) Override the user's local settings by group policy, e.g. password
   expiry: if the local user sets the password expiry to 5 days, ADS can
   override it to 3 days.
4) Prevent the client from changing Internet Options to modify the proxy
   server name.
5) Push software updates to clients from ADS if the client is not updated
   properly.
6) Block/allow regedit from ADS.

Now we are able to run a PDC with Samba using Fedora DS, and each user can
log in and their profile can be created in either common storage or local
storage on the Fedora DS server.

Can anyone suggest how to fulfill the above points?
regards
Karthikeyan.N

From dan.hawker at astrium.eads.net Wed Oct 4 09:57:16 2006
From: dan.hawker at astrium.eads.net (HAWKER, Dan)
Date: Wed, 4 Oct 2006 10:57:16 +0100
Subject: [Fedora-directory-users] fedoraDS will replace ADS
Message-ID: <7F6B06837A5DBD49AC6E1650EFF549060122307A@auk52177.ukr.astrium.corp>

> Hi,
> We are trying to replace ADS with Fedora DS. In ADS the following can be
> done when the client logs into the ADS domain:
>
> 1) Disable right-click for clients
> 2) Block/allow specific software installation
> 3) Override the user's local settings by group policy, e.g. password
>    expiry: if the local user sets the password expiry to 5 days, ADS can
>    override it to 3 days.
> 4) Prevent the client from changing Internet Options to modify the proxy
>    server name.
> 5) Push software updates to clients from ADS if the client is not updated
>    properly.
> 6) Block/allow regedit from ADS.
>
> Now we are able to run a PDC with Samba using Fedora DS, and each user
> can log in and their profile can be created in either common storage or
> local storage on the Fedora DS server.
>
> Can anyone suggest how to fulfill the above points?

Stick with ADS... :)

Seriously, that's a lot of the reasons people like and use ADS that you're
trying to re-engineer. As much as I hate to admit it, and despite my best
efforts, I actually quite like ADS and the features it brings when managing
a fairly large Windows shop (used to do so in a previous life).

Anyhow, on with the questions...

1) Don't understand what you are asking here...

3, 4, 6) All of this can be *managed* either by using a 3rd-party product (a
few available, but not usually cheap) or with some clever use of original
NT4-style policies. Old-school NT4 poledit.exe had many of the *regular*
features that W2K-based GPOs introduced; indeed GPO is just an evolutionary
step in this. The main difference was in how you could apply them, i.e.
against a group and centrally using the AD.
Some extra functionality was introduced, both initially and in subsequent
updates (SPs and now 2003).

2 & 5) Installing software with the GPO took quite a bit of initial care
anyway, but once working it does do its job (within its limited remit).
Again, other apps can do this instead; however, once again none are cheap.
Most are also targeted towards large installations.

Updates and patch management apps are everywhere now. MS have SUS (or is it
WUS now), which is free but has some limitations.

Lots of software management options out there. Options OTTOMH are MS SMS,
ZenWorks, Altiris... Google is your friend :)

HTH

Dan

-- 
Dan Hawker
Linux System Administrator
Astrium

-- 
This email is for the intended addressee only. If you have received it in
error then you must not use, retain, disseminate or otherwise deal with it.
Please notify the sender by return email. The views of the author may not
necessarily constitute the views of Astrium Limited. Nothing in this email
shall bind Astrium Limited in any contract or obligation.
Astrium Limited, Registered in England and Wales No. 2449259
Registered Office: Gunnels Wood Road, Stevenage, Hertfordshire, SG1 2AS,
England

From rmeggins at redhat.com Wed Oct 4 14:32:14 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 04 Oct 2006 08:32:14 -0600
Subject: [Fedora-directory-users] fedoraDS will replace ADS
In-Reply-To: <45237909.3020006@gmail.com>
Message-ID: <4523C5EE.6090707@redhat.com>

osk wrote:
> Hi,
> We are trying to replace ADS with Fedora DS. In ADS the following can be
> done when the client logs into the ADS domain:
>
> 1) Disable right-click for clients

I'm not sure what this means, but the Fedora DS console allows you to
right-click on a user and inactivate/disable without removing.

> 2) Block/allow specific software installation

Nope. This is a feature of Windows + AD; very complex to implement in the
Linux world.
> 3) Override the user's local settings by group policy, e.g. password
>    expiry: if the local user sets the password expiry to 5 days, ADS can
>    override it to 3 days.

FDS has per-user/per-subtree password policy.

> 4) Prevent the client from changing Internet Options to modify the proxy
>    server name.
> 5) Push software updates to clients from ADS if the client is not updated
>    properly.
> 6) Block/allow regedit from ADS.

Nope. None of these. See 2) above.

> Now we are able to run a PDC with Samba using Fedora DS, and each user
> can log in and their profile can be created in either common storage or
> local storage on the Fedora DS server.

That's about it. Until Samba4 is released, there is no viable alternative to
everything that AD + Windows can do, especially with group policy.

From rinconsystems at yahoo.com Wed Oct 4 16:22:05 2006
From: rinconsystems at yahoo.com (Scott Roberts)
Date: Wed, 4 Oct 2006 09:22:05 -0700 (PDT)
Subject: [Fedora-directory-users] max file descriptor setting in fds
Message-ID: <20061004162205.29897.qmail@web34112.mail.mud.yahoo.com>

In the console I noticed a setting for the max number of file descriptors:

  Configuration > Performance tab
  Max number of file descriptors: 1024

Should I leave it at the default of 1024? Or should I try to match what I
did in performance tuning from the page below? Maybe they're not even
related. I just don't want to have conflicting settings.

http://directory.fedora.redhat.com/wiki/Performance_Tuning
From stpierre at NebrWesleyan.edu Wed Oct 4 19:03:25 2006
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Wed, 4 Oct 2006 14:03:25 -0500 (CDT)
Subject: [Fedora-directory-users] Replication errors: "Incremental Update Failed"
In-Reply-To: <20061004162205.29897.qmail@web34112.mail.mud.yahoo.com>

I have four machines in an MMR setup. One recently died (got accidentally
unplugged; d'oh!). When I started it back up, it recovered the database and
then dumped errors like the following in the errors log:

[04/Oct/2006:13:59:03 -0500] NSMMReplicationPlugin - agmt="cn="Replication to zeppo.nebrwesleyan.edu"" (zeppo:389): Missing data encountered
[04/Oct/2006:13:59:04 -0500] NSMMReplicationPlugin - agmt="cn="Replication to zeppo.nebrwesleyan.edu"" (zeppo:389): Incremental update failed and requires administrator action

The only info I found on this via Google was for Sun DS, and it just
recommended updating to the latest hotfix. Obviously not terribly helpful.

Anyhow, have any ideas how I might fix this, short of re-initializing my
directory on this machine? Thanks!

I'm running:

Name    : fedora-ds    Relocations: /opt/fedora-ds
Version : 1.0.2        Vendor: (none)
Release : 1.RHEL4      Build Date: Wed 01 Mar 2006 01:21:46 PM CST

I used the mmr.pl script to set up replication, and it's been running fine
for about 9 months now.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

From rmeggins at redhat.com Wed Oct 4 21:48:06 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 04 Oct 2006 15:48:06 -0600
Subject: [Fedora-directory-users] Replication errors: "Incremental Update Failed"
Message-ID: <45242C16.2070107@redhat.com>

Chris St. Pierre wrote:
> I have four machines in an MMR setup. One recently died (got accidentally
> unplugged; d'oh!). When I started it back up, it recovered the database
> and then dumped errors like the following in the errors log:
>
> [04/Oct/2006:13:59:03 -0500] NSMMReplicationPlugin - agmt="cn="Replication to zeppo.nebrwesleyan.edu"" (zeppo:389): Missing data encountered
> [04/Oct/2006:13:59:04 -0500] NSMMReplicationPlugin - agmt="cn="Replication to zeppo.nebrwesleyan.edu"" (zeppo:389): Incremental update failed and requires administrator action
>
> The only info I found on this via Google was for Sun DS, and it just
> recommended updating to the latest hotfix. Obviously not terribly helpful.

There is a very small window of time between when the update is written to
the main database and when it is written to the changelog database. If you
kill the power during this window, the changelog db will be out of sync with
the main database. The only solution is to reinit the server which has this
problem.

> Anyhow, have any ideas how I might fix this, short of re-initializing my
> directory on this machine? Thanks!
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From gennaro.tortone at na.infn.it Thu Oct 5 07:20:28 2006 From: gennaro.tortone at na.infn.it (Gennaro Tortone) Date: Thu, 5 Oct 2006 09:20:28 +0200 Subject: [Fedora-directory-users] multiple naming attributes in DN Message-ID: <20061005072028.GA14242@na.infn.it> Hi, I'm setting up a Fedora Directory Server for user authentication; Currently users are stored as the following: dn: uid=user01,ou=People,dc=na,dc=infn,dc=it dn: uid=user02,ou=People,dc=na,dc=infn,dc=it Is it possible to publish each user entry as: dn: uid=user01,ou=People,dc=na,dc=infn,dc=it and also with: dn: email=user01 at domain.it,ou=People,dc=na,dc=infn,dc=it Thanks in advance, -- Gennaro Tortone INFN Napoli Italy tel: +39 81 676169 "Computer Science is no more about computers than astronomy is about telescopes." - Edsger Dijkstra From jo.de.troy at gmail.com Thu Oct 5 08:06:23 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Thu, 5 Oct 2006 10:06:23 +0200 Subject: [Fedora-directory-users] trying to build Message-ID: Hello, I'm trying to build FDS myself and I'm using the steps documented on the wiki. When I start compiling perlldap I get the question below: PerLDAP - Perl 5 Module for LDAP ================================ Directory containing 'include' and 'lib' directory of the Mozilla LDAP Software Developer Kit (default: /opt/mozldap) I know the SDK is checked out in mozilla/directory/c-sdk but I don't see the lib directories there, the include directory is there. Which is the directory I should enter? 
Thanks again, Jo

From oliver.hookins at anchor.com.au Thu Oct 5 09:29:42 2006
From: oliver.hookins at anchor.com.au (Oliver Hookins)
Date: Thu, 5 Oct 2006 19:29:42 +1000
Subject: [Fedora-directory-users] RPM/SRPM issues and old RHEL
In-Reply-To: <44AE7968.5020809@redhat.com>
References: <44AB1627.8050906@anchor.com.au> <44AE7968.5020809@redhat.com>
Message-ID: <20061005092941.GB32078@captain.bridge.anchor.net.au>

On Fri Jul 07, 2006 at 09:10:32 -0600, Richard Megginson wrote:
>It's going to be a few weeks until we have a buildable srpm. In the
>meantime, I suggest you try
>http://directory.fedora.redhat.com/wiki/Building#One-Step_Build

Has any progress been made on the srpm packages? I have been skimming the list traffic and nothing has caught my eye.

--
Regards,
Oliver Hookins
Anchor Systems

From patrick.morris at hp.com Thu Oct 5 09:56:14 2006
From: patrick.morris at hp.com (Morris, Patrick)
Date: Thu, 5 Oct 2006 05:56:14 -0400
Subject: [Fedora-directory-users] multiple naming attributes in DN
In-Reply-To: <20061005072028.GA14242@na.infn.it>
Message-ID:

> I'm setting up a Fedora Directory Server for user authentication;
>
> Currently users are stored as the following:
>
> dn: uid=user01,ou=People,dc=na,dc=infn,dc=it
>
>
> dn: uid=user02,ou=People,dc=na,dc=infn,dc=it
>
>
> Is it possible to publish each user entry as:
>
> dn: uid=user01,ou=People,dc=na,dc=infn,dc=it
>
>
> and also with:
>
> dn: email=user01 at domain.it,ou=People,dc=na,dc=infn,dc=it
>

While it's theoretically possible using something like aliased records, DNs are, by definition, a single specifier per entry.

What exactly are you trying to accomplish? Are you sure you need multiple DNs per entry?

From stpierre at NebrWesleyan.edu Thu Oct 5 12:30:10 2006 From: stpierre at NebrWesleyan.edu (Chris St.
Pierre) Date: Thu, 5 Oct 2006 07:30:10 -0500 (CDT) Subject: [Fedora-directory-users] Replication errors: "Incremental Update Failed" In-Reply-To: <45242C16.2070107@redhat.com> References: <20061004162205.29897.qmail@web34112.mail.mud.yahoo.com> <45242C16.2070107@redhat.com> Message-ID: On Wed, 4 Oct 2006, Richard Megginson wrote: > There is a very small window of time between when the update is written to the > main database and when it is written to the changelog database. If you kill > the power during this window, the changelog db will be out of sync with the > main database. The only solution is to reinit the server which has this > problem. Thanks. Next question: what's the best (quickest, easiest) way to reinitialize the server? I can think of a few ways (e.g., reinstall), but can't shake the feeling that there must be a better way. Chris St. Pierre Unix Systems Administrator Nebraska Wesleyan University From tortone at na.infn.it Thu Oct 5 13:07:14 2006 From: tortone at na.infn.it (gennaro.tortone@na.infn.it) Date: Thu, 5 Oct 2006 15:07:14 +0200 (CEST) Subject: [Fedora-directory-users] multiple naming attributes in DN In-Reply-To: References: Message-ID: Hi, ok, suppose a company has various site in the world, and each site has its own LDAP Directory in order to authenticate local users (e.g. Fedora Directory Server) now, suppose that this company has a set of "collective services" (e.g. mailing lists, web portal, ...) 
available to all sites; I am studying a solution to provide a "global authentication" for all users of this company who authenticate themselves to use the "collective services"; The solution I'm studying is based on Oracle Virtual Directory; this software aggregates various LDAP datasources and publishes them in a global LDAP tree:

As an example:

SITE 1
------
authentication server: fds-auth.site1.company.com
site1 users basedn: ou=People,dc=site1,dc=company,dc=com

SITE 2
------
authentication server: fds-auth.site2.company.com
site2 users basedn: ou=People,dc=site2,dc=company,dc=com

VIRTUAL DIRECTORY
-----------------
aggregates users from:
- ou=People,dc=site1,dc=company,dc=com
- ou=People,dc=site2,dc=company,dc=com

in a "virtual LDAP server" under the basedn:
- ou=People,dc=company,dc=com

If the company has an Apache webserver available to all sites, it should be possible to use the Virtual Directory Server as the authentication source for all users; but the problem is: each site's LDAP tree is merged into a single _virtual_ LDAP tree... what happens if there are two users on two different sites with the same "uid=..." ?

ok, we can use a _natively_ unique attribute like "mail" to publish the DN for each user; then the user "smith":

- uid=smith,ou=People,dc=site1,dc=company,dc=com

will be:

- mail=smith at site1.company.com,ou=People,dc=site1,dc=company,dc=com

(this is a simple change of the DN naming attribute in the Fedora Console for the user "smith")

but this _quick_ solution creates a problem for local sites that use, for example, PAM on their Linux systems; with this change the account that "smith" uses to log in will be changed to "smith at site1.company.com"

so I'm looking for a way to have different DNs for the same user entry... (or for a different solution....)
Regards, On Thu, 5 Oct 2006, Morris, Patrick wrote: >> I'm setting up a Fedora Directory Server for user authentication; >> >> Currently users are stored as the following: >> >> dn: uid=user01,ou=People,dc=na,dc=infn,dc=it >> >> >> dn: uid=user02,ou=People,dc=na,dc=infn,dc=it >> >> >> Is it possible to publish each user entry as: >> >> dn: uid=user01,ou=People,dc=na,dc=infn,dc=it >> >> >> and also with: >> >> dn: email=user01 at domain.it,ou=People,dc=na,dc=infn,dc=it >> > > While it's theoretically possible using something like aliased records, > DNs are, by definition, a single specifier per entry. > > What exectly are you trying to accomplish? Are you sure you need > multiple DNs per entry? > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -- Gennaro Tortone INFN Napoli Italy tel: +39 81 676169 "Computer Science is no more about computers than astronomy is about telescopes." - Edsger Dijkstra From msapsara at TrustedCS.com Thu Oct 5 13:14:57 2006 From: msapsara at TrustedCS.com (Mike Sapsara) Date: Thu, 5 Oct 2006 09:14:57 -0400 Subject: [Fedora-directory-users] Help with PassSync / FDS Bind DN user Message-ID: <36282A1733C57546BE392885C06185920107CDD3@chaos.tcs.tcs-sec.com> Hi, I have Password sync working well between a 2003 AD server and FDS, but only if I use the Directory Manager account as my Bind DN as defined in the PassSync options on Windows. If I don't use that I can't overcome some of the password aging contraints we are using for FDS users. Does anyone have less powerful Bind DN account that they specifically defined for AD -> FDS password sync, or pointers on how to define one ? 
thanks, Mike From rmeggins at redhat.com Thu Oct 5 13:51:47 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 05 Oct 2006 07:51:47 -0600 Subject: [Fedora-directory-users] Replication errors: "Incremental Update Failed" In-Reply-To: References: <20061004162205.29897.qmail@web34112.mail.mud.yahoo.com> <45242C16.2070107@redhat.com> Message-ID: <45250DF3.7060100@redhat.com> Chris St. Pierre wrote: > On Wed, 4 Oct 2006, Richard Megginson wrote: > > >> There is a very small window of time between when the update is written to the >> main database and when it is written to the changelog database. If you kill >> the power during this window, the changelog db will be out of sync with the >> main database. The only solution is to reinit the server which has this >> problem. >> > > Thanks. Next question: what's the best (quickest, easiest) way to > reinitialize the server? I can think of a few ways (e.g., reinstall), > but can't shake the feeling that there must be a better way. > Do you have another master? If so, just perform a replica initialization (using the console). > Chris St. Pierre > Unix Systems Administrator > Nebraska Wesleyan University > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Thu Oct 5 13:57:41 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 05 Oct 2006 07:57:41 -0600 Subject: [Fedora-directory-users] RPM/SRPM issues and old RHEL In-Reply-To: <20061005092941.GB32078@captain.bridge.anchor.net.au> References: <44AB1627.8050906@anchor.com.au> <44AE7968.5020809@redhat.com> <20061005092941.GB32078@captain.bridge.anchor.net.au> Message-ID: <45250F55.6080505@redhat.com> Oliver Hookins wrote: > On Fri Jul 07, 2006 at 09:10:32 -0600, Richard Megginson wrote: > > >> It's going to be a few weeks until we have a buildable srpm. In the >> meantime, I suggest you try >> http://directory.fedora.redhat.com/wiki/Building#One-Step_Build >> > > Has any progress been made on the srpm packages? I have been skimming the > list traffic and nothing has caught my eye. > We're still working on it (funny how a few weeks has become many weeks :-P We are making progress. Note that the next major (i.e. not patch) release of the product will use discrete RPM packaging, and each discrete RPM will have a buildable SRPM. http://directory.fedora.redhat.com/wiki/Discrete_Packaging -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Thu Oct 5 13:58:59 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 05 Oct 2006 07:58:59 -0600 Subject: [Fedora-directory-users] trying to build In-Reply-To: References: Message-ID: <45250FA3.40002@redhat.com> Jo De Troy wrote: > Hello, > > I'm trying to build FDS myself and I'm using the steps documented on > the wiki. 
> When I start compiling perlldap I get the question below: > > PerLDAP - Perl 5 Module for LDAP > ================================ > Directory containing 'include' and 'lib' directory of the Mozilla > LDAP Software Developer Kit (default: /opt/mozldap) > > I know the SDK is checked out in mozilla/directory/c-sdk but I don't > see the lib directories there, the include directory is there. Have you built it already? All of the mozilla components put their release files under mozilla/dist. Perldap should automatically find everything under there. Just hit "enter" at the perldap prompts. > Which > is the directory I should enter? > > Thanks again, > Jo > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Thu Oct 5 14:05:59 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 05 Oct 2006 08:05:59 -0600 Subject: [Fedora-directory-users] multiple naming attributes in DN In-Reply-To: References: Message-ID: <45251147.4010205@redhat.com> gennaro.tortone at na.infn.it wrote: > > Hi, > > ok, > suppose a company has various site in the world, > and each site has its own LDAP Directory in order to authenticate > local users (e.g. Fedora Directory Server) > > now, > suppose that this company has a set of "collective services" > (e.g. mailing lists, web portal, ...) 
available to all sites; > > I study a solution to provide a "global autentication" for all users > of this company that authenticate themself to use "collective services"; > > The solution I'm studing is based on Oracle Virtual Directory; > this software aggregates various LDAP datasources and publish > them in a global LDAP tree: > > As example: > > SITE 1 > ------ > authentication server: fds-auth.site1.company.com > site1 users basedn: ou=People,dc=site1,dc=company,dc=com > > SITE 2 > ------ > authentication server: fds-auth.site2.company.com > site2 users basedn: ou=People,dc=site2,dc=company,dc=com > > VIRTUAL DIRECTORY > ----------------- > > aggregates users from: > - ou=People,dc=site1,dc=company,dc=com > - ou=People,dc=site2,dc=company,dc=com > > in a "virtual LDAP server" under the basedn: > - ou=People,dc=company,dc=com > > If the company has an Apache webserver available to all site, > it should be possible to use the Virtual Directory Server > as authentication source for all users; > > but the problem is: > each site LDAP tree is merged on a single _virtual_ LDAP tree... Why do you need to have everyone under a single ou=People under dc=company,dc=com? Unless I misunderstand something, almost all authentication apps should be able search for a unique attribute under dc=company,dc=com that has two or more dc=siteX under it. > what happen if there are two users on two different sites > with the same "uid=..." ? Aye, there's the rub. This really boils down to an application problem. Each application doing authentication against the DS (apache, pam, etc.) needs to be able to specify a unique attribute during login (e.g. have to type in the email address at the login prompt rather than a uid). You can still easily allow uid for some logins if your application is site specific and you will never have anyone from another site try to login - e.g. 
for all machines in the site1.company.com domain, you can configure PAM to lookup uid's under dc=site1,dc=company,dc=com. But as soon as you want to allow users from other sites to login, you can no longer use uid. I don't know if there is a way to tell PAM to do a multi stage lookup e.g. First, look for uid under dc=site1. If that fails, look for uid under dc=company. If that fails, or returns multiple entries, look for email under dc=company. > > ok, > we can use a _natively_ unique attributes like "mail" to > publish DN for each users; then the users "smith": > > - uid=smith,ou=People,dc=site1,dc=company,dc=com > > will be: > > - mail=smith at site1.company.com,ou=People,dc=site1,dc=company,dc=com" > > (this is a simple changing of DN naming attributes on Fedora Console > for the user "smith") > > but this _quick_ solution create a problem on local site that use, as > example, PAM on their Linux systems; with this change the account > that "smith" uses to log in will be changed in "smith at site1.company.com" > > then I'm looking for a way to have different DN for the same user > entry... > (or for a different solution....) > > Regards, > > On Thu, 5 Oct 2006, Morris, Patrick wrote: > >>> I'm setting up a Fedora Directory Server for user authentication; >>> >>> Currently users are stored as the following: >>> >>> dn: uid=user01,ou=People,dc=na,dc=infn,dc=it >>> >>> >>> dn: uid=user02,ou=People,dc=na,dc=infn,dc=it >>> >>> >>> Is it possible to publish each user entry as: >>> >>> dn: uid=user01,ou=People,dc=na,dc=infn,dc=it >>> >>> >>> and also with: >>> >>> dn: email=user01 at domain.it,ou=People,dc=na,dc=infn,dc=it >>> >> >> While it's theoretically possible using something like aliased records, >> DNs are, by definition, a single specifier per entry. >> >> What exectly are you trying to accomplish? Are you sure you need >> multiple DNs per entry? 
>> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From lemsx1 at gmail.com Thu Oct 5 14:53:10 2006 From: lemsx1 at gmail.com (Luis) Date: Thu, 5 Oct 2006 10:53:10 -0400 Subject: [Fedora-directory-users] Add user (Perl) CGI script Message-ID: Hello all, I just wrote a CGI script that allows adding users to Fedora Directory Server (FDS) very easily. The script is attached to this email. Future revisions can be downloaded from: http://lems.kiskeyix.org/toolbox/?f=adduser-ldap.cgi The license is GPL. So feel free to add it to other projects. Features: * Simple to use and to install * E-Mail is sent to the user that was created (templated) and CC to another email * Uses readily available Perl modules: Net::LDAP, CGI, Net::SMTP * XHTML 1.0 and CSS plus javascript to avoid typing much (fields get automagically populated as you type) Installation: copy cgi script to your cgi-bin dir: cp adduser-ldap.cgi /var/www/cgi-bin/ make sure it's executable: chmod ugo+rx /var/www/cgi-bin/adduser-ldap.cgi create a "secret" file: echo "password" > /etc/adduser-ldap.secret chmod 0400 /etc/adduser-ldap.secret chown apache /etc/adduser-ldap.secret make sure that the needed Perl modules are installed (hint: perl adduser-ldap.cgi) modify the variables on top of the script to taste. The script assumes that you will be using "admin" as your bind dn: my $LDAPADMINCN = "uid=admin,ou=Administrators,ou=TopologyManagement,o=netscapeRoot"; TLS is supported, but can be easily turned off if you are using it in the same box as the server is running. (Just comment out the start_tls() call). Feel free to post this script to the wiki page. 
(I couldn't figure out how to do that ;-)) I made this script to allow creating accounts by non-technical personnel to the LDAP directory (used by Wildfire Jabber Server). Everything works like a charm! Enjoy -- ----)(----- Luis Mondesi *NIX Guru Kiskeyix.org "We think basically you watch television to turn your brain off, and you work on your computer when you want to turn your brain on" -- Steve Jobs in an interview for MacWorld Magazine 2004-Feb No .doc: http://www.gnu.org/philosophy/no-word-attachments.es.html -------------- next part -------------- A non-text attachment was scrubbed... Name: adduser-ldap.cgi.gz Type: application/x-gzip Size: 5305 bytes Desc: not available URL: From stpierre at NebrWesleyan.edu Thu Oct 5 14:55:09 2006 From: stpierre at NebrWesleyan.edu (Chris St. Pierre) Date: Thu, 5 Oct 2006 09:55:09 -0500 (CDT) Subject: [Fedora-directory-users] Replication errors: "Incremental Update Failed" In-Reply-To: <45250DF3.7060100@redhat.com> References: <20061004162205.29897.qmail@web34112.mail.mud.yahoo.com> <45242C16.2070107@redhat.com> <45250DF3.7060100@redhat.com> Message-ID: On Thu, 5 Oct 2006, Richard Megginson wrote: > Do you have another master? If so, just perform a replica initialization > (using the console). We've got three other masters, but we don't use the console -- or have X installed or heads on the machines. Can this be done from the CLI, maybe with mmr.pl? Chris St. Pierre Unix Systems Administrator Nebraska Wesleyan University From jo.de.troy at gmail.com Thu Oct 5 15:02:51 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Thu, 5 Oct 2006 17:02:51 +0200 Subject: [Fedora-directory-users] trying to build Message-ID: >> Hello, >> >> I'm trying to build FDS myself and I'm using the steps documented on the wiki. 
>> >> When I start compiling perlldap I get the question below: >> >> PerLDAP - Perl 5 Module for LDAP >> ================================ >> Directory containing 'include' and 'lib' directory of the Mozilla >> LDAP Software Developer Kit (default: /opt/mozldap) >> I know the SDK is checked out in mozilla/directory/c-sdk but I don't >> see the lib directories there, the include directory is there. >Have you built it already? All of the mozilla components put their release files under >mozilla/dist. Perldap should automatically find everything under there. Just hit "enter" at >the >perldap prompts. Hello Rich, the default value is /opt/mozldap. This surely isn't correct. I'll add /mozilla/dist/Linux2.6_x86_glibc_PTH_OPT.OBJ instead Bye, Jo From rmeggins at redhat.com Thu Oct 5 15:15:14 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 05 Oct 2006 09:15:14 -0600 Subject: [Fedora-directory-users] Replication errors: "Incremental Update Failed" In-Reply-To: References: <20061004162205.29897.qmail@web34112.mail.mud.yahoo.com> <45242C16.2070107@redhat.com> <45250DF3.7060100@redhat.com> Message-ID: <45252182.8020508@redhat.com> Chris St. Pierre wrote: > On Thu, 5 Oct 2006, Richard Megginson wrote: > > >> Do you have another master? If so, just perform a replica initialization >> (using the console). >> > > We've got three other masters, but we don't use the console -- or have > X installed or heads on the machines. Can this be done from the CLI, > maybe with mmr.pl? > Not sure about mmr.pl, but yes, this can be done via ldapmodify. First, you have to find the DN of the replication agreement from another master to the one you want to initialize. 
ldapsearch -x -h othermaster -D "cn=directory manager" -w password -s sub -b cn=config "objectclass=nsDS5ReplicationAgreement" cn nsDS5ReplicaHost nsDS5ReplicaPort

There may be several, you'll have to figure out which one goes to the master you want to initialize

Next, use ldapmodify to start the repl init:

ldapmodify -x -h othermaster -D "cn=directory manager" -w password
dn: dn of the repl agreement
changetype: modify
replace: nsds5BeginReplicaRefresh
nsds5BeginReplicaRefresh: start

Then check the error logs for both masters to see when repl init is completed.

> Chris St. Pierre
> Unix Systems Administrator
> Nebraska Wesleyan University
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From rmeggins at redhat.com Thu Oct 5 15:16:19 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 05 Oct 2006 09:16:19 -0600
Subject: [Fedora-directory-users] trying to build
In-Reply-To: References: Message-ID: <452521C3.4040502@redhat.com>

Jo De Troy wrote:
>>> Hello,
>>>
>
>> I'm trying to build FDS myself and I'm using the steps
> documented on the wiki.
>>>
>>> When I start compiling perlldap I get the question below:
>>>
>>> PerLDAP - Perl 5 Module for LDAP
>>> ================================
>>> Directory containing 'include' and 'lib' directory of the Mozilla
>>> LDAP Software Developer Kit (default: /opt/mozldap)
>
>>> I know the SDK is checked out in mozilla/directory/c-sdk but I
>>> don't
>>> see the lib directories there, the include directory is there.
>
>> Have you built it already? All of the mozilla components put their
> release files under >mozilla/dist. Perldap should automatically find
> everything under there. Just hit "enter" at >the >perldap prompts.
> > Hello Rich, > > the default value is /opt/mozldap. This surely isn't correct. I'll add > /mozilla/dist/Linux2.6_x86_glibc_PTH_OPT.OBJ instead Ok, but you shouldn't have to, you should just be able to hit "enter" at that prompt. If it doesn't find /opt/mozldap, it will search under mozilla/dist. > > Bye, > Jo > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From jo.de.troy at gmail.com Thu Oct 5 15:40:12 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Thu, 5 Oct 2006 17:40:12 +0200 Subject: [Fedora-directory-users] trying to build Message-ID: Hi Rich, I get an error when compiling the directoryserver gmake[2]: *** [../../../built/RHEL4_x86_gcc3_OPT.OBJ/dsadmin/obj/ux-dialog.o] Error 1 Do you know what's causing this? Bye, Jo From rmeggins at redhat.com Thu Oct 5 15:45:52 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 05 Oct 2006 09:45:52 -0600 Subject: [Fedora-directory-users] trying to build In-Reply-To: References: Message-ID: <452528B0.9060605@redhat.com> Jo De Troy wrote: > Hi Rich, > > I get an error when compiling the directoryserver > > gmake[2]: *** > [../../../built/RHEL4_x86_gcc3_OPT.OBJ/dsadmin/obj/ux-dialog.o] > Error 1 > Do you know what's causing this? It probably can't find setuputil. Can you post more make output? > > Bye, > Jo > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... 
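The multi-stage lookup Richard sketches in the "multiple naming attributes in DN" thread above (uid under the caller's own site, then uid under the company root, then a globally unique attribute such as mail once uid is ambiguous), written out as an added example. It is not code from the list or from Fedora Directory Server. The entries, site names and mail addresses are constructed; the suffixes follow Gennaro's dc=siteN,dc=company,dc=com layout, and the in-memory `search` stands in for an LDAP subtree search.

```python
"""Multi-stage login lookup across per-site LDAP subtrees.

Added example (not from the mailing list or the Fedora Directory Server
project). It models the order Richard describes: uid under the caller's own
site, then uid under the company root, then a globally unique attribute
(mail) once uid is ambiguous. Entries, sites and addresses are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    dn: str
    uid: str
    mail: str


COMPANY_BASE = "dc=company,dc=com"

# Constructed sample tree: uid "smith" exists at two sites, so it is unique
# only within a site; mail is unique company-wide.
DIRECTORY = [
    Entry("uid=smith,ou=People,dc=site1,dc=company,dc=com", "smith", "smith@site1.company.com"),
    Entry("uid=smith,ou=People,dc=site2,dc=company,dc=com", "smith", "smith@site2.company.com"),
    Entry("uid=jones,ou=People,dc=site2,dc=company,dc=com", "jones", "jones@site2.company.com"),
]


def _rdns(dn):
    """Split a DN into lower-cased RDNs (no escaping handled: sample DNs only)."""
    return [part.strip().lower() for part in dn.split(",")]


def is_under(dn, base):
    """True when dn lies at or below base (base's RDNs are a suffix of dn's)."""
    d, b = _rdns(dn), _rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b


def search(directory, base, attr, value):
    """Subtree search: entries under base whose attr equals value, case-insensitively."""
    value = value.lower()
    return [e for e in directory
            if is_under(e.dn, base) and getattr(e, attr).lower() == value]


def resolve_login(directory, login, site_base=None, company_base=COMPANY_BASE):
    """Map a login name to exactly one entry.

    Returns (entry, stage) on a unique match, or (None, reason) otherwise.
    A lookup that matches several entries is refused rather than resolved
    to the first hit: binding "the first smith" would let one site's user
    authenticate as another's.
    """
    # Stage 1: site-local uid (only when the service belongs to a site).
    if site_base is not None:
        hits = search(directory, site_base, "uid", login)
        if len(hits) == 1:
            return hits[0], "site-uid"
    # Stage 2: company-wide uid, accepted only if it is unique.
    uid_hits = search(directory, company_base, "uid", login)
    if len(uid_hits) == 1:
        return uid_hits[0], "company-uid"
    # Stage 3: company-wide unique attribute (mail) for the ambiguous case.
    mail_hits = search(directory, company_base, "mail", login)
    if len(mail_hits) == 1:
        return mail_hits[0], "company-mail"
    return None, "ambiguous-uid" if uid_hits else "not-found"


if __name__ == "__main__":
    for login, site in [("smith", "dc=site1,dc=company,dc=com"),
                        ("smith", None),
                        ("smith@site2.company.com", None),
                        ("jones", "dc=site1,dc=company,dc=com")]:
        entry, how = resolve_login(DIRECTORY, login, site)
        print(f"{login!r} from {site}: {how} -> {entry.dn if entry else None}")
```

The point of the three stages is that a site-bound service (PAM on a site1 host) keeps short uid logins, while a shared service with no site base gets "ambiguous-uid" for "smith" and must be given the mail address instead. Whatever does the real search bind (Apache, PAM, the virtual directory) should apply the same rule: more than one hit is a refusal, never a pick.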
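Richard's recovery procedure from the "Incremental Update Failed" thread above (confirm from the errors log that the restarted master is the one whose changelog is out of sync, find the agreement on a healthy master that points at it, then set nsds5BeginReplicaRefresh: start on that agreement) as an added example; this is not code from the list or from Fedora Directory Server. The two NSMMReplicationPlugin log lines are the ones Chris posted; the filler log line, the host names, the dc=example,dc=com suffix and the agreement entries are constructed, and the attribute names are those in Richard's ldapsearch and ldapmodify commands.

```python
"""Confirm a post-crash replication failure and build the LDIF that starts a
replica re-initialization from a healthy master.

Added example; not code from the mailing list or from Fedora Directory
Server. Following Richard's advice, the master that lost power is the one to
re-initialize, so the refresh is started on an agreement that lives on
ANOTHER master and points at it. Attribute names are the ones in Richard's
ldapsearch/ldapmodify commands; host names, the dc=example,dc=com suffix and
the agreement entries are constructed sample data.
"""
import re

# Constructed: errors log of the master that was power-cycled. The two
# NSMMReplicationPlugin lines are the ones Chris quoted; the first line is
# constructed filler.
CRASHED_MASTER_LOG = """\
[04/Oct/2006:13:58:50 -0500] - constructed filler line, not a replication message
[04/Oct/2006:13:59:03 -0500] NSMMReplicationPlugin - agmt="cn="Replication to zeppo.nebrwesleyan.edu"" (zeppo:389): Missing data encountered
[04/Oct/2006:13:59:04 -0500] NSMMReplicationPlugin - agmt="cn="Replication to zeppo.nebrwesleyan.edu"" (zeppo:389): Incremental update failed and requires administrator action
"""

# Constructed: what the ldapsearch for objectclass=nsDS5ReplicationAgreement
# under cn=config might return on a healthy master.
HEALTHY_MASTER_AGREEMENTS = """\
dn: cn=Replication to zeppo,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
cn: Replication to zeppo
nsDS5ReplicaHost: zeppo.nebrwesleyan.edu
nsDS5ReplicaPort: 389

dn: cn=Replication to crashed,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
cn: Replication to crashed
nsDS5ReplicaHost: crashed-master.example.com
nsDS5ReplicaPort: 389
"""

AGMT_RE = re.compile(
    r'NSMMReplicationPlugin - agmt="(?P<agmt>.*?)" '
    r'\((?P<host>[^:)]+):(?P<port>\d+)\): (?P<msg>.*)$')
NEEDS_ADMIN = "requires administrator action"


def failed_agreements(log_text):
    """Agreements on this server whose incremental update needs admin action.

    Returns [(agreement name, peer host, peer port)] in log order.
    """
    found = []
    for line in log_text.splitlines():
        m = AGMT_RE.search(line)
        if m and NEEDS_ADMIN in m.group("msg"):
            found.append((m.group("agmt"), m.group("host"), int(m.group("port"))))
    return found


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value'."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def agreement_dn_for(agreements_ldif, target_host, target_port=389):
    """DN of the agreement on the healthy master that points at target_host."""
    want = target_host.lower()
    for entry in parse_ldif(agreements_ldif):
        hosts = [h.lower() for h in entry.get("nsDS5ReplicaHost", [])]
        ports = [int(p) for p in entry.get("nsDS5ReplicaPort", ["389"])]
        if want in hosts and target_port in ports:
            return entry["dn"][0]
    return None


def reinit_ldif(agreement_dn):
    """LDIF for ldapmodify on the healthy master. The refresh overwrites the
    target's database, so the DN must point at the broken master only."""
    return (f"dn: {agreement_dn}\n"
            "changetype: modify\n"
            "replace: nsds5BeginReplicaRefresh\n"
            "nsds5BeginReplicaRefresh: start\n")


def plan_reinit(crashed_log, crashed_host, healthy_agreements):
    """Return the LDIF to run on the healthy master, or None if the crashed
    master's log shows no failure that needs administrator action."""
    if not failed_agreements(crashed_log):
        return None
    dn = agreement_dn_for(healthy_agreements, crashed_host)
    if dn is None:
        raise LookupError(f"no agreement on the healthy master points at {crashed_host}")
    return reinit_ldif(dn)


if __name__ == "__main__":
    print(plan_reinit(CRASHED_MASTER_LOG, "crashed-master.example.com",
                      HEALTHY_MASTER_AGREEMENTS))
```

The printed LDIF is what gets piped into Richard's `ldapmodify -x -h othermaster -D "cn=directory manager" ...` on the healthy master; the block matches the agreement by exact host name, so check the DN it picked before running it, since the refresh replaces the target's whole database. Richard's command passes the Directory Manager password as `-w password`, which leaves it visible in the process list and shell history; the OpenLDAP client's `-W` prompts for it instead. The thread does not quote the log message that marks a finished refresh, so the block does not try to detect completion; follow Richard's advice and read both masters' error logs.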
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From jo.de.troy at gmail.com Thu Oct 5 15:45:42 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Thu, 5 Oct 2006 17:45:42 +0200 Subject: [Fedora-directory-users] trying to build Message-ID: Hi Rich, is this enough? Bye, Jo ux-dialog.cc: In function `int isAValidDN(const char*)': ux-dialog.cc:186: error: `ldap_explode_dn' was not declared in this scope ux-dialog.cc:194: error: `ldap_value_free' was not declared in this scope ux-dialog.cc:194: warning: unused variable 'ldap_value_free' ux-dialog.cc:196: error: `ldap_value_free' was not declared in this scope ux-dialog.cc:196: warning: unused variable 'ldap_value_free' ux-dialog.cc:203: error: `UTF8ToLocal' was not declared in this scope ux-dialog.cc:206: error: `NSString' was not declared in this scope ux-dialog.cc:206: error: expected `;' before "msg" ux-dialog.cc:210: error: `msg' was not declared in this scope ux-dialog.cc:211: error: `nsSetupFree' was not declared in this scope ux-dialog.cc:206: warning: unused variable 'NSString' ux-dialog.cc:210: warning: unused variable 'msg' ux-dialog.cc: In function `int isValid(const char*)': ux-dialog.cc:253: error: `ldap_utf8isspace' was not declared in this scope ux-dialog.cc:254: error: `LDAP_UTF8INC' was not declared in this scope ux-dialog.cc:253: warning: unused variable 'ldap_utf8isspace' ux-dialog.cc:254: warning: unused variable 'LDAP_UTF8INC' ux-dialog.cc: At global scope: ux-dialog.cc:317: error: `Dialog' was not declared in this scope ux-dialog.cc:317: error: `me' was not declared in this scope ux-dialog.cc:317: error: expected primary-expression before "const" ux-dialog.cc:317: error: expected primary-expression before "const" ux-dialog.cc:318: error: initializer expression list treated as compound expression ux-dialog.cc:318: error: expected `,' or `;' before '{' token ux-dialog.cc:342: error: `DialogInput' does not name a type ux-dialog.cc:358: 
error: `DialogAction' does not name a type ux-dialog.cc:424: error: `DialogAction' does not name a type ux-dialog.cc:474: error: `DialogInput' does not name a type ux-dialog.cc:487: error: `DialogAction' does not name a type ux-dialog.cc:556: error: `DialogAction' does not name a type ux-dialog.cc:621: error: `DialogInput' does not name a type ux-dialog.cc:634: error: `DialogAction' does not name a type ux-dialog.cc:692: error: `DialogAction' does not name a type ux-dialog.cc:787: error: `DialogInput' does not name a type ux-dialog.cc:799: error: `DialogAction' does not name a type ux-dialog.cc:824: error: `DialogAction' does not name a type ux-dialog.cc:853: error: `DialogInput' does not name a type ux-dialog.cc:869: error: `DialogAction' does not name a type ux-dialog.cc:886: error: `DialogAction' does not name a type ux-dialog.cc:984: error: `DialogYesNo' does not name a type ux-dialog.cc:997: error: `DialogAction' does not name a type ux-dialog.cc:1015: error: `DialogAction' does not name a type ux-dialog.cc:1034: error: `DialogYesNo' does not name a type ux-dialog.cc:1054: error: `DialogAction' does not name a type ux-dialog.cc:1084: error: `DialogAction' does not name a type ux-dialog.cc:1130: error: `DialogInput' does not name a type ux-dialog.cc:1143: error: `DialogAction' does not name a type ux-dialog.cc:1167: error: `DialogAction' does not name a type ux-dialog.cc:1208: error: `DialogYesNo' does not name a type ux-dialog.cc:1223: error: `DialogAction' does not name a type ux-dialog.cc:1236: error: `DialogAction' does not name a type ux-dialog.cc:1261: error: `DialogYesNo' does not name a type ux-dialog.cc:1278: error: `DialogAction' does not name a type ux-dialog.cc:1296: error: `DialogAction' does not name a type ux-dialog.cc:1326: error: `DialogYesNo' does not name a type ux-dialog.cc:1343: error: `DialogAction' does not name a type ux-dialog.cc:1361: error: `DialogAction' does not name a type ux-dialog.cc:1391: error: `DialogInput' does not name a 
type ux-dialog.cc:1403: error: `DialogAction' does not name a type ux-dialog.cc:1425: error: `DialogAction' does not name a type ux-dialog.cc:1455: error: `DialogInput' does not name a type ux-dialog.cc:1467: error: `DialogAction' does not name a type ux-dialog.cc:1494: error: `DialogAction' does not name a type ux-dialog.cc:1536: error: `DialogInput' does not name a type ux-dialog.cc:1550: error: `DialogAction' does not name a type ux-dialog.cc:1573: error: `DialogAction' does not name a type ux-dialog.cc:1641: error: `DialogInput' does not name a type ux-dialog.cc:1653: error: `DialogAction' does not name a type ux-dialog.cc:1676: error: `DialogAction' does not name a type ux-dialog.cc:1740: error: `DialogYesNo' does not name a type ux-dialog.cc:1752: error: `DialogAction' does not name a type ux-dialog.cc:1771: error: `DialogAction' does not name a type ux-dialog.cc:1794: error: `DialogInput' does not name a type ux-dialog.cc:1809: error: `DialogAction' does not name a type ux-dialog.cc:1832: error: `DialogAction' does not name a type ux-dialog.cc:1871: error: `DialogInput' does not name a type ux-dialog.cc:1884: error: `DialogAction' does not name a type ux-dialog.cc:1906: error: `DialogAction' does not name a type ux-dialog.cc:1938: error: `DialogInput' does not name a type ux-dialog.cc:1952: error: `DialogAction' does not name a type ux-dialog.cc:1979: error: `DialogAction' does not name a type ux-dialog.cc:2005: error: `DialogInput' does not name a type ux-dialog.cc:2021: error: `DialogAction' does not name a type ux-dialog.cc:2044: error: `DialogAction' does not name a type ux-dialog.cc:2129: error: `DialogInput' does not name a type ux-dialog.cc:2148: error: `DialogAction' does not name a type ux-dialog.cc:2171: error: `DialogAction' does not name a type ux-dialog.cc:2263: error: `DialogInput' does not name a type ux-dialog.cc:2275: error: `DialogAction' does not name a type ux-dialog.cc:2297: error: `DialogAction' does not name a type ux-dialog.cc:2327: 
error: `DialogInput' does not name a type ux-dialog.cc:2339: error: `DialogAction' does not name a type ux-dialog.cc:2366: error: `DialogAction' does not name a type ux-dialog.cc:2408: error: `DialogInput' does not name a type ux-dialog.cc:2423: error: `DialogAction' does not name a type ux-dialog.cc:2446: error: `DialogAction' does not name a type ux-dialog.cc:2514: error: `DialogInput' does not name a type ux-dialog.cc:2526: error: `DialogAction' does not name a type ux-dialog.cc:2549: error: `DialogAction' does not name a type ux-dialog.cc:2613: error: `DialogYesNo' does not name a type ux-dialog.cc:2625: error: `DialogAction' does not name a type ux-dialog.cc:2644: error: `DialogAction' does not name a type ux-dialog.cc:2667: error: `DialogInput' does not name a type ux-dialog.cc:2684: error: `DialogAction' does not name a type ux-dialog.cc:2712: error: `DialogAction' does not name a type ux-dialog.cc:2785: error: `DialogInput' does not name a type ux-dialog.cc:2802: error: `DialogAction' does not name a type ux-dialog.cc:2830: error: `DialogAction' does not name a type ux-dialog.cc:2902: error: `DialogInput' does not name a type ux-dialog.cc:2919: error: `DialogAction' does not name a type ux-dialog.cc:2942: error: `DialogAction' does not name a type ux-dialog.cc:3029: error: `DialogInput' does not name a type ux-dialog.cc:3046: error: `DialogAction' does not name a type ux-dialog.cc:3069: error: `DialogAction' does not name a type ux-dialog.cc:3156: error: `DialogYesNo' does not name a type ux-dialog.cc:3179: error: `DialogAction' does not name a type ux-dialog.cc:3228: error: `DialogAction' does not name a type ux-dialog.cc:3253: error: `DialogInput' does not name a type ux-dialog.cc:3266: error: `DialogAction' does not name a type ux-dialog.cc:3284: error: `DialogAction' does not name a type ux-dialog.cc:3318: error: `DialogInput' does not name a type ux-dialog.cc:3330: error: `DialogAction' does not name a type ux-dialog.cc:3348: error: `DialogAction' does 
not name a type ux-dialog.cc:3389: error: `DialogInput' does not name a type ux-dialog.cc:3404: error: `DialogAction' does not name a type ux-dialog.cc:3424: error: `DialogAction' does not name a type ux-dialog.cc:3558: error: `DialogYesNo' does not name a type ux-dialog.cc:3574: error: `DialogAction' does not name a type ux-dialog.cc:3587: error: `DialogAction' does not name a type ux-dialog.cc:3606: error: `DialogInput' does not name a type ux-dialog.cc:3625: error: `DialogAction' does not name a type ux-dialog.cc:3659: error: `DialogAction' does not name a type ux-dialog.cc:3728: error: `DialogInput' does not name a type ux-dialog.cc:3747: error: `DialogAction' does not name a type ux-dialog.cc:3776: error: `DialogAction' does not name a type ux-dialog.cc:3808: error: `DialogYesNo' does not name a type ux-dialog.cc:3823: error: `DialogAction' does not name a type ux-dialog.cc:3872: error: `DialogAction' does not name a type ux-dialog.cc:3897: error: `DialogInput' does not name a type ux-dialog.cc:3909: error: `DialogAction' does not name a type ux-dialog.cc:3929: error: `DialogAction' does not name a type ux-dialog.cc:3963: error: `DialogInput' does not name a type ux-dialog.cc:3974: error: `DialogAction' does not name a type ux-dialog.cc:3994: error: `DialogAction' does not name a type ux-dialog.cc:4035: error: `DialogInput' does not name a type ux-dialog.cc:4050: error: `DialogAction' does not name a type ux-dialog.cc:4070: error: `DialogAction' does not name a type ux-dialog.cc:4162: error: `DialogInput' does not name a type ux-dialog.cc:4173: error: `DialogAction' does not name a type ux-dialog.cc:4193: error: `DialogAction' does not name a type ux-dialog.cc:4225: error: `DialogInput' does not name a type ux-dialog.cc:4235: error: `DialogAction' does not name a type ux-dialog.cc:4259: error: `DialogAction' does not name a type ux-dialog.cc:80: warning: 'DEFAULT_SLAPDUSER' defined but not used ux-dialog.cc:177: warning: 'int isAValidDN(const char*)' defined 
but not used
ux-dialog.cc:236: warning: 'int rootDNPwdIsValid(const char*)' defined but not used
ux-dialog.cc:264: warning: 'int isValidServerID(const char*)' defined but not used
ux-dialog.cc:289: warning: 'int isValidYesNo(const char*)' defined but not used
ux-dialog.cc:317: warning: 'dialogSetup' defined but not used
gmake[2]: *** [../../../built/RHEL4_x86_gcc3_OPT.OBJ/dsadmin/obj/ux-dialog.o] Error 1
gmake[2]: Leaving directory `/home/ldap/ds71/ldapserver/ldap/cm/newinst'
gmake[1]: *** [ldapprogs] Error 2
gmake[1]: Leaving directory `/home/ldap/ds71/ldapserver/ldap'
gmake: *** [buildDirectory] Error 2

From rmeggins at redhat.com Thu Oct 5 15:59:56 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 05 Oct 2006 09:59:56 -0600
Subject: [Fedora-directory-users] trying to build
In-Reply-To:
References:
Message-ID: <45252BFC.9090609@redhat.com>

Jo De Troy wrote:
> Hi Rich,
>
> is this enough?
This just means it's not finding anything - no ldapsdk nor setuputil. Can you post the gcc command line and the gmake command line?
> > Bye, > Jo > > ux-dialog.cc: In function `int isAValidDN(const char*)': > ux-dialog.cc:186: error: `ldap_explode_dn' was not declared in this scope > ux-dialog.cc:194: error: `ldap_value_free' was not declared in this scope > ux-dialog.cc:194: warning: unused variable 'ldap_value_free' > ux-dialog.cc:196: error: `ldap_value_free' was not declared in this scope > ux-dialog.cc:196: warning: unused variable 'ldap_value_free' > ux-dialog.cc:203: error: `UTF8ToLocal' was not declared in this scope > ux-dialog.cc:206: error: `NSString' was not declared in this scope > ux-dialog.cc:206: error: expected `;' before "msg" > ux-dialog.cc:210: error: `msg' was not declared in this scope > ux-dialog.cc:211: error: `nsSetupFree' was not declared in this scope > ux-dialog.cc:206: warning: unused variable 'NSString' > ux-dialog.cc:210: warning: unused variable 'msg' > ux-dialog.cc: In function `int isValid(const char*)': > ux-dialog.cc:253: error: `ldap_utf8isspace' was not declared in this > scope > ux-dialog.cc:254: error: `LDAP_UTF8INC' was not declared in this scope > ux-dialog.cc:253: warning: unused variable 'ldap_utf8isspace' > ux-dialog.cc:254: warning: unused variable 'LDAP_UTF8INC' > ux-dialog.cc: At global scope: > ux-dialog.cc:317: error: `Dialog' was not declared in this scope > ux-dialog.cc:317: error: `me' was not declared in this scope > ux-dialog.cc:317: error: expected primary-expression before "const" > ux-dialog.cc:317: error: expected primary-expression before "const" > ux-dialog.cc:318: error: initializer expression list treated as > compound expression > ux-dialog.cc:318: error: expected `,' or `;' before '{' token > ux-dialog.cc:342: error: `DialogInput' does not name a type > ux-dialog.cc:358: error: `DialogAction' does not name a type > ux-dialog.cc:424: error: `DialogAction' does not name a type > ux-dialog.cc:474: error: `DialogInput' does not name a type > ux-dialog.cc:487: error: `DialogAction' does not name a type > ux-dialog.cc:556: error: 
`DialogAction' does not name a type > ux-dialog.cc:621: error: `DialogInput' does not name a type > ux-dialog.cc:634: error: `DialogAction' does not name a type > ux-dialog.cc:692: error: `DialogAction' does not name a type > ux-dialog.cc:787: error: `DialogInput' does not name a type > ux-dialog.cc:799: error: `DialogAction' does not name a type > ux-dialog.cc:824: error: `DialogAction' does not name a type > ux-dialog.cc:853: error: `DialogInput' does not name a type > ux-dialog.cc:869: error: `DialogAction' does not name a type > ux-dialog.cc:886: error: `DialogAction' does not name a type > ux-dialog.cc:984: error: `DialogYesNo' does not name a type > ux-dialog.cc:997: error: `DialogAction' does not name a type > ux-dialog.cc:1015: error: `DialogAction' does not name a type > ux-dialog.cc:1034: error: `DialogYesNo' does not name a type > ux-dialog.cc:1054: error: `DialogAction' does not name a type > ux-dialog.cc:1084: error: `DialogAction' does not name a type > ux-dialog.cc:1130: error: `DialogInput' does not name a type > ux-dialog.cc:1143: error: `DialogAction' does not name a type > ux-dialog.cc:1167: error: `DialogAction' does not name a type > ux-dialog.cc:1208: error: `DialogYesNo' does not name a type > ux-dialog.cc:1223: error: `DialogAction' does not name a type > ux-dialog.cc:1236: error: `DialogAction' does not name a type > ux-dialog.cc:1261: error: `DialogYesNo' does not name a type > ux-dialog.cc:1278: error: `DialogAction' does not name a type > ux-dialog.cc:1296: error: `DialogAction' does not name a type > ux-dialog.cc:1326: error: `DialogYesNo' does not name a type > ux-dialog.cc:1343: error: `DialogAction' does not name a type > ux-dialog.cc:1361: error: `DialogAction' does not name a type > ux-dialog.cc:1391: error: `DialogInput' does not name a type > ux-dialog.cc:1403: error: `DialogAction' does not name a type > ux-dialog.cc:1425: error: `DialogAction' does not name a type > ux-dialog.cc:1455: error: `DialogInput' does not name a type > 
ux-dialog.cc:1467: error: `DialogAction' does not name a type > ux-dialog.cc:1494: error: `DialogAction' does not name a type > ux-dialog.cc:1536: error: `DialogInput' does not name a type > ux-dialog.cc:1550: error: `DialogAction' does not name a type > ux-dialog.cc:1573: error: `DialogAction' does not name a type > ux-dialog.cc:1641: error: `DialogInput' does not name a type > ux-dialog.cc:1653: error: `DialogAction' does not name a type > ux-dialog.cc:1676: error: `DialogAction' does not name a type > ux-dialog.cc:1740: error: `DialogYesNo' does not name a type > ux-dialog.cc:1752: error: `DialogAction' does not name a type > ux-dialog.cc:1771: error: `DialogAction' does not name a type > ux-dialog.cc:1794: error: `DialogInput' does not name a type > ux-dialog.cc:1809: error: `DialogAction' does not name a type > ux-dialog.cc:1832: error: `DialogAction' does not name a type > ux-dialog.cc:1871: error: `DialogInput' does not name a type > ux-dialog.cc:1884: error: `DialogAction' does not name a type > ux-dialog.cc:1906: error: `DialogAction' does not name a type > ux-dialog.cc:1938: error: `DialogInput' does not name a type > ux-dialog.cc:1952: error: `DialogAction' does not name a type > ux-dialog.cc:1979: error: `DialogAction' does not name a type > ux-dialog.cc:2005: error: `DialogInput' does not name a type > ux-dialog.cc:2021: error: `DialogAction' does not name a type > ux-dialog.cc:2044: error: `DialogAction' does not name a type > ux-dialog.cc:2129: error: `DialogInput' does not name a type > ux-dialog.cc:2148: error: `DialogAction' does not name a type > ux-dialog.cc:2171: error: `DialogAction' does not name a type > ux-dialog.cc:2263: error: `DialogInput' does not name a type > ux-dialog.cc:2275: error: `DialogAction' does not name a type > ux-dialog.cc:2297: error: `DialogAction' does not name a type > ux-dialog.cc:2327: error: `DialogInput' does not name a type > ux-dialog.cc:2339: error: `DialogAction' does not name a type > ux-dialog.cc:2366: error: 
`DialogAction' does not name a type > ux-dialog.cc:2408: error: `DialogInput' does not name a type > ux-dialog.cc:2423: error: `DialogAction' does not name a type > ux-dialog.cc:2446: error: `DialogAction' does not name a type > ux-dialog.cc:2514: error: `DialogInput' does not name a type > ux-dialog.cc:2526: error: `DialogAction' does not name a type > ux-dialog.cc:2549: error: `DialogAction' does not name a type > ux-dialog.cc:2613: error: `DialogYesNo' does not name a type > ux-dialog.cc:2625: error: `DialogAction' does not name a type > ux-dialog.cc:2644: error: `DialogAction' does not name a type > ux-dialog.cc:2667: error: `DialogInput' does not name a type > ux-dialog.cc:2684: error: `DialogAction' does not name a type > ux-dialog.cc:2712: error: `DialogAction' does not name a type > ux-dialog.cc:2785: error: `DialogInput' does not name a type > ux-dialog.cc:2802: error: `DialogAction' does not name a type > ux-dialog.cc:2830: error: `DialogAction' does not name a type > ux-dialog.cc:2902: error: `DialogInput' does not name a type > ux-dialog.cc:2919: error: `DialogAction' does not name a type > ux-dialog.cc:2942: error: `DialogAction' does not name a type > ux-dialog.cc:3029: error: `DialogInput' does not name a type > ux-dialog.cc:3046: error: `DialogAction' does not name a type > ux-dialog.cc:3069: error: `DialogAction' does not name a type > ux-dialog.cc:3156: error: `DialogYesNo' does not name a type > ux-dialog.cc:3179: error: `DialogAction' does not name a type > ux-dialog.cc:3228: error: `DialogAction' does not name a type > ux-dialog.cc:3253: error: `DialogInput' does not name a type > ux-dialog.cc:3266: error: `DialogAction' does not name a type > ux-dialog.cc:3284: error: `DialogAction' does not name a type > ux-dialog.cc:3318: error: `DialogInput' does not name a type > ux-dialog.cc:3330: error: `DialogAction' does not name a type > ux-dialog.cc:3348: error: `DialogAction' does not name a type > ux-dialog.cc:3389: error: `DialogInput' does not 
name a type > ux-dialog.cc:3404: error: `DialogAction' does not name a type > ux-dialog.cc:3424: error: `DialogAction' does not name a type > ux-dialog.cc:3558: error: `DialogYesNo' does not name a type > ux-dialog.cc:3574: error: `DialogAction' does not name a type > ux-dialog.cc:3587: error: `DialogAction' does not name a type > ux-dialog.cc:3606: error: `DialogInput' does not name a type > ux-dialog.cc:3625: error: `DialogAction' does not name a type > ux-dialog.cc:3659: error: `DialogAction' does not name a type > ux-dialog.cc:3728: error: `DialogInput' does not name a type > ux-dialog.cc:3747: error: `DialogAction' does not name a type > ux-dialog.cc:3776: error: `DialogAction' does not name a type > ux-dialog.cc:3808: error: `DialogYesNo' does not name a type > ux-dialog.cc:3823: error: `DialogAction' does not name a type > ux-dialog.cc:3872: error: `DialogAction' does not name a type > ux-dialog.cc:3897: error: `DialogInput' does not name a type > ux-dialog.cc:3909: error: `DialogAction' does not name a type > ux-dialog.cc:3929: error: `DialogAction' does not name a type > ux-dialog.cc:3963: error: `DialogInput' does not name a type > ux-dialog.cc:3974: error: `DialogAction' does not name a type > ux-dialog.cc:3994: error: `DialogAction' does not name a type > ux-dialog.cc:4035: error: `DialogInput' does not name a type > ux-dialog.cc:4050: error: `DialogAction' does not name a type > ux-dialog.cc:4070: error: `DialogAction' does not name a type > ux-dialog.cc:4162: error: `DialogInput' does not name a type > ux-dialog.cc:4173: error: `DialogAction' does not name a type > ux-dialog.cc:4193: error: `DialogAction' does not name a type > ux-dialog.cc:4225: error: `DialogInput' does not name a type > ux-dialog.cc:4235: error: `DialogAction' does not name a type > ux-dialog.cc:4259: error: `DialogAction' does not name a type > ux-dialog.cc:80: warning: 'DEFAULT_SLAPDUSER' defined but not used > ux-dialog.cc:177: warning: 'int isAValidDN(const char*)' defined but 
> not used
> ux-dialog.cc:236: warning: 'int rootDNPwdIsValid(const char*)' defined but not used
> ux-dialog.cc:264: warning: 'int isValidServerID(const char*)' defined but not used
> ux-dialog.cc:289: warning: 'int isValidYesNo(const char*)' defined but not used
> ux-dialog.cc:317: warning: 'dialogSetup' defined but not used
> gmake[2]: *** [../../../built/RHEL4_x86_gcc3_OPT.OBJ/dsadmin/obj/ux-dialog.o] Error 1
> gmake[2]: Leaving directory `/home/ldap/ds71/ldapserver/ldap/cm/newinst'
> gmake[1]: *** [ldapprogs] Error 2
> gmake[1]: Leaving directory `/home/ldap/ds71/ldapserver/ldap'
> gmake: *** [buildDirectory] Error 2
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From jo.de.troy at gmail.com Thu Oct 5 15:57:09 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Thu, 5 Oct 2006 17:57:09 +0200
Subject: [Fedora-directory-users] trying to build
Message-ID:

Hi Rich,

seems like it's going wrong when starting to build the new unix installer

# new unix installer
cd cm/newinst; gmake BUILD_OPT=1 NO_JAVA=1 -w all
In file included from /usr/lib/gcc/i386-redhat-linux/3.4.6/../../../../include/c++/3.4.6/backward/iostream.h:31,
                 from ux-dialog.cc:53:
/usr/lib/gcc/i386-redhat-linux/3.4.6/../../../../include/c++/3.4.6/backward/backward_warning.h:32:2: warning: #warning This file includes at least one deprecated or antiquated header. Please consider using one of the 32 headers found in section 17.4.1.2 of the C++ standard. Examples include substituting the header for the header for C++ includes, or instead of the deprecated header . To disable this warning use -Wno-deprecated.
ux-dialog.cc:68:18: utf8.h: No such file or directory
ux-dialog.cc:69:21: ux-util.h: No such file or directory
ux-dialog.cc:70:20: dialog.h: No such file or directory
In file included from ux-dialog.cc:71:
ux-dialog.h:43: error: `DialogYesNo' does not name a type
In file included from ux-dialog.cc:72:
ux-config.h:159: error: expected class-name before '{' token
ux-config.h:168: error: `Dialog' has not been declared

Thanks again,
Jo

From jo.de.troy at gmail.com Thu Oct 5 15:58:40 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Thu, 5 Oct 2006 17:58:40 +0200
Subject: [Fedora-directory-users] trying to build
Message-ID:

Hi Rich,

here's the gmake command

# new unix installer
cd cm/newinst; gmake BUILD_OPT=1 NO_JAVA=1 -w all
gmake[2]: Entering directory `/home/ldap/ds71/ldapserver/ldap/cm/newinst'
/usr/bin/g++ -Wall -DNO_DBM -DLINUX -DLINUX2_2 -DLINUX2_4 -fPIC -D_REENTRANT -DNO_NODELOCK -DNO_LIBLCACHE -DXP_UNIX -DLinux -O2 -DMCC_HTTPD -DNS_DOMESTIC -DNET_SSL -DCLIENT_AUTH -DSERVER_BUILD -DNSPR20 -DNS_DS -DSPAPI20 -DBUILD_NUM=\"2006.304.843\" -DUPGRADEDB -DLINUX -DLINUX2_0 -DLINUX2_2 -DLinux -DLDAP_DEBUG -DLDAP_REFERRALS -DLDAP_LDBM -DLDAP_LDIF -DLDBM_USE_DBBTREE -DSLAPD_PASSWD_SHA1 -DLDAP_SSLIO_HOOKS -D__DBINTERFACE_PRIVATE -DNO_LIBLCACHE -DNS_DIRECTORY -O -I../../../ldap/include -I../../../built/RHEL4_x86_gcc3_OPT.OBJ/include -I../../../include -I../../../include -I../../../../mozilla/dist/Linux2.6_x86_glibc_PTH_OPT.OBJ/include -I../../../../mozilla/dist/public/dbm -I../../../../mozilla/dist/public/nss -I../../../../mozilla/dist/public/svrcore -I../../../../mozilla/dist/public/ldap -I/usr/include/sasl -I../../../../setuputil/built/package/RHEL4_x86_gcc3_OPT.OBJ/include -I../../../ldap/admin/include -I../../../ldap/admin/lib -I../../../ldap/admin/src -c ux-dialog.cc -o ../../../built/RHEL4_x86_gcc3_OPT.OBJ/dsadmin/obj/ux-dialog.o
In file included from /usr/lib/gcc/i386-redhat-linux/3.4.6/../../../../include/c++/3.4.6/backward/iostream.h:31,
                 from ux-dialog.cc:53:

Thanks again,
Jo

From rmeggins at redhat.com Thu Oct 5 16:05:33 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 05 Oct 2006 10:05:33 -0600
Subject: [Fedora-directory-users] trying to build
In-Reply-To:
References:
Message-ID: <45252D4D.9050807@redhat.com>

Jo De Troy wrote:
> Hi Rich,
>
> here's the gmake command
>
> # new unix installer
> cd cm/newinst; gmake BUILD_OPT=1 NO_JAVA=1 -w all
> gmake[2]: Entering directory `/home/ldap/ds71/ldapserver/ldap/cm/newinst'
> /usr/bin/g++ -Wall -DNO_DBM -DLINUX -DLINUX2_2 -DLINUX2_4 -fPIC -D_REENTRANT -DNO_NODELOCK -DNO_LIBLCACHE -DXP_UNIX -DLinux -O2 -DMCC_HTTPD -DNS_DOMESTIC -DNET_SSL -DCLIENT_AUTH -DSERVER_BUILD -DNSPR20 -DNS_DS -DSPAPI20 -DBUILD_NUM=\"2006.304.843\" -DUPGRADEDB -DLINUX -DLINUX2_0 -DLINUX2_2 -DLinux -DLDAP_DEBUG -DLDAP_REFERRALS -DLDAP_LDBM -DLDAP_LDIF -DLDBM_USE_DBBTREE -DSLAPD_PASSWD_SHA1 -DLDAP_SSLIO_HOOKS -D__DBINTERFACE_PRIVATE -DNO_LIBLCACHE -DNS_DIRECTORY -O -I../../../ldap/include -I../../../built/RHEL4_x86_gcc3_OPT.OBJ/include -I../../../include -I../../../include -I../../../../mozilla/dist/Linux2.6_x86_glibc_PTH_OPT.OBJ/include -I../../../../mozilla/dist/public/dbm -I../../../../mozilla/dist/public/nss -I../../../../mozilla/dist/public/svrcore -I../../../../mozilla/dist/public/ldap -I/usr/include/sasl -I../../../../setuputil/built/package/RHEL4_x86_gcc3_OPT.OBJ/include -I../../../ldap/admin/include -I../../../ldap/admin/lib -I../../../ldap/admin/src -c ux-dialog.cc -o ../../../built/RHEL4_x86_gcc3_OPT.OBJ/dsadmin/obj/ux-dialog.o
> In file included from /usr/lib/gcc/i386-redhat-linux/3.4.6/../../../../include/c++/3.4.6/backward/iostream.h:31,
>                  from ux-dialog.cc:53:
Are you using the 1.0.2 sources, or are you trying to build from CVS HEAD? Are you using the dsbuild/one step build method, or manual?
>
> Thanks again,
> Jo
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From oscar.valdez at duraflex-politex.com Thu Oct 5 16:16:56 2006
From: oscar.valdez at duraflex-politex.com (Oscar A. Valdez)
Date: Thu, 05 Oct 2006 10:16:56 -0600
Subject: [Fedora-directory-users] RPM/SRPM issues and old RHEL
In-Reply-To: <45250F55.6080505@redhat.com>
References: <44AB1627.8050906@anchor.com.au> <44AE7968.5020809@redhat.com> <20061005092941.GB32078@captain.bridge.anchor.net.au> <45250F55.6080505@redhat.com>
Message-ID: <1160065017.2117.16.camel@wzowski.duraflex-politex.com>

On Thu, 05-10-2006 at 07:57 -0600, Richard Megginson wrote:
> We are making progress. Note that the next major (i.e. not patch)
> release of the product will use discrete RPM packaging, and each
> discrete RPM will have a buildable SRPM.
> http://directory.fedora.redhat.com/wiki/Discrete_Packaging

Thanks for the info.

1) When do you expect the packages to be available?

2) Will the FC5 packages conform to the FHS?

--
Oscar A. Valdez

From rmeggins at redhat.com Thu Oct 5 16:32:54 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 05 Oct 2006 10:32:54 -0600
Subject: [Fedora-directory-users] RPM/SRPM issues and old RHEL
In-Reply-To: <1160065017.2117.16.camel@wzowski.duraflex-politex.com>
References: <44AB1627.8050906@anchor.com.au> <44AE7968.5020809@redhat.com> <20061005092941.GB32078@captain.bridge.anchor.net.au> <45250F55.6080505@redhat.com> <1160065017.2117.16.camel@wzowski.duraflex-politex.com>
Message-ID: <452533B6.2010301@redhat.com>

Oscar A. Valdez wrote:
> On Thu, 05-10-2006 at 07:57 -0600, Richard Megginson wrote:
>
>> We are making progress. Note that the next major (i.e. not patch)
>> release of the product will use discrete RPM packaging, and each
>> discrete RPM will have a buildable SRPM.
>> http://directory.fedora.redhat.com/wiki/Discrete_Packaging
>>
>
> Thanks for the info.
>
> 1) When do you expect the packages to be available?
>
Don't know. We are hoping to have a beta in the next couple of weeks.
> 2) Will the FC5 packages conform to the FHS?
>
We have proposed this to the Fedora DS community. There has been much, much heated debate on both sides of this issue. Some people vehemently oppose FHS packaging, some welcome and encourage it. The Fedora DS developers are still trying to figure out a way to do what's right for the community. We can certainly make it easy to build your own package from source using either FHS or self-contained style packaging. The real problem is that it is very difficult to provide binary packages and documentation for both formats . . .

From steflik at binghamton.edu Thu Oct 5 17:42:04 2006
From: steflik at binghamton.edu (Dick Steflik)
Date: Thu, 05 Oct 2006 13:42:04 -0400
Subject: [Fedora-directory-users] Trying to run FDS on Core 5
Message-ID: <452543EC.4030800@binghamton.edu>

All,
I'm trying to run FDS for a class I teach, I have previously used the Netscape Directory Server on NT but the hard drive on that machine went belly up this last summer. I decided that Linux would be the way to go for a replacement machine. Anyway, I downloaded the fedora-ds-1.0.2-1FC5.i386.opt.rpm and proceeded with the install. Install seemed to go OK; I started slapd and tried a test query and it worked. I want to load a doctored up version of the old Airius.ldif file so I started looking for the admin-server.
Anyway it seems like there are supposed to be start/stop scripts on /opt/fedora-ds but there aren't....any ideas what might have happened to them? or where I get them from.

Also, I'm running a 512Mb machine which should be OK; but when I try to start up the Java based console I get an "out of memory" message. I would like to think that since only about 30 people are ever going to be doing ldap queries against it that 512Mb of RAM should be OK (it was for the old Netscape Directory Server). I could live without the Java based console if I could get the admin server running as that is the way I always administered the old machine.

Dick Steflik
Binghamton University
Binghamton, New York

From Justin.Crawford at cusys.edu Thu Oct 5 17:51:40 2006
From: Justin.Crawford at cusys.edu (Justin Crawford)
Date: Thu, 5 Oct 2006 11:51:40 -0600
Subject: [Fedora-directory-users] Delete an nsPwPolicyContainer?
Message-ID: <7315857F21D51B449CC55ADE3A5683182BFDE9@ex2k3.ad.cusys.edu>

Howdy,

Is it possible to manually delete this entry using command-line LDAP tools?

dn: cn=nsPwPolicyContainer,ou=the_ou,dc=our,dc=domain
objectClass: nsContainer
objectClass: top
cn: nsPwPolicyContainer
pwdpolicysubentry: cn="cn=nsPwPolicyEntry,ou=the_ou,dc=our,dc=domain",cn=nsPwPolicyContaine
 r,ou=the_ou,dc=our,dc=domain

When I try to delete it with ldapdelete, the error indicates that the entry contains other entries:

$ ldapdelete ... cn=nspwpolicycontainer,ou=the_ou,dc=our,dc=domain
Delete Result: Operation not allowed on non-leaf (66)

Furthermore, when I view it in the console, it _appears_ to contain other entries (cn=nsPwPolicyEntry and cn=nsPwTemplateEntry). However, it doesn't appear to contain other entries when I search from the command line. How do I get at its subtree, if indeed it has a real subtree?
TIA,

Justin Crawford
justin.crawford at cusys.edu

From rmeggins at redhat.com Thu Oct 5 18:03:57 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 05 Oct 2006 12:03:57 -0600
Subject: [Fedora-directory-users] Delete an nsPwPolicyContainer?
In-Reply-To: <7315857F21D51B449CC55ADE3A5683182BFDE9@ex2k3.ad.cusys.edu>
References: <7315857F21D51B449CC55ADE3A5683182BFDE9@ex2k3.ad.cusys.edu>
Message-ID: <4525490D.8070608@redhat.com>

Justin Crawford wrote:
> Howdy,
>
> Is it possible to manually delete this entry using command-line LDAP
> tools?
>
> dn: cn=nsPwPolicyContainer,ou=the_ou,dc=our,dc=domain
> objectClass: nsContainer
> objectClass: top
> cn: nsPwPolicyContainer
> pwdpolicysubentry:
> cn="cn=nsPwPolicyEntry,ou=the_ou,dc=our,dc=domain",cn=nsPwPolicyContaine
> r,ou=the_ou,dc=our,dc=domain
>
> When I try to delete it with ldapdelete, the error indicates that the
> entry contains other entries:
>
> $ ldapdelete ... cn=nspwpolicycontainer,ou=the_ou,dc=our,dc=domain
> Delete Result: Operation not allowed on non-leaf (66)
>
> Furthermore, when I view it in the console, it _appears_ to contain
> other entries (cn=nsPwPolicyEntry and cn=nsPwTemplateEntry). However,
> it doesn't appear to contain other entries when I search from the
> command line.
Try adding |(objectclass=ldapSubentry) to your search filter e.g.
(|(objectclass=*)(objectclass=ldapSubentry))
> How do I get at its subtree, if indeed it has a real
> subtree?
>
> TIA,
>
> Justin Crawford
> justin.crawford at cusys.edu
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
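What the filter above makes visible, and why the ldapdelete in the question returns result 66, as an added example that is not part of the thread: it parses constructed ldapsearch output built from the DNs shown above, splits each DN correctly despite the folded line and the quoted RDN value that contains commas, and orders the entries so the ldapSubentry children are deleted before their container. The host name and bind DN are placeholders.

```python
"""Added example, not from the thread: parse the LDIF that an ldapsearch with
(|(objectclass=*)(objectclass=ldapSubentry)) returns for a password-policy
container, and order the entries so ldapdelete removes children first.
The LDIF, host and bind DN below are constructed placeholders."""

# Without the second term a plain search hides entries of class ldapSubentry.
SUBENTRY_FILTER = "(|(objectclass=*)(objectclass=ldapSubentry))"

# Constructed ldapsearch output using the DNs from the thread.  It has a folded
# line (continuation starts with one space) and an RDN value quoted because it
# contains commas, both of which break naive line/comma splitting.
SAMPLE_LDIF = """\
dn: cn=nsPwPolicyContainer,ou=the_ou,dc=our,dc=domain
objectClass: nsContainer
objectClass: top
cn: nsPwPolicyContainer

dn: cn="cn=nsPwPolicyEntry,ou=the_ou,dc=our,dc=domain",cn=nsPwPolicyContaine
 r,ou=the_ou,dc=our,dc=domain
objectClass: ldapSubentry
objectClass: top

dn: cn="cn=nsPwTemplateEntry,ou=the_ou,dc=our,dc=domain",cn=nsPwPolicyContaine
 r,ou=the_ou,dc=our,dc=domain
objectClass: ldapSubentry
objectClass: top
"""


def unfold_ldif(text: str) -> list[str]:
    """Join LDIF continuation lines (leading space) onto the line before."""
    out: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """One {attribute: [values]} dict per record; attribute names lower-cased."""
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in unfold_ldif(text) + [""]:  # sentinel flushes the last record
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def split_rdns(dn: str) -> list[str]:
    """Split a DN on commas that are neither backslash-escaped nor inside a
    double-quoted RDN value (the quoting form seen in the thread's DN)."""
    rdns, buf, quoted, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep the escape pair verbatim
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            rdns.append("".join(buf).strip())
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def is_subentry(entry: dict[str, list[str]]) -> bool:
    return any(v.lower() == "ldapsubentry" for v in entry.get("objectclass", []))


def deletion_order(entries: list[dict[str, list[str]]]) -> list[str]:
    """Deepest DNs first so nothing is deleted while it still has children
    (that is what produces result 66, 'Operation not allowed on non-leaf')."""
    dns = [e["dn"][0] for e in entries if "dn" in e]
    return sorted(dns, key=lambda d: (-len(split_rdns(d)), d.lower()))


def ldapdelete_argv(order: list[str], host: str = "ldap.example.invalid",
                    bind_dn: str = "cn=directory manager") -> list[str]:
    """OpenLDAP-style ldapdelete command line for that order (placeholder host
    and bind DN; -W prompts for the password instead of putting it in argv)."""
    return ["ldapdelete", "-x", "-h", host, "-D", bind_dn, "-W", *order]
```

Feed the real output of `ldapsearch ... -b "cn=nsPwPolicyContainer,ou=the_ou,dc=our,dc=domain" "(|(objectclass=*)(objectclass=ldapSubentry))" dn objectClass` to `parse_ldif` to get the same ordering for a live directory.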
From rmeggins at redhat.com Thu Oct 5 18:05:21 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 05 Oct 2006 12:05:21 -0600
Subject: [Fedora-directory-users] Trying to run FDS on Core 5
In-Reply-To: <452543EC.4030800@binghamton.edu>
References: <452543EC.4030800@binghamton.edu>
Message-ID: <45254961.1060903@redhat.com>

Dick Steflik wrote:
> All,
> I'm trying to run FDS for a class I teach, I have previously used the
> Netscape Directory Server on NT but the hard drive on that machine
> went belly up this last summer. I decided that Linux would be the way
> to go for a replacement machine. Anyway, I downloaded the
> fedora-ds-1.0.2-1FC5.i386.opt.rpm and proceeded with the install.
> Install seemed to go OK; I started slapd and tried a test query and it
> worked. I want to load a doctored up version of the old Airius.ldif
> file so I started looking for the admin-server. Anyway it seems like
> there are supposed to be start/stop scripts on /opt/fedora-ds but
> there aren't....any ideas what might have happened to them? or where I
> get them from.
Sounds like install did not go OK. Try removing and installing from scratch, then run setup and capture the output.
> Also, I'm running a 512Mb machine which should be OK; but when I try
> to start up the Java based console I get an "out of memory" message. I
> would like to think that since only about 30 people are ever going to
> be doing ldap queries against it that 512Mb of RAM should be OK (it
> was for the old Netscape Directory Server). I could live without the
> Java based console if I could get the admin server running as that is
> the way I always administered the old machine.
>
> Dick Steflik
> Binghamton University
> Binghamton, New York
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From nkinder at redhat.com Thu Oct 5 18:05:44 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 05 Oct 2006 11:05:44 -0700
Subject: [Fedora-directory-users] Trying to run FDS on Core 5
In-Reply-To: <452543EC.4030800@binghamton.edu>
References: <452543EC.4030800@binghamton.edu>
Message-ID: <45254978.4040203@redhat.com>

Dick Steflik wrote:
> All,
> I'm trying to run FDS for a class I teach, I have previously used the
> Netscape Directory Server on NT but the hard drive on that machine
> went belly up this last summer. I decided that Linux would be the way
> to go for a replacement machine. Anyway, I downloaded the
> fedora-ds-1.0.2-1FC5.i386.opt.rpm and proceeded with the install.
> Install seemed to go OK; I started slapd and tried a test query and it
> worked. I want to load a doctored up version of the old Airius.ldif
> file so I started looking for the admin-server. Anyway it seems like
> there are supposed to be start/stop scripts on /opt/fedora-ds but
> there aren't....any ideas what might have happened to them? or where I
> get them from.
As Rich said, it sounds like the install did not complete successfully. Most times this is due to incorrect DNS / hostname resolution configuration.
> Also, I'm running a 512Mb machine which should be OK; but when I try
> to start up the Java based console I get an "out of memory" message. I
> would like to think that since only about 30 people are ever going to
> be doing ldap queries against it that 512Mb of RAM should be OK (it
> was for the old Netscape Directory Server).
> I could live without the
> Java based console if I could get the admin server running as that is
> the way I always administered the old machine.
The memory errors you are seeing are likely caused by the JVM you are using. It sounds like you are using gcj, which is not supported. You need to download either the IBM or the Sun JRE.

-NGK
>
> Dick Steflik
> Binghamton University
> Binghamton, New York
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From stpierre at NebrWesleyan.edu Thu Oct 5 18:06:28 2006
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Thu, 5 Oct 2006 13:06:28 -0500 (CDT)
Subject: [Fedora-directory-users] Replication errors: "Incremental Update Failed"
In-Reply-To: <45252182.8020508@redhat.com>
References: <20061004162205.29897.qmail@web34112.mail.mud.yahoo.com> <45242C16.2070107@redhat.com> <45250DF3.7060100@redhat.com> <45252182.8020508@redhat.com>
Message-ID:

I went through and re-init both of the databases on the problem machine, but still get the same errors. Also, if I restart FDS on the box, it claims to have been shut down in a disorderly manner, even when I use stop-slapd. There are no errors related to the shutdown.

It sounds like the BDB backend is pretty hosed, and even the auto recovery isn't completely handling it. Ideas?

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

On Thu, 5 Oct 2006, Richard Megginson wrote:

> Chris St. Pierre wrote:
>> On Thu, 5 Oct 2006, Richard Megginson wrote:
>>
>> > Do you have another master? If so, just perform a replica initialization
>> > (using the console).
>> >
>>
>> We've got three other masters, but we don't use the console -- or have
>> X installed or heads on the machines. Can this be done from the CLI,
>> maybe with mmr.pl?
>>
> Not sure about mmr.pl, but yes, this can be done via ldapmodify.
> First, you have to find the DN of the replication agreement from another master
> to the one you want to initialize.
> ldapsearch -x -h othermaster -D "cn=directory manager" -w password -s sub -b
> cn=config "objectclass=nsDS5ReplicationAgreement" cn nsDS5ReplicaHost
> nsDS5ReplicaPort
> There may be several, you'll have to figure out which one goes to the master
> you want to initialize
>
> Next, use ldapmodify to start the repl init:
> ldapmodify -x -h othermaster -D "cn=directory manager" -w password
> dn: dn of the repl agreement
> changetype: modify
> replace: nsds5BeginReplicaRefresh
> nsds5BeginReplicaRefresh: start
>
> Then check the error logs for both masters to see when repl init is completed.
>> Chris St. Pierre
>> Unix Systems Administrator
>> Nebraska Wesleyan University
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>

From steflik at binghamton.edu Thu Oct 5 18:08:36 2006
From: steflik at binghamton.edu (Dick Steflik)
Date: Thu, 05 Oct 2006 14:08:36 -0400
Subject: [Fedora-directory-users] Trying to run FDS on Core 5
In-Reply-To: <45254978.4040203@redhat.com>
References: <452543EC.4030800@binghamton.edu> <45254978.4040203@redhat.com>
Message-ID: <45254A24.6000107@binghamton.edu>

Nate,
I'm using the Sun jdk 1.5 09, JAVA_HOME is pointing here.

Dick

Nathan Kinder wrote:
> Dick Steflik wrote:
>
>> All,
>> I'm trying to run FDS for a class I teach, I have previously used the
>> Netscape Directory Server on NT but the hard drive on that machine
>> went belly up this last summer. I decided that Linux would be the way
>> to go for a replacement machine. Anyway, I downloaded the
>> fedora-ds-1.0.2-1FC5.i386.opt.rpm and proceeded with the install.
>> Install seemed to go OK; I started slapd and tried a test query and
>> it worked.
I want to load a doctored up version of the old >> Airius.ldif file so I started looking for the admin-server. Anyway it >> seems like there are supposed to be start/stop scripts on >> /opt/fedora-ds but there aren't....any ideas what might have happened >> to them? or where I get them from. > > As Rich said, it sounds like the install did not complete > successfully. Most times this is due to incorrect DNS / hostname > resolution configuration. > >> Also, I'm running a 512Mb machine which should be OK; but when I try >> to start up the Java based console I get an "out of memory" message. >> I would like to think that since only about 30 people are ever going >> to be doing ldap queries against it that 512Mb of RAM should be OK >> (it was for the old Netscape Directory Server). I could live without >> the Java based console if I could get the admin server running as >> that is the way I always administerd the old machine. > > The memory errors you are seeing are likely caused by the JVM you are > using. It sounds like you are using gcj, which is not supported. You > need to download either the IBM or the Sun JRE. > > -NGK > >> >> Dick Steflik >> Binghamton University >> Binghamton, New York >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > > >------------------------------------------------------------------------ > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- An HTML attachment was scrubbed... 
From rmeggins at redhat.com Thu Oct 5 18:22:37 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 05 Oct 2006 12:22:37 -0600
Subject: [Fedora-directory-users] Replication errors: "Incremental Update Failed"
In-Reply-To:
References: <20061004162205.29897.qmail@web34112.mail.mud.yahoo.com> <45242C16.2070107@redhat.com> <45250DF3.7060100@redhat.com> <45252182.8020508@redhat.com>
Message-ID: <45254D6D.1040605@redhat.com>

Chris St. Pierre wrote:
> I went through and re-init both of the databases on the problem machine, but still get the same errors. Also, if I restart FDS on the box, it claims to have been shutdown in a disorderly manner, even when I use stop-slapd. There are no errors related to the shutdown.
>
> It sounds like the BDB backend is pretty hosed, and even the auto recovery isn't completely handling it. Ideas?
>

Does this happen every time with restarting the server, the disorderly shutdown in the errors log? If so, does it recover the main database? If so, I think perhaps the changelog db is corrupted. Try shutting down the server and removing the changelog db.

> Chris St. Pierre
> Unix Systems Administrator
> Nebraska Wesleyan University
>
> On Thu, 5 Oct 2006, Richard Megginson wrote:
>
>> Chris St. Pierre wrote:
>>
>>> On Thu, 5 Oct 2006, Richard Megginson wrote:
>>>
>>>> Do you have another master? If so, just perform a replica initialization (using the console).
>>>
>>> We've got three other masters, but we don't use the console -- or have X installed or heads on the machines. Can this be done from the CLI, maybe with mmr.pl?
>>
>> Not sure about mmr.pl, but yes, this can be done via ldapmodify.
>> First, you have to find the DN of the replication agreement from another master to the one you want to initialize.
>>
>> ldapsearch -x -h othermaster -D "cn=directory manager" -w password -s sub -b cn=config "objectclass=nsDS5ReplicationAgreement" cn nsDS5ReplicaHost nsDS5ReplicaPort
>>
>> There may be several, you'll have to figure out which one goes to the master you want to initialize
>>
>> Next, use ldapmodify to start the repl init:
>>
>> ldapmodify -x -h othermaster -D "cn=directory manager" -w password
>> dn: dn of the repl agreement
>> changetype: modify
>> replace: nsds5BeginReplicaRefresh
>> nsds5BeginReplicaRefresh: start
>>
>> Then check the error logs for both masters to see when repl init is completed.
>>
>>> Chris St. Pierre
>>> Unix Systems Administrator
>>> Nebraska Wesleyan University

From nkinder at redhat.com Thu Oct 5 18:21:22 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 05 Oct 2006 11:21:22 -0700
Subject: [Fedora-directory-users] Trying to run FDS on Core 5
In-Reply-To: <45254A24.6000107@binghamton.edu>
References: <452543EC.4030800@binghamton.edu> <45254978.4040203@redhat.com> <45254A24.6000107@binghamton.edu>
Message-ID: <45254D22.9080602@redhat.com>

Dick Steflik wrote:
> Nate,
> I'm using the Sun jdk 1.5 09, JAVA_HOME is pointing here.

What does `which java` report? I'd also like to see the memory errors that are being reported.

-NGK

>
> Dick
>
>
> Nathan Kinder wrote:
>> Dick Steflik wrote:
>>> All,
>>> I'm trying to run FDS for a class I teach, I have previously used the Netscape Directory Server on NT but the hard drive on that machine went belly up this last summer. I decided that Linux would be the way to go for a replacement machine. Anyway, I downloaded the fedora-ds-1.0.2-1FC5.i386.opt.rpm and proceeded with the install. Install seemed to go OK; I started slapd and tried a test query and it worked. I want to load a doctored up version of the old Airius.ldif file so I started looking for the admin-server. Anyway it seems like there are supposed to be start/stop scripts on /opt/fedora-ds but there aren't....any ideas what might have happened to them? or where I get them from.
>> As Rich said, it sounds like the install did not complete successfully. Most times this is due to incorrect DNS / hostname resolution configuration.
>>> Also, I'm running a 512Mb machine which should be OK; but when I try to start up the Java based console I get an "out of memory" message. I would like to think that since only about 30 people are ever going to be doing ldap queries against it that 512Mb of RAM should be OK (it was for the old Netscape Directory Server). I could live without the Java based console if I could get the admin server running as that is the way I always administered the old machine.
>> The memory errors you are seeing are likely caused by the JVM you are using. It sounds like you are using gcj, which is not supported. You need to download either the IBM or the Sun JRE.
>>
>> -NGK
>>>
>>> Dick Steflik
>>> Binghamton University
>>> Binghamton, New York

From rinconsystems at yahoo.com Thu Oct 5 18:28:20 2006
From: rinconsystems at yahoo.com (Scott Roberts)
Date: Thu, 5 Oct 2006 11:28:20 -0700 (PDT)
Subject: [Fedora-directory-users] Trying to run FDS on Core 5
In-Reply-To: <452543EC.4030800@binghamton.edu>
Message-ID: <20061005182821.2331.qmail@web34109.mail.mud.yahoo.com>

Be sure httpd is running. selinux is permissive mode. /etc/alternatives soft link needs to point to new jre.

AFAIK there are no scripts like old versions, just the commands themselves.

# cd /opt/fedora-ds
# cd slapd-host2
# ./start-slapd
# cd ..
# ./start-admin
$ ./startconsole

--- Dick Steflik wrote:

> All,
> I'm trying to run FDS for a class I teach, I have previously used the Netscape Directory Server on NT but the hard drive on that machine went belly up this last summer. I decided that Linux would be the way to go for a replacement machine. Anyway, I downloaded the fedora-ds-1.0.2-1FC5.i386.opt.rpm and proceeded with the install. Install seemed to go OK; I started slapd and tried a test query and it worked. I want to load a doctored up version of the old Airius.ldif file so I started looking for the admin-server. Anyway it seems like there are supposed to be start/stop scripts on /opt/fedora-ds but there aren't....any ideas what might have happened to them? or where I get them from.
>
> Also, I'm running a 512Mb machine which should be OK; but when I try to start up the Java based console I get an "out of memory" message. I would like to think that since only about 30 people are ever going to be doing ldap queries against it that 512Mb of RAM should be OK (it was for the old Netscape Directory Server). I could live without the Java based console if I could get the admin server running as that is the way I always administered the old machine.
>
> Dick Steflik
> Binghamton University
> Binghamton, New York

From stpierre at NebrWesleyan.edu Thu Oct 5 18:55:21 2006
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Thu, 5 Oct 2006 13:55:21 -0500 (CDT)
Subject: [Fedora-directory-users] fdsgraph: an rrdtool-based graphing utility for FDS
In-Reply-To: <45254D6D.1040605@redhat.com>
References: <20061004162205.29897.qmail@web34112.mail.mud.yahoo.com> <45242C16.2070107@redhat.com> <45250DF3.7060100@redhat.com> <45252182.8020508@redhat.com> <45254D6D.1040605@redhat.com>
Message-ID:

If any of you are familiar with mailgraph for Postfix-based mail servers, I've created something similar for Fedora DS. fdsgraph tails the access log and creates rrdtool-based graphs of the number of connections and operations, organized by connection security and op type respectively.

You can see some screenshots and find the tarball at:

http://www.nebrwesleyan.edu/people/stpierre/fdsgraph/fdsgraph.html

Enjoy!

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

From jo.de.troy at gmail.com Thu Oct 5 19:02:19 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Thu, 5 Oct 2006 21:02:19 +0200
Subject: [Fedora-directory-users] trying to build
Message-ID:

Hi Rich,

it's a manual build using the cvs code [cvs co -r FedoraDirSvr102 ldapserver].
I'm trying to succeed in building it myself and afterwards rebuilding it with the patch that will stop crashing the ldapserver when doing an ldappasswd.

Thanks again,
Jo

From rmeggins at redhat.com Thu Oct 5 19:12:26 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 05 Oct 2006 13:12:26 -0600
Subject: [Fedora-directory-users] trying to build
In-Reply-To:
References:
Message-ID: <4525591A.9070105@redhat.com>

Jo De Troy wrote:
> Hi Rich,
>
> it's a manual build using the cvs code [cvs co -r FedoraDirSvr102 ldapserver].
> I'm trying to succeed in building it myself and afterwards rebuilding it with the patch that will stop crashing the ldapserver when doing an ldappasswd.

Ok. When you are in the ldap/cm/newinst directory, try to see if the following directories exist and have files in them:

../../../../mozilla/dist/Linux2.6_x86_glibc_PTH_OPT.OBJ/include
../../../../mozilla/dist/public/dbm
../../../../mozilla/dist/public/nss
../../../../mozilla/dist/public/svrcore
../../../../mozilla/dist/public/ldap
../../../../setuputil/built/package/RHEL4_x86_gcc3_OPT.OBJ/include

I apologize that it's so hard to build this thing - we are working on it (even as I type this).

>
> Thanks again,
> Jo
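Chris's fdsgraph announcement above counts connections and operations from the access log, and David Boreham's reply in the "DB object limit" thread later in this digest points out that an unindexed search is visible in the same log, that Directory Manager is exempt from the lookthrough limit, and that other binds get their search cut short when the limit is hit. The Python below is an added example, not fdsgraph's code or anything from the thread: it runs both kinds of check over a constructed access-log excerpt in the Fedora DS format. The connection/operation tally mirrors what fdsgraph graphs (LDAP vs. SSL connections, op counts by type); the second part collects RESULT lines the server marked notes=U (its flag for an unindexed search) and marks those that ended with LDAP result code 11 (adminLimitExceeded, the code returned when the lookthrough limit stops a search). Hosts, DNs and the suffix are made up.

```python
import re
from collections import Counter

# Constructed access-log excerpt in the Fedora DS format (not from the thread).
# Hosts, DNs and suffix are made up. Both SRCH ops use a substring filter on an
# unindexed attribute, so the server flags their RESULT lines with notes=U; the
# non-Directory-Manager one is stopped by the lookthrough limit (err=11).
SAMPLE_ACCESS_LOG = """\
[09/Oct/2006:14:54:43 -0400] conn=12 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[09/Oct/2006:14:54:43 -0400] conn=12 op=0 BIND dn="cn=directory manager" method=128 version=3
[09/Oct/2006:14:54:43 -0400] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[09/Oct/2006:14:54:44 -0400] conn=12 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(description=*foo*)" attrs=ALL
[09/Oct/2006:14:55:00 -0400] conn=13 fd=65 slot=65 SSL connection from 10.0.0.6 to 10.0.0.1
[09/Oct/2006:14:55:01 -0400] conn=13 op=0 BIND dn="uid=jcall,ou=people,dc=example,dc=com" method=128 version=3
[09/Oct/2006:14:55:01 -0400] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[09/Oct/2006:14:55:02 -0400] conn=13 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(description=*foo*)" attrs=ALL
[09/Oct/2006:14:55:02 -0400] conn=13 op=1 RESULT err=11 tag=101 nentries=0 etime=0 notes=U
[09/Oct/2006:14:55:03 -0400] conn=13 op=2 MOD dn="uid=jcall,ou=people,dc=example,dc=com"
[09/Oct/2006:14:55:03 -0400] conn=13 op=2 RESULT err=0 tag=103 nentries=0 etime=0
[09/Oct/2006:15:04:50 -0400] conn=12 op=1 RESULT err=0 tag=101 nentries=3 etime=606 notes=U
[09/Oct/2006:15:04:51 -0400] conn=12 op=2 UNBIND
[09/Oct/2006:15:04:51 -0400] conn=12 op=2 fd=64 closed - U1
"""

CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ (SSL )?connection from (\S+) to (\S+)")
OP_RE = re.compile(r"conn=(\d+) op=(\d+) (BIND|UNBIND|SRCH|ADD|MOD|DEL|MODRDN|CMP|EXT|ABANDON)\b")
RESULT_RE = re.compile(
    r"conn=(\d+) op=(\d+) RESULT err=(\d+) tag=\d+ nentries=(\d+) etime=(\d+)(?: notes=([\w,]+))?")

ADMIN_LIMIT_EXCEEDED = 11   # LDAP result code the server returns when the lookthrough limit is hit


def parse_access_log(text):
    """Tally connections by transport and ops by type (what fdsgraph graphs), and
    collect every search the server flagged as unindexed (notes=U on its RESULT)."""
    connections = Counter()
    ops = Counter()
    bound_as = {}           # conn id -> bind DN, so a flagged search can be attributed
    pending_searches = {}   # (conn, op) -> filter, until the matching RESULT line arrives
    unindexed = []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            connections["ldaps" if m.group(2) else "ldap"] += 1
            continue
        m = OP_RE.search(line)
        if m:
            conn, op, optype = m.groups()
            ops[optype] += 1
            if optype == "BIND":
                dn = re.search(r'dn="([^"]*)"', line)
                bound_as[conn] = (dn.group(1) if dn else "") or "anonymous"
            elif optype == "SRCH":
                flt = re.search(r'filter="([^"]*)"', line)
                pending_searches[(conn, op)] = flt.group(1) if flt else ""
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, nentries, etime, notes = m.groups()
            key = (conn, op)
            if key in pending_searches and "U" in (notes or "").split(","):
                unindexed.append({
                    "conn": conn, "op": op,
                    "bound_as": bound_as.get(conn, "anonymous"),
                    "filter": pending_searches[key],
                    "err": int(err), "nentries": int(nentries), "etime": int(etime),
                    "hit_lookthrough_limit": int(err) == ADMIN_LIMIT_EXCEEDED,
                })
            pending_searches.pop(key, None)
    return {"connections": connections, "ops": ops, "unindexed": unindexed}


if __name__ == "__main__":
    report = parse_access_log(SAMPLE_ACCESS_LOG)
    print("connections:", dict(report["connections"]))
    print("operations:", dict(report["ops"]))
    for u in report["unindexed"]:
        print("unindexed search by %s: %s err=%d nentries=%d etime=%ds limit_hit=%s"
              % (u["bound_as"], u["filter"], u["err"], u["nentries"], u["etime"],
                 u["hit_lookthrough_limit"]))
```

Fed the real access log (fdsgraph tails it; this reads a whole file), the unindexed list is the thing to look at when, as in John Call's report later in the digest, ordinary users get no results while Directory Manager gets them after a ten-minute wait: the same filter appears twice, once with err=11 and nentries=0 for the limited bind and once with a large etime for the unlimited one, which says "add or reorder an index" rather than "the database is too big".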
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From jo.de.troy at gmail.com Thu Oct 5 19:17:32 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Thu, 5 Oct 2006 21:17:32 +0200 Subject: [Fedora-directory-users] trying to build Message-ID: Hi Rich, all directories exist except for the setuputil directory. It's indeed pretty hard to build it, but that's what the list is for, right ;-) Thx, Jo From rmeggins at redhat.com Thu Oct 5 19:55:51 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 05 Oct 2006 13:55:51 -0600 Subject: [Fedora-directory-users] trying to build In-Reply-To: References: Message-ID: <45256347.7070202@redhat.com> Jo De Troy wrote: > Hi Rich, > > all directories exist except for the setuputil directory. So, according to http://directory.fedora.redhat.com/wiki/Building#External_Requirements you should have a setuputil directory at the same level as your ldapserver directory. Do you have this? If not, please see http://directory.fedora.redhat.com/wiki/SetupUtil If so, do you have setuputil/built? setuputil/built/package? > It's indeed pretty hard to build it, but that's what the list is for, > right ;-) > > Thx, > Jo > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From jo.de.troy at gmail.com Fri Oct 6 10:13:35 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Fri, 6 Oct 2006 12:13:35 +0200 Subject: [Fedora-directory-users] trying to build Message-ID: Hi Rich, I've installed all extra components and while compiling the adminserver I got the error that I needed icu v3.4, so that's what I did. Afterwards while again trying to compile the ldapserver. 
I get an error at the point where it tries to compile LDAP server console What am I still missing? Thanks again, Jo ==== Starting LDAP Server Console ========== gmake BUILD_OPT=1 NO_JAVA=1 buildDirectoryConsole gmake[1]: Entering directory `/home/ldap/ds71/ldapserver' cd ldap/admin/src/java/com/netscape/xmltools; gmake BUILD_OPT=1 NO_JAVA=1 -w package gmake[2]: Entering directory `/home/ldap/ds71/ldapserver/ldap/admin/src/java/com/netscape/xmltools' javac -deprecation -classpath "/home/ldap/ds71/ldapserver/ldap/admin/src/java:../../../../../../../../dist/classes/ldapjdk.jar:../../../../../../../built/java/optimize/xmltools:../../../../../../../../dist/classes/crimson.jar" -d ../../../../../../../built/java/optimize/xmltools DSML2LDIF.java DSML2LDIF.java:44: package netscape.ldap does not exist From rmeggins at redhat.com Fri Oct 6 13:46:10 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 06 Oct 2006 07:46:10 -0600 Subject: [Fedora-directory-users] trying to build In-Reply-To: References: Message-ID: <45265E22.5040909@redhat.com> Jo De Troy wrote: > Hi Rich, > > I've installed all extra components and while compiling the > adminserver I got the error that I needed icu v3.4, so that's what I > did. Afterwards while again trying to compile the ldapserver. > I get an error at the point where it tries to compile LDAP server console > What am I still missing? Your best bet is to simply build without the dsml related code. make ... 
USE_DSMLGW= USE_JAVATOOLS= > > Thanks again, > Jo > > ==== Starting LDAP Server Console ========== > > gmake BUILD_OPT=1 NO_JAVA=1 buildDirectoryConsole > gmake[1]: Entering directory `/home/ldap/ds71/ldapserver' > cd ldap/admin/src/java/com/netscape/xmltools; gmake BUILD_OPT=1 > NO_JAVA=1 -w package > gmake[2]: Entering directory > `/home/ldap/ds71/ldapserver/ldap/admin/src/java/com/netscape/xmltools' > javac -deprecation -classpath > "/home/ldap/ds71/ldapserver/ldap/admin/src/java:../../../../../../../../dist/classes/ldapjdk.jar:../../../../../../../built/java/optimize/xmltools:../../../../../../../../dist/classes/crimson.jar" > > -d ../../../../../../../built/java/optimize/xmltools DSML2LDIF.java > DSML2LDIF.java:44: package netscape.ldap does not exist At the top level directory, in which you have your ldapserver directory, there should be a directory called dist, and in this directory should be a directory called classes, and in this directory you should have several jar files which are listed in the classpath above (e.g. ../../../../../../../../dist/classes/ldapjdk.jar:../../../../../../../../dist/classes/crimson.jar") The dsmlgw requires even more jar files - activation.jar axis.jar jaxrpc.jar saaj.jar xercesImpl.jar xml-apis.jar jakarta-commons-codec.jar you can get all of them from here - > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From jwgreene at megalink.net Sat Oct 7 01:27:02 2006 From: jwgreene at megalink.net (James Greene) Date: Fri, 06 Oct 2006 21:27:02 -0400 Subject: [Fedora-directory-users] Fedora directory and solaris 10 Message-ID: Hello, Just joined the list. I want to compile fedora directory on Solaris 10 (sparc). Anyone have any good docs on it? 
I am using gcc. Thanks Jim From mj at sci.fi Sat Oct 7 06:58:13 2006 From: mj at sci.fi (Mike Jackson) Date: Sat, 07 Oct 2006 09:58:13 +0300 Subject: [Fedora-directory-users] Fedora directory and solaris 10 In-Reply-To: References: Message-ID: <45275005.7030201@sci.fi> James Greene wrote: > Hello, > Just joined the list. I want to compile fedora directory on Solaris 10 > (sparc). Anyone have any good docs on it? I am using gcc. Thanks I wouldn't try to compile for Solaris unless you are willing to spend a few weeks of effort making modifications. Your best bet is to take the last version which was compiled for Solaris: FDS 7.1. It was compiled for Solaris "2.9", but works fine on Solaris 10. You can download it here, just agree to the license, drop down the box and choose either plain or 64-bit: http://directory.fedora.redhat.com/wiki/Special:Download I setup a RHEL 4 machine doing multi-master with two Solaris 10 machines using 7.1, which has been working smoothly for more than half a year now. BR, Mike -- http://www.netauth.com - LDAP Directory Consulting From johnsimcall at gmail.com Sat Oct 7 09:39:34 2006 From: johnsimcall at gmail.com (John Call) Date: Fri, 6 Oct 2006 23:39:34 -1000 Subject: [Fedora-directory-users] DB object limit question Message-ID: <2f05bdbb0610070239y59193580l7b7445914805d7c1@mail.gmail.com> Aloha list, Is there a known limit of objects / db? I've recently encountered strange behaviour in my FDS. The strange behaviour exhibits itself by not allowing searchs within ou containers. Although if I bind as "Directory Manager" I can search, but it takes a painfully long time for the results to come... on average about 10 minutes. Let me elaborate a little bit about my setup. I have three ou containers. The largest container has 253603 entries, the other two containers have 9625, and 4846 objects. All three of these containers use the same userRoot db. 
Through some random tinkering I created another FDS, but instead of userRoot I gave each ou its own db. The results of each ou having its own db have been positive. I'm able to search and all expected funcionality is available. Thanks for your time, John -------------- next part -------------- An HTML attachment was scrubbed... URL: From mj at sci.fi Sat Oct 7 10:16:42 2006 From: mj at sci.fi (Mike Jackson) Date: Sat, 07 Oct 2006 13:16:42 +0300 Subject: [Fedora-directory-users] DB object limit question In-Reply-To: <2f05bdbb0610070239y59193580l7b7445914805d7c1@mail.gmail.com> References: <2f05bdbb0610070239y59193580l7b7445914805d7c1@mail.gmail.com> Message-ID: <45277E8A.8030407@sci.fi> John Call wrote: > Aloha list, > > Is there a known limit of objects / db? I've recently encountered > strange behaviour in my FDS. The strange behaviour exhibits itself by > not allowing searchs within ou containers. Although if I bind as > "Directory Manager" I can search, but it takes a painfully long time for > the results to come... on average about 10 minutes. I have tested 10 million entries on a 2.4Ghz P4 machine with 512MB RAM, and it worked just fine. You need to tune the administrative search limits, lookthrough limits, cache sizes, etc for larger databases. The defaults are too small to be useful for anything serious. BR, Mike -- http://www.netauth.com - LDAP Directory Consulting From david_list at boreham.org Sat Oct 7 15:16:00 2006 From: david_list at boreham.org (David Boreham) Date: Sat, 07 Oct 2006 09:16:00 -0600 Subject: [Fedora-directory-users] DB object limit question In-Reply-To: <2f05bdbb0610070239y59193580l7b7445914805d7c1@mail.gmail.com> References: <2f05bdbb0610070239y59193580l7b7445914805d7c1@mail.gmail.com> Message-ID: <4527C4B0.8040506@boreham.org> John Call wrote: > > Is there a known limit of objects / db? A few billion. > I've recently encountered strange behaviour in my FDS. 
The strange > behaviour exhibits itself by not allowing searchs within ou > containers. Although if I bind as "Directory Manager" I can search, > but it takes a painfully long time for the results to come... on > average about 10 minutes. > This sounds like an unindexed search is being done (you can tell from looking in the access log). Directory manager is not subject to the lookthrough limit, so ploughs on through the entries. Other users are subject to the lookthrough limit and the search ends quickly without results when the limit is hit (your client _should_ tell you that the LT limit was seen though). > Let me elaborate a little bit about my setup. I have three ou > containers. The largest container has 253603 entries, the other two > containers have 9625, and 4846 objects. All three of these containers > use the same userRoot db. Through some random tinkering I created > another FDS, but instead of userRoot I gave each ou its own db. The > results of each ou having its own db have been positive. I'm able to > search and all expected funcionality is available. You've probably been able to fox the query planner such that it uses the 'wrong' index first. Sometimes you can re-order your filter to achieve the result you want (use the most useful index first). The DS doesn't have the fancy statistically driven index choice query planners that you might see in a high end RDBMS for example. From tung.tman at gmail.com Mon Oct 9 09:44:29 2006 From: tung.tman at gmail.com (VSEC Saigon) Date: Mon, 9 Oct 2006 16:44:29 +0700 Subject: [Fedora-directory-users] Cannot Setup PDC use Samba with FDS! Message-ID: <200610091644.30134.security@vsec.info> Hi everybody, I've got a problems when I setup PDC use Samba3 with FDS. I've followed HOWTO:Samba in Documentation Section. But when I map ntgroup to unix group, It's state like : "[root@~]# net groupmap add ntgroup="Domain Admins" unixgroup=DomainAdmins rid=512 adding entry for group Domain Admins failed!" 
I've tried to look around, and found some info. I will post here: 1. Kernel message: "audit(1160332356.611:65): avc: denied { bind } for pid=5752 comm="net" scontext=root:system_r:samba_net_t:s0-s0:c0.c255 tcontext=root:system_r:samba_net_t:s0-s0:c0.c255 tclass=netlink_route_socket audit(1160332356.611:66): avc: denied { getattr } for pid=5752 comm="net" scontext=root:system_r:samba_net_t:s0-s0:c0.c255 tcontext=root:system_r:samba_net_t:s0-s0:c0.c255 tclass=netlink_route_socket audit(1160332356.611:67): avc: denied { write } for pid=5752 comm="net" scontext=root:system_r:samba_net_t:s0-s0:c0.c255 tcontext=root:system_r:samba_net_t:s0-s0:c0.c255 tclass=netlink_route_socket audit(1160332356.611:68): avc: denied { nlmsg_read } for pid=5752 comm="net" scontext=root:system_r:samba_net_t:s0-s0:c0.c255 tcontext=root:system_r:samba_net_t:s0-s0:c0.c255 tclass=netlink_route_socket audit(1160332356.611:69): avc: denied { read } for pid=5752 comm="net" scontext=root:system_r:samba_net_t:s0-s0:c0.c255 tcontext=root:system_r:samba_net_t:s0-s0:c0.c255 tclass=netlink_route_socket " 2. Error when I've try to use webmin to add NTgroups "Failed to save group : /usr/bin/net failed : [2006/10/09 02:44:37, 0] utils/net.c:net_maxrid(789) can't get current maximum rid " Thanks, th3tm4n From triswimjoe at hotmail.com Mon Oct 9 15:19:21 2006 From: triswimjoe at hotmail.com (Joe Sheehan) Date: Mon, 09 Oct 2006 11:19:21 -0400 Subject: [Fedora-directory-users] LDAP run in verbose mode? Message-ID: Is there anyway to start LDAP in a verbose mode? LDAP is periodically dieing and unfortunately the log file gives nothing more than "LDAP died". Thanks Joe From rmeggins at redhat.com Mon Oct 9 15:33:31 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 09 Oct 2006 09:33:31 -0600 Subject: [Fedora-directory-users] LDAP run in verbose mode? In-Reply-To: References: Message-ID: <452A6BCB.1060508@redhat.com> Joe Sheehan wrote: > Is there anyway to start LDAP in a verbose mode? 
start-slapd -d 1 & You can also turn on verbose mode in a server that's already running. See http://directory.fedora.redhat.com/wiki/FAQ#Troubleshooting > LDAP is periodically dieing and unfortunately the log file gives > nothing more than "LDAP died". > > Thanks > > Joe > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From jonebird at gmail.com Mon Oct 9 19:51:55 2006 From: jonebird at gmail.com (Jon Miller) Date: Mon, 9 Oct 2006 15:51:55 -0400 Subject: [Fedora-directory-users] WindowsSync - Replica has no update vector. It has never been initialized. It has never been initialized. Message-ID: <589a24260610091251j3a96132bg471b957ad7874117@mail.gmail.com> Hello All, I have just installed and setup Fedora DS 1.0.2 on a RHEL 4.0 machine. I am interested in using the Windows Sync, but am running into one last issue that I can not seem to solve. I am getting the following error in my "errors" log file: [09/Oct/2006:14:54:43 -0400] NSMMReplicationPlugin - agmt="cn=Infrapoc Sync" (iwpoccorsrv01:636): Replica has no update vector. It has never been initialized. At this point, neither the incremental updates or the full sync work. Could someone please shed some light on this error and how to resolve it? Additionally, I have already attempted to research and solve this issue on my own. Restarting the Admin Server [1] did not help. Have also restarted my DS multiple times. -- Any help is appreciated, Jon [1] http://www.redhat.com/archives/fedora-directory-users/2006-June/msg00075.html From triswimjoe at hotmail.com Mon Oct 9 20:04:49 2006 From: triswimjoe at hotmail.com (Joe Sheehan) Date: Mon, 09 Oct 2006 16:04:49 -0400 Subject: [Fedora-directory-users] LDAP run in verbose mode? 
Message-ID: Thanks - did noticed that the performance does decrease substantially with debug on though. Thanks - hopefully we'll be able to figure out why the instability in our env. Joe >From: Richard Megginson >Reply-To: "General discussion list for the Fedora Directory server >project." >To: "General discussion list for the Fedora Directory server project." > >Subject: Re: [Fedora-directory-users] LDAP run in verbose mode? >Date: Mon, 09 Oct 2006 09:33:31 -0600 > >Joe Sheehan wrote: >>Is there anyway to start LDAP in a verbose mode? >start-slapd -d 1 & >You can also turn on verbose mode in a server that's already running. See >http://directory.fedora.redhat.com/wiki/FAQ#Troubleshooting >>LDAP is periodically dieing and unfortunately the log file gives nothing >>more than "LDAP died". >> >>Thanks >> >>Joe >> >> >>-- >>Fedora-directory-users mailing list >>Fedora-directory-users at redhat.com >>https://www.redhat.com/mailman/listinfo/fedora-directory-users ><< smime.p7s >> >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users From rmeggins at redhat.com Mon Oct 9 20:44:22 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 09 Oct 2006 14:44:22 -0600 Subject: [Fedora-directory-users] LDAP run in verbose mode? In-Reply-To: References: Message-ID: <452AB4A6.2030205@redhat.com> Joe Sheehan wrote: > Thanks - did noticed that the performance does decrease substantially > with debug on though. Yes. You can turn log output on and off at run time - see the Troubleshooting link. If you can narrow down the cause, you could enable debug logging just before the problem and disable it just after. > > Thanks - hopefully we'll be able to figure out why the instability in > our env. > > Joe > > >> From: Richard Megginson >> Reply-To: "General discussion list for the Fedora Directory server >> project." >> To: "General discussion list for the Fedora Directory server >> project." 
>> Subject: Re: [Fedora-directory-users] LDAP run in verbose mode? >> Date: Mon, 09 Oct 2006 09:33:31 -0600 >> >> Joe Sheehan wrote: >>> Is there anyway to start LDAP in a verbose mode? >> start-slapd -d 1 & >> You can also turn on verbose mode in a server that's already >> running. See >> http://directory.fedora.redhat.com/wiki/FAQ#Troubleshooting >>> LDAP is periodically dieing and unfortunately the log file gives >>> nothing more than "LDAP died". >>> >>> Thanks >>> >>> Joe >>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users > > >> << smime.p7s >> > > > > >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From jo.de.troy at gmail.com Tue Oct 10 12:12:23 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Tue, 10 Oct 2006 14:12:23 +0200 Subject: [Fedora-directory-users] admin-server SSL restart Message-ID: Hello, I've setup the admin-server to use SSL. But I fail to get it restarted without asking me for the internal token password. I have created password.conf in /opt/fedora-ds/alias with I think the correct ownerships. The contents of password.conf is "internal:", should this work? 
Thanks in advance,
Jo

From jamsda_1 at yahoo.com Mon Oct 9 22:31:39 2006
From: jamsda_1 at yahoo.com (jamsda)
Date: Mon, 9 Oct 2006 15:31:39 -0700 (PDT)
Subject: [Fedora-directory-users] Command-line Consumer Initialization
Message-ID: <20061009223139.7037.qmail@web50913.mail.yahoo.com>

Does anybody know if there's a way to initialize a consumer in a multi-master config from the command-line?

Thanks,
Jim

From jonebird at gmail.com Mon Oct 9 22:33:40 2006
From: jonebird at gmail.com (Jon Miller)
Date: Mon, 9 Oct 2006 18:33:40 -0400
Subject: [Fedora-directory-users] Re: WindowsSync - Replica has no update vector. It has never been initialized. It has never been initialized.
In-Reply-To: <589a24260610091251j3a96132bg471b957ad7874117@mail.gmail.com>
References: <589a24260610091251j3a96132bg471b957ad7874117@mail.gmail.com>
Message-ID: <589a24260610091533v57fd0e86vcceac686359e8bd3@mail.gmail.com>

I should have included this snippet of the error log in my first email, but I didn't catch it at first...

[09/Oct/2006:17:29:05 -0400] - _csngen_parse_state: replica id mismatch; current id - 5, replica id in the state - 1
[09/Oct/2006:17:29:05 -0400] NSMMReplicationPlugin - _replica_init_from_config: failed to create csn generator for replica (cn=replica,cn=\22ou=People,dc=poc,dc=net\22,cn=mapping tree, cn=config)
[09/Oct/2006:17:29:05 -0400] NSMMReplicationPlugin - Unable to configure replica ou=People,dc=poc,dc=net: failed to create csn generator for replica (cn=replica,cn=\22ou=People,dc=poc,dc=net\22,cn=mapping tree, cn=config)
[09/Oct/2006:17:29:05 -0400] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[09/Oct/2006:17:29:05 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[09/Oct/2006:17:31:04 -0400] NSMMReplicationPlugin - agmtlist_add_callback: Can't start agreement "cn=infrapoc ad sync,cn=replica,cn="ou=people,dc=poc,dc=net",cn=mapping tree,cn=config"

After seeing this error, I have gone back and deleted the windows sync agreement, disabled and then re-enabled the single master replication with a Replica ID of '1' and finally re-created the windows sync. Still no luck. :-(

-- Jon

On 10/9/06, Jon Miller wrote:
> Hello All,
> I have just installed and setup Fedora DS 1.0.2 on a RHEL 4.0 machine. I am interested in using the Windows Sync, but am running into one last issue that I can not seem to solve. I am getting the following error in my "errors" log file:
> [09/Oct/2006:14:54:43 -0400] NSMMReplicationPlugin - agmt="cn=Infrapoc Sync" (iwpoccorsrv01:636): Replica has no update vector. It has never been initialized.
> At this point, neither the incremental updates or the full sync work.
> Could someone please shed some light on this error and how to resolve it?
>
> Additionally, I have already attempted to research and solve this issue on my own.
> Restarting the Admin Server [1] did not help.
> Have also restarted my DS multiple times.
> --
> Any help is appreciated,
> Jon
>
> [1] http://www.redhat.com/archives/fedora-directory-users/2006-June/msg00075.html

-- Later, Jon

From rcritten at redhat.com Tue Oct 10 12:46:18 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 10 Oct 2006 08:46:18 -0400
Subject: [Fedora-directory-users] admin-server SSL restart
In-Reply-To:
References:
Message-ID: <452B961A.5050900@redhat.com>

Jo De Troy wrote:
> Hello,
>
> I've setup the admin-server to use SSL. But I fail to get it restarted without asking me for the internal token password.
> I have created password.conf in /opt/fedora-ds/alias with I think the correct ownerships.
> The contents of password.conf is "internal:", should this work? > > Thanks in advance, > Jo You need to set NSSPassPhraseDialog to file:/opt/fedora-ds/alias in /opt/fedora-ds/admin-serv/config rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From wiskbroom at hotmail.com Tue Oct 10 13:33:06 2006 From: wiskbroom at hotmail.com (Vadim Pushkin) Date: Tue, 10 Oct 2006 13:33:06 +0000 Subject: [Fedora-directory-users] Need Pointers For Migrating To FDS from NIS In-Reply-To: Message-ID: Hello All; My current environment is using NIS (not NIS+) on Sparc Solaris 8/10 and x86 Linux, with a separate AD structure. My goal is to migrate my Solaris and Linux machines onto the AD structure for user, group, hosts, networks and netgroups map use (perhaps other maps later). My questions are: 1. Am I correct in believing that Fedora Dir Server is able to allow me to auth to my AD DC's? Or does FDS only perform as a conduit to the AD structure, either fine by me. 2. What and where do I change to aloow this on my pam.conf on my Solaris and Linux servers? 3. Where do I get the PAM modules to allow this to work? 4. What additional software must I run on my RH/FC FDS server? Should I, or can I, run two servers in case one fails? 5. Finally, does anyone have any written docs or a site that can help me? Thanks very much in advance, .vadim From mj at sci.fi Tue Oct 10 14:07:03 2006 From: mj at sci.fi (Mike Jackson) Date: Tue, 10 Oct 2006 17:07:03 +0300 Subject: [Fedora-directory-users] Command-line Consumer Initialization In-Reply-To: <20061009223139.7037.qmail@web50913.mail.yahoo.com> References: <20061009223139.7037.qmail@web50913.mail.yahoo.com> Message-ID: <452BA907.3020808@sci.fi> jamsda wrote: > Does anybody know if there's a way to initialize a > consumer in a multi-master config from the > command-line? 
Use mmr.pl : http://www.netauth.com/~jacksonm/ldap/mmr.pl It handles initialization as well as creating and deleting agreements. BR, -- mike From koippa at gmail.com Tue Oct 10 15:13:42 2006 From: koippa at gmail.com (Kimmo Koivisto) Date: Tue, 10 Oct 2006 18:13:42 +0300 Subject: [Fedora-directory-users] Command-line Consumer Initialization In-Reply-To: <452BA907.3020808@sci.fi> References: <20061009223139.7037.qmail@web50913.mail.yahoo.com> <452BA907.3020808@sci.fi> Message-ID: <200610101813.42778.koippa@gmail.com> Mike Jackson wrote: > > Does anybody know if there's a way to initialize a > > consumer in a multi-master config from the > > command-line? > > Use mmr.pl : > > http://www.netauth.com/~jacksonm/ldap/mmr.pl Hello Mike I have used your mmr.pl script to deploy about 10 multimaster replicated FDS installations, it always worked fine. Those deployments have had two servers and I know that in near future I need to deploy four-way mmr. Your script's has the following options: --host1 FQDN of host 1 --host2 FQDN of host 2 --host1_id Replication ID number of host 1 --host2_id Replication ID number of host 2 When deploying four-way mmr, is it possible to define options --host3 and --host4 (and _id) options or how one should initialize four-way mmr? Best Regards Kimmo From jo.de.troy at gmail.com Tue Oct 10 15:37:43 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Tue, 10 Oct 2006 17:37:43 +0200 Subject: [Fedora-directory-users] password policy Message-ID: Hello, is it possible to query the LDAP server to get back the active password policies? Thanks in advance, Jo From mj at sci.fi Tue Oct 10 15:59:24 2006 From: mj at sci.fi (Mike Jackson) Date: Tue, 10 Oct 2006 18:59:24 +0300 Subject: [Fedora-directory-users] password policy In-Reply-To: References: Message-ID: <452BC35C.8020005@sci.fi> Jo De Troy wrote: > Hello, > > is it possible to query the LDAP server to get back the active > password policies? Of course. 
All configuration information is stored in cn=config or o=netscaperoot. Most of what you are interested in is in cn=config.

BR,
-- mike

From tung.tman at gmail.com Tue Oct 10 17:36:24 2006
From: tung.tman at gmail.com (th3tm4n)
Date: Wed, 11 Oct 2006 00:36:24 +0700
Subject: [Fedora-directory-users] [samba3+fds1.0.2/fc5] Can't map ntgroup to unixgroup
Message-ID: <200610110036.24194.tung.tman@gmail.com>

I am trying to set up Samba 3 integrated with FDS 1.0.2 on FC5, following this howto:
http://directory.fedora.redhat.com/wiki/Howto:Samba

Everything seemed to go the right way until I mapped ntgroup to unixgroup.

1. Here's my case:

[root@dsat ~]# net groupmap list
[root@dsat ~]# net groupmap add rid=512 ntgroup="Domain Admins" unixgroup=domainadmins
adding entry for group Domain Admins failed!

2. Here's the samba log:

[root@dsat ~]# tail /var/log/smbd.log
[2006/10/10 08:51:23, 0] lib/smbldap.c:smbldap_connect_system(851)
  ldap_connect_system: Failed to retrieve password from secrets.tdb
[2006/10/10 08:51:23, 1] lib/smbldap.c:another_ldap_try(1051)
  Connection to LDAP server failed for the 15 try!
[2006/10/10 08:51:24, 0] passdb/secrets.c:fetch_ldap_pw(629)
  fetch_ldap_pw: neither ldap secret retrieved!
[2006/10/10 08:51:24, 0] lib/smbldap.c:smbldap_connect_system(851)
  ldap_connect_system: Failed to retrieve password from secrets.tdb
[2006/10/10 08:51:24, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(2170)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (unknown) (Time limit exceeded)

Here are some settings in smb.conf:

security = user
passdb backend = ldapsam:ldap://localhost
ldap admin dn = cn=admin
ldap suffix = dc=local,dc=atc
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups

From gholbert at broadcom.com Tue Oct 10 17:44:29 2006
From: gholbert at broadcom.com (George Holbert)
Date: Tue, 10 Oct 2006 10:44:29 -0700
Subject: [Fedora-directory-users] Need Pointers For Migrating To FDS from NIS
In-Reply-To:
References:
Message-ID: <452BDBFD.705@broadcom.com>

Vadim,

This is a pretty big topic.
Gary Tay has put together some docs that are a great starting point:
http://web.singnet.com.sg/~garyttt/

Sun's docs regarding Solaris clients will also be useful for you:
http://docs.sun.com/app/docs/doc/816-4556

One other thing:
> My goal is to migrate my Solaris and Linux machines onto the AD structure for user, group, hosts, networks and netgroups map use (perhaps other maps later).

If you mean that you will be using AD as your directory server, you won't necessarily need to run a separate directory server like FDS.

Good luck!

Vadim Pushkin wrote:
> Hello All;
>
> My current environment is using NIS (not NIS+) on Sparc Solaris 8/10 and x86 Linux, with a separate AD structure. My goal is to migrate my Solaris and Linux machines onto the AD structure for user, group, hosts, networks and netgroups map use (perhaps other maps later).
>
> My questions are:
>
> 1. Am I correct in believing that Fedora Dir Server is able to allow me to auth to my AD DC's? Or does FDS only perform as a conduit to the AD structure, either fine by me.
>
> 2. What and where do I change to allow this on my pam.conf on my Solaris and Linux servers?
>
> 3. Where do I get the PAM modules to allow this to work?
>
> 4. What additional software must I run on my RH/FC FDS server?
Should > I, or can I, run two servers in case one fails? > > 5. Finally, does anyone have any written docs or a site that can help > me? > > > Thanks very much in advance, > > .vadim > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From wiskbroom at hotmail.com Tue Oct 10 18:54:39 2006 From: wiskbroom at hotmail.com (Vadim Pushkin) Date: Tue, 10 Oct 2006 18:54:39 +0000 Subject: [Fedora-directory-users] Need Pointers For Migrating To FDSfrom NIS In-Reply-To: <452BDBFD.705@broadcom.com> Message-ID: Hello George; Thank you for the reply. May I ask how then may I auth users and use a Windows DC for AD? .vp >From: "George Holbert" >Reply-To: "General discussion list for the Fedora Directory server >project." >Vadim, >This is a pretty big topic. >Gary Tay has put together some docs that are a great starting point: >http://web.singnet.com.sg/~garyttt/ > >Sun's docs regarding Solaris clients will also be useful for you: >http://docs.sun.com/app/docs/doc/816-4556 > >One other thing: > >>My goal is to migrate my Solaris and Linux machines onto the AD structure >>for user, group, hosts, networks and netgroups map use (perhaps other maps >>later). > >If you mean that you will be using AD as your directory server, you won't >necessarily need to run a separate directory server like FDS. > >Good luck! > > >Vadim Pushkin wrote: >>Hello All; >> >>My current environment is using NIS (not NIS+) on Sparc Solaris 8/10 and >>x86 Linux, with a separate AD structure. My goal is to migrate my Solaris >>and Linux machines onto the AD structure for user, group, hosts, networks >>and netgroups map use (perhaps other maps later). >> >>My questions are: >> >>1. Am I correct in believing that Fedora Dir Server is able to allow me >>to auth to my AD DC's? Or does FDS only perform as a conduit to the AD >>structure, either fine by me. >> >>2. 
What and where do I change to aloow this on my pam.conf on my Solaris >>and Linux servers? >> >>3. Where do I get the PAM modules to allow this to work? >> >>4. What additional software must I run on my RH/FC FDS server? Should I, >>or can I, run two servers in case one fails? >> >>5. Finally, does anyone have any written docs or a site that can help me? >> >> >>Thanks very much in advance, >> >>.vadim From jo.de.troy at gmail.com Tue Oct 10 19:47:32 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Tue, 10 Oct 2006 21:47:32 +0200 Subject: [Fedora-directory-users] Re: password policy Message-ID: Hello, indeed I can see the entries via de console, but I haven't been able yet to get these back via an ldapsearch command # ldapsearch -x -h localhost '(cn=config)' returns nothing Any ideas what I'm doing wrong? Thanks again, Jo From koippa at gmail.com Tue Oct 10 19:55:19 2006 From: koippa at gmail.com (Kimmo Koivisto) Date: Tue, 10 Oct 2006 22:55:19 +0300 Subject: [Fedora-directory-users] Re: password policy In-Reply-To: References: Message-ID: <200610102255.20119.koippa@gmail.com> Jo De Troy wrote: > Hello, > > indeed I can see the entries via de console, but I haven't been able > yet to get these back via an ldapsearch command > # ldapsearch -x -h localhost '(cn=config)' > returns nothing > > Any ideas what I'm doing wrong? 
Hello

cn=config is the search base, so try something like this:

# ldapsearch -x -b cn=config

or

# ldapsearch -x -b cn=config your-search-filter-and-other-options

BR
Kimmo Koivisto

From rmeggins at redhat.com Tue Oct 10 20:01:31 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 10 Oct 2006 14:01:31 -0600
Subject: [Fedora-directory-users] Re: password policy
In-Reply-To:
References:
Message-ID: <452BFC1B.1020807@redhat.com>

Jo De Troy wrote:
> Hello,
>
> indeed I can see the entries via the console, but I haven't been able yet to get these back via an ldapsearch command
> # ldapsearch -x -h localhost '(cn=config)'
> returns nothing
>
> Any ideas what I'm doing wrong?
I don't think cn=config is searchable by anonymous by default - try -D "cn=directory manager" -w password
>
> Thanks again,
> Jo

From gennaro.tortone at na.infn.it Wed Oct 11 07:17:10 2006
From: gennaro.tortone at na.infn.it (Gennaro Tortone)
Date: Wed, 11 Oct 2006 09:17:10 +0200
Subject: [Fedora-directory-users] usertools
Message-ID: <20061011071710.GA13304@na.infn.it>

Hi,
I'm migrating our NIS authentication server to Fedora Directory Server;

my problem is that all "classic" commands (useradd, userdel, chage, ...) don't work on users migrated on LDAP (FDS)...

Is there something to configure ? (PAM, ...)

I tried with pwdutils (http://www.thkukuk.de/pam/pwdutils/) but there are some authentication problems and the project seems to be not so "active"

Any idea ?

Regards,

-- 
Gennaro Tortone
INFN Napoli
Italy
tel: +39 81 676169

"Computer Science is no more about computers than astronomy is about telescopes."
- Edsger Dijkstra

From stefan.hogdahl at multifi.net Wed Oct 11 12:42:01 2006
From: stefan.hogdahl at multifi.net (Stefan Högdahl)
Date: Wed, 11 Oct 2006 15:42:01 +0300
Subject: [Fedora-directory-users] How do I allow a certain admin user to administrate a directory?
Message-ID:

Hi.

I'm trying to configure fds102 so that it will allow a certain user to administrate a directory, but I cannot get it to work. I can bind anonymously and do searches from anywhere, but I cannot bind with any of the names I've specified during setup so that I would be able to modify, create and delete records from the directory. If I want to administrate anything, I have to use the admin-console that ships with fds.

What should I do in order to grant full-administration privileges for a certain user to the directory? I've tried to add users through the "Set access permissions..." administration process, but when I try to search for a certain user from a specific directory no results are returned.

Feedback and tips will be greatly appreciated :)

With best regards,
/Stefan Hogdahl.

From jo.de.troy at gmail.com Wed Oct 11 12:45:30 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Wed, 11 Oct 2006 14:45:30 +0200
Subject: [Fedora-directory-users] trying to build
Message-ID:

Hello,

I'm trying to build FedoraDS 1.0.2 again on RHEL4 and following all the docs on the wiki.
I successfully compiled all prereq's on the wiki.
I'm trying to compile the other modules from the directoryserver (mod_admserv, mod_restartd, adminserver, directoryconsole).
On the page explaining how to build mod_admserv only the configure part is written, don't I need to compile mod_admserv? The same question for mod_nss and mod_restartd?

How exactly can I build without the dsml code?
make USE_DSMLGW=0 USE_JAVATOOLS=0 ?
Thanks again, Jo From rmeggins at redhat.com Wed Oct 11 12:51:56 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 11 Oct 2006 06:51:56 -0600 Subject: [Fedora-directory-users] trying to build In-Reply-To: References: Message-ID: <452CE8EC.1090201@redhat.com> Jo De Troy wrote: > Hello, > > I'm trying to build FedoraDS 1.0.2 again on RHEL4 and following all > the docs on the wiki. > I successfully compiled all prereq's on the wiki. > I'm trying to compile the other modules from the directoryserver > (mod_admserv, mod_restartd, adminserver,directoryconsole) > On the page explaining how to build mod_admserv only the configure > part is written, don't I need to compile mod_admserv? The same > question for mod_nss and mod_restartd? It should be just "make". configure takes care of the hard parts. > > How exactly can I build without the dsml code? > make USE_DSMLGW=0 USE_JAVATOOLS=0 ? Yes, that should do it. > > Thanks again, > Jo > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Wed Oct 11 12:58:19 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 11 Oct 2006 06:58:19 -0600 Subject: [Fedora-directory-users] How do I allow a certain admin user to administrate a directory? In-Reply-To: References: Message-ID: <452CEA6B.3060406@redhat.com> Stefan H?gdahl wrote: > Hi. > > I'm trying to to configure fds102 so that it will allow a certain user to administrate a directory, but I cannot get it to work. I can bind anonymously and do searches from anywhere, but I cannot bind with any of the names I've specified during setup You mean the admin user or cn=Directory Manager? 
Note that the full bind DN for the former is usually something like this:
uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot

try

ldapsearch -x -D "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -w password -s base -b "cn=config" "objectclass=*"

> so that I would be able to modify, create and delete records from the directory. If I want to administrate anything, I have to use the admin-console that ships with fds.
>
> What should I do in order to grant full-administration privileges for a certain user to the directory? I've tried to add users through the "Set access permissions..." administration process, but when I try to search for a certain user from a specific directory no results are returned.
>
> Feedback and tips will be greatly appreciated :)
>
>
> With best regards,
> /Stefan Hogdahl.

From jo.de.troy at gmail.com Wed Oct 11 13:06:39 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Wed, 11 Oct 2006 15:06:39 +0200
Subject: [Fedora-directory-users] trying to build
Message-ID:

Hello,

I get an error when building the adminserver.
I have completely followed the wiki pages and installed all other components

cd console; gmake BUILD_OPT=1 NO_MOCHA=1 NO_JAVA=1 NSPR_BASENAME=libnspr4 USE_PTHREADS=1 SECURITY=domestic BUILD_MODE=ext BUILD_MODULE=HTTP_ADMIN -w
gmake[4]: Entering directory `/home/ldap/ds102/adminserver/admserv/console'
The console jar files are missing from ../../../built/release/package/java - please build or download them
gmake[4]: *** [nmcjdk] Error 1
gmake[4]: Leaving directory `/home/ldap/ds102/adminserver/admserv/console'
gmake[3]: *** [do-console] Error 2
gmake[3]: Leaving directory `/home/ldap/ds102/adminserver/admserv'
gmake[2]: *** [httpAdmin] Error 2
gmake[2]: Leaving directory `/home/ldap/ds102/adminserver'
gmake[1]: *** [buildAdmin_r] Error 2
gmake[1]: Leaving directory `/home/ldap/ds102/adminserver'
make: *** [buildAdmin] Error 2

Anybody?

Thanks again,
Jo

From rmeggins at redhat.com Wed Oct 11 13:46:32 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 11 Oct 2006 07:46:32 -0600
Subject: [Fedora-directory-users] trying to build
In-Reply-To:
References:
Message-ID: <452CF5B8.6030001@redhat.com>

Jo De Troy wrote:
> Hello,
>
> I get an error when building the adminserver. I have completely followed the wiki pages and installed all other components
>
> cd console; gmake BUILD_OPT=1 NO_MOCHA=1 NO_JAVA=1 NSPR_BASENAME=libnspr4 USE_PTHREADS=1 SECURITY=domestic BUILD_MODE=ext BUILD_MODULE=HTTP_ADMIN -w
> gmake[4]: Entering directory `/home/ldap/ds102/adminserver/admserv/console'
> The console jar files are missing from ../../../built/release/package/java - please build or download them
Did you build the console?
> gmake[4]: *** [nmcjdk] Error 1 > gmake[4]: Leaving directory > `/home/ldap/ds102/adminserver/admserv/console' > gmake[3]: *** [do-console] Error 2 > gmake[3]: Leaving directory `/home/ldap/ds102/adminserver/admserv' > gmake[2]: *** [httpAdmin] Error 2 > gmake[2]: Leaving directory `/home/ldap/ds102/adminserver' > gmake[1]: *** [buildAdmin_r] Error 2 > gmake[1]: Leaving directory `/home/ldap/ds102/adminserver' > make: *** [buildAdmin] Error 2 > > Anybody? > > Thanks again, > Jo > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From jo.de.troy at gmail.com Wed Oct 11 14:00:54 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Wed, 11 Oct 2006 16:00:54 +0200 Subject: [Fedora-directory-users] trying to build Message-ID: Hi Rich, yes I did build the console. But it doesn't write anything in /home/ldap/ds102/built/release/package/java where the build of adminserver goes looking. In fact the java directory above does not exist, the package directory does. 
Thanks again,
Jo

[root@ldapsvr console]# ant -Dimports.file=imports.FC3
/usr/bin/build-classpath: error: could not find jaxp_parser_impl Java extension for this JVM
/usr/bin/build-classpath: error: All specified jars were not found
Buildfile: build.xml

prepare_imports:

prepare_build:

import_ldapjdk:

import_jss_jar:

build:

prepare_jars:

build_jars:
      [jar] Building jar: /home/ldap/ds102/built/release/jars/fedora-mcc-1.0_en.jar

BUILD SUCCESSFUL
Total time: 3 seconds

From rmeggins at redhat.com Wed Oct 11 14:12:45 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 11 Oct 2006 08:12:45 -0600
Subject: [Fedora-directory-users] trying to build
In-Reply-To:
References:
Message-ID: <452CFBDD.4030206@redhat.com>

Jo De Troy wrote:
> Hi Rich,
>
> yes I did build the console.
> But it doesn't write anything in /home/ldap/ds102/built/release/package/java where the build of adminserver goes looking. In fact the java directory above does not exist, the package directory does.
>
> Thanks again,
> Jo
>
> [root@ldapsvr console]# ant -Dimports.file=imports.FC3
Try ant -Dimports.file=imports.FC3 package
> /usr/bin/build-classpath: error: could not find jaxp_parser_impl Java extension for this JVM
> /usr/bin/build-classpath: error: All specified jars were not found
> Buildfile: build.xml
>
> prepare_imports:
>
> prepare_build:
>
> import_ldapjdk:
>
> import_jss_jar:
>
> build:
>
> prepare_jars:
>
> build_jars:
>       [jar] Building jar: /home/ldap/ds102/built/release/jars/fedora-mcc-1.0_en.jar
>
> BUILD SUCCESSFUL
> Total time: 3 seconds
From stpierre at NebrWesleyan.edu Wed Oct 11 14:56:34 2006
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Wed, 11 Oct 2006 09:56:34 -0500 (CDT)
Subject: [Fedora-directory-users] Command-line Consumer Initialization
In-Reply-To: <200610101813.42778.koippa@gmail.com>
References: <20061009223139.7037.qmail@web50913.mail.yahoo.com> <452BA907.3020808@sci.fi> <200610101813.42778.koippa@gmail.com>
Message-ID:

On Tue, 10 Oct 2006, Kimmo Koivisto wrote:

> Hello Mike
>
> I have used your mmr.pl script to deploy about 10 multimaster replicated FDS installations, it always worked fine. Those deployments have had two servers and I know that in near future I need to deploy four-way mmr.
>
> Your script has the following options:
>   --host1 FQDN of host 1
>   --host2 FQDN of host 2
>   --host1_id Replication ID number of host 1
>   --host2_id Replication ID number of host 2
>
> When deploying four-way mmr, is it possible to define options --host3 and --host4 (and _id) options or how one should initialize four-way mmr?
>
> Best Regards
> Kimmo

You'll want to set up two-way replication agreements between each pair of hosts in your setup. So if you had A, B, C, and D, you'd set up agreements between A-B, A-C, A-D, B-C, B-D, and C-D.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

From jo.de.troy at gmail.com Wed Oct 11 15:02:25 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Wed, 11 Oct 2006 17:02:25 +0200
Subject: [Fedora-directory-users] trying to build
Message-ID:

Hi Rich,

thanks that helped.
Now I'm stuck during the ldapserver build

# [root@tc191 ldapserver]# make BUILD_BOMB="" PUMPKIN_AGE="" BUILD_DEBUG=optimize

after some time I get

../../built/RHEL4_x86_gcc3_OPT.OBJ/nsinstall -t -m 644 ../../../directoryconsole/built/package/ds10.jar ../../built/release/RHEL4_x86_gcc3_OPT.OBJ/java/jars
../../built/RHEL4_x86_gcc3_OPT.OBJ/nsinstall: cannot access ../../../directoryconsole/built/package/ds10.jar: No such file or directory
gmake[1]: *** [releaseDirectory] Error 1
gmake[1]: Leaving directory `/home/ldap/ds102/ldapserver/ldap/cm'
make: *** [setupDirectory] Error 2

So what's missing? What did I do wrong?
I will document all of this and upload it to the Wiki of course

Thanks again,
Jo

From stpierre at NebrWesleyan.edu Wed Oct 11 15:04:58 2006
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Wed, 11 Oct 2006 10:04:58 -0500 (CDT)
Subject: [Fedora-directory-users] usertools
In-Reply-To: <20061011071710.GA13304@na.infn.it>
References: <20061011071710.GA13304@na.infn.it>
Message-ID:

On Wed, 11 Oct 2006, Gennaro Tortone wrote:

> Hi,
> I'm migrating our NIS authentication server to Fedora Directory Server;
>
> my problem is that all "classic" commands (useradd, userdel, chage, ...) don't work on users migrated on LDAP (FDS)...
>
> Is there something to configure ? (PAM, ...)
>
> I tried with pwdutils (http://www.thkukuk.de/pam/pwdutils/) but there are some authentication problems and the project seems to be not so "active"
>
> Any idea ?

I think most people write their own scripts to create users, or do it through the console. However, I believe that many modern Linuxes will Do The Right Thing WRT the "classic" commands if you configure everything correctly. Try 'man ldap.conf'; I *think* that if you give it a bind password, etc., it'll try to add accounts. (It's quite possible that I'm totally and completely wrong about that.)

There are two to three problems with that approach, though.
First, it probably won't create the account the way you want it to, especially if you have anything beyond the most basic of environments. I've never used this before, but I doubt it'll add, e.g., Samba attributes. If you do anything beyond the bare minimum with POSIX attributes, it'll be insufficient.

Second, /etc/ldap.conf has to be world-readable if you want other users to be able to run 'finger,' or even get proper results from 'ls' and 'stat'. If you specify your directory manager password in there, your directory has just been pwned.

Thirdly, it assumes that you're running a recent Linux. For all I know, you could be on OS/2. :)

So, while I think this might be possible, I'd recommend either using the console if you have a small number of accounts to create, or bust out the ol' Net::LDAP.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

From jrussler at helix.nih.gov Wed Oct 11 15:08:21 2006
From: jrussler at helix.nih.gov (Jason Russler)
Date: Wed, 11 Oct 2006 11:08:21 -0400
Subject: [Fedora-directory-users] usertools
In-Reply-To: <20061011071710.GA13304@na.infn.it>
References: <20061011071710.GA13304@na.infn.it>
Message-ID: <452D08E5.5000900@helix.nih.gov>

You'll need to use some LDAP client system to manage users. For starters, there is the directory console that comes with FDS, there are several others that some seem to like better such as PHP LDAP Admin, and there are the openldap command line tools. The usual UNIX tools don't know anything about LDAP. Poke around the HowTos on the FDS site...

Gennaro Tortone wrote:
> Hi,
> I'm migrating our NIS authentication server to Fedora Directory Server;
>
> my problem is that all "classic" commands (useradd, userdel, chage, ...)
> don't work on users migrated on LDAP (FDS)...
>
> Is there something to configure ? (PAM, ...)
>
> I tried with pwdutils (http://www.thkukuk.de/pam/pwdutils/) but there are
> some authentication problems and the project seems to be not so "active"
>
> Any idea ?
>
> Regards,

From jo.de.troy at gmail.com Wed Oct 11 15:17:00 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Wed, 11 Oct 2006 17:17:00 +0200
Subject: [Fedora-directory-users] trying to build

Hi Rich,

solved that one myself.
I created an extra symlink from within directoryconsole to the built directory above.

Now how would I go about getting the patch that solves the ldapserver crash when doing an ldappasswd? Could I just fetch the 2 changed files from cvs and rebuild it?

Thanks again,
Jo

From rmeggins at redhat.com Wed Oct 11 15:39:44 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 11 Oct 2006 09:39:44 -0600
Subject: [Fedora-directory-users] trying to build
Message-ID: <452D1040.7050805@redhat.com>

Jo De Troy wrote:
> Hi Rich,
>
> solved that one myself.
> I created an extra symlink from within directoryconsole to the built
> directory above.

Ok. When you built directoryconsole, did you do ant -D... package?

> Now how would I go about getting the patch that solves the ldapserver
> crash when doing an ldappasswd? Could I just fetch the 2 changed files
> from cvs and rebuild it?

Yes.

> Thanks again,
> Jo

From gmessmer at u.washington.edu Wed Oct 11 15:40:39 2006
From: gmessmer at u.washington.edu (Gordon Messmer)
Date: Wed, 11 Oct 2006 08:40:39 -0700
Subject: [Fedora-directory-users] Command-line Consumer Initialization
References: <20061009223139.7037.qmail@web50913.mail.yahoo.com> <452BA907.3020808@sci.fi> <200610101813.42778.koippa@gmail.com>
Message-ID: <452D1077.1090101@u.washington.edu>

Chris St. Pierre wrote:
> You'll want to set up two-way replication agreements between each pair
> of hosts in your setup. So if you had A, B, C, and D, you'd set up
> agreements between A-B, A-C, A-D, B-C, B-D, and C-D.

The documentation contradicts you. Look at the second figure in the "Multi-Master Replication" section of the admin manual (hard to see), and the section "Configuring 4-Way Multi-Master Replication" several pages below it:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/replicat.html#1101818

The admin manual suggests a ring topology (and two agreements per set of peers) for multi-master agreements. You should have agreements between A->B, A->D, B->A, B->C, C->B, C->D, D->C, and D->A.

From david.bogen at icecube.wisc.edu Wed Oct 11 15:59:04 2006
From: david.bogen at icecube.wisc.edu (David Bogen)
Date: Wed, 11 Oct 2006 10:59:04 -0500
Subject: [Fedora-directory-users] Replacing buggy NSS libraries
Message-ID: <452D14C8.3010604@icecube.wisc.edu>

All:

In replacing the buggy NSS 3.11 libraries, the instructions we've been given are to replace the libraries in /opt/fedora-ds/bin/slapd/lib and /opt/fedora-ds/bin/admin/lib.

However, it appears that many of the same libraries are also found in /opt/fedora-ds/shared/lib. Should I replace those libraries, as well?

David
From rmeggins at redhat.com Wed Oct 11 16:10:23 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 11 Oct 2006 10:10:23 -0600
Subject: [Fedora-directory-users] Replacing buggy NSS libraries
In-Reply-To: <452D14C8.3010604@icecube.wisc.edu>
References: <452D14C8.3010604@icecube.wisc.edu>
Message-ID: <452D176F.9080708@redhat.com>

David Bogen wrote:
> All:
>
> In replacing the buggy NSS 3.11 libraries, the instructions we've been
> given are to replace the libraries in /opt/fedora-ds/bin/slapd/lib and
> /opt/fedora-ds/bin/admin/lib.
>
> However, it appears that many of the same libraries are also found in
> /opt/fedora-ds/shared/lib. Should I replace those libraries, as well?

You can, but those libs are only used for the command line tools, and fixing a memory leak in ldapsearch is not as important as a memory leak in the server.

> David

From mj at sci.fi Wed Oct 11 17:00:22 2006
From: mj at sci.fi (Mike Jackson)
Date: Wed, 11 Oct 2006 20:00:22 +0300
Subject: [Fedora-directory-users] Command-line Consumer Initialization
In-Reply-To: <452D1077.1090101@u.washington.edu>
References: <20061009223139.7037.qmail@web50913.mail.yahoo.com> <452BA907.3020808@sci.fi> <200610101813.42778.koippa@gmail.com> <452D1077.1090101@u.washington.edu>
Message-ID: <452D2326.5060503@sci.fi>

Gordon Messmer wrote:
> Chris St. Pierre wrote:
>
>> You'll want to set up two-way replication agreements between each pair
>> of hosts in your setup. So if you had A, B, C, and D, you'd set up
>> agreements between A-B, A-C, A-D, B-C, B-D, and C-D.
>
> The documentation contradicts you. Look at the second figure in the
> "Multi-Master Replication" section of the admin manual (hard to see),
> and the section "Configuring 4-Way Multi-Master Replication" several
> pages below it:
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/replicat.html#1101818
>
> The admin manual suggests a ring topology (and two agreements per set of
> peers) for multi-master agreements. You should have agreements between
> A->B, A->D, B->A, B->C, C->B, C->D, D->C, and D->A.

Ring-topology survives 1 server failure, but not two. You need to understand your high-availability requirements to decide which is right for you. Full-mesh replication supports 2 servers failing at the same time, but increases replication traffic.

Minimum level of agreements for 4-way MMR:

1 <-> 2
1 <-> 3
2 <-> 4

Maximum level of agreements (full-mesh) for 4-way MMR (each machine replicates to 3 targets):

1 <-> 2
1 <-> 3
1 <-> 4
2 <-> 3
2 <-> 4
3 <-> 4

Again, it's much easier to visualize when you draw numbered boxes on paper and connect the dots :-)

The systems I design require high-availability for writes, so I use full-mesh MMR.

--
mike

From sergio.diaze at gmail.com Wed Oct 11 19:25:23 2006
From: sergio.diaze at gmail.com (Sergio Diaz)
Date: Wed, 11 Oct 2006 14:25:23 -0500
Subject: [Fedora-directory-users] FDS and AD
Message-ID: <1160594723.2486.0.camel@oslec>

Hi People,

Is it possible to sync only in one way?

Users Windows AD -> FDS.

Or the other scenario, like OpenLDAP has a Meta Backend (2 LDAPs, 1 AD): is it possible with FDS?

Regards,
Sergio
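Mike's comparison of ring and full-mesh agreements above can be checked mechanically rather than by drawing boxes. The script below is an added example, not code from the thread or from Fedora Directory Server: it models each replication agreement as a one-way supplier->consumer edge (the host names A-D and 1-4 are the constructed samples from the discussion), tests whether the surviving masters still converge after any k of them fail, and flags links that have no agreement in the opposite direction (a missed reverse agreement is the usual way a "two-way" link silently becomes one-way). It reports the ring surviving one failure and the full mesh two, matching Mike's figures; the three-link minimum converges with all four hosts up but has no spare path once host 1 or 2 is gone.

```python
from itertools import combinations

# Replication agreements are one-way (supplier -> consumer), so a topology is a
# list of directed edges. These are constructed samples of the 4-way MMR layouts
# discussed in the thread, not configuration read from any server.

# Gordon's ring from the admin manual: two agreements per neighbouring pair.
RING = [("A", "B"), ("A", "D"), ("B", "A"), ("B", "C"),
        ("C", "B"), ("C", "D"), ("D", "C"), ("D", "A")]


def two_way(pairs):
    """Expand '1 <-> 2' style pairs into one agreement in each direction."""
    return [(a, b) for a, b in pairs] + [(b, a) for a, b in pairs]


# Mike's three-link minimum and his full mesh, hosts numbered 1-4 as in his post.
MINIMUM = two_way([("1", "2"), ("1", "3"), ("2", "4")])
FULL_MESH = two_way([("1", "2"), ("1", "3"), ("1", "4"),
                     ("2", "3"), ("2", "4"), ("3", "4")])


def hosts_of(agreements):
    return {h for edge in agreements for h in edge}


def reachable(start, alive, agreements):
    """Live hosts that receive `start`'s updates, directly or via other live masters."""
    seen = {start}
    frontier = [start]
    while frontier:
        supplier = frontier.pop()
        for s, c in agreements:
            if s == supplier and c in alive and c not in seen:
                seen.add(c)
                frontier.append(c)
    return seen


def converges(alive, agreements):
    """True if every live master's writes eventually reach every other live master."""
    return all(reachable(h, alive, agreements) == set(alive) for h in alive)


def failures_tolerated(agreements):
    """Largest k such that ANY k masters can fail and the survivors still converge.

    Capped at n-2: with a single survivor there is nothing left to replicate with.
    """
    hosts = sorted(hosts_of(agreements))
    for k in range(1, len(hosts) - 1):
        for gone in combinations(hosts, k):
            if not converges(set(hosts) - set(gone), agreements):
                return k - 1
    return len(hosts) - 2


def missing_return_paths(agreements):
    """Agreements with no agreement back, i.e. links that are one-way only."""
    edges = set(agreements)
    return sorted((s, c) for s, c in edges if (c, s) not in edges)


if __name__ == "__main__":
    for name, topo in (("ring", RING), ("minimum", MINIMUM), ("full mesh", FULL_MESH)):
        print(f"{name:9s} agreements={len(topo):2d} "
              f"survives {failures_tolerated(topo)} simultaneous failure(s)")
    # Constructed mis-configuration: B replicates to C but nothing sends C's writes back.
    print("one-way only:", missing_return_paths([("A", "B"), ("B", "A"), ("B", "C")]))
```

To run this against a real deployment, build the edge list from each supplier's agreement entries (the consumer is the agreement's nsDS5ReplicaHost value) and feed it to failures_tolerated and missing_return_paths; the failure count is a pure availability figure and says nothing about the extra replication traffic Mike mentions, which grows with the number of agreements.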
From rinconsystems at yahoo.com Wed Oct 11 20:07:56 2006
From: rinconsystems at yahoo.com (Scott Roberts)
Date: Wed, 11 Oct 2006 13:07:56 -0700 (PDT)
Subject: [Fedora-directory-users] Fedora directory and solaris 10
Message-ID: <20061011200756.34709.qmail@web34108.mail.mud.yahoo.com>

Why? I know I will get kicked in the face for mentioning this... but the major OS's have their own directory servers, Red Hat has one now as we all know, and Sun has one too. Just use the sun directory server on solaris, it's free, the support is not.

--- James Greene wrote:
> Hello,
> Just joined the list. I want to compile fedora
> directory on Solaris 10
> (sparc). Anyone have any good docs on it? I am using
> gcc. Thanks
>
> Jim

From jwgreene at megalink.net Wed Oct 11 21:09:48 2006
From: jwgreene at megalink.net (James Greene)
Date: Wed, 11 Oct 2006 17:09:48 -0400
Subject: [Fedora-directory-users] Fedora directory and solaris 10
In-Reply-To: <20061011200756.34709.qmail@web34108.mail.mud.yahoo.com>

I can do that, but I guess my question is can I use Sun directory server on one box as master, then another box (doing the multi-master replication) running fedora directory? I know they both are based on the same code, but not sure if that would work or not.

On 10/11/06 4:07 PM, "Scott Roberts" wrote:
> Why? I know I will get kicked in the face for
> mentioning this... but the major OS's have their own
> directory servers, Red Hat has one now as we all know,
> and Sun has one too. Just use the sun directory server
> on solaris, it's free, the support is not.

From gholbert at broadcom.com Wed Oct 11 21:18:04 2006
From: gholbert at broadcom.com (George Holbert)
Date: Wed, 11 Oct 2006 14:18:04 -0700
Subject: [Fedora-directory-users] Fedora directory and solaris 10
Message-ID: <452D5F8C.4090205@broadcom.com>

> I guess my question is can I use Sun directory server on
> one box as master, then another box (doing the multi-master replication)
> running fedora directory?

My understanding is that would not work. You would want all servers running either SunDS or FDS.

James Greene wrote:
> I can do that, but I guess my question is can I use Sun directory server on
> one box as master, then another box (doing the multi-master replication)
> running fedora directory? I know they both are based on the same code, but
> not sure if that would work or not.

From rmeggins at redhat.com Wed Oct 11 23:07:27 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 11 Oct 2006 17:07:27 -0600
Subject: [Fedora-directory-users] Fedora directory and solaris 10
In-Reply-To: <452D5F8C.4090205@broadcom.com>
References: <452D5F8C.4090205@broadcom.com>
Message-ID: <452D792F.50909@redhat.com>

George Holbert wrote:
>> I guess my question is can I use Sun directory server on
>> one box as master, then another box (doing the multi-master replication)
>> running fedora directory?
>
> My understanding is that would not work. You would want all servers
> running either SunDS or FDS.

FDS replication is compatible with SunDS 5.1 and earlier replication. I believe SunDS 5.2 has some sort of legacy replication mode that lets it talk to SunDS 5.1. So it is possible.
From rresnick at fit.edu Wed Oct 11 23:55:29 2006
From: rresnick at fit.edu (Rhian Resnick)
Date: Wed, 11 Oct 2006 19:55:29 -0400
Subject: [Fedora-directory-users] Fedora directory and solaris 10
In-Reply-To: <452D792F.50909@redhat.com>
References: <452D5F8C.4090205@broadcom.com> <452D792F.50909@redhat.com>

We are running that setup in a test environment. It works great, you just need to watch out for schema complications. But we are running the Sun Directory Server on Linux.

- Rhian

On Oct 11, 2006, at 7:07 PM, Richard Megginson wrote:
> George Holbert wrote:
>>> I guess my question is can I use Sun directory server on
>>> one box as master, then another box (doing the multi-master
>>> replication)
>>> running fedora directory?
>>
>> My understanding is that would not work. You would want all
>> servers running either SunDS or FDS.
> FDS replication is compatible with SunDS 5.1 and earlier
> replication. I believe SunDS 5.2 has some sort of legacy
> replication mode that lets it talk to SunDS 5.1. So it is possible.

From timothy at jupiter.stcl.edu Thu Oct 12 03:10:20 2006
From: timothy at jupiter.stcl.edu (Timothy)
Date: Wed, 11 Oct 2006 22:10:20 -0500
Subject: [Fedora-directory-users] Fedora directory and solaris 10
Message-ID: <200610112210.20366.timothy@jupiter.stcl.edu>

On Wednesday 11 October 2006 16:09, James Greene wrote:
> I can do that, but I guess my question is can I use Sun directory server on
> one box as master, then another box (doing the multi-master replication)
> running fedora directory? I know they both are based on the same code, but
> not sure if that would work or not.

I just built 2 solaris10 ds52 servers (x86). One is a hub that gets updates from a win2k based sun ds51 server and the second is a consumer that receives updates from the hub.

I tried FedoraDS 1.0.2 on el4 first. Replication worked, but slapd kept dying on the FDS consumer. So there are some differences. Debug showed nothing. I was in a crunch, so I gave up and did the Sun thingy. It is free, does the job. I use a customized IPlanet/Calendar/DS from Sungard so there's a good chance it's something they are doing or could be something with the windoze variant of sun ds.

Never enough time....

From rmeggins at redhat.com Thu Oct 12 03:20:55 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 11 Oct 2006 21:20:55 -0600
Subject: [Fedora-directory-users] Fedora directory and solaris 10
In-Reply-To: <200610112210.20366.timothy@jupiter.stcl.edu>
References: <200610112210.20366.timothy@jupiter.stcl.edu>
Message-ID: <452DB497.3000400@redhat.com>

Timothy wrote:
> I just built 2 solaris10 ds52 servers (x86). One is a hub that gets updates
> from a win2k based sun ds51 server and the second is a consumer that receives
> updates from the hub.
>
> I tried FedoraDS 1.0.2 on el4 first. Replication worked, but slapd kept dying
> on the FDS consumer.

I would very much like to get some information about this, like access and error log lines from around the time of the crash.

Did you try sun ds51 to fds 1.0.2 replication?

> So there are some differences. Debug showed nothing. I
> was in a crunch, so I gave up and did the Sun thingy. It is free, does the
> job. I use a customized IPlanet/Calendar/DS from Sungard so there's a good
> chance it's something they are doing or could be something with the windoze
> variant of sun ds.
>
> Never enough time....
From timothy at jupiter.stcl.edu Thu Oct 12 03:39:48 2006
From: timothy at jupiter.stcl.edu (Timothy)
Date: Wed, 11 Oct 2006 22:39:48 -0500
Subject: [Fedora-directory-users] Fedora directory and solaris 10
In-Reply-To: <452DB497.3000400@redhat.com>
References: <200610112210.20366.timothy@jupiter.stcl.edu> <452DB497.3000400@redhat.com>
Message-ID: <200610112239.48218.timothy@jupiter.stcl.edu>

On Wednesday 11 October 2006 22:20, Richard Megginson wrote:
> Timothy wrote:
> > I just built 2 solaris10 ds52 servers (x86). One is a hub that gets
> > updates from a win2k based sun ds51 server and the second is a consumer
> > that receives updates from the hub.
> >
> > I tried FedoraDS 1.0.2 on el4 first. Replication worked, but slapd kept
> > dying on the FDS consumer.
>
> I would very much like to get some information about this, like access
> and error log lines from around the time of the crash.

There were no error log lines. Nada. Slapd would just quit. I turned on debug and same thing, nada. Access logs, I could provide if I still had the box running, but I was in a crunch and just had to find something that worked. I would like to test this out further though, maybe on FC5 versus EL4 to see if it behaves any differently. When I can find the time I'll give her another tire kickin'.

> Did you try sun ds51 to fds 1.0.2 replication?

Yes. It works. Slapd just wouldn't reliably stay up.

> > So there are some differences. Debug showed nothing. I
> > was in a crunch, so I gave up and did the Sun thingy. It is free, does
> > the job. I use a customized IPlanet/Calendar/DS from Sungard so there's
> > a good chance it's something they are doing or could be something with
> > the windoze variant of sun ds.
> >
> > Never enough time....

From jrussler at helix.nih.gov Thu Oct 12 18:57:00 2006
From: jrussler at helix.nih.gov (Jason Russler)
Date: Thu, 12 Oct 2006 14:57:00 -0400
Subject: [Fedora-directory-users] Account lockout
Message-ID: <452E8FFC.30404@helix.nih.gov>

Hi all, I have two FDS 1.0.2 systems in a master/slave set-up (for redundancy purposes rather than load) that are for authenticating a small number of high-capacity systems (many users). The client systems are configured to access the slave system first and fail-over to the master if the slave is unavailable. Add/modify/delete requests posted to the slave (which are frequent) are referred along to the master and then replicated back. It all works normally.

The problem is that when the slave server makes an update to itself, such as when a user login attempt fails, the appropriate attribute is updated (in this case, passwordretrycount) rather than referred to the master - which makes sense I guess. I'd like these updates referred to the master because all of my user administration tools talk to the master - things like failed login attempts and temporarily locked accounts never show up on the master. Is there a way I can do this (short of writing plugins) or do I have to work around it?

Thanks,
Jason

From rmeggins at redhat.com Thu Oct 12 19:45:15 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 12 Oct 2006 13:45:15 -0600
Subject: [Fedora-directory-users] Account lockout
In-Reply-To: <452E8FFC.30404@helix.nih.gov>
References: <452E8FFC.30404@helix.nih.gov>
Message-ID: <452E9B4B.70002@redhat.com>

Jason Russler wrote:
> Hi all, I have two FDS 1.0.2 systems in a master/slave set-up (for
> redundancy purposes rather than load) that are for authenticating a
> small number of high-capacity systems (many users). The client
> systems are configured to access the slave system first and fail-over
> to the master if the slave is unavailable. Add/modify/delete
> requests posted to the slave (which are frequent) are referred along
> to the master and then replicated back. It all works normally.
>
> The problem is that when the slave server makes an update to itself,
> such as when a user login attempt fails, the appropriate attribute is
> updated (in this case, passwordretrycount) rather than referred to the
> master - which makes sense I guess. I'd like these updates referred
> to the master because all of my user administration tools talk to the
> master - things like failed login attempts and temporarily locked
> accounts never show up on the master. Is there a way I can do this
> (short of writing plugins) or do I have to work around it? Thanks,
> Jason

I think you'd have to use something like Chain on Update, which allows the replica to follow the referral to the master itself.
http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From sergio.diaze at gmail.com Fri Oct 13 06:29:32 2006 From: sergio.diaze at gmail.com (Sergio Diaz) Date: Fri, 13 Oct 2006 01:29:32 -0500 Subject: [Fedora-directory-users] FDS and AD In-Reply-To: <4521706B.50300@redhat.com> References: <20061002160005.378F57324C@hormel.redhat.com> <45213D27.6050707@symas.com> <45215695.7000404@worldpub.net> <1159813037.2474.3.camel@oslec> <45216DE8.10507@worldpub.net> <4521706B.50300@redhat.com> Message-ID: Hi all, I successfully connect the AD Back End DB to FDS like Brian Smith, i disable the nsProxiedAuthorization (comment by Richard Meggison) in Plugins->Chaining Database->AD (is the name of my Sub Suffix), but i cant Browse the Directory "Critical Extension unavailable". - In the Console i can search Users, Groups of my AD and FDS =) Happy!! Two Questions: Its possible to Map the Attributes like: map attribute uid sAMAaccountname map attribute cn name map attribute mail userprincipalname map attribute account user Its possible to Link the Database of the AD only for Read ? I like to write a Howto for this settings. Regards, Sergio On 10/2/06, Richard Megginson wrote: > > It may be that AD doesn't support proxied auth, in which case you should > tell chaining to disable it. See > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/entry_dist.html#21180 > for more information - the pertinent attribute is nsProxiedAuthorization > > Brian Smith wrote: > > All, > > Here's what I've now done to enable the AD Back end DB for a sub tree: > > 1. Click configuration and select the "dc=domain,dc=com" tree. > > 2. Right click "dc=domain,dc=com" tree and select new sub suffix > > 3. In New Suffix box, typed "ou=subsuffix1" and unchecked create > > associated database automatically and click OK. > > 4. Open "dc=domain,dc=com" and right click > > "ou=subsuffix1,dc=domain,dc=com, and select "new database link. > > 5. 
Here, I put Database link name "subsuffix1", put the bind dn and > > password of a domain user account in my AD, and put the domain > > controller ip in the remote server box and clicked save. (I can > > connect to my AD with the DN I provided here) > > 6. Check enable this suffix under ou=subsuffix1,dc=worldpub,dc=corp > > > > now subsuffix1 database appears under ou=subsuffix1,dc=domain,dc=com. > > If I now go to the directory tab, and select the directory entry, i > > get critical extension unavailable and if i use an ldap browser i get > > list failed on the main tree. Did i miss a step? If I disable the > > ou=subsuffix1,dc=domain,dc=com suffix i can browse the tree no > > problem. Thanks! > > Brian Smith > > > > > > > > Sergio Diaz wrote: > >> > >> FDS, OpenLDAP and AD > >> > >> One Directory FDS.....i want this directions to... > >> Chaining Backend... > >> > >> Regards, > >> Sergio > >> > >> On Mon, 2006-10-02 at 14:12 -0400, Brian Smith wrote: > >>> Hello all, I've been working on getting chaining working with an > active > >>> directory back end for a week now. Has anyone successfully done this > or > >>> have directions on setting this up? > >>> > >>> Brian Smith > >>> > >>> Howard Chu wrote: > >>> > > >>> >> Date: Mon, 02 Oct 2006 10:01:55 -0600 > >>> >> From: Richard Megginson rmeggins at redhat.com>> > >>> > > >>> >> Sergio Diaz wrote: > >>> >>> Hi Richard; > >>> >>> > >>> >>> Openldap: > >>> >>> > >>> >>> The *meta* backend to *slapd(8) > >>> >>> < > http://docsrv.caldera.com:8457/cgi-bin/man?mansearchword=slapd&mansection=8< > http://docsrv.caldera.com:8457/cgi-bin/man?mansearchword=slapd&mansection=8 > >>* > >>> >>> performs basic LDAP proxying with respect > >>> >>> to a set of remote LDAP servers, called "targets". The > >>> >>> information > >>> >>> contained in these servers can be presented as belonging > >>> >>> to a single > >>> >>> Directory Information Tree (DIT). > >>> >>> > >>> >>> Its possible with FDS ?? 
> >>> >>> > >>> >> FDS has a chaining backend which allows you to use another LDAP > >>> >> server to store the data. > >>> > > >>> > It sounds like the FDS chaining backend is similar to OpenLDAP > >>> > back-ldap and/or the chaining overlay. In OpenLDAP back-ldap > forwards > >>> > a request to one other server (at a time; multiple servers can be > >>> > configured but the others will only be used if the first server > cannot > >>> > be contacted). The back-meta backend is a superset of back-ldap, it > >>> > can fanout single requests to multiple servers in parallel and > >>> > aggregate the results. (There's also attribute mapping and DN > >>> > rewriting, but those capabilities are no longer unique to back-meta, > >>> > having been moved into the rewrite overlay.) With these modules you > >>> > can stitch together a variety of heterogeneous directories into a > >>> > coherent virtual directory. > >>> > > >>> >>> Regards!! > >>> >>> Sergio > >>> >>> > >>> >>> > >>> >>> On Mon, 2006-10-02 at 07:25 -0600, Richard Megginson wrote: > >>> >>>> Sergio Diaz wrote: > >>> >>>>> Hi People, > >>> >>>>> > >>> >>>>> Its Possible Sync only in One Way ? > >>> >>>>> Users Windows AD -> FDS. > >>> >>>> No, not really. > >>> >>>>> Or the other scenario its like OpenLDAP have a Meta Backend (2 > >>> >>>>> LDAPs, 1 AD), its possible with FDS ? > >>> >>>> It's possible. What does the meta backend do? 
> >>> >>>>> > >>> >>>>> Regards, > >>> >>>>> Sergio > >>> > > >>> > > >>> > >>> -- > >>> Fedora-directory-users mailing list > >>> Fedora-directory-users at redhat.com Fedora-directory-users at redhat.com> > >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users > >>> > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Fri Oct 13 13:07:53 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 13 Oct 2006 07:07:53 -0600 Subject: [Fedora-directory-users] FDS and AD In-Reply-To: References: <20061002160005.378F57324C@hormel.redhat.com> <45213D27.6050707@symas.com> <45215695.7000404@worldpub.net> <1159813037.2474.3.camel@oslec> <45216DE8.10507@worldpub.net> <4521706B.50300@redhat.com> Message-ID: <452F8FA9.9000805@redhat.com> Sergio Diaz wrote: > Hi all, > > I successfully connect the AD Back End DB to FDS like Brian Smith, i > disable the nsProxiedAuthorization (comment by Richard Meggison) in > Plugins->Chaining Database->AD (is the name of my Sub Suffix), but i > cant Browse the Directory "Critical Extension unavailable". I don't understand. You can't "Browse" the directory, but you can search Users and Groups? > > - In the Console i can search Users, Groups of my AD and FDS =) Happy!! > > Two Questions: > Its possible to Map the Attributes like: > > map attribute uid sAMAaccountname > map attribute cn name > map attribute mail userprincipalname > map attribute account user No. > > Its possible to Link the Database of the AD only for Read ? 
You might be able to set the Chaining Database to be readonly in its settings. > > I'd like to write a Howto for these settings. > > Regards, > Sergio > > > > > > > On 10/2/06, *Richard Megginson* > wrote: > > It may be that AD doesn't support proxied auth, in which case you > should > tell chaining to disable it. See > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/entry_dist.html#21180 > > for more information - the pertinent attribute is > nsProxiedAuthorization > > Brian Smith wrote: > > All, > > Here's what I've now done to enable the AD back-end DB for a sub > tree: > > 1. Click configuration and select the "dc=domain,dc=com" tree. > > 2. Right click the "dc=domain,dc=com" tree and select "new sub suffix". > > 3. In the New Suffix box, typed "ou=subsuffix1", unchecked "create > > associated database automatically" and clicked OK. > > 4. Open "dc=domain,dc=com", right click > > "ou=subsuffix1,dc=domain,dc=com", and select "new database link". > > 5. Here, I put Database link name "subsuffix1", put the bind > DN and > > password of a domain user account in my AD, and put the domain > > controller IP in the remote server box and clicked save. (I can > > connect to my AD with the DN I provided here) > > 6. Check "enable this suffix" under > ou=subsuffix1,dc=worldpub,dc=corp > > > > Now the subsuffix1 database appears under > ou=subsuffix1,dc=domain,dc=com. > > If I now go to the directory tab and select the directory entry, I > > get "critical extension unavailable", and if I use an LDAP browser > I get > > "list failed" on the main tree. Did I miss a step? If I disable the > > ou=subsuffix1,dc=domain,dc=com suffix I can browse the tree no > > problem. Thanks! > > Brian Smith > > > > > > > > Sergio Diaz wrote: > >> > >> FDS, OpenLDAP and AD > >> > >> One Directory FDS.....I want these directions to... > >> Chaining Backend... 
> >> > >> Regards, > >> Sergio > >> > >> On Mon, 2006-10-02 at 14:12 -0400, Brian Smith wrote: > >>> Hello all, I've been working on getting chaining working with > an active > >>> directory back end for a week now. Has anyone successfully > done this or > >>> have directions on setting this up? > >>> > >>> Brian Smith > >>> > >>> Howard Chu wrote: > >>> > > >>> >> Date: Mon, 02 Oct 2006 10:01:55 -0600 > >>> >> From: Richard Megginson >> > >>> > > >>> >> Sergio Diaz wrote: > >>> >>> Hi Richard; > >>> >>> > >>> >>> Openldap: > >>> >>> > >>> >>> The *meta* backend to *slapd(8) > >>> >>> < > http://docsrv.caldera.com:8457/cgi-bin/man?mansearchword=slapd&mansection=8 > > < > http://docsrv.caldera.com:8457/cgi-bin/man?mansearchword=slapd&mansection=8 > >>* > >>> >>> performs basic LDAP proxying with respect > >>> >>> to a set of remote LDAP > servers, called "targets". The > >>> >>> information > >>> >>> contained in these servers can be presented as > belonging > >>> >>> to a single > >>> >>> Directory Information Tree (DIT). > >>> >>> > >>> >>> Its possible with FDS ?? > >>> >>> > >>> >> FDS has a chaining backend which allows you to use another LDAP > >>> >> server to store the data. > >>> > > >>> > It sounds like the FDS chaining backend is similar to OpenLDAP > >>> > back-ldap and/or the chaining overlay. In OpenLDAP back-ldap > forwards > >>> > a request to one other server (at a time; multiple servers > can be > >>> > configured but the others will only be used if the first > server cannot > >>> > be contacted). The back-meta backend is a superset of > back-ldap, it > >>> > can fanout single requests to multiple servers in parallel and > >>> > aggregate the results. (There's also attribute mapping and DN > >>> > rewriting, but those capabilities are no longer unique to > back-meta, > >>> > having been moved into the rewrite overlay.) 
With these > modules you > >>> > can stitch together a variety of heterogeneous directories > into a > >>> > coherent virtual directory. > >>> > > >>> >>> Regards!! > >>> >>> Sergio > >>> >>> > >>> >>> > >>> >>> On Mon, 2006-10-02 at 07:25 -0600, Richard Megginson wrote: > >>> >>>> Sergio Diaz wrote: > >>> >>>>> Hi People, > >>> >>>>> > >>> >>>>> Its Possible Sync only in One Way ? > >>> >>>>> Users Windows AD -> FDS. > >>> >>>> No, not really. > >>> >>>>> Or the other scenario its like OpenLDAP have a Meta > Backend (2 > >>> >>>>> LDAPs, 1 AD), its possible with FDS ? > >>> >>>> It's possible. What does the meta backend do? > >>> >>>>> > >>> >>>>> Regards, > >>> >>>>> Sergio > >>> > > >>> > > >>> > >>> -- > >>> Fedora-directory-users mailing list > >>> Fedora-directory-users at redhat.com > > > > >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users > >>> > > > ------------------------------------------------------------------------ > > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
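Brian's six console steps above, written out as the two cn=config entries that the command-line route in the Red Hat 7.1 guide Richard links creates. This is an added example for this thread, not text from the list or from the product documentation. The attribute names are the ones that guide uses; the link name ADlink, the sub-suffix ou=subsuffix1,dc=domain,dc=com, the domain controller dc1.ad.example.com, the bind DN cn=fds-proxy,cn=Users,dc=ad,dc=example,dc=com and the password are placeholders to replace with your own:

```ldif
# Added example: a database link (chaining backend) that serves the
# sub-suffix from Active Directory. Names, host, DN and password are
# placeholders. Load as cn=Directory Manager with ldapmodify -a.
dn: cn=ADlink,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: ADlink
nsslapd-suffix: ou=subsuffix1,dc=domain,dc=com
# Prefer ldaps:// once the directory server trusts the domain
# controller's CA: with ldap:// the simple bind below sends the
# password in the clear on every connection to the farm server.
nsfarmserverurl: ldap://dc1.ad.example.com:389/
# Dedicated AD account with read rights only. The server has to recover
# this password to bind, so treat it as a stored secret and give the
# account nothing beyond what the link needs.
nsmultiplexorbinddn: cn=fds-proxy,cn=Users,dc=ad,dc=example,dc=com
nsmultiplexorcredentials: changeme
# By default the link adds a proxied authorization control carrying the
# original client's DN to each chained operation; AD does not support
# that control, so turn it off for this link (the attribute Richard
# points at above).
nsProxiedAuthorization: off

# Mapping tree entry that routes the sub-suffix to the link instead of
# a local ldbm database (Brian's step 3 with "create associated
# database automatically" unchecked, then step 4).
dn: cn="ou=subsuffix1,dc=domain,dc=com",cn=mapping tree,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
cn: ou=subsuffix1,dc=domain,dc=com
nsslapd-state: backend
nsslapd-backend: ADlink
nsslapd-parent-suffix: "dc=domain,dc=com"
```

After loading both entries, an ldapsearch with base ou=subsuffix1,dc=domain,dc=com against the Fedora DS instance should return AD entries. Two consequences of this configuration are worth knowing. With proxied authorization off, every chained operation reaches AD as the multiplexor bind DN, so AD applies that account's rights no matter which Fedora DS user bound; that is also the practical answer to the "read only" question in this thread: give the link an AD account that can read but not write, and writes chained through it fail at AD with insufficient access. And a request control marked critical that AD does not support makes AD refuse the operation with unavailableCriticalExtension (LDAP result code 12), which is the "Critical Extension Unavailable" the console's directory browser shows here. The chaining plugin's global entry cn=config,cn=chaining database,cn=plugins,cn=config lists in nsTransmittedControls the control OIDs the link forwards (ManageDsaIT, 2.16.840.1.113730.3.4.2, is among the defaults), so comparing that list with the supportedControl attribute of the domain controller's root DSE shows which controls a client must not send through the link.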
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From jrussler at helix.nih.gov Fri Oct 13 13:33:06 2006 From: jrussler at helix.nih.gov (Jason Russler) Date: Fri, 13 Oct 2006 09:33:06 -0400 Subject: [Fedora-directory-users] Account lockout In-Reply-To: <452E9B4B.70002@redhat.com> References: <452E8FFC.30404@helix.nih.gov> <452E9B4B.70002@redhat.com> Message-ID: <452F9592.3060709@helix.nih.gov> That's what I want! Thanks. Richard Megginson wrote: > Jason Russler wrote: >> Hi all, I have two FDS 1.0.2 systems in a master/slave set-up (for >> redundancy purposes rather than load) that are for authenticating a >> small number of high-capacity systems (many users). The client >> systems are configured to access the slave system first and fail over >> to the master if the slave is unavailable. Add/modify/delete >> requests posted to the slave (which are frequent) are referred along >> to the master and then replicated back. It all works normally. >> >> The problem is that when the slave server makes an update to itself, >> such as when a user login attempt fails, the appropriate attribute is >> updated (in this case, passwordRetryCount) rather than referred to >> the master - which makes sense I guess. I'd like these updates >> referred to the master because all of my user administration tools >> talk to the master - things like failed login attempts and temporarily >> locked accounts never show up on the master. Is there a way I can do >> this (short of writing plugins) or do I have to work around it? >> Thanks, Jason > I think you'd have to use something like Chain on Update, which allows > the replica to follow the referral to the master itself. 
> http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate > From jo.de.troy at gmail.com Fri Oct 13 13:41:23 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Fri, 13 Oct 2006 15:41:23 +0200 Subject: [Fedora-directory-users] trying to build Message-ID: Hi Rich, I checked out the head version and copied over pw.c and passwd_extop.c to the 1.0.2 tree, but the compilation fails. I also tried to completely build the head tree, but no success. Thanks again, Jo From jo.de.troy at gmail.com Fri Oct 13 13:45:28 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Fri, 13 Oct 2006 15:45:28 +0200 Subject: [Fedora-directory-users] DS Gateway error Message-ID: Hello, I've installed FedoraDS 1.0.2 on RHEL4 and when I connect to the gateway with a browser and try to do a search I get An error occurred while contacting the LDAP server. (Can't connect to the LDAP server) A connection to the server could not be opened. Contact your server administrator for assistance. Any ideas? I looked in /opt/fedora-ds/admin-server/logs/error but besides admserv_host_ip_check : ap_get_remote_host could not resolve I see nothing strange. Via command line I can query the ldapserver Thanks in advance, Jo From rmeggins at redhat.com Fri Oct 13 13:57:24 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 13 Oct 2006 07:57:24 -0600 Subject: [Fedora-directory-users] trying to build In-Reply-To: References: Message-ID: <452F9B44.7020004@redhat.com> Jo De Troy wrote: > Hi Rich, > > I checked out the head version and copied over pw.c and passwd_extop.c > to the 1.0.2 tree, but the compilation fails. Can you post the messages? > I also tried to completely build the head tree, but no success. cvs HEAD is in a state of flux right now. I'm almost done with FDS 1.0.3 - you might try pulling the CVS tag FedoraDirSvr103. 
> > Thanks again, > Jo > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From rmeggins at redhat.com Fri Oct 13 13:58:28 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 13 Oct 2006 07:58:28 -0600 Subject: [Fedora-directory-users] DS Gateway error In-Reply-To: References: Message-ID: <452F9B84.4010403@redhat.com> Jo De Troy wrote: > Hello, > > I've installed FedoraDS 1.0.2 on RHEL4 and when I connect to the > gateway with a browser and try to do a search I get > > An error occurred while contacting the LDAP server. > (Can't connect to the LDAP server) > > A connection to the server could not be opened. Contact your server > administrator for assistance. > > Any ideas? I looked in /opt/fedora-ds/admin-server/logs/error but besides > admserv_host_ip_check > : ap_get_remote_host could not resolve > I see nothing strange. > > Via command line I can query the ldapserver Check the settings in /opt/fedora-ds/clients/dsgw/context/*.conf > > Thanks in advance, > Jo > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From jo.de.troy at gmail.com Fri Oct 13 14:08:29 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Fri, 13 Oct 2006 16:08:29 +0200 Subject: [Fedora-directory-users] trying to build Message-ID: Hi Rich, here's the error message
gmake[3]: Entering directory `/home/ldap/ds102/ldapserver/ldap/servers/slapd'
gmake BUILD_OPT=1 NO_JAVA=1 -f libmakefile -w all
gmake[4]: Entering directory `/home/ldap/ds102/ldapserver/ldap/servers/slapd'
/usr/bin/gcc -c -Wall -DNO_DBM -DLINUX -DLINUX2_2 -DLINUX2_4 -fPIC -D_REENTRANT -DNO_NODELOCK -DNO_LIBLCACHE -DXP_UNIX -DLinux -O2 -DMCC_HTTPD -DNS_DOMESTIC -DNET_SSL -DCLIENT_AUTH -DSERVER_BUILD -DNSPR20 -DNS_DS -DSPAPI20 -DBUILD_NUM=\"2006.286.146\" -DUPGRADEDB -DLINUX -DLINUX2_0 -DLINUX2_2 -DLinux -DLDAP_DEBUG -DLDAP_REFERRALS -DLDAP_LDBM -DLDAP_LDIF -DLDBM_USE_DBBTREE -DSLAPD_PASSWD_SHA1 -DLDAP_SSLIO_HOOKS -D__DBINTERFACE_PRIVATE -DNO_LIBLCACHE -DNS_DIRECTORY -O -I../../../ldap/include -I../../../built/RHEL4_x86_gcc3_OPT.OBJ/include -I../../../../db-4.2.52.NC/built -I. -I../../../lib -fpic -I../../../include -I../../../include -I../../../../mozilla/dist/Linux2.6_x86_glibc_PTH_OPT.OBJ/include -I../../../../mozilla/dist/public/dbm -I../../../../mozilla/dist/public/nss -I../../../../mozilla/dist/public/svrcore -I../../../../mozilla/dist/public/ldap -I/usr/include/sasl pw.c -o ../../../built/RHEL4_x86_gcc3_OPT.OBJ/servers/obj/pw.o
pw.c:1640: error: syntax error before "ber_int_t"
pw.c: In function `slapi_pwpolicy_make_response_control':
pw.c:1641: error: number of arguments doesn't match prototype
slapi-plugin.h:823: error: prototype declaration
pw.c:1670: error: `seconds' undeclared (first use in this function)
pw.c:1670: error: (Each undeclared identifier is reported only once
pw.c:1670: error: for each function it appears in.)
pw.c:1670: error: `logins' undeclared (first use in this function)
pw.c:1682: error: `error' undeclared (first use in this function)
pw.c:1700: error: `pb' undeclared (first use in this function)
gmake[4]: *** [../../../built/RHEL4_x86_gcc3_OPT.OBJ/servers/obj/pw.o] Error 1
gmake[4]: Leaving directory `/home/ldap/ds102/ldapserver/ldap/servers/slapd'
gmake[3]: *** [libslapd] Error 2
gmake[3]: Leaving directory `/home/ldap/ds102/ldapserver/ldap/servers/slapd'
gmake[2]: *** [_slapd] Error 2
gmake[2]: Leaving directory `/home/ldap/ds102/ldapserver/ldap/servers'
gmake[1]: *** [ldapprogs] Error 2
gmake[1]: Leaving directory `/home/ldap/ds102/ldapserver/ldap'
gmake: *** [buildDirectory] Error 2
[root at svr ldapserver]#
From rmeggins at redhat.com Fri Oct 13 14:41:02 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 13 Oct 2006 08:41:02 -0600 Subject: [Fedora-directory-users] trying to build In-Reply-To: References: Message-ID: <452FA57E.7020502@redhat.com> Jo De Troy wrote: > Hi Rich, > > here's the error message > > gmake[3]: Entering directory > `/home/ldap/ds102/ldapserver/ldap/servers/slapd' > gmake BUILD_OPT=1 NO_JAVA=1 -f libmakefile -w all > gmake[4]: Entering directory > `/home/ldap/ds102/ldapserver/ldap/servers/slapd' > /usr/bin/gcc -c -Wall -DNO_DBM -DLINUX -DLINUX2_2 -DLINUX2_4 -fPIC > -D_REENTRANT -DNO_NODELOCK -DNO_LIBLCACHE > -DXP_UNIX -DLinux -O2 -DMCC_HTTPD -DNS_DOMESTIC -D > NET_SSL -DCLIENT_AUTH -DSERVER_BUILD -DNSPR20 -DNS_DS -DSPAPI20 > -DBUILD_NUM=\"2 006.286.146\" -DUPGRADEDB -DLINUX > -DLINUX2_0 -DLINUX2_2 -DLinux -DLDAP_DEBUG > -DLDAP_REFERRALS -DLDAP_LDBM -DLDAP_LDIF -DLDBM_USE_DBBTREE > -DSLAPD_PA SSWD_SHA1 -DLDAP_SSLIO_HOOKS > -D__DBINTERFACE_PRIVATE -DNO_LIBLCACHE -DNS_DIRECT > ORY -O -I../../../ldap/include > -I../../../built/RHEL4_x86_gcc3_OPT.OBJ/include > -I../../../../db-4.2.52.NC/built -I. 
-I../../../lib -fpic > -I../../../include -I ../../../include > -I../../../../mozilla/dist/Linux2.6_x86_glibc_PTH_OPT.OBJ/inclu > de -I../../../../mozilla/dist/public/dbm > -I../../../../mozilla/dist/public/nss - > I../../../../mozilla/dist/public/svrcore > -I../../../../mozilla/dist/public/ldap > -I/usr/include/sasl pw.c -o > ../../../built/RHEL4_x86_gcc3_OPT.OBJ/servers/obj/pw > .o > pw.c:1640: error: syntax error before "ber_int_t" > pw.c: In function `slapi_pwpolicy_make_response_control': > pw.c:1641: error: number of arguments doesn't match prototype > slapi-plugin.h:823: error: prototype declaration > pw.c:1670: error: `seconds' undeclared (first use in this function) > pw.c:1670: error: (Each undeclared identifier is reported only once > pw.c:1670: error: for each function it appears in.) > pw.c:1670: error: `logins' undeclared (first use in this function) > pw.c:1682: error: `error' undeclared (first use in this function) > pw.c:1700: error: `pb' undeclared (first use in this function) > gmake[4]: *** [../../../built/RHEL4_x86_gcc3_OPT.OBJ/servers/obj/pw.o] > Error 1 > gmake[4]: Leaving directory > `/home/ldap/ds102/ldapserver/ldap/servers/slapd' > gmake[3]: *** [libslapd] Error 2 > gmake[3]: Leaving directory > `/home/ldap/ds102/ldapserver/ldap/servers/slapd' > gmake[2]: *** [_slapd] Error 2 > gmake[2]: Leaving directory `/home/ldap/ds102/ldapserver/ldap/servers' > gmake[1]: *** [ldapprogs] Error 2 > gmake[1]: Leaving directory `/home/ldap/ds102/ldapserver/ldap' > gmake: *** [buildDirectory] Error 2 Yep. This version has been ported to use the new Mozilla LDAP C SDK which uses the LDAP "standard" API ber types instead of int, long, etc. You could try to build the new mozldap - http://wiki.mozilla.org/LDAP_C_SDK - but you might be better off checking the CVS revisions for the files you are interested in and using an earlier revision. 
That is, use cvs log on the files in question to figure out which revision contains the fixes you want, then use cvs checkout -r or cvs update -r to grab the revision you want. I apologize that this is such a pain. You've caught us at a bad time. The source code is being reorganized to make it easier to build, which unfortunately makes it harder to build in the old way. We are making progress. If you check fedora-directory-commits or fedora-directory-devel there are lots of beneficial changes going in. > [root at svr ldapserver]# > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From jo.de.troy at gmail.com Fri Oct 13 15:06:27 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Fri, 13 Oct 2006 17:06:27 +0200 Subject: [Fedora-directory-users] trying to build Message-ID: Hi Rich, thanks for helping me out. I finally succeeded in building it with these patches in I needed v1.10 for pw.c and v1.8 for passwd_extop.c Is there an easy way to modify the release the RPM has to eg 1.0.2-2 instead of 1.0.2-1? Thanks again, Jo From rmeggins at redhat.com Fri Oct 13 15:16:38 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 13 Oct 2006 09:16:38 -0600 Subject: [Fedora-directory-users] trying to build In-Reply-To: References: Message-ID: <452FADD6.9020001@redhat.com> Jo De Troy wrote: > Hi Rich, > > thanks for helping me out. I finally succeeded in building it with > these patches in > I needed v1.10 for pw.c and v1.8 for passwd_extop.c > Is there an easy way to modify the release the RPM has to eg 1.0.2-2 > instead of 1.0.2-1? I think you just need to edit ldapserver/ldapserver.spec.tmpl - change the Release: field. 
> > Thanks again, > Jo > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From jo.de.troy at gmail.com Fri Oct 13 15:22:33 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Fri, 13 Oct 2006 17:22:33 +0200 Subject: [Fedora-directory-users] DS Gateway error Message-ID: Hi Rich, what exactly should I be looking at? The lines pointing to the baseurl, location-suffix and dirmgr seem to be correct. The securitypath is pointing to a nonexistent file. Anything else I should check? Thanks again, Jo From rmeggins at redhat.com Fri Oct 13 15:32:04 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 13 Oct 2006 09:32:04 -0600 Subject: [Fedora-directory-users] DS Gateway error In-Reply-To: References: Message-ID: <452FB174.1080400@redhat.com> Jo De Troy wrote: > Hi Rich, > > what exactly should I be looking at? > The lines pointing to the baseurl, location-suffix and dirmgr seem to > be correct. > The securitypath is pointing to a nonexistent file. That all seems to be fine. Where do you get the error? When you try to do a search from the phonebook/gateway? Do any of the other apps work, like orgchart or the Admin Express? > > Anything else I should check? > > Thanks again, > Jo > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From jo.de.troy at gmail.com Fri Oct 13 15:46:08 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Fri, 13 Oct 2006 17:46:08 +0200 Subject: [Fedora-directory-users] DS Gateway error Message-ID: Hi Rich, I get the error when trying to do a search. I get the same error on the Admin Express. Thanks again, Jo From rmeggins at redhat.com Fri Oct 13 16:09:42 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 13 Oct 2006 10:09:42 -0600 Subject: [Fedora-directory-users] DS Gateway error In-Reply-To: References: Message-ID: <452FBA46.7010005@redhat.com> Jo De Troy wrote: > Hi Rich, > > I get the error when trying to do a search. > I get the same error on the Admin Express. Check the ldap related settings in admin-serv/config/adm.conf and shared/config/dbswitch.conf > > Thanks again, > Jo > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From sergio.diaze at gmail.com Fri Oct 13 16:10:57 2006 From: sergio.diaze at gmail.com (Sergio Diaz) Date: Fri, 13 Oct 2006 11:10:57 -0500 Subject: [Fedora-directory-users] FDS and AD In-Reply-To: <452F8FA9.9000805@redhat.com> References: <20061002160005.378F57324C@hormel.redhat.com> <45213D27.6050707@symas.com> <45215695.7000404@worldpub.net> <1159813037.2474.3.camel@oslec> <45216DE8.10507@worldpub.net> <4521706B.50300@redhat.com> <452F8FA9.9000805@redhat.com> Message-ID: On 10/13/06, Richard Megginson wrote: > > Sergio Diaz wrote: > > Hi all, > > > > I successfully connected the AD back-end DB to FDS like Brian Smith; I > > disabled the nsProxiedAuthorization (comment by Richard Megginson) in > > Plugins->Chaining Database->AD (AD is the name of my sub-suffix), but I > > can't browse the directory: "Critical Extension unavailable". > I don't understand. You can't "Browse" the directory, but you can > search Users and Groups? Yes. Look at the screenshots -> SearchAD.png and BrowseCritical.png In the Console I can search Users from AD or FDS. In the Directory Server, in the Directory tab, I can't browse the settings of my domain (Critical Extension Unavailable) Map Attributes No. OK > > > > Is it possible to link the database of the AD only for read? > You might be able to set the Chaining Database to be readonly in its > settings. In which part can I do this? Regards, Sergio > I'd like to write a Howto for these settings. > > > > Regards, > > Sergio > > > > > > > > > > > > > > On 10/2/06, *Richard Megginson* > > wrote: > > > > It may be that AD doesn't support proxied auth, in which case you > > should > > tell chaining to disable it. 
See > > > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/entry_dist.html#21180 > > < > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/entry_dist.html#21180 > > > > for more information - the pertinent attribute is > > nsProxiedAuthorization > > > > Brian Smith wrote: > > > All, > > > Here's what I've now done to enable the AD Back end DB for a sub > > tree: > > > 1. Click configuration and select the "dc=domain,dc=com" tree. > > > 2. Right click "dc=domain,dc=com" tree and select new sub suffix > > > 3. In New Suffix box, typed "ou=subsuffix1" and unchecked create > > > associated database automatically and click OK. > > > 4. Open "dc=domain,dc=com" and right click > > > "ou=subsuffix1,dc=domain,dc=com, and select "new database link. > > > 5. Here, I put Database link name "subsuffix1", put the bind > > dn and > > > password of a domain user account in my AD, and put the domain > > > controller ip in the remote server box and clicked save. (I can > > > connect to my AD with the DN I provided here) > > > 6. Check enable this suffix under > > ou=subsuffix1,dc=worldpub,dc=corp > > > > > > now subsuffix1 database appears under > > ou=subsuffix1,dc=domain,dc=com. > > > If I now go to the directory tab, and select the directory entry, > i > > > get critical extension unavailable and if i use an ldap browser > > i get > > > list failed on the main tree. Did i miss a step? If I disable > the > > > ou=subsuffix1,dc=domain,dc=com suffix i can browse the tree no > > > problem. Thanks! > > > Brian Smith > > > > > > > > > > > > Sergio Diaz wrote: > > >> > > >> FDS, OpenLDAP and AD > > >> > > >> One Directory FDS.....i want this directions to... > > >> Chaining Backend... > > >> > > >> Regards, > > >> Sergio > > >> > > >> On Mon, 2006-10-02 at 14:12 -0400, Brian Smith wrote: > > >>> Hello all, I've been working on getting chaining working with > > an active > > >>> directory back end for a week now. 
Has anyone successfully > > done this or > > >>> have directions on setting this up? > > >>> > > >>> Brian Smith > > >>> > > >>> Howard Chu wrote: > > >>> > > > >>> >> Date: Mon, 02 Oct 2006 10:01:55 -0600 > > >>> >> From: Richard Megginson > > >> > > >>> > > > >>> >> Sergio Diaz wrote: > > >>> >>> Hi Richard; > > >>> >>> > > >>> >>> Openldap: > > >>> >>> > > >>> >>> The *meta* backend to *slapd(8) > > >>> >>> < > > > http://docsrv.caldera.com:8457/cgi-bin/man?mansearchword=slapd&mansection=8 > > < > http://docsrv.caldera.com:8457/cgi-bin/man?mansearchword=slapd&mansection=8 > > > > < > > > http://docsrv.caldera.com:8457/cgi-bin/man?mansearchword=slapd&mansection=8 > > < > http://docsrv.caldera.com:8457/cgi-bin/man?mansearchword=slapd&mansection=8 > >>>* > > >>> >>> performs basic LDAP proxying with respect > > >>> >>> to a set of remote LDAP > > servers, called "targets". The > > >>> >>> information > > >>> >>> contained in these servers can be presented as > > belonging > > >>> >>> to a single > > >>> >>> Directory Information Tree (DIT). > > >>> >>> > > >>> >>> Its possible with FDS ?? > > >>> >>> > > >>> >> FDS has a chaining backend which allows you to use another > LDAP > > >>> >> server to store the data. > > >>> > > > >>> > It sounds like the FDS chaining backend is similar to OpenLDAP > > >>> > back-ldap and/or the chaining overlay. In OpenLDAP back-ldap > > forwards > > >>> > a request to one other server (at a time; multiple servers > > can be > > >>> > configured but the others will only be used if the first > > server cannot > > >>> > be contacted). The back-meta backend is a superset of > > back-ldap, it > > >>> > can fanout single requests to multiple servers in parallel and > > >>> > aggregate the results. (There's also attribute mapping and DN > > >>> > rewriting, but those capabilities are no longer unique to > > back-meta, > > >>> > having been moved into the rewrite overlay.) 
With these > > modules you > > >>> > can stitch together a variety of heterogeneous directories > > into a > > >>> > coherent virtual directory. > > >>> > > > >>> >>> Regards!! > > >>> >>> Sergio > > >>> >>> > > >>> >>> > > >>> >>> On Mon, 2006-10-02 at 07:25 -0600, Richard Megginson wrote: > > >>> >>>> Sergio Diaz wrote: > > >>> >>>>> Hi People, > > >>> >>>>> > > >>> >>>>> Its Possible Sync only in One Way ? > > >>> >>>>> Users Windows AD -> FDS. > > >>> >>>> No, not really. > > >>> >>>>> Or the other scenario its like OpenLDAP have a Meta > > Backend (2 > > >>> >>>>> LDAPs, 1 AD), its possible with FDS ? > > >>> >>>> It's possible. What does the meta backend do? > > >>> >>>>> > > >>> >>>>> Regards, > > >>> >>>>> Sergio > > >>> > > > >>> > > > >>> > > >>> -- > > >>> Fedora-directory-users mailing list > > >>> Fedora-directory-users at redhat.com > > > > > > > > >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users > > >>> > > > > > > ------------------------------------------------------------------------ > > > > > > > > -- > > > Fedora-directory-users mailing list > > > Fedora-directory-users at redhat.com > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: SearchAD.png Type: image/png Size: 90003 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: BrowseCritical.png Type: image/png Size: 146245 bytes Desc: not available URL: From rmeggins at redhat.com Fri Oct 13 16:27:49 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 13 Oct 2006 10:27:49 -0600 Subject: [Fedora-directory-users] FDS and AD In-Reply-To: References: <20061002160005.378F57324C@hormel.redhat.com> <45213D27.6050707@symas.com> <45215695.7000404@worldpub.net> <1159813037.2474.3.camel@oslec> <45216DE8.10507@worldpub.net> <4521706B.50300@redhat.com> <452F8FA9.9000805@redhat.com> Message-ID: <452FBE85.10402@redhat.com> Sergio Diaz wrote: > On 10/13/06, *Richard Megginson* > wrote: > > Sergio Diaz wrote: > > Hi all, > > > > I successfully connected the AD back-end DB to FDS like Brian > Smith; I > > disabled the nsProxiedAuthorization (comment by Richard Megginson) in > > Plugins->Chaining Database->AD (AD is the name of my sub-suffix), > but I > > can't browse the directory: "Critical Extension unavailable". > I don't understand. You can't "Browse" the directory, but you can > search Users and Groups? > > > Yes. Look at the screenshots -> SearchAD.png and BrowseCritical.png > In the Console I can search Users from AD or FDS. > In the Directory Server, in the Directory tab, I can't browse the settings of > my domain (Critical Extension Unavailable) I see. The browser uses lots of tricks to make the display look correct - manage DSA IT, sorting, VLV. I'm not sure which of these AD is complaining about. You might try to first disable manage DSA IT. Go to the View menu and make sure Sort and Follow Referrals are unchecked. Then again, it may be that there is so much Fedora DS specific stuff in the console directory browser that you may not be able to use it with AD. > > Map Attributes No. > OK > > > > > > Is it possible to link the database of the AD only for read? 
> You might be able to set the Chaining Database to be readonly in its > settings. > > > In wich part i can do this ? > > > Regards, > Sergio > > > I like to write a Howto for this settings. > > > > Regards, > > Sergio > > > > > > > > > > > > > > On 10/2/06, *Richard Megginson* > > >> wrote: > > > > It may be that AD doesn't support proxied auth, in which > case you > > should > > tell chaining to disable it. See > > > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/entry_dist.html#21180 > > < > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/entry_dist.html#21180> > > for more information - the pertinent attribute is > > nsProxiedAuthorization > > > > Brian Smith wrote: > > > All, > > > Here's what I've now done to enable the AD Back end DB for > a sub > > tree: > > > 1. Click configuration and select the "dc=domain,dc=com" > tree. > > > 2. Right click "dc=domain,dc=com" tree and select new > sub suffix > > > 3. In New Suffix box, typed "ou=subsuffix1" and > unchecked create > > > associated database automatically and click OK. > > > 4. Open "dc=domain,dc=com" and right click > > > "ou=subsuffix1,dc=domain,dc=com, and select "new database > link. > > > 5. Here, I put Database link name "subsuffix1", put the bind > > dn and > > > password of a domain user account in my AD, and put the > domain > > > controller ip in the remote server box and clicked save. > (I can > > > connect to my AD with the DN I provided here) > > > 6. Check enable this suffix under > > ou=subsuffix1,dc=worldpub,dc=corp > > > > > > now subsuffix1 database appears under > > ou=subsuffix1,dc=domain,dc=com. > > > If I now go to the directory tab, and select the directory > entry, i > > > get critical extension unavailable and if i use an ldap > browser > > i get > > > list failed on the main tree. Did i miss a step? If I > disable the > > > ou=subsuffix1,dc=domain,dc=com suffix i can browse the tree no > > > problem. Thanks! 
> > > Brian Smith > > > > > > > > > > > > Sergio Diaz wrote: > > >> > > >> FDS, OpenLDAP and AD > > >> > > >> One Directory FDS.....i want this directions to... > > >> Chaining Backend... > > >> > > >> Regards, > > >> Sergio > > >> > > >> On Mon, 2006-10-02 at 14:12 -0400, Brian Smith wrote: > > >>> Hello all, I've been working on getting chaining working > with > > an active > > >>> directory back end for a week now. Has anyone successfully > > done this or > > >>> have directions on setting this up? > > >>> > > >>> Brian Smith > > >>> > > >>> Howard Chu wrote: > > >>> > > > >>> >> Date: Mon, 02 Oct 2006 10:01:55 -0600 > > >>> >> From: Richard Megginson < rmeggins at redhat.com > > > > > > > >>> > > >>> > > > >>> >> Sergio Diaz wrote: > > >>> >>> Hi Richard; > > >>> >>> > > >>> >>> Openldap: > > >>> >>> > > >>> >>> The *meta* backend to *slapd(8) > > >>> >>> < > > > http://docsrv.caldera.com:8457/cgi-bin/man?mansearchword=slapd&mansection=8 > > > < > http://docsrv.caldera.com:8457/cgi-bin/man?mansearchword=slapd&mansection=8 > > > > < > > > http://docsrv.caldera.com:8457/cgi-bin/man?mansearchword=slapd&mansection=8 > > > > >>>* > > >>> >>> performs basic LDAP proxying with respect > > >>> >>> to a set of remote LDAP > > servers, called "targets". The > > >>> >>> information > > >>> >>> contained in these servers can be > presented as > > belonging > > >>> >>> to a single > > >>> >>> Directory Information Tree (DIT). > > >>> >>> > > >>> >>> Its possible with FDS ?? > > >>> >>> > > >>> >> FDS has a chaining backend which allows you to use > another LDAP > > >>> >> server to store the data. > > >>> > > > >>> > It sounds like the FDS chaining backend is similar to > OpenLDAP > > >>> > back-ldap and/or the chaining overlay. In OpenLDAP > back-ldap > > forwards > > >>> > a request to one other server (at a time; multiple > servers > > can be > > >>> > configured but the others will only be used if the first > > server cannot > > >>> > be contacted). 
The back-meta backend is a superset of > > back-ldap, it > > >>> > can fanout single requests to multiple servers in > parallel and > > >>> > aggregate the results. (There's also attribute mapping > and DN > > >>> > rewriting, but those capabilities are no longer unique to > > back-meta, > > >>> > having been moved into the rewrite overlay.) With these > > modules you > > >>> > can stitch together a variety of heterogeneous > directories > > into a > > >>> > coherent virtual directory. > > >>> > > > >>> >>> Regards!! > > >>> >>> Sergio > > >>> >>> > > >>> >>> > > >>> >>> On Mon, 2006-10-02 at 07:25 -0600, Richard Megginson > wrote: > > >>> >>>> Sergio Diaz wrote: > > >>> >>>>> Hi People, > > >>> >>>>> > > >>> >>>>> Its Possible Sync only in One Way ? > > >>> >>>>> Users Windows AD -> FDS. > > >>> >>>> No, not really. > > >>> >>>>> Or the other scenario its like OpenLDAP have a Meta > > Backend (2 > > >>> >>>>> LDAPs, 1 AD), its possible with FDS ? > > >>> >>>> It's possible. What does the meta backend do? 
> > >>> >>>>> Regards,
> > >>> >>>>> Sergio
> > >>> --
> > >>> Fedora-directory-users mailing list
> > >>> Fedora-directory-users at redhat.com
> > >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From jo.de.troy at gmail.com Mon Oct 16 13:03:38 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Mon, 16 Oct 2006 15:03:38 +0200
Subject: [Fedora-directory-users] DS Gateway error
Message-ID:

Hi Rich,

I checked these, I see nothing strange.
I enabled debug logging in httpd.conf The setup is not totally default eg it runs as ldap user and not as nobody The admin domain is 1 level above of the actual domain of the server. Any idea what could be causing this error? [Mon Oct 16 15:01:06 2006] [notice] [client 10.131.238.21] admserv_host_ip_check: ap_get_remote_host could not resolve 10.131.238.21 [Mon Oct 16 15:01:06 2006] [debug] mod_admserv.c(2518): [client 10.131.238.21] checking user cache for: uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot [Mon Oct 16 15:01:06 2006] [debug] mod_admserv.c(2521): [client 10.131.238.21] user found in cache uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot [Mon Oct 16 15:01:06 2006] [debug] mod_admserv.c(1480): [client 10.131.238.21] admserv_check_authz: request for uri [/admin-serv/tasks/operation/StatusPing] [Mon Oct 16 15:01:06 2006] [debug] mod_admserv.c(1692): [client 10.131.238.21] admserv_check_authz: uri [tasks/operation/StatusPing] did not begin with [commands/] - not a command [Mon Oct 16 15:01:06 2006] [debug] mod_admserv.c(1741): [client 10.131.238.21] admserv_check_authz: execute CGI [/opt/fedora-ds/bin/admin/admin/bin/statusping] args [(null)] [Mon Oct 16 15:01:21 2006] [notice] [client 10.131.238.21] admserv_host_ip_check: ap_get_remote_host could not resolve 10.131.238.21 [Mon Oct 16 15:01:21 2006] [debug] mod_admserv.c(2518): [client 10.131.238.21] checking user cache for: uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot [Mon Oct 16 15:01:21 2006] [debug] mod_admserv.c(2521): [client 10.131.238.21] user found in cache uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot [Mon Oct 16 15:01:21 2006] [debug] mod_admserv.c(1480): [client 10.131.238.21] admserv_check_authz: request for uri [/admin-serv/tasks/operation/StatusPing] [Mon Oct 16 15:01:21 2006] [debug] mod_admserv.c(1692): [client 10.131.238.21] admserv_check_authz: uri [tasks/operation/StatusPing] did not begin with 
[commands/] - not a command [Mon Oct 16 15:01:21 2006] [debug] mod_admserv.c(1741): [client 10.131.238.21] admserv_check_authz: execute CGI [/opt/fedora-ds/bin/admin/admin/bin/statusping Thanks again, Jo From rmeggins at redhat.com Mon Oct 16 14:22:38 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 16 Oct 2006 08:22:38 -0600 Subject: [Fedora-directory-users] DS Gateway error In-Reply-To: References: Message-ID: <453395AE.6010102@redhat.com> Jo De Troy wrote: > Hi Rich, > > I checked these, I see nothing strange. > I enabled debug logging in httpd.conf > > The setup is not totally default eg it runs as ldap user and not as > nobody > The admin domain is 1 level above of the actual domain of the server. > Any idea what could be causing this error? The log entries below are benign or informational. Look at your ldap server access log - see if there are any connection or bind attempts from the phonebook/gateway app. I think something is mis-configured, but I'm not sure where. I thought the only dsgw configuration was in clients/dsgw/context/*.conf. But you have confirmed that all of those files are configured correctly. Next, look at admin-serv/config/adm.conf and shared/config/dbswitch.conf to make sure those are also correctly configured. Also look at admin-serv/config/local.conf, but you cannot edit that file directly, you'll have to edit the information in LDAP. 
> > [Mon Oct 16 15:01:06 2006] [notice] [client 10.131.238.21] > admserv_host_ip_check: ap_get_remote_host could not resolve > 10.131.238.21 > [Mon Oct 16 15:01:06 2006] [debug] mod_admserv.c(2518): [client > 10.131.238.21] checking user cache for: uid=admin, ou=Administrators, > ou=TopologyManagement, o=NetscapeRoot > [Mon Oct 16 15:01:06 2006] [debug] mod_admserv.c(2521): [client > 10.131.238.21] user found in cache uid=admin, ou=Administrators, > ou=TopologyManagement, o=NetscapeRoot > [Mon Oct 16 15:01:06 2006] [debug] mod_admserv.c(1480): [client > 10.131.238.21] admserv_check_authz: request for uri > [/admin-serv/tasks/operation/StatusPing] > [Mon Oct 16 15:01:06 2006] [debug] mod_admserv.c(1692): [client > 10.131.238.21] admserv_check_authz: uri [tasks/operation/StatusPing] > did not begin with [commands/] - not a command > [Mon Oct 16 15:01:06 2006] [debug] mod_admserv.c(1741): [client > 10.131.238.21] admserv_check_authz: execute CGI > [/opt/fedora-ds/bin/admin/admin/bin/statusping] args [(null)] > [Mon Oct 16 15:01:21 2006] [notice] [client 10.131.238.21] > admserv_host_ip_check: ap_get_remote_host could not resolve > 10.131.238.21 > [Mon Oct 16 15:01:21 2006] [debug] mod_admserv.c(2518): [client > 10.131.238.21] checking user cache for: uid=admin, ou=Administrators, > ou=TopologyManagement, o=NetscapeRoot > [Mon Oct 16 15:01:21 2006] [debug] mod_admserv.c(2521): [client > 10.131.238.21] user found in cache uid=admin, ou=Administrators, > ou=TopologyManagement, o=NetscapeRoot > [Mon Oct 16 15:01:21 2006] [debug] mod_admserv.c(1480): [client > 10.131.238.21] admserv_check_authz: request for uri > [/admin-serv/tasks/operation/StatusPing] > [Mon Oct 16 15:01:21 2006] [debug] mod_admserv.c(1692): [client > 10.131.238.21] admserv_check_authz: uri [tasks/operation/StatusPing] > did not begin with [commands/] - not a command > [Mon Oct 16 15:01:21 2006] [debug] mod_admserv.c(1741): [client > 10.131.238.21] admserv_check_authz: execute CGI > 
[/opt/fedora-ds/bin/admin/admin/bin/statusping > > Thanks again, > Jo > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From jo.de.troy at gmail.com Mon Oct 16 14:56:47 2006 From: jo.de.troy at gmail.com (Jo De Troy) Date: Mon, 16 Oct 2006 16:56:47 +0200 Subject: [Fedora-directory-users] DS Gateway error Message-ID: Hi Rich, I found the issue. It's resolved now, the host was sitting in another DNS domain and that domain was still in the config files. Thanks again, Jo From rmeggins at redhat.com Mon Oct 16 19:57:34 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 16 Oct 2006 13:57:34 -0600 Subject: [Fedora-directory-users] Help beta test Fedora DS 1.0.3 Message-ID: <4533E42E.3000404@redhat.com> If you are interested in beta testing 1.0.3, contact me off list. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From jamsda_1 at yahoo.com Mon Oct 16 22:15:13 2006 From: jamsda_1 at yahoo.com (jamsda) Date: Mon, 16 Oct 2006 15:15:13 -0700 (PDT) Subject: [Fedora-directory-users] Command-line Consumer Initialization In-Reply-To: <452D2326.5060503@sci.fi> Message-ID: <20061016221513.36838.qmail@web50909.mail.yahoo.com> Hi Mike, Thanks for the responses. You mentioned earlier in the thread I could use mmr.pl to initialize (only) a consumer. I don't see that option with the tool; only "create", "remove" and "display". I noticed the create function calls three other functions, "config_supplier", "add_rep_agreement", and then "initialize". If I want to initialize only, do I need to re-create the agreements? 
I tried modifying it to have an --init option with only the "initialize($host1, $host2)" function being called, but kept getting the mmr usage, and wasn't sure if it's possible to do an initialize only.

Thanks,
Jim

--- Mike Jackson wrote:
> Gordon Messmer wrote:
> > Chris St. Pierre wrote:
> >> You'll want to set up two-way replication agreements between each pair
> >> of hosts in your setup. So if you had A, B, C, and D, you'd set up
> >> agreements between A-B, A-C, A-D, B-C, B-D, and C-D.
> >
> > The documentation contradicts you. Look at the second figure in the
> > "Multi-Master Replication" section of the admin manual (hard to see),
> > and the section "Configuring 4-Way Multi-Master Replication" several
> > pages below it:
> > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/replicat.html#1101818
> >
> > The admin manual suggests a ring topology (and two agreements per set of
> > peers) for multi-master agreements. You should have agreements between
> > A->B, A->D, B->A, B->C, C->B, C->D, D->C, and D->A.
>
> Ring-topology survives 1 server failure, but not two. You need to
> understand your high-availability requirements to decide which is right
> for you.
>
> Full-mesh replication supports 2 servers failing at the same time, but
> increases replication traffic.
>
> Minimum level of agreements for 4-way MMR:
> 1 <-> 2
> 1 <-> 3
> 2 <-> 4
>
> Maximum level of agreements (full-mesh) for 4-way MMR (each machine
> replicates to 3 targets):
> 1 <-> 2
> 1 <-> 3
> 1 <-> 4
> 2 <-> 3
> 2 <-> 4
> 3 <-> 4
>
> Again, it's much easier to visualize when you draw numbered boxes on
> paper and connect the dots :-)
>
> The systems I design require high-availability for writes, so I use
> full-mesh MMR.
>
> --
> mike
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From blaze at elewise.com Tue Oct 17 05:42:57 2006
From: blaze at elewise.com (Pavel 'Blaze' Vinogradov)
Date: Tue, 17 Oct 2006 10:42:57 +0500
Subject: [Fedora-directory-users] Ldap api for moving entries
Message-ID: <45346D61.9040607@elewise.com>

Hello,

I am writing an LdapManager in Java, using FDS 1.0.2 as the LDAP server and the Novell jLDAP library to talk to it. Everything works well except moving entries. I try to send an LdapModifyDNRequest to the server, but get this answer:

Error: LDAPException: Unwilling To Perform (53) Unwilling To Perform
LDAPException: Server Message: server does not support moving of entries
LDAPException: Matched DN:

I can't find any information about moving entries in FDS. Can you help me with this question?

From rmeggins at redhat.com Tue Oct 17 13:51:54 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 17 Oct 2006 07:51:54 -0600
Subject: [Fedora-directory-users] Ldap api for moving entries
In-Reply-To: <45346D61.9040607@elewise.com>
References: <45346D61.9040607@elewise.com>
Message-ID: <4534DFFA.1020308@redhat.com>

Pavel 'Blaze' Vinogradov wrote:
> Hello,
>
> I am writing an LdapManager in Java, using FDS 1.0.2 as the LDAP server and
> the Novell jLDAP library to talk to it. Everything works well except moving
> entries. I try to send an LdapModifyDNRequest to the server, but get this answer:
>
> Error: LDAPException: Unwilling To Perform (53) Unwilling To Perform
> LDAPException: Server Message: server does not support moving of entries
> LDAPException: Matched DN:
>
> I can't find any information about moving entries in FDS. Can you help me
> with this question?
ModifyDN with new superior is not supported by Fedora DS.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From GCopeland at efjohnson.com Wed Oct 18 17:11:36 2006
From: GCopeland at efjohnson.com (Greg Copeland)
Date: Wed, 18 Oct 2006 12:11:36 -0500
Subject: [Fedora-directory-users] Root changing user password
Message-ID: <273A72C669F45B4996896A031B88CCEF2E08D1@EFJDFWMX01.EFJDFW.local>

I've quickly checked the archive and I can find people having trouble with users changing their own password but not the other way around. Here, users can change their own password without issue but root fails. What do I need to do to allow root, using the passwd command on RHES 4, to change user passwords?

I've tried setting rootbinddn in my /etc/ldap.conf file. Without an /etc/ldap.secret file, I observe an error in my logs, complaining about the missing ldap.secret file. When I create it, the error goes away but the passwd command still fails with, "passwd: Authentication token manipulation error". In the logs I can observe, "passwd[23689]: pam_ldap: error trying to bind (Invalid credentials)." I've tried placing the admin password in cleartext, and base64 in the ldap.secret file.

Frankly, I'd rather root be prompted for the LDAP admin password than the password be stored in a file anyway. Is this possible?

Best Regards,
Greg Copeland
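Greg's question above turns on the rootbinddn / ldap.secret mechanism pam_ldap uses when root changes another user's password. The following is an added example, not code from the thread or from pam_ldap, that checks the prerequisites that mechanism depends on (rootbinddn present, the secret file present, root-owned, mode 0600, and holding one cleartext line); the ldap.conf / ldap.secret pair it reads is constructed in a temporary directory, and the DN and password values in it are made up.

```python
"""Sanity-check the rootbinddn / ldap.secret setup pam_ldap relies on.

Added example, not code from the thread or from pam_ldap.  Sample config
files are constructed in a temp directory so it runs unprivileged."""
import os
import stat
import tempfile


def parse_ldap_conf(text):
    """Return {keyword: value} for 'keyword value' lines, skipping comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            # keywords are case-insensitive; values (DNs) keep their case
            conf[parts[0].lower()] = parts[1].strip()
    return conf


def check_root_bind(conf_path, secret_path, expect_uid=0):
    """Return a list of problems; an empty list means the setup looks usable.
    expect_uid is the uid that must own the secret file (root on a real
    host; overridable so the demo can run as an ordinary user)."""
    problems = []
    with open(conf_path) as f:
        conf = parse_ldap_conf(f.read())

    rootbinddn = conf.get('rootbinddn')
    if not rootbinddn:
        problems.append('rootbinddn not set in %s' % conf_path)
        return problems

    if not os.path.isfile(secret_path):
        # this is the "missing ldap.secret" error Greg saw in his logs
        problems.append('%s missing: no password for %s' % (secret_path, rootbinddn))
        return problems

    st = os.stat(secret_path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        # the file holds the directory admin password in cleartext
        problems.append('%s has mode %04o; must be 0600' % (secret_path, mode))
    if st.st_uid != expect_uid:
        problems.append('%s is not owned by uid %d' % (secret_path, expect_uid))

    with open(secret_path, 'rb') as f:
        lines = [l for l in f.read().splitlines() if l.strip()]
    if not lines:
        problems.append('%s is empty' % secret_path)
    elif len(lines) > 1:
        problems.append('%s has %d lines; it must hold only the cleartext password'
                        % (secret_path, len(lines)))
    return problems


def build_sample(tmpdir, secret_mode=0o600, secret_text=b'made-up-password\n',
                 with_rootbinddn=True):
    """Construct an ldap.conf / ldap.secret pair (values are made up)."""
    conf_path = os.path.join(tmpdir, 'ldap.conf')
    secret_path = os.path.join(tmpdir, 'ldap.secret')
    lines = ['base dc=example,dc=com', 'uri ldap://ldap.example.com/']
    if with_rootbinddn:
        lines.append('rootbinddn cn=Directory Manager')
    with open(conf_path, 'w') as f:
        f.write('\n'.join(lines) + '\n')
    with open(secret_path, 'wb') as f:
        f.write(secret_text)
    os.chmod(secret_path, secret_mode)
    return conf_path, secret_path


def demo():
    """Run the check against a good sample and three broken ones."""
    uid = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        results['good'] = check_root_bind(*build_sample(d), expect_uid=uid)
        results['loose'] = check_root_bind(*build_sample(d, secret_mode=0o644),
                                           expect_uid=uid)
        results['no_rootbinddn'] = check_root_bind(
            *build_sample(d, with_rootbinddn=False), expect_uid=uid)
        results['multiline'] = check_root_bind(
            *build_sample(d, secret_text=b'pw\nextra\n'), expect_uid=uid)
    return results


if __name__ == '__main__':
    for name, probs in demo().items():
        print(name, '->', probs or 'OK')
```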
From oliver.hookins at anchor.com.au Sun Oct 15 10:44:44 2006
From: oliver.hookins at anchor.com.au (Oliver Hookins)
Date: Sun, 15 Oct 2006 20:44:44 +1000
Subject: [Fedora-directory-users] RPM/SRPM issues and old RHEL
In-Reply-To: <452533B6.2010301@redhat.com>
References: <44AB1627.8050906@anchor.com.au> <44AE7968.5020809@redhat.com> <20061005092941.GB32078@captain.bridge.anchor.net.au> <45250F55.6080505@redhat.com> <1160065017.2117.16.camel@wzowski.duraflex-politex.com> <452533B6.2010301@redhat.com>
Message-ID: <20061015104444.GA15307@captain.bridge.anchor.net.au>

On Thu Oct 05, 2006 at 10:32:54 -0600, Richard Megginson wrote:
> We have proposed this to the Fedora DS community. There has been much,
> much heated debate on both sides of this issue. Some people vehemently
> oppose FHS package, some welcome and encourage it. The Fedora DS
> developers are still trying to figure out a way to do what's right for
> the community. We can certainly make it easy to build your own package
> from source using either FHS or self-contained style packaging. The
> real problem is that it is very difficult to provide binary packages and
> documentation for both formats . . .

OK well aside from this issue, has anyone got FDS running on RHEL 2.1?

--
Regards,
Oliver Hookins
Anchor Systems

From sigidwu at gmail.com Thu Oct 19 01:15:57 2006
From: sigidwu at gmail.com (sigid@JINLab)
Date: Thu, 19 Oct 2006 08:15:57 +0700
Subject: [Fedora-directory-users] fdsgraph: an rrdtool-based graphing utility for FDS
In-Reply-To:
References: <20061004162205.29897.qmail@web34112.mail.mud.yahoo.com> <45242C16.2070107@redhat.com> <45250DF3.7060100@redhat.com> <45252182.8020508@redhat.com> <45254D6D.1040605@redhat.com>
Message-ID: <4536D1CD.2040006@gmail.com>

Chris St. Pierre wrote:
> If any of you are familiar with mailgraph for Postfix-based mail
> servers, I've created something similar for Fedora DS.
> fdsgraph tails the access log and creates rrdtool-based graphs of the
> number of connections and operations, organized by connection security
> and op type respectively. You can see some screenshots and find the
> tarball at:
>
> http://www.nebrwesleyan.edu/people/stpierre/fdsgraph/fdsgraph.html

I've tried your tool, but I'm getting an error when starting the fdsgraph service.

======================
[root at jstsvr fdsgraph]# service fdsgraph start
Starting fdsgraph
Can't locate File/Tail.pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8 .) at /usr/local/bin/fdsgraph.pl line 189.
BEGIN failed--compilation aborted at /usr/local/bin/fdsgraph.pl line 189.
=========================

Is there any package that I should install?
sigid

From pbruna at it-linux.cl Thu Oct 19 11:18:22 2006
From: pbruna at it-linux.cl (Patricio Bruna V.)
Date: Thu, 19 Oct 2006 08:18:22 -0300
Subject: [Fedora-directory-users] fdsgraph: an rrdtool-based graphing utility for FDS
In-Reply-To: <4536D1CD.2040006@gmail.com>
References: <20061004162205.29897.qmail@web34112.mail.mud.yahoo.com> <45242C16.2070107@redhat.com> <45250DF3.7060100@redhat.com> <45252182.8020508@redhat.com> <45254D6D.1040605@redhat.com> <4536D1CD.2040006@gmail.com>
Message-ID: <45375EFE.7050708@it-linux.cl>

sigid at JINLab wrote:
> Chris St. Pierre wrote:
>
>> If any of you are familiar with mailgraph for Postfix-based mail
>> servers, I've created something similar for Fedora DS. fdsgraph tails
>> the access log and creates rrdtool-based graphs of the number of
>> connections and operations, organized by connection security and op
>> type respectively. You can see some screenshots and find the tarball
>> at:
>>
>> http://www.nebrwesleyan.edu/people/stpierre/fdsgraph/fdsgraph.html
>>
> I've tried your tool, but I'm getting an error when starting the fdsgraph
> service.
> ======================
> [root at jstsvr fdsgraph]# service fdsgraph start
> Starting fdsgraph
> Can't locate File/Tail.pm in @INC (@INC contains:
> /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi
> /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi
> /usr/lib/perl5/5.8.8 .) at /usr/local/bin/fdsgraph.pl line 189.
> BEGIN failed--compilation aborted at /usr/local/bin/fdsgraph.pl line 189.
> =========================
>
> Is there any package that I should install?
>
What about perl-File-Tail?
From cairc at glennies.com.au Thu Oct 19 06:58:41 2006 From: cairc at glennies.com.au (cj) Date: Thu, 19 Oct 2006 16:58:41 +1000 Subject: [Fedora-directory-users] (no subject) Message-ID: <005601c6f34c$030b63e0$f0c8a8c0@summit> Hi all I have just install Fedora 5 and installed Fedora Directory Server 1.0.2-1 and samba 3.0.21b-2 I went through the instruction on the provided link below http://directory.fedora.redhat.com/wiki/Howto:Samba When it came to net groupmap add rid=512 ntgroup='Domain Admins' unixgroup='Domain Admins' I get the following error Can't lookup UNIX group Domain Admins Below is the net groupmap add rid=512 ntgroup='Domain Admins' unixgroup='Domain Admins' -d 4 command [2006/10/19 16:58:04, 3] param/loadparm.c:lp_load(4211) lp_load: refreshing parameters [2006/10/19 16:58:04, 3] param/loadparm.c:init_globals(1385) Initialising global parameters [2006/10/19 16:58:04, 3] param/params.c:pm_process(574) params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf" [2006/10/19 16:58:04, 3] param/loadparm.c:do_section(3666) Processing section "[global]" doing parameter workgroup = GLENNIES doing parameter security = user doing parameter passdb backend = ldapsam:ldap://ldapserver.glennies.com.au doing parameter ldap admin dn = cn=Directory Manager doing parameter ldap suffix = dc=glennies,dc=com,dc=au doing parameter ldap user suffix = ou=People doing parameter ldap machine suffix = ou=Computers doing parameter ldap group suffix = ou=Groups doing parameter add group script = /usr/sbin/groupadd %g doing parameter log file = /var/log/%m.log doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 doing parameter os level = 33 doing parameter domain logons = yes doing parameter domain master = yes doing parameter local master = yes doing parameter preferred master = yes doing parameter wins support = yes doing parameter logon home = \\%L\%u\profiles doing parameter logon path = \\%L\profiles\%u doing parameter logon drive = 
H: doing parameter template shell = /bin/false doing parameter winbind use default domain = no [2006/10/19 16:58:04, 4] param/loadparm.c:lp_load(4242) pm_process() returned Yes [2006/10/19 16:58:04, 2] lib/interface.c:add_interface(81) added interface ip=192.168.200.150 bcast=192.168.200.255 nmask=255.255.255.0 Can't lookup UNIX group Domain Admins [2006/10/19 16:58:04, 2] utils/net.c:main(878) return code = -1 If I add Domain Admins to the file /etc/group I get the following error adding entry for group Domain Admins failed! Below is the net groupmap add rid=512 ntgroup='Domain Admins' unixgroup='Domain Admins' -d 4 command [2006/10/19 16:56:26, 3] param/loadparm.c:lp_load(4211) lp_load: refreshing parameters [2006/10/19 16:56:26, 3] param/loadparm.c:init_globals(1385) Initialising global parameters [2006/10/19 16:56:26, 3] param/params.c:pm_process(574) params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf" [2006/10/19 16:56:26, 3] param/loadparm.c:do_section(3666) Processing section "[global]" doing parameter workgroup = GLENNIES doing parameter security = user doing parameter passdb backend = ldapsam:ldap://ldapserver.glennies.com.au doing parameter ldap admin dn = cn=Directory Manager doing parameter ldap suffix = dc=glennies,dc=com,dc=au doing parameter ldap user suffix = ou=People doing parameter ldap machine suffix = ou=Computers doing parameter ldap group suffix = ou=Groups doing parameter add group script = /usr/sbin/groupadd %g doing parameter log file = /var/log/%m.log doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 doing parameter os level = 33 doing parameter domain logons = yes doing parameter domain master = yes doing parameter local master = yes doing parameter preferred master = yes doing parameter wins support = yes doing parameter logon home = \\%L\%u\profiles doing parameter logon path = \\%L\profiles\%u doing parameter logon drive = H: doing parameter template shell = /bin/false doing parameter 
winbind use default domain = no [2006/10/19 16:56:26, 4] param/loadparm.c:lp_load(4242) pm_process() returned Yes [2006/10/19 16:56:26, 2] lib/interface.c:add_interface(81) added interface ip=192.168.200.150 bcast=192.168.200.255 nmask=255.255.255.0 [2006/10/19 16:56:26, 2] lib/smbldap_util.c:smbldap_search_domain_info(228) Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=GLENNIES))] [2006/10/19 16:56:26, 2] lib/smbldap.c:smbldap_open_connection(722) smbldap_open_connection: connection opened [2006/10/19 16:56:26, 3] lib/smbldap.c:smbldap_connect_system(905) ldap_connect_system: succesful connection to the LDAP server [2006/10/19 16:56:26, 4] lib/smbldap.c:smbldap_open(969) The LDAP server is succesfully connected [2006/10/19 16:56:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2305) ldapsam_getgroup: Did not find group [2006/10/19 16:56:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2305) ldapsam_getgroup: Did not find group [2006/10/19 16:56:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2305) ldapsam_getgroup: Did not find group [2006/10/19 16:56:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2305) ldapsam_getgroup: Did not find group [2006/10/19 16:56:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2305) ldapsam_getgroup: Did not find group [2006/10/19 16:56:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2305) ldapsam_getgroup: Did not find group [2006/10/19 16:56:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2305) ldapsam_getgroup: Did not find group [2006/10/19 16:56:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2305) ldapsam_getgroup: Did not find group [2006/10/19 16:56:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2305) ldapsam_getgroup: Did not find group [2006/10/19 16:56:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2305) ldapsam_getgroup: Did not find group [2006/10/19 16:56:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2305) ldapsam_getgroup: Did not find group [2006/10/19 16:56:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2305) ldapsam_getgroup: Did not find group [2006/10/19 16:56:26, 4] 
passdb/pdb_ldap.c:ldapsam_getgroup(2305) ldapsam_getgroup: Did not find group
adding entry for group Domain Admins failed!
[2006/10/19 16:56:26, 2] utils/net.c:main(878) return code = -1

I have looked on the net for the good part of this week trying to find an answer to my problem. It seems a few other people are having a similar issue, but there are no concrete solutions to the problem. If anyone knows what the cause of this error is and how to fix it, it would be appreciated.

Regards
CJ

From davea at support.kcm.org Thu Oct 19 20:36:15 2006
From: davea at support.kcm.org (Dave Augustus)
Date: Thu, 19 Oct 2006 15:36:15 -0500
Subject: [Fedora-directory-users] userPassword versus Password
Message-ID: <1161290175.4525.3.camel@kcm40202>

I have an external applet that authenticates via LDAP. However, it will only use the userPassword attribute, not the Password attribute.

How can I tell FDS to use the Password attribute for Passwords?

Thanks,
Dave

From gholbert at broadcom.com Thu Oct 19 22:32:53 2006
From: gholbert at broadcom.com (George Holbert)
Date: Thu, 19 Oct 2006 15:32:53 -0700
Subject: [Fedora-directory-users] userPassword versus Password
In-Reply-To: <1161290175.4525.3.camel@kcm40202>
References: <1161290175.4525.3.camel@kcm40202>
Message-ID: <4537FD15.1030206@broadcom.com>

>
> However, it will
> only use the userPassword attribute, not the Password attribute.

You're in luck: userPassword already is the standard password attribute in FDS.

Dave Augustus wrote:
> I have an external applet that authenticates via LDAP. However, it will
> only use the userPassword attribute, not the Password attribute.
>
> How can I tell FDS to use the Password attribute for Passwords?
>
> Thanks,
> Dave
>

From davea at support.kcm.org Thu Oct 19 23:02:24 2006
From: davea at support.kcm.org (Dave Augustus)
Date: Thu, 19 Oct 2006 18:02:24 -0500
Subject: [Fedora-directory-users] userPassword versus Password
In-Reply-To: <4537FD15.1030206@broadcom.com>
References: <1161290175.4525.3.camel@kcm40202> <4537FD15.1030206@broadcom.com>
Message-ID: <1161298945.4525.6.camel@kcm40202>

Right-clicking on advanced and *show attribute names* revealed that *userpassword* is the attribute and its description is *Password*.

Thanks,
Dave

On Thu, 2006-10-19 at 15:32 -0700, George Holbert wrote:
> >
> > However, it will
> > only use the userPassword attribute, not the Password attribute.
>
> You're in luck: userPassword already is the standard password attribute
> in FDS.
>
>
> Dave Augustus wrote:
> > I have an external applet that authenticates via LDAP. However, it will
> > only use the userPassword attribute, not the Password attribute.
> >
> > How can I tell FDS to use the Password attribute for Passwords?
> >
> > Thanks,
> > Dave
> >
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From sigidwu at gmail.com Fri Oct 20 01:16:02 2006
From: sigidwu at gmail.com (sigid@JINLab)
Date: Fri, 20 Oct 2006 08:16:02 +0700
Subject: [Fedora-directory-users] integrating FDS+Postfix+Dovecot+squirrelmail
Message-ID: <45382352.4090806@gmail.com>

Dear friends,

I'm working on configuring a mail server that authenticates using FDS. Referring to http://directory.fedora.redhat.com/wiki/Howto:Postfix it seems FDS needs to load a schema to support the Postfix MTA; where can I find it? Is there any howto similar to the URL above?
thanks
sigid
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFOCNSqiPNNgPlDu0RAthBAKC/ni/0ZE9li0YnIKJTlyhseuHlOACffShJ
8VvzgCvzUWfjFjQGuHxv3xE=
=0Nm9
-----END PGP SIGNATURE-----

From pkime at Shopzilla.com Fri Oct 20 03:55:51 2006 From: pkime at Shopzilla.com (Philip Kime) Date: Thu, 19 Oct 2006 20:55:51 -0700 Subject: [Fedora-directory-users] pam_ldap doesn't follow referrals Message-ID: <9C0091F428E697439E7A773FFD083427435AC9@szexchange.Shopzilla.inc>

Any pointers welcome. This is on RHEL4 and FDS 1.0.2. pam_ldap moans about referrals when the first LDAP server in ldap.conf is a consumer-only. No problem if it's talking to a read-write master.

# passwd test
Changing password for user test.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Referral

I tried nss_ldap-226 and nss-ldap-253 which comes with an updated pam_ldap. I have

referrals yes

in ldap.conf

I can do a manual ldappasswd update to the consumer and it works, presumably referring to a writable master ok (though I can't see anything about referrals in the ldappasswd debugging output, nor anything in the master logs).

PK
--
Philip Kime
NOPS Systems Architect
310 401 0407

From cairc at glennies.com.au Fri Oct 20 05:33:16 2006 From: cairc at glennies.com.au (cj) Date: Fri, 20 Oct 2006 15:33:16 +1000 Subject: [Fedora-directory-users] Fedora Directory Server not allowing me to map group names Message-ID: <00a101c6f409$3ed4bc10$f0c8a8c0@summit>

Hi all

I sent this previously, but I sent it from the wrong email address, so I think it was rejected. My apologies for that.
I have just installed Fedora 5 and installed Fedora Directory Server 1.0.2-1 and samba 3.0.21b-2. I went through the instructions on the provided link below

http://directory.fedora.redhat.com/wiki/Howto:Samba

When it came to

net groupmap add rid=512 ntgroup='Domain Admins' unixgroup='Domain Admins'

I get the following error

Can't lookup UNIX group Domain Admins

Below is the net groupmap add rid=512 ntgroup='Domain Admins' unixgroup='Domain Admins' -d 4 command

[2006/10/19 16:58:04, 3] param/loadparm.c:lp_load(4211)
  lp_load: refreshing parameters
[2006/10/19 16:58:04, 3] param/loadparm.c:init_globals(1385)
  Initialising global parameters
[2006/10/19 16:58:04, 3] param/params.c:pm_process(574)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2006/10/19 16:58:04, 3] param/loadparm.c:do_section(3666)
  Processing section "[global]"
  doing parameter workgroup = GLENNIES
  doing parameter security = user
  doing parameter passdb backend = ldapsam:ldap://ldapserver.glennies.com.au
  doing parameter ldap admin dn = cn=Directory Manager
  doing parameter ldap suffix = dc=glennies,dc=com,dc=au
  doing parameter ldap user suffix = ou=People
  doing parameter ldap machine suffix = ou=Computers
  doing parameter ldap group suffix = ou=Groups
  doing parameter add group script = /usr/sbin/groupadd %g
  doing parameter log file = /var/log/%m.log
  doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  doing parameter os level = 33
  doing parameter domain logons = yes
  doing parameter domain master = yes
  doing parameter local master = yes
  doing parameter preferred master = yes
  doing parameter wins support = yes
  doing parameter logon home = \\%L\%u\profiles
  doing parameter logon path = \\%L\profiles\%u
  doing parameter logon drive = H:
  doing parameter template shell = /bin/false
  doing parameter winbind use default domain = no
[2006/10/19 16:58:04, 4] param/loadparm.c:lp_load(4242)
  pm_process() returned Yes
[2006/10/19 16:58:04, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.200.150 bcast=192.168.200.255 nmask=255.255.255.0
Can't lookup UNIX group Domain Admins
[2006/10/19 16:58:04, 2] utils/net.c:main(878)
  return code = -1

If I add Domain Admins to the file /etc/group I get the following error

adding entry for group Domain Admins failed!

Below is the net groupmap add rid=512 ntgroup='Domain Admins' unixgroup='Domain Admins' -d 4 command

[2006/10/19 16:56:26, 3] param/loadparm.c:lp_load(4211)
  lp_load: refreshing parameters
[2006/10/19 16:56:26, 3] param/loadparm.c:init_globals(1385)
  Initialising global parameters
[2006/10/19 16:56:26, 3] param/params.c:pm_process(574)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2006/10/19 16:56:26, 3] param/loadparm.c:do_section(3666)
  Processing section "[global]"
  doing parameter workgroup = GLENNIES
  doing parameter security = user
  doing parameter passdb backend = ldapsam:ldap://ldapserver.glennies.com.au
  doing parameter ldap admin dn = cn=Directory Manager
  doing parameter ldap suffix = dc=glennies,dc=com,dc=au
  doing parameter ldap user suffix = ou=People
  doing parameter ldap machine suffix = ou=Computers
  doing parameter ldap group suffix = ou=Groups
  doing parameter add group script = /usr/sbin/groupadd %g
  doing parameter log file = /var/log/%m.log
  doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  doing parameter os level = 33
  doing parameter domain logons = yes
  doing parameter domain master = yes
  doing parameter local master = yes
  doing parameter preferred master = yes
  doing parameter wins support = yes
  doing parameter logon home = \\%L\%u\profiles
  doing parameter logon path = \\%L\profiles\%u
  doing parameter logon drive = H:
  doing parameter template shell = /bin/false
  doing parameter winbind use default domain = no
[2006/10/19 16:56:26, 4] param/loadparm.c:lp_load(4242)
  pm_process() returned Yes
[2006/10/19 16:56:26, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.200.150 bcast=192.168.200.255 nmask=255.255.255.0
[2006/10/19 16:56:26, 2] lib/smbldap_util.c:smbldap_search_domain_info(228)
  Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=GLENNIES))]
[2006/10/19 16:56:26, 2] lib/smbldap.c:smbldap_open_connection(722)
  smbldap_open_connection: connection opened
[2006/10/19 16:56:26, 3] lib/smbldap.c:smbldap_connect_system(905)
  ldap_connect_system: succesful connection to the LDAP server
[2006/10/19 16:56:26, 4] lib/smbldap.c:smbldap_open(969)
  The LDAP server is succesfully connected
[2006/10/19 16:56:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2305)
  ldapsam_getgroup: Did not find group
[2006/10/19 16:56:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2305)
  ldapsam_getgroup: Did not find group
[2006/10/19 16:56:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2305)
  ldapsam_getgroup: Did not find group
[2006/10/19 16:56:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2305)
  ldapsam_getgroup: Did not find group
[2006/10/19 16:56:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2305)
  ldapsam_getgroup: Did not find group
[2006/10/19 16:56:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2305)
  ldapsam_getgroup: Did not find group
[2006/10/19 16:56:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2305)
  ldapsam_getgroup: Did not find group
[2006/10/19 16:56:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2305)
  ldapsam_getgroup: Did not find group
[2006/10/19 16:56:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2305)
  ldapsam_getgroup: Did not find group
[2006/10/19 16:56:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2305)
  ldapsam_getgroup: Did not find group
[2006/10/19 16:56:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2305)
  ldapsam_getgroup: Did not find group
[2006/10/19 16:56:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2305)
  ldapsam_getgroup: Did not find group
[2006/10/19 16:56:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2305)
  ldapsam_getgroup: Did not find group
adding entry for group Domain Admins failed!
[2006/10/19 16:56:26, 2] utils/net.c:main(878)
  return code = -1

I have looked on the net for the good part of this week trying to find an answer to my problem. It seems a few other people are having a similar issue, but really no concrete solutions to the problem. If anyone knows what the cause of this error is and how to fix it, it would be appreciated.

Regards
CJ

From sigidwu at gmail.com Fri Oct 20 05:56:53 2006 From: sigidwu at gmail.com (sigid@JINLab) Date: Fri, 20 Oct 2006 12:56:53 +0700 Subject: [Fedora-directory-users] fdsgraph: an rrdtool-based graphing utility for FDS In-Reply-To: <45375EFE.7050708@it-linux.cl> References: <20061004162205.29897.qmail@web34112.mail.mud.yahoo.com> <45242C16.2070107@redhat.com> <45250DF3.7060100@redhat.com> <45252182.8020508@redhat.com> <45254D6D.1040605@redhat.com> <4536D1CD.2040006@gmail.com> <45375EFE.7050708@it-linux.cl> Message-ID: <45386525.5070907@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Patricio Bruna V. wrote: > sigid at JINLab escribió: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Chris St. Pierre wrote: >> >>> If any of you are familiar with mailgraph for Postfix-based mail >>> servers, I've created something similar for Fedora DS. fdsgraph tails >>> the access log and creates rrdtool-based graphs of the number of >>> connections and operations, organized by connection security and op >>> type respectively. You can see some screenshots and find the tarball >>> at: >>> >>> http://www.nebrwesleyan.edu/people/stpierre/fdsgraph/fdsgraph.html >>> >> i've tried your tools but i'm having some error when starting fdsgraph >> service.
>> ======================
>> [root at jstsvr fdsgraph]# service fdsgraph start
>> Starting fdsgraph
>> Can't locate File/Tail.pm in @INC (@INC contains:
>> /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi
>> /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi
>> /usr/lib/perl5/5.8.8 .) at /usr/local/bin/fdsgraph.pl line 189.
>> BEGIN failed--compilation aborted at /usr/local/bin/fdsgraph.pl line 189.
>> =========================
>>
>> is there any package that i should install?
>>
> what about perl-File-Tail?

hmm perl-File-Tail is not installed yet. but after i installed the above package, no graph appears in the browser (only the headers daily, weekly, and so on). btw before i start the browser, when starting fdsgraph after installing perl-File-Tail, an error comes up

[root at jstsvr fdsgraph]# service fdsgraph start
Starting fdsgraph
fdsgraph: can't chdir to /var/lib/fdsgraph: No such file or directory at /usr/local/bin/fdsgraph.pl line 251.

as an action i created the directory /var/lib/fdsgraph. then the service could run but no graph appears. am i missing some configuration? because i already followed the guide.

thanks
sigid
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFOGUlqiPNNgPlDu0RAutBAKCtHblDDJiWv7AnnjNQcAq/z60Z2wCbBSRa
PBg0X0Rpgs7+NWWzOa8GdWw=
=vSoy
-----END PGP SIGNATURE-----

From blaze at elewise.com Fri Oct 20 07:35:13 2006 From: blaze at elewise.com (Pavel 'Blaze' Vinogradov) Date: Fri, 20 Oct 2006 12:35:13 +0500 Subject: [Fedora-directory-users] Ldap api for moving entries In-Reply-To: <4534DFFA.1020308@redhat.com> References: <45346D61.9040607@elewise.com> <4534DFFA.1020308@redhat.com> Message-ID: <45387C31.6050902@elewise.com>

Richard Megginson wrote: >> All work good, except entry moving.
I try to make >> LdapModifyDNRequest to server, but get answer: >> >> Error: LDAPException: Unwilling To Perform (53) Unwilling To Perform >> LDAPException: Server Message: server does not support moving of >> entries >> LDAPException: Matched DN: > > ModifyDN with new superior is not supported by Fedora DS.

How can I move/rename an entry? Is entry copying the best choice in this situation?

From mj at sci.fi Fri Oct 20 09:08:08 2006 From: mj at sci.fi (Mike Jackson) Date: Fri, 20 Oct 2006 12:08:08 +0300 Subject: [Fedora-directory-users] Command-line Consumer Initialization In-Reply-To: <20061016221513.36838.qmail@web50909.mail.yahoo.com> References: <20061016221513.36838.qmail@web50909.mail.yahoo.com> Message-ID: <453891F8.8030301@sci.fi>

jamsda wrote: > Hi Mike, > > Thanks for the responses. You mentioned earlier in the > thread I could use mmr.pl to initialize (only) a > consumer. I don't see that option with the tool; only > "create", "remove" and "display". I noticed the create > function calls three other functions, > "config_supplier", "add_rep_agreement", and then > "initialize". > If I want to initialize only, do I need to re-create > the agreements? > I tried modifying it to have an --init option with > only the "initialize($host1, $host2) function being > called, but kept getting the mmr usage, and wasn't > sure if its possible to do an initialize only.

Hi Jim,
First remove the agreement and then create it again. No need for an --init option.

BR,
--
mike

From stpierre at NebrWesleyan.edu Fri Oct 20 13:13:48 2006 From: stpierre at NebrWesleyan.edu (Chris St.
Pierre) Date: Fri, 20 Oct 2006 08:13:48 -0500 (CDT) Subject: [Fedora-directory-users] fdsgraph: an rrdtool-based graphing utility for FDS In-Reply-To: <45386525.5070907@gmail.com> References: <20061004162205.29897.qmail@web34112.mail.mud.yahoo.com> <45242C16.2070107@redhat.com> <45250DF3.7060100@redhat.com> <45252182.8020508@redhat.com> <45254D6D.1040605@redhat.com> <4536D1CD.2040006@gmail.com> <45375EFE.7050708@it-linux.cl> <45386525.5070907@gmail.com> Message-ID:

On Fri, 20 Oct 2006, sigid at JINLab wrote:

>hmm perl-File-Tail is not installed yet.
>but after i installed the above package, no graph appears in the browser
>(only the headers daily, weekly, and so on)
>btw before i start the browser, when starting fdsgraph after
>installing perl-File-Tail, an error comes up
>
>[root at jstsvr fdsgraph]# service fdsgraph start
>Starting fdsgraph
>fdsgraph: can't chdir to /var/lib/fdsgraph: No such file or directory at
>/usr/local/bin/fdsgraph.pl line 251.
>
>as an action i created the directory /var/lib/fdsgraph. then the service
>could run but no graph appears
>am i missing some configuration? because i already followed the guide.
>
>thanks
>sigid

Check the ownership on /var/lib/fdsgraph. It has to be readable by your web server. Also, check Apache's error logs; you should find error messages in there pointing you to what needs to be done.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

From david_list at boreham.org Fri Oct 20 13:29:04 2006 From: david_list at boreham.org (David Boreham) Date: Fri, 20 Oct 2006 07:29:04 -0600 Subject: [Fedora-directory-users] fdsgraph: an rrdtool-based graphing utility for FDS In-Reply-To: References: <20061004162205.29897.qmail@web34112.mail.mud.yahoo.com> <45242C16.2070107@redhat.com> <45250DF3.7060100@redhat.com> <45252182.8020508@redhat.com> <45254D6D.1040605@redhat.com> Message-ID: <4538CF20.5040500@boreham.org>

Chris St.
Pierre wrote: >If any of you are familiar with mailgraph for Postfix-based mail >servers, I've created something similar for Fedora DS. fdsgraph tails > >

For anyone that uses an SNMP based grapher like cricket or cacti, note that most of this information is also available via SNMP (and LDAP too in the monitor entry). There's quite a bit of potentially useful data in the monitor entries that does not show up in the access log also (database activity for example).

From rmeggins at redhat.com Fri Oct 20 14:25:24 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 20 Oct 2006 08:25:24 -0600 Subject: [Fedora-directory-users] Ldap api for moving entries In-Reply-To: <45387C31.6050902@elewise.com> References: <45346D61.9040607@elewise.com> <4534DFFA.1020308@redhat.com> <45387C31.6050902@elewise.com> Message-ID: <4538DC54.3080801@redhat.com>

Pavel 'Blaze' Vinogradov wrote: > Richard Megginson wrote: > >>> All work good, except entry moving. I try to make >>> LdapModifyDNRequest to server, but get answer: >>> >>> Error: LDAPException: Unwilling To Perform (53) Unwilling To Perform >>> LDAPException: Server Message: server does not support moving of >>> entries >>> LDAPException: Matched DN: >> >> ModifyDN with new superior is not supported by Fedora DS. > > How can I move/rename an entry? Is entry copying the best choice in this > situation?

Yes, that's how the directory server console does it - copy/add new/delete old.

> > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users
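Richard's copy/add new/delete old answer, carried out as an added example that is not from this thread and not Fedora DS or console code: the script below takes an entry as a search of the old DN would return it and emits the two LDIF change records that emulate a ModifyDN with newSuperior, an add of the copy under the new parent followed by a delete of the original. It is plain Python with no LDAP library; the DNs, the sample entry and its password hash are constructed for the example. Two things the copy approach does not do for you, and which the code reflects: the server-owned operational attributes (nsUniqueId, createTimestamp and friends) are dropped from the copy rather than sent, and the delete is a separate record to be applied only after the add has succeeded, since the pair is not atomic and deleting first would lose the entry if the add then failed. Anything elsewhere in the directory that names the old DN (group members, ACIs) still has to be updated by hand.

```python
"""
Emulate "move this entry under a new parent" on a server that rejects
ModifyDN with newSuperior: produce the two LDIF change records the console
effectively applies (add a copy under the new parent, then delete the
original).  Added example; not Fedora DS or console code.
"""
import base64
import re

# RFC 2849: "attr: value" is allowed only for a SAFE-STRING (printable ASCII
# not starting with space, ':' or '<'); anything else goes out as "attr:: b64".
_SAFE_STRING = re.compile(
    rb"^[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]"
    rb"[\x01-\x09\x0b\x0c\x0e-\x7f]*\Z"
)
# Server-owned operational attributes: returned by a search, but the server
# assigns them itself and they must not be sent in the add.
_OPERATIONAL = {"nsuniqueid", "createtimestamp", "modifytimestamp",
                "creatorsname", "modifiersname"}


def ldif_attr(name, value):
    """One LDIF attribute line, base64-encoded when the value is not safe."""
    if value == b"" or _SAFE_STRING.match(value):
        return "%s: %s" % (name, value.decode("ascii"))
    return "%s:: %s" % (name, base64.b64encode(value).decode("ascii"))


def split_rdns(dn):
    """Split a DN into its RDN strings, honouring RFC 4514 backslash escapes."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped char: keep both
            current.append(dn[i:i + 2])
            i += 2
        elif dn[i] == ",":
            rdns.append("".join(current).strip())
            current = []
            i += 1
        else:
            current.append(dn[i])
            i += 1
    rdns.append("".join(current).strip())
    return rdns


def rdn_value_bytes(value):
    """Raw bytes of an RFC 4514 attribute value: undo \\X and \\hh escapes."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(int(pair, 16))
                i += 3
            else:
                out.extend(value[i + 1].encode("utf-8"))
                i += 2
        else:
            out.extend(value[i].encode("utf-8"))
            i += 1
    return bytes(out)


def move_entry(old_dn, new_parent_dn, entry, new_rdn=None, delete_old_rdn=True):
    """Return [add_record, delete_record] (LDIF strings) that move the entry.

    `entry` maps attribute names to lists of byte values as read from old_dn.
    Apply the add first and the delete only after it succeeded: not atomic.
    """
    old_rdn = split_rdns(old_dn)[0]
    rdn = new_rdn or old_rdn
    new_dn = "%s,%s" % (rdn, new_parent_dn)
    # Attribute names are case-insensitive: key on lowercase, keep one spelling.
    copy, spelling = {}, {}
    for name, values in entry.items():
        key = name.lower()
        if key in _OPERATIONAL:
            continue
        spelling[key] = name
        copy[key] = list(values)
    if new_rdn and delete_old_rdn:                 # like deleteoldrdn=1
        old_attr, _, old_val = old_rdn.partition("=")
        old_key, old_bytes = old_attr.strip().lower(), rdn_value_bytes(old_val.strip())
        copy[old_key] = [v for v in copy.get(old_key, []) if v != old_bytes]
    # The RDN attribute value must be present in the entry (RFC 4512 2.3.1).
    attr, _, val = rdn.partition("=")
    key, val_bytes = attr.strip().lower(), rdn_value_bytes(val.strip())
    spelling.setdefault(key, attr.strip())
    if val_bytes not in copy.setdefault(key, []):
        copy[key].append(val_bytes)
    add_lines = [ldif_attr("dn", new_dn.encode("utf-8")), "changetype: add"]
    for key, values in copy.items():
        add_lines.extend(ldif_attr(spelling[key], v) for v in values)
    delete_record = ldif_attr("dn", old_dn.encode("utf-8")) + "\nchangetype: delete\n"
    return ["\n".join(add_lines) + "\n", delete_record]


# Constructed sample, shaped like a search result of the old DN.
SAMPLE_ENTRY = {
    "objectClass": [b"top", b"person", b"organizationalPerson", b"inetOrgPerson"],
    "cn": [b"Tony Tester"], "sn": [b"Tester"], "uid": [b"tester"],
    "userPassword": [b"{SSHA}c29tZSBjb25zdHJ1Y3RlZCBoYXNo"],   # constructed, not a real hash
    "nsUniqueId": [b"00000000-00000000-00000000-00000000"],    # server-owned, dropped
}

if __name__ == "__main__":
    for record in move_entry("uid=tester,ou=People,dc=testdom,dc=net",
                             "ou=Contractors,dc=testdom,dc=net", SAMPLE_ENTRY):
        print(record)
```

Feed the first record to ldapmodify, check its exit status, and only then feed the second; a rename within the same parent is the same call with `new_rdn` set, which drops the old RDN value from the copy the way deleteoldrdn=1 would.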
From jamsda_1 at yahoo.com Fri Oct 20 16:19:38 2006 From: jamsda_1 at yahoo.com (jamsda) Date: Fri, 20 Oct 2006 09:19:38 -0700 (PDT) Subject: [Fedora-directory-users] Command-line Consumer Initialization In-Reply-To: <453891F8.8030301@sci.fi> Message-ID: <20061020161938.61335.qmail@web50914.mail.yahoo.com>

Ok, so I'm guessing this is what happens behind the scenes (remove/re-create) when I do an "initialize consumer" from the GUI right?

Thanks for the response,
Jim

--- Mike Jackson wrote: > jamsda wrote: > > Hi Mike, > > > > Thanks for the responses. You mentioned earlier in > the > > thread I could use mmr.pl to initialize (only) a > > consumer. I don't see that option with the tool; > only > > "create", "remove" and "display". I noticed the > create > > function calls three other functions, > > "config_supplier", "add_rep_agreement", and then > > "initialize". > > If I want to initialize only, do I need to > re-create > > the agreements? > > I tried modifying it to have an --init option with > > only the "initialize($host1, $host2) function > being > > called, but kept getting the mmr usage, and wasn't > > sure if its possible to do an initialize only. > > Hi Jim, > First remove the agreement and then create it > again. No need for an > --init option. > > BR, > -- > mike > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >
From davea at support.kcm.org Fri Oct 20 16:35:57 2006 From: davea at support.kcm.org (Dave Augustus) Date: Fri, 20 Oct 2006 11:35:57 -0500 Subject: [Fedora-directory-users] integrating FDS+Postfix+Dovecot+squirrelmail In-Reply-To: <45382352.4090806@gmail.com> References: <45382352.4090806@gmail.com> Message-ID: <1161362157.8560.4.camel@kcm40202>

Here is an article about what I think you need from your post:

http://www.linuxjournal.com/article/5917

It references various schemas that may be included in the courier packages. LDAP doesn't care about the source of the schemas, just that they are properly formed.

Hope it helps!
Dave

On Fri, 2006-10-20 at 08:16 +0700, sigid at JINLab wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > dear friends, > > i'm working on configuring a mail server that authenticates using FDS. > referring to http://directory.fedora.redhat.com/wiki/Howto:Postfix it > seems FDS needs to load a schema for supporting the postfix MTA, where can > i find it? is there any howto similar to the url above?
> > thanks > sigid > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.2.2 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org > > iD8DBQFFOCNSqiPNNgPlDu0RAthBAKC/ni/0ZE9li0YnIKJTlyhseuHlOACffShJ > 8VvzgCvzUWfjFjQGuHxv3xE= > =0Nm9 > -----END PGP SIGNATURE----- > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users

From gholbert at broadcom.com Fri Oct 20 18:04:20 2006 From: gholbert at broadcom.com (George Holbert) Date: Fri, 20 Oct 2006 11:04:20 -0700 Subject: [Fedora-directory-users] pam_ldap doesn't follow referrals In-Reply-To: <9C0091F428E697439E7A773FFD083427435AC9@szexchange.Shopzilla.inc> References: <9C0091F428E697439E7A773FFD083427435AC9@szexchange.Shopzilla.inc> Message-ID: <45390FA4.8030804@broadcom.com>

This is a shot in the dark, but have you tried specifying:

pam_password exop

..in /etc/ldap.conf?

I suggest this because you mention ldappasswd seems to do the job, and ldappasswd uses the password change extended operation to do its work.

Philip Kime wrote: > Any pointers welcome. This is on RHEL4 and FDS 1.0.2. pam_ldap moans > about referrals when the first LDAP server in ldap.conf is a > consumer-only. No problem if it's talking to a read-write master. > > # passwd test > Changing password for user test. > Enter login(LDAP) password: > New UNIX password: > Retype new UNIX password: > LDAP password information update failed: Referral > > I tried nss_ldap-226 and nss-ldap-253 which comes with an updated > pam_ldap. I have > > referrals yes > > in ldap.conf > > I can do a manual ldappasswd update to the consumer and it works, > presumably referring to a writable master ok (though I can't see > anything about referrals in the ldappasswd debugging output, nor > anything in the master logs).
> > PK > > > -- > Philip Kime > NOPS Systems Architect > 310 401 0407 > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >

From mj at sci.fi Fri Oct 20 18:40:17 2006 From: mj at sci.fi (Mike Jackson) Date: Fri, 20 Oct 2006 21:40:17 +0300 Subject: [Fedora-directory-users] Command-line Consumer Initialization In-Reply-To: <20061020161938.61335.qmail@web50914.mail.yahoo.com> References: <20061020161938.61335.qmail@web50914.mail.yahoo.com> Message-ID: <45391811.2010708@sci.fi>

jamsda wrote: > Ok, so I'm guessing this is what happens behind the > scenes (remove/re-create) when I do an "initialize > consumer" from the GUI right? >

It is, for all intents and purposes, the functional equivalent.

--
mike

From rmeggins at redhat.com Fri Oct 20 20:14:20 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 20 Oct 2006 14:14:20 -0600 Subject: [Fedora-directory-users] Command-line Consumer Initialization In-Reply-To: <45391811.2010708@sci.fi> References: <20061020161938.61335.qmail@web50914.mail.yahoo.com> <45391811.2010708@sci.fi> Message-ID: <45392E1C.7010600@redhat.com>

Mike Jackson wrote: > jamsda wrote: >> Ok, so I'm guessing this is what happens behind the >> scenes (remove/re-create) when I do an "initialize >> consumer" from the GUI right? > > It is, for all intents and purposes, the functional equivalent.

Not exactly. To perform a replica init, all you need is the DN of the replication agreement.
Step 1 - find the DN of the replication agreement with ldapsearch:

ldapsearch -D "cn=directory manager" -w password -s sub -b cn=config '(objectclass=nsds5ReplicationAgreement)' cn

Then choose the repl agreement you are interested in

Step 2 - initiate repl init using ldapmodify

ldapmodify -D "cn=directory manager" -w password
dn: dn of your repl agreement from step 1
changetype: modify
replace: nsds5BeginReplicaRefresh
nsds5BeginReplicaRefresh: start

That starts the replica refresh (init).

Step 3 - view repl init status with ldapsearch - remember to escape or quote the quotes in the repl agreement DN

ldapsearch -D "cn=directory manager" -w password -s base -b "dn of your repl agreement" "objectclass=*" nsds5BeginReplicaRefresh nsds5replicaUpdateInProgress nsds5ReplicaLastInitStart nsds5ReplicaLastInitEnd nsds5ReplicaLastInitStatus

The init is complete when the nsds5BeginReplicaRefresh attribute is absent. Then you can check the status with nsds5ReplicaLastInitStatus, which should contain the string "Total update succeeded" if successful. If there are errors, check the error logs on the supplier and consumer.

> > -- > mike > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users

From kylet at panix.com Sat Oct 21 19:45:09 2006 From: kylet at panix.com (Kyle Tucker) Date: Sat, 21 Oct 2006 15:45:09 -0400 (EDT) Subject: [Fedora-directory-users] Can add with GUI, not with ldapmodify Message-ID: <200610211945.k9LJj9H15430@panix3.panix.com>

Hi,
New clean installation of Fedora DS 1.0.2 on FC5. I added a first user with the admin console, exported it to see its attributes and made a template to add a new user via LDIF like below.
If I try to add it with ldapmodify, I get this:

ldapmodify -x -a -W -D "cn=Manager,dc=testdom,dc=net" -h \
localhost -f addtester.ldif
Enter LDAP Password:
ldap_bind: No such object (32)
        matched DN: dc=testdom,dc=net

If I import the exact same LDIF file with the admin console, it goes right in and all the attributes are fine.

Any ideas? Thanks.

dn: uid=tester, ou=People, dc=testdom,dc=net
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
ou: People
cn: Tony Tester
sn: Tester
givenName: Tony
uid: tester
telephoneNumber: 603-555-1212
loginShell: /bin/sh
gidNumber: 100
uidNumber: 503
mail: tester at testdom.net
gecos: Tony Tester
homeDirectory: /usr/local/home/tester
userPassword: {SSHA}yYUVdAn95yDfzbIK92SuL0jK0cCnU//A

--
- Kyle
---------------------------------------------
kylet at panix.com http://www.panix.com/~kylet
---------------------------------------------

From stpierre at NebrWesleyan.edu Sat Oct 21 23:09:51 2006 From: stpierre at NebrWesleyan.edu (Chris St. Pierre) Date: Sat, 21 Oct 2006 18:09:51 -0500 (CDT) Subject: [Fedora-directory-users] Can add with GUI, not with ldapmodify In-Reply-To: <200610211945.k9LJj9H15430@panix3.panix.com> References: <200610211945.k9LJj9H15430@panix3.panix.com> Message-ID:

What happens if you try to bind as the directory manager to create Tony Tester's entry? I.e.,

ldapmodify -x -a -W -D "cn=directory manager" -h -f addtester.ldif

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

On Sat, 21 Oct 2006, Kyle Tucker wrote: >Hi, > New clean installation of Fedora DS 1.0.2 on FC5. I >added a first user with the admin console, exported it to see >its attributes and made a template to add a new user via LDIF >like below.
If I try to add it with ldapmodify, I get this:
>
>ldapmodify -x -a -W -D "cn=Manager,dc=testdom,dc=net" -h \
>localhost -f addtester.ldif
>Enter LDAP Password:
>ldap_bind: No such object (32)
> matched DN: dc=testdom,dc=net
>
>If I import the exact same LDIF file with the admin console, it
>goes right in and all the attributes are fine.
>
>Any ideas? Thanks.
>
>dn: uid=tester, ou=People, dc=testdom,dc=net
>changetype: add
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: inetorgperson
>objectClass: posixAccount
>ou: People
>cn: Tony Tester
>sn: Tester
>givenName: Tony
>uid: tester
>telephoneNumber: 603-555-1212
>loginShell: /bin/sh
>gidNumber: 100
>uidNumber: 503
>mail: tester at testdom.net
>gecos: Tony Tester
>homeDirectory: /usr/local/home/tester
>userPassword: {SSHA}yYUVdAn95yDfzbIK92SuL0jK0cCnU//A
>
>--
>- Kyle
>---------------------------------------------
>kylet at panix.com http://www.panix.com/~kylet
>---------------------------------------------
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From pkime at Shopzilla.com Sun Oct 22 04:23:25 2006 From: pkime at Shopzilla.com (Philip Kime) Date: Sat, 21 Oct 2006 21:23:25 -0700 Subject: [Fedora-directory-users] Re: pam_ldap doesn't follow referrals Message-ID: <9C0091F428E697439E7A773FFD083427435AD0@szexchange.Shopzilla.inc>

> This is a shot in the dark,
> but have you tried specifying:
> pam_password exop
> ..in /etc/ldap.conf?
> I suggest this because you mention ldappasswd seems to do the job, and
> ldappasswd uses the password change extended operation to do its work.

Good shot! It works now. Many thanks - I had looked at exop but for some reason didn't try it ...
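The exchange behind George's suggestion, as an added example that is not from this thread and not pam_ldap, OpenLDAP or Fedora DS code: without `pam_password exop`, pam_ldap changes a password with an ordinary Modify that replaces userPassword, and a read-only consumer answers that with a referral result (the "Referral" failure above). With `pam_password exop` it sends the Password Modify extended operation of RFC 3062 instead, the same request ldappasswd makes. The Python below builds both requests byte for byte (BER encoding only, nothing is sent) and parses the exop value back, so the two can be compared on the wire; the DN and passwords are constructed. One caveat a practitioner should keep in mind: the exop carries the new password in clear inside the LDAP payload, so it belongs only on a TLS-protected connection (ldaps, or `ssl start_tls` in ldap.conf).

```python
"""
The two ways pam_ldap can change a password, encoded on the wire: a Modify
that replaces userPassword (the default), and the Password Modify extended
operation of RFC 3062 ("pam_password exop").  Added example; not pam_ldap,
OpenLDAP or Fedora DS code.  Pure BER encoding, nothing is sent anywhere.
"""

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"   # RFC 3062


def ber_length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_integer(n):
    # minimal two's complement; the extra byte keeps the sign bit clear
    return ber_tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def ldap_message(message_id, protocol_op):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp ... }"""
    return ber_tlv(0x30, ber_integer(message_id) + protocol_op)


def passwd_modify_value(user_identity=None, old_passwd=None, new_passwd=None):
    """PasswdModifyRequestValue ::= SEQUENCE { userIdentity [0] OCTET STRING
    OPTIONAL, oldPasswd [1] OCTET STRING OPTIONAL, newPasswd [2] ... }"""
    body = b""
    for tag, field in ((0x80, user_identity), (0x81, old_passwd), (0x82, new_passwd)):
        if field is not None:
            body += ber_tlv(tag, field.encode("utf-8"))
    return ber_tlv(0x30, body)


def passwd_modify_request(message_id, user_dn, old_passwd, new_passwd):
    """ExtendedRequest [APPLICATION 23] { requestName [0] LDAPOID,
    requestValue [1] OCTET STRING }: what "pam_password exop" sends."""
    value = passwd_modify_value(user_dn, old_passwd, new_passwd)
    op = ber_tlv(0x77, ber_tlv(0x80, PASSWD_MODIFY_OID.encode("ascii"))
                 + ber_tlv(0x81, value))
    return ldap_message(message_id, op)


def modify_userpassword_request(message_id, user_dn, new_value):
    """ModifyRequest [APPLICATION 6] { object LDAPDN, changes SEQUENCE OF
    { operation ENUMERATED replace(2), modification { type, vals SET OF } } }:
    the default pam_ldap behaviour, which a read-only consumer answers with
    referral(10) rather than applying.  new_value is whatever the pam_password
    setting produced (a "{MD5}..." hash, or clear text)."""
    vals = ber_tlv(0x31, ber_tlv(0x04, new_value.encode("utf-8")))
    attr = ber_tlv(0x30, ber_tlv(0x04, b"userPassword") + vals)
    change = ber_tlv(0x30, ber_tlv(0x0a, b"\x02") + attr)
    op = ber_tlv(0x66, ber_tlv(0x04, user_dn.encode("utf-8")) + ber_tlv(0x30, change))
    return ldap_message(message_id, op)


def parse_tlv(buf, pos=0):
    """(tag, payload, next_pos) of the TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def parse_passwd_modify_value(value):
    """Inverse of passwd_modify_value, keyed by field name."""
    names = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}
    tag, body, _ = parse_tlv(value)
    if tag != 0x30:
        raise ValueError("PasswdModifyRequestValue must be a SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        tag, payload, pos = parse_tlv(body, pos)
        fields[names[tag]] = payload.decode("utf-8")
    return fields


if __name__ == "__main__":
    # Constructed DN and passwords, only to show the two encodings side by side.
    dn = "uid=test,dc=example,dc=com"
    print("exop  :", passwd_modify_request(1, dn, "old1", "new1").hex())
    print("modify:", modify_userpassword_request(2, dn, "{MD5}X").hex())
```

The exop request names the user in its value and lets the server hash the password under its own storage scheme and password policy, which is also why it is the form to prefer over a client-side `pam_password md5` or `crypt` hash written straight into userPassword.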
PK

From kylet at panix.com Sun Oct 22 14:35:51 2006 From: kylet at panix.com (Kyle Tucker) Date: Sun, 22 Oct 2006 10:35:51 -0400 Subject: [Fedora-directory-users] Can add with GUI, not with ldapmodify In-Reply-To: References: <200610211945.k9LJj9H15430@panix3.panix.com> Message-ID: <20061022143551.GA18893@panix.com>

On Sat, Oct 21, 2006 at 06:09:51PM -0500, Chris St. Pierre wrote:
> What happens if you try to bind as the directory manager to create
> Tony Tester's entry? I.e.,
>
> ldapmodify -x -a -W -D "cn=directory manager" -h -f addtester.ldif

I named my directory manager just "Manager" instead of "Directory Manager" so I could use the same scripts and templates with OpenLDAP as I am comparing the two to decide on which to implement. Is that a problem?

> On Sat, 21 Oct 2006, Kyle Tucker wrote:
> >
> >Hi,
> > New clean installation of Fedora DS 1.0.2 on FC5. I
> >added a first user with the admin console, exported it to see
> >its attributes and made a template to add a new user via LDIF
> >like below. If I try to add it with ldapmodify, I get this:
> >
> >ldapmodify -x -a -W -D "cn=Manager,dc=testdom,dc=net" -h \
> >localhost -f addtester.ldif
> >Enter LDAP Password:
> >ldap_bind: No such object (32)
> > matched DN: dc=testdom,dc=net
> >
> >If I import the exact same LDIF file with the admin console, it
> >goes right in and all the attributes are fine.
> >
> >Any ideas? Thanks.
> >
> >dn: uid=tester, ou=People, dc=testdom,dc=net
> >changetype: add
> >objectClass: top
> >objectClass: person
> >objectClass: organizationalPerson
> >objectClass: inetorgperson
> >objectClass: posixAccount
> >ou: People
> >cn: Tony Tester
> >sn: Tester
> >givenName: Tony
> >uid: tester
> >telephoneNumber: 603-555-1212
> >loginShell: /bin/sh
> >gidNumber: 100
> >uidNumber: 503
> >mail: tester at testdom.net
> >gecos: Tony Tester
> >homeDirectory: /usr/local/home/tester
> >userPassword: {SSHA}yYUVdAn95yDfzbIK92SuL0jK0cCnU//A
> >
> >--
> >- Kyle
> >---------------------------------------------
> >kylet at panix.com http://www.panix.com/~kylet
> >---------------------------------------------
> >
> >--
> >Fedora-directory-users mailing list
> >Fedora-directory-users at redhat.com
> >https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

--
- Kyle
---------------------------------------------
kylet at panix.com http://www.panix.com/~kylet
---------------------------------------------

From kylet at panix.com Sun Oct 22 17:02:40 2006 From: kylet at panix.com (Kyle Tucker) Date: Sun, 22 Oct 2006 13:02:40 -0400 (EDT) Subject: [Fedora-directory-users] Can add with GUI, not with ldapmodify In-Reply-To: Message-ID: <200610221702.k9MH2e624951@panix3.panix.com>

I reinstalled FDS with directory manager set as "Directory Manager" and I can now add LDIF files. I don't know if that was the issue, but the problem went away.
--
- Kyle
---------------------------------------------
kylet at panix.com http://www.panix.com/~kylet
---------------------------------------------

From gmessmer at u.washington.edu Sun Oct 22 23:57:36 2006
From: gmessmer at u.washington.edu (Gordon Messmer)
Date: Sun, 22 Oct 2006 16:57:36 -0700
Subject: [Fedora-directory-users] Can add with GUI, not with ldapmodify
In-Reply-To: <200610211945.k9LJj9H15430@panix3.panix.com>
References: <200610211945.k9LJj9H15430@panix3.panix.com>
Message-ID: <453C0570.6070404@u.washington.edu>

Kyle Tucker wrote:
>
> ldapmodify -x -a -W -D "cn=Manager,dc=testdom,dc=net" -h \
> localhost -f addtester.ldif
> Enter LDAP Password:
> ldap_bind: No such object (32)
> matched DN: dc=testdom,dc=net

That means that "cn=Manager,dc=testdom,dc=net" doesn't exist. Normally, your "manager" user isn't within the base DN for the rest of your data. I'm not sure if it must be that way or not. You can, however, create an entry at "cn=Manager,dc=testdom,dc=net" after installation, and add that user to the managers group so that you can use the same scripts that you already use with OpenLDAP.

From ando at sys-net.it Mon Oct 23 12:32:15 2006
From: ando at sys-net.it (Pierangelo Masarati)
Date: Mon, 23 Oct 2006 14:32:15 +0200 (CEST)
Subject: [Fedora-directory-users] Can add with GUI, not with ldapmodify
In-Reply-To: <20061022143551.GA18893@panix.com>
References: <200610211945.k9LJj9H15430@panix3.panix.com> <20061022143551.GA18893@panix.com>
Message-ID: <48864.131.175.154.56.1161606735.squirrel@131.175.154.56>

> On Sat, Oct 21, 2006 at 06:09:51PM -0500, Chris St. Pierre wrote:
>> What happens if you try to bind as the directory manager to create
>> Tony Tester's entry? I.e.,
>>
>> ldapmodify -x -a -W -D "cn=directory manager" -h -f addtester.ldif
>
> I named my directory manager just "Manager" instead of "Directory
> Manager" so I could use the same scripts and templates with OpenLDAP
> as I am comparing the two to decide on which to implement. Is that
> a problem?

In OpenLDAP the rootdn can be whatever valid DN; maybe you should exploit flexibility where it's easier, not the opposite ;).

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati at sys-net.it
------------------------------------------

From rmeggins at redhat.com Mon Oct 23 14:22:43 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 23 Oct 2006 08:22:43 -0600
Subject: [Fedora-directory-users] Can add with GUI, not with ldapmodify
In-Reply-To: <48864.131.175.154.56.1161606735.squirrel@131.175.154.56>
References: <200610211945.k9LJj9H15430@panix3.panix.com> <20061022143551.GA18893@panix.com> <48864.131.175.154.56.1161606735.squirrel@131.175.154.56>
Message-ID: <453CD033.2040801@redhat.com>

Pierangelo Masarati wrote:
>> On Sat, Oct 21, 2006 at 06:09:51PM -0500, Chris St. Pierre wrote:
>>
>>> What happens if you try to bind as the directory manager to create
>>> Tony Tester's entry? I.e.,
>>>
>>> ldapmodify -x -a -W -D "cn=directory manager" -h -f addtester.ldif
>>>
>> I named my directory manager just "Manager" instead of "Directory
>> Manager"
Did you try -D "cn=Manager" in that case? That should have worked.
>> so I could use the same scripts and templates with OpenLDAP
>> as I am comparing the two to decide on which to implement. Is that
>> a problem?
>>
>
> In OpenLDAP the rootdn can be whatever valid DN; maybe you should exploit
> flexibility where it's easier, not the opposite ;).
>
> p.
>
> Ing. Pierangelo Masarati
> OpenLDAP Core Team
>
> SysNet s.n.c.
> Via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> ------------------------------------------
> Office: +39.02.23998309
> Mobile: +39.333.4963172
> Email: pierangelo.masarati at sys-net.it
> ------------------------------------------

From seriv at omniti.com Mon Oct 23 20:19:41 2006
From: seriv at omniti.com (Sergey Ivanov)
Date: Mon, 23 Oct 2006 16:19:41 -0400
Subject: [Fedora-directory-users] how to set up Fedora Ds on a multinetwork host
Message-ID: <453D23DD.4010705@omniti.com>

Hi,
I have installed Fedora Directory Server on a machine which belongs to 2 different networks. One is a local network with the 192.168. prefix, and the other is a real IP I've got from my Internet Service Provider.

I want to have Directory Server listening on both interfaces, with SSL certificates. How can I set up Directory Server to use different certificates for different IP addresses (and different hostnames)? Is it possible?

I have not found the answer in the documentation or on the internet. I tried to set up another Directory Server instance on the same host, but I also failed, because it refuses to share the same port number and to bind to that port only on one of the IP addresses.

Please, help me.

With best regards,
Sergey Ivanov.
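Before following the recipe and the nsslapd-listenhost/nsslapd-securelistenhost advice that Mike Jackson and George Holbert give later in this thread, it helps to see why Sergey's second instance could not take the same port. The Python script below is an added example, not code from the thread or from Fedora Directory Server: it reads the listener attributes out of two constructed dse.ldif-style fragments and reports which sockets would collide. nsslapd-port, nsslapd-secureport and nsslapd-security are standard cn=config attributes that the thread itself does not mention; the instance names and addresses are made up.

```python
"""Pre-flight check: can two Directory Server instances on one multi-homed
host both bind their listeners?  Added example, not code from the thread or
from Fedora Directory Server.  The sample configs below are constructed."""
from dataclasses import dataclass
from typing import Dict, List

ANY_ADDR = "0.0.0.0"   # what an unset nsslapd-listenhost amounts to

# Constructed dse.ldif-style fragments (addresses and instance names are made up).
CONF_INTERNAL = """
dn: cn=config
nsslapd-listenhost: 192.168.1.10
nsslapd-port: 389
nsslapd-security: on
nsslapd-securelistenhost: 192.168.1.10
nsslapd-secureport: 636
"""

# Second instance as first created: no listenhost, so it wants every address.
CONF_EXTERNAL_WILDCARD = """
dn: cn=config
nsslapd-port: 389
nsslapd-security: on
nsslapd-secureport: 636
"""

# Second instance pinned to the external address.
CONF_EXTERNAL_PINNED = """
dn: cn=config
nsslapd-listenhost: 203.0.113.5
nsslapd-port: 389
nsslapd-security: on
nsslapd-securelistenhost: 203.0.113.5
nsslapd-secureport: 636
"""


def parse_config(ldif: str) -> Dict[str, str]:
    """Map lower-cased attribute names to values for the 'attr: value' lines
    of one entry (enough for the single-valued listener attributes)."""
    attrs: Dict[str, str] = {}
    for raw in ldif.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        attrs[name.strip().lower()] = value.strip()
    return attrs


@dataclass(frozen=True)
class Listener:
    instance: str
    host: str
    port: int
    secure: bool


def listeners(instance: str, attrs: Dict[str, str]) -> List[Listener]:
    """Derive the sockets an instance will try to bind from its config."""
    found: List[Listener] = []
    port = attrs.get("nsslapd-port")
    if port and port != "0":
        found.append(Listener(instance, attrs.get("nsslapd-listenhost", ANY_ADDR), int(port), False))
    sport = attrs.get("nsslapd-secureport")
    if sport and attrs.get("nsslapd-security", "off").lower() == "on":
        found.append(Listener(instance, attrs.get("nsslapd-securelistenhost", ANY_ADDR), int(sport), True))
    return found


def collides(a: Listener, b: Listener) -> bool:
    """Same port and either side is the wildcard address, or the same address."""
    if a.port != b.port:
        return False
    return ANY_ADDR in (a.host, b.host) or a.host == b.host


def check(configs: Dict[str, str]) -> List[str]:
    """Return one line per colliding pair of listeners; an empty list means OK."""
    socks = [l for name, ldif in configs.items() for l in listeners(name, parse_config(ldif))]
    problems: List[str] = []
    for i, a in enumerate(socks):
        for b in socks[i + 1:]:
            if collides(a, b):
                problems.append(f"{a.instance} {a.host}:{a.port} vs {b.instance} {b.host}:{b.port}")
    return problems


if __name__ == "__main__":
    for label, ext in (("wildcard", CONF_EXTERNAL_WILDCARD), ("pinned", CONF_EXTERNAL_PINNED)):
        print(label, check({"slapd-internal": CONF_INTERNAL, "slapd-external": ext}) or ["no conflicts"])
```

An absent nsslapd-listenhost is treated as 0.0.0.0, the all-interfaces default George describes; a wildcard listener on a port blocks any other listener on that port, while two listeners pinned to different addresses coexist. The script only inspects configuration text and never talks to a server, so it is safe to run against copies of both instances' dse.ldif before restarting anything.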
From gholbert at broadcom.com Mon Oct 23 20:32:21 2006 From: gholbert at broadcom.com (George Holbert) Date: Mon, 23 Oct 2006 13:32:21 -0700 Subject: [Fedora-directory-users] how to set up Fedora Ds on a multinetwork host In-Reply-To: <453D23DD.4010705@omniti.com> References: <453D23DD.4010705@omniti.com> Message-ID: <453D26D5.3010902@broadcom.com> Sergey, Do you want to have both interfaces talk to the same LDAP directory? Or do you want an entirely separate LDAP directory for each? -- George Sergey Ivanov wrote: > Hi, > I have installed Fedora Directory Server or a machine, which belongs to > 2 different networks. One is local network with 192.168. prefix, and > other is a real IP I've got from Internet Service provider. > > I want to have Directory Server, listening to both interfaces, with SSL > certificates. How can I set up Directory Server to use different > certificates for different IP addresses (and different hostnames)? Is it > possible? > > I have not find the answer in documentation and in the internet. I tried > to set up another Directory Server instance on the same host, but also I > failed, because it refuses to share the same port number, and to bind to > that port only on one of IP addresses. > > Please, help me. > > With best regards, > Sergey Ivanov. > From seriv at omniti.com Mon Oct 23 20:36:05 2006 From: seriv at omniti.com (Sergey Ivanov) Date: Mon, 23 Oct 2006 16:36:05 -0400 Subject: [Fedora-directory-users] how to set up Fedora Ds on a multinetwork host In-Reply-To: <453D26D5.3010902@broadcom.com> References: <453D23DD.4010705@omniti.com> <453D26D5.3010902@broadcom.com> Message-ID: <453D27B5.5090606@omniti.com> Hi George, I want to have the same LDAP directory for both interfaces, but with different SSL certificates. -- Sergey. George Holbert wrote: > Sergey, > Do you want to have both interfaces talk to the same LDAP directory? > Or do you want an entirely separate LDAP directory for each? 
> -- George
>
> Sergey Ivanov wrote:
>> Hi,
>> I have installed Fedora Directory Server or a machine, which belongs to
>> 2 different networks. One is local network with 192.168. prefix, and
>> other is a real IP I've got from Internet Service provider.
>>
>> I want to have Directory Server, listening to both interfaces, with SSL
>> certificates. How can I set up Directory Server to use different
>> certificates for different IP addresses (and different hostnames)? Is it
>> possible?
>>
>> I have not find the answer in documentation and in the internet. I tried
>> to set up another Directory Server instance on the same host, but also I
>> failed, because it refuses to share the same port number, and to bind to
>> that port only on one of IP addresses.
>>
>> Please, help me.
>>
>> With best regards,
>> Sergey Ivanov.

From mj at sci.fi Mon Oct 23 20:33:06 2006
From: mj at sci.fi (Mike Jackson)
Date: Mon, 23 Oct 2006 23:33:06 +0300
Subject: [Fedora-directory-users] how to set up Fedora Ds on a multinetwork host
In-Reply-To: <453D27B5.5090606@omniti.com>
References: <453D23DD.4010705@omniti.com> <453D26D5.3010902@broadcom.com> <453D27B5.5090606@omniti.com>
Message-ID: <453D2702.2050004@sci.fi>

Sergey Ivanov wrote:
> Hi George,
> I want to have the same LDAP directory for both interfaces, but with
> different SSL certificates.

Probably the fastest and easiest way to do it:

1. Setup directory server to only listen to interface1 (hostname1)
2. Install SSL cert for hostname1
3. Setup directory server to only listen to interface2 (hostname2)
4. Install SSL cert for hostname2
5. Setup multimaster replication between the two directory servers
6. Populate data

Mike

--
http://www.netauth.com - LDAP Directory Consulting

From gholbert at broadcom.com Mon Oct 23 21:15:17 2006
From: gholbert at broadcom.com (George Holbert)
Date: Mon, 23 Oct 2006 14:15:17 -0700
Subject: [Fedora-directory-users] how to set up Fedora Ds on a multinetwork host
In-Reply-To: <453D2702.2050004@sci.fi>
References: <453D23DD.4010705@omniti.com> <453D26D5.3010902@broadcom.com> <453D27B5.5090606@omniti.com> <453D2702.2050004@sci.fi>
Message-ID: <453D30E5.3080904@broadcom.com>

Sergey,
Mike's recipe would do the trick. If you try that, also look into the nsslapd-listenhost and nsslapd-securelistenhost config variables (in directory server docs). These will allow you to arrange for each directory server instance to only listen on a single interface. I believe the default is to listen on all interfaces.
-- George

Mike Jackson wrote:
> Sergey Ivanov wrote:
>> Hi George,
>> I want to have the same LDAP directory for both interfaces, but with
>> different SSL certificates.
>
> Probably the fastest and easiest way to do it:
>
> 1. Setup directory server to only listen to interface1 (hostname1)
> 2. Install SSL cert for hostname1
> 3. Setup directory server to only listen to interface2 (hostname2)
> 4. Install SSL cert for hostname2
> 5. Setup multimaster replication between the two directory servers
> 6. Populate data
>
> Mike

From seriv at omniti.com Mon Oct 23 21:42:51 2006
From: seriv at omniti.com (Sergey Ivanov)
Date: Mon, 23 Oct 2006 17:42:51 -0400
Subject: [Fedora-directory-users] how to set up Fedora Ds on a multinetwork host
In-Reply-To: <453D30E5.3080904@broadcom.com>
References: <453D23DD.4010705@omniti.com> <453D26D5.3010902@broadcom.com> <453D27B5.5090606@omniti.com> <453D2702.2050004@sci.fi> <453D30E5.3080904@broadcom.com>
Message-ID: <453D375B.8020001@omniti.com>

Thank you!
--
With best regards,
Sergey Ivanov.

George Holbert wrote:
> Sergey,
> Mike's recipe would do the trick.
If you try that, also look into the > nsslapd-listenhost and nsslapd-securelistenhost config variables (in > directory server docs). These will allow you to arrange for each > directory server instance to only listen on a single interface. I > believe the default is to listen on all interfaces. > -- George > > Mike Jackson wrote: >> Sergey Ivanov wrote: >>> Hi George, >>> I want to have the same LDAP directory for both interfaces, but with >>> different SSL certificates. >> >> Probably the fastest and easiest way to do it: >> >> 1. Setup directory server to only listen to interface1 (hostname1) >> 2. Install SSL cert for hostname1 >> 3. Setup directory server to only listen to interface2 (hostname2) >> 4. Install SSL cert for hostname2 >> 5. Setup multimaster replication between the two directory servers >> 6. Populate data >> >> >> >> Mike >> From pkime at Shopzilla.com Wed Oct 25 04:06:59 2006 From: pkime at Shopzilla.com (Philip Kime) Date: Tue, 24 Oct 2006 21:06:59 -0700 Subject: [Fedora-directory-users] Windows Syn - PassSync holds service password in clear text in registry Message-ID: <9C0091F428E697439E7A773FFD083427435AE3@szexchange.Shopzilla.inc> I asked our AD admins to install PassSync for testing and they refused as they claim that it holds the service password in the registry in clear text. Anybody know anything about this? PK -- Philip Kime NOPS Systems Architect 310 401 0407 -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From nkinder at redhat.com Wed Oct 25 04:52:33 2006 From: nkinder at redhat.com (Nathan Kinder) Date: Tue, 24 Oct 2006 21:52:33 -0700 Subject: [Fedora-directory-users] Windows Syn - PassSync holds service password in clear text in registry In-Reply-To: <9C0091F428E697439E7A773FFD083427435AE3@szexchange.Shopzilla.inc> References: <9C0091F428E697439E7A773FFD083427435AE3@szexchange.Shopzilla.inc> Message-ID: <453EED91.4080500@redhat.com> Philip Kime wrote: > I asked our AD admins to install PassSync for testing and they refused > as they claim that it holds the service password in the registry in > clear text. Anybody know anything about this? Yes, the password for the replication bind DN configured in Fedora Directory Server must be stored in the registry on the domain controller. Why not just restrict access to the specific registry key that contains the password to the "Administrator" user? -NGK > > PK > > -- > Philip Kime > NOPS Systems Architect > 310 401 0407 > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
From kylet at panix.com Wed Oct 25 09:23:46 2006
From: kylet at panix.com (Kyle Tucker)
Date: Wed, 25 Oct 2006 05:23:46 -0400
Subject: [Fedora-directory-users] Can add with GUI, not with ldapmodify
In-Reply-To: <453CD033.2040801@redhat.com>
References: <200610211945.k9LJj9H15430@panix3.panix.com> <20061022143551.GA18893@panix.com> <48864.131.175.154.56.1161606735.squirrel@131.175.154.56> <453CD033.2040801@redhat.com>
Message-ID: <20061025092346.GB26736@panix.com>

On Mon, Oct 23, 2006 at 08:22:43AM -0600, Richard Megginson wrote:
> >>>ldapmodify -x -a -W -D "cn=directory manager" -h -f addtester.ldif
> >>>
> >>I named my directory manager just "Manager" instead of "Directory
> >>Manager"
> Did you try -D "cn=Manager" in that case? That should have worked.

I am quite certain I had but can't duplicate my issues since I reinstalled. In hindsight, it may have been as simple as a bad password, as the requirement to have at least 8 characters on the Directory Manager account when I did the reinstall brought with it the potentially embarrassing realization.

- Kyle
---------------------------------------------
kylet at panix.com http://www.panix.com/~kylet
---------------------------------------------

From seriv at omniti.com Wed Oct 25 17:15:37 2006
From: seriv at omniti.com (Sergey Ivanov)
Date: Wed, 25 Oct 2006 13:15:37 -0400
Subject: [Fedora-directory-users] how to set up Fedora Ds on a multinetwork host
In-Reply-To: <453D30E5.3080904@broadcom.com>
References: <453D23DD.4010705@omniti.com> <453D26D5.3010902@broadcom.com> <453D27B5.5090606@omniti.com> <453D2702.2050004@sci.fi> <453D30E5.3080904@broadcom.com>
Message-ID: <453F9BB9.1030605@omniti.com>

I have a little problem with this advice.
I have installed the fedora-ds rpm, then configured the admin server and the first directory server to listen on the local network and populated it with data.
With nsslapd-listenhost and nsslapd-securelistenhost I bound this directory server to listen on this particular IP only.
Then, using Fedora Management Console, I created a new instance of directory server. When created, it was listening on 0.0.0.0 on a different port.
When I added the binding to the external IP address by adding nsslapd-listenhost and nsslapd-securelistenhost to its config/dse.ldif, I got into a problem with communication between Fedora Management Console and this new server. I can stop/start it from the command line, and see that it is binding to the IP addresses correctly. I can do ldapsearch on this new server from the internet by this IP and port. But Fedora Management Console, as I'm guessing, is still looking for this server to appear on the local network. So, it can not start/stop/connect it and reports it as "Stopped".
Maybe there is some attribute to add to NetscapeRoot/{mydomain}/{myhost}/Server Group/Fedora Directory Server/slapd-{newname} to change the expectation of the Admin server about this newly created Directory Server? How to find out which attribute it can be?
-- Sergey.

George Holbert wrote:
> Sergey,
> Mike's recipe would do the trick. If you try that, also look into the
> nsslapd-listenhost and nsslapd-securelistenhost config variables (in
> directory server docs). These will allow you to arrange for each
> directory server instance to only listen on a single interface. I
> believe the default is to listen on all interfaces.
> -- George
>
> Mike Jackson wrote:
>> Sergey Ivanov wrote:
>>> Hi George,
>>> I want to have the same LDAP directory for both interfaces, but with
>>> different SSL certificates.
>>
>> Probably the fastest and easiest way to do it:
>>
>> 1. Setup directory server to only listen to interface1 (hostname1)
>> 2. Install SSL cert for hostname1
>> 3. Setup directory server to only listen to interface2 (hostname2)
>> 4. Install SSL cert for hostname2
>> 5. Setup multimaster replication between the two directory servers
>> 6. Populate data
>>
>> Mike

From JFGamsby at lbl.gov Wed Oct 25 19:05:31 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Wed, 25 Oct 2006 12:05:31 -0700
Subject: [Fedora-directory-users] getent group not working WindowsSync
Message-ID: <453FB57B.7040802@lbl.gov>

I have setup WindowsSync which works fine, but it seems that in order for LDAP groups to sync they must live in ou=People. This works fine on the Windows side, but not on the Linux side. 'getent group' only returns local groups. I am thinking that I can add an entry to /etc/ldap.conf to fix this but when I change nss_base_group ou=People, it doesn't work. I'm not sure what I'm doing wrong, is this the right way to do this?

Thanks,
Jeff G.

From jo.de.troy at gmail.com Wed Oct 25 20:14:04 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Wed, 25 Oct 2006 22:14:04 +0200
Subject: [Fedora-directory-users] modify userPassword via perl-ldap?
Message-ID:

Hello,

I'm trying to modify the userPassword value from within a perl script using Perl::LDAP.
I generate an encrypted pwd in perl and then write it to FedoraDS via ldap->modify
The update seems successful but when I query FedoraDS afterwards the string in userPassword is not the same as the one I generated. What exactly is happening in the background giving this result? I tried writing the same value to another attribute (eg mail) and then it is as expected.
What's the best way to update the userPassword from within perl?

Thanks again,
Jo

From gholbert at broadcom.com Wed Oct 25 20:17:57 2006
From: gholbert at broadcom.com (George Holbert)
Date: Wed, 25 Oct 2006 13:17:57 -0700
Subject: [Fedora-directory-users] modify userPassword via perl-ldap?
In-Reply-To:
References:
Message-ID: <453FC675.5020707@broadcom.com>

Are you prefixing the password with the hash you're using to encrypt the password? e.g., {crypt} or {ssha}

Jo De Troy wrote:
> Hello,
>
> I'm trying to modify the userPassword value from within a perl script
> using Perl::LDAP.
> I generate an encrypted pwd in perl and then write it to FedoraDS via > ldap->modify > The update seems successfull but when I query FedoraDS afterwards the > string in userPassword is not the same as the one I generated. What > exactly is happening in the background giving this result? I tried > writing the same value to another attribute (eg mail) and then it is > as expected. > What's the best way to update the userPassword from within perl? > > Thanks again, > Jo > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From mj at sci.fi Wed Oct 25 20:16:53 2006 From: mj at sci.fi (Mike Jackson) Date: Wed, 25 Oct 2006 23:16:53 +0300 Subject: [Fedora-directory-users] modify userPassword via perl-ldap? In-Reply-To: References: Message-ID: <453FC635.30709@sci.fi> Jo De Troy wrote: > Hello, > > I'm trying to modify the userPassword value from within a perl script > using Perl::LDAP. > I generate an encrypted pwd in perl and then write it to FedoraDS via > ldap->modify > The update seems successfull but when I query FedoraDS afterwards the > string in userPassword is not the same as the one I generated. What > exactly is happening in the background giving this result? I tried > writing the same value to another attribute (eg mail) and then it is > as expected. > What's the best way to update the userPassword from within perl? When the server is set to do password hashing, then it hashes the value you send unless you prefix it with {sha} or similar. When prefixed, the server assumes that you know what you are doing. -- mike From Justin.Crawford at cusys.edu Wed Oct 25 20:38:12 2006 From: Justin.Crawford at cusys.edu (Justin Crawford) Date: Wed, 25 Oct 2006 14:38:12 -0600 Subject: [Fedora-directory-users] modify userPassword via perl-ldap? 
In-Reply-To:
Message-ID: <7315857F21D51B449CC55ADE3A5683182BFEA7@ex2k3.ad.cusys.edu>

> I'm trying to modify the userPassword value from within a
> perl script using Perl::LDAP.
> I generate an encrypted pwd in perl and then write it to FedoraDS via
> ldap->modify
> The update seems successfull but when I query FedoraDS
> afterwards the string in userPassword is not the same as the
> one I generated. What exactly is happening in the background
> giving this result? I tried writing the same value to another
> attribute (eg mail) and then it is as expected.
> What's the best way to update the userPassword from within perl?

This page offers some advice for creating SHA and SSHA passwords (which your directory is likely doing) using various languages:
http://www.openldap.org/faq/data/cache/347.html

You could use one of those snippets to do your own hashing prior to updating the userPassword attribute.

You could also use one of those snippets in your verification routine: Generate a hash in perl using the same algorithm used by your directory, and compare the perl-generated hash to the one stored in the userPassword attribute. If the two hashes are the same, it is extremely probable (almost certain) that the passwords they obscure are the same. (Note to crypto geniuses: please be gentle if I am wrong ;)

Justin

From jo.de.troy at gmail.com Wed Oct 25 20:56:26 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Wed, 25 Oct 2006 22:56:26 +0200
Subject: [Fedora-directory-users]modify userPassword via perl-ldap?
Message-ID:

Hello,

thanks for all the info. I've tried adding {crypt} in front of the password but now I get invalid syntax for userPassword. Here's what exactly I do, it must be something stupid ...

    $password = "{crypt}" . $hashedpwd;
    $mesg = $ldap->modify($dn, changes => [ replace => [ 'userPassword' => [ $password ] ] ]);

Thanks again,
Jo

From elias at hi.is Wed Oct 25 20:57:19 2006
From: elias at hi.is (Elías Halldór Ágústsson)
Date: Wed, 25 Oct 2006 20:57:19 +0000
Subject: [Fedora-directory-users] modify userPassword via perl-ldap?
In-Reply-To:
References:
Message-ID: <453FCFAF.9020209@hi.is>

Jo De Troy wrote:
> What's the best way to update the userPassword from within perl?

Either you write it directly in the form of {ENCRYPTION_METHOD}CRYPT_TEXT where ENCRYPTION_METHOD is e.g. SSHA or MD5 or CRYPT and CRYPT_TEXT is the password, crypted with said method, or you use the "Modify Password" extended LDAPv3 operation as described in RFC 3062 which is implemented in Net::LDAP::Extension::SetPassword. The example cited in the Net::LDAP::Extension::SetPassword manpage makes the server autogenerate the password, which I'm not sure if FDS can do, but it can be changed, either by binding as the user himself or as the directory administrator (or whatever your ACLs allow). Net::LDAP::Extension::SetPassword has the added benefit that password changes replicate to Active Directory replication agreements, if there be any.

--
 ___  Elías Halldór Ágústsson    ___  Elias Halldor Agustsson      ___
{o,o} Yfirkerfisfræðingur       {o.o} Senior Systems Analyst      {o,o}
|)__) Reiknistofnun Háskólans   |)_(| University of Iceland       (__(|
-"-"- http://elias.rhi.hi.is/   -"-"- elias at hi.is +3545254903  -"-"-

From gmessmer at u.washington.edu Wed Oct 25 20:59:04 2006
From: gmessmer at u.washington.edu (Gordon Messmer)
Date: Wed, 25 Oct 2006 13:59:04 -0700
Subject: [Fedora-directory-users] modify userPassword via perl-ldap?
In-Reply-To: <7315857F21D51B449CC55ADE3A5683182BFEA7@ex2k3.ad.cusys.edu>
References: <7315857F21D51B449CC55ADE3A5683182BFEA7@ex2k3.ad.cusys.edu>
Message-ID: <453FD018.6090906@u.washington.edu>

Justin Crawford wrote:
> This page offers some advice for creating SHA and SSHA passwords (which
> your directory is likely doing) using various languages:
> http://www.openldap.org/faq/data/cache/347.html
>
> You could use one of those snippets to do your own hashing prior to
> updating the userPassword attribute.

If I understand things correctly, it's probably best to set passwords plain-text and let the server hash them for you. I believe that you *must* do this if you want to use PassSync to sync passwords with AD. e.g.:

dn: uid=user,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userpassword: theNewPassword

If you don't specify a hash, the directory server should hash the password on your behalf.

> You could also use one of those snippets in your verification routine:
> Generate a hash in perl using the same algorithm used by your directory,
> and compare the perl-generated hash to the one stored in the
> userPassword attribute. If the two hashes are the same, it is extremely
> probable (almost certain) that the passwords they obscure are the same.
> (Note to crypto geniuses: please be gentle if I am wrong ;)

For security purposes, no one should be able to see the userPassword attribute. The proper way to validate a password is to search for the user's entry in LDAP, save the DN of that entry, and then attempt to bind as that DN using the password from the user. If the bind is successful, then the password is correct.

From ianmmeyer at gmail.com Wed Oct 25 21:25:46 2006
From: ianmmeyer at gmail.com (Ian Meyer)
Date: Wed, 25 Oct 2006 17:25:46 -0400
Subject: [Fedora-directory-users] Issue with fine-grained password policy
Message-ID:

Hello all,

I set up FDS 1.0.2 on a server and got everything configured and imported etc etc..
things work great, I can authenticate against it, make updates.. but I can not get our linux clients to warn me about changing my password, expiration, length, etc.. I followed the instructions on http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1074672 to set up a global config, and a user config. Is there anything on the client side for PAM that needs to be configured? I've been pouring over this for a couple of days now so I may just be blind to a small detail I may have missed. Any help/insight would be appreciated. Thanks in advance, Ian From mj at sci.fi Wed Oct 25 21:31:27 2006 From: mj at sci.fi (Mike Jackson) Date: Thu, 26 Oct 2006 00:31:27 +0300 Subject: [Fedora-directory-users] Issue with fine-grained password policy In-Reply-To: References: Message-ID: <453FD7AF.10306@sci.fi> Ian Meyer wrote: > Hello all, > > I set up FDS 1.0.2 on a server and got everything configured and > imported etc etc.. things > work great, I can authenticate against it, make updates.. but I can > not get our linux > clients to warn me about changing my password, expiration, length, > etc.. I followed the instructions on > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1074672 > to set up a global config, and a user config. Is there anything on the > client side for PAM that needs to be configured? I've been pouring > over this for a couple of days now so I may just be blind to a small > detail I may have missed. Any help/insight would be appreciated. This functionality (returning requested password policy response message in conjunction with password change extop) needs support from two sides, pam_ldap and slapd. The functionality is missing from the current version of slapd, but should be available in the next version afaik. I am unsure of pam_ldap's support for password change extop or parsing password policy control response messages. 
Clearly, this is a piece of missing basic functionality, as a whole, that makes linux itself look incapable compared to windows. -- mike From gholbert at broadcom.com Wed Oct 25 21:40:45 2006 From: gholbert at broadcom.com (George Holbert) Date: Wed, 25 Oct 2006 14:40:45 -0700 Subject: [Fedora-directory-users] Issue with fine-grained password policy In-Reply-To: References: Message-ID: <453FD9DD.1020207@broadcom.com> Last time I looked at this, I vaguely recall finding that pam_ldap doesn't pay too much attention to FDS password metadata for expiration warnings or strength restrictions. So what you're seeing may be the norm. Hopefully someone else out there will have better news for you on this. Ian Meyer wrote: > Hello all, > > I set up FDS 1.0.2 on a server and got everything configured and > imported etc etc.. things > work great, I can authenticate against it, make updates.. but I can > not get our linux > clients to warn me about changing my password, expiration, length, > etc.. I followed the instructions on > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1074672 > > to set up a global config, and a user config. Is there anything on the > client side for PAM that needs to be configured? I've been pouring > over this for a couple of days now so I may just be blind to a small > detail I may have missed. Any help/insight would be appreciated. 
> > Thanks in advance, > Ian > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From seriv at omniti.com Wed Oct 25 22:08:02 2006 From: seriv at omniti.com (Sergey Ivanov) Date: Wed, 25 Oct 2006 18:08:02 -0400 Subject: [Fedora-directory-users] how to set up Fedora Ds on a multinetwork host In-Reply-To: <453F9BB9.1030605@omniti.com> References: <453D23DD.4010705@omniti.com> <453D26D5.3010902@broadcom.com> <453D27B5.5090606@omniti.com> <453D2702.2050004@sci.fi> <453D30E5.3080904@broadcom.com> <453F9BB9.1030605@omniti.com> Message-ID: <453FE042.4010102@omniti.com> I managed to workaround this problem, copying fresh installed directory structure of fedora-ds to another folder, then running there setup/setup and using the option to store configuration information in existing ldap server. But still interested in the right way to do it. -- Sergey. Sergey Ivanov wrote: > I have a little problem with this advice. > I have installed fedora-ds rpm, then configured admin server and first > directory server to listen for local network and populated it with data. > With nsslapd-listenhost and nsslapd-securelistenhost I binded this > directory server to listen at this particular IP only. > Then, using Fedora Management Console, I created new instance of > directory server. When creating, it was listening on 0.0.0.0 at > different port. > When I have added bindning to external IP address by adding > nsslapd-listenhost and nsslapd-securelistenhost to it's config/dse.ldif, > I got into problem with communication between Fedora Management Console > and this new server. I can stop/start it with command line, and see that > it is binding to IP addresses correctly. I can do ldapsearch in this new > server from internet by this IP and port. But Fedora Management Console, > as I'm guessing, is still looking for this server to appear at local > network. 
So, it can not start/stop/connect it and reporting it as "Stopped". > May be, there is some attribute to add to > NetscapeRoot/{mydomain}/{myhost}/Server Group/Fedora Directory > Server/slapd-{newname} to change expectation of Admin server about this > newly created Directory Server? How to find out, which attribute it can be? From JFGamsby at lbl.gov Wed Oct 25 23:41:29 2006 From: JFGamsby at lbl.gov (Jeff Gamsby) Date: Wed, 25 Oct 2006 16:41:29 -0700 Subject: [Fedora-directory-users] WindowsSync password not synced when changed via ldapmodify Message-ID: <453FF629.6030601@lbl.gov> I came across this problem today. When changing passwords from the Fedora console, it works and syncs across to AD. When changing passwords using 'passwd', it does not sync until pam_password is changed to ssha in ldap.conf. Then it syncs fine. When changing passwords via ldapmodify in SSHA form, passwords do not sync. Has anyone experienced this behavior? Does anyone have a solution? I'd like to change passwords via a PHP web interface. Thanks, Jeff From nkinder at redhat.com Wed Oct 25 23:42:01 2006 From: nkinder at redhat.com (Nathan Kinder) Date: Wed, 25 Oct 2006 16:42:01 -0700 Subject: [Fedora-directory-users] WindowsSync password not synced when changed via ldapmodify In-Reply-To: <453FF629.6030601@lbl.gov> References: <453FF629.6030601@lbl.gov> Message-ID: <453FF649.3090600@redhat.com> Jeff Gamsby wrote: > > > I came across this problem today. > > When changing passwords from the Fedora console, it works and syncs > across to AD. > When changing passwords using 'passwd', it does not sync until > pam_password is changed to ssha in ldap.conf. Then it syncs fine. > When changing passwords via ldapmodify in SSHA form, passwords do not > sync. FDS needs the clear text password in order to sync it to AD. The solution is to let FDS hash the password instead of doing it on the client side. -NGK > > Has anyone experienced this behavior? > > Does anyone have a solution? 
>
> I'd like to change passwords via a PHP web interface.
>
> Thanks,
> Jeff
>

From hyc at symas.com Wed Oct 25 23:52:23 2006
From: hyc at symas.com (Howard Chu)
Date: Wed, 25 Oct 2006 16:52:23 -0700
Subject: [Fedora-directory-users] Issue with fine-grained password policy
In-Reply-To: <20061025234208.9BF7D730FD@hormel.redhat.com>
References: <20061025234208.9BF7D730FD@hormel.redhat.com>
Message-ID: <453FF8B7.9010704@symas.com>

> Date: Wed, 25 Oct 2006 14:40:45 -0700
> From: "George Holbert"

> Last time I looked at this, I vaguely recall finding that pam_ldap
> doesn't pay too much attention to FDS password metadata for expiration
> warnings or strength restrictions. So what you're seeing may be the norm.
> Hopefully someone else out there will have better news for you on this.

Actually PADL's pam_ldap has had support for Netscape password policy for many years - you just have to enable it and tell it the DN of the policy object. Recently support has also been added for the IETF draft LDAP password policy specification too, and it works well with the OpenLDAP implementation of this spec. The OpenLDAP implementation has also been tested successfully with CA eTrust, so there are at least a couple of implementations out there supporting the IETF spec.

> Ian Meyer wrote:
>> > Hello all,
>> >
>> > I set up FDS 1.0.2 on a server and got everything configured and
>> > imported etc etc.. things
>> > work great, I can authenticate against it, make updates.. but I can
>> > not get our linux
>> > clients to warn me about changing my password, expiration, length,
>> > etc..
>> > I followed the instructions on
>> > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1074672
>> >
>> > to set up a global config, and a user config. Is there anything on the
>> > client side for PAM that needs to be configured? I've been poring
>> > over this for a couple of days now so I may just be blind to a small
>> > detail I may have missed. Any help/insight would be appreciated.
>> >
>> > Thanks in advance,
>> > Ian

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

From nkinder at redhat.com Thu Oct 26 01:16:42 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Wed, 25 Oct 2006 18:16:42 -0700
Subject: [Fedora-directory-users] Issue with fine-grained password policy
In-Reply-To: <453FF8B7.9010704@symas.com>
References: <20061025234208.9BF7D730FD@hormel.redhat.com> <453FF8B7.9010704@symas.com>
Message-ID: <45400C7A.8060107@redhat.com>

Howard Chu wrote:
>> Date: Wed, 25 Oct 2006 14:40:45 -0700
>> From: "George Holbert"
>
>> Last time I looked at this, I vaguely recall finding that pam_ldap
>> doesn't pay too much attention to FDS password metadata for
>> expiration warnings or strength restrictions. So what you're seeing
>> may be the norm.
>> Hopefully someone else out there will have better news for you on this.
>
> Actually PADL's pam_ldap has had support for Netscape password policy
> for many years - you just have to enable it and tell it the DN of the
> policy object. Recently support has also been added for the IETF draft
> LDAP password policy specification too, and it works well with the
> OpenLDAP implementation of this spec. The OpenLDAP implementation has
> also been tested successfully with CA eTrust, so there are at least a
> couple implementations out there supporting the IETF spec.
Are you referring to the request and response controls defined in draft-behera-ldap-password-policy-09?
Fedora Directory Server also supports the above mentioned controls.

-NGK
>
>> Ian Meyer wrote:
>>> > Hello all,
>>> >
>>> > I set up FDS 1.0.2 on a server and got everything configured and
>>> > imported etc etc.. things
>>> > work great, I can authenticate against it, make updates.. but I can
>>> > not get our linux
>>> > clients to warn me about changing my password, expiration, length,
>>> > etc.. I followed the instructions on
>>> >
>>> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1074672
>>> >
>>> > to set up a global config, and a user config. Is there anything on
>>> the
>>> > client side for PAM that needs to be configured? I've been poring
>>> > over this for a couple of days now so I may just be blind to a small
>>> > detail I may have missed. Any help/insight would be appreciated.
>>> >
>>> > Thanks in advance,
>>> > Ian
>

From midair77 at gmail.com Thu Oct 26 02:07:55 2006
From: midair77 at gmail.com (Steven Truong)
Date: Wed, 25 Oct 2006 19:07:55 -0700
Subject: [Fedora-directory-users] Management Console : class loader error FC6
Message-ID: <28bb77d30610251907v7fbdd20fu67c5f66da4a38f03@mail.gmail.com>

Hi, all. I am a newbie with FD and eager to install it with FC6. I tried to install Fedora Directory on FC6 but when I used the console and clicked on Administration Server I got an error. The error is "Failed to install a local copy of admserv10.jar or one of its supporting files: admserv10.jar not found at http://uranus.mydomain.com:7777/"

I also got a similar error when I clicked on Directory Server but with a different file name.

I actually installed Java based on this instruction: http://jpackage.org/installation.php

1. Download jdk_1_5_0.09-linux.i586-rpm.bin -------> installed it
2.
Download ftp://jpackage.hmdc.harvard.edu/JPackage/1.7/generic/RPMS.non-free/java-1.5.0-sun-compat-1.5.0.08-1jpp.noarch.rpm and then installed this file

Did I miss any steps here? I guess there must be something wrong with my java installation.

I installed fedora-ds-1.0.2-1.FC5.i386.opt.rpm and things went without any error.

I then ran /opt/fedora-ds/setup/setup and then at the end

./startconsole -u admin -a http://uranus.mydomain.com:7777/

My SELINUX=disable and there is no package for xorg-x11-deprecated-libs to be installed from yum.

/usr/bin/java -version
java version "1.5.0_09"
Java (TM) 2 Runtime Environment, Standard Edition (build 1.5.0_09-b03)
Java HotSpot(TM) Client VM (build 1.5.0_09-b03, mixed mode, sharing)

Please help as I would like to know what went wrong or if I missed something.

Thank you.

From rmeggins at redhat.com Thu Oct 26 02:16:08 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 25 Oct 2006 20:16:08 -0600
Subject: [Fedora-directory-users] Management Console : class loader error FC6
In-Reply-To: <28bb77d30610251907v7fbdd20fu67c5f66da4a38f03@mail.gmail.com>
References: <28bb77d30610251907v7fbdd20fu67c5f66da4a38f03@mail.gmail.com>
Message-ID: <45401A68.20403@redhat.com>

Steven Truong wrote:
> Hi, all. I am a newbie with FD and eager to install it with FC6. I
> tried to install Fedora Directory on FC6 but when I used the console
> and clicked on Administration Server I got an error. The error is
> "Failed to install a local copy of admserv10.jar or one of its
> supporting files: admserv10.jar not found at
> http://uranus.mydomain.com:7777/"
What's in your $HOME/.fedora-console directory?
>
> I also got a similar error when I clicked on Directory Server but with
> a different file name.
>
> I actually installed Java based on this instruction:
> http://jpackage.org/installation.php
>
> 1. Download jdk_1_5_0.09-linux.i586-rpm.bin -------> installed it
> 2.
> Download
> ftp://jpackage.hmdc.harvard.edu/JPackage/1.7/generic/RPMS.non-free/java-1.5.0-sun-compat-1.5.0.08-1jpp.noarch.rpm
>
> and then installed this file
>
> Did I miss any steps here? I guess there must be something wrong with
> my java installation.
>
> I installed fedora-ds-1.0.2-1.FC5.i386.opt.rpm and things went without
> any error.
>
> I then ran /opt/fedora-ds/setup/setup and then at the end
>
> ./startconsole -u admin -a http://uranus.mydomain.com:7777/
>
> My SELINUX=disable and there is no package for
> xorg-x11-deprecated-libs to be installed from yum.
>
> /usr/bin/java -version
> java version "1.5.0_09"
> Java (TM) 2 Runtime Environment, Standard Edition (build 1.5.0_09-b03)
> Java HotSpot(TM) Client VM (build 1.5.0_09-b03, mixed mode, sharing)
>
>
> Please help as I would like to know what went wrong or if I missed
> something.
>
> Thank you.
>

From midair77 at gmail.com Thu Oct 26 02:20:58 2006
From: midair77 at gmail.com (Steven Truong)
Date: Wed, 25 Oct 2006 19:20:58 -0700
Subject: [Fedora-directory-users] Fwd: Management Console : class loader error FC6
In-Reply-To: <28bb77d30610251907v7fbdd20fu67c5f66da4a38f03@mail.gmail.com>
References: <28bb77d30610251907v7fbdd20fu67c5f66da4a38f03@mail.gmail.com>
Message-ID: <28bb77d30610251920he0a4086m7c9f24c5d17209e5@mail.gmail.com>

---------- Forwarded message ----------
From: Steven Truong
Date: Oct 25, 2006 7:07 PM
Subject: Management Console : class loader error FC6
To: fedora-directory-users at redhat.com

Hi, all. I am a newbie with FD and eager to install it with FC6.
I tried to install Fedora Directory on FC6 but when I used the console and clicked on Administration Server I got an error. The error is "Failed to install a local copy of admserv10.jar or one of its supporting files: admserv10.jar not found at http://uranus.mydomain.com:7777/"

I also got a similar error when I clicked on Directory Server but with a different file name.

I actually installed Java based on this instruction: http://jpackage.org/installation.php

1. Download jdk_1_5_0.09-linux.i586-rpm.bin -------> installed it
2. Download ftp://jpackage.hmdc.harvard.edu/JPackage/1.7/generic/RPMS.non-free/java-1.5.0-sun-compat-1.5.0.08-1jpp.noarch.rpm and then installed this file

Did I miss any steps here? I guess there must be something wrong with my java installation.

I installed fedora-ds-1.0.2-1.FC5.i386.opt.rpm and things went without any error.

I then ran /opt/fedora-ds/setup/setup and then at the end

./startconsole -u admin -a http://uranus.mydomain.com:7777/

My SELINUX=disable and there is no package for xorg-x11-deprecated-libs to be installed from yum.

/usr/bin/java -version
java version "1.5.0_09"
Java (TM) 2 Runtime Environment, Standard Edition (build 1.5.0_09-b03)
Java HotSpot(TM) Client VM (build 1.5.0_09-b03, mixed mode, sharing)

Please help as I would like to know what went wrong or if I missed something.

Thank you.

-----------------------------------------------

Hi Richard.
Here is what I found:

ls ~/.fedora-console/
Console.1.0.Login.preferences

cat Console.1.0.Login.preferences
UserID=admin
HostURL1=
HostURL=http\://uranus.mydomain.com\:7777/
Y=440
X-453

Thank you

From JFGamsby at lbl.gov Thu Oct 26 02:39:03 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Wed, 25 Oct 2006 19:39:03 -0700 (PDT)
Subject: [Fedora-directory-users] WindowsSync password not synced when changed via ldapmodify
In-Reply-To: <453FF649.3090600@redhat.com>
References: <453FF629.6030601@lbl.gov> <453FF649.3090600@redhat.com>
Message-ID: <1931.67.180.4.196.1161830343.squirrel@joanie.lbl.gov>

> Jeff Gamsby wrote:
>>
>>
>> I came across this problem today.
>>
>> When changing passwords from the Fedora console, it works and syncs
>> across to AD.
>> When changing passwords using 'passwd', it does not sync until
>> pam_password is changed to ssha in ldap.conf. Then it syncs fine.
>> When changing passwords via ldapmodify in SSHA form, passwords do not
>> sync.
> FDS needs the clear text password in order to sync it to AD. The
> solution is to let FDS hash the password instead of doing it on the
> client side.
>
> -NGK

I tried that, using ldapmodify with the clear text password. It didn't work. It's funny, because that's what I thought, but I had to uncomment pam_password ssha in order for it to work using passwd from a shell. I'll give it another try.

Thanks

Jeff

>>
>> Has anyone experienced this behavior?
>>
>> Does anyone have a solution?
>>
>> I'd like to change passwords via a PHP web interface.
>>
>> Thanks,
>> Jeff
>>
>

From JFGamsby at lbl.gov Thu Oct 26 02:56:57 2006
From: JFGamsby at lbl.gov (Jeff Gamsby)
Date: Wed, 25 Oct 2006 19:56:57 -0700 (PDT)
Subject: [Fedora-directory-users] WindowsSync password not synced when changed via ldapmodify
In-Reply-To: <453FF649.3090600@redhat.com>
References: <453FF629.6030601@lbl.gov> <453FF649.3090600@redhat.com>
Message-ID: <1962.67.180.4.196.1161831417.squirrel@joanie.lbl.gov>

> Jeff Gamsby wrote:
>>
>>
>> I came across this problem today.
>>
>> When changing passwords from the Fedora console, it works and syncs
>> across to AD.
>> When changing passwords using 'passwd', it does not sync until
>> pam_password is changed to ssha in ldap.conf. Then it syncs fine.
>> When changing passwords via ldapmodify in SSHA form, passwords do not
>> sync.
> FDS needs the clear text password in order to sync it to AD. The
> solution is to let FDS hash the password instead of doing it on the
> client side.
>
> -NGK

OK, thanks, it works now. I wasn't meeting the password complexity requirements.

Thanks

Jeff

>>
>> Has anyone experienced this behavior?
>>
>> Does anyone have a solution?
>>
>> I'd like to change passwords via a PHP web interface.
>>
>> Thanks,
>> Jeff
>>
>

From nkinder at redhat.com Thu Oct 26 04:16:44 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Wed, 25 Oct 2006 21:16:44 -0700
Subject: [Fedora-directory-users] WindowsSync password not synced when changed via ldapmodify
In-Reply-To: <1962.67.180.4.196.1161831417.squirrel@joanie.lbl.gov>
References: <453FF629.6030601@lbl.gov> <453FF649.3090600@redhat.com> <1962.67.180.4.196.1161831417.squirrel@joanie.lbl.gov>
Message-ID: <454036AC.80503@redhat.com>

Jeff Gamsby wrote:
>> Jeff Gamsby wrote:
>>
>>> I came across this problem today.
>>>
>>> When changing passwords from the Fedora console, it works and syncs
>>> across to AD.
>>> When changing passwords using 'passwd', it does not sync until
>>> pam_password is changed to ssha in ldap.conf. Then it syncs fine.
>>> When changing passwords via ldapmodify in SSHA form, passwords do not
>>> sync.
>>>
>> FDS needs the clear text password in order to sync it to AD. The
>> solution is to let FDS hash the password instead of doing it on the
>> client side.
>>
>> -NGK
>>
>
> OK, thanks, it works now. I wasn't meeting the password complexity
> requirements.
>
If you turn on password syntax checking on the FDS side, the default settings match that of AD's password complexity requirements.

-NGK
> Thanks
>
> Jeff
>
>>> Has anyone experienced this behavior?
>>>
>>> Does anyone have a solution?
>>>
>>> I'd like to change passwords via a PHP web interface.
>>>
>>> Thanks,
>>> Jeff
>>>
>

From gennaro.tortone at na.infn.it Thu Oct 26 05:39:33 2006
From: gennaro.tortone at na.infn.it (Gennaro Tortone)
Date: Thu, 26 Oct 2006 07:39:33 +0200
Subject: [Fedora-directory-users] Issue with fine-grained password policy
In-Reply-To:
References:
Message-ID: <20061026053933.GA4839@na.infn.it>

Hi,
you should try with this PAM option:

pam_lookup_policy yes

Regards,

* Ian Meyer [251006, 17:25]:
> Hello all,
>
> I set up FDS 1.0.2 on a server and got everything configured and
> imported etc etc.. things
> work great, I can authenticate against it, make updates.. but I can
> not get our linux
> clients to warn me about changing my password, expiration, length,
> etc.. I followed the instructions on
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1074672
> to set up a global config, and a user config. Is there anything on the
> client side for PAM that needs to be configured? I've been poring
> over this for a couple of days now so I may just be blind to a small
> detail I may have missed. Any help/insight would be appreciated.

--
Gennaro Tortone
INFN Napoli
Italy
tel: +39 81 676169

"Computer Science is no more about computers
than astronomy is about telescopes."
  - Edsger Dijkstra

From ianmmeyer at gmail.com Thu Oct 26 06:07:57 2006
From: ianmmeyer at gmail.com (Ian Meyer)
Date: Thu, 26 Oct 2006 02:07:57 -0400
Subject: [Fedora-directory-users] Issue with fine-grained password policy
In-Reply-To: <20061026053933.GA4839@na.infn.it>
References: <20061026053933.GA4839@na.infn.it>
Message-ID:

Ah, I forgot to mention, I do have that in my ldap.conf, hence my confusion as to why it wasn't working. I'm not sure if I'm maybe missing something in the server config or what, but I followed the directions in the url I mentioned in my first email; maybe they're outdated?

Thanks everyone for the help so far. It's giving me a better grasp on what I'm dealing with.

Ian

On 10/26/06, Gennaro Tortone wrote:
> Hi,
> you should try with this PAM option:
>
> pam_lookup_policy yes
>
> Regards,
>
> * Ian Meyer [251006, 17:25]:
> > Hello all,
> >
> > I set up FDS 1.0.2 on a server and got everything configured and
> > imported etc etc.. things
> > work great, I can authenticate against it, make updates.. but I can
> > not get our linux
> > clients to warn me about changing my password, expiration, length,
> > etc.. I followed the instructions on
> > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1074672
> > to set up a global config, and a user config. Is there anything on the
> > client side for PAM that needs to be configured? I've been poring
> > over this for a couple of days now so I may just be blind to a small
> > detail I may have missed. Any help/insight would be appreciated.
>
> --
> Gennaro Tortone
> INFN Napoli
> Italy
> tel: +39 81 676169
>
> "Computer Science is no more about computers
> than astronomy is about telescopes."
>   - Edsger Dijkstra
>

From GCopeland at efjohnson.com Thu Oct 26 15:04:34 2006
From: GCopeland at efjohnson.com (Greg Copeland)
Date: Thu, 26 Oct 2006 10:04:34 -0500
Subject: [Fedora-directory-users] Root changing user password
Message-ID: <273A72C669F45B4996896A031B88CCEF3022F3@EFJDFWMX01.EFJDFW.local>

I've quickly checked the archive and I can find people having trouble with users changing their own password but not the other way around. Here, users can change their own password without issue but root fails. What do I need to do to allow root, using the passwd command on RHES 4, to change user passwords?

I've tried setting rootbinddn in my /etc/ldap.conf file. Without an /etc/ldap.secret file, I observe an error in my logs, complaining about the missing ldap.secret file. When I create it, the error goes away but the passwd command still fails with, "passwd: Authentication token manipulation error". In the logs I can observe, "passwd[23689]: pam_ldap: error trying to bind (Invalid credentials)." I've tried placing the admin password in cleartext, and base64 in the ldap.secret file.

Frankly, I'd rather root be prompted for the LDAP admin password than the password be stored in a file anyways. Is this possible?

Long of the short, what do I need to configure to allow root to change other users' LDAP passwords?

Best Regards,

Greg Copeland

From kylet at panix.com Thu Oct 26 16:27:24 2006
From: kylet at panix.com (Kyle Tucker)
Date: Thu, 26 Oct 2006 12:27:24 -0400 (EDT)
Subject: [Fedora-directory-users] Use of NetGroups breaks local logins
Message-ID: <200610261627.k9QGROX12137@panix1.panix.com>

Hi all,
New installation of FDS 1.0.2 on FC5. I have gotten netgroup access to host logins set up and working by following the steps in this document.
http://directory.fedora.redhat.com/wiki/Howto:Netgroups

This required the addition of this new (second) line in the account section of /etc/pam.d/system-auth for the access.netgroup.conf file to avoid issues with crond, which they don't elaborate on.

account     required      pam_unix.so broken_shadow debug
account     required      pam_access.so accessfile=/etc/security/access.netgroup.conf
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so debug
account     required      pam_permit.so

But now I am seeing these failures in /var/log/secure.

Oct 25 18:01:01 lin2600 crond[22707]: pam_access(crond:account): access denied for user `root' from `cron'

I also cannot log in as root.

So firstly, is all the advice in the above document accurate? Is the placement of this line incorrect (I am just starting to play with PAM) or do I need to add entries for root (or ALL) in /etc/security/access.conf (presently all commented out as it appears to be the default setup)?

Thanks.

--
- Kyle
---------------------------------------------
kylet at panix.com http://www.panix.com/~kylet
---------------------------------------------

From sghosh at redhat.com Thu Oct 26 16:38:08 2006
From: sghosh at redhat.com (Subhendu Ghosh)
Date: Thu, 26 Oct 2006 12:38:08 -0400
Subject: [Fedora-directory-users] Use of NetGroups breaks local logins
In-Reply-To: <200610261627.k9QGROX12137@panix1.panix.com>
References: <200610261627.k9QGROX12137@panix1.panix.com>
Message-ID: <1161880688.6125.33.camel@dakar-lap.nyc.redhat.com>

On Thu, 2006-10-26 at 12:27 -0400, Kyle Tucker wrote:
> Hi all,
> New installation of FDS 1.0.2 on FC5. I have gotten netgroup access
> to host logins set up and working by following the steps in this document.
>
> http://directory.fedora.redhat.com/wiki/Howto:Netgroups
>
> This required the addition of this new (second) line in the account section
> of /etc/pam.d/system-auth for the access.netgroup.conf file to avoid issues
> with crond, which they don't elaborate on.
>
> account     required      pam_unix.so broken_shadow debug
> account     required      pam_access.so accessfile=/etc/security/access.netgroup.conf
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so debug
> account     required      pam_permit.so
>
> But now I am seeing these failures in /var/log/secure.
>
> Oct 25 18:01:01 lin2600 crond[22707]: pam_access(crond:account): access denied
> for user `root' from `cron'
>
> I also cannot log in as root.
>
> So firstly, is all the advice in the above document accurate? Is the placement
> of this line incorrect (I am just starting to play with PAM) or do I need to
> add entries for root (or ALL) in /etc/security/access.conf (presently all
> commented out as it appears to be the default setup)?
>
> Thanks.

Hi Kyle

I came across this issue (those are my notes ;)

/etc/pam.d/crond should contain
auth       sufficient   pam_rootok.so

Try adding an account line as well

/etc/pam.d/crond
account    sufficient   pam_rootok.so

-sg

From kylet at panix.com Thu Oct 26 16:41:05 2006
From: kylet at panix.com (Kyle Tucker)
Date: Thu, 26 Oct 2006 12:41:05 -0400 (EDT)
Subject: [Fedora-directory-users] Use of NetGroups breaks local logins
In-Reply-To: <1161880688.6125.33.camel@dakar-lap.nyc.redhat.com>
Message-ID: <200610261641.k9QGf5b11422@panix1.panix.com>

> I came across this issue (those are my notes ;)
>
> /etc/pam.d/crond should contain
> auth       sufficient   pam_rootok.so
>
> Try adding an account line as well
>
> /etc/pam.d/crond
> account    sufficient   pam_rootok.so

But this won't affect my inability to log in as root. Both direct sshd logins and 'su -' fail, the latter with "incorrect password". I know the password for this system definitely.
--
- Kyle
---------------------------------------------
kylet at panix.com http://www.panix.com/~kylet
---------------------------------------------

From sghosh at redhat.com Thu Oct 26 17:40:06 2006
From: sghosh at redhat.com (Subhendu Ghosh)
Date: Thu, 26 Oct 2006 13:40:06 -0400
Subject: [Fedora-directory-users] Use of NetGroups breaks local logins
In-Reply-To: <200610261641.k9QGf5b11422@panix1.panix.com>
References: <200610261641.k9QGf5b11422@panix1.panix.com>
Message-ID: <1161884406.6125.42.camel@dakar-lap.nyc.redhat.com>

On Thu, 2006-10-26 at 12:41 -0400, Kyle Tucker wrote:
> > I came across this issue (those are my notes ;)
> >
> > /etc/pam.d/crond should contain
> > auth       sufficient   pam_rootok.so
> >
> > Try adding an account line as well
> >
> > /etc/pam.d/crond
> > account    sufficient   pam_rootok.so
>
> But this won't affect my inability to log in as root. Both direct sshd
> logins and 'su -' fail, the latter with "incorrect password". I know
> the password for this system definitely.
>

Add to access.netgroup.conf:

+:root:

this will clear up the root access issue.

However - netgroup users will not be able to run cron jobs unless they are added to /etc/security/access.conf

--
-sg

From kylet at panix.com Thu Oct 26 17:41:56 2006
From: kylet at panix.com (Kyle Tucker)
Date: Thu, 26 Oct 2006 13:41:56 -0400 (EDT)
Subject: [Fedora-directory-users] Use of NetGroups breaks local logins
In-Reply-To: <1161884406.6125.42.camel@dakar-lap.nyc.redhat.com>
Message-ID: <200610261741.k9QHfuc26945@panix1.panix.com>

> Add to access.netgroup.conf:
>
> +:root:
>
> this will clear up the root access issue.
>
> However - netgroup users will not be able to run cron jobs unless they
> are added to /etc/security/access.conf

Okay, I will try this. Thank you very much.
--
- Kyle
---------------------------------------------
kylet at panix.com http://www.panix.com/~kylet
---------------------------------------------

From GCopeland at efjohnson.com Thu Oct 26 17:06:08 2006
From: GCopeland at efjohnson.com (Greg Copeland)
Date: Thu, 26 Oct 2006 12:06:08 -0500
Subject: [Fedora-directory-users] Issue with fine-grained password policy
In-Reply-To: <453FF8B7.9010704@symas.com>
Message-ID: <273A72C669F45B4996896A031B88CCEF3023C7@EFJDFWMX01.EFJDFW.local>

[snip]

> Actually PADL's pam_ldap has had support for Netscape password policy
> for many years - you just have to enable it and tell it the DN of the
> policy object. Recently support has also been added for the IETF draft

Can you expand on the "...tell it the DN..." part there?

Greg

From kylet at panix.com Thu Oct 26 22:47:16 2006
From: kylet at panix.com (Kyle Tucker)
Date: Thu, 26 Oct 2006 18:47:16 -0400 (EDT)
Subject: [Fedora-directory-users] Use of NetGroups breaks local logins
In-Reply-To: <1161884406.6125.42.camel@dakar-lap.nyc.redhat.com>
Message-ID: <200610262247.k9QMlG517510@panix1.panix.com>

> On Thu, 2006-10-26 at 12:41 -0400, Kyle Tucker wrote:
> > > I came across this issue (those are my notes ;)
> > >
> > > /etc/pam.d/crond should contain
> > > auth       sufficient   pam_rootok.so

This line was there.

> > > Try adding an account line as well
> > > /etc/pam.d/crond
> > > account    sufficient   pam_rootok.so

I added this one.

> > Add to access.netgroup.conf:
> +:root:
> this will clear up the root access issue.

So root can indeed log in now. But this doesn't seem right that I should have to add any local user that needs access to this file. I also get this error now in /var/log/secure.

Oct 26 18:01:01 lin2600 crond[28799]: PAM unable to resolve symbol: pam_sm_acct_mgmt

I will play with the PAM directives and see if I can get things better. Thanks.
--
- Kyle
---------------------------------------------
kylet at panix.com http://www.panix.com/~kylet
---------------------------------------------

From jamsda_1 at yahoo.com Thu Oct 26 23:08:07 2006
From: jamsda_1 at yahoo.com (jamsda)
Date: Thu, 26 Oct 2006 16:08:07 -0700 (PDT)
Subject: [Fedora-directory-users] Command-line Consumer Initialization
In-Reply-To: <45392E1C.7010600@redhat.com>
Message-ID: <20061026230807.56034.qmail@web50908.mail.yahoo.com>

Thanks for the response. So after step 1 here's my output:

dn: cn="Replication to host2.xyz.com",cn=replica,cn="dc=xyz,dc=com",cn=mapping tree,cn=config
cn: "Replication to host2.xyz.com"
cn: Replication to host2.xyz.com

So how would step 2 look on the command-line? Here's what I started with:

ldapmodify -D "cn=directory manager" -w password -b n="Replication to host2.xyz.com",cn=replica,cn="dc=xyz,dc=com",cn=mapping tree,cn=config

but where do I specify the rest of these attributes:

changetype: modify
replace: nsds5BeginReplicaRefresh
nsds5BeginReplicaRefresh: start

Thanks,
Jim

--- Richard Megginson wrote:

> Mike Jackson wrote:
> > jamsda wrote:
> >> Ok, so I'm guessing this is what happens behind the
> >> scenes (remove/re-create) when I do an "initialize
> >> consumer" from the GUI right?
> >
> > It is, for all intents and purposes, the functional equivalent.
> Not exactly. To perform a replica init, all you need is the DN of the
> replication agreement.
> Step 1 - find the DN of the replication agreement with ldapsearch:
> ldapsearch -D "cn=directory manager" -w password -s sub -b cn=config
> '(objectclass=nsds5ReplicationAgreement)' cn
> Then choose the repl agreement you are interested in
>
> Step 2 - initiate repl init using ldapmodify
> ldapmodify -D "cn=directory manager" -w password
> dn: dn of your repl agreement from step 1
> changetype: modify
> replace: nsds5BeginReplicaRefresh
> nsds5BeginReplicaRefresh: start
>
> That starts the replica refresh (init).
>
> Step 3 - view repl init status with ldapsearch - remember to escape or
> quote the quotes in the repl agreement DN
> ldapsearch -D "cn=directory manager" -w password -s base -b "dn of your
> repl agreement" "objectclass=*" nsds5BeginReplicaRefresh
> nsds5replicaUpdateInProgress nsds5ReplicaLastInitStart
> nsds5ReplicaLastInitEnd nsds5ReplicaLastInitStatus
>
> The init is complete when the nsds5BeginReplicaRefresh attribute is
> absent. Then you can check the status with nsds5ReplicaLastInitStatus,
> which should contain the string "Total update succeeded" if successful.
> If there are errors, check the error logs on the supplier and consumer.
>
> > --
> > mike
> >
>

From rmeggins at redhat.com Thu Oct 26 23:15:48 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 26 Oct 2006 17:15:48 -0600
Subject: [Fedora-directory-users] Command-line Consumer Initialization
In-Reply-To: <20061026230807.56034.qmail@web50908.mail.yahoo.com>
References: <20061026230807.56034.qmail@web50908.mail.yahoo.com>
Message-ID: <454141A4.2090401@redhat.com>

jamsda wrote:
> Thanks for the response. So after step 1 here's my
> output:
>
> dn: cn="Replication to
> host2.xyz.com",cn=replica,cn="dc=xyz,dc=com",cn=mapping
> tree,cn=config
> cn: "Replication to host2.xyz.com"
> cn: Replication to host2.xyz.com
>
> So how would step 2 look on the command-line?
Here's > what I started with: > > ldapmodify -D "cn=directory manager" -w password -b > n="Replication to > host2.xyz.com",cn=replica,cn="dc=xyz,dc=com",cn=mapping > tree,cn=config > No, just ldapmodify -D "cn=directory manager" -w password Once you type this in, ldapmodify will wait for your input: dn: cn="Replication to host2.xyz.com",cn=replica,cn="dc=xyz,dc=com",cn=mapping tree,cn=config changetype: modify replace: nsds5BeginReplicaRefresh nsds5BeginReplicaRefresh: start ^^ is a blank line then, type Ctrl-D to end the input - you should get the usual shell command prompt again. > but where do I specify the rest of these attributes: > > changetype: modify > replace: nsds5BeginReplicaRefresh > nsds5BeginReplicaRefresh: start > > > > > Thanks, > Jim > > --- Richard Megginson wrote: > > >> Mike Jackson wrote: >> >>> jamsda wrote: >>> >>>> Ok, so I'm guessing this is what happens behind >>>> >> the >> >>>> scenes (remove/re-create) when I do an >>>> >> "initialize >> >>>> consumer" from the GUI right? >>>> >>> It is, for all intents and purposes, the >>> >> functional equivalent. >> Not exactly. Do perform a replica init, all you >> need is the DN of the >> replication agreement. >> Step 1 - find the DN of the replication agreement >> with ldapsearch: >> ldapsearch -D "cn=directory manager" -w password -s >> sub -b cn=config >> '(objectclass=nsds5ReplicationAgreement)' cn >> Then choose the repl agreement you are interested in >> >> Step 2 - initiate repl init using ldapmodify >> ldapmodify -D "cn=directory manager" -w password >> dn: dn of your repl agreement from step 1 >> changetype: modify >> replace: nsds5BeginReplicaRefresh >> nsds5BeginReplicaRefresh: start >> >> That starts the replica refresh (init). 
>> >> Step 3 - view repl init status with ldapsearch - >> remember to escape or >> quote the quotes in the repl agreement DN >> ldapsearch -D "cn=directory manager" -w password -s >> base -b "dn of your >> repl agreement" "objectclass=*" >> nsds5BeginReplicaRefresh >> nsds5replicaUpdateInProgress >> nsds5ReplicaLastInitStart >> nsds5ReplicaLastInitEnd nsds5ReplicaLastInitStatus >> >> The init is complete when the >> nsds5BeginReplicaRefresh attribute is >> absent. Then you can check the status with >> nsds5ReplicaLastInitStatus, >> which should contain the string "Total update >> succeeded" if successful. >> If there are errors, check the error logs on the >> supplier and consumer. >> >>> -- >>> mike >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> >>> > https://www.redhat.com/mailman/listinfo/fedora-directory-users > >>> -- >>> >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> >> > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam protection around > http://mail.yahoo.com > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3178 bytes Desc: S/MIME Cryptographic Signature URL: From jamsda_1 at yahoo.com Thu Oct 26 23:56:51 2006 From: jamsda_1 at yahoo.com (jamsda) Date: Thu, 26 Oct 2006 16:56:51 -0700 (PDT) Subject: [Fedora-directory-users] Command-line Consumer Initialization In-Reply-To: <454141A4.2090401@redhat.com> Message-ID: <20061026235652.75900.qmail@web50914.mail.yahoo.com> Thanks Richard, Worked great!! Thanks, Jim --- Richard Megginson wrote: > jamsda wrote: > > Thanks for the response. 
So after step 1 here's my > > output: > > > > dn: cn="Replication to > > > host2.xyz.com",cn=replica,cn="dc=xyz,dc=com",cn=mapping > > tree,cn=config > > cn: "Replication to host2.xyz.com" > > cn: Replication to host2.xyz.com > > > > So how would step 2 look on the command-line? > Here's > > what I started with: > > > > ldapmodify -D "cn=directory manager" -w password > -b > > n="Replication to > > > host2.xyz.com",cn=replica,cn="dc=xyz,dc=com",cn=mapping > > tree,cn=config > > > No, just ldapmodify -D "cn=directory manager" -w > password > Once you type this in, ldapmodify will wait for your > input: > dn: cn="Replication to > host2.xyz.com",cn=replica,cn="dc=xyz,dc=com",cn=mapping > tree,cn=config > changetype: modify > replace: nsds5BeginReplicaRefresh > nsds5BeginReplicaRefresh: start > > ^^ is a blank line > then, type Ctrl-D to end the input - you should get > the usual shell > command prompt again. > > but where do I specify the rest of these > attributes: > > > > changetype: modify > > replace: nsds5BeginReplicaRefresh > > nsds5BeginReplicaRefresh: start > > > > > > > > > > Thanks, > > Jim > > > > --- Richard Megginson wrote: > > > > > >> Mike Jackson wrote: > >> > >>> jamsda wrote: > >>> > >>>> Ok, so I'm guessing this is what happens behind > >>>> > >> the > >> > >>>> scenes (remove/re-create) when I do an > >>>> > >> "initialize > >> > >>>> consumer" from the GUI right? > >>>> > >>> It is, for all intents and purposes, the > >>> > >> functional equivalent. > >> Not exactly. Do perform a replica init, all you > >> need is the DN of the > >> replication agreement. 
> >> Step 1 - find the DN of the replication agreement > >> with ldapsearch: > >> ldapsearch -D "cn=directory manager" -w password > -s > >> sub -b cn=config > >> '(objectclass=nsds5ReplicationAgreement)' cn > >> Then choose the repl agreement you are interested > in > >> > >> Step 2 - initiate repl init using ldapmodify > >> ldapmodify -D "cn=directory manager" -w password > >> dn: dn of your repl agreement from step 1 > >> changetype: modify > >> replace: nsds5BeginReplicaRefresh > >> nsds5BeginReplicaRefresh: start > >> > >> That starts the replica refresh (init). > >> > >> Step 3 - view repl init status with ldapsearch - > >> remember to escape or > >> quote the quotes in the repl agreement DN > >> ldapsearch -D "cn=directory manager" -w password > -s > >> base -b "dn of your > >> repl agreement" "objectclass=*" > >> nsds5BeginReplicaRefresh > >> nsds5replicaUpdateInProgress > >> nsds5ReplicaLastInitStart > >> nsds5ReplicaLastInitEnd > nsds5ReplicaLastInitStatus > >> > >> The init is complete when the > >> nsds5BeginReplicaRefresh attribute is > >> absent. Then you can check the status with > >> nsds5ReplicaLastInitStatus, > >> which should contain the string "Total update > >> succeeded" if successful. > >> If there are errors, check the error logs on the > >> supplier and consumer. > >> > >>> -- > >>> mike > >>> > >>> -- > >>> Fedora-directory-users mailing list > >>> Fedora-directory-users at redhat.com > >>> > >>> > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > >>> -- > >>> > >> Fedora-directory-users mailing list > >> Fedora-directory-users at redhat.com > >> > >> > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > __________________________________________________ > > Do You Yahoo!? > > Tired of spam? Yahoo! 
From koippa at gmail.com Fri Oct 27 06:52:23 2006
From: koippa at gmail.com (Kimmo Koivisto)
Date: Fri, 27 Oct 2006 09:52:23 +0300
Subject: [Fedora-directory-users] Is it possible to use events to create homedirs when user entry is created or deleted?
Message-ID:

Hello

I have a small environment with one FDS server and one application server, both RHEL4ES. The FDS server provides ldap authentication and home directories for the app server with ldap and nfs.

I administrate users and groups with phpldapadmin or windows based ldapadmin, everything is working fine.

When I add a new user to the FDS, I have to create the home directory for that user manually, set permissions and copy /etc/skel files.

I would like to do home directory administration tasks automatically when a user is added or deleted from FDS.

One solution (I don't like this) is that I use some command line ldap capable adduser instead of ldapadmin or phpldapadmin.

Does FDS have any event support that I could use or are there any existing solutions for this problem?

Best Regards
Kimmo Koivisto

From koippa at gmail.com Fri Oct 27 12:27:05 2006
From: koippa at gmail.com (Kimmo Koivisto)
Date: Fri, 27 Oct 2006 15:27:05 +0300
Subject: [Fedora-directory-users] Is it possible to use events to create homedirs when user entry is created or deleted? (resend)
Message-ID: <200610271527.05559.koippa@gmail.com>

Resending this message:

Hello

I have a small environment with one FDS server and one application server, both RHEL4ES. The FDS server provides ldap authentication and home directories for the app server with ldap and nfs.

I administrate users and groups with phpldapadmin or windows based ldapadmin, everything is working fine.

When I add a new user to the FDS, I have to create the home directory for that user manually, set permissions and copy /etc/skel files.

I would like to do home directory administration tasks automatically when a user is added or deleted from FDS.

One solution (I don't like this) is that I use some command line ldap capable adduser instead of ldapadmin or phpldapadmin.

Does FDS have any event support that I could use or are there any existing solutions for this problem?

Best Regards
Kimmo Koivisto

From stpierre at NebrWesleyan.edu Fri Oct 27 12:30:00 2006
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Fri, 27 Oct 2006 07:30:00 -0500 (CDT)
Subject: [Fedora-directory-users] Is it possible to use events to create homedirs when user entry is created or deleted?
In-Reply-To:
References:
Message-ID:

On Fri, 27 Oct 2006, Kimmo Koivisto wrote:

> Does FDS have any event support that I could use or are there any
> existing solutions for this problem?

There's a PAM module for this: pam_mkhomedir.so. You can configure it so that the first time someone logs in, their home dir is auto-created. We use that on the machines our users have shell access to, plus the "root preexec" directive for our Samba fileserver, to automatically generate home dirs.

Just make sure that you have something in place to automatically delete them, too! :)

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

From dennis at ausil.us Fri Oct 27 13:34:40 2006
From: dennis at ausil.us (Dennis Gilmore)
Date: Fri, 27 Oct 2006 08:34:40 -0500
Subject: [Fedora-directory-users] Is it possible to use events to create homedirs when user entry is created or deleted? (resend)
In-Reply-To: <200610271527.05559.koippa@gmail.com>
References: <200610271527.05559.koippa@gmail.com>
Message-ID: <200610270834.41724.dennis@ausil.us>

On Friday 27 October 2006 07:27, Kimmo Koivisto wrote:
> I would like to do home directory administration tasks automatically
> when a user is added or deleted from FDS.
>
> Does FDS have any event support that I could use or are there any
> existing solutions for this problem?

You can set PAM to create the home dir on first login, but you would still need to remove it manually. Another option is a cron job that runs a script that creates and deletes.

--
Dennis Gilmore, RHCE
Proud Australian

From tortone at na.infn.it Fri Oct 27 07:28:34 2006
From: tortone at na.infn.it (gennaro.tortone@na.infn.it)
Date: Fri, 27 Oct 2006 09:28:34 +0200 (CEST)
Subject: [Fedora-directory-users] Is it possible to use events to create homedirs when user entry is created or deleted?
In-Reply-To:
References:
Message-ID:

Hi,

take a look at pam_mkhomedir; it is a PAM module that creates (if it does not exist) the user home directory;

Regards,

On Fri, 27 Oct 2006, Kimmo Koivisto wrote:

> Does FDS have any event support that I could use or are there any
> existing solutions for this problem?

--
Gennaro Tortone
INFN Napoli
Italy
tel: +39 81 676169

"Computer Science is no more about computers than astronomy is about telescopes." - Edsger Dijkstra

From thias at spam.spam.spam.spam.spam.spam.spam.egg.and.spam.freshrpms.net Fri Oct 27 14:06:30 2006
From: thias at spam.spam.spam.spam.spam.spam.spam.egg.and.spam.freshrpms.net (Matthias Saou)
Date: Fri, 27 Oct 2006 16:06:30 +0200
Subject: [Fedora-directory-users] Is it possible to use events to create homedirs when user entry is created or deleted?
In-Reply-To:
References:
Message-ID: <20061027160630.67f07375@python3.es.egwn.lan>

gennaro.tortone at na.infn.it wrote:

> take a look at pam_mkhomedir; it is a PAM module that creates
> (if it does not exist) the user home directory;

Well, pam_mkhomedir doesn't work in some cases, most notably with sshd and privilege separation... I've been using "autodir" successfully for some time now, it's a great little program to achieve exactly what you're asking for.

Matthias

> On Fri, 27 Oct 2006, Kimmo Koivisto wrote:
>
> > Does FDS have any event support that I could use or are there any
> > existing solutions for this problem?
--
Clean custom Red Hat Linux rpm packages : http://freshrpms.net/
Fedora Core release 6 (Rawhide) - Linux kernel 2.6.18-1.2798.fc6
Load : 0.00 0.03 0.20

From hyc at symas.com Fri Oct 27 14:56:45 2006
From: hyc at symas.com (Howard Chu)
Date: Fri, 27 Oct 2006 07:56:45 -0700
Subject: [Fedora-directory-users] Issue with fine-grained password policy
In-Reply-To: <20061027135831.9C6AA736E8@hormel.redhat.com>
References: <20061027135831.9C6AA736E8@hormel.redhat.com>
Message-ID: <45421E2D.2050903@symas.com>

> Date: Thu, 26 Oct 2006 12:06:08 -0500
> From: "Greg Copeland"
>> > Actually PADL's pam_ldap has had support for Netscape password policy
>> > for many years - you just have to enable it and tell it the DN of the
>> > policy object. Recently support has also been added for the IETF draft
>
> Can you expand on the "...tell it the DN..." part there?

I misspoke. When you configure the pam_lookup_policy keyword pam_ldap will do an anonymous search in the rootDSE with a filter (objectclass=passwordPolicy) and use what it finds there. So the only requirement is that you give anonymous enough privileges to perform the search.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

From GCopeland at efjohnson.com Fri Oct 27 20:53:57 2006
From: GCopeland at efjohnson.com (Greg Copeland)
Date: Fri, 27 Oct 2006 15:53:57 -0500
Subject: [Fedora-directory-users] Issue with fine-grained password policy
In-Reply-To: <45421E2D.2050903@symas.com>
Message-ID: <273A72C669F45B4996896A031B88CCEF30288B@EFJDFWMX01.EFJDFW.local>

Great. Thanks. When I read that I was wondering if I had skipped a step.

Cheers,
Greg Copeland

> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Howard Chu
> Sent: Friday, October 27, 2006 9:57 AM
> To: fedora-directory-users at redhat.com
> Subject: RE: [Fedora-directory-users] Issue with fine-grained password policy
>
> > Date: Thu, 26 Oct 2006 12:06:08 -0500
> > From: "Greg Copeland"
> >
> >> > Actually PADL's pam_ldap has had support for Netscape password policy
> >> > for many years - you just have to enable it and tell it the DN of the
> >> > policy object. Recently support has also been added for the IETF draft
> >
> > Can you expand on the "...tell it the DN..." part there?
>
> I misspoke. When you configure the pam_lookup_policy keyword pam_ldap
> will do an anonymous search in the rootDSE with a filter
> (objectclass=passwordPolicy) and use what it finds there. So the only
> requirement is that you give anonymous enough privileges to perform the
> search.

From ABliss at preferredcare.org Sat Oct 28 02:31:39 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Fri, 27 Oct 2006 22:31:39 -0400
Subject: [Fedora-directory-users] Question on enabling ssl passync between windows and fds
Message-ID:

Hi everyone,

I'm attempting to get password synchronization to work between fds and active directory; per the following document http://directory.fedora.redhat.com/wiki/Howto:WindowsSync#Test_to_make_sure_you_can_talk_SSL_from_Fedora_Directory_to_AD , I now have my AD box listening on port 636 as outlined in the section "With TinyCA2"; I have also installed a certificate for the fds box as prescribed here http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1085091 including the section marked "Trust the Certificate Authority"; my question is, since both the AD box and FDS box trust my certificate authority setup with tinyCA, I believe then each box would inherently trust each other's certificates? If so, have I already achieved the steps listed below the section marked "Enabling SSl for PASSSync" in the first document above, or do I still need to proceed with that section even though the AD box and FDS box have certificates signed from the same root CA? Thanks very much for your help with this.

Aaron

Confidentiality Notice: The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited.
If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.

From mikael.kermorgant at gmail.com Sat Oct 28 22:49:20 2006
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Sun, 29 Oct 2006 00:49:20 +0200
Subject: [Fedora-directory-users] password sync with 2 AD domains
Message-ID: <9711147e0610281549q641f7ed2o4871492997090cda@mail.gmail.com>

Hello,

I've read about password sync between Active Directory and Fedora Directory Server.

In my environment, there is one global LDAP server built upon FDS, and two Active directory domains.
Is there any hope to get password sync between FDS and both Active Directory domains or is this feature limited to one Active Directory domain?

Thanks in advance,

--
Mikael Kermorgant

From lemsx1 at gmail.com Sun Oct 29 12:14:34 2006
From: lemsx1 at gmail.com (Luis)
Date: Sun, 29 Oct 2006 07:14:34 -0500
Subject: [Fedora-directory-users] modify userPassword via perl-ldap?
In-Reply-To:
References:
Message-ID:

On 10/25/06, Jo De Troy wrote:
> Hello,
>
> I'm trying to modify the userPassword value from within a perl script
> using Perl::LDAP.
[snip]
> Thanks again,
> Jo

Hello Jo,

I did a nice CGI (under GPL) done in Perl that does this. You can grab a copy from:

http://lems.kiskeyix.org/toolbox/?f=adduser-ldap.cgi

Just use it as an example. The script is meant to be dropped under any server's cgi-bin directory and it will allow new accounts to be created as well as password resets.

If you need help setting it up, let me know.

--
----)(-----
Luis Mondesi
*NIX Guru
Kiskeyix.org

"We think basically you watch television to turn your brain off, and you work on your computer when you want to turn your brain on" -- Steve Jobs in an interview for MacWorld Magazine 2004-Feb

No .doc: http://www.gnu.org/philosophy/no-word-attachments.es.html

From david_list at boreham.org Sun Oct 29 14:17:45 2006
From: david_list at boreham.org (David Boreham)
Date: Sun, 29 Oct 2006 07:17:45 -0700
Subject: [Fedora-directory-users] password sync with 2 AD domains
In-Reply-To: <9711147e0610281549q641f7ed2o4871492997090cda@mail.gmail.com>
References: <9711147e0610281549q641f7ed2o4871492997090cda@mail.gmail.com>
Message-ID: <4544B809.40008@boreham.org>

Mikael Kermorgant wrote:
> I've read about password sync between Active Directory and Fedora
> Directory Server.
>
> In my environment, there is one global LDAP server built upon FDS, and
> two Active directory domains.
> Is there any hope to get password sync between FDS and both Active
> Directory domains or is this feature limited to one Active Directory
> domain?

This should work IF and only if you have all the users for each AD domain in their own DIT container in FDS. If you want to mingle all the users in the same container, it won't work.

From mikael.kermorgant at gmail.com Sun Oct 29 15:34:18 2006
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Sun, 29 Oct 2006 16:34:18 +0100
Subject: [Fedora-directory-users] password sync with 2 AD domains
In-Reply-To: <4544B809.40008@boreham.org>
References: <9711147e0610281549q641f7ed2o4871492997090cda@mail.gmail.com> <4544B809.40008@boreham.org>
Message-ID: <9711147e0610290734p1ebeccaco65179be5315f912a@mail.gmail.com>

2006/10/29, David Boreham:
> This should work IF and only if you have all the users for each AD
> domain in their own DIT container in FDS. If you want to mingle all
> the users in the same container, it won't work.

Is there any hope that a virtual view would be enough? I have indeed a single ou for all the users in FDS.

Regards,

--
Mikael Kermorgant

From david_list at boreham.org Sun Oct 29 16:05:53 2006
From: david_list at boreham.org (David Boreham)
Date: Sun, 29 Oct 2006 09:05:53 -0700
Subject: [Fedora-directory-users] password sync with 2 AD domains
In-Reply-To: <9711147e0610290734p1ebeccaco65179be5315f912a@mail.gmail.com>
References: <9711147e0610281549q641f7ed2o4871492997090cda@mail.gmail.com> <4544B809.40008@boreham.org> <9711147e0610290734p1ebeccaco65179be5315f912a@mail.gmail.com>
Message-ID: <4544D161.8080208@boreham.org>

> Is there any hope that a virtual view would be enough? I have indeed
> a single ou for all the users in FDS.

Not without code changes, I don't think so. The code uses certain criteria to determine if a given entry 'belongs' in the target AD. It can support multiple AD domains (create multiple sync agreements). However the criteria are: correct object class, and correct subtree. Therefore your entries would match for both agreements and hence get sync'ed to both AD domains, which is not what you want. The 'fix' would be to store the domain name in the entry (possibly this is already done, I can't remember), and then add that to the criteria for syncing.
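Added example, not code from the list or from Fedora Directory Server itself. It serves two passages with one DN parser: Richard Megginson's replica-init steps 2 and 3 from the "Command-line Consumer Initialization" thread above (the agreement DN contains quoted RDNs, which is exactly what his "escape or quote the quotes" warning is about), and David Boreham's point in this thread that a sync agreement matches entries by object class and subtree only, so one ou serving two AD domains matches both agreements until a domain marker is added to the criteria. The DNs, hostnames, the `ntUser` object class used as the agreement filter, the ldapsearch output and the `0 ` status prefix are constructed sample values; `syncDomain` is a hypothetical attribute standing in for the domain name he proposes storing in the entry.

```python
# Added example (not Fedora DS code). Sample DNs, hostnames, ldapsearch output
# and the 'ntUser' filter are constructed; 'syncDomain' is hypothetical.
import shlex


def parse_dn(dn):
    """Split a DN into [(attr, value), ...].  Quoted RDN values such as
    cn="Replication to host2.xyz.com" keep their inner ',' and '=' intact;
    backslash escapes are honoured; attribute names are lower-cased."""
    rdns, buf, attr, in_quote, i = [], [], None, False, 0
    while i < len(dn):
        c = dn[i]
        if c == '\\' and i + 1 < len(dn):        # escaped char: take literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote               # quotes delimit, not data
        elif c == '=' and attr is None and not in_quote:
            attr, buf = ''.join(buf).strip().lower(), []
        elif c == ',' and not in_quote:
            rdns.append((attr, ''.join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    if attr is not None:
        rdns.append((attr, ''.join(buf).strip()))
    return rdns


def is_under(entry_dn, base_dn):
    """True if entry_dn is base_dn or below it, compared RDN by RDN and
    case-insensitively, so ou=NotPeople is not taken as a child of ou=People."""
    e = [(a, v.lower()) for a, v in parse_dn(entry_dn)]
    b = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    return len(e) >= len(b) and e[len(e) - len(b):] == b


def refresh_ldif(agreement_dn):
    """Step 2: the input ldapmodify waits for, terminated by a blank line."""
    return ("dn: %s\nchangetype: modify\n"
            "replace: nsds5BeginReplicaRefresh\n"
            "nsds5BeginReplicaRefresh: start\n\n" % agreement_dn)


def status_search_cmd(agreement_dn):
    """Step 3 as a shell command line; shlex.quote single-quotes the DN so
    the double quotes inside it reach ldapsearch unchanged."""
    return ('ldapsearch -D "cn=directory manager" -w password -s base -b %s '
            '"objectclass=*" nsds5BeginReplicaRefresh '
            'nsds5replicaUpdateInProgress nsds5ReplicaLastInitStart '
            'nsds5ReplicaLastInitEnd nsds5ReplicaLastInitStatus'
            % shlex.quote(agreement_dn))


def init_status(ldapsearch_output):
    """Read the step-3 output: the init is still running while
    nsds5BeginReplicaRefresh is present; afterwards nsds5ReplicaLastInitStatus
    should contain "Total update succeeded".  Handles LDIF folded lines."""
    attrs, last = {}, None
    for line in ldapsearch_output.splitlines():
        if line.startswith(' ') and last:         # folded continuation line
            attrs[last] += line[1:]
        elif ':' in line and not line.startswith('#'):
            key, _, val = line.partition(':')
            last = key.strip().lower()
            attrs[last] = val.lstrip()
    if 'nsds5beginreplicarefresh' in attrs:
        return 'in progress'
    status = attrs.get('nsds5replicalastinitstatus', '')
    return 'succeeded' if 'Total update succeeded' in status else 'failed: ' + status


def matching_agreements(entry, agreements):
    """Names of the sync agreements an entry satisfies: object class and
    subtree as described in the thread, plus the hypothetical syncDomain
    attribute for any agreement that declares a 'domain'."""
    classes = [o.lower() for o in entry['objectClass']]
    hits = []
    for ag in agreements:
        if ag['objectclass'].lower() not in classes:
            continue
        if not is_under(entry['dn'], ag['subtree']):
            continue
        if 'domain' in ag and entry.get('syncDomain') != ag['domain']:
            continue
        hits.append(ag['name'])
    return hits
```

Feeding `refresh_ldif(dn)` to `ldapmodify -D "cn=directory manager" -w password` on stdin is the non-interactive form of Richard's step 2; `status_search_cmd(dn)` is the step-3 search with the DN quoted for the shell, and `init_status()` run over its output tells you whether to keep polling. With two agreements on the same `ou=People` subtree, `matching_agreements()` returns both names for every user, which is the double-sync David describes; only an agreement that also carries a domain, matched against the entry's `syncDomain`, narrows it to one.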
From sigidwu at gmail.com Mon Oct 30 00:20:10 2006
From: sigidwu at gmail.com (sigid@JINLab)
Date: Mon, 30 Oct 2006 07:20:10 +0700
Subject: [Fedora-directory-users] fdsgraph: an rrdtool-based graphing utility for FDS
In-Reply-To: <4538CF20.5040500@boreham.org>
References: <20061004162205.29897.qmail@web34112.mail.mud.yahoo.com> <45242C16.2070107@redhat.com> <45250DF3.7060100@redhat.com> <45252182.8020508@redhat.com> <45254D6D.1040605@redhat.com> <4538CF20.5040500@boreham.org>
Message-ID: <4545453A.4030503@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Boreham wrote:
> Chris St. Pierre wrote:
>
>> If any of you are familiar with mailgraph for Postfix-based mail
>> servers, I've created something similar for Fedora DS. fdsgraph tails
>>
> For anyone that uses an SNMP based grapher like cricket or cacti,
> note that most of this information is also available via SNMP (and LDAP
> too in the monitor entry). There's quite a bit of potentially useful data
> in the monitor entries that does not show up in the access log also
> (database activity for example).

monitor entry?
what is that?
how can i access the monitor entry?

thanks
sigid

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFRUU6qiPNNgPlDu0RAtzwAJ9iX4otIxYgf3Xd8U/DtQbgT61X/QCfQd7/
OVKj7KSidJzoh58xcBSLKCs=
=RGiI
-----END PGP SIGNATURE-----

From david_list at boreham.org Mon Oct 30 00:48:15 2006
From: david_list at boreham.org (David Boreham)
Date: Sun, 29 Oct 2006 17:48:15 -0700
Subject: [Fedora-directory-users] fdsgraph: an rrdtool-based graphing utility for FDS
In-Reply-To: <4545453A.4030503@gmail.com>
References: <20061004162205.29897.qmail@web34112.mail.mud.yahoo.com> <45242C16.2070107@redhat.com> <45250DF3.7060100@redhat.com> <45252182.8020508@redhat.com> <45254D6D.1040605@redhat.com> <4538CF20.5040500@boreham.org> <4545453A.4030503@gmail.com>
Message-ID: <45454BCF.4080106@boreham.org>

> monitor entry?
> what is that?
> how can i access the monitor entry?

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/dsstats.html#1005738
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/dsstats.html#1013682

also

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/snmp.html#1073255

From oliver.hookins at anchor.com.au Mon Oct 30 00:55:20 2006
From: oliver.hookins at anchor.com.au (Oliver Hookins)
Date: Mon, 30 Oct 2006 11:55:20 +1100
Subject: [Fedora-directory-users] RPM/SRPM issues and old RHEL
In-Reply-To: <20061015104444.GA15307@captain.bridge.anchor.net.au>
References: <44AB1627.8050906@anchor.com.au> <44AE7968.5020809@redhat.com> <20061005092941.GB32078@captain.bridge.anchor.net.au> <45250F55.6080505@redhat.com> <1160065017.2117.16.camel@wzowski.duraflex-politex.com> <452533B6.2010301@redhat.com> <20061015104444.GA15307@captain.bridge.anchor.net.au>
Message-ID: <20061030005520.GB7750@captain.bridge.anchor.net.au>

On Sun Oct 15, 2006 at 20:44:44 +1000, Oliver Hookins wrote:
>
>OK well aside from this issue, has anyone got FDS running on RHEL 2.1?

I guess nobody has... well in any case I've downloaded the dsbuild 1.0.3 tarball and attempted to do a build on RHEL ES 2.1. Not surprisingly, it fails. Can anyone shed some light on these error messages? I started the build with

make BUILD_RPM=1 NOJAVA=1 SNMP_SOURCE=1

make FREEBL_CHILD_BUILD=1 \
        OBJDIR=OPT.OBJ/Linux_SINGLE_SHLIB libs
make[5]: Entering directory `/share/rpmbuild/BUILD/dsbuild-fds103/ds/mozilla/work/mozilla/security/nss/lib/freebl'
rm -f OPT.OBJ/Linux_SINGLE_SHLIB/libfreebl3.so
gcc -shared -Wl,-z,defs -Wl,-soname -Wl,libfreebl3.so -Wl,--version-script,OPT.OBJ/Linux_SINGLE_SHLIB/freebl.def -Wl,-Bsymbolic -o OPT.OBJ/Linux_SINGLE_SHLIB/libfreebl3.so OPT.OBJ/Linux_SINGLE_SHLIB/freeblver.o OPT.OBJ/Linux_SINGLE_SHLIB/ldvector.o OPT.OBJ/Linux_SINGLE_SHLIB/prng_fips1861.o OPT.OBJ/Linux_SINGLE_SHLIB/sysrand.o OPT.OBJ/Linux_SINGLE_SHLIB/sha_fast.o OPT.OBJ/Linux_SINGLE_SHLIB/md2.o OPT.OBJ/Linux_SINGLE_SHLIB/md5.o OPT.OBJ/Linux_SINGLE_SHLIB/sha512.o OPT.OBJ/Linux_SINGLE_SHLIB/alghmac.o OPT.OBJ/Linux_SINGLE_SHLIB/rawhash.o OPT.OBJ/Linux_SINGLE_SHLIB/alg2268.o OPT.OBJ/Linux_SINGLE_SHLIB/arcfour.o OPT.OBJ/Linux_SINGLE_SHLIB/arcfive.o OPT.OBJ/Linux_SINGLE_SHLIB/desblapi.o OPT.OBJ/Linux_SINGLE_SHLIB/des.o OPT.OBJ/Linux_SINGLE_SHLIB/rijndael.o OPT.OBJ/Linux_SINGLE_SHLIB/aeskeywrap.o OPT.OBJ/Linux_SINGLE_SHLIB/dh.o OPT.OBJ/Linux_SINGLE_SHLIB/ec.o OPT.OBJ/Linux_SINGLE_SHLIB/pqg.o OPT.OBJ/Linux_SINGLE_SHLIB/dsa.o OPT.OBJ/Linux_SINGLE_SHLIB/rsa.o OPT.OBJ/Linux_SINGLE_SHLIB/shvfy.o OPT.OBJ/Linux_SINGLE_SHLIB/tlsprfalg.o OPT.OBJ/Linux_SINGLE_SHLIB/mpprime.o OPT.OBJ/Linux_SINGLE_SHLIB/mpmontg.o OPT.OBJ/Linux_SINGLE_SHLIB/mplogic.o OPT.OBJ/Linux_SINGLE_SHLIB/mpi.o OPT.OBJ/Linux_SINGLE_SHLIB/mp_gf2m.o OPT.OBJ/Linux_SINGLE_SHLIB/mpcpucache.o OPT.OBJ/Linux_SINGLE_SHLIB/mpi_x86.o ../../../../dist/OPT.OBJ/lib/libsecutil.a -L../../../../dist/OPT.OBJ/lib -lplc4 -lplds4 -lnspr4 -lpthread -ldl -lc
/lib/libc.so.6: undefined reference to `_dl_lazy@GLIBC_2.1.1'
/lib/libc.so.6: undefined reference to `_dl_dst_substitute@GLIBC_2.1.1'
/lib/libc.so.6: undefined reference to `_dl_out_of_memory@GLIBC_2.2'
/lib/libc.so.6: undefined reference to `_dl_relocate_object@GLIBC_2.0'
/lib/libc.so.6: undefined reference to `_dl_clktck@GLIBC_2.2'
/lib/libc.so.6: undefined reference to `__libc_enable_secure@GLIBC_2.0'
/lib/libc.so.6: undefined reference to `_dl_catch_error@GLIBC_2.0'
/lib/libc.so.6: undefined reference to `_dl_platformlen@GLIBC_2.1.1'
/lib/libc.so.6: undefined reference to `_dl_lookup_versioned_symbol_skip@GLIBC_2.0'
/lib/libc.so.6: undefined reference to `_dl_lookup_versioned_symbol@GLIBC_2.0'
/lib/libc.so.6: undefined reference to `_dl_mcount@GLIBC_2.1'
/lib/libc.so.6: undefined reference to `_dl_dst_count@GLIBC_2.1.1'
/lib/libc.so.6: undefined reference to `_dl_initial_searchlist@GLIBC_2.1'
/lib/libc.so.6: undefined reference to `_dl_start_profile@GLIBC_2.1'
/lib/libc.so.6: undefined reference to `_dl_lookup_symbol@GLIBC_2.0'
/lib/libc.so.6: undefined reference to `__libc_stack_end@GLIBC_2.1'
/lib/libc.so.6: undefined reference to `_dl_argv@GLIBC_2.2'
/usr/lib/gcc-lib/i386-redhat-linux/2.96/../../../libpthread.so: undefined reference to `_dl_cpuclock_offset'
/lib/libc.so.6: undefined reference to `_dl_loaded@GLIBC_2.1'
/lib/libc.so.6: undefined reference to `_dl_origin_path@GLIBC_2.1.1'
/lib/libc.so.6: undefined reference to `_dl_check_map_versions@GLIBC_2.2'
/lib/libc.so.6: undefined reference to `_dl_map_object@GLIBC_2.0'
/lib/libc.so.6: undefined reference to `_dl_main_searchlist@GLIBC_2.1'
/lib/libc.so.6: undefined reference to `_dl_debug_mask@GLIBC_2.2.3'
/lib/libc.so.6: undefined reference to `_dl_load_lock@GLIBC_2.2'
/lib/libc.so.6: undefined reference to `_dl_profile@GLIBC_2.1'
/lib/libc.so.6: undefined reference to `_dl_debug_state@GLIBC_2.0'
/lib/libc.so.6: undefined reference to `_dl_init_all_dirs@GLIBC_2.2'
/lib/libc.so.6: undefined reference to `_r_debug@GLIBC_2.0'
/lib/libc.so.6: undefined reference to `_dl_unload_cache@GLIBC_2.1'
/lib/libc.so.6: undefined reference to `_dl_signal_error@GLIBC_2.0'
/lib/libc.so.6: undefined reference to `_dl_debug_printf@GLIBC_2.2.3'
/lib/libc.so.6: undefined reference to `_dl_init@GLIBC_2.2'
/lib/libc.so.6: undefined reference to `_dl_all_dirs@GLIBC_2.2'
/lib/libc.so.6: undefined reference to `_dl_map_object_deps@GLIBC_2.0'
/lib/libc.so.6: undefined reference to `_dl_nloaded@GLIBC_2.2'
/lib/libc.so.6: undefined reference to `_dl_profile_map@GLIBC_2.1'
/lib/libc.so.6: undefined reference to `_dl_profile_output@GLIBC_2.1'
/lib/libc.so.6: undefined reference to `_dl_pagesize@GLIBC_2.2'
/lib/libc.so.6: undefined reference to `_dl_lookup_symbol_skip@GLIBC_2.0'
/lib/libc.so.6: undefined reference to `_dl_fpu_control@GLIBC_2.1'
/usr/lib/gcc-lib/i386-redhat-linux/2.96/../../../libdl.so: undefined reference to `_dl_catch_error'
/lib/libc.so.6: undefined reference to `_dl_global_scope_alloc@GLIBC_2.1'
collect2: ld returned 1 exit status
make[5]: *** [OPT.OBJ/Linux_SINGLE_SHLIB/libfreebl3.so] Error 1
make[5]: Leaving directory `/share/rpmbuild/BUILD/dsbuild-fds103/ds/mozilla/work/mozilla/security/nss/lib/freebl'
make[4]: *** [libs] Error 2
make[4]: Leaving directory `/share/rpmbuild/BUILD/dsbuild-fds103/ds/mozilla/work/mozilla/security/nss/lib/freebl'
make[3]: *** [libs] Error 2
make[3]: Leaving directory `/share/rpmbuild/BUILD/dsbuild-fds103/ds/mozilla/work/mozilla/security/nss/lib'
make[2]: *** [libs] Error 2
make[2]: Leaving directory `/share/rpmbuild/BUILD/dsbuild-fds103/ds/mozilla/work/mozilla/security/nss'
make[1]: *** [build-custom] Error 2
make[1]: Leaving directory `/share/rpmbuild/BUILD/dsbuild-fds103/ds/mozilla'
make: *** [dep-../../ds/mozilla] Error 2

--
Regards,
Oliver Hookins
Anchor Systems

From yoandym at yahoo.com Mon Oct 30 13:27:14 2006
From: yoandym at yahoo.com (Yoandy Mesa)
Date: Mon, 30 Oct 2006 05:27:14 -0800 (PST)
Subject: [Fedora-directory-users] non local access problem to FDS console
Message-ID: <20061030132714.41100.qmail@web39506.mail.mud.yahoo.com>

hi, i have a problem with non local access to the fedora console,
and all other FDS application (dsgw, etc) i always get http error code 401 (authorization required) my /opt/fedora-ds/admin-serv/config/httpd.conf Options Indexes FollowSymLinks AllowOverride None Order deny,allow Deny from all denies access from anywhere but in my /opt/fedora-ds/admin-serv/config/admserv.conf more specific clauses grant access to application like this: AllowOverride None Options None Order allow,deny Allow from all NESCompatEnv on if i understand the: Order allow,deny Allow from all above, should grant me acces from anywhere ... but i always get 401 error. what i?m missing here ? thanks in advanced, yoandy -------------- next part -------------- An HTML attachment was scrubbed... URL: From koippa at gmail.com Mon Oct 30 14:30:22 2006 From: koippa at gmail.com (Kimmo Koivisto) Date: Mon, 30 Oct 2006 16:30:22 +0200 Subject: [Fedora-directory-users] non local access problem to FDS console In-Reply-To: <20061030132714.41100.qmail@web39506.mail.mud.yahoo.com> References: <20061030132714.41100.qmail@web39506.mail.mud.yahoo.com> Message-ID: <200610301630.22705.koippa@gmail.com> Yoandy Mesa wrote: > hi, > > i have a problem with non local acces to the fedora console, and all other > FDS application (dsgw, etc) i always get http error code 401 (authorization > required) Check out the errors from /opt/fedora-ds/admin-serv/logs. 
There is a bug in the allowod IP access check but there is a workaround, just see this link: http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt#How_to_set_the_hosts.2FIP_addresses_allowed_to_access_the_Admin_Server Regards Kimmo Koivisto From rmeggins at redhat.com Mon Oct 30 15:27:54 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 30 Oct 2006 08:27:54 -0700 Subject: [Fedora-directory-users] RPM/SRPM issues and old RHEL In-Reply-To: <20061030005520.GB7750@captain.bridge.anchor.net.au> References: <44AB1627.8050906@anchor.com.au> <44AE7968.5020809@redhat.com> <20061005092941.GB32078@captain.bridge.anchor.net.au> <45250F55.6080505@redhat.com> <1160065017.2117.16.camel@wzowski.duraflex-politex.com> <452533B6.2010301@redhat.com> <20061015104444.GA15307@captain.bridge.anchor.net.au> <20061030005520.GB7750@captain.bridge.anchor.net.au> Message-ID: <454619FA.4000700@redhat.com> Oliver Hookins wrote: > On Sun Oct 15, 2006 at 20:44:44 +1000, Oliver Hookins wrote: > >> OK well aside from this issue, has anyone got FDS running on RHEL 2.1? >> > > I guess nobody has... well in any case I've downloaded the dsbuild 1.0.3 > tarball and attempted to do a build on RHEL ES 2.1. Not surprisingly, it > fails. Can anyone shed some light on these error messages? I started the > build with make BUILD_RPM=1 NOJAVA=1 SNMP_SOURCE=1 > I'm not sure, but it looks like a glibc compatability issue. You might have to install some sort of gcc or glibc compat package. On the other hand, it may require a newer version of gcc/glibc than AS 2.1 has. 
From jo.de.troy at gmail.com Mon Oct 30 16:16:27 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Mon, 30 Oct 2006 17:16:27 +0100
Subject: [Fedora-directory-users] password reset and policies
Message-ID:

Hello,

I was wondering which command I need to use via Perl to be able to reset a user's password when the user him/herself cannot reset his/her password because of the password policy (min age 1 day). I have noticed that when executing the ldappasswd command as Directory Manager I cannot reset the password.
Can FedoraDS see the difference between a password reset (by an administrator) and a change (by an enduser)?
Which command should I use as admin from a perl script to get this kind of behaviour?

Thanks again,
Jo

From nkinder at redhat.com Mon Oct 30 16:39:33 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Mon, 30 Oct 2006 08:39:33 -0800
Subject: [Fedora-directory-users] Question on enabling ssl passync between windows and fds
In-Reply-To:
References:
Message-ID: <45462AC5.8050508@redhat.com>

Bliss, Aaron wrote:
>
> Hi everyone,
> I'm attempting to get password synchronization to work between fds and
> active directory; per the following document
> http://directory.fedora.redhat.com/wiki/Howto:WindowsSync#Test_to_make_sure_you_can_talk_SSL_from_Fedora_Directory_to_AD
> , I now have my AD box listening on port 636 as outlined in the
> section "With TinyCA2"; I have also installed a certificate for the
> fds box as prescribed here
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1085091
> including the section marked "Trust the Certificate Authority"; my
> question is, since both the AD box and FDS box trust my certificate
> authority setup with tinyCA, I believe then each box would inherently
> trust each other's certificates? If so, have I already achieved the
> steps listed below the section marked "Enabling SSl for PASSSync" in
> the first document above, or do I still need to proceed with that
> section even though the AD box and FDS box have certificates signed
> from the same root CA? Thanks very much for your help with this.
>
You still need to enable SSL for the PassSync service. PassSync uses its own certificate database, which is not the one that AD uses. This is why you need to set up SSL for PassSync separately from setting SSL up for AD.

-NGK
>
> Aaron
>
> Confidentiality Notice:
> The information contained in this electronic message is intended for
> the exclusive use of the individual or entity named above and may
> contain privileged or confidential information. If the reader of this
> message is not the intended recipient or the employee or agent
> responsible to deliver it to the intended recipient, you are hereby
> notified that dissemination, distribution or copying of this
> information is prohibited. If you have received this communication in
> error, please notify the sender immediately by telephone and destroy
> the copies you received.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
From oliver.hookins at anchor.com.au Tue Oct 31 00:40:19 2006
From: oliver.hookins at anchor.com.au (Oliver Hookins)
Date: Tue, 31 Oct 2006 11:40:19 +1100
Subject: [Fedora-directory-users] RPM/SRPM issues and old RHEL
In-Reply-To: <454619FA.4000700@redhat.com>
References: <44AB1627.8050906@anchor.com.au> <44AE7968.5020809@redhat.com> <20061005092941.GB32078@captain.bridge.anchor.net.au> <45250F55.6080505@redhat.com> <1160065017.2117.16.camel@wzowski.duraflex-politex.com> <452533B6.2010301@redhat.com> <20061015104444.GA15307@captain.bridge.anchor.net.au> <20061030005520.GB7750@captain.bridge.anchor.net.au> <454619FA.4000700@redhat.com>
Message-ID: <20061031004019.GA15358@captain.bridge.anchor.net.au>

On Mon Oct 30, 2006 at 08:27:54 -0700, Richard Megginson wrote:
>Oliver Hookins wrote:
>>On Sun Oct 15, 2006 at 20:44:44 +1000, Oliver Hookins wrote:
>>
>>>OK well aside from this issue, has anyone got FDS running on RHEL 2.1?
>>>
>>
>>I guess nobody has... well in any case I've downloaded the dsbuild 1.0.3
>>tarball and attempted to do a build on RHEL ES 2.1. Not surprisingly, it
>>fails. Can anyone shed some light on these error messages? I started the
>>build with make BUILD_RPM=1 NOJAVA=1 SNMP_SOURCE=1
>>
>I'm not sure, but it looks like a glibc compatibility issue. You might
>have to install some sort of gcc or glibc compat package. On the other
>hand, it may require a newer version of gcc/glibc than AS 2.1 has.

Most of the errors suggest it is looking for GLIBC 2.0 and 2.1 procedures, while the system has GLIBC 2.2.4 installed. I installed the compat-glibc package which has 2.1, but including this in the LD_LIBRARY_PATH first causes make to bail out because it requires 2.2, and apparently it gives up at the first libc file it examines.

If there is no way around this particular thing, perhaps your suggestion of using a later version of GLIBC will be the answer. Is there an easy way to signal dsbuild to statically link GLIBC or will it require editing a lot of files?

-- 
Regards,
Oliver Hookins
Anchor Systems

From rmeggins at redhat.com Tue Oct 31 03:03:07 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 30 Oct 2006 20:03:07 -0700
Subject: [Fedora-directory-users] RPM/SRPM issues and old RHEL
In-Reply-To: <20061031004019.GA15358@captain.bridge.anchor.net.au>
References: <44AB1627.8050906@anchor.com.au> <44AE7968.5020809@redhat.com> <20061005092941.GB32078@captain.bridge.anchor.net.au> <45250F55.6080505@redhat.com> <1160065017.2117.16.camel@wzowski.duraflex-politex.com> <452533B6.2010301@redhat.com> <20061015104444.GA15307@captain.bridge.anchor.net.au> <20061030005520.GB7750@captain.bridge.anchor.net.au> <454619FA.4000700@redhat.com> <20061031004019.GA15358@captain.bridge.anchor.net.au>
Message-ID: <4546BCEB.4020306@redhat.com>

Oliver Hookins wrote:
> Most of the errors suggest it is looking for GLIBC 2.0 and 2.1 procedures,
> while the system has GLIBC 2.2.4 installed. I installed the compat-glibc
> package which has 2.1 but including this in the LD_LIBRARY_PATH first causes
> make to bail out because it requires 2.2 and apparently it gives up at the
> first libc file it examines.
>
Maybe there is a compat-make?
> If there is no way around this particular thing, perhaps your suggestion of
> using a later version of GLIBC will be the answer. Is there an easy way to
> signal dsbuild to statically link GLIBC or will it require editing a lot of
> files?
>
I have no idea. This is highly not-recommended to do.

From ABliss at preferredcare.org Tue Oct 31 03:17:15 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Mon, 30 Oct 2006 22:17:15 -0500
Subject: [Fedora-directory-users] Trouble getting windows to talk to fds
Message-ID:

Hi everyone,
I'm having trouble with the directions in the wiki that deal with getting windows to sync with fds; I'm having trouble with this step; there are 2 files in my /opt/fedora-ds/alias directory; 1 is the cert database, the other is the key database; are either of these the parameters that I'm supposed to be passing to the -P option below? Thanks for your help.

Aaron

* From your Fedora Directory Server, export the server certificate using pk12util.

    cd "/opt/fedora-ds/alias/"
    pk12util -d . -P slapd- -o servercert.p12 -n Server-Cert

From ABliss at preferredcare.org Tue Oct 31 03:33:17 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Mon, 30 Oct 2006 22:33:17 -0500
Subject: [Fedora-directory-users] Trouble getting windows to talk to fds
In-Reply-To:
Message-ID:

On a separate issue, when attempting to verify connectivity to the ad box, I'm receiving the following error; any ideas? Thanks.

    /shared/bin/ldapsearch: error while loading shared libraries: libssldap50.so: cannot open shared object file: No such file or directory
From rmeggins at redhat.com Tue Oct 31 03:41:40 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 30 Oct 2006 20:41:40 -0700
Subject: [Fedora-directory-users] Trouble getting windows to talk to fds
In-Reply-To:
References:
Message-ID: <4546C5F4.6040602@redhat.com>

Bliss, Aaron wrote:
>
> Hi everyone,
> I'm having trouble with the directions in the wiki that deal with
> getting windows to sync with fds; I'm having trouble with this step;
> there are 2 files in my /opt/fedora-ds/alias directory; 1 is the cert
> database, the other is the key database; are either of these the
> parameters that I'm supposed to be passing to the -P option below? Thanks
> for your help.
>
> Aaron
>
> * From your Fedora Directory Server, export the server certificate
> using pk12util.
>
> cd "/opt/fedora-ds/alias/"
> pk12util -d . -P slapd- -o servercert.p12 -n Server-Cert
>
Firstly, you only need this pk12 file for backup purposes - you don't need it to get FDS to talk to AD or vice versa. Secondly, the argument to -P is the filename prefix of either your key or cert db file, e.g. if you have slapd-instance-cert8.db and slapd-instance-key3.db your -P argument will be "slapd-instance-" <- note the trailing "-" after "slapd-instance" - this is critical - it is part of the filename prefix and must not be omitted.

From gholbert at broadcom.com Tue Oct 31 03:39:38 2006
From: gholbert at broadcom.com (George Holbert)
Date: Mon, 30 Oct 2006 19:39:38 -0800
Subject: [Fedora-directory-users] Trouble getting windows to talk to fds
References:
Message-ID: <003801c6fc9e$314e86a0$88fdf00a@chunky>

"-P" takes the part of the filename leading up to "cert8.db" or "key3.db".

e.g. Say you have:
    slapd-example-cert8.db
    slapd-example-key3.db

Then you would do this:
    ... -P slapd-example- ...

From rmeggins at redhat.com Tue Oct 31 03:59:49 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 30 Oct 2006 20:59:49 -0700
Subject: [Fedora-directory-users] Trouble getting windows to talk to fds
In-Reply-To:
References:
Message-ID: <4546CA35.8030702@redhat.com>

Bliss, Aaron wrote:
> On a separate issue, when attempting to verify connectivity to the ad
> box, I'm receiving the following error; any ideas? Thanks.
>
> ./shared/bin/ldapsearch: error while loading shared libraries:
> libssldap50.so: cannot open shared object file: No such file or directory

cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....
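Both answers above come down to the same rule: the -P prefix is everything before cert8.db/key3.db, trailing dash included. As an added example (not code from the thread), the POSIX sh function below derives that prefix from an alias directory and refuses to guess when the cert and key databases do not pair up; the directory, file names and the demo's temp directory are all constructed.

```shell
#!/bin/sh
# Added example (not from the list thread): derive the pk12util -P prefix from
# the legacy NSS database pair <prefix>cert8.db / <prefix>key3.db in a directory.
# The directory layout and file names used in the demo are constructed.

# nss_db_prefix DIR
# Prints the prefix shared by DIR/<prefix>cert8.db and DIR/<prefix>key3.db,
# trailing "-" included (e.g. "slapd-example-"). Fails if there is no cert8.db,
# if the matching key3.db is missing, or if several instances share DIR.
nss_db_prefix() {
    dir=$1
    prefix=
    found=0
    for cert in "$dir"/*cert8.db; do
        # With no match the shell leaves the literal pattern in $cert.
        [ -e "$cert" ] || { echo "no cert8.db in $dir" >&2; return 1; }
        p=$(basename "$cert")
        p=${p%cert8.db}
        # The key database must carry exactly the same prefix.
        if [ ! -e "$dir/${p}key3.db" ]; then
            echo "no key3.db matching ${p}cert8.db in $dir" >&2
            return 1
        fi
        if [ "$found" -eq 1 ] && [ "$prefix" != "$p" ]; then
            echo "several instances in $dir; pass -P explicitly" >&2
            return 1
        fi
        prefix=$p
        found=1
    done
    printf '%s\n' "$prefix"
}

# pk12util_export_cmd DIR
# Prints the export command from the wiki step with -P filled in.
# It only prints the command line; running it is left to the operator.
pk12util_export_cmd() {
    p=$(nss_db_prefix "$1") || return 1
    printf 'pk12util -d %s -P %s -o servercert.p12 -n Server-Cert\n' "$1" "$p"
}

# Demo against a constructed directory holding empty placeholder files
# (no real key material is created or touched).
demo() {
    tmp=$(mktemp -d)
    touch "$tmp/slapd-example-cert8.db" "$tmp/slapd-example-key3.db"
    pk12util_export_cmd "$tmp"
    rm -rf "$tmp"
}

demo
```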
From jo.de.troy at gmail.com Tue Oct 31 08:36:45 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Tue, 31 Oct 2006 09:36:45 +0100
Subject: [Fedora-directory-users] password change vs password reset

Hello,

I was wondering if FedoraDS makes a difference between a password reset (by an admin) and a password change (by an end user). Does this translate into different behaviour wrt password policies (minimum age of a password)? Which command should be used to get the different behaviour?

What I'm looking for is to allow an admin to reset a user's password whenever, but at the same time let the end user only modify his password once a day.

Would ldappasswd have different behaviour depending on the binddn being used?

Thanks in advance,
Jo

From ABliss at preferredcare.org Tue Oct 31 13:31:04 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Tue, 31 Oct 2006 08:31:04 -0500
Subject: [Fedora-directory-users] Trouble getting windows to talk to fds
In-Reply-To: <003801c6fc9e$314e86a0$88fdf00a@chunky>

That was it, thanks George.

Aaron

________________________________
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of George Holbert
Sent: Monday, October 30, 2006 10:40 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Trouble getting windows to talk to fds

"-P" takes the part of the filename leading up to "cert8.db" or "key3.db".

e.g. Say you have:

    slapd-example-cert8.db
    slapd-example-key3.db

Then you would do this:

    .. -P slapd-example- ...

----- Original Message -----
From: Bliss, Aaron
To: General discussion list for the Fedora Directory server project.
Sent: Monday, October 30, 2006 7:17 PM
Subject: [Fedora-directory-users] Trouble getting windows to talk to fds

Hi everyone,
I'm having trouble with the directions in the wiki that deal with getting windows to sync with fds; I'm having trouble with this step; there are 2 files in my /opt/fedora-ds/alias file; 1 is the cert database, the other is the key database; are either of these the parameters that I'm supposed to be passing to the -P option below? Thanks for your help.

Aaron

* From your Fedora Directory Server, export the server certificate using pk12util.

    cd "/opt/fedora-ds/alias/"
    pk12util -d . -P slapd- -o servercert.p12 -n Server-Cert

Confidentiality Notice: The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.

________________________________
--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

From ABliss at preferredcare.org Tue Oct 31 13:31:34 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Tue, 31 Oct 2006 08:31:34 -0500
Subject: [Fedora-directory-users] Trouble getting windows to talk to fds
In-Reply-To: <4546C5F4.6040602@redhat.com>

Thanks very much; changing the shared directory did the trick.

Aaron

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
Sent: Monday, October 30, 2006 10:42 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Trouble getting windows to talk to fds

Bliss, Aaron wrote:
>
> Hi everyone,
> I'm having trouble with the directions in the wiki that deal with
> getting windows to sync with fds; I'm having trouble with this step;
> there are 2 files in my /opt/fedora-ds/alias file; 1 is the cert
> database, the other is the key database; are either of these the
> parameters that I'm supposed to be passing to the -P option below? Thanks
> for your help.
>
> Aaron
>
> * From your Fedora Directory Server, export the server certificate
> using pk12util.
>
> cd "/opt/fedora-ds/alias/"
> pk12util -d . -P slapd- -o servercert.p12 -n Server-Cert
>
Firstly, you only need this pk12 file for backup purposes - you don't need it to get FDS to talk to AD or vice versa.

Secondly, the argument to -P is the filename prefix of either your key or cert db file, e.g. if you have slapd-instance-cert8.db and slapd-instance-key3.db your -P argument will be "slapd-instance-" <- note the trailing "-" after "slapd-instance" - this is critical - it is part of the filename prefix and must not be omitted.

From rmeggins at redhat.com Tue Oct 31 16:53:04 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 31 Oct 2006 09:53:04 -0700
Subject: [Fedora-directory-users] Announcing Fedora Directory Server 1.0.3
Message-ID: <45477F70.6070505@redhat.com>

Fedora Directory Server 1.0.3 is released! This release is primarily a bug fix release.

* The password extended operation (ldappasswd) can now generate a new password
* Bug fixes - follow this link (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=208654) to see the bugzilla report
* Upgraded components - NSPR 4.6.3, NSS 3.11.3, LDAPCSDK 6.0.0

Release Notes: http://directory.fedora.redhat.com/wiki/Release_Notes
Download: http://directory.fedora.redhat.com/wiki/Download
Home Page: http://directory.fedora.redhat.com/wiki/Main_Page
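The "-P" question answered by George Holbert and Richard Megginson earlier in this thread (the prefix is everything before "cert8.db"/"key3.db", trailing "-" included) is easy to get wrong by hand. The following is an added example, not code from Fedora Directory Server: it derives the pk12util -P argument from a directory listing and refuses to build the export command when the cert and key database do not both exist under the same prefix. The file names and the admin-serv prefix in the sample are constructed.

```python
"""Derive the pk12util -P prefix from the files in an NSS database directory.

Added example for the -P discussion in this thread; not code from Fedora
Directory Server.  The sample directory layout below is constructed.
"""
import os
import tempfile
from typing import Dict, List

CERT_SUFFIX = "cert8.db"
KEY_SUFFIX = "key3.db"


def nss_prefixes(filenames: List[str]) -> Dict[str, List[str]]:
    """Map each filename prefix (everything before cert8.db/key3.db, so the
    trailing '-' stays part of it) to the database suffixes found with it."""
    found: Dict[str, List[str]] = {}
    for name in sorted(filenames):
        for suffix in (CERT_SUFFIX, KEY_SUFFIX):
            if name.endswith(suffix):
                prefix = name[: -len(suffix)]
                found.setdefault(prefix, []).append(suffix)
    return found


def pk12util_prefix(filenames: List[str], instance: str) -> str:
    """Return the -P argument for one slapd instance, e.g. 'slapd-example-'.

    Raises ValueError when either database file is missing for that prefix,
    so a caller never runs pk12util against a half-present pair."""
    wanted = "slapd-%s-" % instance
    present = nss_prefixes(filenames).get(wanted, [])
    missing = [s for s in (CERT_SUFFIX, KEY_SUFFIX) if s not in present]
    if missing:
        raise ValueError("no %s for prefix %r" % ("/".join(missing), wanted))
    return wanted


def export_command(alias_dir: str, instance: str,
                   nickname: str = "Server-Cert") -> List[str]:
    """Build the pk12util export command from the thread as an argv list
    (not executed here); -d points at the alias directory instead of '.'."""
    prefix = pk12util_prefix(os.listdir(alias_dir), instance)
    return ["pk12util", "-d", alias_dir, "-P", prefix,
            "-o", "servercert.p12", "-n", nickname]


def demo() -> List[str]:
    """Create a constructed alias directory and return the command for it."""
    with tempfile.TemporaryDirectory() as alias_dir:
        for name in ("slapd-example-cert8.db", "slapd-example-key3.db",
                     "admin-serv-host-cert8.db", "secmod.db"):
            open(os.path.join(alias_dir, name), "wb").close()
        return export_command(alias_dir, "example")


if __name__ == "__main__":
    print(" ".join(demo()))
```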
From ABliss at preferredcare.org Tue Oct 31 16:50:23 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Tue, 31 Oct 2006 11:50:23 -0500
Subject: [Fedora-directory-users] Trouble getting windows to talk to fds
In-Reply-To: <4546CA35.8030702@redhat.com>

I must apologize for all of the questions, however this (getting windows to talk to fds) is very new to me; I believe that I have the ssl piece as far as the service is concerned configured properly; passsync service is installed to the ad box, however after rebooting I checked the logfile and noticed some errors:

    failed to load entries from file,
    ldap bind error,
    no such object
    Can not connect to ldap server in syncpasswords

It sounds like I have not configured the service properly to bind to the fds database; on the fds side of the house, I've configured an account called dn=psync,cn=config in the config ou (similar to setting up an account used for setting up a supplier/consumer setup, such that the account itself will not be replicated); I then installed the passsync service on the ad box using the following values:

    Host name: hostname of fds supplier server
    Port: 636
    Username: uid=psync,cn=config
    Password: same as user setup in database on fds box
    Cert token: password to local passsync database
    Search base: dc=mydomain,dc=org

Couple of questions; does it appear that I've set things up properly on both the fds side of the house and the ad side of the house? What is the best way to further troubleshoot this? Thanks again.

Aaron

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
Sent: Monday, October 30, 2006 11:00 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Trouble getting windows to talk to fds

Bliss, Aaron wrote:
> On a separate issue, when attempting to verify connectivity to the ad
> box, I'm receiving the following error: ; any ideas? Thanks.
>
> ./shared/bin/ldapsearch: error while loading shared libraries:
> libssldap50.so: cannot open shared object file: No such file or directory

cd /opt/fedora-ds/shared/bin ; ./ldapsearch ....

From nkinder at redhat.com Tue Oct 31 16:56:57 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Tue, 31 Oct 2006 08:56:57 -0800
Subject: [Fedora-directory-users] Trouble getting windows to talk to fds
Message-ID: <45478059.4070704@redhat.com>

Bliss, Aaron wrote:
> I must apologize for all of the questions, however this (getting windows
> to talk to fds) is very new to me; I believe that I have the ssl piece
> as far as the service is concerned configured properly; passsync service
> is installed to the ad box, however after rebooting I checked the
> logfile and noticed some errors;
> failed to load entries from file,
> ldap bind error,
> no such object
> Can not connect to ldap server in syncpasswords
> It sounds like I have not configured the service properly to bind to the
> fds database; on the fds side of the house, I've configured an account
> called dn=psync,cn=config in the config ou (similar to setting up an
> account used for setting up a supplier/consumer setup, such that the
> account itself will not be replicated); I then installed the passsync
> service on the ad box using the following values:
> Host name: hostname of fds supplier server
> Port: 636
> Username: uid=psync,cn=config
> Password: same as user setup in database on fds box
> Cert token: password to local passsync database
> Search base: dc=mydomain,dc=org
>
> Couple of questions; does it appear that I've set things up properly on
> both the fds side of the house and the ad side of the house? What is
> the best way to further troubleshoot this? Thanks again.
>
The best thing to do when setting up Windows Sync is to go one step at a time. First get your user & group sync working. It will work just fine without setting up the PassSync service. Do you have this part working already?

If PassSync is having trouble binding to FDS, you should start troubleshooting by looking at the FDS access logs when PassSync attempts to connect. It sounds like the bind DN may be incorrect.

-NGK
> Aaron
>

From srigler at marathonoil.com Tue Oct 31 18:55:12 2006
From: srigler at marathonoil.com (Stephen C. Rigler)
Date: Tue, 31 Oct 2006 12:55:12 -0600
Subject: [Fedora-directory-users] Problems Setting up 1.0.3
Message-ID: <1162320912.9441.21.camel@houuc8>

I'm attempting to install 1.0.3 on an x86_64 machine running CentOS 4.4. Once the rpm is installed, I run the setup script, answer the questions and then the setup script does nothing (currently it's sitting at a screen that says "Fedora Project Directory Installation/Uninstallation" and nothing else).

I can see the following processes:

    root  4916  4820  0 11:07 pts/0  00:00:00 /bin/sh /opt/fedora-ds/setup/setup
    root  5004  4916  0 11:07 pts/0  00:00:00 ./ns-config -f /tmp/setupyd4964 -l /tmp/logMS4919 -m 3

I'm not sure what else to look for at this point. I had previously been running 1.0.2 on this machine without any issues.

Thanks,
Steve

From rmeggins at redhat.com Tue Oct 31 19:01:30 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 31 Oct 2006 12:01:30 -0700
Subject: [Fedora-directory-users] Problems Setting up 1.0.3
In-Reply-To: <1162320912.9441.21.camel@houuc8>
References: <1162320912.9441.21.camel@houuc8>
Message-ID: <45479D8A.4030903@redhat.com>

Stephen C. Rigler wrote:
> I'm attempting to install 1.0.3 on an x86_64 machine running CentOS 4.4.
> Once the rpm is installed, I run the setup script, answer the questions
> and then the setup script does nothing (currently it's sitting at a
> screen that says "Fedora Project Directory Installation/Uninstallation"
> and nothing else).
>
> I can see the following processes:
>
> root  4916  4820  0 11:07 pts/0  00:00:00 /bin/sh /opt/fedora-ds/setup/setup
> root  5004  4916  0 11:07 pts/0  00:00:00 ./ns-config -f /tmp/setupyd4964 -l /tmp/logMS4919 -m 3
>
> I'm not sure what else to look for at this point. I had previously been
> running 1.0.2 on this machine without any issues.
>
try strace -p 5004

Maybe it's waiting for input? Also do tail /tmp/logMS4919 to see if it has printed a prompt that looks like it is waiting for input.
> Thanks,
> Steve
>

From mj at sci.fi Tue Oct 31 18:54:44 2006
From: mj at sci.fi (Mike Jackson)
Date: Tue, 31 Oct 2006 20:54:44 +0200
Subject: [Fedora-directory-users] Problems Setting up 1.0.3
In-Reply-To: <1162320912.9441.21.camel@houuc8>
References: <1162320912.9441.21.camel@houuc8>
Message-ID: <45479BF4.7050707@sci.fi>

Stephen C. Rigler wrote:
> I'm attempting to install 1.0.3 on an x86_64 machine running CentOS 4.4.
> Once the rpm is installed, I run the setup script, answer the questions
> and then the setup script does nothing (currently it's sitting at a
Some problems here as well:

    [slapd-netauth]: starting up server ...
    [slapd-netauth]: Fedora-Directory/1.0.3 B2006.303.1848
    [slapd-netauth]: laptop.netauth.com:389 (/opt/fedora-ds/slapd-netauth)
    [slapd-netauth]:
    [slapd-netauth]: [31/Oct/2006:20:50:57 +0200] - Fedora-Directory/1.0.3 B2006.303.1848 starting up
    [slapd-netauth]: [31/Oct/2006:20:50:57 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
    NMC_Status: 0
    NMC_Description: Success! The server has been started.
    Start Slapd Starting Slapd server reconfiguration.
    Fatal Slapd ERROR: Could not find Directory Server Configuration URL ldap://laptop.netauth.com:389/o=NetscapeRoot user id admin DN cn=laptop.netauth.com, ou=netauth.com, o=NetscapeRoot (153:Unknown error)
    Configuring Administration Server...
    InstallInfo: Apache Directory "ApacheDir" is missing.
    /opt/fedora-ds/slapd-netauth/config/dse.ldif: SSL on ...
    Restarting Directory Server: /opt/fedora-ds/slapd-netauth/start-slapd
    Server failed to start !!! Please check errors log for problems

    You can now use the console. Here is the command to use to start the console:
    cd /opt/fedora-ds
    ./startconsole -u admin -a http://laptop.netauth.com:1500/

    INFO Finished with setup, logfile is setup/setup.log

hmm....

--
mike

From srigler at marathonoil.com Tue Oct 31 19:38:14 2006
From: srigler at marathonoil.com (Stephen C. Rigler)
Date: Tue, 31 Oct 2006 13:38:14 -0600
Subject: [Fedora-directory-users] Problems Setting up 1.0.3
In-Reply-To: <45479D8A.4030903@redhat.com>
References: <1162320912.9441.21.camel@houuc8> <45479D8A.4030903@redhat.com>
Message-ID: <1162323494.9441.24.camel@houuc8>

On Tue, 2006-10-31 at 12:01 -0700, Richard Megginson wrote:
>
> try strace -p 5004
>
> Maybe it's waiting for input? Also do tail /tmp/logMS4919 to see if it
> has printed a prompt that looks like it is waiting for input.

It looks like it is waiting for input. When I hit it brings me back to the prompt asking if I want to install sample entries. However, it seems to be stuck in a loop because any answer brings me back to the same prompt.

-Steve

From rmeggins at redhat.com Tue Oct 31 20:02:09 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 31 Oct 2006 13:02:09 -0700
Subject: [Fedora-directory-users] Problems Setting up 1.0.3
In-Reply-To: <1162323494.9441.24.camel@houuc8>
References: <1162320912.9441.21.camel@houuc8> <45479D8A.4030903@redhat.com> <1162323494.9441.24.camel@houuc8>
Message-ID: <4547ABC1.2090702@redhat.com>

Stephen C. Rigler wrote:
> On Tue, 2006-10-31 at 12:01 -0700, Richard Megginson wrote:
>
>> try strace -p 5004
>>
>> Maybe it's waiting for input? Also do tail /tmp/logMS4919 to see if it
>> has printed a prompt that looks like it is waiting for input.
>>
>
> It looks like it is waiting for input. When I hit it brings me
> back to the prompt asking if I want to install sample entries. However,
> it seems to be stuck in a loop because any answer brings me back to the
> same prompt.
>
Hmm - what install mode did you choose? Sounds like you chose Advanced - try it again with Typical.
> -Steve
>

From srigler at marathonoil.com Tue Oct 31 20:36:05 2006
From: srigler at marathonoil.com (Stephen C. Rigler)
Date: Tue, 31 Oct 2006 14:36:05 -0600
Subject: [Fedora-directory-users] Problems Setting up 1.0.3
In-Reply-To: <4547ABC1.2090702@redhat.com>
References: <1162320912.9441.21.camel@houuc8> <45479D8A.4030903@redhat.com> <1162323494.9441.24.camel@houuc8> <4547ABC1.2090702@redhat.com>
Message-ID: <1162326965.9441.35.camel@houuc8>

On Tue, 2006-10-31 at 13:02 -0700, Richard Megginson wrote:
> > It looks like it is waiting for input. When I hit it brings me
> > back to the prompt asking if I want to install sample entries. However,
> > it seems to be stuck in a loop because any answer brings me back to the
> > same prompt.
> >
> Hmm - what install mode did you choose? Sounds like you chose Advanced
> - try it again with Typical.

Tried it with "typical" and it's working now. Thanks!

-Steve

From seriv at omniti.com Tue Oct 31 20:40:05 2006
From: seriv at omniti.com (Sergey Ivanov)
Date: Tue, 31 Oct 2006 15:40:05 -0500
Subject: [Fedora-directory-users] Problems Setting up 1.0.3
In-Reply-To: <45479BF4.7050707@sci.fi>
References: <1162320912.9441.21.camel@houuc8> <45479BF4.7050707@sci.fi>
Message-ID: <4547B4A5.5060700@omniti.com>

For me it was a problem with ownership of directories in the /opt/fedora-ds/slapd-/ tree. logs, locks and config ownership was changed by the upgrade process to root. So the ns-slapd process was unable to start. Also the file /opt/fedora-ds/slapd-/config/dse.ldif.startOK was there in the way, being unable to be deleted - lack of permissions.

--
Sergey.

Mike Jackson wrote:
> Start Slapd Starting Slapd server reconfiguration.
> Fatal Slapd ERROR: Could not find Directory Server Configuration
> URL ldap://laptop.netauth.com:389/o=NetscapeRoot user id admin DN
> cn=laptop.netauth.com, ou=netauth.com, o=NetscapeRoot (153:Unknown error)
> Configuring Administration Server...
> InstallInfo: Apache Directory "ApacheDir" is missing.
> /opt/fedora-ds/slapd-netauth/config/dse.ldif: SSL on ...
> Restarting Directory Server: /opt/fedora-ds/slapd-netauth/start-slapd
> Server failed to start !!! Please check errors log for problems
>

From rmeggins at redhat.com Tue Oct 31 21:21:19 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 31 Oct 2006 14:21:19 -0700
Subject: [Fedora-directory-users] Problems Setting up 1.0.3
In-Reply-To: <4547B4A5.5060700@omniti.com>
References: <1162320912.9441.21.camel@houuc8> <45479BF4.7050707@sci.fi> <4547B4A5.5060700@omniti.com>
Message-ID: <4547BE4F.80407@redhat.com>

Sergey Ivanov wrote:
> For me it was a problem with ownership of directories in the
> /opt/fedora-ds/slapd-/ tree. logs, locks and config ownership was
> changed by the upgrade process to root. So the ns-slapd process was unable
> to start. Also the file
> /opt/fedora-ds/slapd-/config/dse.ldif.startOK was there in the
> way, being unable to be deleted - lack of permissions.
>
Very odd. It doesn't appear that setup does this, the chown is done in the server itself:

main.c:

    fix_ownership()
    {
        struct passwd* pw=NULL;
        char dirname[MAXPATHLEN + 1];
        slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();

        if ( slapdFrontendConfig->localuser != NULL ) {
            if ( (pw = getpwnam( slapdFrontendConfig->localuser )) == NULL )
                return;

localuser should be "nobody" or the uid of the server user. So one possible problem is if this is set to "root" for some reason.

        } else {
            return;
        }

        /* The instance directory needs to be owned by the local user */
        slapd_chown_if_not_owner( slapdFrontendConfig->instancedir, pw->pw_uid, -1 );

instancedir is "/opt/fedora-ds/slapd-instance"

        PR_snprintf(dirname,sizeof(dirname),"%s/config",slapdFrontendConfig->instancedir);
        chown_dir_files(dirname, pw, PR_FALSE); /* config directory */
        chown_dir_files(slapdFrontendConfig->accesslog, pw, PR_TRUE); /* do access log directory */
        chown_dir_files(slapdFrontendConfig->auditlog, pw, PR_TRUE); /* do audit log directory */
        chown_dir_files(slapdFrontendConfig->errorlog, pw, PR_TRUE); /* do error log directory */

chown_dir_files chowns the directory and all of the files in it (does not recurse). If given a file name, it will strip off the file name (PR_TRUE).

It would appear that the only way this can happen is if either slapdFrontendConfig->localuser is "root" or getpwnam( slapdFrontendConfig->localuser ) returns uid 0.

If someone can come up with a reproducible test case, please let me know. So far, I've just done a simple fds102 install followed by upgrade to fds103 on RHEL4 using the default values. I cannot reproduce this problem.

    }

From ABliss at preferredcare.org Tue Oct 31 21:27:05 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Tue, 31 Oct 2006 16:27:05 -0500
Subject: [Fedora-directory-users] Trouble getting windows to talk to fds
In-Reply-To: <45478059.4070704@redhat.com>

I'm a little confused here; what is the purpose of the passsync service (I've successfully created a replication agreement over ssl via fds and ad). Thanks again.

Aaron

From prowley at redhat.com Tue Oct 31 21:32:14 2006
From: prowley at redhat.com (Pete Rowley)
Date: Tue, 31 Oct 2006 13:32:14 -0800
Subject: [Fedora-directory-users] Trouble getting windows to talk to fds
Message-ID: <4547C0DE.2010504@redhat.com>

Bliss, Aaron wrote:
> I'm a little confused here; what is the purpose of the passsync service
> (I've successfully created a replication agreement over ssl via fds and
> ad). Thanks again.
>
To synchronize passwords as they change.

--
Pete

From david_list at boreham.org Tue Oct 31 21:41:43 2006
From: david_list at boreham.org (David Boreham)
Date: Tue, 31 Oct 2006 14:41:43 -0700
Subject: [Fedora-directory-users] Trouble getting windows to talk to fds
In-Reply-To: <4547C0DE.2010504@redhat.com>
References: <4547C0DE.2010504@redhat.com>
Message-ID: <4547C317.9030302@boreham.org>

Pete Rowley wrote:
> Bliss, Aaron wrote:
>
>> I'm a little confused here; what is the purpose of the passsync service
>> (I've successfully created a replication agreement over ssl via fds and
>> ad). Thanks again.
>>
>
> To synchronize passwords as they change.

Specifically, in the AD->FDS direction. Read here:

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2878913

the paragraph beginning 'In addition to the entry synchronization mechanisms discussed above, the Password Sync Service is needed to catch password changes made on the Windows server..'

From nkinder at redhat.com Tue Oct 31 21:44:01 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Tue, 31 Oct 2006 13:44:01 -0800
Subject: [Fedora-directory-users] Trouble getting windows to talk to fds
Message-ID: <4547C3A1.3060906@redhat.com>

Bliss, Aaron wrote:
> I'm a little confused here; what is the purpose of the passsync service
> (I've successfully created a replication agreement over ssl via fds and
> ad). Thanks again.
>
The PassSync service is only responsible for sending password changes initiated on the AD side to FDS. Any password that is changed on the FDS side will be sent to AD over the synchronization agreement along with other user & group changes. The synchronization agreement will also pull changes that happened on the AD side over to FDS.

The problem is that AD hashes the password differently than FDS does, so FDS needs access to the clear-text password. The only way for this to happen when a password change is initiated on the AD side is to have a password plug-in installed on the domain controller to get a copy of the clear-text password. This is exactly what the PassSync service does. It installs a plugin (passhook.dll) that receives the clear-text password, which passsync.exe sends across to FDS over LDAPS.

Hopefully that clears things up.

-NGK
> Aaron
>
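Nathan's earlier advice in this thread was to watch the FDS access log while PassSync tries to connect, since a failing bind shows up there as a BIND followed by a non-zero RESULT. As an added example (not code from Fedora Directory Server or PassSync), the Python below pairs each BIND line with the RESULT that carries the same conn= and op= numbers and reports the failed binds for a given account. The log lines follow the Directory Server access log layout, but the timestamps, connection numbers and bind DNs in the sample are constructed.

```python
"""Pair BIND and RESULT access-log lines and report failed binds.

Added example for the PassSync troubleshooting advice in this thread; not
code from Fedora Directory Server or PassSync.  The sample log below is
constructed to mimic the Directory Server access log.
"""
import re
from typing import Dict, List, Tuple

# LDAP result codes a failing bind commonly produces (RFC 4511 values).
LDAP_ERRORS = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}

BIND_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"'
)
RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)'
)

# Constructed sample: a bind as a DN that does not exist, a bind as an
# existing DN with the wrong password, then a successful bind and search.
SAMPLE_LOG = """\
[31/Oct/2006:11:45:02 -0500] conn=17 op=0 BIND dn="uid=psync,cn=config" method=128 version=3
[31/Oct/2006:11:45:02 -0500] conn=17 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[31/Oct/2006:11:45:02 -0500] conn=17 op=1 UNBIND
[31/Oct/2006:11:46:10 -0500] conn=18 op=0 BIND dn="cn=psync,cn=config" method=128 version=3
[31/Oct/2006:11:46:10 -0500] conn=18 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[31/Oct/2006:11:47:30 -0500] conn=19 op=0 BIND dn="cn=psync,cn=config" method=128 version=3
[31/Oct/2006:11:47:30 -0500] conn=19 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[31/Oct/2006:11:47:31 -0500] conn=19 op=1 SRCH base="dc=mydomain,dc=org" scope=2 filter="(uid=jdoe)"
[31/Oct/2006:11:47:31 -0500] conn=19 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""


def bind_results(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (timestamp, bind dn, result code) for every completed BIND.

    A RESULT is matched to the BIND with the same conn= and op=; RESULT
    lines for other operations (searches etc.) are ignored."""
    pending: Dict[Tuple[str, str], Tuple[str, str]] = {}
    out: List[Tuple[str, str, int]] = []
    for line in lines:
        m = BIND_RE.match(line)
        if m:
            pending[(m["conn"], m["op"])] = (m["ts"], m["dn"])
            continue
        m = RESULT_RE.match(line)
        if m and (m["conn"], m["op"]) in pending:
            ts, dn = pending.pop((m["conn"], m["op"]))
            out.append((ts, dn, int(m["err"])))
    return out


def failed_binds(lines: List[str], dn_substring: str) -> List[str]:
    """One line per failed bind whose DN contains dn_substring (case-insensitive)."""
    report = []
    for ts, dn, err in bind_results(lines):
        if err != 0 and dn_substring.lower() in dn.lower():
            name = LDAP_ERRORS.get(err, "err=%d" % err)
            report.append("%s BIND dn=%s failed: %s" % (ts, dn, name))
    return report


if __name__ == "__main__":
    for entry in failed_binds(SAMPLE_LOG.splitlines(), "psync"):
        print(entry)
```

A noSuchObject result on the BIND points at the DN itself, an invalidCredentials result at the password, which narrows Nathan's "bind DN may be incorrect" guess to one side or the other.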
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3241 bytes Desc: S/MIME Cryptographic Signature URL: From ABliss at preferredcare.org Tue Oct 31 21:43:33 2006 From: ABliss at preferredcare.org (Bliss, Aaron) Date: Tue, 31 Oct 2006 16:43:33 -0500 Subject: [Fedora-directory-users] Trouble getting windows to talk to fds In-Reply-To: <4547C0DE.2010504@redhat.com> Message-ID: Ok, I'm with you; now I noticed by default, that the windows sync replication agreement will initially synchronize users that are in the users OU on the domain controller to the People ou in fds; it seems that I would want to change this and have the synchronization agreement to bring the users over to the users ou in fds? If so, will it ignore (i.e. not overwrite existing fds user accounts if there is a conflict; in other words, if the user john exists in fds and he exists with the same dn in active directory, will he get overwritten when synchronizing? Thanks again. Aaron -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Pete Rowley Sent: Tuesday, October 31, 2006 4:32 PM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] Trouble getting windows to talk to fds Bliss, Aaron wrote: > I'm a little confused here; what is the purpose of the passsync service > (I've successfully created a replication agreement over ssl via fds and > ad). Thanks again. > To synchronize passwords as they change. -- Pete Confidentiality Notice: The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. 
If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received. From ABliss at preferredcare.org Tue Oct 31 21:46:44 2006 From: ABliss at preferredcare.org (Bliss, Aaron) Date: Tue, 31 Oct 2006 16:46:44 -0500 Subject: [Fedora-directory-users] Trouble getting windows to talk to fds In-Reply-To: <4547C3A1.3060906@redhat.com> Message-ID: That makes perfect sense, as I noticed that the replication agreement I created was a supplier/consumer agreement between fds and ad; now I have another question, if a new user is created in ad, since the fds box is the supplier, how will that uid be replicated to fds? Aaron -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Nathan Kinder Sent: Tuesday, October 31, 2006 4:44 PM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] Trouble getting windows to talk to fds Bliss, Aaron wrote: > I'm a little confused here; what is the purpose of the passsync service > (I've successfully created a replication agreement over ssl via fds and > ad). Thanks again. > The PassSync service is only responsible for sending password changes initiated on the AD side to FDS. Any password that is changed on the FDS side will be sent to AD over the synchronization agreement along with other user & group changes. The synchronization agreement will also pull changes that happened on the AD side over to FDS. The problem is that AD hashes the password differently than FDS does, so FDS needs access to the clear-text password. The only way for this to happen when a password change is initiated on the AD side is to have a password plug-in installed on the domain controller to get a copy of the clear-text password. This is exactly what the PassSync service does. 
It installs a plugin (passhook.dll) that receives the clear-text password which passsync.exe sends across to FDS over LDAPS. Hopefully that clears things up. -NGK > Aaron > > Confidentiality Notice: The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received. From aaron.cline at gmail.com Tue Oct 31 22:17:16 2006 From: aaron.cline at gmail.com (Aaron Cline) Date: Tue, 31 Oct 2006 17:17:16 -0500 Subject: [Fedora-directory-users] Upgrade from 7.1-2 to 1.0.3 Message-ID: <2f8a29cb0610311417r6f000706t2d5ebabf26e711dc@mail.gmail.com> It would seem that my LDAP is up and running but I'm still trying to finish the upgrade process as outlined here: http://directory.fedora.redhat.com/wiki/Install_Guide#Upgrading_from_the_7.1_release Specifically I'm told to run the following commands: cd /opt/fedora-ds/slapd-yourhost ./db2ldif -U -s o=netscaperoot -o /tmp/nsroot.ldif After doing the above command, I get the following error: [root at low-mgt-101 slapd-low-mgt-101]# ./db2ldif -U -s o=netscaperoot -o /tmp/nsroot.ldif usage: ns-slapd db2ldif -D instancedir [-n backend-instance-name] [-d debuglevel] [-N] [-a outputfile] [-r] [-C] [{-s includesuffix}*] [{-x excludesuffix}*] [-u] [-U] [-m] [-M] [-E] Note: either "-n backend_instance_name" or "-s includesuffix" is required. Can someone help me out? Thanks, Aaron -------------- next part -------------- An HTML attachment was scrubbed... 
From rmeggins at redhat.com Tue Oct 31 22:34:05 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 31 Oct 2006 15:34:05 -0700
Subject: [Fedora-directory-users] Upgrade from 7.1-2 to 1.0.3
In-Reply-To: <2f8a29cb0610311417r6f000706t2d5ebabf26e711dc@mail.gmail.com>
References: <2f8a29cb0610311417r6f000706t2d5ebabf26e711dc@mail.gmail.com>
Message-ID: <4547CF5D.6010703@redhat.com>

Aaron Cline wrote:
> It would seem that my LDAP is up and running but I'm still trying to
> finish the upgrade process as outlined here:
>
> http://directory.fedora.redhat.com/wiki/Install_Guide#Upgrading_from_the_7.1_release
>
> Specifically I'm told to run the following commands:
>
> cd /opt/fedora-ds/slapd-yourhost
> ./db2ldif -U -s o=netscaperoot -o /tmp/nsroot.ldif
>
> After doing the above command, I get the following error:
>
> [root at low-mgt-101 slapd-low-mgt-101]# ./db2ldif -U -s o=netscaperoot -o /tmp/nsroot.ldif
> usage: ns-slapd db2ldif -D instancedir [-n backend-instance-name] [-d debuglevel] [-N] [-a outputfile] [-r] [-C] [{-s includesuffix}*] [{-x excludesuffix}*] [-u] [-U] [-m] [-M] [-E]
> Note: either "-n backend_instance_name" or "-s includesuffix" is required.
>
> Can someone help me out?

Use -a instead of -o - I've updated the wiki page.

> Thanks,
>
> Aaron
From nkinder at redhat.com Tue Oct 31 22:49:12 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Tue, 31 Oct 2006 14:49:12 -0800
Subject: [Fedora-directory-users] Trouble getting windows to talk to fds
In-Reply-To:
References:
Message-ID: <4547D2E8.9060306@redhat.com>

Bliss, Aaron wrote:
> That makes perfect sense, as I noticed that the replication agreement I
> created was a supplier/consumer agreement between fds and ad; now I have
> another question, if a new user is created in ad, since the fds box is
> the supplier, how will that uid be replicated to fds?

When FDS connects to AD, it will send the dirsync control. This control contains a cookie of sorts. This basically tells AD to give us all modifications since the last time we sent the dirsync control (which it knows from the cookie we are sending). AD then gives us the modifications along with a new cookie to use next time. You can think of this as pull-style replication in the AD->FDS direction. FDS pushes its changes to AD while pulling changes from AD to itself.

-NGK

> Aaron

From ABliss at preferredcare.org Tue Oct 31 22:51:06 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Tue, 31 Oct 2006 17:51:06 -0500
Subject: [Fedora-directory-users] Trouble getting windows to talk to fds
In-Reply-To: <4547D2E8.9060306@redhat.com>
Message-ID:

Thanks very much for your explanations; they have cleared up a lot of grey area for me.
Aaron

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Nathan Kinder
Sent: Tuesday, October 31, 2006 5:49 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Trouble getting windows to talk to fds

Bliss, Aaron wrote:
> That makes perfect sense, as I noticed that the replication agreement I
> created was a supplier/consumer agreement between fds and ad; now I have
> another question, if a new user is created in ad, since the fds box is
> the supplier, how will that uid be replicated to fds?

When FDS connects to AD, it will send the dirsync control. This control contains a cookie of sorts. This basically tells AD to give us all modifications since the last time we sent the dirsync control (which it knows from the cookie we are sending). AD then gives us the modifications along with a new cookie to use next time. You can think of this as pull-style replication in the AD->FDS direction. FDS pushes its changes to AD while pulling changes from AD to itself.

-NGK

> Aaron
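The two mechanisms Nathan describes in this thread, cookie-based pull of AD changes through the dirsync control and the separate PassSync path that exists because AD and FDS hash passwords differently, modelled together as an added example. This is constructed code written for this page, not code from the thread, from FDS, AD or PassSync; it stands in for the real LDAP dirsync control (OID 1.2.840.113556.1.4.841) with a plain change counter, uses sample DNs, treats a moving pwdLastSet as the only trace of a password change visible to the puller (an assumption of the model), and uses the {SSHA} scheme as the FDS-side hash.

```python
# Cookie-based pull sync (AD -> FDS) modelled in plain Python: an added, constructed
# model of the dirsync exchange in the thread, not real LDAP dirsync, AD, FDS or PassSync code.
import base64
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Change:
    usn: int                # constructed stand-in for AD's update sequence number
    dn: str
    attrs: Dict[str, str]


class FakeDomainController:
    """Stand-in for AD: an append-only change log that answers dirsync requests."""

    def __init__(self) -> None:
        self._log: List[Change] = []
        self._usn = 0

    def modify(self, dn: str, attrs: Dict[str, str]) -> None:
        self._usn += 1
        self._log.append(Change(self._usn, dn, dict(attrs)))

    def set_password(self, dn: str, new_password: str) -> None:
        # The password value is never readable over LDAP; all a dirsync client sees
        # is that the password changed (modelled here as pwdLastSet moving).
        self._usn += 1
        self._log.append(Change(self._usn, dn, {"pwdLastSet": str(self._usn)}))

    def dirsync(self, cookie: Optional[bytes]) -> Tuple[List[Change], bytes]:
        """Changes after the USN in the cookie, plus a fresh cookie. No cookie,
        or an unparsable one, means 'send everything' (a full resync)."""
        try:
            last_seen = int(cookie.decode()) if cookie else 0
        except ValueError:
            last_seen = 0
        changes = [c for c in self._log if c.usn > last_seen]
        return changes, str(self._usn).encode()


class FakeDirectoryServer:
    """Stand-in for FDS: keeps the cookie between pulls, applies pulled changes,
    and tracks entries whose password still has to arrive via PassSync."""

    def __init__(self) -> None:
        self.entries: Dict[str, Dict[str, str]] = {}
        self.cookie: Optional[bytes] = None
        self.awaiting_passsync: List[str] = []

    def pull(self, dc: FakeDomainController) -> int:
        """One AD->FDS pull; returns how many changes were applied."""
        changes, self.cookie = dc.dirsync(self.cookie)
        for change in changes:
            entry = self.entries.setdefault(change.dn, {})
            for attr, value in change.attrs.items():
                if attr == "pwdLastSet" and change.dn not in self.awaiting_passsync:
                    self.awaiting_passsync.append(change.dn)  # password itself did not arrive
                entry[attr] = value
        return len(changes)

    def passsync_deliver(self, dn: str, cleartext: str) -> str:
        """The side channel PassSync provides: the clear-text password reaches FDS
        (over LDAPS in the real deployment) and FDS hashes it in its own {SSHA} form."""
        salt = os.urandom(4)
        digest = hashlib.sha1(cleartext.encode("utf-8") + salt).digest()
        stored = "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
        self.entries.setdefault(dn, {})["userPassword"] = stored
        if dn in self.awaiting_passsync:
            self.awaiting_passsync.remove(dn)
        return stored


def check_ssha(stored: str, candidate: str) -> bool:
    """Verify a candidate against an {SSHA} value (the salt is the trailing bytes)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest


def demo() -> dict:
    """Walk-through: initial pull, idle pull, a password change that arrives only
    as a flag, PassSync filling it in, then a lost-cookie resync."""
    dc, fds = FakeDomainController(), FakeDirectoryServer()
    alice = "cn=alice,cn=Users,dc=example,dc=com"           # sample DNs, constructed
    dc.modify(alice, {"sAMAccountName": "alice", "mail": "alice@example.com"})
    dc.modify("cn=bob,cn=Users,dc=example,dc=com", {"sAMAccountName": "bob"})
    first = fds.pull(dc)                  # both entries
    second = fds.pull(dc)                 # nothing new behind the cookie
    dc.set_password(alice, "correct horse battery staple")
    third = fds.pull(dc)                  # one change, pwdLastSet only
    pending = list(fds.awaiting_passsync)
    stored = fds.passsync_deliver(alice, "correct horse battery staple")
    fds.cookie = None                     # lose the cookie: AD replays the whole log
    resync = fds.pull(dc)
    return {"first": first, "second": second, "third": third, "resync": resync,
            "pending": pending, "entries": fds.entries,
            "password_ok": check_ssha(stored, "correct horse battery staple"),
            "password_bad": check_ssha(stored, "wrong")}
```

Running demo() shows the shape of the exchange: the first pull returns every entry, the second returns nothing because the cookie already covers the log, the password change shows up only as pwdLastSet with no usable password value, and only the PassSync delivery leaves a verifiable userPassword behind. Losing the cookie makes AD replay the entire log, which is why the real synchronization agreement persists the cookie between runs; from a monitoring point of view, an unexpected full replay after a restart is the symptom to watch for.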