From rmeggins at redhat.com Mon Apr 2 14:41:03 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 02 Apr 2007 08:41:03 -0600
Subject: [Fedora-directory-users] Error : Critical extension unavailable
Message-ID: <461115FF.60304@redhat.com>

Victor Rodriguez wrote:
>>> Richard Megginson wrote:
>>> The Fedora DS chaining database (database link) uses the Proxy Auth
>>> control.  I think you can disable this.  Check the docs for the chaining
>>> database configuration.  It may be that the console does not allow you
>>> to set this, but you can set it manually.
>>> http://www.redhat.com/docs/manuals/dir-server/pdf/ds71cli.pdf - search
>>> for nsProxiedAuthorization
>>> If there are other controls being sent by Fedora DS, you can disable
>>> those too - search for nsTransmittedControls in the above document.
>
> Hi Richard:
>
> I have disabled these controls but the problem still continues. This
> error only happens with OpenLDAP, because when I connect to a Novell
> eDirectory LDAP server I get a different error: I don't have
> permissions to read the database link.
I'm not sure - is there some way to examine the log files for OpenLDAP to
determine exactly what it is complaining about?
>
> Any idea?
>
> Regards,
>
> Victor Rodriguez
> IT Technical Support Officer
> System & Database Administrator
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rmeggins at redhat.com Mon Apr 2 15:47:45 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 02 Apr 2007 09:47:45 -0600
Subject: [Fedora-directory-users] CA certificate format
In-Reply-To: <37d92a190703290820y295cb056h8a13a09882cb8187@mail.gmail.com>
References: <37d92a190703281217i17db4058kc4a12d09102c2afe@mail.gmail.com>
	<460ABF83.1060106@redhat.com>
	<37d92a190703290820y295cb056h8a13a09882cb8187@mail.gmail.com>
Message-ID: <461125A1.1020603@redhat.com>

Yoram Kahana wrote:
> Hi Richard,
>
> Indeed it solved one of the problems, I didn't hash the CA certificate
> on the client side.
> Now I am getting a new message:
>
> TLS: hostname does not match CN in peer certificate
>
> If I understand the meaning, the CN and the hostname are not
> identical, but that's not the situation now.
The CN in the server cert is CN=r1-ows-07.rocaf.org - the server is
running on r1-ows-07.rocaf.org?  The error message means there is a
mismatch somewhere.
> > > I have also tried the opensll s_client -debug -connect (the output is > enclosed) > seems that throgh the openssl it works fine, where am i wrong? > > Can you see if you have any clue > great thanks > Yoram > > > > On 3/28/07, *Richard Megginson* > wrote: > > Yoram Kahana wrote: > > Hi > > > > Does anyone has an idea on which format should i save the ca > > certificate in the clients (for SSL communication) ? > > Is it PEM, DER, BER > It depends - what client are you trying to configure? Did you see > this > - > http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients > > > > > > Thanks in advance > > > > Yoram > > > ------------------------------------------------------------------------ > > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > ------------------------------------------------------------------------ > > > openssl s_client -debug -connect r1-ows-07:636 > CONNECTED(00000003) > write to 00675450 [00675F50] (142 bytes => 142 (0x8E)) > 0000 - 80 8c 01 03 01 00 63 00-00 00 20 00 00 39 00 00 ......c... ..9.. > 0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............ > 0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 66 00 ..3..2../.....f. > 0030 - 00 05 00 00 04 01 00 80-08 00 80 00 00 63 00 00 .............c.. > 0040 - 62 00 00 61 00 00 15 00-00 12 00 00 09 06 00 40 b..a...........@ > 0050 - 00 00 65 00 00 64 00 00-60 00 00 14 00 00 11 00 ..e..d..`....... > 0060 - 00 08 00 00 06 04 00 80-00 00 03 02 00 80 24 9c ..............$. > 0070 - 49 e8 7b b6 bf 6a 36 4a-4a f8 04 25 d9 b8 a7 8e I.{..j6JJ..%.... > 0080 - 57 d7 67 c2 3a 6d 72 d0-d9 37 3f f5 ac 07 W.g.:mr..7?... > read from 00675450 [0067B4B0] (7 bytes => 7 (0x7)) > 0000 - 16 03 01 08 23 02 ....#. 
> 0007 - > read from 00675450 [0067B4B7] (2081 bytes => 1441 (0x5A1)) > 0000 - 00 46 03 01 00 28 82 f7-c8 e3 77 83 de 5f 86 53 .F...(....w.._.S > 0010 - 5d 5a 76 33 04 fe bd a6-b8 02 ee 88 c4 bd e8 6c ]Zv3...........l > 0020 - 18 b9 ee f6 20 22 92 d7-0e b4 ae aa df c2 83 b7 .... ".......... > 0030 - 07 22 94 af 91 d8 2a 92-da 0c d6 3e d5 7a ee 8f ."....*....>.z.. > 0040 - 7f 26 28 3a 56 00 35 00-0b 00 06 dd 00 06 da 00 .&(:V.5......... > 0050 - 03 6e 30 82 03 6a 30 82-02 d3 a0 03 02 01 02 02 .n0..j0......... > 0060 - 01 01 30 0d 06 09 2a 86-48 86 f7 0d 01 01 04 05 ..0...*.H....... > 0070 - 00 30 81 83 31 0b 30 09-06 03 55 04 06 13 02 49 .0..1.0...U....I > 0080 - 4c 31 0f 30 0d 06 03 55-04 08 13 06 49 73 72 61 L1.0...U....Isra > 0090 - 65 6c 31 10 30 0e 06 03-55 04 07 13 07 54 65 6c el1.0...U....Tel > 00a0 - 41 76 69 76 31 11 30 0f-06 03 55 04 0a 13 08 4e Aviv1.0...U....N > 00b0 - 65 73 73 20 4c 74 64 31-0e 30 0c 06 03 55 04 0b ess Ltd1.0...U.. > 00c0 - 13 05 4c 4d 41 44 53 31-0e 30 0c 06 03 55 04 03 ..LMADS1.0...U.. > 00d0 - 13 05 59 6f 72 61 6d 31-1e 30 1c 06 09 2a 86 48 ..Yoram1.0...*.H > 00e0 - 86 f7 0d 01 09 01 16 0f-79 6f 72 61 6d 40 62 61 ........yoram at ba > 00f0 - 6d 61 6d 2e 63 6f 6d 30-1e 17 0d 30 37 30 33 32 mam.com0...07032 > 0100 - 39 31 33 35 31 35 35 5a-17 0d 30 38 30 33 32 38 9135155Z..080328 > 0110 - 31 33 35 31 35 35 5a 30-5f 31 0b 30 09 06 03 55 135155Z0_1.0...U > 0120 - 04 06 13 02 49 4c 31 0f-30 0d 06 03 55 04 08 13 ....IL1.0...U... > 0130 - 06 49 73 72 61 65 6c 31-11 30 0f 06 03 55 04 0a .Israel1.0...U.. > 0140 - 13 08 4e 65 73 73 20 4c-74 64 31 0e 30 0c 06 03 ..Ness Ltd1.0... > 0150 - 55 04 0b 13 05 4c 4d 41-44 53 31 1c 30 1a 06 03 U....LMADS1.0... > 0160 - 55 04 03 13 13 72 31 2d-6f 77 73 2d 30 37 2e 72 U....r1-ows-07.r > 0170 - 6f 63 61 66 2e 6f 72 67-30 81 9f 30 0d 06 09 2a ocaf.org0..0...* > 0180 - 86 48 86 f7 0d 01 01 01-05 00 03 81 8d 00 30 81 .H............0. 
> 0190 - 89 02 81 81 00 c5 12 31-28 e2 de c6 4a 3d 59 7e .......1(...J=Y~ > 01a0 - d8 f2 c4 5e ca 00 6a 08-52 c1 58 ce 3a 38 dc 58 ...^..j.R.X.:8.X > 01b0 - 7d 0b c9 83 5d 9e 77 bc-09 9f c4 6e 5a 54 19 ff }...].w....nZT.. > 01c0 - 7b 3f 14 6b 40 51 ed 42-ba 34 d8 89 49 07 21 2b {?.k at Q.B.4..I.!+ > 01d0 - 89 4f bf 9c 5c 15 1b 61-03 1f 2f 95 b3 23 1b 6f .O..\..a../..#.o > 01e0 - c2 a9 a2 21 17 ab 62 10-ef 27 27 ae d8 46 84 4b ...!..b..''..F.K > 01f0 - 86 b6 f2 8d b1 3e 45 0d-16 1a 8e 99 90 6d a4 5e .....>E......m.^ > 0200 - 6e 9a f6 f2 b5 d0 fb cb-c2 ec f0 a3 7a 5b 20 59 n...........z[ Y > 0210 - 02 00 13 80 0f 02 03 01-00 01 a3 82 01 0f 30 82 ..............0. > 0220 - 01 0b 30 09 06 03 55 1d-13 04 02 30 00 30 2c 06 ..0...U....0.0,. > 0230 - 09 60 86 48 01 86 f8 42-01 0d 04 1f 16 1d 4f 70 .`.H...B......Op > 0240 - 65 6e 53 53 4c 20 47 65-6e 65 72 61 74 65 64 20 enSSL Generated > 0250 - 43 65 72 74 69 66 69 63-61 74 65 30 1d 06 03 55 Certificate0...U > 0260 - 1d 0e 04 16 04 14 f8 72-da cb af d2 d8 e1 18 17 .......r........ > 0270 - ec 9e 80 10 89 d1 13 07-a6 e3 30 81 b0 06 03 55 ..........0....U > 0280 - 1d 23 04 81 a8 30 81 a5-80 14 26 9a 3c 03 60 32 .#...0....&.<.`2 > 0290 - a4 25 36 ce 56 ae 33 a1-30 45 e2 85 27 a2 a1 81 .%6.V.3.0E..'... > 02a0 - 89 a4 81 86 30 81 83 31-0b 30 09 06 03 55 04 06 ....0..1.0...U.. > 02b0 - 13 02 49 4c 31 0f 30 0d-06 03 55 04 08 13 06 49 ..IL1.0...U....I > 02c0 - 73 72 61 65 6c 31 10 30-0e 06 03 55 04 07 13 07 srael1.0...U.... > 02d0 - 54 65 6c 41 76 69 76 31-11 30 0f 06 03 55 04 0a TelAviv1.0...U.. > 02e0 - 13 08 4e 65 73 73 20 4c-74 64 31 0e 30 0c 06 03 ..Ness Ltd1.0... > 02f0 - 55 04 0b 13 05 4c 4d 41-44 53 31 0e 30 0c 06 03 U....LMADS1.0... > 0300 - 55 04 03 13 05 59 6f 72-61 6d 31 1e 30 1c 06 09 U....Yoram1.0... > 0310 - 2a 86 48 86 f7 0d 01 09-01 16 0f 79 6f 72 61 6d *.H........yoram > 0320 - 40 62 61 6d 61 6d 2e 63-6f 6d 82 01 00 30 0d 06 @bamam.com...0.. > 0330 - 09 2a 86 48 86 f7 0d 01-01 04 05 00 03 81 81 00 .*.H............ 
> 0340 - 88 38 ad c8 e4 df c9 85-68 2f e6 8b d0 1f 37 fd .8......h/....7. > 0350 - c4 7d 0c ca 01 5f 58 fb-3d 00 d4 f0 d0 f3 fe bb .}..._X.=....... > 0360 - e5 7f e2 44 6f 8c 43 7a-9f cc d6 6b 85 40 9c 04 ...Do.Cz...k. at .. > 0370 - 22 20 28 32 bf f9 d9 a5-85 e3 62 7a fb e7 2c 54 " (2......bz..,T > 0380 - 7a 45 bc b8 a9 4e ce 9e-9d 87 37 d0 06 4b 06 c7 zE...N....7..K.. > 0390 - 51 d4 27 c9 77 f7 e7 c2-2d ac 3d bb 4e 43 df 69 Q.'.w...-.=.NC.i > 03a0 - b8 54 8c 80 4e 86 d7 a0-86 3a c2 a3 7d 15 ab 31 .T..N....:..}..1 > 03b0 - 3f 19 6a d7 09 bb 89 5b-ce 30 83 33 4c 7a bc 5c ?.j....[.0.3Lz.\ > 03c0 - 00 03 66 30 82 03 62 30-82 02 cb a0 03 02 01 02 ..f0..b0........ > 03d0 - 02 01 00 30 0d 06 09 2a-86 48 86 f7 0d 01 01 04 ...0...*.H...... > 03e0 - 05 00 30 81 83 31 0b 30-09 06 03 55 04 06 13 02 ..0..1.0...U.... > 03f0 - 49 4c 31 0f 30 0d 06 03-55 04 08 13 06 49 73 72 IL1.0...U....Isr > 0400 - 61 65 6c 31 10 30 0e 06-03 55 04 07 13 07 54 65 ael1.0...U....Te > 0410 - 6c 41 76 69 76 31 11 30-0f 06 03 55 04 0a 13 08 lAviv1.0...U.... > 0420 - 4e 65 73 73 20 4c 74 64-31 0e 30 0c 06 03 55 04 Ness Ltd1.0...U. > 0430 - 0b 13 05 4c 4d 41 44 53-31 0e 30 0c 06 03 55 04 ...LMADS1.0...U. > 0440 - 03 13 05 59 6f 72 61 6d-31 1e 30 1c 06 09 2a 86 ...Yoram1.0...*. > 0450 - 48 86 f7 0d 01 09 01 16-0f 79 6f 72 61 6d 40 62 H........yoram at b > 0460 - 61 6d 61 6d 2e 63 6f 6d-30 1e 17 0d 30 37 30 33 amam.com0...0703 > 0470 - 32 39 31 33 35 31 33 34-5a 17 0d 30 38 30 33 32 29135134Z..08032 > 0480 - 38 31 33 35 31 33 34 5a-30 81 83 31 0b 30 09 06 8135134Z0..1.0.. > 0490 - 03 55 04 06 13 02 49 4c-31 0f 30 0d 06 03 55 04 .U....IL1.0...U. > 04a0 - 08 13 06 49 73 72 61 65-6c 31 10 30 0e 06 03 55 ...Israel1.0...U > 04b0 - 04 07 13 07 54 65 6c 41-76 69 76 31 11 30 0f 06 ....TelAviv1.0.. > 04c0 - 03 55 04 0a 13 08 4e 65-73 73 20 4c 74 64 31 0e .U....Ness Ltd1. > 04d0 - 30 0c 06 03 55 04 0b 13-05 4c 4d 41 44 53 31 0e 0...U....LMADS1. 
> 04e0 - 30 0c 06 03 55 04 03 13-05 59 6f 72 61 6d 31 1e 0...U....Yoram1. > 04f0 - 30 1c 06 09 2a 86 48 86-f7 0d 01 09 01 16 0f 79 0...*.H........y > 0500 - 6f 72 61 6d 40 62 61 6d-61 6d 2e 63 6f 6d 30 81 oram at bamam.com0. > 0510 - 9f 30 0d 06 09 2a 86 48-86 f7 0d 01 01 01 05 00 .0...*.H........ > 0520 - 03 81 8d 00 30 81 89 02-81 81 00 a1 9c f4 b7 8b ....0........... > 0530 - 80 35 c5 b7 60 73 da bb-01 7d 33 36 74 1f 67 5d .5..`s...}36t.g] > 0540 - eb ff b5 ca 79 1a 1b 3a-9d ce da 62 4c c8 19 0b ....y..:...bL... > 0550 - 80 e0 7c 4a 4f bb 8f 59-05 b7 a8 c2 ae 5b fe 7c ..|JO..Y.....[.| > 0560 - 74 91 e5 cf d3 54 3b 4e-88 24 50 84 24 b2 16 d8 t....T;N.$P.$... > 0570 - 9c 1d bd 8c 31 8b d7 28-df 06 24 a8 e1 76 b7 72 ....1..(..$..v.r > 0580 - ee 37 75 e2 89 84 b7 ed-51 76 2c b3 1a eb 6c 5c .7u.....Qv,...l\ > 0590 - 64 87 7d 3a 12 39 4b c0-23 fa a8 63 0e a0 77 c8 d.}:.9K.#..c..w. > 05a0 - 4d M > read from 00675450 [0067BA58] (640 bytes => 640 (0x280)) > 0000 - 9c b7 59 cc 06 a3 ad 79-6c 53 02 03 01 00 01 a3 ..Y....ylS...... > 0010 - 81 e3 30 81 e0 30 1d 06-03 55 1d 0e 04 16 04 14 ..0..0...U...... > 0020 - 26 9a 3c 03 60 32 a4 25-36 ce 56 ae 33 a1 30 45 &.<.`2.%6.V.3.0E > 0030 - e2 85 27 a2 30 81 b0 06-03 55 1d 23 04 81 a8 30 ..'.0....U.#...0 > 0040 - 81 a5 80 14 26 9a 3c 03-60 32 a4 25 36 ce 56 ae ....&.<.`2.%6.V. > 0050 - 33 a1 30 45 e2 85 27 a2-a1 81 89 a4 81 86 30 81 3.0E..'.......0. > 0060 - 83 31 0b 30 09 06 03 55-04 06 13 02 49 4c 31 0f .1.0...U....IL1. > 0070 - 30 0d 06 03 55 04 08 13-06 49 73 72 61 65 6c 31 0...U....Israel1 > 0080 - 10 30 0e 06 03 55 04 07-13 07 54 65 6c 41 76 69 .0...U....TelAvi > 0090 - 76 31 11 30 0f 06 03 55-04 0a 13 08 4e 65 73 73 v1.0...U....Ness > 00a0 - 20 4c 74 64 31 0e 30 0c-06 03 55 04 0b 13 05 4c Ltd1.0...U....L > 00b0 - 4d 41 44 53 31 0e 30 0c-06 03 55 04 03 13 05 59 MADS1.0...U....Y > 00c0 - 6f 72 61 6d 31 1e 30 1c-06 09 2a 86 48 86 f7 0d oram1.0...*.H... 
> 00d0 - 01 09 01 16 0f 79 6f 72-61 6d 40 62 61 6d 61 6d .....yoram at bamam > 00e0 - 2e 63 6f 6d 82 01 00 30-0c 06 03 55 1d 13 04 05 .com...0...U.... > 00f0 - 30 03 01 01 ff 30 0d 06-09 2a 86 48 86 f7 0d 01 0....0...*.H.... > 0100 - 01 04 05 00 03 81 81 00-39 46 ea ff b6 f0 6f 69 ........9F....oi > 0110 - e4 69 d5 bd a6 d5 86 be-a5 91 a2 53 46 75 db c6 .i.........SFu.. > 0120 - 5f 60 a1 f8 dc b2 54 27-d5 e6 d5 e1 ad d6 08 cd _`....T'........ > 0130 - 42 5a 07 e7 e3 4f 0b 45-23 47 36 98 3e b1 be 09 BZ...O.E#G6.>... > 0140 - 12 fe bc 50 e4 1a 93 6d-4a aa d5 56 f4 40 94 26 ...P...mJ..V. at .& > 0150 - 69 b9 a1 21 3c 04 46 17-84 4b 96 88 1c 20 9b 9a i..!<.F..K... .. > 0160 - 5b 6d 33 d6 4d ce 64 1d-15 85 78 3c 2a 1f 33 38 [m3.M.d...x<*.38 > 0170 - 96 39 58 39 88 ba 36 cc-af ce 8c 40 fc 45 5a b1 .9X9..6.... at .EZ. > 0180 - 65 ba 8c 15 24 d1 52 b6-0d 00 00 f0 02 01 02 00 e...$.R......... > 0190 - eb 00 61 30 5f 31 0b 30-09 06 03 55 04 06 13 02 ..a0_1.0...U.... > 01a0 - 55 53 31 20 30 1e 06 03-55 04 0a 13 17 52 53 41 US1 0...U....RSA > 01b0 - 20 44 61 74 61 20 53 65-63 75 72 69 74 79 2c 20 Data Security, > 01c0 - 49 6e 63 2e 31 2e 30 2c-06 03 55 04 0b 13 25 53 Inc.1.0,..U...%S > 01d0 - 65 63 75 72 65 20 53 65-72 76 65 72 20 43 65 72 ecure Server Cer > 01e0 - 74 69 66 69 63 61 74 69-6f 6e 20 41 75 74 68 6f tification Autho > 01f0 - 72 69 74 79 00 86 30 81-83 31 0b 30 09 06 03 55 rity..0..1.0...U > 0200 - 04 06 13 02 49 4c 31 0f-30 0d 06 03 55 04 08 13 ....IL1.0...U... > 0210 - 06 49 73 72 61 65 6c 31-10 30 0e 06 03 55 04 07 .Israel1.0...U.. > 0220 - 13 07 54 65 6c 41 76 69-76 31 11 30 0f 06 03 55 ..TelAviv1.0...U > 0230 - 04 0a 13 08 4e 65 73 73-20 4c 74 64 31 0e 30 0c ....Ness Ltd1.0. > 0240 - 06 03 55 04 0b 13 05 4c-4d 41 44 53 31 0e 30 0c ..U....LMADS1.0. > 0250 - 06 03 55 04 03 13 05 59-6f 72 61 6d 31 1e 30 1c ..U....Yoram1.0. > 0260 - 06 09 2a 86 48 86 f7 0d-01 09 01 16 0f 79 6f 72 ..*.H........yor > 0270 - 61 6d 40 62 61 6d 61 6d-2e 63 6f 6d 0e am at bamam.com. 
> 0280 - > depth=1 /C=IL/ST=Israel/L=TelAviv/O=Ness Ltd/OU=LMADS/CN=Yoram/emailAddress=yoram at bamam.com > verify error:num=19:self signed certificate in certificate chain > verify return:0 > write to 00675450 [00687150] (12 bytes => 12 (0xC)) > 0000 - 16 03 01 00 07 0b 00 00-03 ......... > 000c - > write to 00675450 [00687150] (139 bytes => 139 (0x8B)) > 0000 - 16 03 01 00 86 10 00 00-82 00 80 37 d0 c6 7a 6b ...........7..zk > 0010 - 54 18 16 df d0 6f 90 8f-b1 8a 45 45 7f 15 47 04 T....o....EE..G. > 0020 - 10 ba 23 1a f9 f7 54 50-05 ee 4c e9 79 fe 31 1a ..#...TP..L.y.1. > 0030 - e2 c1 4a e9 f5 e2 b9 e1-d5 17 e6 e8 28 a9 ee 76 ..J.........(..v > 0040 - b9 ce 5f 59 68 62 a3 8c-07 ee e0 0e 91 b4 df 0d .._Yhb.......... > 0050 - 71 9b ce 38 d2 4b 3d d9-c4 1f e9 74 0e 96 c5 cb q..8.K=....t.... > 0060 - d3 12 57 6c 9a 0c 3b fd-83 3a e4 fd a6 2a ee 8c ..Wl..;..:...*.. > 0070 - e1 67 eb d2 11 3b 6a 03-9c a0 73 38 10 76 89 f0 .g...;j...s8.v.. > 0080 - 81 03 dd 91 4d 43 7d 99-f4 a4 b6 ....MC}.... > write to 00675450 [00687150] (6 bytes => 6 (0x6)) > 0000 - 14 03 01 00 01 01 ...... > write to 00675450 [00687150] (53 bytes => 53 (0x35)) > 0000 - 16 03 01 00 30 09 40 51-48 34 87 0b 53 20 ff 0d ....0. at QH4..S .. > 0010 - 2f 7c 96 04 a6 cc 0d bf-4a 76 b1 4e 4d bb fa 39 /|......Jv.NM..9 > 0020 - 4b 60 6e 47 3e 87 41 77-9c a2 e3 7b 1b 36 0e 9e K`nG>.Aw...{.6.. > 0030 - c6 4c 74 eb 7a .Lt.z > read from 00675450 [0067B4B0] (5 bytes => 5 (0x5)) > 0000 - 14 03 01 00 01 ..... > read from 00675450 [0067B4B5] (1 bytes => 1 (0x1)) > 0000 - 01 . > read from 00675450 [0067B4B0] (5 bytes => 5 (0x5)) > 0000 - 16 03 01 00 30 ....0 > read from 00675450 [0067B4B5] (48 bytes => 48 (0x30)) > 0000 - 75 da a7 8d 28 fb 5d c1-b5 04 0a 9e c1 00 d1 19 u...(.]......... > 0010 - 9f 74 ff 44 38 4b f3 57-73 e7 f4 0f d1 8b 9c a5 .t.D8K.Ws....... > 0020 - 92 39 22 4d 7e 78 c9 66-ff d4 48 81 8a 15 2b e1 .9"M~x.f..H...+. 
> ---
> Certificate chain
>  0 s:/C=IL/ST=Israel/O=Ness Ltd/OU=LMADS/CN=r1-ows-07.rocaf.org
>    i:/C=IL/ST=Israel/L=TelAviv/O=Ness Ltd/OU=LMADS/CN=Yoram/emailAddress=yoram at bamam.com
>  1 s:/C=IL/ST=Israel/L=TelAviv/O=Ness Ltd/OU=LMADS/CN=Yoram/emailAddress=yoram at bamam.com
>    i:/C=IL/ST=Israel/L=TelAviv/O=Ness Ltd/OU=LMADS/CN=Yoram/emailAddress=yoram at bamam.com
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIDajCCAtOgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgzELMAkGA1UEBhMCSUwx
> DzANBgNVBAgTBklzcmFlbDEQMA4GA1UEBxMHVGVsQXZpdjERMA8GA1UEChMITmVz
> cyBMdGQxDjAMBgNVBAsTBUxNQURTMQ4wDAYDVQQDEwVZb3JhbTEeMBwGCSqGSIb3
> DQEJARYPeW9yYW1AYmFtYW0uY29tMB4XDTA3MDMyOTEzNTE1NVoXDTA4MDMyODEz
> NTE1NVowXzELMAkGA1UEBhMCSUwxDzANBgNVBAgTBklzcmFlbDERMA8GA1UEChMI
> TmVzcyBMdGQxDjAMBgNVBAsTBUxNQURTMRwwGgYDVQQDExNyMS1vd3MtMDcucm9j
> YWYub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFEjEo4t7GSj1Zftjy
> xF7KAGoIUsFYzjo43Fh9C8mDXZ53vAmfxG5aVBn/ez8Ua0BR7UK6NNiJSQchK4lP
> v5xcFRthAx8vlbMjG2/CqaIhF6tiEO8nJ67YRoRLhrbyjbE+RQ0WGo6ZkG2kXm6a
> 9vK10PvLwuzwo3pbIFkCABOADwIDAQABo4IBDzCCAQswCQYDVR0TBAIwADAsBglg
> hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O
> BBYEFPhy2suv0tjhGBfsnoAQidETB6bjMIGwBgNVHSMEgagwgaWAFCaaPANgMqQl
> Ns5WrjOhMEXihSeioYGJpIGGMIGDMQswCQYDVQQGEwJJTDEPMA0GA1UECBMGSXNy
> YWVsMRAwDgYDVQQHEwdUZWxBdml2MREwDwYDVQQKEwhOZXNzIEx0ZDEOMAwGA1UE
> CxMFTE1BRFMxDjAMBgNVBAMTBVlvcmFtMR4wHAYJKoZIhvcNAQkBFg95b3JhbUBi
> YW1hbS5jb22CAQAwDQYJKoZIhvcNAQEEBQADgYEAiDityOTfyYVoL+aL0B83/cR9
> DMoBX1j7PQDU8NDz/rvlf+JEb4xDep/M1muFQJwEIiAoMr/52aWF42J6++csVHpF
> vLipTs6enYc30AZLBsdR1CfJd/fnwi2sPbtOQ99puFSMgE6G16CGOsKjfRWrMT8Z
> atcJu4lbzjCDM0x6vFw=
> -----END CERTIFICATE-----
> subject=/C=IL/ST=Israel/O=Ness Ltd/OU=LMADS/CN=r1-ows-07.rocaf.org
> issuer=/C=IL/ST=Israel/L=TelAviv/O=Ness Ltd/OU=LMADS/CN=Yoram/emailAddress=yoram at bamam.com
> ---
> Acceptable client certificate CA names
> /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
> /C=IL/ST=Israel/L=TelAviv/O=Ness Ltd/OU=LMADS/CN=Yoram/emailAddress=yoram at bamam.com
> ---
> SSL handshake has read 2147 bytes and written 352 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 1024 bit
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID: 2292D70EB4AEAADFC283B7072294AF91D82A92DA0CD63ED57AEE8F7F26283A56
>     Session-ID-ctx:
>     Master-Key: 5D9CC7C076BF70BBAECB1BC1588E666C75EB12956F231AF9B3E2F3F4E164AF7BFEEAC912F7482E286F9C819F199FB3E1
>     Key-Arg   : None
>     Krb5 Principal: None
>     Start Time: 1175181192
>     Timeout   : 300 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)
> ---

From rmeggins at redhat.com Mon Apr 2 15:50:20 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 02 Apr 2007 09:50:20 -0600
Subject: [Fedora-directory-users] PSET failure
In-Reply-To: <20070330162035.M51998@mail.txwes.edu>
References: <20070330162035.M51998@mail.txwes.edu>
Message-ID: <4611263C.3050003@redhat.com>

Glenn wrote:
> Hello, again!  I'm trying to install Fedora DS 1.0.4 on Red Hat EL4.
> Everything goes smoothly until I try to enable SSL in the admin server
> console.  When I try to save new settings on the Encryption tab and the
> User DS tab, I get a message, "PSET failure. PSET attribute creation or
> local cache update failed!"
>
> After that, I back out of the admin console without saving changes.
> When I go back into the admin console, the certificate has disappeared
> from the drop-down list.  It sounds like a problem with file
> permissions, but I don't know what files might be involved.
ls -al /opt/fedora-ds/alias
ls -al /opt/fedora-ds/admin-serv/config
> Hoping you can help.  Thanks.  -G.

From rmeggins at redhat.com Mon Apr 2 15:51:26 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 02 Apr 2007 09:51:26 -0600
Subject: [Fedora-directory-users] "Bad Ber Tag Encountered" in log analysis
In-Reply-To: <9C0091F428E697439E7A773FFD083427A92C2A@szexchange.Shopzilla.inc>
References: <9C0091F428E697439E7A773FFD083427A92C2A@szexchange.Shopzilla.inc>
Message-ID: <4611267E.7020307@redhat.com>

Philip Kime wrote:
> I was looking through the logconv.pl output and I see that the
> majority of connection codes are
>
> B1 Bad Ber Tag Encountered
>
> Should I be worried about this?  LDAP seems to be working fine and has
> been for months.
This usually means a client disconnected suddenly or sent some bad packets
to the server.  The server should handle this situation with no problems.
>
> PK
>
> --
> Philip Kime
> NOPS Systems Architect
> 310 401 0407
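Back to the hostname error in the "CA certificate format" thread above. Added example, not code from the thread or from Fedora DS: a stdlib-only Python script that pulls the subject CN and any dNSName SANs out of the server certificate Yoram pasted (the PEM below is copied from his s_client output) and compares them with a hostname the way an RFC 6125 client does. Two things the s_client output does not make obvious: the command connected to `r1-ows-07` without the domain, while the certificate says `CN=r1-ows-07.rocaf.org`, and s_client reports no error for that because it does not check the hostname at all unless asked (`-verify_hostname` in newer OpenSSL releases); `verify error:num=19` only says no `-CAfile` was given. An LDAP client that verifies the peer will reject the short name. The DER walker handles only what certificates use (low tag numbers, definite lengths); the rules that SANs take precedence over the CN and that a wildcard must be the whole leftmost label are assumptions about correct client behaviour, not something the thread states.

```python
# Added example (not from the thread or Fedora DS): RFC 6125 style hostname check.
import base64

# Server certificate copied from the s_client output in the thread.
SERVER_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIDajCCAtOgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgzELMAkGA1UEBhMCSUwx
DzANBgNVBAgTBklzcmFlbDEQMA4GA1UEBxMHVGVsQXZpdjERMA8GA1UEChMITmVz
cyBMdGQxDjAMBgNVBAsTBUxNQURTMQ4wDAYDVQQDEwVZb3JhbTEeMBwGCSqGSIb3
DQEJARYPeW9yYW1AYmFtYW0uY29tMB4XDTA3MDMyOTEzNTE1NVoXDTA4MDMyODEz
NTE1NVowXzELMAkGA1UEBhMCSUwxDzANBgNVBAgTBklzcmFlbDERMA8GA1UEChMI
TmVzcyBMdGQxDjAMBgNVBAsTBUxNQURTMRwwGgYDVQQDExNyMS1vd3MtMDcucm9j
YWYub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFEjEo4t7GSj1Zftjy
xF7KAGoIUsFYzjo43Fh9C8mDXZ53vAmfxG5aVBn/ez8Ua0BR7UK6NNiJSQchK4lP
v5xcFRthAx8vlbMjG2/CqaIhF6tiEO8nJ67YRoRLhrbyjbE+RQ0WGo6ZkG2kXm6a
9vK10PvLwuzwo3pbIFkCABOADwIDAQABo4IBDzCCAQswCQYDVR0TBAIwADAsBglg
hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O
BBYEFPhy2suv0tjhGBfsnoAQidETB6bjMIGwBgNVHSMEgagwgaWAFCaaPANgMqQl
Ns5WrjOhMEXihSeioYGJpIGGMIGDMQswCQYDVQQGEwJJTDEPMA0GA1UECBMGSXNy
YWVsMRAwDgYDVQQHEwdUZWxBdml2MREwDwYDVQQKEwhOZXNzIEx0ZDEOMAwGA1UE
CxMFTE1BRFMxDjAMBgNVBAMTBVlvcmFtMR4wHAYJKoZIhvcNAQkBFg95b3JhbUBi
YW1hbS5jb22CAQAwDQYJKoZIhvcNAQEEBQADgYEAiDityOTfyYVoL+aL0B83/cR9
DMoBX1j7PQDU8NDz/rvlf+JEb4xDep/M1muFQJwEIiAoMr/52aWF42J6++csVHpF
vLipTs6enYc30AZLBsdR1CfJd/fnwi2sPbtOQ99puFSMgE6G16CGOsKjfRWrMT8Z
atcJu4lbzjCDM0x6vFw=
-----END CERTIFICATE-----"""

OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)
OID_SUBJECT_ALT = bytes.fromhex("551d11")  # id-ce-subjectAltName (2.5.29.17)

def pem_to_der(pem):
    body = "".join(line for line in pem.strip().splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)

def _tlv(buf, pos):
    """Read one DER tag and length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend

def subject_names(der):
    """Return (common_names, dns_sans) found in a DER-encoded certificate."""
    _, cert_start, _cert_end = _tlv(der, 0)            # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, cert_start)      # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    cns = []
    for _, rdn_start, rdn_end in _children(der, fields[4][1], fields[4][2]):   # RDN SET
        for _, atv_start, atv_end in _children(der, rdn_start, rdn_end):       # AttributeTypeAndValue
            oid, value = list(_children(der, atv_start, atv_end))[:2]
            if der[oid[1]:oid[2]] == OID_COMMON_NAME:
                cns.append(der[value[1]:value[2]].decode("utf-8", "replace"))
    dns = []
    for tag, ext_start, ext_end in fields[5:]:
        if tag != 0xA3:                                # [3] EXPLICIT extensions
            continue
        _, seq_start, seq_end = next(_children(der, ext_start, ext_end))
        for _, x_start, x_end in _children(der, seq_start, seq_end):
            parts = list(_children(der, x_start, x_end))   # extnID, [critical], extnValue
            if der[parts[0][1]:parts[0][2]] != OID_SUBJECT_ALT:
                continue
            _, gn_start, gn_end = next(_children(der, parts[-1][1], parts[-1][2]))
            for gtag, g_start, g_end in _children(der, gn_start, gn_end):
                if gtag == 0x82:                       # GeneralName dNSName [2] IA5String
                    dns.append(der[g_start:g_end].decode("ascii"))
    return cns, dns

def dns_name_matches(pattern, hostname):
    """Case-insensitive match; a wildcard is allowed only as the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False                                   # no "f*o.example" or "a.*.example"
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False                                   # "*.org" is not a valid wildcard
    return p_labels[1:] == h_labels[1:]

def certificate_matches_host(pem, hostname):
    """True when the certificate names hostname: SANs win, CN only when no SAN exists."""
    cns, dns = subject_names(pem_to_der(pem))
    if dns:
        return any(dns_name_matches(name, hostname) for name in dns)
    return any(dns_name_matches(cn, hostname) for cn in cns)

if __name__ == "__main__":
    for host in ("r1-ows-07.rocaf.org", "r1-ows-07", "R1-OWS-07.ROCAF.ORG."):
        print(host, "->", certificate_matches_host(SERVER_CERT_PEM, host))
```

Running it prints True for the fully qualified name (case and trailing dot do not matter) and False for the bare `r1-ows-07`, which is the mismatch an LDAP client would report. The certificate has no subjectAltName at all, so the CN fallback is what makes the first check pass; current browsers and many TLS libraries no longer consult the CN, so a server certificate issued today should carry the host name as a dNSName SAN.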
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From sys.mailing at gmail.com Mon Apr 2 16:09:38 2007 From: sys.mailing at gmail.com (Bjorn Oglefjorn) Date: Mon, 2 Apr 2007 12:09:38 -0400 Subject: [Fedora-directory-users] Re: Complicated ACI Definitions In-Reply-To: <926ab61b0703300957s6b34b75bjafdee7dd9541f408@mail.gmail.com> References: <926ab61b0703300957s6b34b75bjafdee7dd9541f408@mail.gmail.com> Message-ID: <926ab61b0704020909rf4c16ccnd992770938fe46d5@mail.gmail.com> Here's what I'm starting with: (targetattr = "userPassword" ) (target = "ldap:///dc=example,dc=com") (version 3.0; acl "Support can change passwords"; allow (all) (groupdn = "ldap:///cn=support,ou=groups,dc=example,dc=com");) I just can't figure out how to write the exception. --BO On 3/30/07, Bjorn Oglefjorn wrote: > > Or maybe it's not so complicated and I don't know how. ;) > > This is what I'm trying to accomplish: > > Users who are a member of the group 'cn=support' > can perform ALL operations on 'userPassword', > except on targets which are a member of group 'cn=admins' or 'cn=bosses'. > > > Is this possible? I can't figure out how. Thanks in advance! > --BO > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From rmeggins at redhat.com Mon Apr 2 16:17:49 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 02 Apr 2007 10:17:49 -0600 Subject: [Fedora-directory-users] Re: Complicated ACI Definitions In-Reply-To: <926ab61b0704020909rf4c16ccnd992770938fe46d5@mail.gmail.com> References: <926ab61b0703300957s6b34b75bjafdee7dd9541f408@mail.gmail.com> <926ab61b0704020909rf4c16ccnd992770938fe46d5@mail.gmail.com> Message-ID: <46112CAD.1050005@redhat.com> Bjorn Oglefjorn wrote: > Here's what I'm starting with: > > (targetattr = "userPassword" ) > (target = "ldap:///dc=example,dc=com") > (version 3.0; > acl "Support can change passwords"; > allow (all) > (groupdn = "ldap:///cn=support,ou=groups,dc=example,dc=com");) > > I just can't figure out how to write the exception. You can add a separate deny aci - deny takes precedence over allow. > --BO > > On 3/30/07, * Bjorn Oglefjorn* > wrote: > > Or maybe it's not so complicated and I don't know how. ;) > > This is what I'm trying to accomplish: > > Users who are a member of the group 'cn=support' > can perform ALL operations on 'userPassword', > except on targets which are a member of group 'cn=admins' or > 'cn=bosses'. > > Is this possible? I can't figure out how. Thanks in advance! > --BO > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From sys.mailing at gmail.com Mon Apr 2 16:26:45 2007 From: sys.mailing at gmail.com (Bjorn Oglefjorn) Date: Mon, 2 Apr 2007 12:26:45 -0400 Subject: [Fedora-directory-users] Re: Complicated ACI Definitions In-Reply-To: <46112CAD.1050005@redhat.com> References: <926ab61b0703300957s6b34b75bjafdee7dd9541f408@mail.gmail.com> <926ab61b0704020909rf4c16ccnd992770938fe46d5@mail.gmail.com> <46112CAD.1050005@redhat.com> Message-ID: <926ab61b0704020926t5cb3f1e5y506605a3138777fd@mail.gmail.com> Thanks for the response Richard. This helps some, but how do I target the _members_ of, say 'cn=admins,ou=groups,dc=example,dc=com'? Thanks again, --BO On 4/2/07, Richard Megginson wrote: > > Bjorn Oglefjorn wrote: > > Here's what I'm starting with: > > > > (targetattr = "userPassword" ) > > (target = "ldap:///dc=example,dc=com") > > (version 3.0; > > acl "Support can change passwords"; > > allow (all) > > (groupdn = "ldap:///cn=support,ou=groups,dc=example,dc=com");) > > > > I just can't figure out how to write the exception. > You can add a separate deny aci - deny takes precedence over allow. > > --BO > > > > On 3/30/07, * Bjorn Oglefjorn* > > wrote: > > > > Or maybe it's not so complicated and I don't know how. ;) > > > > This is what I'm trying to accomplish: > > > > Users who are a member of the group 'cn=support' > > can perform ALL operations on 'userPassword', > > except on targets which are a member of group 'cn=admins' or > > 'cn=bosses'. > > > > Is this possible? I can't figure out how. Thanks in advance! 
> > --BO > > > > > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Mon Apr 2 17:14:00 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 02 Apr 2007 11:14:00 -0600 Subject: [Fedora-directory-users] Re: Complicated ACI Definitions In-Reply-To: <926ab61b0704020926t5cb3f1e5y506605a3138777fd@mail.gmail.com> References: <926ab61b0703300957s6b34b75bjafdee7dd9541f408@mail.gmail.com> <926ab61b0704020909rf4c16ccnd992770938fe46d5@mail.gmail.com> <46112CAD.1050005@redhat.com> <926ab61b0704020926t5cb3f1e5y506605a3138777fd@mail.gmail.com> Message-ID: <461139D8.6070601@redhat.com> Bjorn Oglefjorn wrote: > Thanks for the response Richard. This helps some, but how do I target > the _members_ of, say 'cn=admins,ou=groups,dc=example,dc=com'? Hmm - not sure. I don't think this is possible. It doesn't appear that groupdn is supported in a target clause. If all of the entries could be identified by a search filter, you could use a (targetfilter=...) If you use Roles instead of groups, you could use targetfilter=(nsRole=dn_of_role_definition)). > > Thanks again, > --BO > > On 4/2/07, * Richard Megginson* > wrote: > > Bjorn Oglefjorn wrote: > > Here's what I'm starting with: > > > > (targetattr = "userPassword" ) > > (target = "ldap:///dc=example,dc=com") > > (version 3.0; > > acl "Support can change passwords"; > > allow (all) > > (groupdn = "ldap:///cn=support,ou=groups,dc=example,dc=com");) > > > > I just can't figure out how to write the exception. > You can add a separate deny aci - deny takes precedence over allow. 
> > --BO > > > > On 3/30/07, * Bjorn Oglefjorn* > > >> > wrote: > > > > Or maybe it's not so complicated and I don't know how. ;) > > > > This is what I'm trying to accomplish: > > > > Users who are a member of the group 'cn=support' > > can perform ALL operations on 'userPassword', > > except on targets which are a member of group 'cn=admins' or > > 'cn=bosses'. > > > > Is this possible? I can't figure out how. Thanks in advance! > > --BO > > > > > > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Mon Apr 2 18:03:15 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 02 Apr 2007 12:03:15 -0600 Subject: [Fedora-directory-users] ip in ACI bind rules In-Reply-To: <460D4BED.4030909@broadcom.com> References: <460D4BED.4030909@broadcom.com> Message-ID: <46114563.1050906@redhat.com> George Holbert wrote: > I've noticed that the 'ip' keyword in ACI bind rules seems to have no > effect on its own. 
For example, > > This does not deny access to IP 1.2.3.4: > > aci: (version 3.0; acl "Deny 1.2.3.4"; deny(all) (ip = "1.2.3.4");) > > > > But when combined with a userdn clause like this, it works: > > aci: (version 3.0; acl "Deny 1.2.3.4"; deny(all) (userdn = > "ldap:///anyone") and (ip = "1.2.3.4");) > > > > Is this known/expected behavior? > Just want to make sure I'm interpreting this right. Looks like it's probably a bug in the aci code. > > Thanks a lot, > -- George > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Mon Apr 2 18:08:00 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 02 Apr 2007 12:08:00 -0600 Subject: [Fedora-directory-users] The Fedora DS website is now http://directory.fedoraproject.org/ Message-ID: <46114680.4060700@redhat.com> Fedora is moving all of the sites from *.fedora.redhat.com to *.fedoraproject.org. The new site for Fedora DS is http://directory.fedoraproject.org/. Please update your links/bookmarks accordingly. -------------- next part -------------- A non-text attachment was scrubbed... 
From sys.mailing at gmail.com Mon Apr 2 18:26:12 2007
From: sys.mailing at gmail.com (Bjorn Oglefjorn)
Date: Mon, 2 Apr 2007 14:26:12 -0400
Subject: [Fedora-directory-users] Re: Complicated ACI Definitions
In-Reply-To: <461139D8.6070601@redhat.com>
References: <926ab61b0703300957s6b34b75bjafdee7dd9541f408@mail.gmail.com> <926ab61b0704020909rf4c16ccnd992770938fe46d5@mail.gmail.com> <46112CAD.1050005@redhat.com> <926ab61b0704020926t5cb3f1e5y506605a3138777fd@mail.gmail.com> <461139D8.6070601@redhat.com>
Message-ID: <926ab61b0704021126x3cac4bc0w6603f7e21cf96897@mail.gmail.com>

That's a shame. Thanks for the push in the right direction though.
--BO

On 4/2/07, Richard Megginson wrote:
>
> Bjorn Oglefjorn wrote:
> > Thanks for the response Richard. This helps some, but how do I target
> > the _members_ of, say 'cn=admins,ou=groups,dc=example,dc=com'?
> Hmm - not sure. I don't think this is possible. It doesn't appear that
> groupdn is supported in a target clause. If all of the entries could be
> identified by a search filter, you could use a (targetfilter=...) If
> you use Roles instead of groups, you could use
> targetfilter=(nsRole=dn_of_role_definition)).
> >
> > Thanks again,
> > --BO
> >
> > On 4/2/07, Richard Megginson wrote:
> >
> >     Bjorn Oglefjorn wrote:
> >     > Here's what I'm starting with:
> >     >
> >     > (targetattr = "userPassword" )
> >     > (target = "ldap:///dc=example,dc=com")
> >     > (version 3.0;
> >     > acl "Support can change passwords";
> >     > allow (all)
> >     > (groupdn = "ldap:///cn=support,ou=groups,dc=example,dc=com");)
> >     >
> >     > I just can't figure out how to write the exception.
> >     You can add a separate deny aci - deny takes precedence over allow.
> >     > --BO
> >     >
> >     > On 3/30/07, Bjorn Oglefjorn wrote:
> >     >
> >     >     Or maybe it's not so complicated and I don't know how.
> >     >     ;)
> >     >
> >     >     This is what I'm trying to accomplish:
> >     >
> >     >     Users who are a member of the group 'cn=support'
> >     >     can perform ALL operations on 'userPassword',
> >     >     except on targets which are a member of group 'cn=admins' or
> >     >     'cn=bosses'.
> >     >
> >     >     Is this possible? I can't figure out how. Thanks in advance!
> >     >     --BO

From Victor.Rodriguez at gribbles.com.au Tue Apr 3 06:07:14 2007
From: Victor.Rodriguez at gribbles.com.au (Victor Rodriguez)
Date: Tue, 3 Apr 2007 16:07:14 +1000
Subject: [Fedora-directory-users] Two different suffixes, only one search...
Message-ID:

Good Afternoon:

With respect to this:

Richard wrote:
>Note that you can configure more than one LDAP server in the
>nsfarmserverurl attribute of your chaining backend configuration - see
>the docs.

I have read the docs, but I have a question: Can I configure another ldap server even if it is in a different domain?
Example:

Chain 1 suffix : o=domain1   network1
Chain 2 suffix : o=domain2   network2

When I try to connect an ldap client I need to specify one of these suffixes, but I would like the search for a contact to occur on both suffixes. How can I do that?

Regards,

Victor

From labinfo.suporte at unifacs.br Tue Apr 3 12:49:17 2007
From: labinfo.suporte at unifacs.br (Paulo Estrela - Suporte LabInfo UNIFACS)
Date: Tue, 3 Apr 2007 09:49:17 -0300
Subject: [Fedora-directory-users] Create users using scripting language
Message-ID: <001e01c775ee$7e4ab540$fc001cac@labinfo.unifacs.br>

Hi,

Does somebody know how I can create users using a script language like perl, python or php? On Windows I always did this with vbscript and ADSI. Is there a similar way to do this?
Thanks,

Paulo Estrela

From ABliss at preferredcare.org Tue Apr 3 12:53:07 2007
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Tue, 3 Apr 2007 08:53:07 -0400
Subject: [Fedora-directory-users] Create users using scripting language
In-Reply-To: <001e01c775ee$7e4ab540$fc001cac@labinfo.unifacs.br>
References: <001e01c775ee$7e4ab540$fc001cac@labinfo.unifacs.br>
Message-ID:

Yep, you can use batch scripting calling the ldap* tools....

Aaron

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Paulo Estrela - Suporte LabInfo UNIFACS
Sent: Tuesday, April 03, 2007 8:49 AM
To: General discussion list for the Fedora Directory server project.
Subject: [Fedora-directory-users] Create users using scripting language

Hi,

Does somebody know how I can create users using a script language like perl, python or php? On Windows I always did this with vbscript and ADSI. Is there a similar way to do this?

Thanks,

Paulo Estrela

Confidentiality Notice:
The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.
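The two threads above (the "Complicated ACI Definitions" exchange, where the suggestion was to keep the allow ACI for cn=support and add a separate deny ACI that selects the protected entries with a targetfilter on nsRole, and this question about creating users from a script) can both be served by one small standard-library Python helper that writes RFC 2849 LDIF for the ldap* command-line tools Aaron mentions. This is an added example by the editor, not code from the list, from Fedora DS or from python-ldap; the suffix dc=example,dc=com and the support group DN come from the ACI thread, while ou=people, the role DNs under ou=roles and the ldapmodify invocation in the docstring are assumptions made for illustration.

```python
"""Build LDIF for Fedora DS from a script, with the standard library only.

Editor's added example for this thread (not code from the list, from
Fedora DS or from python-ldap). The records it prints are plain RFC 2849
LDIF, so they can be piped to OpenLDAP's ldapmodify, e.g.

    python3 mkuser.py | ldapmodify -ZZ -H ldap://ds.example.com \\
        -D "cn=Directory Manager" -y /root/.dmpw

Assumed for illustration: ou=people,dc=example,dc=com as the user
container, role DNs under ou=roles,dc=example,dc=com, and the host and
password file in the command above.
"""
import base64
import re

# RFC 2849 SAFE-STRING: a value is written as 'attr: value' only if it is
# ASCII without NUL/CR/LF, does not start with space, ':' or '<' and does
# not end with a space; anything else is written base64 as 'attr:: ...'.
_SAFE_VALUE = re.compile(
    rb"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]"
    rb"[\x01-\x09\x0b\x0c\x0e-\x7f]*"
)


def ldif_attr(name, value, width=76):
    """One LDIF attribute, folded at `width` with RFC 2849 continuation lines."""
    raw = value.encode("utf-8") if isinstance(value, str) else value
    if _SAFE_VALUE.fullmatch(raw) and not raw.endswith(b" "):
        line = name + ": " + raw.decode("ascii")
    else:
        line = name + ":: " + base64.b64encode(raw).decode("ascii")
    folded, rest = [line[:width]], line[width:]
    while rest:  # continuation lines start with exactly one space
        folded.append(" " + rest[: width - 1])
        rest = rest[width - 1 :]
    return "\n".join(folded)


def add_user_ldif(uid, cn, sn, password, base="ou=people,dc=example,dc=com"):
    """'changetype: add' record for an inetOrgPerson.

    userPassword is sent in clear inside the record (Fedora DS hashes it on
    write with its configured storage scheme), so the connection carrying
    this LDIF must be TLS-protected (-ZZ or ldaps://).
    """
    attrs = [
        ("dn", "uid=%s,%s" % (uid, base)),
        ("changetype", "add"),
        ("objectClass", "top"),
        ("objectClass", "person"),
        ("objectClass", "organizationalPerson"),
        ("objectClass", "inetOrgPerson"),
        ("uid", uid),
        ("cn", cn),
        ("sn", sn),
        ("userPassword", password),
    ]
    return "\n".join(ldif_attr(n, v) for n, v in attrs) + "\n"


SUFFIX = "dc=example,dc=com"
SUPPORT_GROUP = "cn=support,ou=groups," + SUFFIX


def support_password_acis(protected_roles):
    """The allow ACI from the thread plus the deny exception suggested in
    reply. Deny takes precedence over allow, and because groupdn is not
    accepted in a target clause the protected entries are picked out with
    a targetfilter on nsRole: 'admins' and 'bosses' therefore have to be
    roles (or otherwise matchable by a search filter), not plain groups.
    The deny binds on the same support group, so it removes only support's
    access and does not stop an admin from changing their own password."""
    allow = (
        '(targetattr = "userPassword")'
        '(target = "ldap:///%s")'
        '(version 3.0; acl "Support can change passwords"; '
        'allow (all) (groupdn = "ldap:///%s");)'
    ) % (SUFFIX, SUPPORT_GROUP)
    role_filter = "(|%s)" % "".join("(nsRole=%s)" % dn for dn in protected_roles)
    deny = (
        '(targetattr = "userPassword")'
        '(target = "ldap:///%s")'
        '(targetfilter = "%s")'
        '(version 3.0; acl "Support cannot change admin or boss passwords"; '
        'deny (all) (groupdn = "ldap:///%s");)'
    ) % (SUFFIX, role_filter, SUPPORT_GROUP)
    return allow, deny


def aci_modify_ldif(acis, dn=SUFFIX):
    """'changetype: modify' record adding each ACI to the suffix entry."""
    lines = [ldif_attr("dn", dn), "changetype: modify", "add: aci"]
    lines += [ldif_attr("aci", a) for a in acis]
    return "\n".join(lines) + "\n-\n"


if __name__ == "__main__":
    roles = ["cn=admins,ou=roles," + SUFFIX, "cn=bosses,ou=roles," + SUFFIX]
    print(add_user_ldif("bob", "Bob Smith", "Smith", "correct horse battery"))
    print(aci_modify_ldif(support_password_acis(roles)))
```

Two points of hygiene when this is wired into a real job: the userPassword value travels in clear inside the LDIF, so the ldapmodify connection must be StartTLS (-ZZ) or ldaps://, never plain ldap://; and the bind password belongs in a file read with -y rather than on the command line, where every local user can read it from the process list. Entries that need a value with non-ASCII characters or a leading space are written base64-encoded by ldif_attr, which is what the ldap* tools expect.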
From rmeggins at redhat.com Tue Apr 3 13:31:20 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 03 Apr 2007 07:31:20 -0600
Subject: [Fedora-directory-users] Create users using scripting language
In-Reply-To:
References: <001e01c775ee$7e4ab540$fc001cac@labinfo.unifacs.br>
Message-ID: <46125728.3030107@redhat.com>

Bliss, Aaron wrote:
> Yep, you can use batch scripting calling the ldap* tools....
>
I strongly encourage you to use a scripting language not only for user/group management but also for general server management. If you are already familiar with a scripting language, inquire about LDAP support/modules. Most scripting languages have LDAP support (perl, ruby, python, tcl, etc.). If you're not already familiar with any of these, I suggest using python and python-ldap. It may seem daunting at first, but once you realize the power and flexibility you can achieve, you'll be glad you did, especially if you will be doing a lot of LDAP and related system administration work.

> Aaron
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Paulo
> Estrela - Suporte LabInfo UNIFACS
> Sent: Tuesday, April 03, 2007 8:49 AM
> To: General discussion list for the Fedora Directory server project.
> Subject: [Fedora-directory-users] Create users using scripting language
>
> Hi,
>
> Does somebody know how I can create users using a script language like perl,
> python or php? On Windows I always did this with vbscript and ADSI. Is
> there a similar way to do this?
>
> Thanks,
>
> Paulo Estrela

From Justin.Crawford at cusys.edu Tue Apr 3 13:31:48 2007
From: Justin.Crawford at cusys.edu (Justin Crawford)
Date: Tue, 3 Apr 2007 07:31:48 -0600
Subject: [Fedora-directory-users] Create users using scripting language
References: <001e01c775ee$7e4ab540$fc001cac@labinfo.unifacs.br>
Message-ID: <7315857F21D51B449CC55ADE3A56831817EE91@ex2k3.ad.cusys.edu>

As previously mentioned, you can script calls to command-line utilities such as ldapmodify. Or, if you prefer, most languages these days have one or more full-featured LDAP libraries. Some of these libraries depend on external LDAP binaries; these two do not:

Ruby Net/LDAP is a pure ruby LDAP library. Adding a user with it is shown here:
http://www.gemjack.com/gems/ruby-net-ldap-0.0.4/classes/Net/LDAP.html#M000027

Perl Net::LDAP is a pure perl LDAP library. Adding a user with it is shown here:
http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod#SYNOPSIS

We use the former; for more than a year in production, it's been bulletproof.

Justin

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com on behalf of Paulo Estrela - Suporte LabInfo UNIFACS
Sent: Tue 4/3/2007 6:49 AM
To: General discussion list for the Fedora Directory server project.
Subject: [Fedora-directory-users] Create users using scripting language

Hi,

Does somebody know how I can create users using a script language like perl, python or php? On Windows I always did this with vbscript and ADSI. Is there a similar way to do this?

Thanks,

Paulo Estrela

-------------- next part --------------
A non-text attachment was scrubbed...
Name: winmail.dat
Type: application/ms-tnef
Size: 3527 bytes
Desc: not available
URL:

From GCopeland at efjohnson.com Tue Apr 3 15:46:02 2007
From: GCopeland at efjohnson.com (Greg Copeland)
Date: Tue, 3 Apr 2007 10:46:02 -0500
Subject: [Fedora-directory-users] Create Browsing Index gets stuck
In-Reply-To:
Message-ID: <273A72C669F45B4996896A031B88CCEF6536A7@EFJDFWMX01.EFJDFW.local>

Ah ha! That probably explains how my database magically went RO. It happened right after trying to create a browsing index, which locked up the GUI. I had not associated the two events until now, as I did not immediately realize the database was RO at the time. We had maybe a dozen entries when trying to create the index, so size does not appear to be an issue with the bug.

Cheers,

Greg Copeland

> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Ville Silventoinen
> Sent: Monday, March 26, 2007 5:36 AM
> To: fedora-directory-users at redhat.com
> Subject: [Fedora-directory-users] Create Browsing Index gets stuck
>
> I'm sorry if this has already been discussed or reported as a bug. I tried
> to find the bug report, but couldn't find it so here goes:
>
> Quite often when I have removed all entries and put them back and tried to
> create a Browsing Index with the Console, the Console gets stuck. I have a
> few times left it for hours but nothing happens.
> In this case I deleted
> the previous browsing index from the GUI and tried to create it again for
> People with 1400 entries. The GUI tells me it has done "Adding browsing
> index entries to server" (ticked) but it is still "Creating browsing index
> in server" (not ticked). It stays in this window forever. The "Server
> status for creating browsing index" window is empty.
>
> I cannot see any error messages in slapd-HOSTNAME/logs/errors or
> admin-serv/logs/error log. The startconsole terminal doesn't show any Java
> exceptions. Is there anywhere else I could look for clues?
>
> If I force the window to close, the database goes to read-only mode. I
> close the Console, shut down the slapd, change the database back to
> read-write mode and restart everything. The Console shows the index has
> been created, but if I look at the slapd-HOSTNAME/db/ebiRoot/ directory, I
> cannot see a vlv#bymccoupeopledcebidcacdcuk.db4 file, so I guess the
> index doesn't really exist? With just 1400 entries it's difficult to tell.
>
> Sometimes I do get the index created, but quite often not.
>
> I'm using Fedora DS 1.0.4 on CentOS 4.4 with the following JRE:
>
> Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_09-b01)
> Java HotSpot(TM) Server VM (build 1.5.0_09-b01, mixed mode)
>
> Thanks for any help!
>
> Ville

From glenn at mail.txwes.edu Tue Apr 3 19:42:54 2007
From: glenn at mail.txwes.edu (Glenn)
Date: Tue, 3 Apr 2007 13:42:54 -0600
Subject: [Fedora-directory-users] SSL Trouble - Windows Sync
Message-ID: <20070403193115.M81317@mail.txwes.edu>

I'm trying to get Windows Sync working between Fedora DS 1.0.4 and Active Directory. When I try to create the Windows Sync Agreement, it says, "Unable to contact Active Directory server".
I gather this means an SSL problem, and indeed when I try to contact the AD server using the ldapsearch command on the DS server, it says, "certificate verify failed". certutil says the CA certificate is included in both the slapd-server-cert8.db and the admin-serv-cert8.db. What else should I check?

Thanks.

- Glenn.

From yoram.kahana at gmail.com Tue Apr 3 19:44:43 2007
From: yoram.kahana at gmail.com (Yoram Kahana)
Date: Tue, 3 Apr 2007 21:44:43 +0200
Subject: [Fedora-directory-users] CA certificate format
In-Reply-To: <461125A1.1020603@redhat.com>
References: <37d92a190703281217i17db4058kc4a12d09102c2afe@mail.gmail.com> <460ABF83.1060106@redhat.com> <37d92a190703290820y295cb056h8a13a09882cb8187@mail.gmail.com> <461125A1.1020603@redhat.com>
Message-ID: <37d92a190704031244v151473c3je723c9ab267a2a9b@mail.gmail.com>

Hi Richard,

Thanks for your answer. This is my problem: I can't see any mismatch.
Do you know of any other possibilities or ways to debug it?

Thanks in advance
Yoram

On 4/2/07, Richard Megginson wrote:
>
> Yoram Kahana wrote:
> > Hi Richard,
> >
> > Indeed it solved one of the problems, I didn't hash the ca certificate
> > in the client side.
> > now i am getting a new message
> >
> > TLS: *hostname does not match CN in peer certificate*
> >
> > ** if i understand the meaning the CN and the hostname are not
> > identical but that's not the situation now.
> >
> The CN in the server cert is CN=r1-ows-07.rocaf.org - the server is
> running on r1-ows-07.rocaf.org?
>
> The error message means there is a mismatch somewhere.
>
> >
> > I have also tried the openssl s_client -debug -connect (the output is
> > enclosed)
> > seems that through the openssl it works fine, where am i wrong?
> > > > Can you see if you have any clue > > great thanks > > Yoram > > > > > > > > On 3/28/07, *Richard Megginson* > > wrote: > > > > Yoram Kahana wrote: > > > Hi > > > > > > Does anyone has an idea on which format should i save the ca > > > certificate in the clients (for SSL communication) ? > > > Is it PEM, DER, BER > > It depends - what client are you trying to configure? Did you see > > this > > - > > > http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients > > > > > > > > > Thanks in advance > > > > > > Yoram > > > > > > ------------------------------------------------------------------------ > > > > > > > > -- > > > Fedora-directory-users mailing list > > > Fedora-directory-users at redhat.com > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > ------------------------------------------------------------------------ > > > > > > openssl s_client -debug -connect r1-ows-07:636 > > CONNECTED(00000003) > > write to 00675450 [00675F50] (142 bytes => 142 (0x8E)) > > 0000 - 80 8c 01 03 01 00 63 00-00 00 20 00 00 39 00 00 ......c... > ..9.. > > 0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 > 8..5............ > > 0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 66 00 > ..3..2../.....f. > > 0030 - 00 05 00 00 04 01 00 80-08 00 80 00 00 63 00 00 > .............c.. > > 0040 - 62 00 00 61 00 00 15 00-00 12 00 00 09 06 00 40 > b..a...........@ > > 0050 - 00 00 65 00 00 64 00 00-60 00 00 14 00 00 11 00 > ..e..d..`....... > > 0060 - 00 08 00 00 06 04 00 80-00 00 03 02 00 80 24 9c > ..............$. > > 0070 - 49 e8 7b b6 bf 6a 36 4a-4a f8 04 25 d9 b8 a7 8e > I.{..j6JJ..%.... > > 0080 - 57 d7 67 c2 3a 6d 72 d0-d9 37 3f f5 ac 07 W.g.:mr..7?... > > read from 00675450 [0067B4B0] (7 bytes => 7 (0x7)) > > 0000 - 16 03 01 08 23 02 ....#. 
> > 0007 - > > read from 00675450 [0067B4B7] (2081 bytes => 1441 (0x5A1)) > > 0000 - 00 46 03 01 00 28 82 f7-c8 e3 77 83 de 5f 86 53 > .F...(....w.._.S > > 0010 - 5d 5a 76 33 04 fe bd a6-b8 02 ee 88 c4 bd e8 6c > ]Zv3...........l > > 0020 - 18 b9 ee f6 20 22 92 d7-0e b4 ae aa df c2 83 b7 .... > ".......... > > 0030 - 07 22 94 af 91 d8 2a 92-da 0c d6 3e d5 7a ee 8f > ."....*....>.z.. > > 0040 - 7f 26 28 3a 56 00 35 00-0b 00 06 dd 00 06 da 00 .&(:V.5........ > . > > 0050 - 03 6e 30 82 03 6a 30 82-02 d3 a0 03 02 01 02 02 > .n0..j0......... > > 0060 - 01 01 30 0d 06 09 2a 86-48 86 f7 0d 01 01 04 05 > ..0...*.H....... > > 0070 - 00 30 81 83 31 0b 30 09-06 03 55 04 06 13 02 49 > .0..1.0...U....I > > 0080 - 4c 31 0f 30 0d 06 03 55-04 08 13 06 49 73 72 61 > L1.0...U....Isra > > 0090 - 65 6c 31 10 30 0e 06 03-55 04 07 13 07 54 65 6c > el1.0...U....Tel > > 00a0 - 41 76 69 76 31 11 30 0f-06 03 55 04 0a 13 08 4e > Aviv1.0...U....N > > 00b0 - 65 73 73 20 4c 74 64 31-0e 30 0c 06 03 55 04 0b ess Ltd1.0...U. > . > > 00c0 - 13 05 4c 4d 41 44 53 31-0e 30 0c 06 03 55 04 03 > ..LMADS1.0...U.. > > 00d0 - 13 05 59 6f 72 61 6d 31-1e 30 1c 06 09 2a 86 48 > ..Yoram1.0...*.H > > 00e0 - 86 f7 0d 01 09 01 16 0f-79 6f 72 61 6d 40 62 61 > ........yoram at ba > > 00f0 - 6d 61 6d 2e 63 6f 6d 30-1e 17 0d 30 37 30 33 32 > mam.com0...07032 > > 0100 - 39 31 33 35 31 35 35 5a-17 0d 30 38 30 33 32 38 > 9135155Z..080328 > > 0110 - 31 33 35 31 35 35 5a 30-5f 31 0b 30 09 06 03 55 > 135155Z0_1.0...U > > 0120 - 04 06 13 02 49 4c 31 0f-30 0d 06 03 55 04 08 13 > ....IL1.0...U... > > 0130 - 06 49 73 72 61 65 6c 31-11 30 0f 06 03 55 04 0a > .Israel1.0...U.. > > 0140 - 13 08 4e 65 73 73 20 4c-74 64 31 0e 30 0c 06 03 ..Ness Ltd1.0.. > . > > 0150 - 55 04 0b 13 05 4c 4d 41-44 53 31 1c 30 1a 06 03 > U....LMADS1.0... 
> > 0160 - 55 04 03 13 13 72 31 2d-6f 77 73 2d 30 37 2e 72 U....r1- > ows-07.r > > 0170 - 6f 63 61 66 2e 6f 72 67-30 81 9f 30 0d 06 09 2a > ocaf.org0..0...* > > 0180 - 86 48 86 f7 0d 01 01 01-05 00 03 81 8d 00 30 81 > .H............0. > > 0190 - 89 02 81 81 00 c5 12 31-28 e2 de c6 4a 3d 59 7e > .......1(...J=Y~ > > 01a0 - d8 f2 c4 5e ca 00 6a 08-52 c1 58 ce 3a 38 dc 58 ...^..j.R.X.: > 8.X > > 01b0 - 7d 0b c9 83 5d 9e 77 bc-09 9f c4 6e 5a 54 19 ff > }...].w....nZT.. > > 01c0 - 7b 3f 14 6b 40 51 ed 42-ba 34 d8 89 49 07 21 2b {?.k@ > Q.B.4..I.!+ > > 01d0 - 89 4f bf 9c 5c 15 1b 61-03 1f 2f 95 b3 23 1b 6f > .O..\..a../..#.o > > 01e0 - c2 a9 a2 21 17 ab 62 10-ef 27 27 ae d8 46 84 4b > ...!..b..''..F.K > > 01f0 - 86 b6 f2 8d b1 3e 45 0d-16 1a 8e 99 90 6d a4 5e > .....>E......m.^ > > 0200 - 6e 9a f6 f2 b5 d0 fb cb-c2 ec f0 a3 7a 5b 20 59 n...........z[ > Y > > 0210 - 02 00 13 80 0f 02 03 01-00 01 a3 82 01 0f 30 82 > ..............0. > > 0220 - 01 0b 30 09 06 03 55 1d-13 04 02 30 00 30 2c 06 > ..0...U....0.0,. > > 0230 - 09 60 86 48 01 86 f8 42-01 0d 04 1f 16 1d 4f 70 > .`.H...B......Op > > 0240 - 65 6e 53 53 4c 20 47 65-6e 65 72 61 74 65 64 20 enSSL Generated > > 0250 - 43 65 72 74 69 66 69 63-61 74 65 30 1d 06 03 55 > Certificate0...U > > 0260 - 1d 0e 04 16 04 14 f8 72-da cb af d2 d8 e1 18 17 > .......r........ > > 0270 - ec 9e 80 10 89 d1 13 07-a6 e3 30 81 b0 06 03 55 > ..........0....U > > 0280 - 1d 23 04 81 a8 30 81 a5-80 14 26 9a 3c 03 60 32 > .#...0....&.<.`2 > > 0290 - a4 25 36 ce 56 ae 33 a1-30 45 e2 85 27 a2 a1 81 > .%6.V.3.0E..'... > > 02a0 - 89 a4 81 86 30 81 83 31-0b 30 09 06 03 55 04 06 > ....0..1.0...U.. > > 02b0 - 13 02 49 4c 31 0f 30 0d-06 03 55 04 08 13 06 49 > ..IL1.0...U....I > > 02c0 - 73 72 61 65 6c 31 10 30-0e 06 03 55 04 07 13 07 srael1.0...U... > . > > 02d0 - 54 65 6c 41 76 69 76 31-11 30 0f 06 03 55 04 0a TelAviv1.0...U. > . > > 02e0 - 13 08 4e 65 73 73 20 4c-74 64 31 0e 30 0c 06 03 ..Ness Ltd1.0.. > . 
> > 02f0 - 55 04 0b 13 05 4c 4d 41-44 53 31 0e 30 0c 06 03 > U....LMADS1.0... > > 0300 - 55 04 03 13 05 59 6f 72-61 6d 31 1e 30 1c 06 09 > U....Yoram1.0... > > 0310 - 2a 86 48 86 f7 0d 01 09-01 16 0f 79 6f 72 61 6d > *.H........yoram > > 0320 - 40 62 61 6d 61 6d 2e 63-6f 6d 82 01 00 30 0d 06 @bamam.com...0. > . > > 0330 - 09 2a 86 48 86 f7 0d 01-01 04 05 00 03 81 81 00 > .*.H............ > > 0340 - 88 38 ad c8 e4 df c9 85-68 2f e6 8b d0 1f 37 fd > .8......h/....7. > > 0350 - c4 7d 0c ca 01 5f 58 fb-3d 00 d4 f0 d0 f3 fe bb > .}..._X.=....... > > 0360 - e5 7f e2 44 6f 8c 43 7a-9f cc d6 6b 85 40 9c 04 > ...Do.Cz...k. at .. > > 0370 - 22 20 28 32 bf f9 d9 a5-85 e3 62 7a fb e7 2c 54 " > (2......bz..,T > > 0380 - 7a 45 bc b8 a9 4e ce 9e-9d 87 37 d0 06 4b 06 c7 > zE...N....7..K.. > > 0390 - 51 d4 27 c9 77 f7 e7 c2-2d ac 3d bb 4e 43 df 69 > Q.'.w...-.=.NC.i > > 03a0 - b8 54 8c 80 4e 86 d7 a0-86 3a c2 a3 7d 15 ab 31 > .T..N....:..}..1 > > 03b0 - 3f 19 6a d7 09 bb 89 5b-ce 30 83 33 4c 7a bc 5c > ?.j....[.0.3Lz.\ > > 03c0 - 00 03 66 30 82 03 62 30-82 02 cb a0 03 02 01 02 > ..f0..b0........ > > 03d0 - 02 01 00 30 0d 06 09 2a-86 48 86 f7 0d 01 01 04 > ...0...*.H...... > > 03e0 - 05 00 30 81 83 31 0b 30-09 06 03 55 04 06 13 02 > ..0..1.0...U.... > > 03f0 - 49 4c 31 0f 30 0d 06 03-55 04 08 13 06 49 73 72 > IL1.0...U....Isr > > 0400 - 61 65 6c 31 10 30 0e 06-03 55 04 07 13 07 54 65 > ael1.0...U....Te > > 0410 - 6c 41 76 69 76 31 11 30-0f 06 03 55 04 0a 13 08 lAviv1.0...U... > . > > 0420 - 4e 65 73 73 20 4c 74 64-31 0e 30 0c 06 03 55 04 Ness Ltd1.0...U > . > > 0430 - 0b 13 05 4c 4d 41 44 53-31 0e 30 0c 06 03 55 04 > ...LMADS1.0...U. > > 0440 - 03 13 05 59 6f 72 61 6d-31 1e 30 1c 06 09 2a 86 > ...Yoram1.0...*. 
> > 0450 - 48 86 f7 0d 01 09 01 16-0f 79 6f 72 61 6d 40 62 > H........yoram at b > > 0460 - 61 6d 61 6d 2e 63 6f 6d-30 1e 17 0d 30 37 30 33 > amam.com0...0703 > > 0470 - 32 39 31 33 35 31 33 34-5a 17 0d 30 38 30 33 32 > 29135134Z..08032 > > 0480 - 38 31 33 35 31 33 34 5a-30 81 83 31 0b 30 09 06 > 8135134Z0..1.0.. > > 0490 - 03 55 04 06 13 02 49 4c-31 0f 30 0d 06 03 55 04 > .U....IL1.0...U. > > 04a0 - 08 13 06 49 73 72 61 65-6c 31 10 30 0e 06 03 55 > ...Israel1.0...U > > 04b0 - 04 07 13 07 54 65 6c 41-76 69 76 31 11 30 0f 06 > ....TelAviv1.0.. > > 04c0 - 03 55 04 0a 13 08 4e 65-73 73 20 4c 74 64 31 0e .U....Ness > Ltd1. > > 04d0 - 30 0c 06 03 55 04 0b 13-05 4c 4d 41 44 53 31 0e > 0...U....LMADS1. > > 04e0 - 30 0c 06 03 55 04 03 13-05 59 6f 72 61 6d 31 1e > 0...U....Yoram1. > > 04f0 - 30 1c 06 09 2a 86 48 86-f7 0d 01 09 01 16 0f 79 > 0...*.H........y > > 0500 - 6f 72 61 6d 40 62 61 6d-61 6d 2e 63 6f 6d 30 81 oram at bamam.com0 > . > > 0510 - 9f 30 0d 06 09 2a 86 48-86 f7 0d 01 01 01 05 00 > .0...*.H........ > > 0520 - 03 81 8d 00 30 81 89 02-81 81 00 a1 9c f4 b7 8b > ....0........... > > 0530 - 80 35 c5 b7 60 73 da bb-01 7d 33 36 74 1f 67 5d > .5..`s...}36t.g] > > 0540 - eb ff b5 ca 79 1a 1b 3a-9d ce da 62 4c c8 19 0b > ....y..:...bL... > > 0550 - 80 e0 7c 4a 4f bb 8f 59-05 b7 a8 c2 ae 5b fe 7c > ..|JO..Y.....[.| > > 0560 - 74 91 e5 cf d3 54 3b 4e-88 24 50 84 24 b2 16 d8 > t....T;N.$P.$... > > 0570 - 9c 1d bd 8c 31 8b d7 28-df 06 24 a8 e1 76 b7 72 > ....1..(..$..v.r > > 0580 - ee 37 75 e2 89 84 b7 ed-51 76 2c b3 1a eb 6c 5c > .7u.....Qv,...l\ > > 0590 - 64 87 7d 3a 12 39 4b c0-23 fa a8 63 0e a0 77 c8 > d.}:.9K.#..c..w. > > 05a0 - 4d M > > read from 00675450 [0067BA58] (640 bytes => 640 (0x280)) > > 0000 - 9c b7 59 cc 06 a3 ad 79-6c 53 02 03 01 00 01 a3 > ..Y....ylS...... > > 0010 - 81 e3 30 81 e0 30 1d 06-03 55 1d 0e 04 16 04 14 > ..0..0...U...... 
> > 0020 - 26 9a 3c 03 60 32 a4 25-36 ce 56 ae 33 a1 30 45 > &.<.`2.%6.V.3.0E > > 0030 - e2 85 27 a2 30 81 b0 06-03 55 1d 23 04 81 a8 30 > ..'.0....U.#...0 > > 0040 - 81 a5 80 14 26 9a 3c 03-60 32 a4 25 36 ce 56 ae > ....&.<.`2.%6.V. > > 0050 - 33 a1 30 45 e2 85 27 a2-a1 81 89 a4 81 86 30 81 3.0E..'.......0 > . > > 0060 - 83 31 0b 30 09 06 03 55-04 06 13 02 49 4c 31 0f > .1.0...U....IL1. > > 0070 - 30 0d 06 03 55 04 08 13-06 49 73 72 61 65 6c 31 > 0...U....Israel1 > > 0080 - 10 30 0e 06 03 55 04 07-13 07 54 65 6c 41 76 69 > .0...U....TelAvi > > 0090 - 76 31 11 30 0f 06 03 55-04 0a 13 08 4e 65 73 73 > v1.0...U....Ness > > 00a0 - 20 4c 74 64 31 0e 30 0c-06 03 55 04 0b 13 05 4c > Ltd1.0...U....L > > 00b0 - 4d 41 44 53 31 0e 30 0c-06 03 55 04 03 13 05 59 > MADS1.0...U....Y > > 00c0 - 6f 72 61 6d 31 1e 30 1c-06 09 2a 86 48 86 f7 0d oram1.0...*.H.. > . > > 00d0 - 01 09 01 16 0f 79 6f 72-61 6d 40 62 61 6d 61 6d > .....yoram at bamam > > 00e0 - 2e 63 6f 6d 82 01 00 30-0c 06 03 55 1d 13 04 05 > .com...0...U.... > > 00f0 - 30 03 01 01 ff 30 0d 06-09 2a 86 48 86 f7 0d 01 > 0....0...*.H.... > > 0100 - 01 04 05 00 03 81 81 00-39 46 ea ff b6 f0 6f 69 > ........9F....oi > > 0110 - e4 69 d5 bd a6 d5 86 be-a5 91 a2 53 46 75 db c6 > .i.........SFu.. > > 0120 - 5f 60 a1 f8 dc b2 54 27-d5 e6 d5 e1 ad d6 08 cd > _`....T'........ > > 0130 - 42 5a 07 e7 e3 4f 0b 45-23 47 36 98 3e b1 be 09 > BZ...O.E#G6.>... > > 0140 - 12 fe bc 50 e4 1a 93 6d-4a aa d5 56 f4 40 94 26 > ...P...mJ..V. at .& > > 0150 - 69 b9 a1 21 3c 04 46 17-84 4b 96 88 1c 20 9b 9a i..!<.F..K... > .. > > 0160 - 5b 6d 33 d6 4d ce 64 1d-15 85 78 3c 2a 1f 33 38 [m3.M.d...x > <*.38 > > 0170 - 96 39 58 39 88 ba 36 cc-af ce 8c 40 fc 45 5a b1 > .9X9..6.... at .EZ. > > 0180 - 65 ba 8c 15 24 d1 52 b6-0d 00 00 f0 02 01 02 00 > e...$.R......... > > 0190 - eb 00 61 30 5f 31 0b 30-09 06 03 55 04 06 13 02 > ..a0_1.0...U.... 
> > 01a0 - 55 53 31 20 30 1e 06 03-55 04 0a 13 17 52 53 41 US1 > 0...U....RSA > > 01b0 - 20 44 61 74 61 20 53 65-63 75 72 69 74 79 2c 20 Data Security, > > 01c0 - 49 6e 63 2e 31 2e 30 2c-06 03 55 04 0b 13 25 53 Inc.1.0 > ,..U...%S > > 01d0 - 65 63 75 72 65 20 53 65-72 76 65 72 20 43 65 72 ecure Server > Cer > > 01e0 - 74 69 66 69 63 61 74 69-6f 6e 20 41 75 74 68 6f tification > Autho > > 01f0 - 72 69 74 79 00 86 30 81-83 31 0b 30 09 06 03 55 > rity..0..1.0...U > > 0200 - 04 06 13 02 49 4c 31 0f-30 0d 06 03 55 04 08 13 > ....IL1.0...U... > > 0210 - 06 49 73 72 61 65 6c 31-10 30 0e 06 03 55 04 07 > .Israel1.0...U.. > > 0220 - 13 07 54 65 6c 41 76 69-76 31 11 30 0f 06 03 55 > ..TelAviv1.0...U > > 0230 - 04 0a 13 08 4e 65 73 73-20 4c 74 64 31 0e 30 0c ....Ness Ltd1.0 > . > > 0240 - 06 03 55 04 0b 13 05 4c-4d 41 44 53 31 0e 30 0c > ..U....LMADS1.0. > > 0250 - 06 03 55 04 03 13 05 59-6f 72 61 6d 31 1e 30 1c > ..U....Yoram1.0. > > 0260 - 06 09 2a 86 48 86 f7 0d-01 09 01 16 0f 79 6f 72 > ..*.H........yor > > 0270 - 61 6d 40 62 61 6d 61 6d-2e 63 6f 6d 0e am at bamam.com. > > 0280 - > > depth=1 /C=IL/ST=Israel/L=TelAviv/O=Ness > Ltd/OU=LMADS/CN=Yoram/emailAddress=yoram at bamam.com > > verify error:num=19:self signed certificate in certificate chain > > verify return:0 > > write to 00675450 [00687150] (12 bytes => 12 (0xC)) > > 0000 - 16 03 01 00 07 0b 00 00-03 ......... > > 000c - > > write to 00675450 [00687150] (139 bytes => 139 (0x8B)) > > 0000 - 16 03 01 00 86 10 00 00-82 00 80 37 d0 c6 7a 6b > ...........7..zk > > 0010 - 54 18 16 df d0 6f 90 8f-b1 8a 45 45 7f 15 47 04 > T....o....EE..G. > > 0020 - 10 ba 23 1a f9 f7 54 50-05 ee 4c e9 79 fe 31 1a > ..#...TP..L.y.1. > > 0030 - e2 c1 4a e9 f5 e2 b9 e1-d5 17 e6 e8 28 a9 ee 76 > ..J.........(..v > > 0040 - b9 ce 5f 59 68 62 a3 8c-07 ee e0 0e 91 b4 df 0d > .._Yhb.......... > > 0050 - 71 9b ce 38 d2 4b 3d d9-c4 1f e9 74 0e 96 c5 cb > q..8.K=....t.... > > 0060 - d3 12 57 6c 9a 0c 3b fd-83 3a e4 fd a6 2a ee 8c > ..Wl..;..:...*.. 
> > 0070 - e1 67 eb d2 11 3b 6a 03-9c a0 73 38 10 76 89 f0 > .g...;j...s8.v.. > > 0080 - 81 03 dd 91 4d 43 7d 99-f4 a4 b6 ....MC}.... > > write to 00675450 [00687150] (6 bytes => 6 (0x6)) > > 0000 - 14 03 01 00 01 01 ...... > > write to 00675450 [00687150] (53 bytes => 53 (0x35)) > > 0000 - 16 03 01 00 30 09 40 51-48 34 87 0b 53 20 ff 0d ....0. at QH4..S > .. > > 0010 - 2f 7c 96 04 a6 cc 0d bf-4a 76 b1 4e 4d bb fa 39 > /|......Jv.NM..9 > > 0020 - 4b 60 6e 47 3e 87 41 77-9c a2 e3 7b 1b 36 0e 9e > K`nG>.Aw...{.6.. > > 0030 - c6 4c 74 eb 7a .Lt.z > > read from 00675450 [0067B4B0] (5 bytes => 5 (0x5)) > > 0000 - 14 03 01 00 01 ..... > > read from 00675450 [0067B4B5] (1 bytes => 1 (0x1)) > > 0000 - 01 . > > read from 00675450 [0067B4B0] (5 bytes => 5 (0x5)) > > 0000 - 16 03 01 00 30 ....0 > > read from 00675450 [0067B4B5] (48 bytes => 48 (0x30)) > > 0000 - 75 da a7 8d 28 fb 5d c1-b5 04 0a 9e c1 00 d1 19 > u...(.]......... > > 0010 - 9f 74 ff 44 38 4b f3 57-73 e7 f4 0f d1 8b 9c a5 > .t.D8K.Ws....... > > 0020 - 92 39 22 4d 7e 78 c9 66-ff d4 48 81 8a 15 2b e1 > .9"M~x.f..H...+. 
> > --- > > Certificate chain > > 0 s:/C=IL/ST=Israel/O=Ness Ltd/OU=LMADS/CN=r1-ows-07.rocaf.org > > i:/C=IL/ST=Israel/L=TelAviv/O=Ness > Ltd/OU=LMADS/CN=Yoram/emailAddress=yoram at bamam.com > > 1 s:/C=IL/ST=Israel/L=TelAviv/O=Ness > Ltd/OU=LMADS/CN=Yoram/emailAddress=yoram at bamam.com > > i:/C=IL/ST=Israel/L=TelAviv/O=Ness > Ltd/OU=LMADS/CN=Yoram/emailAddress=yoram at bamam.com > > --- > > Server certificate > > -----BEGIN CERTIFICATE----- > > MIIDajCCAtOgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgzELMAkGA1UEBhMCSUwx > > DzANBgNVBAgTBklzcmFlbDEQMA4GA1UEBxMHVGVsQXZpdjERMA8GA1UEChMITmVz > > cyBMdGQxDjAMBgNVBAsTBUxNQURTMQ4wDAYDVQQDEwVZb3JhbTEeMBwGCSqGSIb3 > > DQEJARYPeW9yYW1AYmFtYW0uY29tMB4XDTA3MDMyOTEzNTE1NVoXDTA4MDMyODEz > > NTE1NVowXzELMAkGA1UEBhMCSUwxDzANBgNVBAgTBklzcmFlbDERMA8GA1UEChMI > > TmVzcyBMdGQxDjAMBgNVBAsTBUxNQURTMRwwGgYDVQQDExNyMS1vd3MtMDcucm9j > > YWYub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFEjEo4t7GSj1Zftjy > > xF7KAGoIUsFYzjo43Fh9C8mDXZ53vAmfxG5aVBn/ez8Ua0BR7UK6NNiJSQchK4lP > > v5xcFRthAx8vlbMjG2/CqaIhF6tiEO8nJ67YRoRLhrbyjbE+RQ0WGo6ZkG2kXm6a > > 9vK10PvLwuzwo3pbIFkCABOADwIDAQABo4IBDzCCAQswCQYDVR0TBAIwADAsBglg > > hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O > > BBYEFPhy2suv0tjhGBfsnoAQidETB6bjMIGwBgNVHSMEgagwgaWAFCaaPANgMqQl > > Ns5WrjOhMEXihSeioYGJpIGGMIGDMQswCQYDVQQGEwJJTDEPMA0GA1UECBMGSXNy > > YWVsMRAwDgYDVQQHEwdUZWxBdml2MREwDwYDVQQKEwhOZXNzIEx0ZDEOMAwGA1UE > > CxMFTE1BRFMxDjAMBgNVBAMTBVlvcmFtMR4wHAYJKoZIhvcNAQkBFg95b3JhbUBi > > YW1hbS5jb22CAQAwDQYJKoZIhvcNAQEEBQADgYEAiDityOTfyYVoL+aL0B83/cR9 > > DMoBX1j7PQDU8NDz/rvlf+JEb4xDep/M1muFQJwEIiAoMr/52aWF42J6++csVHpF > > vLipTs6enYc30AZLBsdR1CfJd/fnwi2sPbtOQ99puFSMgE6G16CGOsKjfRWrMT8Z > > atcJu4lbzjCDM0x6vFw= > > -----END CERTIFICATE----- > > subject=/C=IL/ST=Israel/O=Ness Ltd/OU=LMADS/CN=r1-ows-07.rocaf.org > > issuer=/C=IL/ST=Israel/L=TelAviv/O=Ness > Ltd/OU=LMADS/CN=Yoram/emailAddress=yoram at bamam.com > > --- > > Acceptable client certificate CA names > > /C=US/O=RSA Data Security, 
Inc./OU=Secure Server Certification Authority > > /C=IL/ST=Israel/L=TelAviv/O=Ness Ltd/OU=LMADS/CN=Yoram/emailAddress=yoram at bamam.com > > --- > > SSL handshake has read 2147 bytes and written 352 bytes > > --- > > New, TLSv1/SSLv3, Cipher is AES256-SHA > > Server public key is 1024 bit > > SSL-Session: > > Protocol : TLSv1 > > Cipher : AES256-SHA > > Session-ID: 2292D70EB4AEAADFC283B7072294AF91D82A92DA0CD63ED57AEE8F7F26283A56 > > Session-ID-ctx: > > Master-Key: 5D9CC7C076BF70BBAECB1BC1588E666C75EB12956F231AF9B3E2F3F4E164AF7BFEEAC912F7482E286F9C819F199FB3E1 > > Key-Arg : None > > Krb5 Principal: None > > Start Time: 1175181192 > > Timeout : 300 (sec) > > Verify return code: 19 (self signed certificate in certificate chain) > > ---
From rmeggins at redhat.com Tue Apr 3 20:55:18 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 03 Apr 2007 14:55:18 -0600 Subject: [Fedora-directory-users] CA certificate format In-Reply-To: <37d92a190704031244v151473c3je723c9ab267a2a9b@mail.gmail.com> References: <37d92a190703281217i17db4058kc4a12d09102c2afe@mail.gmail.com> <460ABF83.1060106@redhat.com> <37d92a190703290820y295cb056h8a13a09882cb8187@mail.gmail.com> <461125A1.1020603@redhat.com> <37d92a190704031244v151473c3je723c9ab267a2a9b@mail.gmail.com> Message-ID: <4612BF36.6030001@redhat.com> Yoram Kahana wrote: > Hi Richard, > > Thanks for your answer, This is my problem, I can't see any mismatch. > Do you know of any other possibilities or ways to debug it? No, sorry.
> > Thanks in advance > Yoram > > On 4/2/07, *Richard Megginson* wrote: > > Yoram Kahana wrote: > > Hi Richard, > > > > Indeed it solved one of the problems, I didn't hash the CA certificate > > in the client side. > > now I am getting a new message > > > > TLS: *hostname does not match CN in peer certificate* > > > > ** if I understand the meaning the CN and the hostname are not > > identical but that's not the situation now. > > > The CN in the server cert is CN=r1-ows-07.rocaf.org - the server is > running on r1-ows-07.rocaf.org? > > The error message means there is a mismatch somewhere. > > > > I have also tried the openssl s_client -debug -connect (the output is > > enclosed) > > seems that through openssl it works fine, where am I wrong? > > > > Can you see if you have any clue > > great thanks > > Yoram > > > > On 3/28/07, *Richard Megginson* < rmeggins at redhat.com > wrote: > > > > Yoram Kahana wrote: > > > Hi > > > > > > Does anyone have an idea on which format I should save the CA > > > certificate in the clients (for SSL communication)? > > > Is it PEM, DER, BER > > It depends - what client are you trying to configure?
Did you see this - > > http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients > > > > > > Thanks in advance > > > > > > Yoram > > > > [quoted copy of the "openssl s_client -debug -connect r1-ows-07:636" output omitted; it is identical to the copy quoted earlier in this thread, ending with "Verify return code: 19 (self signed certificate in certificate chain)"]
From rmeggins at redhat.com Tue Apr 3 21:00:28 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 03 Apr 2007 15:00:28 -0600 Subject: [Fedora-directory-users] Two differents suffix, only one search...
In-Reply-To: References: Message-ID: <4612C06C.704@redhat.com> Victor Rodriguez wrote: > Good Afternoon: > > With respect to this: > > Richard wrote: > >> Note that you can configure more than one LDAP server in the >> nsfarmserverurl attribute of your chaining backend configuration - see >> the docs. >> > > I have read the docs, but I have a question: > > Can I configure another LDAP server even if it is in a different domain? > Yes. > Example: > > Chain 1 suffix : o=domain1 > network1 > > Chain 2 suffix : o=domain2 > network2 > > When I try to connect an LDAP client I need to specify one of these suffixes, but I would like the search for a contact to occur on both suffixes. How can I do that? > I'm not sure. But you cannot have the server search more than one base DN in a search. For example: If you have o=domain1 and o=domain2 as top level suffixes (naming contexts) in your server, you cannot issue one ldapsearch request to search both of these. However, if you can change the base DN that the clients use, you could do something like this:
o=toplevel - a "real" backend
+-o=domain1 - either a referral or a chaining backend
+-o=domain2 - either a referral or a chaining backend
Referrals are the simplest, assuming all of your clients can follow referrals. Then all your clients have to do is search o=toplevel. > Regards, > > Victor
From pkime at Shopzilla.com Wed Apr 4 02:27:40 2007 From: pkime at Shopzilla.com (Philip Kime) Date: Tue, 3 Apr 2007 19:27:40 -0700 Subject: [Fedora-directory-users] Another segfault ... Message-ID: <9C0091F428E697439E7A773FFD083427A92C3C@szexchange.Shopzilla.inc>
Apr 3 13:16:04 hqldap01 kernel: ns-slapd[32384]: segfault at 0000000000000000 rip 0000002a955a580c rsp 0000000040b69ec8 error 4
Any ideas what this might be from the error messages? PK -- Philip Kime NOPS Systems Architect 310 401 0407
From rmeggins at redhat.com Wed Apr 4 02:32:47 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 03 Apr 2007 20:32:47 -0600 Subject: [Fedora-directory-users] Another segfault ... In-Reply-To: <9C0091F428E697439E7A773FFD083427A92C3C@szexchange.Shopzilla.inc> References: <9C0091F428E697439E7A773FFD083427A92C3C@szexchange.Shopzilla.inc> Message-ID: <46130E4F.4070107@redhat.com> Philip Kime wrote: > Apr 3 13:16:04 hqldap01 kernel: ns-slapd[32384]: segfault at 0000000000000000 rip 0000002a955a580c rsp 0000000040b69ec8 error 4 > Any ideas what this might be from the error messages? No. Can you post the last few lines from your errors and access logs?
> > PK > > -- > Philip Kime > NOPS Systems Architect > 310 401 0407
From chaks.yoper at gmail.com Wed Apr 4 05:18:13 2007 From: chaks.yoper at gmail.com (Chakkaradeep C C) Date: Wed, 4 Apr 2007 17:18:13 +1200 Subject: [Fedora-directory-users] Regarding Fedora Clients Authentication to FDS Message-ID: Hi All, I have been trying for many days to get a Fedora machine authenticated via FDS and I am not able to. As far as I see, all the options in nsswitch.conf, the system-auth PAM file and ldap.conf are proper, and the NSS settings are mapped in ldap.conf too. I have also selected the password as Unix Crypt Password in the Directory Server. Moreover, I used authconfig to change the authentication type. I am not sure why my machine is not fetching user names from FDS. And, if I do an ldapsearch as ldapsearch -x -b "dc=fdsdomain,dc=com" from the Fedora machine, I am able to get all the LDAP details. I would be happy if anyone could help me. I am struggling for the past 3 days :( Thanks, -- Regards, C.C.Chakkaradeep, http://chakkaradeep.wordpress.com -- "Sometimes it's better not to ask - or to listen - when people tell you something can't be done. I didn't ask for permission or approval. I just went ahead and did it." - from "Direct from Dell"
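An added example for the "Another segfault ..." exchange above (editor's code, not from the thread or from Fedora DS): the kernel line Philip posted carries more information than the reply used. On x86 the trailing "error N" is the page-fault error code: bit 0 set means a protection violation (clear means the page was not mapped at all), bit 1 set means a write, bit 2 set means the fault happened in user mode. "segfault at 0000000000000000 ... error 4" is therefore a user-mode read of an unmapped page at address 0, that is a NULL pointer dereference inside ns-slapd or one of its plugins; the faulting instruction pointer can only be resolved against the process maps or a core file, which is why the kernel line alone cannot name the culprit. The decoder below accepts both the 2.6-era "rip"/"rsp" wording from the thread and the later "ip"/"sp" wording; the first sample line is the one from the thread and the second is constructed.

```python
import re

# Constructed sample input: the kernel line quoted in the thread (2.6-era x86_64 wording,
# "rip"/"rsp"), plus one made-up line in the newer "ip"/"sp" wording for comparison.
SAMPLE_LINES = [
    "Apr 3 13:16:04 hqldap01 kernel: ns-slapd[32384]: segfault at "
    "0000000000000000 rip 0000002a955a580c rsp 0000000040b69ec8 error 4",
    "Apr 4 09:00:00 host2 kernel: ns-slapd[4242]: segfault at "
    "00007f3c2a1b0008 ip 00000000004a1c20 sp 00007fff1c3d9e40 error 6",
]

SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"r?ip (?P<ip>[0-9a-f]+) r?sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
)

# x86 page-fault error code bits, as the kernel prints them (in hex) after "error".
PF_PROT, PF_WRITE, PF_USER, PF_RSVD, PF_INSTR = 1, 2, 4, 8, 16


def decode_segfault(line):
    """Parse one kernel segfault line; return a dict of fields, or None if it is not one."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    err = int(m.group("err"), 16)
    addr = int(m.group("addr"), 16)
    return {
        "comm": m.group("comm"),
        "pid": int(m.group("pid")),
        "addr": addr,
        "ip": int(m.group("ip"), 16),
        "sp": int(m.group("sp"), 16),
        "protection": bool(err & PF_PROT),   # False: page not present, True: protection violation
        "write": bool(err & PF_WRITE),       # False: read, True: write
        "user": bool(err & PF_USER),         # False: kernel mode, True: user mode
        "instr_fetch": bool(err & PF_INSTR),
        # the first page is never mapped in user space, so a fault there is a NULL
        # pointer (possibly plus a small struct-member offset) dereference
        "null_deref": addr < 0x1000,
    }


def describe(info):
    """One-line human reading of a decoded segfault."""
    what = "NULL pointer dereference" if info["null_deref"] else "invalid pointer"
    access = "write to" if info["write"] else "read from"
    why = "protection violation" if info["protection"] else "unmapped page"
    mode = "user" if info["user"] else "kernel"
    return (f"{info['comm']}[{info['pid']}]: {what}, {access} 0x{info['addr']:x} "
            f"({why}, {mode} mode) at ip 0x{info['ip']:x}")


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(describe(decode_segfault(line)))
```

Run it over /var/log/messages (or the output of dmesg) to triage a crashing ns-slapd before a core file is available; for the actual backtrace you still need the core or gdb attached to the running process.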
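An added example for the "CA certificate format" thread (editor's code, not from the thread, from OpenLDAP or from Fedora DS). Two details in the quoted output are worth lining up: the s_client command connected to "r1-ows-07", a short name, while the certificate subject is CN=r1-ows-07.rocaf.org, and "openssl s_client" of that vintage never checks the hostname against the certificate at all, so a clean s_client handshake says nothing about the hostname check that libldap performs against the name it was told to connect to (the "host" or "URI" value in ldap.conf, or the -h/-H argument). The code below embeds the server certificate exactly as printed above, walks the DER to extract the subject CN and any subjectAltName dNSName entries (this certificate has none, which the extensions in the hex dump confirm), and applies an RFC 6125 style match: dNSName SANs are authoritative when present and the CN is only a fallback. The client-side names tried in the main block other than the FQDN are constructed, and the wildcard rule is the editor's reading of RFC 6125, not a copy of libldap's code.

```python
import base64

# Server certificate exactly as "openssl s_client" printed it in the thread above.
SERVER_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIDajCCAtOgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgzELMAkGA1UEBhMCSUwx
DzANBgNVBAgTBklzcmFlbDEQMA4GA1UEBxMHVGVsQXZpdjERMA8GA1UEChMITmVz
cyBMdGQxDjAMBgNVBAsTBUxNQURTMQ4wDAYDVQQDEwVZb3JhbTEeMBwGCSqGSIb3
DQEJARYPeW9yYW1AYmFtYW0uY29tMB4XDTA3MDMyOTEzNTE1NVoXDTA4MDMyODEz
NTE1NVowXzELMAkGA1UEBhMCSUwxDzANBgNVBAgTBklzcmFlbDERMA8GA1UEChMI
TmVzcyBMdGQxDjAMBgNVBAsTBUxNQURTMRwwGgYDVQQDExNyMS1vd3MtMDcucm9j
YWYub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFEjEo4t7GSj1Zftjy
xF7KAGoIUsFYzjo43Fh9C8mDXZ53vAmfxG5aVBn/ez8Ua0BR7UK6NNiJSQchK4lP
v5xcFRthAx8vlbMjG2/CqaIhF6tiEO8nJ67YRoRLhrbyjbE+RQ0WGo6ZkG2kXm6a
9vK10PvLwuzwo3pbIFkCABOADwIDAQABo4IBDzCCAQswCQYDVR0TBAIwADAsBglg
hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O
BBYEFPhy2suv0tjhGBfsnoAQidETB6bjMIGwBgNVHSMEgagwgaWAFCaaPANgMqQl
Ns5WrjOhMEXihSeioYGJpIGGMIGDMQswCQYDVQQGEwJJTDEPMA0GA1UECBMGSXNy
YWVsMRAwDgYDVQQHEwdUZWxBdml2MREwDwYDVQQKEwhOZXNzIEx0ZDEOMAwGA1UE
CxMFTE1BRFMxDjAMBgNVBAMTBVlvcmFtMR4wHAYJKoZIhvcNAQkBFg95b3JhbUBi
YW1hbS5jb22CAQAwDQYJKoZIhvcNAQEEBQADgYEAiDityOTfyYVoL+aL0B83/cR9
DMoBX1j7PQDU8NDz/rvlf+JEb4xDep/M1muFQJwEIiAoMr/52aWF42J6++csVHpF
vLipTs6enYc30AZLBsdR1CfJd/fnwi2sPbtOQ99puFSMgE6G16CGOsKjfRWrMT8Z
atcJu4lbzjCDM0x6vFw=
-----END CERTIFICATE-----"""

OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName 2.5.4.3
OID_SUBJECT_ALT = bytes.fromhex("551d11")  # id-ce-subjectAltName 2.5.29.17


def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the content of a constructed element into its (tag, value) members."""
    members, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        members.append((tag, val))
    return members


def certificate_names(pem):
    """Return (subject common names, subjectAltName dNSNames) of an X.509 certificate."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body)
    tbs = der_children(der_read(der)[1])[0][1]        # tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serial, signature, issuer, validity, subject, spki, [uids], [3] extensions
    common_names = []
    for _, rdn in der_children(fields[4][1]):         # Name ::= SEQUENCE OF SET OF ATV
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)
            if oid == OID_COMMON_NAME:
                common_names.append(value.decode("utf-8", "replace"))
    san_dns = []
    for tag, val in fields[5:]:
        if tag != 0xA3:
            continue
        for _, ext in der_children(der_children(val)[0][1]):
            parts = der_children(ext)                 # extnID, [critical], extnValue
            if parts[0][1] == OID_SUBJECT_ALT:
                for gtag, gval in der_children(der_children(parts[-1][1])[0][1]):
                    if gtag == 0x82:                  # GeneralName dNSName [2] IA5String
                        san_dns.append(gval.decode("ascii"))
    return common_names, san_dns


def hostname_matches(hostname, common_names, san_dns):
    """RFC 6125 style: dNSName SANs are authoritative; the CN counts only when there are none."""
    host = hostname.rstrip(".").lower()
    for name in (san_dns or common_names):
        name = name.rstrip(".").lower()
        if name.startswith("*."):
            # a wildcard stands for exactly one leftmost label, never the bare domain
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def check_server_name(hostname, pem=SERVER_CERT_PEM):
    """What the client decides for the name it was told to connect to."""
    return hostname_matches(hostname, *certificate_names(pem))


if __name__ == "__main__":
    print("CN=%s SAN=%s" % certificate_names(SERVER_CERT_PEM))
    # constructed client-side names; only the FQDN is the one from the thread
    for h in ("r1-ows-07.rocaf.org", "r1-ows-07", "R1-OWS-07.rocaf.org.", "10.0.0.5"):
        print("%-22s %s" % (h, "ok" if check_server_name(h) else "hostname does not match CN"))
```

The practical check this suggests: whatever name the LDAP client is configured with must be the one in the certificate, so a client pointed at the short name, at an alias, or at an IP address will get exactly the "hostname does not match CN in peer certificate" error even though the CA trust and the handshake are fine.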
From jon at compbio.dundee.ac.uk Wed Apr 4 08:37:18 2007 From: jon at compbio.dundee.ac.uk (Jonathan Barber) Date: Wed, 4 Apr 2007 09:37:18 +0100 Subject: [Fedora-directory-users] CA certificate format In-Reply-To: <37d92a190704031244v151473c3je723c9ab267a2a9b@mail.gmail.com> References: <37d92a190703281217i17db4058kc4a12d09102c2afe@mail.gmail.com> <460ABF83.1060106@redhat.com> <37d92a190703290820y295cb056h8a13a09882cb8187@mail.gmail.com> <461125A1.1020603@redhat.com> <37d92a190704031244v151473c3je723c9ab267a2a9b@mail.gmail.com> Message-ID: <20070404083718.GB10807@compbio.dundee.ac.uk> On Tue, Apr 03, 2007 at 09:44:43PM +0200, Yoram Kahana wrote: > Hi Richard, > > Thanks for your answer, This is my problem, I can't see any mismatch. Do you > know of any other possibilities or ways to debug it? You can try running the openldap ldapsearch client with the "-d" argument for extra debugging goodness. See the loglevel directive in slapd.conf(5) for acceptable levels. Example truncated output from ldapsearch from package 2.2.26-5ubuntu2.2:
# ldapsearch -h ldap.fqdn -ZZ -d 1 -b "" -s base -x
...
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: [cert subject data removed]
TLS certificate verification: depth: 0, err: 0, subject: [cert subject data removed]
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
...
This will at least tell you what the command is really doing, and what it thinks the subject of the cert is. You should use whatever hostname is contained in the cert (either in the subject or subjectaltname fields) otherwise it'll quite rightly reject you. If your client isn't based on the openldap implementation, then you'll have to debug it using a client based on whatever implementation you are using. Without knowing more about your client and ssl libraries it's hard to suggest what might be broken in their configuration. > Thanks in advance > Yoram > > On 4/2/07, Richard Megginson wrote: > > > >Yoram Kahana wrote: > >> Hi Richard, > >> > >> Indeed it solved one of the problems, I didn't hash the CA certificate > >> in the client side. > >> now I am getting a new message > >> > >> TLS: *hostname does not match CN in peer certificate* > >> > >> ** if I understand the meaning the CN and the hostname are not > >> identical but that's not the situation now. > >> > >The CN in the server cert is CN=r1-ows-07.rocaf.org - the server is > >running on r1-ows-07.rocaf.org? > > > >The error message means there is a mismatch somewhere. > >> > >> > >> I have also tried the openssl s_client -debug -connect (the output is > >> enclosed) > >> seems that through openssl it works fine, where am I wrong? > >> > >> Can you see if you have any clue > >> great thanks > >> Yoram > >> > >> On 3/28/07, *Richard Megginson* wrote: > >> > >> Yoram Kahana wrote: > >> > Hi > >> > > >> > Does anyone have an idea on which format I should save the CA > >> > certificate in the clients (for SSL communication)? > >> > Is it PEM, DER, BER > >> It depends - what client are you trying to configure?
Did you see > >> this > >> - > >> > >http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients > >> > > >> > > >> > Thanks in advance > >> > > >> > Yoram > >> > > >> > >------------------------------------------------------------------------ > >> > >> > > >> > -- > >> > Fedora-directory-users mailing list > >> > Fedora-directory-users at redhat.com > >> > >> > https://www.redhat.com/mailman/listinfo/fedora-directory-users > >> > > >> > >> -- > >> Fedora-directory-users mailing list > >> Fedora-directory-users at redhat.com > >> > >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > >> > >> > >> > >> ------------------------------------------------------------------------ > >> > >> > >> openssl s_client -debug -connect r1-ows-07:636 > >> CONNECTED(00000003) > >> write to 00675450 [00675F50] (142 bytes => 142 (0x8E)) > >> 0000 - 80 8c 01 03 01 00 63 00-00 00 20 00 00 39 00 00 ......c... > >..9.. > >> 0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 > >8..5............ > >> 0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 66 00 > >..3..2../.....f. > >> 0030 - 00 05 00 00 04 01 00 80-08 00 80 00 00 63 00 00 > >.............c.. > >> 0040 - 62 00 00 61 00 00 15 00-00 12 00 00 09 06 00 40 > >b..a...........@ > >> 0050 - 00 00 65 00 00 64 00 00-60 00 00 14 00 00 11 00 > >..e..d..`....... > >> 0060 - 00 08 00 00 06 04 00 80-00 00 03 02 00 80 24 9c > >..............$. > >> 0070 - 49 e8 7b b6 bf 6a 36 4a-4a f8 04 25 d9 b8 a7 8e > >I.{..j6JJ..%.... > >> 0080 - 57 d7 67 c2 3a 6d 72 d0-d9 37 3f f5 ac 07 W.g.:mr..7?... > >> read from 00675450 [0067B4B0] (7 bytes => 7 (0x7)) > >> 0000 - 16 03 01 08 23 02 ....#. > >> 0007 - > >> read from 00675450 [0067B4B7] (2081 bytes => 1441 (0x5A1)) > >> 0000 - 00 46 03 01 00 28 82 f7-c8 e3 77 83 de 5f 86 53 > >.F...(....w.._.S > >> 0010 - 5d 5a 76 33 04 fe bd a6-b8 02 ee 88 c4 bd e8 6c > >]Zv3...........l > >> 0020 - 18 b9 ee f6 20 22 92 d7-0e b4 ae aa df c2 83 b7 .... > >".......... 
> >> 0030 - 07 22 94 af 91 d8 2a 92-da 0c d6 3e d5 7a ee 8f > >."....*....>.z.. > >> 0040 - 7f 26 28 3a 56 00 35 00-0b 00 06 dd 00 06 da 00 .&(:V.5........ > >. > >> 0050 - 03 6e 30 82 03 6a 30 82-02 d3 a0 03 02 01 02 02 > >.n0..j0......... > >> 0060 - 01 01 30 0d 06 09 2a 86-48 86 f7 0d 01 01 04 05 > >..0...*.H....... > >> 0070 - 00 30 81 83 31 0b 30 09-06 03 55 04 06 13 02 49 > >.0..1.0...U....I > >> 0080 - 4c 31 0f 30 0d 06 03 55-04 08 13 06 49 73 72 61 > >L1.0...U....Isra > >> 0090 - 65 6c 31 10 30 0e 06 03-55 04 07 13 07 54 65 6c > >el1.0...U....Tel > >> 00a0 - 41 76 69 76 31 11 30 0f-06 03 55 04 0a 13 08 4e > >Aviv1.0...U....N > >> 00b0 - 65 73 73 20 4c 74 64 31-0e 30 0c 06 03 55 04 0b ess Ltd1.0...U. > >. > >> 00c0 - 13 05 4c 4d 41 44 53 31-0e 30 0c 06 03 55 04 03 > >..LMADS1.0...U.. > >> 00d0 - 13 05 59 6f 72 61 6d 31-1e 30 1c 06 09 2a 86 48 > >..Yoram1.0...*.H > >> 00e0 - 86 f7 0d 01 09 01 16 0f-79 6f 72 61 6d 40 62 61 > >........yoram at ba > >> 00f0 - 6d 61 6d 2e 63 6f 6d 30-1e 17 0d 30 37 30 33 32 > >mam.com0...07032 > >> 0100 - 39 31 33 35 31 35 35 5a-17 0d 30 38 30 33 32 38 > >9135155Z..080328 > >> 0110 - 31 33 35 31 35 35 5a 30-5f 31 0b 30 09 06 03 55 > >135155Z0_1.0...U > >> 0120 - 04 06 13 02 49 4c 31 0f-30 0d 06 03 55 04 08 13 > >....IL1.0...U... > >> 0130 - 06 49 73 72 61 65 6c 31-11 30 0f 06 03 55 04 0a > >.Israel1.0...U.. > >> 0140 - 13 08 4e 65 73 73 20 4c-74 64 31 0e 30 0c 06 03 ..Ness Ltd1.0.. > >. > >> 0150 - 55 04 0b 13 05 4c 4d 41-44 53 31 1c 30 1a 06 03 > >U....LMADS1.0... > >> 0160 - 55 04 03 13 13 72 31 2d-6f 77 73 2d 30 37 2e 72 U....r1- > >ows-07.r > >> 0170 - 6f 63 61 66 2e 6f 72 67-30 81 9f 30 0d 06 09 2a > >ocaf.org0..0...* > >> 0180 - 86 48 86 f7 0d 01 01 01-05 00 03 81 8d 00 30 81 > >.H............0. 
> >> 0190 - 89 02 81 81 00 c5 12 31-28 e2 de c6 4a 3d 59 7e > >.......1(...J=Y~ > >> 01a0 - d8 f2 c4 5e ca 00 6a 08-52 c1 58 ce 3a 38 dc 58 ...^..j.R.X.: > >8.X > >> 01b0 - 7d 0b c9 83 5d 9e 77 bc-09 9f c4 6e 5a 54 19 ff > >}...].w....nZT.. > >> 01c0 - 7b 3f 14 6b 40 51 ed 42-ba 34 d8 89 49 07 21 2b {?.k@ > >Q.B.4..I.!+ > >> 01d0 - 89 4f bf 9c 5c 15 1b 61-03 1f 2f 95 b3 23 1b 6f > >.O..\..a../..#.o > >> 01e0 - c2 a9 a2 21 17 ab 62 10-ef 27 27 ae d8 46 84 4b > >...!..b..''..F.K > >> 01f0 - 86 b6 f2 8d b1 3e 45 0d-16 1a 8e 99 90 6d a4 5e > >.....>E......m.^ > >> 0200 - 6e 9a f6 f2 b5 d0 fb cb-c2 ec f0 a3 7a 5b 20 59 n...........z[ > >Y > >> 0210 - 02 00 13 80 0f 02 03 01-00 01 a3 82 01 0f 30 82 > >..............0. > >> 0220 - 01 0b 30 09 06 03 55 1d-13 04 02 30 00 30 2c 06 > >..0...U....0.0,. > >> 0230 - 09 60 86 48 01 86 f8 42-01 0d 04 1f 16 1d 4f 70 > >.`.H...B......Op > >> 0240 - 65 6e 53 53 4c 20 47 65-6e 65 72 61 74 65 64 20 enSSL Generated > >> 0250 - 43 65 72 74 69 66 69 63-61 74 65 30 1d 06 03 55 > >Certificate0...U > >> 0260 - 1d 0e 04 16 04 14 f8 72-da cb af d2 d8 e1 18 17 > >.......r........ > >> 0270 - ec 9e 80 10 89 d1 13 07-a6 e3 30 81 b0 06 03 55 > >..........0....U > >> 0280 - 1d 23 04 81 a8 30 81 a5-80 14 26 9a 3c 03 60 32 > >.#...0....&.<.`2 > >> 0290 - a4 25 36 ce 56 ae 33 a1-30 45 e2 85 27 a2 a1 81 > >.%6.V.3.0E..'... > >> 02a0 - 89 a4 81 86 30 81 83 31-0b 30 09 06 03 55 04 06 > >....0..1.0...U.. > >> 02b0 - 13 02 49 4c 31 0f 30 0d-06 03 55 04 08 13 06 49 > >..IL1.0...U....I > >> 02c0 - 73 72 61 65 6c 31 10 30-0e 06 03 55 04 07 13 07 srael1.0...U... > >. > >> 02d0 - 54 65 6c 41 76 69 76 31-11 30 0f 06 03 55 04 0a TelAviv1.0...U. > >. > >> 02e0 - 13 08 4e 65 73 73 20 4c-74 64 31 0e 30 0c 06 03 ..Ness Ltd1.0.. > >. > >> 02f0 - 55 04 0b 13 05 4c 4d 41-44 53 31 0e 30 0c 06 03 > >U....LMADS1.0... > >> 0300 - 55 04 03 13 05 59 6f 72-61 6d 31 1e 30 1c 06 09 > >U....Yoram1.0... 
> >> 0310 - 2a 86 48 86 f7 0d 01 09-01 16 0f 79 6f 72 61 6d > >*.H........yoram > >> 0320 - 40 62 61 6d 61 6d 2e 63-6f 6d 82 01 00 30 0d 06 @bamam.com...0. > >. > >> 0330 - 09 2a 86 48 86 f7 0d 01-01 04 05 00 03 81 81 00 > >.*.H............ > >> 0340 - 88 38 ad c8 e4 df c9 85-68 2f e6 8b d0 1f 37 fd > >.8......h/....7. > >> 0350 - c4 7d 0c ca 01 5f 58 fb-3d 00 d4 f0 d0 f3 fe bb > >.}..._X.=....... > >> 0360 - e5 7f e2 44 6f 8c 43 7a-9f cc d6 6b 85 40 9c 04 > >...Do.Cz...k. at .. > >> 0370 - 22 20 28 32 bf f9 d9 a5-85 e3 62 7a fb e7 2c 54 " > >(2......bz..,T > >> 0380 - 7a 45 bc b8 a9 4e ce 9e-9d 87 37 d0 06 4b 06 c7 > >zE...N....7..K.. > >> 0390 - 51 d4 27 c9 77 f7 e7 c2-2d ac 3d bb 4e 43 df 69 > >Q.'.w...-.=.NC.i > >> 03a0 - b8 54 8c 80 4e 86 d7 a0-86 3a c2 a3 7d 15 ab 31 > >.T..N....:..}..1 > >> 03b0 - 3f 19 6a d7 09 bb 89 5b-ce 30 83 33 4c 7a bc 5c > >?.j....[.0.3Lz.\ > >> 03c0 - 00 03 66 30 82 03 62 30-82 02 cb a0 03 02 01 02 > >..f0..b0........ > >> 03d0 - 02 01 00 30 0d 06 09 2a-86 48 86 f7 0d 01 01 04 > >...0...*.H...... > >> 03e0 - 05 00 30 81 83 31 0b 30-09 06 03 55 04 06 13 02 > >..0..1.0...U.... > >> 03f0 - 49 4c 31 0f 30 0d 06 03-55 04 08 13 06 49 73 72 > >IL1.0...U....Isr > >> 0400 - 61 65 6c 31 10 30 0e 06-03 55 04 07 13 07 54 65 > >ael1.0...U....Te > >> 0410 - 6c 41 76 69 76 31 11 30-0f 06 03 55 04 0a 13 08 lAviv1.0...U... > >. > >> 0420 - 4e 65 73 73 20 4c 74 64-31 0e 30 0c 06 03 55 04 Ness Ltd1.0...U > >. > >> 0430 - 0b 13 05 4c 4d 41 44 53-31 0e 30 0c 06 03 55 04 > >...LMADS1.0...U. > >> 0440 - 03 13 05 59 6f 72 61 6d-31 1e 30 1c 06 09 2a 86 > >...Yoram1.0...*. > >> 0450 - 48 86 f7 0d 01 09 01 16-0f 79 6f 72 61 6d 40 62 > >H........yoram at b > >> 0460 - 61 6d 61 6d 2e 63 6f 6d-30 1e 17 0d 30 37 30 33 > >amam.com0...0703 > >> 0470 - 32 39 31 33 35 31 33 34-5a 17 0d 30 38 30 33 32 > >29135134Z..08032 > >> 0480 - 38 31 33 35 31 33 34 5a-30 81 83 31 0b 30 09 06 > >8135134Z0..1.0.. 
> >> 0490 - 03 55 04 06 13 02 49 4c-31 0f 30 0d 06 03 55 04 > >.U....IL1.0...U. > >> 04a0 - 08 13 06 49 73 72 61 65-6c 31 10 30 0e 06 03 55 > >...Israel1.0...U > >> 04b0 - 04 07 13 07 54 65 6c 41-76 69 76 31 11 30 0f 06 > >....TelAviv1.0.. > >> 04c0 - 03 55 04 0a 13 08 4e 65-73 73 20 4c 74 64 31 0e .U....Ness > >Ltd1. > >> 04d0 - 30 0c 06 03 55 04 0b 13-05 4c 4d 41 44 53 31 0e > >0...U....LMADS1. > >> 04e0 - 30 0c 06 03 55 04 03 13-05 59 6f 72 61 6d 31 1e > >0...U....Yoram1. > >> 04f0 - 30 1c 06 09 2a 86 48 86-f7 0d 01 09 01 16 0f 79 > >0...*.H........y > >> 0500 - 6f 72 61 6d 40 62 61 6d-61 6d 2e 63 6f 6d 30 81 oram at bamam.com0 > >. > >> 0510 - 9f 30 0d 06 09 2a 86 48-86 f7 0d 01 01 01 05 00 > >.0...*.H........ > >> 0520 - 03 81 8d 00 30 81 89 02-81 81 00 a1 9c f4 b7 8b > >....0........... > >> 0530 - 80 35 c5 b7 60 73 da bb-01 7d 33 36 74 1f 67 5d > >.5..`s...}36t.g] > >> 0540 - eb ff b5 ca 79 1a 1b 3a-9d ce da 62 4c c8 19 0b > >....y..:...bL... > >> 0550 - 80 e0 7c 4a 4f bb 8f 59-05 b7 a8 c2 ae 5b fe 7c > >..|JO..Y.....[.| > >> 0560 - 74 91 e5 cf d3 54 3b 4e-88 24 50 84 24 b2 16 d8 > >t....T;N.$P.$... > >> 0570 - 9c 1d bd 8c 31 8b d7 28-df 06 24 a8 e1 76 b7 72 > >....1..(..$..v.r > >> 0580 - ee 37 75 e2 89 84 b7 ed-51 76 2c b3 1a eb 6c 5c > >.7u.....Qv,...l\ > >> 0590 - 64 87 7d 3a 12 39 4b c0-23 fa a8 63 0e a0 77 c8 > >d.}:.9K.#..c..w. > >> 05a0 - 4d M > >> read from 00675450 [0067BA58] (640 bytes => 640 (0x280)) > >> 0000 - 9c b7 59 cc 06 a3 ad 79-6c 53 02 03 01 00 01 a3 > >..Y....ylS...... > >> 0010 - 81 e3 30 81 e0 30 1d 06-03 55 1d 0e 04 16 04 14 > >..0..0...U...... > >> 0020 - 26 9a 3c 03 60 32 a4 25-36 ce 56 ae 33 a1 30 45 > >&.<.`2.%6.V.3.0E > >> 0030 - e2 85 27 a2 30 81 b0 06-03 55 1d 23 04 81 a8 30 > >..'.0....U.#...0 > >> 0040 - 81 a5 80 14 26 9a 3c 03-60 32 a4 25 36 ce 56 ae > >....&.<.`2.%6.V. > >> 0050 - 33 a1 30 45 e2 85 27 a2-a1 81 89 a4 81 86 30 81 3.0E..'.......0 > >. 
> >> 0060 - 83 31 0b 30 09 06 03 55-04 06 13 02 49 4c 31 0f > >.1.0...U....IL1. > >> 0070 - 30 0d 06 03 55 04 08 13-06 49 73 72 61 65 6c 31 > >0...U....Israel1 > >> 0080 - 10 30 0e 06 03 55 04 07-13 07 54 65 6c 41 76 69 > >.0...U....TelAvi > >> 0090 - 76 31 11 30 0f 06 03 55-04 0a 13 08 4e 65 73 73 > >v1.0...U....Ness > >> 00a0 - 20 4c 74 64 31 0e 30 0c-06 03 55 04 0b 13 05 4c > >Ltd1.0...U....L > >> 00b0 - 4d 41 44 53 31 0e 30 0c-06 03 55 04 03 13 05 59 > >MADS1.0...U....Y > >> 00c0 - 6f 72 61 6d 31 1e 30 1c-06 09 2a 86 48 86 f7 0d oram1.0...*.H.. > >. > >> 00d0 - 01 09 01 16 0f 79 6f 72-61 6d 40 62 61 6d 61 6d > >.....yoram at bamam > >> 00e0 - 2e 63 6f 6d 82 01 00 30-0c 06 03 55 1d 13 04 05 > >.com...0...U.... > >> 00f0 - 30 03 01 01 ff 30 0d 06-09 2a 86 48 86 f7 0d 01 > >0....0...*.H.... > >> 0100 - 01 04 05 00 03 81 81 00-39 46 ea ff b6 f0 6f 69 > >........9F....oi > >> 0110 - e4 69 d5 bd a6 d5 86 be-a5 91 a2 53 46 75 db c6 > >.i.........SFu.. > >> 0120 - 5f 60 a1 f8 dc b2 54 27-d5 e6 d5 e1 ad d6 08 cd > >_`....T'........ > >> 0130 - 42 5a 07 e7 e3 4f 0b 45-23 47 36 98 3e b1 be 09 > >BZ...O.E#G6.>... > >> 0140 - 12 fe bc 50 e4 1a 93 6d-4a aa d5 56 f4 40 94 26 > >...P...mJ..V. at .& > >> 0150 - 69 b9 a1 21 3c 04 46 17-84 4b 96 88 1c 20 9b 9a i..!<.F..K... > >.. > >> 0160 - 5b 6d 33 d6 4d ce 64 1d-15 85 78 3c 2a 1f 33 38 [m3.M.d...x > ><*.38 > >> 0170 - 96 39 58 39 88 ba 36 cc-af ce 8c 40 fc 45 5a b1 > >.9X9..6.... at .EZ. > >> 0180 - 65 ba 8c 15 24 d1 52 b6-0d 00 00 f0 02 01 02 00 > >e...$.R......... > >> 0190 - eb 00 61 30 5f 31 0b 30-09 06 03 55 04 06 13 02 > >..a0_1.0...U.... 
> >> 01a0 - 55 53 31 20 30 1e 06 03-55 04 0a 13 17 52 53 41 US1 > >0...U....RSA > >> 01b0 - 20 44 61 74 61 20 53 65-63 75 72 69 74 79 2c 20 Data Security, > >> 01c0 - 49 6e 63 2e 31 2e 30 2c-06 03 55 04 0b 13 25 53 Inc.1.0 > >,..U...%S > >> 01d0 - 65 63 75 72 65 20 53 65-72 76 65 72 20 43 65 72 ecure Server > >Cer > >> 01e0 - 74 69 66 69 63 61 74 69-6f 6e 20 41 75 74 68 6f tification > >Autho > >> 01f0 - 72 69 74 79 00 86 30 81-83 31 0b 30 09 06 03 55 > >rity..0..1.0...U > >> 0200 - 04 06 13 02 49 4c 31 0f-30 0d 06 03 55 04 08 13 > >....IL1.0...U... > >> 0210 - 06 49 73 72 61 65 6c 31-10 30 0e 06 03 55 04 07 > >.Israel1.0...U.. > >> 0220 - 13 07 54 65 6c 41 76 69-76 31 11 30 0f 06 03 55 > >..TelAviv1.0...U > >> 0230 - 04 0a 13 08 4e 65 73 73-20 4c 74 64 31 0e 30 0c ....Ness Ltd1.0 > >. > >> 0240 - 06 03 55 04 0b 13 05 4c-4d 41 44 53 31 0e 30 0c > >..U....LMADS1.0. > >> 0250 - 06 03 55 04 03 13 05 59-6f 72 61 6d 31 1e 30 1c > >..U....Yoram1.0. > >> 0260 - 06 09 2a 86 48 86 f7 0d-01 09 01 16 0f 79 6f 72 > >..*.H........yor > >> 0270 - 61 6d 40 62 61 6d 61 6d-2e 63 6f 6d 0e am at bamam.com. > >> 0280 - > >> depth=1 /C=IL/ST=Israel/L=TelAviv/O=Ness > >Ltd/OU=LMADS/CN=Yoram/emailAddress=yoram at bamam.com > >> verify error:num=19:self signed certificate in certificate chain > >> verify return:0 > >> write to 00675450 [00687150] (12 bytes => 12 (0xC)) > >> 0000 - 16 03 01 00 07 0b 00 00-03 ......... > >> 000c - > >> write to 00675450 [00687150] (139 bytes => 139 (0x8B)) > >> 0000 - 16 03 01 00 86 10 00 00-82 00 80 37 d0 c6 7a 6b > >...........7..zk > >> 0010 - 54 18 16 df d0 6f 90 8f-b1 8a 45 45 7f 15 47 04 > >T....o....EE..G. > >> 0020 - 10 ba 23 1a f9 f7 54 50-05 ee 4c e9 79 fe 31 1a > >..#...TP..L.y.1. > >> 0030 - e2 c1 4a e9 f5 e2 b9 e1-d5 17 e6 e8 28 a9 ee 76 > >..J.........(..v > >> 0040 - b9 ce 5f 59 68 62 a3 8c-07 ee e0 0e 91 b4 df 0d > >.._Yhb.......... > >> 0050 - 71 9b ce 38 d2 4b 3d d9-c4 1f e9 74 0e 96 c5 cb > >q..8.K=....t.... 
> >> 0060 - d3 12 57 6c 9a 0c 3b fd-83 3a e4 fd a6 2a ee 8c > >..Wl..;..:...*.. > >> 0070 - e1 67 eb d2 11 3b 6a 03-9c a0 73 38 10 76 89 f0 > >.g...;j...s8.v.. > >> 0080 - 81 03 dd 91 4d 43 7d 99-f4 a4 b6 ....MC}.... > >> write to 00675450 [00687150] (6 bytes => 6 (0x6)) > >> 0000 - 14 03 01 00 01 01 ...... > >> write to 00675450 [00687150] (53 bytes => 53 (0x35)) > >> 0000 - 16 03 01 00 30 09 40 51-48 34 87 0b 53 20 ff 0d ....0. at QH4..S > >.. > >> 0010 - 2f 7c 96 04 a6 cc 0d bf-4a 76 b1 4e 4d bb fa 39 > >/|......Jv.NM..9 > >> 0020 - 4b 60 6e 47 3e 87 41 77-9c a2 e3 7b 1b 36 0e 9e > >K`nG>.Aw...{.6.. > >> 0030 - c6 4c 74 eb 7a .Lt.z > >> read from 00675450 [0067B4B0] (5 bytes => 5 (0x5)) > >> 0000 - 14 03 01 00 01 ..... > >> read from 00675450 [0067B4B5] (1 bytes => 1 (0x1)) > >> 0000 - 01 . > >> read from 00675450 [0067B4B0] (5 bytes => 5 (0x5)) > >> 0000 - 16 03 01 00 30 ....0 > >> read from 00675450 [0067B4B5] (48 bytes => 48 (0x30)) > >> 0000 - 75 da a7 8d 28 fb 5d c1-b5 04 0a 9e c1 00 d1 19 > >u...(.]......... > >> 0010 - 9f 74 ff 44 38 4b f3 57-73 e7 f4 0f d1 8b 9c a5 > >.t.D8K.Ws....... > >> 0020 - 92 39 22 4d 7e 78 c9 66-ff d4 48 81 8a 15 2b e1 > >.9"M~x.f..H...+. 
> >> --- > >> Certificate chain > >> 0 s:/C=IL/ST=Israel/O=Ness Ltd/OU=LMADS/CN=r1-ows-07.rocaf.org > >> i:/C=IL/ST=Israel/L=TelAviv/O=Ness > >Ltd/OU=LMADS/CN=Yoram/emailAddress=yoram at bamam.com > >> 1 s:/C=IL/ST=Israel/L=TelAviv/O=Ness > >Ltd/OU=LMADS/CN=Yoram/emailAddress=yoram at bamam.com > >> i:/C=IL/ST=Israel/L=TelAviv/O=Ness > >Ltd/OU=LMADS/CN=Yoram/emailAddress=yoram at bamam.com > >> --- > >> Server certificate > >> -----BEGIN CERTIFICATE----- > >> MIIDajCCAtOgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgzELMAkGA1UEBhMCSUwx > >> DzANBgNVBAgTBklzcmFlbDEQMA4GA1UEBxMHVGVsQXZpdjERMA8GA1UEChMITmVz > >> cyBMdGQxDjAMBgNVBAsTBUxNQURTMQ4wDAYDVQQDEwVZb3JhbTEeMBwGCSqGSIb3 > >> DQEJARYPeW9yYW1AYmFtYW0uY29tMB4XDTA3MDMyOTEzNTE1NVoXDTA4MDMyODEz > >> NTE1NVowXzELMAkGA1UEBhMCSUwxDzANBgNVBAgTBklzcmFlbDERMA8GA1UEChMI > >> TmVzcyBMdGQxDjAMBgNVBAsTBUxNQURTMRwwGgYDVQQDExNyMS1vd3MtMDcucm9j > >> YWYub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFEjEo4t7GSj1Zftjy > >> xF7KAGoIUsFYzjo43Fh9C8mDXZ53vAmfxG5aVBn/ez8Ua0BR7UK6NNiJSQchK4lP > >> v5xcFRthAx8vlbMjG2/CqaIhF6tiEO8nJ67YRoRLhrbyjbE+RQ0WGo6ZkG2kXm6a > >> 9vK10PvLwuzwo3pbIFkCABOADwIDAQABo4IBDzCCAQswCQYDVR0TBAIwADAsBglg > >> hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O > >> BBYEFPhy2suv0tjhGBfsnoAQidETB6bjMIGwBgNVHSMEgagwgaWAFCaaPANgMqQl > >> Ns5WrjOhMEXihSeioYGJpIGGMIGDMQswCQYDVQQGEwJJTDEPMA0GA1UECBMGSXNy > >> YWVsMRAwDgYDVQQHEwdUZWxBdml2MREwDwYDVQQKEwhOZXNzIEx0ZDEOMAwGA1UE > >> CxMFTE1BRFMxDjAMBgNVBAMTBVlvcmFtMR4wHAYJKoZIhvcNAQkBFg95b3JhbUBi > >> YW1hbS5jb22CAQAwDQYJKoZIhvcNAQEEBQADgYEAiDityOTfyYVoL+aL0B83/cR9 > >> DMoBX1j7PQDU8NDz/rvlf+JEb4xDep/M1muFQJwEIiAoMr/52aWF42J6++csVHpF > >> vLipTs6enYc30AZLBsdR1CfJd/fnwi2sPbtOQ99puFSMgE6G16CGOsKjfRWrMT8Z > >> atcJu4lbzjCDM0x6vFw= > >> -----END CERTIFICATE----- > >> subject=/C=IL/ST=Israel/O=Ness Ltd/OU=LMADS/CN=r1-ows-07.rocaf.org > >> issuer=/C=IL/ST=Israel/L=TelAviv/O=Ness > >Ltd/OU=LMADS/CN=Yoram/emailAddress=yoram at bamam.com > >> --- > >> Acceptable client certificate CA 
names > >> /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority > >> /C=IL/ST=Israel/L=TelAviv/O=Ness Ltd/OU=LMADS/CN=Yoram/emailAddress= > >yoram at bamam.com > >> --- > >> SSL handshake has read 2147 bytes and written 352 bytes > >> --- > >> New, TLSv1/SSLv3, Cipher is AES256-SHA > >> Server public key is 1024 bit > >> SSL-Session: > >> Protocol : TLSv1 > >> Cipher : AES256-SHA > >> Session-ID: > >2292D70EB4AEAADFC283B7072294AF91D82A92DA0CD63ED57AEE8F7F26283A56 > >> Session-ID-ctx: > >> Master-Key: > >5D9CC7C076BF70BBAECB1BC1588E666C75EB12956F231AF9B3E2F3F4E164AF7BFEEAC912F7482E286F9C819F199FB3E1 > >> Key-Arg : None > >> Krb5 Principal: None > >> Start Time: 1175181192 > >> Timeout : 300 (sec) > >> Verify return code: 19 (self signed certificate in certificate > >chain) > >> --- > >> > >> > >> > >> ------------------------------------------------------------------------ > >> > >> -- > >> Fedora-directory-users mailing list > >> Fedora-directory-users at redhat.com > >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > >> > > > >-- > >Fedora-directory-users mailing list > >Fedora-directory-users at redhat.com > >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -- Jonathan Barber High Performance Computing Analyst Tel. +44 (0) 1382 386389 From Nate at acsmagnum.com Wed Apr 4 16:46:07 2007 From: Nate at acsmagnum.com (Nate Bradley) Date: Wed, 04 Apr 2007 11:46:07 -0500 Subject: [Fedora-directory-users] search problems Message-ID: <46138FFF.A739.00F5.1@acsmagnum.com> migrating from fc4 to centos. trying to reconfigure replication. initialized the 'new' consumer, users and groups appear to have replicated. noticed the 'new' fedora-ds is searching NetscapeRoot and not UserRoot (dc=sky-runner,dc=com) by default, so it can't find the users or groups? what do I do? 
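Jonathan Barber's point above is that the client has to present exactly a name the certificate carries, from the subject CN or the subjectAltName field, or the library will rightly reject the connection. The script below is an added example, not code from the thread or from Fedora DS, OpenLDAP or OpenSSL: it decodes the server certificate Yoram pasted (the PEM block above), pulls out the subject CN and any subjectAltName dNSName values with a minimal DER walker, and applies the usual client rule (SAN names first, CN only when no SAN is present, a wildcard only as the whole leftmost label). The function names and the wildcard test cases are mine. Note that the posted s_client command connects to the short name r1-ows-07 while the certificate's CN is the FQDN r1-ows-07.rocaf.org; the check below does not treat those as the same name.

```python
"""Check a hostname against the names in a server certificate (added example, not from the thread)."""
import base64
# Server certificate quoted in the thread above: subject CN=r1-ows-07.rocaf.org, no subjectAltName.
SERVER_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIDajCCAtOgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgzELMAkGA1UEBhMCSUwx
DzANBgNVBAgTBklzcmFlbDEQMA4GA1UEBxMHVGVsQXZpdjERMA8GA1UEChMITmVz
cyBMdGQxDjAMBgNVBAsTBUxNQURTMQ4wDAYDVQQDEwVZb3JhbTEeMBwGCSqGSIb3
DQEJARYPeW9yYW1AYmFtYW0uY29tMB4XDTA3MDMyOTEzNTE1NVoXDTA4MDMyODEz
NTE1NVowXzELMAkGA1UEBhMCSUwxDzANBgNVBAgTBklzcmFlbDERMA8GA1UEChMI
TmVzcyBMdGQxDjAMBgNVBAsTBUxNQURTMRwwGgYDVQQDExNyMS1vd3MtMDcucm9j
YWYub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFEjEo4t7GSj1Zftjy
xF7KAGoIUsFYzjo43Fh9C8mDXZ53vAmfxG5aVBn/ez8Ua0BR7UK6NNiJSQchK4lP
v5xcFRthAx8vlbMjG2/CqaIhF6tiEO8nJ67YRoRLhrbyjbE+RQ0WGo6ZkG2kXm6a
9vK10PvLwuzwo3pbIFkCABOADwIDAQABo4IBDzCCAQswCQYDVR0TBAIwADAsBglg
hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O
BBYEFPhy2suv0tjhGBfsnoAQidETB6bjMIGwBgNVHSMEgagwgaWAFCaaPANgMqQl
Ns5WrjOhMEXihSeioYGJpIGGMIGDMQswCQYDVQQGEwJJTDEPMA0GA1UECBMGSXNy
YWVsMRAwDgYDVQQHEwdUZWxBdml2MREwDwYDVQQKEwhOZXNzIEx0ZDEOMAwGA1UE
CxMFTE1BRFMxDjAMBgNVBAMTBVlvcmFtMR4wHAYJKoZIhvcNAQkBFg95b3JhbUBi
YW1hbS5jb22CAQAwDQYJKoZIhvcNAQEEBQADgYEAiDityOTfyYVoL+aL0B83/cR9
DMoBX1j7PQDU8NDz/rvlf+JEb4xDep/M1muFQJwEIiAoMr/52aWF42J6++csVHpF
vLipTs6enYc30AZLBsdR1CfJd/fnwi2sPbtOQ99puFSMgE6G16CGOsKjfRWrMT8Z
atcJu4lbzjCDM0x6vFw=
-----END CERTIFICATE-----"""

OID_COMMON_NAME = b"\x55\x04\x03"       # id-at-commonName 2.5.4.3
OID_SUBJECT_ALT_NAME = b"\x55\x1d\x11"  # id-ce-subjectAltName 2.5.29.17
TAG_DNS_NAME = 0x82                     # GeneralName [2] dNSName (implicit IA5String)

def _tlv(buf, pos):
    """Decode the DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Return (tag, value_start, value_end) for each member of a constructed value."""
    out, pos = [], start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        out.append((tag, vs, ve))
        pos = ve
    return out

def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the certificate body."""
    return base64.b64decode("".join(l.strip() for l in pem.splitlines() if not l.startswith("-----")))

def cert_names(der):
    """Return (subject_cn, [san_dns_names]) from a DER-encoded X.509 certificate."""
    _, cert_s, _ = _tlv(der, 0)                      # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = _tlv(der, cert_s)              # tbsCertificate ::= SEQUENCE
    fields = _children(der, tbs_s, tbs_e)
    if fields[0][0] == 0xA0:                         # optional EXPLICIT [0] version
        fields = fields[1:]
    # fields now: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    cn = None
    for _, rdn_s, rdn_e in _children(der, fields[4][1], fields[4][2]):   # subject RDN SETs
        for _, atv_s, atv_e in _children(der, rdn_s, rdn_e):             # AttributeTypeAndValue
            oid, value = _children(der, atv_s, atv_e)[:2]
            if der[oid[1]:oid[2]] == OID_COMMON_NAME:
                cn = der[value[1]:value[2]].decode("utf-8", "replace")
    san = []
    for tag, ext_s, _ in fields[6:]:                 # EXPLICIT [3] extensions, if any
        if tag != 0xA3:
            continue
        _, seq_s, seq_e = _tlv(der, ext_s)           # Extensions ::= SEQUENCE OF Extension
        for _, e_s, e_e in _children(der, seq_s, seq_e):
            parts = _children(der, e_s, e_e)         # extnID, [critical], extnValue OCTET STRING
            if der[parts[0][1]:parts[0][2]] != OID_SUBJECT_ALT_NAME:
                continue
            _, gn_s, gn_e = _tlv(der, parts[-1][1])  # GeneralNames ::= SEQUENCE OF GeneralName
            san += [der[s:e].decode("ascii") for t, s, e in _children(der, gn_s, gn_e) if t == TAG_DNS_NAME]
    return cn, san

def hostname_matches(hostname, cert_name):
    """RFC 6125-style comparison: case-insensitive; '*' allowed only as the whole leftmost label."""
    host = hostname.lower().rstrip(".").split(".")
    pattern = cert_name.lower().rstrip(".").split(".")
    if len(host) != len(pattern):                    # a wildcard never spans several labels
        return False
    if pattern[0] == "*":
        return len(pattern) > 2 and host[1:] == pattern[1:]
    return host == pattern

def verification_names(der):
    """Names a client may match: SAN dNSNames when present, otherwise the subject CN alone."""
    cn, san = cert_names(der)
    return san or ([cn] if cn else [])

def verify_hostname(pem, hostname):
    """True when hostname matches one of the certificate's verification names."""
    return any(hostname_matches(hostname, n) for n in verification_names(pem_to_der(pem)))

if __name__ == "__main__":
    for host in ("r1-ows-07.rocaf.org", "r1-ows-07"):   # FQDN from the CN vs the short name given to s_client
        print(host, "->", "match" if verify_hostname(SERVER_CERT_PEM, host) else "MISMATCH")
```

Python's ssl.SSLContext (with check_hostname enabled) and the TLS layer inside OpenLDAP's libldap perform this comparison themselves during the handshake; the script only makes the rule and the candidate names visible, which is the first thing to look at when a client reports a CN/hostname mismatch. Because this certificate carries no subjectAltName, the CN is the only name on offer, and modern clients accept the CN as a fallback only: once a SAN list is present it is the SAN list that counts.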
From rmeggins at redhat.com Wed Apr 4 17:07:47 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 04 Apr 2007 11:07:47 -0600
Subject: [Fedora-directory-users] search problems
In-Reply-To: <46138FFF.A739.00F5.1@acsmagnum.com>
References: <46138FFF.A739.00F5.1@acsmagnum.com>
Message-ID: <4613DB63.1070702@redhat.com>

Nate Bradley wrote:
> migrating from fc4 to centos.
> trying to reconfigure replication.
> initialized the 'new' consumer, users and groups appear to have
> replicated.
How did you create the new consumer?
> noticed the 'new' fedora-ds is searching
I'm not sure what you mean - what is searching?
> NetscapeRoot and not UserRoot (dc=sky-runner,dc=com) by default, so it
> can't find the users or groups?
> what do I do?
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From glenn at mail.txwes.edu Wed Apr 4 19:16:43 2007
From: glenn at mail.txwes.edu (Glenn)
Date: Wed, 4 Apr 2007 14:16:43 -0500
Subject: [Fedora-directory-users] Problem running console on Windows
Message-ID: <20070404191011.M2857@mail.txwes.edu>

I'm trying to get the Fedora DS 1.0.4 console working on a Windows computer, using the instructions in the Howto. When I try to start the console, I get this error message:

    Exception in thread "main" java.lang.NoClassDefFoundError: com/netscape/management/client/console/Console

Any idea what could cause this? Thanks. -Glenn.
From patrick.morris at hp.com Wed Apr 4 20:21:09 2007
From: patrick.morris at hp.com (Patrick Morris)
Date: Wed, 4 Apr 2007 13:21:09 -0700
Subject: [Fedora-directory-users] Problem running console on Windows
In-Reply-To: <20070404191011.M2857@mail.txwes.edu>
References: <20070404191011.M2857@mail.txwes.edu>
Message-ID: <20070404202109.GQ27901@pmorris.usa.hp.com>

On Wed, 04 Apr 2007, Glenn wrote:
> I'm trying to get the Fedora DS 1.0.4 console working on a Windows computer,
> using the instructions in the Howto. When I try to start the console, I get
> this error message:
>
> Exception in thread "main" java.lang.NoClassDefFoundError:
> com/netscape/management/client/console/Console
>
> Any idea what could cause this? Thanks. -Glenn.

Usually, an incorrectly set CLASSPATH or not having all the java files installed.

From pkime at Shopzilla.com Thu Apr 5 01:46:48 2007
From: pkime at Shopzilla.com (Philip Kime)
Date: Wed, 4 Apr 2007 18:46:48 -0700
Subject: [Fedora-directory-users] Re: Another segfault ...
In-Reply-To: <20070404160007.CFDCE7324C@hormel.redhat.com>
References: <20070404160007.CFDCE7324C@hormel.redhat.com>
Message-ID: <9C0091F428E697439E7A773FFD083427A92C4A@szexchange.Shopzilla.inc>

> No. Can you post the last few lines from your errors and access logs?

Well, part of the problem is that this server gets so hammered - 99.9% CPU devoted to nslapd all the time, that the access logs roll over so quickly, I don't have them any more. According to the FDSgraph charts (which are messed up because I think it's so busy, the graphs are just a patchwork of points which aren't joined up), it does about 70k ops per minute, peaking at about 140k. This suddenly shot up a few weeks ago and nobody seems to know why so I'm assuming that the load is the problem. I was thinking about increasing the mem cache for FDS - worth trying? It seems to be at the default (10 Meg?) and this box has easily 3Gb doing nothing at any one time.
PK From rmeggins at redhat.com Thu Apr 5 02:33:19 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 04 Apr 2007 20:33:19 -0600 Subject: [Fedora-directory-users] Re: Another segfault ... In-Reply-To: <9C0091F428E697439E7A773FFD083427A92C4A@szexchange.Shopzilla.inc> References: <20070404160007.CFDCE7324C@hormel.redhat.com> <9C0091F428E697439E7A773FFD083427A92C4A@szexchange.Shopzilla.inc> Message-ID: <46145FEF.50907@redhat.com> Philip Kime wrote: >> No. Can you post the last few lines from your errors and access logs? >> > > Well, part of the problem is that this server gets so hammered - 99.9% > CPU devoted to nslapd all the time, that the access logs roll over so > quickly, I don't have them any more. According to the FDSgraph charts > (which are messed up because I think it's so busy, the graphs are just a > patchwork of points which aren't joined up), Ok. Then, how about the error log? > it does about 70k ops per > minutes, peaking at about 140k. What are the clients? OS login? > This suddenly shot up a few weeks ago > and nobody seems to know why so I'm assuming that the load is the > problem. I was thinking about increasing the mem cache for FDS - worth > trying? It seems to be at the default (10 Meg?) and this box has easily > 3Gb doing nothing at any one time. > The mem cache should only be large enough to hold all of the entries/indexes in your database - any more than that is not used. You could try increasing it, but I doubt it will help. > PK > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From chaks.yoper at gmail.com Thu Apr 5 03:35:51 2007 From: chaks.yoper at gmail.com (Chakkaradeep C C) Date: Thu, 5 Apr 2007 15:35:51 +1200 Subject: [Fedora-directory-users] Re: Regarding Fedora Clients Authentication to FDS In-Reply-To: References: Message-ID: Hi All, I tried FDS a lot and also seeked help from IRC and this mailing lists regarding how to get clients authenticated to FDS. I didnt receive ANY help and was (in IRC) sent back that I am not thorough with the LDAP Basics. I was surprised to get that answer. After trying nearly for hours, I switched to openLDAP and Ubuntu as Client, and believe me, THEY WORKED LIKE CHARM !. Just 1 hour spent, LDAP server and client up! FDS looks to be a good product but it still needs extensive documentation. "Run authconfig, that should do the job for the client" isnt enough. I did that, edited pam files, nsswitch.conf files, nothing worked in fedora (version 6) with FDS. But with openLDAP, it worked. I also have to admit that openLDAP and fedora as client didnt work with authconfig. I am running openLDAP in Fedora Core system and that looks to be great. I am very disappointed that there is not much help available from FDS Users, from this mailing list or IRC . Any special reason for this? Even when a User has a dumb question like, "I am not able to add Clients", why cant it be complex? -- Regards, C.C.Chakkaradeep, http://chakkaradeep.wordpress.com -- "Sometimes it's better not to ask - or to listen - when people tell you something can't be done. I didnt ask for permission or approval. I just went ahead and did it." - from "Direct from Dell" -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From diwakoe at gmail.com Thu Apr 5 03:54:57 2007 From: diwakoe at gmail.com (Diwakoe) Date: Thu, 5 Apr 2007 10:54:57 +0700 Subject: [Fedora-directory-users] Re: Regarding Fedora Clients Authentication to FDS In-Reply-To: References: Message-ID: On 4/5/07, Chakkaradeep C C wrote: > Hi All, > > I tried FDS a lot and also seeked help from IRC and this mailing lists > regarding how to get clients authenticated to FDS. I didnt receive ANY help > and was (in IRC) sent back that I am not thorough with the LDAP Basics. I > was surprised to get that answer. After trying nearly for hours, I switched > to openLDAP and Ubuntu as Client, and believe me, THEY WORKED LIKE CHARM !. > Just 1 hour spent, LDAP server and client up! > It would be nice if you can post your experience to configure clients get authenticate with FDS to your blog or in here. I appreciate that. Regards, Diwa From chaks.yoper at gmail.com Thu Apr 5 04:19:17 2007 From: chaks.yoper at gmail.com (Chakkaradeep C C) Date: Thu, 5 Apr 2007 16:19:17 +1200 Subject: [Fedora-directory-users] Re: Regarding Fedora Clients Authentication to FDS In-Reply-To: References: Message-ID: Hi, It would be nice if you can post your experience to configure clients > get authenticate with FDS to your blog or in here. I am still not able to get clients authenticated to FDS. But sure I will update my blog regarding my openLDAP and Ubuntu client :) and if FDS works, FDS too. I think that there is some problem with the /etc/pam.d/system-auth which authconfig didnt change. Exploring into it. -- Regards, C.C.Chakkaradeep, http://chakkaradeep.wordpress.com -- "Sometimes it's better not to ask - or to listen - when people tell you something can't be done. I didnt ask for permission or approval. I just went ahead and did it." - from "Direct from Dell" -------------- next part -------------- An HTML attachment was scrubbed... 
From ydossow at bla.cl Thu Apr 5 04:29:04 2007
From: ydossow at bla.cl (Yonathan Dossow)
Date: Thu, 5 Apr 2007 00:29:04 -0400
Subject: [Fedora-directory-users] Re: Regarding Fedora Clients Authentication to FDS
In-Reply-To:
References:
Message-ID: <20070405042904.GD4783@bla.cl>

On Thu, Apr 05, 2007 at 04:19:17PM +1200, Chakkaradeep C C wrote:
> Hi,
> It would be nice if you can post your experience to configure clients
> >get authenticate with FDS to your blog or in here.
> I am still not able to get clients authenticated to FDS. But sure I will
> update my blog regarding my openLDAP and Ubuntu client :) and if FDS works,
> FDS too.

i have FDS with a lot of fedora clients, to configure the clients i use this command:

    authconfig --useshadow --usemd5 --enableldap --enableldapauth \
        --ldapserver=myserver1,myserver2 --ldapbasedn=dc=domain,dc=com \
        --enablecache --kickstart

and works fine.

--
Yonathan H. Dossow Acun~a
http://kronin.bla.cl
Estudiante Ingenieria Civil Informatica
Universidad Tecnica Federico Santa Maria
Valparaiso, Chile

From dcrissman at perimeterusa.com Thu Apr 5 16:53:18 2007
From: dcrissman at perimeterusa.com (Dennis Crissman)
Date: Thu, 05 Apr 2007 12:53:18 -0400
Subject: [Fedora-directory-users] PassSync and SSL
Message-ID: <4615297E.9020400@perimeterusa.com>

I am experimenting with Fedora Directory Server and trying to hook up PassSync to synchronize with Active Directory. I have found a walk through on how to set this up (http://directory.fedoraproject.org/wiki/Howto:WindowsSync#Configuring_PassSync), but it seems to require using SSL. Is there a way to set this up without SSL for quick testing.

Thanks,
Dennis

--
The sender of this email subscribes to Perimeter Internetworking's email anti-virus service. This email has been scanned for malicious code and is believed to be virus free.
For more information on email security please visit: http://www.perimeterusa.com/email-defense-content.html This communication is confidential, intended only for the named recipient(s) above and may contain trade secrets or other information that is exempt from disclosure under applicable law. Any use, dissemination, distribution or copying of this communication by anyone other than the named recipient(s) is strictly prohibited. If you have received this communication in error, please delete the email and immediately notify our Command Center at 203-541-3444. From nkinder at redhat.com Thu Apr 5 17:31:35 2007 From: nkinder at redhat.com (Nathan Kinder) Date: Thu, 05 Apr 2007 10:31:35 -0700 Subject: [Fedora-directory-users] PassSync and SSL In-Reply-To: <4615297E.9020400@perimeterusa.com> References: <4615297E.9020400@perimeterusa.com> Message-ID: <46153277.80202@redhat.com> Dennis Crissman wrote: > I am experimenting with Fedora Directory Server and trying to hook up > PassSync to synchronize with Active Directory. I have found a walk > through on how to set this up > (http://directory.fedoraproject.org/wiki/Howto:WindowsSync#Configuring_PassSync), > but it seems to require using SSL. Is there a way to set this up > without SSL for quick testing. > Nope. It absolutely requires SSL. AD will not accept a password modification over LDAP without SSL. The PassSync service will also not send a password over an unencrypted channel. -NGK > Thanks, > Dennis > > > > -- > The sender of this email subscribes to Perimeter Internetworking's email > anti-virus service. This email has been scanned for malicious code and is > believed to be virus free. For more information on email security > please visit: > http://www.perimeterusa.com/email-defense-content.html > > This communication is confidential, intended only for the named > recipient(s) > above and may contain trade secrets or other information that is > exempt from > disclosure under applicable law. 
Any use, dissemination, distribution or > copying of this communication by anyone other than the named > recipient(s) is > strictly prohibited. If you have received this communication in error, > please > delete the email and immediately notify our Command Center at > 203-541-3444. > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3241 bytes Desc: S/MIME Cryptographic Signature URL: From dcrissman at perimeterusa.com Thu Apr 5 17:54:19 2007 From: dcrissman at perimeterusa.com (Dennis Crissman) Date: Thu, 05 Apr 2007 13:54:19 -0400 Subject: [Fedora-directory-users] PassSync and SSL In-Reply-To: <46153277.80202@redhat.com> References: <4615297E.9020400@perimeterusa.com> <46153277.80202@redhat.com> Message-ID: <461537CB.3070404@perimeterusa.com> I have just one other question then. Since SSL is required, is a CA also required? Or can I go without one? Thank you for your help, Dennis Nathan Kinder wrote: > Dennis Crissman wrote: >> I am experimenting with Fedora Directory Server and trying to hook up >> PassSync to synchronize with Active Directory. I have found a walk >> through on how to set this up >> (http://directory.fedoraproject.org/wiki/Howto:WindowsSync#Configuring_PassSync), >> but it seems to require using SSL. Is there a way to set this up >> without SSL for quick testing. >> > Nope. It absolutely requires SSL. AD will not accept a password > modification over LDAP without SSL. The PassSync service will also > not send a password over an unencrypted channel. > > -NGK >> Thanks, >> Dennis >> >> >> >> -- >> The sender of this email subscribes to Perimeter Internetworking's email >> anti-virus service. This email has been scanned for malicious code >> and is >> believed to be virus free. 
For more information on email security >> please visit: >> http://www.perimeterusa.com/email-defense-content.html >> >> This communication is confidential, intended only for the named >> recipient(s) >> above and may contain trade secrets or other information that is >> exempt from >> disclosure under applicable law. Any use, dissemination, distribution or >> copying of this communication by anyone other than the named >> recipient(s) is >> strictly prohibited. If you have received this communication in >> error, please >> delete the email and immediately notify our Command Center at >> 203-541-3444. >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -- The sender of this email subscribes to Perimeter Internetworking's email anti-virus service. This email has been scanned for malicious code and is believed to be virus free. For more information on email security please visit: http://www.perimeterusa.com/email-defense-content.html This communication is confidential, intended only for the named recipient(s) above and may contain trade secrets or other information that is exempt from disclosure under applicable law. Any use, dissemination, distribution or copying of this communication by anyone other than the named recipient(s) is strictly prohibited. If you have received this communication in error, please delete the email and immediately notify our Command Center at 203-541-3444. From pkime at Shopzilla.com Thu Apr 5 18:02:50 2007 From: pkime at Shopzilla.com (Philip Kime) Date: Thu, 5 Apr 2007 11:02:50 -0700 Subject: [Fedora-directory-users] Re: Another segfault ... 
In-Reply-To: <20070405160006.BA8A4737A2@hormel.redhat.com>
References: <20070405160006.BA8A4737A2@hormel.redhat.com>
Message-ID: <9C0091F428E697439E7A773FFD083427A92C4D@szexchange.Shopzilla.inc>

> Ok. Then, how about the error log?

Just a load of these, which are common.

[03/Apr/2007:12:52:22 -0700] - loading global password policy for uid=glink,ou=people,dc=shopzilla,dc=com--local policy entry not found
[03/Apr/2007:12:52:22 -0700] - loading global password policy for uid=glink,ou=people,dc=shopzilla,dc=com--local policy entry not found
[03/Apr/2007:12:52:22 -0700] - loading global password policy for uid=glink,ou=people,dc=shopzilla,dc=com--local policy entry not found

> What are the clients? OS login?

Yes, but mainly the vast majority are LDAP-based NIS netgroup queries and a few LDAP-based SUDO requests.

> The mem cache should only be large enough to hold all of the entries/indexes in your
> database - any more than that is not used. You could try increasing it, but I doubt it
> will help.

Thought so - the DB isn't that large.

PK

From Nate at acsmagnum.com Thu Apr 5 20:29:54 2007
From: Nate at acsmagnum.com (Nate Bradley)
Date: Thu, 05 Apr 2007 15:29:54 -0500
Subject: [Fedora-directory-users] search problems
Message-ID: <461515F2.A739.00F5.1@acsmagnum.com>

I've figured it out. By 'searching' I meant using the management console's 'Users and Groups' tab to search/add/edit users and groups. Sorry I wasn't too specific. But after a search of bugzilla I found that it is a 'feature' and not a bug. Just annoying to have to change directories when I want to make changes, but I'll survive.

From krisa at opensourcery.com Thu Apr 5 23:05:58 2007
From: krisa at opensourcery.com (Kris S. Amundson)
Date: Thu, 05 Apr 2007 16:05:58 -0700
Subject: [Fedora-directory-users] PassSync and SSL
In-Reply-To: <461537CB.3070404@perimeterusa.com>
References: <4615297E.9020400@perimeterusa.com> <46153277.80202@redhat.com> <461537CB.3070404@perimeterusa.com>
Message-ID: <461580D6.6050401@opensourcery.com>

Dennis Crissman wrote:
> I have just one other question then. Since SSL is required, is a CA also
> required? Or can I go without one?

A CA is required. For self-signed certs you're going to need a CA cert on the FDS side and the Windows side (Certificate Services).

I'm working on this very same setup, and I have successfully got it working. If you wait a month or two I hope to have a howtoforge document created on all the steps. The RedHat docs are fine for everything but the Windows side. Enabling certificate services, creating the enterprise root cert, exporting the server cert, and importing into FDS (and then importing the FDS server cert into Windows).

--
Kris S. Amundson
Founder, CIO
GPG Key: D6D39F2C
OpenSourcery, LLC.
http://www.opensourcery.com/

From krisa at opensourcery.com Thu Apr 5 23:13:28 2007
From: krisa at opensourcery.com (Kris S. Amundson)
Date: Thu, 05 Apr 2007 16:13:28 -0700
Subject: [Fedora-directory-users] FDS-ADS Sync
Message-ID: <46158298.3080700@opensourcery.com>

So I got the Windows Sync Agreement working.

Windows side:
cn=Users,dc=foo,dc=org

FDS side:
ou=Users,l=Portland,c=US,dc=foo,dc=org

SSL certs are properly exchanged between the two, user passwords sync correctly, and accounts removed or added on either side are sync'd correctly.

Then suddenly less than 24hrs later, users on the ADS side suddenly start being removed from email distribution groups. Client panics and shuts down the FDS server, which appears to be the only change in the last few days.
The accounts had been stable for much time.

Aside from asking the obvious of what would cause this, I'm curious where I should start hunting (log level tweaks.. ADS logs, etc).

Here are some errors I found on the ADS side. These might be the client correcting the errors, not the original error itself:

errors:[04/Apr/2007:09:44:53 -0700] - add value "uid=Finintern,ou=Users,l=Portland,c=US, dc=foo,dc=org" to attribute type "uniqueMember" in entry "cn=FINANCE,ou=Users,l=Portland,c=US, dc=foo,dc=org" failed: value exists

errors:[04/Apr/2007:10:54:53 -0700] - add value "uid=Finintern,ou=Users,l=Portland,c=US, dc=foo,dc=org" to attribute type "uniqueMember" in entry "cn=MAS90,ou=Users,l=Portland,c=US, dc=foo,dc=org" failed: value exists

errors:[04/Apr/2007:11:54:53 -0700] - add value "uid=sharrison,ou=Users,l=Portland,c=US, dc=foo,dc=org" to attribute type "uniqueMember" in entry "cn=Raisers Edge,ou=Users,l=Portland,c=US, dc=foo,dc=org" failed: value exists

--
Kris S. Amundson
Founder, CIO
GPG Key: D6D39F2C
OpenSourcery, LLC.
http://www.opensourcery.com/

From richard at powerset.com Fri Apr 6 01:49:09 2007
From: richard at powerset.com (Richard Hesse)
Date: Thu, 05 Apr 2007 18:49:09 -0700
Subject: [Fedora-directory-users] FDS-ADS Sync
In-Reply-To: <46158298.3080700@opensourcery.com>
Message-ID:

FWIW, the same thing happened to me when we setup our FDS-AD sync agreements. I can't say definitely, but the problem went away after we stopped using the Fedora Console for user and group management. We wrote our own tools to manage the directory data, and the disappearing users problem went away. I'm not saying that the console is the cause, just throwing that out there.

Good luck.
-richard

On 4/5/07 4:13 PM, "Kris S. Amundson" wrote:
> So I got the Windows Sync Agreement working.
From mjdshop at earthlink.net Fri Apr 6 18:02:28 2007
From: mjdshop at earthlink.net (MJD Shop Account)
Date: Fri, 6 Apr 2007 14:02:28 -0400 (GMT-04:00)
Subject: [Fedora-directory-users] constructing attribute from two others
Message-ID: <12967345.1175882548752.JavaMail.root@elwamui-huard.atl.sa.earthlink.net>

Hi all,

I am looking to make use of the password passthru module for authentication, but have been considering the best way to do so without modifying schema.
Ultimately I may anyway, but here's the situation and question:

I need to construct an identity to use for kerberos authentication, where the kerberos user principal will be the same as the 'uid' attribute already defined for the person + @ + the AD domain. The AD domain will be one of potentially 4 values depending on region; in my case really just one of two: "na.example.com" or "eu.example.com".

So, can I construct an attribute on the fly which is built from two other attributes?

I have already worked out that I can probably benefit from using a classic cosAttribute, defining 'locality' for each user as being 'NA' or 'EU' or possibly more specific values (what is locality generally used for? city? state? country?) and having a template which then defines the 'domain' attribute based on that locality. Maybe it is just as easy to store the domain attribute per user directly. Maybe I just make the locality equal to the proper domain.

But I also can consider doing something where the domain would depend upon the range that the uidNumber is in, except I don't know how to do so. Sort of like a cosAttribute, but the value depends on the range of uidNumber, not a specific value. A bit like using a view.

Any ideas?

-M

From dcrissman at perimeterusa.com Mon Apr 9 13:34:14 2007
From: dcrissman at perimeterusa.com (Dennis Crissman)
Date: Mon, 09 Apr 2007 09:34:14 -0400
Subject: [Fedora-directory-users] What is syncronized?
Message-ID: <461A40D6.4020400@perimeterusa.com>

The name PassSync would indicate that this utility synchronizes passwords, can anything else be sync'd? I need to be able to sync all of the following: users, groups, systems, email addresses, and passwords, etc.

Can PassSync do all that? If not is there another utility you might recommend, either using FDS or not?
From edlinuxguru at gmail.com Mon Apr 9 18:22:34 2007
From: edlinuxguru at gmail.com (Eddie C)
Date: Mon, 9 Apr 2007 14:22:34 -0400
Subject: [Fedora-directory-users] Restoring an LDAP backup to a different server db2bak
Message-ID:

Every night I run a db2bak. Can this backup be safely restored to a different server? using bak2db?

From nhosoi at redhat.com Mon Apr 9 18:36:12 2007
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Mon, 09 Apr 2007 11:36:12 -0700
Subject: [Fedora-directory-users] Restoring an LDAP backup to a different server db2bak
In-Reply-To:
References:
Message-ID: <461A879C.50704@redhat.com>

Eddie C wrote:
> Every night I run a db2bak.
> Can this backup be safely restored to a different server? using bak2db?

If it is a configuration server (having NetscapeRoot in db), it cannot be, unfortunately. And of course, the base suffix (or suffixes) should be identical between the 2 servers.
From edlinuxguru at gmail.com Mon Apr 9 18:48:33 2007
From: edlinuxguru at gmail.com (Eddie C)
Date: Mon, 9 Apr 2007 14:48:33 -0400
Subject: [Fedora-directory-users] Restoring an LDAP backup to a different server db2bak
In-Reply-To: <461A879C.50704@redhat.com>
References: <461A879C.50704@redhat.com>
Message-ID:

I have tried this before without luck. I was hoping there was a way. My situation is I have nightly db2bak files. I want to recover the database from friday to a different machine to see the state of the application then. I do not need much other than read only access to the old data on the new server.

Any crafty hacks would be appreciated.

Edward

On 4/9/07, Noriko Hosoi wrote:
> Eddie C wrote:
> > Every night I run a db2bak.
> > Can this backup be safely restored to a different server? using bak2db?
> If it is a configuration server (having NetscapeRoot in db), it cannot
> be, unfortunately. And of course, the base suffix (or suffixes) should
> be identical between the 2 servers.

From oscar.valdez at duraflex.com.sv Mon Apr 9 18:47:08 2007
From: oscar.valdez at duraflex.com.sv (Oscar A. Valdez)
Date: Mon, 09 Apr 2007 12:47:08 -0600
Subject: [Fedora-directory-users] Restoring an LDAP backup to a different server db2bak
In-Reply-To:
References:
Message-ID: <1176144428.2991.28.camel@tux.valdez-bicard.com.sv>

On Mon, 09-04-2007 at 14:22 -0400, Eddie C wrote:
> Every night I run a db2bak.
> Can this backup be safely restored to a different server? using
> bak2db?

It won't.

I had to do a restore by necessity, and here's what I had to do (by Noriko Hosoi's gracious recommendation):

1. on the current directory server, export the data into ldif files.
   go to your /slapd-; run "db2ldif -n " for each backend (e.g., userRoot) EXCEPT NetscapeRoot
2. install new FDS
3. go to the /slapd-
4. stop the directory server
5. import the ldif files from the current directory server
   repeat "ldif2db -n -i /slapd-/.ldif" for each .ldif file exported in (1).
6. start the directory server

The issue is documented in this thread:
https://www.redhat.com/archives/fedora-directory-users/2007-February/msg00024.html

The NetscapeRoot instance is server-specific, and it won't restore properly on a new server.
--
Oscar A. Valdez

From oscar.valdez at duraflex.com.sv Mon Apr 9 19:05:07 2007
From: oscar.valdez at duraflex.com.sv (Oscar A. Valdez)
Date: Mon, 09 Apr 2007 13:05:07 -0600
Subject: [Fedora-directory-users] Restoring an LDAP backup to a different server db2bak
In-Reply-To:
References: <461A879C.50704@redhat.com>
Message-ID: <1176145507.2991.35.camel@tux.valdez-bicard.com.sv>

On Mon, 09-04-2007 at 14:48 -0400, Eddie C wrote:
> I have tried this before without luck. I was hoping there was a way.
> My situation is I have nightly db2bak files. I want to recover the
> database from friday to a different machine to see the state of the
> application then. I do not need much other than read only access to
> the old data on the new server.
>
> Any crafty hacks would be appreciated.

Write a script that runs "db2ldif -n " for each backend (e.g., userRoot) EXCEPT NetscapeRoot

On the new server, import the ldif files generated above: "ldif2db -n "
--
Oscar A. Valdez

From edlinuxguru at gmail.com Mon Apr 9 19:11:42 2007
From: edlinuxguru at gmail.com (Eddie C)
Date: Mon, 9 Apr 2007 15:11:42 -0400
Subject: [Fedora-directory-users] Restoring an LDAP backup to a different server db2bak
In-Reply-To: <1176144428.2991.28.camel@tux.valdez-bicard.com.sv>
References: <1176144428.2991.28.camel@tux.valdez-bicard.com.sv>
Message-ID:

Unfortunately I only have the db2bak from the day I need to restore. No ldif files. And I need to restore them to a new server. I do not need all the configuration data. I only need two of our data trees.

On 4/9/07, Oscar A. Valdez wrote:
> It won't.
>
> The NetscapeRoot instance is server-specific, and it won't restore
> properly on a new server.
From glenn at mail.txwes.edu Mon Apr 9 21:20:09 2007
From: glenn at mail.txwes.edu (Glenn)
Date: Mon, 9 Apr 2007 16:20:09 -0500
Subject: [Fedora-directory-users] Replica has no update vector . . . .
Message-ID: <20070409210821.M9961@mail.txwes.edu>

When I get Windows Sync running between Fedora Directory Server 1.0.3 and Active Directory on a Windows 2003 server, it logs an error message every four seconds: "Replica has no update vector. It has never been initialized." I've tried restarting the directory server and the admin server, and I've tried initiating a full resynchronization, but the error messages continue.

Also, in case it is related, I've noticed that out of 600 or so users in the Fedora directory, only five have replicated to the AD server.

Hoping someone can tell me how to get this working. Thanks.

-G.

From nhosoi at redhat.com Mon Apr 9 22:03:35 2007
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Mon, 09 Apr 2007 15:03:35 -0700
Subject: [Fedora-directory-users] Restoring an LDAP backup to a different server db2bak
In-Reply-To:
References: <1176144428.2991.28.camel@tux.valdez-bicard.com.sv>
Message-ID: <461AB837.7020902@redhat.com>

Eddie C wrote:
> Unfortunately I only have the db2bak from the day I need to restore.
> No ldif files. And I need to restore them to a new server. I do not
> need all the configuration data. I only need two of our data trees.

Once again, do your backed up server and the new server share the same set of suffixes not including NetscapeRoot (if you have o=netscaperoot on the servers, you can't use this trick)? If the answer is yes, you could restore the back-up onto the new server.

If the answer is no, did you run "db2bak" when the server was down? If yes, theoretically you could do as follows.

  cd slapd-
  ## please make sure the new server already has corresponding root suffixes / backend to be restored.
  ./stop-slapd
  rm -rf db/*
  Repeat the command line for each backend to be restored:
  ./bak2db -n
  (e.g., bak2db /opt/fedora-ds/slapd-/bak/2007_04_09_14_46_14/ -n exampleRoot; bak2db /opt/fedora-ds/slapd-/bak/2007_04_09_14_46_14/ -n userRoot)
  ./start-slapd

But I remember it did not work as expected when Oscar experimented for us... If it does not work, you may need to try what Oscar suggested.

Thanks,
--noriko

> On 4/9/07, *Oscar A. Valdez* wrote:
>
>     On Mon, 09-04-2007 at 14:22 -0400, Eddie C wrote:
>     > Every night I run a db2bak.
>     > Can this backup be safely restored to a different server? using
>     > bak2db?
>
>     It won't.
>
>     The NetscapeRoot instance is server-specific, and it won't restore
>     properly on a new server.
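Oscar's export/import route, scripted, as an added example that is not part of this thread or of Fedora DS: it lists the backends under an instance's db/ directory, skips NetscapeRoot, runs db2ldif for each, and on the new server runs ldif2db only for backends the new instance already has (Noriko's precondition above). The instance layout, the dse.ldif check and the FDS_RUN dry-run prefix are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or Fedora DS): move the data backends
# of a Fedora DS 1.0.x instance to a new server the way Oscar describes:
# db2ldif every backend EXCEPT NetscapeRoot, then ldif2db each file.
# Assumed layout: <instance>/db/<backend>/ directories, the <instance>/db2ldif
# and <instance>/ldif2db scripts, and <instance>/config/dse.ldif on the new
# server. FDS_RUN (an assumption) is a command prefix; FDS_RUN=echo = dry run.

# Print backend names under <instance>/db, one per line, skipping
# NetscapeRoot (server-specific). BDB housekeeping files (DBVERSION,
# __db.*, log.*) are files, not directories, so the */ glob ignores them.
list_backends() {
    inst="$1"
    for d in "$inst"/db/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        [ "$name" = NetscapeRoot ] && continue
        printf '%s\n' "$name"
    done
}

# Old server, slapd stopped: export each backend to <outdir>/<backend>.ldif.
export_backends() {
    inst="$1"; outdir="$2"
    mkdir -p "$outdir" || return 1
    list_backends "$inst" | while read -r be; do
        ${FDS_RUN:-} "$inst/db2ldif" -n "$be" -a "$outdir/$be.ldif"
    done
}

# New server, slapd stopped: import <indir>/<backend>.ldif into the backend
# of the same name. The backend must already exist on the new server
# (Noriko's point); this example looks for its mapping-tree line in
# dse.ldif and skips files with no matching backend rather than guessing.
import_backends() {
    inst="$1"; indir="$2"
    for f in "$indir"/*.ldif; do
        [ -f "$f" ] || continue
        be=$(basename "$f" .ldif)
        if ! grep -qi "^nsslapd-backend: $be\$" "$inst/config/dse.ldif"; then
            echo "no backend '$be' on new server, skipping $f" >&2
            continue
        fi
        ${FDS_RUN:-} "$inst/ldif2db" -n "$be" -i "$f"
    done
}

# Constructed demo (no real FDS involved): two data backends plus
# NetscapeRoot on the old side, a new server that only knows userRoot.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/old/db/userRoot" "$t/old/db/exampleRoot" "$t/old/db/NetscapeRoot"
    : > "$t/old/db/DBVERSION"
    mkdir -p "$t/new/config"
    printf 'nsslapd-backend: userRoot\n' > "$t/new/config/dse.ldif"
    FDS_RUN=echo
    export_backends "$t/old" "$t/ldif"
    : > "$t/ldif/userRoot.ldif"; : > "$t/ldif/exampleRoot.ldif"   # stand-ins
    import_backends "$t/new" "$t/ldif"
    rm -rf "$t"
}
demo
```

With FDS_RUN unset the same functions run the real db2ldif/ldif2db scripts from the instance directory, so run them only with slapd stopped on that side.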
From rmeggins at redhat.com Tue Apr 10 00:06:51 2007
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 09 Apr 2007 17:06:51 -0700
Subject: [Fedora-directory-users] What is syncronized?
In-Reply-To: <461A40D6.4020400@perimeterusa.com>
References: <461A40D6.4020400@perimeterusa.com>
Message-ID: <461AD51B.2000305@redhat.com>

Dennis Crissman wrote:
> The name PassSync would indicate that this utility synchronizes
> passwords, can anything else be sync'd? I need to be able to sync all
> of the following: users, groups, systems, email addresses, and
> passwords, etc.
>
> Can PassSync do all that? If not is there another utility you might
> recommend, either using FDS or not?

Have you seen this - http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2836267
From pkime at Shopzilla.com Tue Apr 10 01:26:42 2007
From: pkime at Shopzilla.com (Philip Kime)
Date: Mon, 9 Apr 2007 18:26:42 -0700
Subject: [Fedora-directory-users] Errors in error log on startup
Message-ID: <9C0091F428E697439E7A773FFD083427A92C87@szexchange.Shopzilla.inc>

Starts up ok (although last week, twice it says it started but the server wasn't talking LDAP at all and the load-balancer ignored it for a day) ... are these anything to worry about?

[09/Apr/2007:03:30:24 -0700] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[09/Apr/2007:03:30:24 -0700] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[09/Apr/2007:03:30:24 -0700] - Failed to initialize cipher AES in attrcrypt_init
[09/Apr/2007:03:30:24 -0700] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[09/Apr/2007:03:30:24 -0700] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[09/Apr/2007:03:30:24 -0700] - Failed to initialize cipher AES in attrcrypt_init

PK

--
Philip Kime
NOPS Systems Architect
310 401 0407

From pkime at Shopzilla.com Tue Apr 10 01:57:14 2007
From: pkime at Shopzilla.com (Philip Kime)
Date: Mon, 9 Apr 2007 18:57:14 -0700
Subject: [Fedora-directory-users] Error viewing Encryption settings tab
Message-ID: <9C0091F428E697439E7A773FFD083427A92C88@szexchange.Shopzilla.inc>

When I click the Encryption tab in the Configuration page for one of our FDS 1.0.2 servers, I get this popup error:

org.mozilla.jss.ssl.SSLSocketException: Unable to connect (-5981) Connection refused by peer

And the cipher/cert section is missing on the page after I click OK on this dialog. We had some issues with this server recently, refusing to serve LDAP after its nightly restarts. Any ideas?
PK

--
Philip Kime
NOPS Systems Architect
310 401 0407

From edlinuxguru at gmail.com Tue Apr 10 03:41:01 2007
From: edlinuxguru at gmail.com (Eddie C)
Date: Mon, 9 Apr 2007 23:41:01 -0400
Subject: [Fedora-directory-users] Restoring an LDAP backup to a different server db2bak
In-Reply-To:
References: <1176144428.2991.28.camel@tux.valdez-bicard.com.sv>
Message-ID:

OK, I found a strategy that worked. I took vmware and prepared a virtual machine. I did the RPM install of the same directory server 1.0.4. that was installed on the old server. Luckily I had Retrospect on the machine. I used Retrospect to do a full disk restore of the old system onto the new one. I stopped networking on the server first for fear that the system would start up and try to join the live system and corrupt data. The server did startup but the data was not as it was that day. This was probably due to the fact that Retrospect backed up open files of the FDS. That is ok though. I also had been running db2bak every night. I used bak2db.pl to restore one of the backups over the current. Then I ran db2ldif and moved the ldif files out. Then I did an rpm -e fedora.1.0.4. Then I reinstalled FDS again and used the ldif to restore the data.

The long way around. Having VMWare was nice because I was able to shut down networking but still access the VMWARE console from the network. :)

Edward

On 4/9/07, Eddie C wrote:
> Unfortunately I only have the db2bak from the day I need to restore. No
> ldif files. And I need to restore them to a new server. I do not need all
> the configuration data. I only need two of our data trees.
>
> On 4/9/07, Oscar A. Valdez wrote:
> > It won't.
> >
> > The NetscapeRoot instance is server-specific, and it won't restore
> > properly on a new server.

From paolo.ercolani at postel.it Tue Apr 10 13:09:31 2007
From: paolo.ercolani at postel.it (Paolo Ercolani)
Date: Tue, 10 Apr 2007 15:09:31 +0200
Subject: [Fedora-directory-users] ssl certificate problem
Message-ID: <461B8C8B.8020600@postel.it>

Hi. I'm new to this list and for a week I've been really fighting with directory server. I followed some howtos, I downloaded a lot of documents but I can't get out of trouble.

I need to make login from my linux boxes on ldap directory server. If I try to use my test user in clear mode I can do that. The problem is when I try to configure a self-signed certificate. I'll not describe all the tests I've done, I'll tell you just the last!!

I created my cacert.pem on the ldapserver and I installed it from the console. It goes and it's ok. Then I used openssl to generate a private key and a certificate request, then I signed it.
That's what i did: openssl genrsa -out privkey.pem 2048 openssl req -new -key privkey.pem -out PEM.csr openssl ca -cert cacert.pem -in PEM.csr -out cert.pem I copied cacert.pem, privkey.pem and cert.pem on the client and i configured ldap.conf on it: URI ldaps://:636 BASE ou=UTENTI,o=postel,c=com host kingu.postel.com TLS_REQCERT allow TLS_CHECKPEER yes TLS_CACERTDIR /etc/ssl TLS_CACERT /etc/ssl/cacert.pem TLS_CERT /etc/ssl/cert.pem TLS_KEY /etc/ssl/privkey.pem I activated ssl on my ldap server and i installed my cacert.pem on it. i didn't anything else. I tried also to generate a certificate request from directory server and to sign it with my cacert.pem. Then i imported it like my server-cert. It imported it but login still didn't go. I followed the manuals i found on directory.fedora.org (managing SSL and SASL), but i saw a lot of documents too. I think logs say nothing bad. That's my access log: / / /[10/Apr/2007:14:59:54 +0200] conn=15 fd=65 slot=65 SSL connection from to / /[10/Apr/2007:14:59:54 +0200] conn=15 SSL 256-bit AES/ /[10/Apr/2007:14:59:54 +0200] conn=15 op=0 BIND dn="" method=128 version=3/ /[10/Apr/2007:14:59:54 +0200] conn=15 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""/ /[10/Apr/2007:14:59:54 +0200] conn=15 op=1 SRCH base="ou=UTENTI,o=postel,c=com" scope=2 filter="(&(objectClass=posixAccount)(uid=utente))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"/ /[10/Apr/2007:14:59:54 +0200] conn=15 op=1 RESULT err=0 tag=101 nentries=1 etime=0/ /[10/Apr/2007:14:59:56 +0200] conn=15 op=2 SRCH base="ou=UTENTI,o=postel,c=com" scope=2 filter="(&(objectClass=posixAccount)(uid=utente))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"/ /[10/Apr/2007:14:59:56 +0200] conn=15 op=2 RESULT err=0 tag=101 nentries=1 etime=0/ /[10/Apr/2007:14:59:56 +0200] conn=15 op=3 SRCH base="ou=UTENTI,o=postel,c=com" scope=2 
filter="(&(objectClass=shadowAccount)(uid=utente))" attrs="uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag"/ /[10/Apr/2007:14:59:56 +0200] conn=15 op=3 RESULT err=0 tag=101 nentries=1 etime=0/ /[10/Apr/2007:14:59:56 +0200] conn=15 op=4 SRCH base="ou=UTENTI,o=postel,c=com" scope=2 filter="(&(objectClass=posixAccount)(uid=utente))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"/ /[10/Apr/2007:14:59:56 +0200] conn=15 op=4 RESULT err=0 tag=101 nentries=1 etime=0/ /[10/Apr/2007:14:59:56 +0200] conn=16 fd=66 slot=66 SSL connection from to / To me it seems it says nothing bad. I can't get out of it and i don't understand what is wrong. The directory server version is 1.0.4. I installed it from RPM on redhat enterprise 4. If i try to log on URI ldap:// (not ssl !!) it goes and i can authenticate using ldap!!! Anyone can help me, please??? Thanks everyone. Paolo. -- Paolo Ercolani Postel Gestione Servizi e Accessi Telematici Erogazione Servizi e Gestione Infrastrutture Mass Communication Viale Guglielmo Massaia 31 ? 00154 Roma Tel 06 51426 549 Fax 06 51426 553 e-mail: paolo.ercolani at postel.com From vsi at ebi.ac.uk Tue Apr 10 14:57:41 2007 From: vsi at ebi.ac.uk (Ville Silventoinen) Date: Tue, 10 Apr 2007 15:57:41 +0100 (BST) Subject: [Fedora-directory-users] db_verify In-Reply-To: <460D4F76.8040404@redhat.com> References: <460BFC9C.4010507@redhat.com> <460D4F76.8040404@redhat.com> Message-ID: Hi Noriko, sorry it took so long to reply, I've been busy with other work. On Fri, 30 Mar 2007, Noriko Hosoi wrote: > Ville Silventoinen wrote: >> I asked my manager but he doesn't think it's a good idea for security >> reasons. The problem is that the data is our NIS mail.aliases and passwd, >> and we don't want to distribute them to the internet. He suggested I'll >> modify the data, so I can send a sample to you. I'll do that next week. > That would be great. 
> Thanks! I'm interested in what type of characters your
> data contain. E.g., character set is UTF-8? Some of your DNs could contain
> any special characters such as '\'? etc...

The character set should be plain ASCII. I created an imaginary mail.aliases file. You can download it from here:

http://www.ebi.ac.uk/systems-srv/mp/file-exchange/

Type in "fedorads" to the Pass Phrase input box and click Go. You should see three files: mail.aliases, mail.aliases.ldif and 99user.ldif.

I can reproduce my problem with the above files, for example, I've tested like this:

1. Delete existing ebiRoot database (you could use userRoot).
2. Delete db/ebiRoot directory.
3. Create ebiRoot database.
4. Shut down slapd.
5. Run db2index and verify-db.pl. No errors.
6. Start slapd.
7. Import mail aliases. I've tried with the Console and my own CLI, which can import LDIF and add entries one-by-one. The method doesn't seem to matter.
8. Shut down slapd.
9. Run db2index and verify-db.pl, verify gives errors:

Verify log files in db ... Good
Verify db/ebiRoot/ancestorid.db4 ...
DB ERROR: db_verify: Page 2: out-of-order key at entry 254
DB ERROR: db_verify: DB->verify: db/ebiRoot/ancestorid.db4: DB_VERIFY_BAD: Database verification failed
Secondary index file ancestorid.db4 in db/ebiRoot is corrupted. Please run db2index(.pl) for reindexing.
Verify db/ebiRoot/objectclass.db4 ...
DB ERROR: db_verify: Page 2: out-of-order key at entry 255
DB ERROR: db_verify: DB->verify: db/ebiRoot/objectclass.db4: DB_VERIFY_BAD: Database verification failed
Secondary index file objectclass.db4 in db/ebiRoot is corrupted. Please run db2index(.pl) for reindexing.
Verify db/ebiRoot/nsuniqueid.db4 ... Good
Verify db/ebiRoot/parentid.db4 ...
DB ERROR: db_verify: Page 1: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: DB->verify: db/ebiRoot/parentid.db4: DB_VERIFY_BAD: Database verification failed
Secondary index file parentid.db4 in db/ebiRoot is corrupted. Please run db2index(.pl) for reindexing.
Verify db/ebiRoot/cn.db4 ...
DB ERROR: db_verify: Page 10: out-of-order key at entry 249
DB ERROR: db_verify: DB->verify: db/ebiRoot/cn.db4: DB_VERIFY_BAD: Database verification failed
Secondary index file cn.db4 in db/ebiRoot is corrupted. Please run db2index(.pl) for reindexing.
Verify db/ebiRoot/id2entry.db4 ... Good
Verify db/ebiRoot/entrydn.db4 ... Good
Verify db/ebiRoot/rfc822mailmember.db4 ...
DB ERROR: db_verify: Page 2: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: Page 3: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: DB->verify: db/ebiRoot/rfc822mailmember.db4: DB_VERIFY_BAD: Database verification failed
Secondary index file rfc822mailmember.db4 in db/ebiRoot is corrupted. Please run db2index(.pl) for reindexing.

> So, in your ldif data, the mail attribute also has this type of value:
> "|/homes/majordom/wrapper stripmime.pl|/homes/majordom/wrapper resend -l
> foobar-dev foobar-dev-outgoing"?

No, the People entries have a simpler mail value, like "foo at ebi.ac.uk".

> And your mail index has the default indexing type: presence, equality, and substring?

Yes.

> What type of indexing does the rfc822MailMember attribute have?

I've tried without any indexing, with presence and equality and with presence, equality and substring. The above errors are from verify-db.pl when I have presence and equality indices. If I have presence, equality and substring, I get these errors for rfc822MailMember:

Verify db/ebiRoot/rfc822mailmember.db4 ...
DB ERROR: db_verify: Page 13: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: Page 6: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: Page 8: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: Page 12: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: Page 3: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: Page 7: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: Page 10: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: Page 15: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: Page 4: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: Page 14: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: Page 5: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: Page 9: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: Page 11: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: DB->verify: db/ebiRoot/rfc822mailmember.db4: DB_VERIFY_BAD: Database verification failed
Secondary index file rfc822mailmember.db4 in db/ebiRoot is corrupted. Please run db2index(.pl) for reindexing.

> Have we already heard what platform you are running the FDS on?

CentOS release 4.4, Linux 2.6.9-42.ELsmp. Pentium III 2x1266MHz CPUs, 2GB memory, SCSI disks. I'm using FDS 1.0.4.

I'm away this week Wed-Fri, so I'll get back to you next week. Thanks for the help!
Ville

From rmeggins at redhat.com Tue Apr 10 15:24:07 2007
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 10 Apr 2007 08:24:07 -0700
Subject: [Fedora-directory-users] Error viewing Encryption settings tab
In-Reply-To: <9C0091F428E697439E7A773FFD083427A92C88@szexchange.Shopzilla.inc>
References: <9C0091F428E697439E7A773FFD083427A92C88@szexchange.Shopzilla.inc>
Message-ID: <461BAC17.4050605@redhat.com>

Philip Kime wrote:
> When I click the Encryption tab in the Configuration page for one of
> our FDS 1.0.2 servers, I get this popup error:
>
> org.mozilla.jss.ssl.SSLSocketException: Unable to connect (-5981)
> Connection refused by peer
>
> And the cipher/cert section is missing on the page after I click OK on
> this dialog. We had some issues with this server recently, refusing to
> serve LDAP after its nightly restarts. Any ideas?

ls -al /opt/fedora-ds/alias

Also, check admin-serv/config/adm.conf and shared/config/dbswitch.conf - the former should list the port used by the admin server, and the latter should list the LDAP URL (ldap or ldaps) for your configuration DS. Then check the various SSL configuration settings mentioned here - http://directory.fedoraproject.org/wiki/Howto:SSL#Console_SSL_Information

> PK
>
> --
> Philip Kime
> NOPS Systems Architect
> 310 401 0407
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
From rmeggins at redhat.com Tue Apr 10 15:25:22 2007
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 10 Apr 2007 08:25:22 -0700
Subject: [Fedora-directory-users] Errors in error log on startup
In-Reply-To: <9C0091F428E697439E7A773FFD083427A92C87@szexchange.Shopzilla.inc>
References: <9C0091F428E697439E7A773FFD083427A92C87@szexchange.Shopzilla.inc>
Message-ID: <461BAC62.2010808@redhat.com>

Philip Kime wrote:
> Starts up ok (although last week, twice it says it started but the
> server wasn't talking LDAP at all and the load-balancer ignored it for
> a day) ... are these anything to worry about?

Could it be that this server was configured for SSL, then SSL was turned off?

> [09/Apr/2007:03:30:24 -0700] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
> [09/Apr/2007:03:30:24 -0700] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
> [09/Apr/2007:03:30:24 -0700] - Failed to initialize cipher AES in attrcrypt_init
> [09/Apr/2007:03:30:24 -0700] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
> [09/Apr/2007:03:30:24 -0700] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
> [09/Apr/2007:03:30:24 -0700] - Failed to initialize cipher AES in attrcrypt_init
>
> PK
>
> --
> Philip Kime
> NOPS Systems Architect
> 310 401 0407
From brzurom at tycho.ncsc.mil Sun Apr 8 04:10:55 2007
From: brzurom at tycho.ncsc.mil (Brian Zuromski)
Date: Sun, 08 Apr 2007 00:10:55 -0400
Subject: [Fedora-directory-users] TLS issues during screen lock
Message-ID: <46186B4F.4010106@tycho.ncsc.mil>

Hello,
I'm having an issue with TLS certificates. On the client side, it seems that when I have TLS enabled it works fine. When I screen lock the computer, I have to disable TLS to get back in. Has anyone else experienced this before?

Thanks,
--
-- Brian Z.

From rmeggins at redhat.com Tue Apr 10 15:34:05 2007
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 10 Apr 2007 08:34:05 -0700
Subject: [Fedora-directory-users] ssl certificate problem
In-Reply-To: <461B8C8B.8020600@postel.it>
References: <461B8C8B.8020600@postel.it>
Message-ID: <461BAE6D.9040903@redhat.com>

Paolo Ercolani wrote:
> Hi. I'm new to this list and it's a week I'm really fighting with
> directory server. I followed some howtos, I downloaded a lot of
> documents but I can't get out of trouble.
> I need to make login from my linux boxes on ldap directory server. If
> I try to use my test user in clear mode I can do that. The problem is
> when I try to configure a self-signed certificate. I'll not describe
> all the tests I've done, I'll tell you just the last!!
> I created my cacert.pem on the ldapserver and I installed from the
> console. It goes and it's ok. Then I used openssl to generate a
> private key and a certificate request then I signed it.
> That's what I did:
>
> openssl genrsa -out privkey.pem 2048
> openssl req -new -key privkey.pem -out PEM.csr
> openssl ca -cert cacert.pem -in PEM.csr -out cert.pem
>
> I copied cacert.pem, privkey.pem and cert.pem on the client and I
> configured ldap.conf on it:
>
> URI ldaps://:636
> BASE ou=UTENTI,o=postel,c=com
> host kingu.postel.com
> TLS_REQCERT allow
> TLS_CHECKPEER yes
> TLS_CACERTDIR /etc/ssl
> TLS_CACERT /etc/ssl/cacert.pem
> TLS_CERT /etc/ssl/cert.pem
> TLS_KEY /etc/ssl/privkey.pem
>
> I activated ssl on my ldap server and I installed my cacert.pem on it.
> I didn't do anything else.
> I tried also to generate a certificate request from directory server
> and to sign it with my cacert.pem. Then I imported it like my
> server-cert. It imported it but login still didn't go.

I'm unclear on this last step. What do you mean by login still didn't go? Because the access log excerpt below would seem to indicate that the os did search for and find the login name.

> I followed the manuals I found on directory.fedora.org (managing SSL
> and SASL), but I saw a lot of documents too.
>
> I think logs say nothing bad.
> That's my access log:
>
> [10/Apr/2007:14:59:54 +0200] conn=15 fd=65 slot=65 SSL connection from to
> [10/Apr/2007:14:59:54 +0200] conn=15 SSL 256-bit AES
> [10/Apr/2007:14:59:54 +0200] conn=15 op=0 BIND dn="" method=128 version=3
> [10/Apr/2007:14:59:54 +0200] conn=15 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [10/Apr/2007:14:59:54 +0200] conn=15 op=1 SRCH base="ou=UTENTI,o=postel,c=com" scope=2 filter="(&(objectClass=posixAccount)(uid=utente))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
> [10/Apr/2007:14:59:54 +0200] conn=15 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> [10/Apr/2007:14:59:56 +0200] conn=15 op=2 SRCH base="ou=UTENTI,o=postel,c=com" scope=2 filter="(&(objectClass=posixAccount)(uid=utente))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
> [10/Apr/2007:14:59:56 +0200] conn=15 op=2 RESULT err=0 tag=101 nentries=1 etime=0
> [10/Apr/2007:14:59:56 +0200] conn=15 op=3 SRCH base="ou=UTENTI,o=postel,c=com" scope=2 filter="(&(objectClass=shadowAccount)(uid=utente))" attrs="uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag"
> [10/Apr/2007:14:59:56 +0200] conn=15 op=3 RESULT err=0 tag=101 nentries=1 etime=0
> [10/Apr/2007:14:59:56 +0200] conn=15 op=4 SRCH base="ou=UTENTI,o=postel,c=com" scope=2 filter="(&(objectClass=posixAccount)(uid=utente))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
> [10/Apr/2007:14:59:56 +0200] conn=15 op=4 RESULT err=0 tag=101 nentries=1 etime=0
> [10/Apr/2007:14:59:56 +0200] conn=16 fd=66 slot=66 SSL connection from to
>
> To me it seems it says nothing bad. I can't get out of it and I don't
> understand what is wrong. The directory server version is 1.0.4. I
> installed it from RPM on redhat enterprise 4.
>
> If I try to log on URI ldap:// (not ssl !!) it goes and I
> can authenticate using ldap!!!
>
> Can anyone help me, please???
>
> Thanks everyone.
> Paolo.

From rmeggins at redhat.com Tue Apr 10 15:35:00 2007
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 10 Apr 2007 08:35:00 -0700
Subject: [Fedora-directory-users] TLS issues during screen lock
In-Reply-To: <46186B4F.4010106@tycho.ncsc.mil>
References: <46186B4F.4010106@tycho.ncsc.mil>
Message-ID: <461BAEA4.5080708@redhat.com>

Brian Zuromski wrote:
> Hello,
> I'm having an issue with TLS certificates. On the client
> side, it seems that when I have TLS enabled it works fine. When I
> screen lock the computer, I have to disable TLS to get back in. Has
> anyone else experienced this before?

Are you using client cert based auth?

> Thanks,

From glenn at mail.txwes.edu Tue Apr 10 16:07:57 2007
From: glenn at mail.txwes.edu (Glenn)
Date: Tue, 10 Apr 2007 11:07:57 -0500
Subject: [Fedora-directory-users] Replica has no update vector . . . .
In-Reply-To: <20070409210821.M9961@mail.txwes.edu>
References: <20070409210821.M9961@mail.txwes.edu>
Message-ID: <20070410154501.M15819@mail.txwes.edu>

This problem is due to the formatting of data in the Fedora Directory that does not meet the requirements for Active Directory. The last time I set up Windows Sync, I avoided this by importing the data directly into AD from an ldif file. Then I populated the Fedora Directory by initiating a full resynchronization. This time I wanted to see if I could populate the AD using the full resynchronization.
To begin, I carefully formatted the data before importing the ldif file into Fedora DS. Then I started the initial full resynchronization. I thought my data formatting would eliminate errors, but still the synchronization was interrupted whenever the AD found data it did not like. Since it did not finish, I would get the "replica has no update vector" message. Also, the Replication Status window reported a "Last consumer init. update" message:

Total update aborted LDAP error: Operations error. Error Code: 1

By checking the contents of the Active Directory, I was able to find out where the initial sync stopped. I examined the entry that caused it to stop and corrected the attributes that AD did not like or deleted the entry. I repeated this process several times until the resync finally completed. It would be very helpful if the Fedora Directory could be made to display the entry that caused the initial resync to stop.

Things that AD doesn't like: Carriage returns in attribute values, blank attribute values including no password. Also, AD requires all entries to have certain attributes, including:

objectclass: ntuser
ntUserDomainID: yourADuserID
ntusercreatenewaccount: true

---------- Original Message -----------
From: "Glenn"
To: "Fedora DS List"
Sent: Mon, 9 Apr 2007 16:20:09 -0500
Subject: [Fedora-directory-users] Replica has no update vector . . . .

> When I get Windows Sync running between Fedora Directory Server
> 1.0.3 and Active Directory on a Windows 2003 server, it logs an
> error message every four seconds: "Replica has no update vector. It
> has never been initialized." I've tried restarting the directory
> server and the admin server, and I've tried initiating a full
> resynchronization, but the error messages continue.
>
> Also, in case it is related, I've noticed that out of 600 or so
> users in the Fedora directory, only five have replicated to the AD server.
>
> Hoping someone can tell me how to get this working. Thanks. -G.
------- End of Original Message -------

From glenn at mail.txwes.edu Tue Apr 10 16:27:41 2007
From: glenn at mail.txwes.edu (Glenn)
Date: Tue, 10 Apr 2007 11:27:41 -0500
Subject: [Fedora-directory-users] Problem running console on Windows
In-Reply-To: <20070404202109.GQ27901@pmorris.usa.hp.com>
References: <20070404191011.M2857@mail.txwes.edu> <20070404202109.GQ27901@pmorris.usa.hp.com>
Message-ID: <20070410162415.M60688@mail.txwes.edu>

Yes. In this case, it seems Windows doesn't use symbolic links the way Linux does. I fixed it by replacing all linked files with copies of the files they were linked to. Thanks for your reply. -G.

---------- Original Message -----------
From: Patrick Morris
To: "General discussion list for the Fedora Directory server project."
Sent: Wed, 4 Apr 2007 13:21:09 -0700
Subject: Re: [Fedora-directory-users] Problem running console on Windows

> On Wed, 04 Apr 2007, Glenn wrote:
>
>> I'm trying to get the Fedora DS 1.0.4 console working on a Windows computer,
>> using the instructions in the Howto. When I try to start the console, I get
>> this error message:
>>
>> Exception in thread "main" java.lang.NoClassDefFoundError:
>> com/netscape/management/client/console/Console
>>
>> Any idea what could cause this? Thanks. -Glenn.
>
> Usually, an incorrectly set CLASSPATH or not having all the java
> files installed.
------- End of Original Message -------

From brzurom at tycho.ncsc.mil Sun Apr 8 05:07:50 2007
From: brzurom at tycho.ncsc.mil (Brian Zuromski)
Date: Sun, 08 Apr 2007 01:07:50 -0400
Subject: [Fedora-directory-users] TLS issues during screen lock
Message-ID: <461878A6.9090007@tycho.ncsc.mil>

Rich,
No, I'm not using client based auth with this setup. I am sharing out the server certificate to the network client.

Date: Tue, 10 Apr 2007 08:35:00 -0700
From: Rich Megginson
Subject: Re: [Fedora-directory-users] TLS issues during screen lock
To: "General discussion list for the Fedora Directory server project."
Message-ID: <461BAEA4.5080708 at redhat.com>
Content-Type: text/plain; charset="iso-8859-1"

Brian Zuromski wrote:
> > Hello,
> > I'm having an issue with TLS certificates. On the client
> > side, it seems that when I have TLS enabled it works fine. When I
> > screen lock the computer, I have to disable TLS to get back in. Has
> > anyone else experienced this before?
> Are you using client cert based auth?
> >
> > Thanks,
> >

--
-- Brian R. Z

From pkime at Shopzilla.com Tue Apr 10 18:14:47 2007
From: pkime at Shopzilla.com (Philip Kime)
Date: Tue, 10 Apr 2007 11:14:47 -0700
Subject: [Fedora-directory-users] Re: Error viewing Encryption settings tab
In-Reply-To: <20070410153702.61B4B734D4@hormel.redhat.com>
References: <20070410153702.61B4B734D4@hormel.redhat.com>
Message-ID: <9C0091F428E697439E7A773FFD083427A92C8B@szexchange.Shopzilla.inc>

Hmm - I restarted the Admin server and this error went away. Now there is no problem with that tab. I do nightly restarts of slapd (to guard against memory leaks, even though the NSS leak was fixed some time ago) but I've never restarted the admin server. Perhaps I should restart both ...
PK

From rmattier at Endeca.com Tue Apr 10 18:34:24 2007
From: rmattier at Endeca.com (Rick Mattier)
Date: Tue, 10 Apr 2007 14:34:24 -0400
Subject: [Fedora-directory-users] ldap super users
Message-ID:

Hi

In my setup, I currently have three branches ou=Engineering,dc=mydomain,dc=com, ou=Sales,dc=mydomain,dc=com, ou=People,dc=mydomain,dc=com. I would like to know if there is a primary group that I can create that houses administrators that can access all of these ou's without being added to each ou.

Rick Mattier
Systems Administrator
W 617 674-6168
M 617 201-1774
E rmattier at endeca.com
Endeca
101 Main Street
Cambridge, Ma. 02142
www.endeca.com
find / analyze / understand

From prowley at redhat.com Tue Apr 10 18:46:22 2007
From: prowley at redhat.com (Pete Rowley)
Date: Tue, 10 Apr 2007 11:46:22 -0700
Subject: [Fedora-directory-users] ldap super users
In-Reply-To:
References:
Message-ID: <461BDB7E.7090500@redhat.com>

Rick Mattier wrote:
> Hi
>
> In my setup, I currently have three branches
> ou=Engineering,dc=mydomain,dc=com, ou=Sales,dc=mydomain,dc=com,
> ou=People,dc=mydomain,dc=com. I would like to know if there is a
> primary group that I can create that houses administrators that can
> access all of these ou's without being added to each ou.

create group, add administrators, add aci to dc=mydomain,dc=com which grants the access required for the group.

--
Pete

From pkime at Shopzilla.com Tue Apr 10 19:20:34 2007
From: pkime at Shopzilla.com (Philip Kime)
Date: Tue, 10 Apr 2007 12:20:34 -0700
Subject: [Fedora-directory-users] Non-indexed searches on objectclass?
Message-ID: <9C0091F428E697439E7A773FFD083427A92C90@szexchange.Shopzilla.inc>

When I look at the logconv output for some of my FDS servers, I see that the common factor on all listed unindexed searches is using the "objectclass" attribute. Is it worth indexing this?

PK

--
Philip Kime
NOPS Systems Architect
310 401 0407

From gholbert at broadcom.com Tue Apr 10 20:01:33 2007
From: gholbert at broadcom.com (George Holbert)
Date: Tue, 10 Apr 2007 13:01:33 -0700
Subject: [Fedora-directory-users] Non-indexed searches on objectclass?
In-Reply-To: <9C0091F428E697439E7A773FFD083427A92C90@szexchange.Shopzilla.inc>
References: <9C0091F428E697439E7A773FFD083427A92C90@szexchange.Shopzilla.inc>
Message-ID: <461BED1D.6060202@broadcom.com>

objectclass is indexed by default, so you shouldn't have to add it. Maybe your searches are exceeding the All IDs threshold. Take a look at:

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/index1.html#1110655

Philip Kime wrote:
> When I look at the logconv output for some of my FDS servers, I see
> that the common factor on all listed unindexed searches is using the
> "objectclass" attribute. Is it worth indexing this?
>
> PK
>
> --
> Philip Kime
> NOPS Systems Architect
> 310 401 0407

From prowley at redhat.com Tue Apr 10 20:05:45 2007
From: prowley at redhat.com (Pete Rowley)
Date: Tue, 10 Apr 2007 13:05:45 -0700
Subject: [Fedora-directory-users] Non-indexed searches on objectclass?
In-Reply-To: <9C0091F428E697439E7A773FFD083427A92C90@szexchange.Shopzilla.inc>
References: <9C0091F428E697439E7A773FFD083427A92C90@szexchange.Shopzilla.inc>
Message-ID: <461BEE19.1020900@redhat.com>

Philip Kime wrote:
> When I look at the logconv output for some of my FDS servers, I see
> that the common factor on all listed unindexed searches is using the
> "objectclass" attribute.
> Is it worth indexing this?

It is already indexed for equality. The fact that an attribute is indexed does not mean all searches using it will be indexed searches. In an attempt to perform _less_ work, when the number of candidate entries returned by an index exceeds administrative limits it triggers an unindexed search. Also the type of index must match the search filter type. As db size increases, objectclass becomes less and less likely to actually distinguish entries sufficiently to be useful, and certainly not with any index type other than equality.

--
Pete

From rmeggins at redhat.com Tue Apr 10 20:53:32 2007
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 10 Apr 2007 13:53:32 -0700
Subject: [Fedora-directory-users] Re: Error viewing Encryption settings tab
In-Reply-To: <9C0091F428E697439E7A773FFD083427A92C8B@szexchange.Shopzilla.inc>
References: <20070410153702.61B4B734D4@hormel.redhat.com> <9C0091F428E697439E7A773FFD083427A92C8B@szexchange.Shopzilla.inc>
Message-ID: <461BF94C.9010208@redhat.com>

Philip Kime wrote:
> Hmm - I restarted the Admin server and this error went away. Now there
> is no problem with that tab. I do nightly restarts of slapd (to guard
> against memory leaks, even though the NSS leak was fixed some time ago)
> but I've never restarted the admin server. Perhaps I should restart both
> ...

I think you should restart both. Admin Server may have persistent connections, or may have to query the directory server periodically.

> PK
From rmeggins at redhat.com Wed Apr 11 16:18:43 2007
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 11 Apr 2007 09:18:43 -0700
Subject: [Fedora-directory-users] TLS issues during screen lock
In-Reply-To: <461878A6.9090007@tycho.ncsc.mil>
References: <461878A6.9090007@tycho.ncsc.mil>
Message-ID: <461D0A63.1010601@redhat.com>

Brian Zuromski wrote:
> Rich,
> No, I'm not using client based auth with this setup. I am
> sharing out the server certificate to the network client.

How does this relate to LDAP or the directory server?

> Date: Tue, 10 Apr 2007 08:35:00 -0700
> From: Rich Megginson
> Subject: Re: [Fedora-directory-users] TLS issues during screen lock
> To: "General discussion list for the Fedora Directory server project."
>
> Message-ID: <461BAEA4.5080708 at redhat.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Brian Zuromski wrote:
>
>> > Hello,
>> > I'm having an issue with TLS certificates. On the client
>> > side, it seems that when I have TLS enabled it works fine. When I
>> > screen lock the computer, I have to disable TLS to get back in. Has
>> > anyone else experienced this before?
>> Are you using client cert based auth?
>>
>> > Thanks,
>> >

From pkime at Shopzilla.com Wed Apr 11 18:31:49 2007
From: pkime at Shopzilla.com (Philip Kime)
Date: Wed, 11 Apr 2007 11:31:49 -0700
Subject: [Fedora-directory-users] More segfaults - getting urgent
Message-ID: <9C0091F428E697439E7A773FFD083427A92C9B@szexchange.Shopzilla.inc>

Help ... my slapd servers are segfaulting regularly now. They are certainly more heavily loaded than they used to be but not overly so.
Apr 4 03:40:01 ldap001 kernel: ns-slapd[16820]: segfault at 0000000000000008 rip 0000000000411b6f rsp 00000000406dc0c8 error 4
Mar 19 00:00:08 ldap001 kernel: ns-slapd[18926]: segfault at 0000000000000008 rip 0000000000411b6f rsp 00000000404110c8 error 4
Apr 10 16:00:11 ldap001 kernel: ns-slapd[23382]: segfault at 0000000000000008 rip 0000000000411b6f rsp 00000000404110c8 error 4

It's odd - they were rock-solid for months and suddenly they have started to do this - any ideas? There is nothing in the error logs at all at the time of the crashes and the access logs don't show anything out of the ordinary.

PK

--
Philip Kime
NOPS Systems Architect
310 401 0407

From glenn at mail.txwes.edu Wed Apr 11 21:37:10 2007
From: glenn at mail.txwes.edu (Glenn)
Date: Wed, 11 Apr 2007 16:37:10 -0500
Subject: [Fedora-directory-users] Replication Subtree not Available?
Message-ID: <20070411212312.M33219@mail.txwes.edu>

I'm trying to create a replication agreement on a Fedora Directory server, version 1.0.3. I want to select a subtree of the database for replication, but there doesn't seem to be a way to do this. The help says I can select a subtree by creating the agreement from the Replication folder instead of from the database, but there is no option to create an agreement when I right-click the Replication folder. Is the help wrong, or is this feature available in some other version, or am I just missing something?

This feature is available when creating a Windows Sync agreement, and it is very useful for testing. Thanks. -G.

From rmeggins at redhat.com Wed Apr 11 21:43:00 2007
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 11 Apr 2007 14:43:00 -0700
Subject: [Fedora-directory-users] Replication Subtree not Available?
In-Reply-To: <20070411212312.M33219@mail.txwes.edu>
References: <20070411212312.M33219@mail.txwes.edu>
Message-ID: <461D5664.3070502@redhat.com>

Glenn wrote:
> I'm trying to create a replication agreement on a Fedora Directory server,
> version 1.0.3. I want to select a subtree of the database for replication,
> but there doesn't seem to be a way to do this. The help says I can select a
> subtree by creating the agreement from the Replication folder instead of from
> the database, but there is no option to create an agreement when I right-
> click the Replication folder. Is the help wrong, or is this feature
> available in some other version, or am I just missing something?

The unit of replication is the database, so you have to create a sub-suffix with its own database, then you can replicate that.

> This feature is available when creating a Windows Sync agreement, and it is
> very useful for testing. Thanks. -G.

From ashley at csse.uwa.edu.au Thu Apr 12 01:19:34 2007
From: ashley at csse.uwa.edu.au (ashley)
Date: Thu, 12 Apr 2007 09:19:34 +0800 (WST)
Subject: [Fedora-directory-users] TLS issues during screen lock
In-Reply-To: <461D0A63.1010601@redhat.com>
References: <461878A6.9090007@tycho.ncsc.mil> <461D0A63.1010601@redhat.com>
Message-ID:

Yes I've had that problem before but I fixed it before. I think it's a permission problem of the user accessing the certificate. When you logged onto the system the auth process is done by root but when you lock it with a screen saver it's locked by the user. So to unlock it the auth process is done by the user.
But if your user has no access to the certificate he can't authenticate against the ldap. You can verify this by (Test this by)

chmod -R 755 /etc/openldap/certs

(Or wherever your certs are on the client system)

Log in as a normal user, lock it with xscreensaver, try unlocking it. If it works you have an access permission problem with your certs.

On Wed, 11 Apr 2007, Rich Megginson wrote:

> Brian Zuromski wrote:
>> Rich,
>> No, I'm not using client based auth with this setup. I am sharing
>> out the server certificate to the network client.
> How does this relate to LDAP or the directory server?
>> Date: Tue, 10 Apr 2007 08:35:00 -0700
>> From: Rich Megginson
>> Subject: Re: [Fedora-directory-users] TLS issues during screen lock
>> To: "General discussion list for the Fedora Directory server project."
>>
>> Message-ID: <461BAEA4.5080708 at redhat.com>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> Brian Zuromski wrote:
>>
>>> Hello,
>>> I'm having an issue with TLS certificates. On the client
>>> side, it seems that when I have TLS enabled it works fine. When I
>>> screen lock the computer, I have to disable TLS to get back in. Has
>>> anyone else experienced this before?
>>>
>> Are you using client cert based auth?
>>
>>> Thanks,
>>>

--
Ashley Chew - Systems Administrator
School of Computer Science and Software Engineering
University of Western Australia
Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089
Ashley[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ashley
"There is no such thing as Fate, Fate is what you make of it!"
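The diagnosis in the message above is that the unlock path runs PAM/nss_ldap as the desktop user rather than as root, so the client's CA certificate (and the directory holding it) must be readable by that user. The blanket `chmod -R 755` it suggests confirms the diagnosis, but it also leaves any private key in the same directory (the `TLS_KEY` file from the ldap.conf earlier in this thread, for instance) readable by everyone. The following Python audit is an added example, not code from the thread or from Fedora DS or OpenLDAP: it evaluates the mode bits and ownership of each file from the point of view of a given unprivileged uid, reports certificates that user cannot read and directories it cannot traverse, and separately flags private keys that group or other can read. The file-naming convention (certificates ending in .pem/.crt/.cer, keys named with "privkey" or "key") and the sample files it builds are assumptions of the example.

```python
"""Audit an LDAP client's TLS certificate directory for the screen-lock case:
PAM/nss_ldap runs as the unprivileged desktop user when it unlocks the screen,
so the CA certificate must be readable by that user, while private keys in the
same directory must not become world-readable. Added example, not code from
the thread, Fedora DS or OpenLDAP."""
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass
from typing import Iterable, List

# Assumptions of this example: certificates carry these suffixes, and private
# keys are named like the TLS_KEY in the thread's ldap.conf (privkey.pem).
CERT_SUFFIXES = (".pem", ".crt", ".cer")
KEY_MARKERS = ("privkey", "key")


@dataclass
class Finding:
    path: str
    problem: str


def _permits(mode: int, owner_uid: int, owner_gid: int, uid: int,
             gids: Iterable[int], usr_bit: int, grp_bit: int, oth_bit: int) -> bool:
    """Classic Unix resolution: root always wins, then owner, then group, then other."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & usr_bit)
    if owner_gid in set(gids):
        return bool(mode & grp_bit)
    return bool(mode & oth_bit)


def can_read(mode: int, owner_uid: int, owner_gid: int, uid: int, gids: Iterable[int]) -> bool:
    return _permits(mode, owner_uid, owner_gid, uid, gids,
                    stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def can_search(mode: int, owner_uid: int, owner_gid: int, uid: int, gids: Iterable[int]) -> bool:
    """Directory 'search' (x) permission, needed to open anything inside it."""
    return _permits(mode, owner_uid, owner_gid, uid, gids,
                    stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def is_private_key(name: str) -> bool:
    return any(marker in name.lower() for marker in KEY_MARKERS)


def check_cert_dir(root: str, uid: int, gids: Iterable[int]) -> List[Finding]:
    """Walk root and report what the given unprivileged user cannot use, plus
    private keys that group/other can read. Only mode bits and ownership are
    consulted, so the verdict does not depend on who runs the audit."""
    gids = tuple(gids)
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        st = os.stat(dirpath)
        if not can_search(st.st_mode, st.st_uid, st.st_gid, uid, gids):
            findings.append(Finding(dirpath, "directory not searchable by unprivileged user"))
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            fst = os.stat(path)
            if is_private_key(name):
                if fst.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                    findings.append(Finding(path, "private key readable by group/other"))
            elif name.endswith(CERT_SUFFIXES):
                if not can_read(fst.st_mode, fst.st_uid, fst.st_gid, uid, gids):
                    findings.append(Finding(path, "certificate not readable by unprivileged user"))
    return sorted(findings, key=lambda f: f.path)


def build_demo(root: str) -> None:
    """Constructed sample layout with placeholder contents (no real key material):
    a CA cert that is root-only, which is the screen-lock failure case, and a
    private key that a blanket 'chmod -R 755' would leave world-readable."""
    os.makedirs(root, exist_ok=True)
    os.chmod(root, 0o755)
    for name, mode in (("cacert.pem", 0o600), ("privkey.pem", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("-----BEGIN PLACEHOLDER-----\n")
        os.chmod(path, mode)


def run_demo() -> List[Finding]:
    """Build the sample in a scratch directory and audit it as a user who is
    not the owner (owner uid + 1, no supplementary groups)."""
    root = tempfile.mkdtemp(prefix="ldap-certs-")
    try:
        build_demo(root)
        other_uid = os.stat(root).st_uid + 1
        return check_cert_dir(root, other_uid, gids=())
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for finding in run_demo():
        print(f"{finding.problem}: {finding.path}")
```

Run against a real client (`check_cert_dir("/etc/openldap/certs", uid, gids)` with the desktop user's uid and groups) the two kinds of finding point at different fixes: a certificate the user cannot read wants 0644 on the file and 0755 on its directory, while a group/other-readable private key wants 0600 (or a dedicated group with 0640). The point of doing it per file is that the screen-lock symptom goes away without the recursive chmod also publishing key material.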
From dabel at galileoprocessing.com Wed Apr 11 17:50:20 2007
From: dabel at galileoprocessing.com (Deric Abel)
Date: Wed, 11 Apr 2007 11:50:20 -0600
Subject: [Fedora-directory-users] reset admin password
Message-ID: <1176313820.29526.2.camel@dmachine.gp0001.com>

Hello

I recently tried changing the admin password on the Management console, and after doing so it's telling me the password is incorrect. How can I reset the password?

Thanks,
Deric

From rmeggins at redhat.com Thu Apr 12 16:12:34 2007
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 12 Apr 2007 09:12:34 -0700
Subject: [Fedora-directory-users] reset admin password
In-Reply-To: <1176313820.29526.2.camel@dmachine.gp0001.com>
References: <1176313820.29526.2.camel@dmachine.gp0001.com>
Message-ID: <461E5A72.4030907@redhat.com>

Deric Abel wrote:
> Hello
>
> I recently tried changing the admin password on the Management console,
> and after doing so it's telling me the password is incorrect. How can I
> reset the password?
>
Try restarting the Admin Server. What version of FDS are you using?
>
> Thanks,
>
> Deric

From nhosoi at redhat.com Thu Apr 12 18:35:22 2007
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Thu, 12 Apr 2007 11:35:22 -0700
Subject: [Fedora-directory-users] db_verify
In-Reply-To:
References: <460BFC9C.4010507@redhat.com> <460D4F76.8040404@redhat.com>
Message-ID: <461E7BEA.2030302@redhat.com>

Thank you, Ville, for the test data. I could reproduce the db_verify problem.

I have good news and bad news. :) Good news, first... Your db is not corrupted. The error report from verify-db.pl is bogus.

Bad news, next. Please take a look at this bug.
We are going to provide a fixed utility some time soon.

Summary: verify-db.pl (db_verify) does not work on a little endian machine
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=236256

Sorry about this inconvenience, and thank you for reporting the problem!
--noriko

Ville Silventoinen wrote:
> Hi Noriko,
>
> sorry it took so long to reply, I've been busy with other work.
>
> On Fri, 30 Mar 2007, Noriko Hosoi wrote:
>
>> Ville Silventoinen wrote:
>>> I asked my manager but he doesn't think it's a good idea for
>>> security reasons. The problem is that the data is our NIS
>>> mail.aliases and passwd, and we don't want to distribute them to the
>>> internet. He suggested I'll modify the data, so I can send a sample
>>> to you. I'll do that next week.
>> That would be great. Thanks! I'm interested in what type of
>> characters your data contain. E.g., character set is UTF-8? Some of
>> your DNs could contain any special characters such as '\'? etc...
>
> The character set should be plain ASCII. I created an imaginary
> mail.aliases file. You can download it from here:
>
> http://www.ebi.ac.uk/systems-srv/mp/file-exchange/
>
> Type in "fedorads" to the Pass Phrase input box and click Go. You
> should see three files: mail.aliases, mail.aliases.ldif and 99user.ldif.
>
> I can reproduce my problem with the above files, for example, I've
> tested like this:
>
> 1. Delete existing ebiRoot database (you could use userRoot).
> 2. Delete db/ebiRoot directory.
> 3. Create ebiRoot database.
> 4. Shutdown slapd.
> 5. Run db2index and verify-db.pl. No errors.
> 6. Start slapd.
> 7. Import mail aliases. I've tried with the Console and my own CLI,
> which can import LDIF and add entries one-by-one. The method doesn't
> seem to matter.
> 8. Shutdown slapd.
> 9. Run db2index and verify-db.pl, verify gives errors:
>
> Verify log files in db ... Good
> Verify db/ebiRoot/ancestorid.db4 ...
> DB ERROR: db_verify: Page 2: out-of-order key at entry 254
> DB ERROR: db_verify: DB->verify: db/ebiRoot/ancestorid.db4: DB_VERIFY_BAD: Database verification failed
> Secondary index file ancestorid.db4 in db/ebiRoot is corrupted.
> Please run db2index(.pl) for reindexing.
> Verify db/ebiRoot/objectclass.db4 ...
> DB ERROR: db_verify: Page 2: out-of-order key at entry 255
> DB ERROR: db_verify: DB->verify: db/ebiRoot/objectclass.db4: DB_VERIFY_BAD: Database verification failed
> Secondary index file objectclass.db4 in db/ebiRoot is corrupted.
> Please run db2index(.pl) for reindexing.
> Verify db/ebiRoot/nsuniqueid.db4 ... Good
> Verify db/ebiRoot/parentid.db4 ...
> DB ERROR: db_verify: Page 1: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: DB->verify: db/ebiRoot/parentid.db4: DB_VERIFY_BAD: Database verification failed
> Secondary index file parentid.db4 in db/ebiRoot is corrupted.
> Please run db2index(.pl) for reindexing.
> Verify db/ebiRoot/cn.db4 ...
> DB ERROR: db_verify: Page 10: out-of-order key at entry 249
> DB ERROR: db_verify: DB->verify: db/ebiRoot/cn.db4: DB_VERIFY_BAD: Database verification failed
> Secondary index file cn.db4 in db/ebiRoot is corrupted.
> Please run db2index(.pl) for reindexing.
> Verify db/ebiRoot/id2entry.db4 ... Good
> Verify db/ebiRoot/entrydn.db4 ... Good
> Verify db/ebiRoot/rfc822mailmember.db4 ...
> DB ERROR: db_verify: Page 2: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: Page 3: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: DB->verify: db/ebiRoot/rfc822mailmember.db4: DB_VERIFY_BAD: Database verification failed
> Secondary index file rfc822mailmember.db4 in db/ebiRoot is corrupted.
> Please run db2index(.pl) for reindexing.
>
>> So, in your ldif data, the mail attribute also has this type of
>> value: "|/homes/majordom/wrapper stripmime.pl|/homes/majordom/wrapper
>> resend -l foobar-dev foobar-dev-outgoing"?
>
> No, the People entries have a simpler mail value, like "foo at ebi.ac.uk".
>
>> And your mail index has the default indexing type: presence,
>> equality, and substring?
>
> Yes.
>
>> What type of indexing does the rfc822MailMember attribute have?
>
> I've tried without any indexing, with presence and equality and with
> presence, equality and substring. The above errors are from
> verify-db.pl when I have presence and equality indices. If I have
> presence, equality and substring, I get these errors for
> rfc822MailMember:
>
> Verify db/ebiRoot/rfc822mailmember.db4 ...
> DB ERROR: db_verify: Page 13: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: Page 6: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: Page 8: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: Page 12: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: Page 3: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: Page 7: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: Page 10: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: Page 15: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: Page 4: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: Page 14: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: Page 5: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: Page 9: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: Page 11: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: DB->verify: db/ebiRoot/rfc822mailmember.db4: DB_VERIFY_BAD: Database verification failed
> Secondary index file rfc822mailmember.db4 in db/ebiRoot is corrupted.
> Please run db2index(.pl) for reindexing.
>
>> Have we already heard what platform you are running the FDS on?
>
> CentOS release 4.4, Linux 2.6.9-42.ELsmp.
> Pentium III 2x1266MHz CPUs,
> 2GB memory, SCSI disks. I'm using FDS 1.0.4.
>
> I'm away this week Wed-Fri, so I'll get back to you next week.
>
> Thanks for the help!
>
> Ville

From brzurom at tycho.ncsc.mil Mon Apr 9 14:17:37 2007
From: brzurom at tycho.ncsc.mil (Brian Zuromski)
Date: Mon, 09 Apr 2007 10:17:37 -0400
Subject: [Fedora-directory-users] TLS issues during screen lock
In-Reply-To:
References: <461878A6.9090007@tycho.ncsc.mil> <461D0A63.1010601@redhat.com>
Message-ID: <461A4B01.6080907@tycho.ncsc.mil>

Ashley,

Thanks for the reply. I figured it out by doing a `ldapsearch -ZZ -d 1 -b "" -s base -x` and saw that the TLS trace didn't have read access when using a non-privileged user.

ashley wrote:
>
> Yes I've had that problem before but I fixed it before.
>
> I think it's a permission problem of the user accessing the certificate.
> When you logged onto the system the auth process is done by root but
> when you lock it with a screen saver it's locked by the user. So to
> unlock it the auth process is done by the user.
>
> But if your user has no access to the certificate he can't
> authenticate against LDAP.
>
> You can verify this by (test this by)
>
> chmod -R 755 /etc/openldap/certs
>
> (or wherever your certs are on the client system)
>
> Log in as a normal user, lock it with xscreensaver, try unlocking it.
>
> If it works you have an access permission problem with your certs.
>
> On Wed, 11 Apr 2007, Rich Megginson wrote:
>
>> Brian Zuromski wrote:
>>> Rich,
>>> No, I'm not using client based auth with this setup. I am
>>> sharing out the server certificate to the network client.
>> How does this relate to LDAP or the directory server?
>>> Date: Tue, 10 Apr 2007 08:35:00 -0700
>>> From: Rich Megginson
>>> Subject: Re: [Fedora-directory-users] TLS issues during screen lock
>>> To: "General discussion list for the Fedora Directory server project."
>>> Message-ID: <461BAEA4.5080708 at redhat.com>
>>> Content-Type: text/plain; charset="iso-8859-1"
>>>
>>> Brian Zuromski wrote:
>>>> Hello,
>>>> I'm having an issue with TLS certificates. On the
>>>> client side, it seems that when I have TLS enabled it works
>>>> fine. When I screen lock the computer, I have to disable TLS to
>>>> get back in. Has anyone else experienced this before?
>>> Are you using client cert based auth?
>>>> Thanks,

--
Brian R. Zuromski
National Information Assurance Research Laboratory
Office of Defensive Computing Research (R23)
Contractor :: Pangia Technologies
443-479-5946

From dcrissman at perimeterusa.com Fri Apr 13 17:22:52 2007
From: dcrissman at perimeterusa.com (Dennis Crissman)
Date: Fri, 13 Apr 2007 13:22:52 -0400
Subject: [Fedora-directory-users] SSH help
Message-ID: <461FBC6C.7060107@perimeterusa.com>

I am really struggling to get Fedora Directory Server working using ADSync. I am confused on a lot of fronts, it would be fair to say I am a newbie when it comes to SSH, CAs, and synchronizing anything against Active Directory. So I am at a disadvantage to start with.

I have been using http://directory.fedoraproject.org/wiki/Howto:WindowsSync for my instruction base as well as http://directory.fedoraproject.org/wiki/Howto:SSL for setting up FDS to use SSL.

Here are my steps so far:
1) Install and setup FDS and create my directory server. So far so good.
2) Execute setupssl.sh from the Howto:SSL link above.
   * As far as I can tell this script automates everything in "Basic Steps", so correct me if I am wrong, but I shouldn't have to actually do any of them after running the script?
3) Restart both my admin and directory servers.

After I have restarted my servers, it would seem to me that FDS would be exclusively accessible over port 636. So I use an LDAP Browser to verify, and it turns out that 389 is still available and the other isn't. Why is this?

At this point I decide to move onto another step (http://directory.fedoraproject.org/wiki/Howto:WindowsSync#Enabling_SSL_for_PassSync) in the instructions and setup ADSync on the Active Directory box. Install goes fine, though I am obviously unable to get it to connect to the FDS yet.

I am able to create the cert8.db, but then hit a road block again when I try to execute "pk12util -d . -P slapd- -o servercert.p12 -n Server-Cert", and yes I swap for my host name. I get this exception: "pk12util: find user certs from nickname failed: security library: bad database.". Any idea?

I know this is a lot, but I would appreciate any help I can get.

Thank you,
Dennis

--
The sender of this email subscribes to Perimeter eSecurity's email anti-virus service. This email has been scanned for malicious code and is believed to be virus free. For more information on email security please visit: http://www.perimeterusa.com/email-defense-content.html
This communication is confidential, intended only for the named recipient(s) above and may contain trade secrets or other information that is exempt from disclosure under applicable law. Any use, dissemination, distribution or copying of this communication by anyone other than the named recipient(s) is strictly prohibited. If you have received this communication in error, please delete the email and immediately notify our Command Center at 203-541-3444.
Thanks

From rmeggins at redhat.com Sat Apr 14 03:27:25 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 13 Apr 2007 21:27:25 -0600
Subject: [Fedora-directory-users] SSH help
In-Reply-To: <461FBC6C.7060107@perimeterusa.com>
References: <461FBC6C.7060107@perimeterusa.com>
Message-ID: <46204A1D.8090602@redhat.com>

Dennis Crissman wrote:
> I am really struggling to get Fedora Directory Server working using
> ADSync. I am confused on a lot of fronts, it would be fair to say I am
> a newbie when it comes to SSH, CAs, and synchronizing anything against
> Active Directory. So I am at a disadvantage to start with.
>
> I have been using
> http://directory.fedoraproject.org/wiki/Howto:WindowsSync for my
> instruction base as well as
> http://directory.fedoraproject.org/wiki/Howto:SSL for setting up FDS
> to use SSL.
>
> Here are my steps so far:
> 1) Install and setup FDS and create my directory server. So far so good.
> 2) Execute setupssl.sh from the Howto:SSL link above.
> * As far as I can tell this script automates everything in "Basic
> Steps", so correct me if I am wrong, but I shouldn't have to actually
> do any of them after running the script?
Correct.
> 3) Restart both my admin and directory servers.
>
> After I have restarted my servers, it would seem to me that FDS would
> be exclusively accessible over port 636. So I use an LDAP Browser to
> verify, and it turns out that 389 is still available and the other
> isn't. Why is this?
It should listen to both 389 and 636. Check the error log, do netstat -an | grep 636, and use ldapsearch instead of LDAP Browser to verify.
>
> At this point I decide to move onto another step
> (http://directory.fedoraproject.org/wiki/Howto:WindowsSync#Enabling_SSL_for_PassSync)
> in the instructions and setup ADSync on the Active Directory box.
> Install goes fine, though I am obviously unable to get it to connect
> to the FDS yet.
>
> I am able to create the cert8.db, but then hit a road block again when
> I try to execute "pk12util -d . -P slapd- -o servercert.p12
> -n Server-Cert", and yes I swap for my host name. I get
> this exception: "pk12util: find user certs from nickname failed:
> security library: bad database.". Any idea?
I think you can skip this step. But when you give the -P argument, do not forget the trailing dash - the prefix (-P) is really slapd-instance-
>
> I know this is a lot, but I would appreciate any help I can get.
>
> Thank you,
> Dennis
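An added pre-check for the -P prefix point Rich makes (example code, not from the thread or from the project): it confirms that the prefixed cert8.db and key3.db files really exist in the certificate directory before pk12util is run, which is the difference between the "bad database" error above and a clean export. The instance name "example" and the directory paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the project): a pre-check for the
# pk12util -P prefix. Fedora DS stores an instance's NSS databases as
# slapd-<instance>-cert8.db and slapd-<instance>-key3.db (the trailing dash
# is part of the prefix; secmod.db is not prefixed). Running pk12util with
# a prefix that matches no files makes NSS fail with "security library:
# bad database", which looks like corruption rather than a typo.
# "example" and the directory names below are placeholders.

# nss_prefix INSTANCE -> the prefix FDS uses for that instance's databases
nss_prefix() {
    printf 'slapd-%s-\n' "$1"
}

# check_nssdb DIR PREFIX -> 0 when DIR/PREFIXcert8.db and DIR/PREFIXkey3.db
# both exist; otherwise lists what is missing and what is actually there.
check_nssdb() {
    dir=$1
    prefix=$2
    missing=0
    for base in cert8.db key3.db; do
        if [ ! -f "$dir/$prefix$base" ]; then
            echo "missing: $dir/$prefix$base"
            missing=$((missing + 1))
        fi
    done
    if [ "$missing" -ne 0 ]; then
        echo "NSS databases present in $dir:"
        ls "$dir" | grep -E '(cert8|key3)\.db$' | sed 's/^/  /'
        return 1
    fi
    return 0
}

# export_cmd DIR INSTANCE NICKNAME OUTFILE -> the pk12util command line to run
# once check_nssdb passes. It is printed rather than executed so that no key
# material is exported without a deliberate step.
export_cmd() {
    printf 'pk12util -d %s -P %s -o %s -n %s\n' \
        "$1" "$(nss_prefix "$2")" "$4" "$3"
}

# Usage: sh nssdb_check.sh /opt/fedora-ds/alias myhost
if [ $# -ge 2 ]; then
    if check_nssdb "$1" "$(nss_prefix "$2")"; then
        echo "Prefix OK. To export the server cert, run:"
        export_cmd "$1" "$2" Server-Cert servercert.p12
    fi
fi
```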
From edlinuxguru at gmail.com Sun Apr 15 21:52:56 2007
From: edlinuxguru at gmail.com (Eddie C)
Date: Sun, 15 Apr 2007 17:52:56 -0400
Subject: [Fedora-directory-users] db_verify
In-Reply-To: <461E7BEA.2030302@redhat.com>
References: <460BFC9C.4010507@redhat.com> <460D4F76.8040404@redhat.com> <461E7BEA.2030302@redhat.com>
Message-ID:

I figured as much my FDS complains too about db verify. Even after initial import.

On 4/12/07, Noriko Hosoi wrote:
>
> Thank you, Ville, for the test data. I could reproduce the db_verify
> problem.
>
> I have good news and bad news. :) Good news, first... Your db is not
> corrupted. The error report from verify-db.pl is bogus.
>
> Bad news, next. Please take a look at this bug. We are going to
> provide a fixed utility some time soon.
>
> Summary: verify-db.pl (db_verify) does not work on a little endian machine
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=236256
>
> Sorry about this inconvenience, and thank you for reporting the problem!
> --noriko
>
> Ville Silventoinen wrote:
> > Hi Noriko,
> >
> > sorry it took so long to reply, I've been busy with other work.
> >
> > On Fri, 30 Mar 2007, Noriko Hosoi wrote:
> >
> >> Ville Silventoinen wrote:
> >>> I asked my manager but he doesn't think it's a good idea for
> >>> security reasons. The problem is that the data is our NIS
> >>> mail.aliases and passwd, and we don't want to distribute them to the
> >>> internet. He suggested I'll modify the data, so I can send a sample
> >>> to you. I'll do that next week.
> >> That would be great. Thanks! I'm interested in what type of
> >> characters your data contain. E.g., character set is UTF-8? Some of
> >> your DNs could contain any special characters such as '\'? etc...
> >
> > The character set should be plain ASCII. I created an imaginary
> > mail.aliases file.
> > Ville

From sleepyjoeyu at gmail.com Mon Apr 16 08:10:29 2007
From: sleepyjoeyu at gmail.com (Yu Joe)
Date: Mon, 16 Apr 2007 16:10:29 +0800
Subject: [Fedora-directory-users] How can I check other user info in non-privileged mode?
In-Reply-To:
References:
Message-ID:

Dear all

I've just set up Fedora Directory Server for centralizing my system accounts. I could log in to the system with any of my LDAP accounts, but suddenly found I cannot get other users' info with the "id" or "getent passwd" command when I am in non-privileged user mode. Does anyone know why? Because I can do this as the root user or in a NIS environment.

Somebody help, please.

Thanks anyway.

Joe Yu
One of the RHCEs in Taiwan.

From sleepyjoeyu at gmail.com Mon Apr 16 08:20:04 2007
From: sleepyjoeyu at gmail.com (Yu Joe)
Date: Mon, 16 Apr 2007 16:20:04 +0800
Subject: [Fedora-directory-users] How can I check other user info in non-privileged mode
Message-ID:

Dear all

I've just set up Fedora Directory Server for centralizing my system accounts. I could log in to the system with any of my LDAP accounts, but suddenly found I cannot get other users' info with the "id" or "getent passwd" command when I am in non-privileged user mode. Does anyone know why? Because I can do this as the root user or in a NIS environment.

Somebody help, please.

Thanks a lot.

--
Joe Yu
One of the RHCEs in Taiwan.
From vsi at ebi.ac.uk Mon Apr 16 11:44:33 2007
From: vsi at ebi.ac.uk (Ville Silventoinen)
Date: Mon, 16 Apr 2007 12:44:33 +0100 (BST)
Subject: [Fedora-directory-users] db_verify
In-Reply-To: <461E7BEA.2030302@redhat.com>
References: <460BFC9C.4010507@redhat.com> <460D4F76.8040404@redhat.com> <461E7BEA.2030302@redhat.com>
Message-ID:

Thanks Noriko, that explains a lot!

I still have that other problem to solve, related to re-creating the database (see the end of my first email). I will try to reproduce this problem and create some test data this week.

Thanks,
Ville

On Thu, 12 Apr 2007, Noriko Hosoi wrote:

> Thank you, Ville, for the test data. I could reproduce the db_verify
> problem.
>
> I have good news and bad news. :) Good news, first... Your db is not
> corrupted. The error report from verify-db.pl is bogus.
>
> Bad news, next. Please take a look at this bug. We are going to provide a
> fixed utility some time soon.
>
> Summary: verify-db.pl (db_verify) does not work on a little endian machine
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=236256
>
> Sorry about this inconvenience, and thank you for reporting the problem!
> --noriko
>
> Ville Silventoinen wrote:
>> Hi Noriko,
>>
>> sorry it took so long to reply, I've been busy with other work.
>>
>> On Fri, 30 Mar 2007, Noriko Hosoi wrote:
>>
>>> Ville Silventoinen wrote:
>>>> I asked my manager but he doesn't think it's a good idea for security
>>>> reasons. The problem is that the data is our NIS mail.aliases and passwd,
>>>> and we don't want to distribute them to the internet. He suggested I'll
>>>> modify the data, so I can send a sample to you. I'll do that next week.
>>> That would be great. Thanks! I'm interested in what type of characters
>>> your data contain. E.g., character set is UTF-8? Some of your DNs could
>>> contain any special characters such as '\'? etc...
>>
>> The character set should be plain ASCII. I created an imaginary
>> mail.aliases file.
>> >> Ville >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > > From paolo.ercolani at postel.it Mon Apr 16 16:08:56 2007 From: paolo.ercolani at postel.it (Paolo Ercolani) Date: Mon, 16 Apr 2007 18:08:56 +0200 Subject: [Fedora-directory-users] ldap and certificate Message-ID: <46239F98.2010109@postel.it> I want my Linux box to log in using LDAP over SSL with a self-signed certificate. I read a lot of documents, but I can't get past one problem. I created my own CA on my LDAP server and I'm signing my certificates. Then I requested a certificate for my client using the Fedora Directory browser's "manage certificates" option. I signed it with my CA and then I put it on my client. I installed my CA in DS using the GUI. My DS now seems to recognize my certificate. In fact, it no longer tells me that it doesn't recognize the peer. It seems to work on the server side. I increased the log level on the client and now I can see these messages:

TLS certificate verification: Error, self signed certificate in certificate chain
TLS certificate verification: Error, invalid CA certificate
TLS certificate verification: Error, unsupported certificate purpose
TLS: unable to get peer certificate.
request done: ld 0x83f2ee0 msgid 1

I don't know what this is, and I want to tell you I used the howto on the Fedora Directory Server site for making and importing the self-signed certificate, but maybe I don't understand something.... Can anyone help me with this please?? Thanks in advance. Paolo From labinfo.suporte at unifacs.br Mon Apr 16 19:54:35 2007 From: labinfo.suporte at unifacs.br (Paulo Estrela - Suporte LabInfo UNIFACS) Date: Mon, 16 Apr 2007 16:54:35 -0300 Subject: [Fedora-directory-users] FDS on redhat 5 Message-ID: <001801c78061$0f317130$fc001cac@labinfo.unifacs.br> Hi, What binary package should I install on RH5?
fedora-ds-1.0.4-1.FC6.i386.opt.rpm fedora-ds-1.0.4-1.FC5.i386.opt.rpm fedora-ds-1.0.4-1.FC4.i386.opt.rpm fedora-ds-1.0.4-1.RHEL4.i386.opt.rpm Thanks, Paulo Estrela From rmeggins at redhat.com Mon Apr 16 20:53:20 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 16 Apr 2007 14:53:20 -0600 Subject: [Fedora-directory-users] FDS on redhat 5 In-Reply-To: <001801c78061$0f317130$fc001cac@labinfo.unifacs.br> References: <001801c78061$0f317130$fc001cac@labinfo.unifacs.br> Message-ID: <4623E240.10000@redhat.com> Paulo Estrela - Suporte LabInfo UNIFACS wrote: > Hi, > > What binary package should I install on RH5? > > fedora-ds-1.0.4-1.FC6.i386.opt.rpm > FC6 is the closest to RHEL5, so that just might work. We don't yet have a binary for RHEL5. > fedora-ds-1.0.4-1.FC5.i386.opt.rpm > fedora-ds-1.0.4-1.FC4.i386.opt.rpm > fedora-ds-1.0.4-1.RHEL4.i386.opt.rpm > > Thanks, > > Paulo Estrela > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From nhosoi at redhat.com Tue Apr 17 01:08:27 2007 From: nhosoi at redhat.com (Noriko Hosoi) Date: Mon, 16 Apr 2007 18:08:27 -0700 Subject: [Fedora-directory-users] db_verify In-Reply-To: References: <460BFC9C.4010507@redhat.com> <460D4F76.8040404@redhat.com> <461E7BEA.2030302@redhat.com> Message-ID: <46241E0B.4020506@redhat.com> Ville Silventoinen wrote: > Thanks Noriko, that explains a lot! > > I still have that other problem to solve, related to re-creating the > database (see the end of my first email). I will try to reproduce this > problem and create some test data this week. 
Hi Ville, > If I delete a database with the Console, it leaves behind a couple of > index files: > >
> -rw------- 1 w3secure systems 16384 Mar 28 17:05 ancestorid.db4
> -rw------- 1 w3secure systems 18 Mar 28 17:03 DBVERSION
> -rw------- 1 w3secure systems 32768 Mar 28 17:05 id2entry.db4
> > These index files don't seem to shrink when new entries are imported. > dbscan still shows the deleted entries in id2entry. > > I noticed a problem when I import a small set of entries, delete the > database, import a large set of entries and if I query the entries, I > get the entries from the first set (they don't exist in the second > set). I can reproduce the problem. If I delete ancestorid.db4 and > id2entry.db4 manually when I delete the database, I don't have this > problem. Is there a reason why those two files are not deleted? Or can > this whole thing be caused by corrupted data?

I wonder if this might be your case?

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/entry_dist.html#22293
Deleting a Database
The following procedure describes deleting a directory database using the Directory Server Console. Deleting a database deletes the configuration information and entries for that database only, *not the physical database itself.*

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/dbmanage.html#1117312
Importing a Database from the Console
When you perform an import operation from the Directory Server Console, an ldapmodify operation is executed to *append data*, as well as to modify and delete entries.

To overwrite the existing data, please take this step before importing the data:

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/dbmanage.html#1117339
Initializing a Database from the Console

Or you could do the same thing from the command-line interface:

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/dbmanage.html#1117378
Importing from the Command-Line
You can use three methods for importing data through the command-line:
- Using ldif2db - This import method overwrites the contents of your database and requires the server to be stopped.
- Using ldif2db.pl - This import method overwrites the contents of your database while the server is still running.

Hope it helps,
--noriko

> > Thanks, > Ville > > > On Thu, 12 Apr 2007, Noriko Hosoi wrote: > >> Thank you, Ville, for the test data. I could reproduce the db_verify >> problem. >> >> I have good news and bad news. :) Good news, first... Your db is >> not corrupted. The error report from verify-db.pl is bogus. >> >> Bad news, next. Please take a look at this bug. We are going to >> provide a fixed utility some time soon. >> >> Summary: verify-db.pl (db_verify) does not work on a little endian >> machine >> >> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=236256 >> >> Sorry about this inconvenience, and thank you for reporting the problem! >> --noriko >> >> Ville Silventoinen wrote: >> >>> Hi Noriko, >>> >>> sorry it took so long to reply, I've been busy with other work. >>> >>> On Fri, 30 Mar 2007, Noriko Hosoi wrote: >>> >>>> Ville Silventoinen wrote: >>>> >>>>> I asked my manager but he doesn't think it's a good idea for >>>>> security reasons. The problem is that the data is our NIS >>>>> mail.aliases and passwd, and we don't want to distribute them to >>>>> the internet. He suggested I'll modify the data, so I can send a >>>>> sample to you. I'll do that next week. >>>> >>>> That would be great. Thanks! I'm interested in what type of >>>> characters your data contain. E.g., character set is UTF-8? Some of >>>> your DNs could contain any special characters such as '\'? etc... >>> >>> >>> The character set should be plain ASCII. I created an imaginary >>> mail.aliases file. You can download it from here: >>> >>> http://www.ebi.ac.uk/systems-srv/mp/file-exchange/ >>> >>> Type in "fedorads" to the Pass Phrase input box and click Go. You >>> should see three files: mail.aliases, mail.aliases.ldif and >>> 99user.ldif.
>>> >>> I can reproduce my problem with the above files, for example, I've >>> tested like this: >>> >>> 1. Delete existing ebiRoot database (you could use userRoot). >>> 2. Delete db/ebiRoot directory. >>> 3. Create ebiRoot database. >>> 4. Shutdown slapd. >>> 5. Run db2index and verify-db.pl. No errors. >>> 6. Start slapd. >>> 7. Import mail aliases. I've tried with the Console and my own CLI, >>> which can import LDIF and add entries one-by-one. The method doesn't >>> seem to matter. >>> 8. Shutdown slapd. >>> 9. Run db2index and verify-db.pl, verify gives errors: >>> >>> Verify log files in db ... Good >>> Verify db/ebiRoot/ancestorid.db4 ... >>> DB ERROR: db_verify: Page 2: out-of-order key at entry 254 >>> DB ERROR: db_verify: DB->verify: db/ebiRoot/ancestorid.db4: >>> DB_VERIFY_BAD: Database verification failed >>> Secondary index file ancestorid.db4 in db/ebiRoot is corrupted. >>> Please run db2index(.pl) for reindexing. >>> Verify db/ebiRoot/objectclass.db4 ... >>> DB ERROR: db_verify: Page 2: out-of-order key at entry 255 >>> DB ERROR: db_verify: DB->verify: db/ebiRoot/objectclass.db4: >>> DB_VERIFY_BAD: Database verification failed >>> Secondary index file objectclass.db4 in db/ebiRoot is corrupted. >>> Please run db2index(.pl) for reindexing. >>> Verify db/ebiRoot/nsuniqueid.db4 ... Good >>> Verify db/ebiRoot/parentid.db4 ... >>> DB ERROR: db_verify: Page 1: unsorted duplicate set in sorted-dup >>> database >>> DB ERROR: db_verify: DB->verify: db/ebiRoot/parentid.db4: >>> DB_VERIFY_BAD: Database verification failed >>> Secondary index file parentid.db4 in db/ebiRoot is corrupted. >>> Please run db2index(.pl) for reindexing. >>> Verify db/ebiRoot/cn.db4 ... >>> DB ERROR: db_verify: Page 10: out-of-order key at entry 249 >>> DB ERROR: db_verify: DB->verify: db/ebiRoot/cn.db4: DB_VERIFY_BAD: >>> Database verification failed >>> Secondary index file cn.db4 in db/ebiRoot is corrupted. >>> Please run db2index(.pl) for reindexing. 
>>> Verify db/ebiRoot/id2entry.db4 ... Good >>> Verify db/ebiRoot/entrydn.db4 ... Good >>> Verify db/ebiRoot/rfc822mailmember.db4 ... >>> DB ERROR: db_verify: Page 2: unsorted duplicate set in sorted-dup >>> database >>> DB ERROR: db_verify: Page 3: unsorted duplicate set in sorted-dup >>> database >>> DB ERROR: db_verify: DB->verify: db/ebiRoot/rfc822mailmember.db4: >>> DB_VERIFY_BAD: Database verification failed >>> Secondary index file rfc822mailmember.db4 in db/ebiRoot is corrupted. >>> Please run db2index(.pl) for reindexing. >>> >>>> So, in your ldif data, the mail attribute also has this type of >>>> value: "|/homes/majordom/wrapper >>>> stripmime.pl|/homes/majordom/wrapper resend -l foobar-dev >>>> foobar-dev-outgoing"? >>> >>> >>> No, the People entries have a simpler mail value, like "foo at ebi.ac.uk". >>> >>>> And your mail index has the default indexing type: presence, >>>> equality, and substring? >>> >>> >>> Yes. >>> >>>> What type of indexing does the rfc822MailMember attribute have? >>> >>> >>> I've tried without any indexing, with presence and equality and with >>> presence, equality and substring. The above errors are from >>> verify-db.pl when I have presence and equality indices. If I have >>> presence, equality and substring, I get these errors for >>> rfc822MailMember: >>> >>> Verify db/ebiRoot/rfc822mailmember.db4 ...
>>> DB ERROR: db_verify: Page 13: unsorted duplicate set in sorted-dup >>> database >>> DB ERROR: db_verify: Page 6: unsorted duplicate set in sorted-dup >>> database >>> DB ERROR: db_verify: Page 8: unsorted duplicate set in sorted-dup >>> database >>> DB ERROR: db_verify: Page 12: unsorted duplicate set in sorted-dup >>> database >>> DB ERROR: db_verify: Page 3: unsorted duplicate set in sorted-dup >>> database >>> DB ERROR: db_verify: Page 7: unsorted duplicate set in sorted-dup >>> database >>> DB ERROR: db_verify: Page 10: unsorted duplicate set in sorted-dup >>> database >>> DB ERROR: db_verify: Page 15: unsorted duplicate set in sorted-dup >>> database >>> DB ERROR: db_verify: Page 4: unsorted duplicate set in sorted-dup >>> database >>> DB ERROR: db_verify: Page 14: unsorted duplicate set in sorted-dup >>> database >>> DB ERROR: db_verify: Page 5: unsorted duplicate set in sorted-dup >>> database >>> DB ERROR: db_verify: Page 9: unsorted duplicate set in sorted-dup >>> database >>> DB ERROR: db_verify: Page 11: unsorted duplicate set in sorted-dup >>> database >>> DB ERROR: db_verify: DB->verify: db/ebiRoot/rfc822mailmember.db4: >>> DB_VERIFY_BAD: Database verification failed >>> Secondary index file rfc822mailmember.db4 in db/ebiRoot is corrupted. >>> Please run db2index(.pl) for reindexing. >>> >>>> Have we already heard what platform you are running the FDS on? >>> >>> >>> CentOS release 4.4, Linux 2.6.9-42.ELsmp. Pentium III 2x1266MHz >>> CPUs, 2GB memory, SCSI disks. I'm using FDS 1.0.4. >>> >>> I'm away this week Wed-Fri, so I'll get back to you next week. >>> >>> Thanks for the help! 
>>> >>> Ville >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From ashley at csse.uwa.edu.au Tue Apr 17 03:10:37 2007 From: ashley at csse.uwa.edu.au (ashley) Date: Tue, 17 Apr 2007 11:10:37 +0800 (WST) Subject: [Fedora-directory-users] ldap and certificate In-Reply-To: <46239F98.2010109@postel.it> References: <46239F98.2010109@postel.it> Message-ID: I've written a guide to getting LDAPS working with self-signed certificates which shows all the steps involved, from certificate creation to LDAPS, from A to Z. The guide is located here: http://www.csse.uwa.edu.au/~ashley/ Hope that helps. Regards Ashley On Mon, 16 Apr 2007, Paolo Ercolani wrote: > I want my Linux box to log in using LDAP over SSL with a self-signed > certificate. I read a lot of documents, but I can't get past one problem. > > I created my own CA on my LDAP server and I'm signing my certificates. Then I > requested a certificate for my client using the Fedora Directory browser's "manage > certificates" option. I signed it with my CA and then I put it on my client. > I installed my CA in DS using the GUI. > My DS now seems to recognize my certificate. In fact, it no longer tells me > that it doesn't recognize the peer. It seems to work on the server side.
I > increased the log level on the client and now I can see these messages: > > TLS certificate verification: Error, self signed certificate in certificate > chain > TLS certificate verification: Error, invalid CA certificate > TLS certificate verification: Error, unsupported certificate purpose > TLS: unable to get peer certificate. > request done: ld 0x83f2ee0 msgid 1 > > I don't know what this is, and I want to tell you I used the howto on the Fedora > Directory Server site for making and importing the self-signed certificate, > but maybe I don't understand something.... > > Can anyone help me with this please?? > > Thanks in advance. > Paolo > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -- Ashley Chew - Systems Administrator School of Computer Science and Software Engineering University of Western Australia Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089 Ashley[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ashley "There is no such thing as Fate, Fate is what you make of it!" From paolo.ercolani at postel.it Tue Apr 17 10:13:13 2007 From: paolo.ercolani at postel.it (Paolo Ercolani) Date: Tue, 17 Apr 2007 12:13:13 +0200 Subject: [Fedora-directory-users] ssl certificate problem Message-ID: <46249DB9.2040800@postel.it> Paolo Ercolani wrote: Hi. I'm new to this list and I've been fighting with Directory Server for a week now. I followed some howtos and downloaded a lot of documents, but I can't get out of trouble. I need to log in from my Linux boxes against the LDAP directory server. If I try to use my test user in clear mode, I can do that. The problem is when I try to configure a self-signed certificate. I'll not describe all the tests I've done; I'll tell you just the last one!! I created my cacert.pem on the LDAP server and installed it from the Console. That works and it's OK.
Then I used openssl to generate a private key and a certificate request, then I signed it. This is what I did:

openssl genrsa -out privkey.pem 2048
openssl req -new -key privkey.pem -out PEM.csr
openssl ca -cert cacert.pem -in PEM.csr -out cert.pem

I copied cacert.pem, privkey.pem and cert.pem to the client and I configured ldap.conf on it:

URI ldaps://:636
BASE ou=UTENTI,o=postel,c=com
host kingu.postel.com
TLS_REQCERT allow
TLS_CHECKPEER yes
TLS_CACERTDIR /etc/ssl
TLS_CACERT /etc/ssl/cacert.pem
TLS_CERT /etc/ssl/cert.pem
TLS_KEY /etc/ssl/privkey.pem

I activated SSL on my LDAP server and I installed my cacert.pem on it. I didn't do anything else. I also tried to generate a certificate request from Directory Server and to sign it with my cacert.pem. Then I imported it as my server-cert. It imported it, but login still didn't go. >I'm unclear on this last step. What do you mean by login still didn't go? Because the access log excerpt below >would seem to indicate that the os did search for and find the login name. Yes. Reading the logs, it seems login goes OK. But my client can't really log in and I don't know what I can check. The client asks me again for the password, but I'm sure it's the right one. Have you any ideas for checking something??? Thanks in advance. Paolo. From rmeggins at redhat.com Tue Apr 17 14:31:53 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 17 Apr 2007 08:31:53 -0600 Subject: [Fedora-directory-users] ssl certificate problem In-Reply-To: <46249DB9.2040800@postel.it> References: <46249DB9.2040800@postel.it> Message-ID: <4624DA59.8080501@redhat.com> Paolo Ercolani wrote: > Paolo Ercolani wrote: > > Hi. I'm new to this list and I've been fighting with > Directory Server for a week now. I followed some howtos and downloaded a lot of > documents, but I can't get out of trouble. I need to log in from > my Linux boxes against the LDAP directory server. If I try to use my test > user in clear mode, I can do that.
The problem is when I try to > configure a self-signed certificate. I'll not describe all the tests > I've done; I'll tell you just the last one!! I created my cacert.pem on > the LDAP server and installed it from the Console. That works and it's > OK. Then I used openssl to generate a private key and a certificate > request, then I signed it. This is what I did: > >
> openssl genrsa -out privkey.pem 2048
> openssl req -new -key privkey.pem -out PEM.csr
> openssl ca -cert cacert.pem -in PEM.csr -out cert.pem
> > > I copied cacert.pem, privkey.pem and cert.pem to the client and I > configured ldap.conf on it: Is this /etc/openldap/ldap.conf? In order to get pam/nss working (I assume by "login" you mean login to the operating system) you need to configure pam/nss ldap to do TLS, which is the file /etc/ldap.conf, which takes the below parameters in slightly different format. I don't know if you need TLS_CERT and TLS_KEY - are you attempting to do client cert auth - EXTERNAL bind? > >
> URI ldaps://:636
> BASE ou=UTENTI,o=postel,c=com
> host kingu.postel.com
> TLS_REQCERT allow
> TLS_CHECKPEER yes
> TLS_CACERTDIR /etc/ssl
> TLS_CACERT /etc/ssl/cacert.pem
> TLS_CERT /etc/ssl/cert.pem
> TLS_KEY /etc/ssl/privkey.pem
> > > I activated SSL on my LDAP server and I installed my cacert.pem on > it. I didn't do anything else. I also tried to generate a certificate > request from Directory Server and to sign it with my cacert.pem. > Then I imported it as my server-cert. It imported it, but login > still didn't go. > >I'm unclear on this last step. What do you mean by login still didn't > go? Because the access log excerpt below >would seem to indicate that > the os did search for and find the login name. > > Yes. Reading the logs, it seems login goes OK. But my client can't really > log in and I don't know what I can check. The client asks me again for > the password, but I'm sure it's the right one. Have you any ideas for > checking something??? > > Thanks in advance. > Paolo.
> > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From michal.drozdziewicz at uaznia.net Tue Apr 17 14:44:55 2007 From: michal.drozdziewicz at uaznia.net (Michał Droździewicz) Date: Tue, 17 Apr 2007 16:44:55 +0200 Subject: [Fedora-directory-users] FDS on redhat 5 In-Reply-To: <4623E240.10000@redhat.com> References: <001801c78061$0f317130$fc001cac@labinfo.unifacs.br> <4623E240.10000@redhat.com> Message-ID: <4624DD67.2090705@uaznia.net> Richard Megginson wrote: > FC6 is the closest to RHEL5, so that just might work. We don't yet have > a binary for RHEL5. I'm trying to build one right now using dsbuild and make [BUILD_RPM=1], but after the build finishes without any errors there is no RPM package anywhere on the system, weird... -- xmpp/email: koniczynek at uaznia.net xmpp/email: koniczynek at gmail.com From michal.drozdziewicz at uaznia.net Tue Apr 17 14:41:26 2007 From: michal.drozdziewicz at uaznia.net (Michał Droździewicz) Date: Tue, 17 Apr 2007 16:41:26 +0200 Subject: [Fedora-directory-users] FDS on redhat 5 In-Reply-To: <4623E240.10000@redhat.com> References: <001801c78061$0f317130$fc001cac@labinfo.unifacs.br> <4623E240.10000@redhat.com> Message-ID: <4624DC96.6000401@uaznia.net> Richard Megginson wrote: > FC6 is the closest to RHEL5, so that just might work. We don't yet have > a binary for RHEL5. I'm trying to build this RPM right now, but make [BUILD_RPM=1] won't build any RPM at all; the build completes without any errors... weird..
-- xmpp/email: koniczynek at uaznia.net xmpp/email: koniczynek at gmail.com From GCopeland at efjohnson.com Tue Apr 17 19:10:05 2007 From: GCopeland at efjohnson.com (Greg Copeland) Date: Tue, 17 Apr 2007 14:10:05 -0500 Subject: [Fedora-directory-users] ldap and certificate In-Reply-To: Message-ID: <273A72C669F45B4996896A031B88CCEF677772@EFJDFWMX01.EFJDFW.local> I get no reply, via ping or browser, from that address. Cheers, Greg Copeland > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory- > users-bounces at redhat.com] On Behalf Of ashley > Sent: Monday, April 16, 2007 10:11 PM > To: General discussion list for the Fedora Directory server project. > Subject: Re: [Fedora-directory-users] ldap and certificate > > > I've written a guide to getting LDAPS working with self-signed > certificates which shows all the steps involved, from certificate creation > to LDAPS, from A to Z. > > The guide is located here: > > http://www.csse.uwa.edu.au/~ashley/ From ashley at csse.uwa.edu.au Wed Apr 18 04:52:31 2007 From: ashley at csse.uwa.edu.au (ashley) Date: Wed, 18 Apr 2007 12:52:31 +0800 (WST) Subject: [Fedora-directory-users] ldap and certificate In-Reply-To: <273A72C669F45B4996896A031B88CCEF677772@EFJDFWMX01.EFJDFW.local> References: <273A72C669F45B4996896A031B88CCEF677772@EFJDFWMX01.EFJDFW.local> Message-ID: Sorry, our optic fibre link was down. So even though our server was up you couldn't get to it. Well, our link is back up, so it should be there. Cheers then, Ashley On Tue, 17 Apr 2007, Greg Copeland wrote: > I get no reply, via ping or browser, from that address. > > > Cheers, > > Greg Copeland > >> -----Original Message----- >> From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory- >> users-bounces at redhat.com] On Behalf Of ashley >> Sent: Monday, April 16, 2007 10:11 PM >> To: General discussion list for the Fedora Directory server project.
>> Subject: Re: [Fedora-directory-users] ldap and certificate >> >> >> I've written a guide to getting LDAPS working with self-signed >> certificates which shows all the steps involved, from certificate > creation >> to LDAPS, from A to Z. >> >> The guide is located here: >> >> http://www.csse.uwa.edu.au/~ashley/ > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -- Ashley Chew - Systems Administrator School of Computer Science and Software Engineering University of Western Australia Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089 Ashley[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ashley "There is no such thing as Fate, Fate is what you make of it!" From ankur_agwal at yahoo.com Wed Apr 18 10:48:15 2007 From: ankur_agwal at yahoo.com (Ankur Agarwal) Date: Wed, 18 Apr 2007 03:48:15 -0700 (PDT) Subject: [Fedora-directory-users] How to achieve load balancing in multi-master set-up? Message-ID: <908863.86230.qm@web54109.mail.re2.yahoo.com> Hi, We have a two-server LDAP multi-master set-up. Procuring a hardware load balancer is not an option, hence I would request that you pass on any information you may have on achieving load balancing through either:
1) Some config in LDAP to achieve load balancing
2) A software load balancer
3) Some logic in the custom application that people use frequently when connecting to a multi-master setup
regards, Ankur -------------- next part -------------- An HTML attachment was scrubbed... URL: From sghosh at redhat.com Wed Apr 18 11:57:45 2007 From: sghosh at redhat.com (Subhendu Ghosh) Date: Wed, 18 Apr 2007 07:57:45 -0400 Subject: [Fedora-directory-users] How to achieve load balancing in multi-master set-up?
In-Reply-To: <908863.86230.qm@web54109.mail.re2.yahoo.com> References: <908863.86230.qm@web54109.mail.re2.yahoo.com> Message-ID: <462607B9.2050803@redhat.com> Ankur Agarwal wrote: > Hi, > > We have a 2 LDAP servers multi-master set-up. Procuring hardware load > balancing is not an option hence would request to pass on any > information you may have to achieve load-balancing through either : > 1) Some config in LDAP to achieve load balancing > 2) Software load balancer > 3) Some logic in custom application that people use frequently when > connecting to multi-master setup Fedora GFS includes the ClusterSuite tools which provide software load balancing. http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Cluster_Suite_Overview/s1-lvs-overview-CSO.html -sg -------------- next part -------------- A non-text attachment was scrubbed... Name: sghosh.vcf Type: text/x-vcard Size: 266 bytes Desc: not available URL: From patrick.morris at hp.com Wed Apr 18 14:02:18 2007 From: patrick.morris at hp.com (Morris, Patrick) Date: Wed, 18 Apr 2007 10:02:18 -0400 Subject: [Fedora-directory-users] How to achieve load balancing inmulti-master set-up? In-Reply-To: <908863.86230.qm@web54109.mail.re2.yahoo.com> References: <908863.86230.qm@web54109.mail.re2.yahoo.com> Message-ID: > We have a 2 LDAP servers multi-master set-up. Procuring > hardware load balancing is not an option hence would request > to pass on any information you may have to achieve > load-balancing through either : > 1) Some config in LDAP to achieve load balancing > 2) Software load balancer > 3) Some logic in custom application that people use > frequently when connecting to multi-master setup For really basic load balancing, a round-robin DNS entry works well. 
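Patrick's round-robin DNS suggestion and Ankur's third option (logic in the application) fit together, and the following Python module is an added example of that combination; it is not code from this thread or from Fedora Directory Server. It goes beyond the one-line suggestion above: instead of taking whichever single address DNS hands out, it resolves every address behind the shared name, spreads new connections across them, and fails over to the next replica when one refuses the connection, putting a failed replica into a short cooldown so that not every login pays the timeout again. Round-robin DNS by itself does no health checking, which is why the failover half matters. The hostname `ldap.example.test`, the 192.0.2.x addresses and the `fake_connect` function are constructed for illustration; the resolver and the connect function are injectable, so the module runs offline.

```python
"""Client-side spreading and failover across LDAP replicas.

Added example, not code from the mailing-list thread or from Fedora
Directory Server. Resolve a round-robin DNS name to all of its
addresses, spread connections across the replicas, and fall through to
the next replica when one is down. The resolver and connect function
are injectable so that the module can be exercised offline; the
hostname and addresses in demo() are constructed for illustration.
"""
import random
import socket
import time


class NoReplicaAvailable(Exception):
    """Raised when every replica failed; args[0] lists (address, error)."""


class ReplicaPool:
    def __init__(self, hostname, port=636, resolver=None,
                 clock=time.monotonic, cooldown=30.0, rng=None):
        self.hostname = hostname
        self.port = port
        self.resolver = resolver or self._dns_resolve   # injectable for tests
        self.clock = clock                              # injectable for tests
        self.cooldown = cooldown        # seconds to avoid a replica that just failed
        self.rng = rng or random.Random()
        self._down_until = {}           # address -> clock value after which to retry

    @staticmethod
    def _dns_resolve(hostname, port):
        """Every address behind the (round-robin) name, not just the first."""
        infos = socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)
        return sorted({info[4][0] for info in infos})

    def candidates(self):
        """Addresses in attempt order: healthy replicas shuffled first,
        replicas still in cooldown last (tried only if nothing else works)."""
        now = self.clock()
        addrs = list(self.resolver(self.hostname, self.port))
        self.rng.shuffle(addrs)
        healthy = [a for a in addrs if self._down_until.get(a, 0.0) <= now]
        cooling = [a for a in addrs if self._down_until.get(a, 0.0) > now]
        return healthy + cooling

    def connect(self, connect_fn):
        """Return (address, connection) from the first replica that accepts.

        connect_fn(address, port) must open the LDAPS connection (and bind)
        and raise OSError on failure. A failed replica goes into cooldown;
        a replica that accepts again has its cooldown cleared.
        """
        errors = []
        for addr in self.candidates():
            try:
                conn = connect_fn(addr, self.port)
            except OSError as exc:
                self._down_until[addr] = self.clock() + self.cooldown
                errors.append((addr, str(exc)))
                continue
            self._down_until.pop(addr, None)
            return addr, conn
        raise NoReplicaAvailable(errors)


def demo():
    """Offline walk-through with a constructed two-master pool in which one
    master is down. Returns the address that ended up serving the client."""
    replicas = ["192.0.2.10", "192.0.2.11"]      # constructed, RFC 5737 TEST-NET

    def fake_connect(addr, port):
        if addr == "192.0.2.10":
            raise OSError("connection refused")  # the master that is down
        return ("tls-session", addr, port)

    pool = ReplicaPool("ldap.example.test", resolver=lambda h, p: replicas)
    addr, _conn = pool.connect(fake_connect)
    return addr


if __name__ == "__main__":
    print("served by", demo())
```

In production `connect_fn` would open the LDAPS connection and bind (with python-ldap, assumed here rather than shown, a wrapper around `ldap.initialize()` and `simple_bind_s()`), and two caveats matter more than the balancing itself: every replica's server certificate must be valid for the name the client verifies, whether that is the shared round-robin name or the replica's own, and a failed TLS handshake must be reported rather than retried without TLS, so that failover across replicas never turns into a downgrade.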
From GCopeland at efjohnson.com Wed Apr 18 19:02:34 2007 From: GCopeland at efjohnson.com (Greg Copeland) Date: Wed, 18 Apr 2007 14:02:34 -0500 Subject: [Fedora-directory-users] ldap and certificate In-Reply-To: Message-ID: <273A72C669F45B4996896A031B88CCEF699D6B@EFJDFWMX01.EFJDFW.local> I'm walking through http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html. I have attempted it several times and each time it fails in the exact same place. I get "pk12util-bin: PKCS12 decode import bags failed: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert." It fails for the same reason every time. I can get only one of the two certificates imported into each of the two databases. Each time, I can only import the "DS-Server-Cert". The other fails as above. I can confirm the DS-Server-Cert has been added via the GUI interface. [root at host fedora-ds]# /opt/fedora-ds/shared/bin/pk12util -i /tmp/ldap/server.p12 -d alias -P admin-serv-host- Enter Password or Pin for "NSS Certificate DB": Enter Password or Pin for "NSS Certificate DB": Enter password for PKCS12 file: pk12util-bin: PKCS12 IMPORT SUCCESSFUL [root at host fedora-ds]# /opt/fedora-ds/shared/bin/pk12util -i /tmp/admingui/server.p12 -d alias -P admin-serv-host- Enter Password or Pin for "NSS Certificate DB": Enter password for PKCS12 file: pk12util-bin: PKCS12 decode import bags failed: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert. Cheers, Greg Copeland > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory- > users-bounces at redhat.com] On Behalf Of ashley > Sent: Tuesday, April 17, 2007 11:53 PM > To: General discussion list for the Fedora Directory server project. > Subject: RE: [Fedora-directory-users] ldap and certificate > > > Sorry our optic fibre link was down. 
So even though our server was > up you couldn't get to it. > > Well, our link is back up, so it should be there. > > > Cheers then, Ashley > > On Tue, 17 Apr 2007, Greg Copeland wrote: > > > I get no reply, via ping or browser, from that address. > > > > > > Cheers, > > > > Greg Copeland > > > >> -----Original Message----- > >> From: fedora-directory-users-bounces at redhat.com > > [mailto:fedora-directory- > >> users-bounces at redhat.com] On Behalf Of ashley > >> Sent: Monday, April 16, 2007 10:11 PM > >> To: General discussion list for the Fedora Directory server project. > >> Subject: Re: [Fedora-directory-users] ldap and certificate > >> > >> > >> I've written a guide to getting LDAPS working with self-signed > >> certificates which shows all the steps involved, from certificate > > creation > >> to LDAPS, from A to Z. > >> > >> The guide is located here: > >> > >> http://www.csse.uwa.edu.au/~ashley/ > > > > > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- > Ashley Chew - Systems Administrator > School of Computer Science and Software Engineering > University of Western Australia > Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089 > Ashley[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ashley > > "There is no such thing as Fate, Fate is what you make of it!" > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From ashley at csse.uwa.edu.au Thu Apr 19 03:36:22 2007 From: ashley at csse.uwa.edu.au (ashley) Date: Thu, 19 Apr 2007 11:36:22 +0800 (WST) Subject: [Fedora-directory-users] How can I check other user info in non-privileged mode? In-Reply-To: References: Message-ID: I think I've documented this somewhere in my documents.
But the short story is, it depends on how you bind to your LDAP directory, i.e. anonymously or with a bind using a user/password etc. Normally, normal users don't have the necessary privileges to do a lookup in the LDAP information although they are authenticated (i.e. the only user who has power is root; everyone else is useless unless they are elevated to root via sudoers etc). To solve this problem you need to run the name service cache daemon, or nscd, which basically does the lookup bound as root and caches the information locally for users, i.e. passwd, shadow, group etc. Regards Ashley On Mon, 16 Apr 2007, Yu Joe wrote: > Dear all > > I've just set up Fedora Directory Server for centralizing my system > accounts. I could log in to the system with any of my LDAP accounts, but > suddenly found I cannot get other user info with the "id" or "getent passwd" > command when I am in non-privileged user mode. Does anyone know why? > Because I can do this as the root user or in a NIS environment. Somebody help, > please. Thanks anyway. > > Joe Yu > One of the RHCEs in Taiwan. > -- Ashley Chew - Systems Administrator School of Computer Science and Software Engineering University of Western Australia Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089 Ashley[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ashley "There is no such thing as Fate, Fate is what you make of it!" From sjoshi.ce at gmail.com Thu Apr 19 02:32:06 2007 From: sjoshi.ce at gmail.com (Sameet Joshi) Date: Wed, 18 Apr 2007 19:32:06 -0700 Subject: [Fedora-directory-users] setting up single master replication between 2 fedora directory servers Message-ID: <000601c7822a$ed675d00$0e0310ac@chanakya> Hi, I want to know how to set up single-master replication between 2 Fedora Directory Servers. Can anybody help please! thanks -------------- next part -------------- An HTML attachment was scrubbed...
From pkime at Shopzilla.com Fri Apr 20 02:42:08 2007
From: pkime at Shopzilla.com (Philip Kime)
Date: Thu, 19 Apr 2007 19:42:08 -0700
Subject: [Fedora-directory-users] Automatically inactivate accounts after a certain time or on a certain date?
Message-ID: <9C0091F428E697439E7A773FFD083427A92CF4@szexchange.Shopzilla.inc>

It looks like this isn't possible at the moment as this plug-in seems to still be in development:

http://directory.fedoraproject.org/wiki/Account_Policy_Design

Or is there a neat way with roles? It seems tricky, even with a filtered role.

PK

--
Philip Kime
NOPS Systems Architect
310 401 0407

From howard at cohtech.com Fri Apr 20 09:42:44 2007
From: howard at cohtech.com (Howard Wilkinson)
Date: Fri, 20 Apr 2007 10:42:44 +0100
Subject: [Fedora-directory-users] Fedora DS, Kerberos, Active Directory - HOWTO?
Message-ID: <46288B14.8000802@cohtech.com>

I am new to Fedora DS and have installed 1.0.4 onto a Fedora Core 6 (+ enhancements) build. I have built the install using the dsbuild operation and all seems to be working. I can authenticate to the system using the 'admin' user and the "CN=Directory Manager" identity. I have SSL working and now want to use our Kerberos environment to provide SSO to the server.

Our Kerberos environment is based on an AD KDC and is supporting other applications successfully. We have created the 'ldap/...' service principal and imported it into the system keytab.

First test with ldapsearch using GSSAPI fails with permission denied from the GSSAPI function. So I thought I would try the mapping facility as documented in the administration manual and set up a map from the Kerberos identity to the correct search DN for the AD. As we only have the one Domain/Forest I set up a simple map that takes any name and maps to this DN.
I then set up a referral inside the DS to point to the AD controllers in the hope that this would activate the necessary logic. No joy.

Looking in the code for 'saslbind.c' it looks like the code only allows for locally registered users. If I am reading this right, does this mean my next step is to remove the referral and add a replica for the AD into my DS using the procedure outlined in the Administration Guide section "Windows Sync"? In doing this will I then have enabled GSSAPI/Kerberos authentication, or will I still be missing something? If I do this, will I be causing problems in the future with other parts of the AD, as I want to get referrals when the data is not held in the DS? (Given that I will be syncing users (and groups?) only.) I can use OU trees for this and tie the referrals there of course, but then I will need to sync the entire CN=Users tree.

I understand that I will need to create a separate DIT (root) for the AD data to ensure that I can sync to multiple domains in the future; is this correct?

Any advice or even a description of the set of steps that will make this dance work would be much appreciated.

--
Howard Wilkinson
Coherent Technology Limited
23 Northampton Square, United Kingdom, EC1V 0HL
Phone: +44(20)76907075
Fax:
Mobile: +44(7980)639379
Email: howard at cohtech.com

From rmeggins at redhat.com Fri Apr 20 13:56:11 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 20 Apr 2007 07:56:11 -0600
Subject: [Fedora-directory-users] Fedora DS, Kerberos, Active Directory - HOWTO?
In-Reply-To: <46288B14.8000802@cohtech.com>
References: <46288B14.8000802@cohtech.com>
Message-ID: <4628C67B.5020404@redhat.com>

Howard Wilkinson wrote:
> I am new to Fedora DS and have installed 1.0.4 onto a Fedora Core 6 (+ enhancements) build. I have built the install using the dsbuild operation and all seems to be working.
> I can authenticate to the system using the 'admin' user and the "CN=Directory Manager" identity. I have SSL working and now want to use our Kerberos environment to provide SSO to the server.
>
> Our Kerberos environment is based on an AD KDC and is supporting other applications successfully. We have created the 'ldap/...' service principal and imported it into the system keytab.
>
> First test with ldapsearch using GSSAPI fails with permission denied from the GSSAPI function. So I thought I would try the mapping facility as documented in the administration manual and set up a map from the Kerberos identity to the correct search DN for the AD. As we only have the one Domain/Forest I set up a simple map that takes any name and maps to this DN. I then set up a referral inside the DS to point to the AD controllers in the hope that this would activate the necessary logic. No joy.
>
> Looking in the code for 'saslbind.c' it looks like the code only allows for locally registered users. If I am reading this right, does this mean my next step is to remove the referral and add a replica for the AD into my DS using the procedure outlined in the Administration Guide section "Windows Sync"?

Yes. I believe you have to have an entry associated with the principal in Fedora DS. So yes, you will have to sync your user information from AD to Fedora DS.

> In doing this will I then have enabled GSSAPI/Kerberos authentication, or will I still be missing something? If I do this, will I be causing problems in the future with other parts of the AD, as I want to get referrals when the data is not held in the DS?

Well, it depends. What are you using Fedora DS for? Are you just using it as an authentication gateway to AD? If so, then you could probably just use something like pam_winbindd and skip Fedora DS altogether.

> (Given that I will be syncing users (and groups?) only.)
> I can use OU trees for this and tie the referrals there of course, but then I will need to sync the entire CN=Users tree.
>
> I understand that I will need to create a separate DIT (root) for the AD data to ensure that I can sync to multiple domains in the future; is this correct?

I'm not really sure. Can you explain more about your topology and how you want to use Fedora DS?

> Any advice or even a description of the set of steps that will make this dance work would be much appreciated.

From howard at cohtech.com Fri Apr 20 17:12:08 2007
From: howard at cohtech.com (Howard Wilkinson)
Date: Fri, 20 Apr 2007 18:12:08 +0100
Subject: [Fedora-directory-users] Fedora DS, Kerberos, Active Directory - HOWTO?
In-Reply-To: <4628C67B.5020404@redhat.com>
References: <46288B14.8000802@cohtech.com> <4628C67B.5020404@redhat.com>
Message-ID: <4628F468.1000205@cohtech.com>

Richard Megginson wrote:
> Howard Wilkinson wrote:
>> I am new to Fedora DS and have installed 1.0.4 onto a Fedora Core 6 (+ enhancements) build. I have built the install using the dsbuild operation and all seems to be working. I can authenticate to the system using the 'admin' user and the "CN=Directory Manager" identity. I have SSL working and now want to use our Kerberos environment to provide SSO to the server.
>>
>> Our Kerberos environment is based on an AD KDC and is supporting other applications successfully. We have created the 'ldap/...' service principal and imported it into the system keytab.
>>
>> First test with ldapsearch using GSSAPI fails with permission denied from the GSSAPI function. So I thought I would try the mapping facility as documented in the administration manual and set up a map from the Kerberos identity to the correct search DN for the AD. As we only have the one Domain/Forest I set up a simple map that takes any name and maps to this DN. I then set up a referral inside the DS to point to the AD controllers in the hope that this would activate the necessary logic. No joy.
>>
>> Looking in the code for 'saslbind.c' it looks like the code only allows for locally registered users. If I am reading this right, does this mean my next step is to remove the referral and add a replica for the AD into my DS using the procedure outlined in the Administration Guide section "Windows Sync"?
> Yes. I believe you have to have an entry associated with the principal in Fedora DS. So yes, you will have to sync your user information from AD to Fedora DS.
>> In doing this will I then have enabled GSSAPI/Kerberos authentication, or will I still be missing something? If I do this, will I be causing problems in the future with other parts of the AD, as I want to get referrals when the data is not held in the DS?
> Well, it depends. What are you using Fedora DS for? Are you just using it as an authentication gateway to AD? If so, then you could probably just use something like pam_winbindd and skip Fedora DS altogether.
>> (Given that I will be syncing users (and groups?) only.) I can use OU trees for this and tie the referrals there of course, but then I will need to sync the entire CN=Users tree.
>>
>> I understand that I will need to create a separate DIT (root) for the AD data to ensure that I can sync to multiple domains in the future; is this correct?
> I'm not really sure. Can you explain more about your topology and how you want to use Fedora DS?
>>
>> Any advice or even a description of the set of steps that will make this dance work would be much appreciated.

Richard,

I am implementing the Fedora DS to provide data from other domains than my AD. So I have other roots in the Directory Store already. I also will be storing additional information for users in the DS to support RADIUS and other applications. However, our primary authentication store is on Windows 2003 using the KDC. I have users who have Kerberos tickets granted and can do GSSAPI exchanges with the AD to retrieve LDAP results. The DS has a map which I believe should take a Kerberos/GSSAPI identity and map it to an LDAP lookup. I have arranged for users to be synchronised using the Windows Sync and am trying to match on uid=,OU=People,DC=example,DC=com for the user.
From the debug logs I am not sure that the DS is doing the GSSAPI lookup or executing the maps, but I get a permission denied response with 'ldap_sasl_interactive_bind_s: Invalid credentials (49)' as the primary message.

I am not sure where to look next, unless what I need to do is to add some ACLs for the users. Currently I just want to get LDAPSEARCH working with Kerberos.

Howard.

--
Howard Wilkinson
Coherent Technology Limited
23 Northampton Square, United Kingdom, EC1V 0HL
Phone: +44(20)76907075
Fax:
Mobile: +44(7980)639379
Email: howard at cohtech.com

From rmeggins at redhat.com Fri Apr 20 17:54:43 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 20 Apr 2007 11:54:43 -0600
Subject: [Fedora-directory-users] Fedora DS, Kerberos, Active Directory - HOWTO?
In-Reply-To: <4628F468.1000205@cohtech.com>
References: <46288B14.8000802@cohtech.com> <4628C67B.5020404@redhat.com> <4628F468.1000205@cohtech.com>
Message-ID: <4628FE63.3040605@redhat.com>

Howard Wilkinson wrote:
> Richard,
>
> I am implementing the Fedora DS to provide data from other domains than my AD. So I have other roots in the Directory Store already. I also will be storing additional information for users in the DS to support RADIUS and other applications. However, our primary authentication store is on Windows 2003 using the KDC. I have users who have Kerberos tickets granted and can do GSSAPI exchanges with the AD to retrieve LDAP results. The DS has a map which I believe should take a Kerberos/GSSAPI identity and map it to an LDAP lookup. I have arranged for users to be synchronised using the Windows Sync and am trying to match on uid=,OU=People,DC=example,DC=com for the user.
>
> From the debug logs I am not sure that the DS is doing the GSSAPI lookup or executing the maps, but I get a permission denied response with 'ldap_sasl_interactive_bind_s: Invalid credentials (49)' as the primary message.
>
> I am not sure where to look next, unless what I need to do is to add some ACLs for the users. Currently I just want to get LDAPSEARCH working with Kerberos.

I presume you've seen http://directory.fedoraproject.org/wiki/Howto:Kerberos and http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1083165

If it's still not working, then perhaps it's some sort of cross domain trust issue.

> Howard.

From alex-saf at npc.vrn.ru Tue Apr 24 15:55:09 2007
From: alex-saf at npc.vrn.ru (Сафонов Алексей)
Date: Tue, 24 Apr 2007 19:55:09 +0400 (MSD)
Subject: [Fedora-directory-users] AD and FDS sync problem
In-Reply-To: <30502958.121177430077481.JavaMail.root@proxy1.npc.vrn.ru>
Message-ID: <25067400.141177430109026.JavaMail.root@proxy1.npc.vrn.ru>

Hello!

I have a problem with synchronization of AD and FDS. I cannot completely synchronize the AD domain mup-example.vrn.ru. The tree of the domain mup-example.vrn.ru is made as follows: in it there are OUs (these are the departments of the enterprise).
In every OU there are the users of a department and a group which these users belong to. Certainly, besides this, in the domain there are system users, groups and OUs. For me, only the users and groups which are directly in the container mup-example.vrn.ru (dc=mup-example, dc=vrn, dc=ru) are synchronized. The OUs (for example, ou=GIS, dc=mup-example, dc=vrn, dc=ru) which are in the container mup-example.vrn.ru are not synchronized. If I manually create OU GIS in this container, the group (cn=GIS, ou=GIS, dc=mup-example, dc=vrn, dc=ru) is created, but users are not synced. Here is the error in the log file:

[23/Apr/2007:13:53:33 +0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=win2003" (srv-vm1:636)".
[23/Apr/2007:13:53:34 +0400] - Entry "uid=Guest,CN=Users,dc=mup-example,dc=vrn,dc=ru" missing attribute "sn" required by object class "person"
[23/Apr/2007:13:53:34 +0400] - Entry "uid=SUPPORT_388945a0,CN=Users,dc=mup-example,dc=vrn,dc=ru" missing attribute "sn" required by object class "person"
[23/Apr/2007:13:53:34 +0400] - Entry "uid=Alex_Saf,OU=GIS,dc=mup-example,dc=vrn,dc=ru" missing attribute "sn" required by object class "person"
[23/Apr/2007:13:53:34 +0400] - Entry "uid=Administrator,CN=Users,dc=mup-example,dc=vrn,dc=ru" missing attribute "sn" required by object class "person"
[23/Apr/2007:13:53:34 +0400] - Entry "uid=krbtgt,CN=Users,dc=mup-example,dc=vrn,dc=ru" missing attribute "sn" required by object class "person"
[23/Apr/2007:13:53:34 +0400] - Entry "uid=IUSR_SRV-VM1,CN=Users,dc=mup-example,dc=vrn,dc=ru" missing attribute "sn" required by object class "person"
[23/Apr/2007:13:53:34 +0400] - Entry "uid=IWAM_SRV-VM1,CN=Users,dc=mup-example,dc=vrn,dc=ru" missing attribute "sn" required by object class "person"
[23/Apr/2007:13:53:34 +0400] - Entry "uid=SRV-VM1$,OU=Domain Controllers,dc=mup-example,dc=vrn,dc=ru" missing attribute "sn" required by object class "person"
[23/Apr/2007:13:53:34 +0400] - Entry "uid=asd,OU=GIS,dc=mup-example,dc=vrn,dc=ru" missing attribute "sn" required by object class "person"
[23/Apr/2007:13:53:34 +0400] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=win2003" (srv-vm1:636)". Sent 7 entries.

I ask for help with solving this problem.

From capareci at uol.com.br Tue Apr 24 17:31:18 2007
From: capareci at uol.com.br (Renato Ribeiro da Silva)
Date: Tue, 24 Apr 2007 14:31:18 -0300
Subject: [Fedora-directory-users] Renew server certificate

I'm trying to renew a server certificate using the Fedora-DS Admin Console, but this function seems not to be working. When I click on the renew button, the "Request Certificate Window" is opened. Can I renew the certificate using the command line?

Thanks in advance,

Renato

From jon at compbio.dundee.ac.uk Tue Apr 24 18:16:13 2007
From: jon at compbio.dundee.ac.uk (Jonathan Barber)
Date: Tue, 24 Apr 2007 19:16:13 +0100
Subject: [Fedora-directory-users] SASL bindings via PLAIN mechanism to FDS
Message-ID: <20070424181612.GN14045@compbio.dundee.ac.uk>

Hi,

I'm trying to get FDS (1.0.4 on Centos 4.4 with Cyrus SASL) to accept authenticated bindings from clients using the SASL PLAIN mechanism over SSL/TLS. This is the first time that I've played with SASL, so I'd appreciate any pointers to decent documentation if I'm doing something stupid. My overall aim is to allow SASL PLAIN bindings via the openldap ldapsearch client.

I've added the following SASL mapping and user entry to my FDS directory:

# SASL mapping
dn: cn=test,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: test
nsSaslMapRegexString: \(.*\)
nsSaslMapBaseDNTemplate: ou=people,ou=lifesci,o=dundee
nsSaslMapFilterTemplate: (uid=\1)

# User
dn: uid=jon,ou=people,ou=lifesci,o=dundee
givenName: j
sn: b
uidNumber: 1000
gidNumber: 1000
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: jon
cn: j b
homeDirectory: /tmp/
userpassword: {SSHA}hashedpassword

And restarted the server.
I set the nsslapd-errorlog-level to 1 to observe the bind process in detail, and get the trace in [1] when I try to bind to the LDAP server with the command:

# ldapsearch -H ldaps://test -Y PLAIN
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-14): authorization failure: Password verification failed

This appears to fail because for some reason SASL tries to look the user up again, thinking that the DN is the UID, fails, and rejects the bind as the DN is unknown. When I add a second mapping (and restart ns-slapd) to try and correct the second failed search:

dn: cn=test2,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: test2
nsSaslMapRegexString: uid=\([^,]*\),
nsSaslMapBaseDNTemplate: ou=people,ou=lifesci,o=dundee
nsSaslMapFilterTemplate: (uid=\1)

I get the trace in [2], and the client returns:

        additional info: SASL(-13): authentication failure: Password verification failed

This just looks like SASL failed to authenticate the passwords this time.

So, have I got the wrong end of the stick, and am I trying to do something that SASL won't let me, or have I just got an error somewhere in my configuration? I've read both the wiki page http://directory.fedora.redhat.com/wiki/Howto:Kerberos and Chapter 11 of the Admin guide, and neither is particularly useful; looking at the FDS source isn't shedding much light either.

Cheers.
[1] error log output with SASL mapping test

[24/Apr/2007:18:31:38 +0100] - BIND dn="" method=163 version=3
[24/Apr/2007:18:31:38 +0100] - => get_ldapmessage_controls
[24/Apr/2007:18:31:38 +0100] - <= get_ldapmessage_controls no controls
[24/Apr/2007:18:31:38 +0100] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.16)
[24/Apr/2007:18:31:38 +0100] - <= slapi_control_present 0 (NO CONTROLS)
[24/Apr/2007:18:31:38 +0100] - do_bind: version 3 method 0xa3 dn
[24/Apr/2007:18:31:38 +0100] - => ids_sasl_check_bind
[24/Apr/2007:18:31:38 +0100] - => ids_sasl_mech_supported
[24/Apr/2007:18:31:38 +0100] - ids_sasl_getopt: plugin= option=mech_list
[24/Apr/2007:18:31:38 +0100] - ids_sasl_getopt: plugin= option=mech_list
[24/Apr/2007:18:31:38 +0100] - ids_sasl_getopt: plugin= option=mech_list
[24/Apr/2007:18:31:38 +0100] - ids_sasl_getopt: plugin= option=mech_list
[24/Apr/2007:18:31:38 +0100] - ids_sasl_getopt: plugin= option=mech_list
[24/Apr/2007:18:31:38 +0100] - ids_sasl_getopt: plugin= option=mech_list
[24/Apr/2007:18:31:38 +0100] - ids_sasl_getopt: plugin= option=mech_list
[24/Apr/2007:18:31:38 +0100] - ids_sasl_getopt: plugin= option=mech_list
[24/Apr/2007:18:31:38 +0100] - ids_sasl_getopt: plugin= option=mech_list
[24/Apr/2007:18:31:38 +0100] - ids_sasl_getopt: plugin= option=mech_list
[24/Apr/2007:18:31:38 +0100] - ids_sasl_getopt: plugin= option=mech_list
[24/Apr/2007:18:31:38 +0100] - ids_sasl_getopt: plugin= option=mech_list
[24/Apr/2007:18:31:38 +0100] - <= ids_sasl_mech_supported
[24/Apr/2007:18:31:38 +0100] - ids_sasl_getopt: plugin= option=mech_list
[24/Apr/2007:18:31:38 +0100] - ids_sasl_canon_user(user=jon, realm=)
[24/Apr/2007:18:31:38 +0100] - -> sasl_map_domap
[24/Apr/2007:18:31:38 +0100] - -> sasl_map_check
[24/Apr/2007:18:31:38 +0100] - regex: \(.*\), id: jon, matched
[24/Apr/2007:18:31:38 +0100] - mapped base dn: [BINARY JUNK], filter: [BINARY JUNK]
[24/Apr/2007:18:31:38 +0100] - <- sasl_map_check
[24/Apr/2007:18:31:38 +0100] - <- sasl_map_domap (mapped)
[24/Apr/2007:18:31:38 +0100] - sasl user search basedn="ou=people,ou=lifesci,o=dundee" filter="(uid=jon)"
[24/Apr/2007:18:31:38 +0100] - => slapi_reslimit_get_integer_limit() conn=0x0, handle=2
[24/Apr/2007:18:31:38 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[24/Apr/2007:18:31:38 +0100] - => slapi_reslimit_get_integer_limit() conn=0x0, handle=1
[24/Apr/2007:18:31:38 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[24/Apr/2007:18:31:39 +0100] - => compute_limits: sizelimit=-1, timelimit=-1
[24/Apr/2007:18:31:39 +0100] - Calling plugin 'ACL preoperation' #1 type 403
[24/Apr/2007:18:31:39 +0100] - Calling plugin 'Legacy replication preoperation plugin' #3 type 403
[24/Apr/2007:18:31:39 +0100] - Calling plugin 'Multimaster replication preoperation plugin' #4 type 403
[24/Apr/2007:18:31:39 +0100] - => slapi_reslimit_get_integer_limit() conn=0x0, handle=0
[24/Apr/2007:18:31:39 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[24/Apr/2007:18:31:39 +0100] - => find_entry_internal (dn=ou=people,ou=lifesci,o=dundee) lock 0
[24/Apr/2007:18:31:39 +0100] - => dn2entry "ou=people,ou=lifesci,o=dundee"
[24/Apr/2007:18:31:39 +0100] - <= dn2entry 96034e0
[24/Apr/2007:18:31:39 +0100] - <= find_entry_internal_dn found (ou=people,ou=lifesci,o=dundee)
[24/Apr/2007:18:31:39 +0100] - => filter_candidates
[24/Apr/2007:18:31:39 +0100] - => list_candidates 0xa1
[24/Apr/2007:18:31:39 +0100] - => filter_candidates
[24/Apr/2007:18:31:39 +0100] - => ava_candidates
[24/Apr/2007:18:31:39 +0100] - uid=jon
[24/Apr/2007:18:31:39 +0100] - => keys2idl type uid indextype eq
[24/Apr/2007:18:31:39 +0100] - => index_read( "uid" = "jon" )
[24/Apr/2007:18:31:39 +0100] - bulk fetch buffer nids=1
[24/Apr/2007:18:31:39 +0100] - idl_new_fetch =jon returns nids=1
[24/Apr/2007:18:31:39 +0100] - <= index_read 1 candidates
[24/Apr/2007:18:31:39 +0100] - ival[0] = "jon" => 1 IDs
[24/Apr/2007:18:31:39 +0100] - <= filter_candidates 1
[24/Apr/2007:18:31:39 +0100] - => filter_candidates
[24/Apr/2007:18:31:39 +0100] - => ava_candidates
[24/Apr/2007:18:31:39 +0100] - objectclass=referral
[24/Apr/2007:18:31:39 +0100] - => keys2idl type objectclass indextype eq
[24/Apr/2007:18:31:39 +0100] - => index_read( "objectclass" = "referral" )
[24/Apr/2007:18:31:39 +0100] - <= index_read 0 candidates
[24/Apr/2007:18:31:39 +0100] - ival[0] = "referral" => 0 IDs
[24/Apr/2007:18:31:39 +0100] - <= filter_candidates 0
[24/Apr/2007:18:31:39 +0100] - <= list_candidates 1
[24/Apr/2007:18:31:39 +0100] - <= filter_candidates 1
[24/Apr/2007:18:31:39 +0100] - candidate list has 1 ids
[24/Apr/2007:18:31:39 +0100] - => id2entry( 5 )
[24/Apr/2007:18:31:39 +0100] - => str2entry_fast
[24/Apr/2007:18:31:39 +0100] - <= str2entry_fast 0x95b2578
[24/Apr/2007:18:31:39 +0100] - -> attrcrypt_decrypt_entry
[24/Apr/2007:18:31:39 +0100] - <- attrcrypt_decrypt_entry
[24/Apr/2007:18:31:39 +0100] - <= id2entry( 5 ) 9638cc8 (disk)
[24/Apr/2007:18:31:39 +0100] - => send_ldap_search_entry (uid=jon,ou=people,ou=lifesci,o=dundee)
[24/Apr/2007:18:31:39 +0100] - <= send_ldap_search_entry
[24/Apr/2007:18:31:39 +0100] - => send_ldap_result 0::
[24/Apr/2007:18:31:39 +0100] - <= send_ldap_result
[24/Apr/2007:18:31:39 +0100] - sasl user search found dn=uid=jon,ou=people,ou=lifesci,o=dundee
[24/Apr/2007:18:31:39 +0100] - sasl user search found this entry: dn:uid=jon,ou=people,ou=lifesci,o=dundee, matching filter=
[24/Apr/2007:18:31:39 +0100] - ids_sasl_getopt: plugin= option=canon_user_plugin
[24/Apr/2007:18:31:39 +0100] - ids_sasl_getopt: plugin= option=auxprop_plugin
[24/Apr/2007:18:31:39 +0100] - ids_sasl_getopt: plugin= option=pwcheck_method
[24/Apr/2007:18:31:39 +0100] - ids_sasl_canon_user(user=uid=jon,ou=people,ou=lifesci,o=dundee, realm=)
[24/Apr/2007:18:31:40 +0100] - -> sasl_map_domap
[24/Apr/2007:18:31:40 +0100] - -> sasl_map_check
[24/Apr/2007:18:31:40 +0100] - regex: \(.*\), id: uid=jon,ou=people,ou=lifesci,o=dundee, matched
[24/Apr/2007:18:31:40 +0100] - mapped base dn: [BINARY JUNK], filter: [BINARY JUNK]
[24/Apr/2007:18:31:40 +0100] - <- sasl_map_check
[24/Apr/2007:18:31:40 +0100] - <- sasl_map_domap (mapped)
[24/Apr/2007:18:31:40 +0100] - sasl user search basedn="ou=people,ou=lifesci,o=dundee" filter="(uid=uid=jon,ou=people,ou=lifesci,o=dundee)"
[24/Apr/2007:18:31:40 +0100] - => slapi_reslimit_get_integer_limit() conn=0x0, handle=2
[24/Apr/2007:18:31:40 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[24/Apr/2007:18:31:40 +0100] - => slapi_reslimit_get_integer_limit() conn=0x0, handle=1
[24/Apr/2007:18:31:40 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[24/Apr/2007:18:31:40 +0100] - => compute_limits: sizelimit=-1, timelimit=-1
[24/Apr/2007:18:31:40 +0100] - Calling plugin 'ACL preoperation' #1 type 403
[24/Apr/2007:18:31:40 +0100] - Calling plugin 'Legacy replication preoperation plugin' #3 type 403
[24/Apr/2007:18:31:40 +0100] - Calling plugin 'Multimaster replication preoperation plugin' #4 type 403
[24/Apr/2007:18:31:40 +0100] - => slapi_reslimit_get_integer_limit() conn=0x0, handle=0
[24/Apr/2007:18:31:40 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[24/Apr/2007:18:31:40 +0100] - => find_entry_internal (dn=ou=people,ou=lifesci,o=dundee) lock 0
[24/Apr/2007:18:31:40 +0100] - => dn2entry "ou=people,ou=lifesci,o=dundee"
[24/Apr/2007:18:31:40 +0100] - <= dn2entry 96034e0
[24/Apr/2007:18:31:40 +0100] - <= find_entry_internal_dn found (ou=people,ou=lifesci,o=dundee)
[24/Apr/2007:18:31:40 +0100] - => filter_candidates
[24/Apr/2007:18:31:40 +0100] - => list_candidates 0xa1
[24/Apr/2007:18:31:40 +0100] - => filter_candidates
[24/Apr/2007:18:31:40 +0100] - => ava_candidates
[24/Apr/2007:18:31:40 +0100] - uid=uid=jon,ou=people,ou=lifesci,o=dundee
[24/Apr/2007:18:31:40 +0100] - => keys2idl type uid indextype eq
[24/Apr/2007:18:31:40 +0100] - => index_read( "uid" = "uid=jon,ou=people,ou=lifesci,o=dundee" )
[24/Apr/2007:18:31:40 +0100] - <= index_read 0 candidates
[24/Apr/2007:18:31:40 +0100] - ival[0] = "uid=jon,ou=people,ou=lifesci,o=dundee" => 0 IDs
[24/Apr/2007:18:31:40 +0100] - <= filter_candidates 0
[24/Apr/2007:18:31:40 +0100] - => filter_candidates
[24/Apr/2007:18:31:40 +0100] - => ava_candidates
[24/Apr/2007:18:31:40 +0100] - objectclass=referral
[24/Apr/2007:18:31:40 +0100] - => keys2idl type objectclass indextype eq
[24/Apr/2007:18:31:40 +0100] - => index_read( "objectclass" = "referral" )
[24/Apr/2007:18:31:40 +0100] - <= index_read 0 candidates
[24/Apr/2007:18:31:40 +0100] - ival[0] = "referral" => 0 IDs
[24/Apr/2007:18:31:40 +0100] - <= filter_candidates 0
[24/Apr/2007:18:31:40 +0100] - <= list_candidates 0
[24/Apr/2007:18:31:40 +0100] - <= filter_candidates 0
[24/Apr/2007:18:31:40 +0100] - candidate list has 0 ids
[24/Apr/2007:18:31:40 +0100] - => send_ldap_result 0::
[24/Apr/2007:18:31:40 +0100] - <= send_ldap_result
[24/Apr/2007:18:31:40 +0100] - sasl user search found no entries matching filter=:#w
[24/Apr/2007:18:31:41 +0100] - sasl(2): Password verification failed
[24/Apr/2007:18:31:41 +0100] - => send_ldap_result 49::SASL(-14): authorization failure: Password verification failed
[24/Apr/2007:18:31:41 +0100] - <= send_ldap_result

[2] error log output with SASL mapping test and test2

[24/Apr/2007:18:42:40 +0100] - => ids_sasl_server_new (lsd_test.lifesci.dundee.ac.uk)
[24/Apr/2007:18:42:40 +0100] - ids_sasl_getopt: plugin= option=log_level
[24/Apr/2007:18:42:40 +0100] - ids_sasl_getopt: plugin= option=auto_transition
[24/Apr/2007:18:42:40 +0100] - <= ids_sasl_server_new
[24/Apr/2007:18:42:40 +0100] - => slapi_reslimit_get_integer_limit() conn=0xb6b598a8, handle=3
[24/Apr/2007:18:42:40 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[24/Apr/2007:18:42:40 +0100] - => slapi_reslimit_get_integer_limit() conn=0xb6b59808, handle=3
[24/Apr/2007:18:42:40 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[24/Apr/2007:18:42:40 +0100] - add_pb
[24/Apr/2007:18:42:40 +0100] - => slapi_reslimit_get_integer_limit() conn=0xb6b59808, handle=3
[24/Apr/2007:18:42:40 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[24/Apr/2007:18:42:40 +0100] - get_pb
[24/Apr/2007:18:42:42 +0100] - => slapi_reslimit_get_integer_limit() conn=0xb6b598a8, handle=3
[24/Apr/2007:18:42:42 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[24/Apr/2007:18:42:42 +0100] - => slapi_reslimit_get_integer_limit() conn=0xb6b59808, handle=3
[24/Apr/2007:18:42:42 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[24/Apr/2007:18:42:42 +0100] - add_pb
[24/Apr/2007:18:42:42 +0100] - => slapi_reslimit_get_integer_limit() conn=0xb6b59808, handle=3
[24/Apr/2007:18:42:42 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[24/Apr/2007:18:42:42 +0100] - get_pb
[24/Apr/2007:18:42:42 +0100] - => slapi_reslimit_get_integer_limit() conn=0xb6b598a8, handle=3
[24/Apr/2007:18:42:42 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[24/Apr/2007:18:42:42 +0100] - => slapi_reslimit_get_integer_limit() conn=0xb6b59808, handle=3
[24/Apr/2007:18:42:42 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[24/Apr/2007:18:42:42 +0100] - do_bind
[24/Apr/2007:18:42:42 +0100] - BIND dn="" method=163 version=3
[24/Apr/2007:18:42:42 +0100] - => get_ldapmessage_controls
[24/Apr/2007:18:42:42 +0100] - <= get_ldapmessage_controls no controls
[24/Apr/2007:18:42:42 +0100] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.16)
[24/Apr/2007:18:42:42 +0100] - <= slapi_control_present 0 (NO CONTROLS)
[24/Apr/2007:18:42:42 +0100] - do_bind: version 3 method 0xa3 dn
[24/Apr/2007:18:42:42 +0100] - => ids_sasl_check_bind
[24/Apr/2007:18:42:42 +0100] - => ids_sasl_mech_supported
[24/Apr/2007:18:42:43 +0100] - ids_sasl_getopt: plugin= option=mech_list
[24/Apr/2007:18:42:43 +0100] - ids_sasl_getopt: plugin= option=mech_list
[24/Apr/2007:18:42:43 +0100] - ids_sasl_getopt: plugin= option=mech_list
[24/Apr/2007:18:42:43 +0100] - ids_sasl_getopt: plugin= option=mech_list
[24/Apr/2007:18:42:43 +0100] - ids_sasl_getopt: plugin= option=mech_list
[24/Apr/2007:18:42:43 +0100] - ids_sasl_getopt: plugin= option=mech_list
[24/Apr/2007:18:42:43 +0100] - ids_sasl_getopt: plugin= option=mech_list
[24/Apr/2007:18:42:43 +0100] - ids_sasl_getopt: plugin= option=mech_list
[24/Apr/2007:18:42:43 +0100] - ids_sasl_getopt: plugin= option=mech_list
[24/Apr/2007:18:42:43 +0100] - ids_sasl_getopt: plugin= option=mech_list
[24/Apr/2007:18:42:43 +0100] - ids_sasl_getopt: plugin= option=mech_list
[24/Apr/2007:18:42:43 +0100] - ids_sasl_getopt: plugin= option=mech_list
[24/Apr/2007:18:42:43 +0100] - <= ids_sasl_mech_supported
[24/Apr/2007:18:42:43 +0100] - ids_sasl_getopt: plugin= option=mech_list
[24/Apr/2007:18:42:43 +0100] - ids_sasl_canon_user(user=jon, realm=)
[24/Apr/2007:18:42:43 +0100] - -> sasl_map_domap
[24/Apr/2007:18:42:43 +0100] - -> sasl_map_check
[24/Apr/2007:18:42:43 +0100] - regex: uid=\([^,]*\),, id: jon, didn't match
[24/Apr/2007:18:42:43 +0100] - <- sasl_map_check
[24/Apr/2007:18:42:43 +0100] - -> sasl_map_check
[24/Apr/2007:18:42:43 +0100] - regex: \(.*\), id: jon, matched
[24/Apr/2007:18:42:43 +0100] - mapped base dn: [BINARY JUNK], filter: [BINARY JUNK]
[24/Apr/2007:18:42:43 +0100] - <- sasl_map_check
[24/Apr/2007:18:42:43 +0100] - <- sasl_map_domap (mapped)
[24/Apr/2007:18:42:43 +0100] - sasl user search basedn="ou=people,ou=lifesci,o=dundee" filter="(uid=jon)"
[24/Apr/2007:18:42:43 +0100] - => slapi_reslimit_get_integer_limit() conn=0x0, handle=2
[24/Apr/2007:18:42:43 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[24/Apr/2007:18:42:43 +0100] - => slapi_reslimit_get_integer_limit() conn=0x0, handle=1
[24/Apr/2007:18:42:43 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[24/Apr/2007:18:42:43 +0100] - => compute_limits: sizelimit=-1, timelimit=-1
[24/Apr/2007:18:42:43 +0100] - Calling plugin 'ACL preoperation'
#1 type 403 [24/Apr/2007:18:42:43 +0100] - Calling plugin 'Legacy replication preoperation plugin' #3 type 403 [24/Apr/2007:18:42:43 +0100] - Calling plugin 'Multimaster replication preoperation plugin' #4 type 403 [24/Apr/2007:18:42:43 +0100] - => slapi_reslimit_get_integer_limit() conn=0x0, handle=0 [24/Apr/2007:18:42:43 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE [24/Apr/2007:18:42:43 +0100] - => find_entry_internal (dn=ou=people,ou=lifesci,o=dundee) lock 0 [24/Apr/2007:18:42:43 +0100] - => dn2entry "ou=people,ou=lifesci,o=dundee" [24/Apr/2007:18:42:43 +0100] - <= dn2entry 8851fa0 [24/Apr/2007:18:42:43 +0100] - <= find_entry_internal_dn found (ou=people,ou=lifesci,o=dundee) [24/Apr/2007:18:42:43 +0100] - => filter_candidates [24/Apr/2007:18:42:43 +0100] - => list_candidates 0xa1 [24/Apr/2007:18:42:43 +0100] - => filter_candidates [24/Apr/2007:18:42:43 +0100] - => ava_candidates [24/Apr/2007:18:42:43 +0100] - uid=jon [24/Apr/2007:18:42:43 +0100] - => keys2idl type uid indextype eq [24/Apr/2007:18:42:43 +0100] - => index_read( "uid" = "jon" ) [24/Apr/2007:18:42:43 +0100] - bulk fetch buffer nids=1 [24/Apr/2007:18:42:43 +0100] - idl_new_fetch =jon returns nids=1 [24/Apr/2007:18:42:44 +0100] - <= index_read 1 candidates [24/Apr/2007:18:42:44 +0100] - ival[0] = "jon" => 1 IDs [24/Apr/2007:18:42:44 +0100] - <= filter_candidates 1 [24/Apr/2007:18:42:44 +0100] - => filter_candidates [24/Apr/2007:18:42:44 +0100] - => ava_candidates [24/Apr/2007:18:42:44 +0100] - objectclass=referral [24/Apr/2007:18:42:44 +0100] - => keys2idl type objectclass indextype eq [24/Apr/2007:18:42:44 +0100] - => index_read( "objectclass" = "referral" ) [24/Apr/2007:18:42:44 +0100] - <= index_read 0 candidates [24/Apr/2007:18:42:44 +0100] - ival[0] = "referral" => 0 IDs [24/Apr/2007:18:42:44 +0100] - <= filter_candidates 0 [24/Apr/2007:18:42:44 +0100] - <= list_candidates 1 [24/Apr/2007:18:42:44 +0100] - <= filter_candidates 1 [24/Apr/2007:18:42:44 +0100] - candidate list 
has 1 ids [24/Apr/2007:18:42:44 +0100] - => id2entry( 5 ) [24/Apr/2007:18:42:44 +0100] - <= id2entry 8ab8d90 (cache) [24/Apr/2007:18:42:44 +0100] - => send_ldap_search_entry (uid=jon,ou=people,ou=lifesci,o=dundee) [24/Apr/2007:18:42:44 +0100] - <= send_ldap_search_entry [24/Apr/2007:18:42:44 +0100] - => send_ldap_result 0:: [24/Apr/2007:18:42:44 +0100] - <= send_ldap_result [24/Apr/2007:18:42:44 +0100] - sasl user search found dn=uid=jon,ou=people,ou=lifesci,o=dundee [24/Apr/2007:18:42:44 +0100] - sasl user search found this entry: dn:uid=jon,ou=people,ou=lifesci,o=dundee, matching filter=p [24/Apr/2007:18:42:44 +0100] - ids_sasl_getopt: plugin= option=canon_user_plugin [24/Apr/2007:18:42:44 +0100] - ids_sasl_getopt: plugin= option=auxprop_plugin [24/Apr/2007:18:42:44 +0100] - ids_sasl_getopt: plugin= option=pwcheck_method [24/Apr/2007:18:42:44 +0100] - ids_sasl_canon_user(user=uid=jon,ou=people,ou=lifesci,o=dundee, realm=) [24/Apr/2007:18:42:44 +0100] - -> sasl_map_domap [24/Apr/2007:18:42:44 +0100] - -> sasl_map_check [24/Apr/2007:18:42:44 +0100] - regex: uid=\([^,]*\),, id: uid=jon,ou=people,ou=lifesci,o=dundee, matched [24/Apr/2007:18:42:44 +0100] - mapped base dn: [BINARY JUNK] filter: [BINARY JUNK] [24/Apr/2007:18:42:44 +0100] - <- sasl_map_check [24/Apr/2007:18:42:44 +0100] - <- sasl_map_domap (mapped) [24/Apr/2007:18:42:44 +0100] - sasl user search basedn="ou=people,ou=lifesci,o=dundee" filter="(uid=jon)" [24/Apr/2007:18:42:44 +0100] - => slapi_reslimit_get_integer_limit() conn=0x0, handle=2 [24/Apr/2007:18:42:44 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE [24/Apr/2007:18:42:44 +0100] - => slapi_reslimit_get_integer_limit() conn=0x0, handle=1 [24/Apr/2007:18:42:44 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE [24/Apr/2007:18:42:44 +0100] - => compute_limits: sizelimit=-1, timelimit=-1 [24/Apr/2007:18:42:44 +0100] - Calling plugin 'ACL preoperation' #1 type 403 [24/Apr/2007:18:42:44 +0100] - Calling plugin 'Legacy 
replication preoperation plugin' #3 type 403 [24/Apr/2007:18:42:44 +0100] - Calling plugin 'Multimaster replication preoperation plugin' #4 type 403 [24/Apr/2007:18:42:44 +0100] - => slapi_reslimit_get_integer_limit() conn=0x0, handle=0 [24/Apr/2007:18:42:45 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE [24/Apr/2007:18:42:45 +0100] - => find_entry_internal (dn=ou=people,ou=lifesci,o=dundee) lock 0 [24/Apr/2007:18:42:45 +0100] - => dn2entry "ou=people,ou=lifesci,o=dundee" [24/Apr/2007:18:42:45 +0100] - <= dn2entry 8851fa0 [24/Apr/2007:18:42:45 +0100] - <= find_entry_internal_dn found (ou=people,ou=lifesci,o=dundee) [24/Apr/2007:18:42:45 +0100] - => filter_candidates [24/Apr/2007:18:42:45 +0100] - => list_candidates 0xa1 [24/Apr/2007:18:42:45 +0100] - => filter_candidates [24/Apr/2007:18:42:45 +0100] - => ava_candidates [24/Apr/2007:18:42:45 +0100] - uid=jon [24/Apr/2007:18:42:45 +0100] - => keys2idl type uid indextype eq [24/Apr/2007:18:42:45 +0100] - => index_read( "uid" = "jon" ) [24/Apr/2007:18:42:45 +0100] - bulk fetch buffer nids=1 [24/Apr/2007:18:42:45 +0100] - idl_new_fetch =jon returns nids=1 [24/Apr/2007:18:42:45 +0100] - <= index_read 1 candidates [24/Apr/2007:18:42:45 +0100] - ival[0] = "jon" => 1 IDs [24/Apr/2007:18:42:45 +0100] - <= filter_candidates 1 [24/Apr/2007:18:42:45 +0100] - => filter_candidates [24/Apr/2007:18:42:45 +0100] - => ava_candidates [24/Apr/2007:18:42:45 +0100] - objectclass=referral [24/Apr/2007:18:42:45 +0100] - => keys2idl type objectclass indextype eq [24/Apr/2007:18:42:45 +0100] - => index_read( "objectclass" = "referral" ) [24/Apr/2007:18:42:45 +0100] - <= index_read 0 candidates [24/Apr/2007:18:42:45 +0100] - ival[0] = "referral" => 0 IDs [24/Apr/2007:18:42:45 +0100] - <= filter_candidates 0 [24/Apr/2007:18:42:45 +0100] - <= list_candidates 1 [24/Apr/2007:18:42:45 +0100] - <= filter_candidates 1 [24/Apr/2007:18:42:45 +0100] - candidate list has 1 ids [24/Apr/2007:18:42:45 +0100] - => id2entry( 5 ) 
[24/Apr/2007:18:42:45 +0100] - <= id2entry 8ab8d90 (cache) [24/Apr/2007:18:42:45 +0100] - => send_ldap_search_entry (uid=jon,ou=people,ou=lifesci,o=dundee) [24/Apr/2007:18:42:45 +0100] - <= send_ldap_search_entry [24/Apr/2007:18:42:45 +0100] - => send_ldap_result 0:: [24/Apr/2007:18:42:45 +0100] - <= send_ldap_result [24/Apr/2007:18:42:45 +0100] - sasl user search found dn=uid=jon,ou=people,ou=lifesci,o=dundee [24/Apr/2007:18:42:45 +0100] - sasl user search found this entry: dn:uid=jon,ou=people,ou=lifesci,o=dundee, matching filter=:. [24/Apr/2007:18:42:45 +0100] - ids_sasl_getopt: plugin= option=canon_user_plugin [24/Apr/2007:18:42:45 +0100] - ids_sasl_getopt: plugin= option=auxprop_plugin [24/Apr/2007:18:42:45 +0100] - ids_sasl_getopt: plugin= option=auxprop_plugin [24/Apr/2007:18:42:45 +0100] - sasl(2): Password verification failed [24/Apr/2007:18:42:45 +0100] - => send_ldap_result 49::SASL(-13): authentication failure: Password verification failed [24/Apr/2007:18:42:45 +0100] - <= send_ldap_result [24/Apr/2007:18:42:45 +0100] - add_pb [24/Apr/2007:18:42:45 +0100] - => slapi_reslimit_get_integer_limit() conn=0xb6b59808, handle=3 [24/Apr/2007:18:42:45 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE [24/Apr/2007:18:42:45 +0100] - get_pb [24/Apr/2007:18:42:45 +0100] - => slapi_reslimit_get_integer_limit() conn=0xb6b59808, handle=3 [24/Apr/2007:18:42:45 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE [24/Apr/2007:18:42:46 +0100] - => ids_sasl_check_bind -- Jonathan Barber High Performance Computing Analyst Tel. +44 (0) 1382 386389 From rcritten at redhat.com Tue Apr 24 19:12:36 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 24 Apr 2007 15:12:36 -0400 Subject: [Fedora-directory-users] Renew server certificate In-Reply-To: References: Message-ID: <462E56A4.20009@redhat.com> Renato Ribeiro da Silva wrote: > I'm trying to renew a server certificate using Fedora-DS Admin Console but this function seems no working. 
> When I click on the renew button, the "Request Certificate Window" is opened. Can I renew the certificate using the command line?
>
> Thanks in advance,
> Renato

I wonder if it generated a new key or is just trying to generate a new Certificate Signing Request (CSR). For a renewal you'd use the same key but get a new cert from the CA.

rob

From chris at sourcelabs.com Thu Apr 26 17:28:32 2007
From: chris at sourcelabs.com (Chris Halstead)
Date: Thu, 26 Apr 2007 10:28:32 -0700
Subject: [Fedora-directory-users] Previous password still works?
Message-ID: <4630E140.80405@sourcelabs.com>

Hi folks,

I've been googling 'til my eyes bleed but I can't find anything on this.

We're using FDS 1.0.2 and I recently used the admin console (logged in as myself, not as the admin account) to change my personal account password. The new password worked, so far so good. The problem is that my *old* password still worked as well. Everywhere. Login through PAM, login to the FDS admin console, you name it.

After doing some testing I've found that if I change my password logged in as myself the old password will still work, yet if I change it logged in with our admin user account only the new one works. What am I missing?

I was planning on putting together a web form for user password changes (using the user's credentials to bind), but if user password changes won't invalidate old passwords I'm going to have to change my approach.

-chris

From rmeggins at redhat.com Thu Apr 26 19:39:09 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 26 Apr 2007 13:39:09 -0600
Subject: [Fedora-directory-users] Previous password still works?
In-Reply-To: <4630E140.80405@sourcelabs.com>
References: <4630E140.80405@sourcelabs.com>
Message-ID: <4630FFDD.2020301@redhat.com>

Chris Halstead wrote:
> Hi folks,
>
> I've been googling 'til my eyes bleed but I can't find anything on this.
>
> We're using FDS 1.0.2 and I recently used the admin console (logged in as myself, not as the admin account) to change my personal account password. The new password worked, so far so good. The problem is that my *old* password still worked as well. Everywhere. Login through PAM, login to the FDS admin console, you name it.

So, both old and new password work everywhere? pam too? Have you tried the command line ldapsearch?

> After doing some testing I've found that if I change my password logged in as myself the old password will still work, yet if I change it logged in with our admin user account only the new one works. What am I missing?
>
> I was planning on putting together a web-form for user password changes (using the user's credentials to bind), but if user password changes won't invalidate old passwords I'm going to have to change my approach.
>
> -chris

From chris at sourcelabs.com Thu Apr 26 20:46:05 2007
From: chris at sourcelabs.com (Chris Halstead)
Date: Thu, 26 Apr 2007 13:46:05 -0700
Subject: [Fedora-directory-users] Previous password still works?
In-Reply-To: <4630FFDD.2020301@redhat.com>
References: <4630E140.80405@sourcelabs.com> <4630FFDD.2020301@redhat.com>
Message-ID: <46310F8D.8030308@sourcelabs.com>

Richard Megginson wrote:
> So, both old and new password work everywhere? pam too? Have you tried the command line ldapsearch?
Yep - PAM, httpd auth, FDS console login, passthru auth from LDAP-enabled apps all work with both old and new, but *only* when I've changed the password through the console while logged in as myself. If I change my password with passwd on a PAM-enabled system, or change it in the console logged in as an admin user, only the new one works.

-chris

From rmeggins at redhat.com Thu Apr 26 20:56:49 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 26 Apr 2007 14:56:49 -0600
Subject: [Fedora-directory-users] Previous password still works?
In-Reply-To: <46310F8D.8030308@sourcelabs.com>
References: <4630E140.80405@sourcelabs.com> <4630FFDD.2020301@redhat.com> <46310F8D.8030308@sourcelabs.com>
Message-ID: <46311211.1090708@redhat.com>

Chris Halstead wrote:
> Richard Megginson wrote:
>> So, both old and new password work everywhere? pam too? Have you tried the command line ldapsearch?
>
> Yep - PAM, httpd auth, FDS console login, passthru auth from LDAP-enabled apps all work with both old and new, but *only* when I've changed the password through the console while logged in as myself. If I change my password with passwd on a PAM-enabled system, or change it in the console logged in as an admin user, only the new one works.

So the following both work and produce the exact same result?

ldapsearch -x -h ldaphost -p ldapport -D "uid=chalstead,ou=people,dc=yourdomain,dc=com" -w oldpassword -b ou=people,dc=yourdomain,dc=com "(uid=chalstead)"

and

ldapsearch -x -h ldaphost -p ldapport -D "uid=chalstead,ou=people,dc=yourdomain,dc=com" -w newpassword -b ou=people,dc=yourdomain,dc=com "(uid=chalstead)"

?

> -chris
From kyley_engle at hotmail.com Thu Apr 26 21:16:14 2007
From: kyley_engle at hotmail.com (Kyley Engle)
Date: Thu, 26 Apr 2007 14:16:14 -0700
Subject: [Fedora-directory-users] Problem with Admin Console failover using FedoraDS

Hello,

I am having problems with the admin-serv when doing failure testing in my multi-master environment.

What I have:

2 masters replicating the userRoot and NetscapeRoot directories
various hub and consumer/search servers

When I installed the instances on each of these servers, I pointed them at one of the masters, let's call it primary-master, for its configuration directory. When both masters are up and running, I can connect my admin console to either directory and manage my fleet of servers.

While doing failure mode testing, I discovered that if the primary-master was turned off, the secondary master admin-serv would not start properly. It gives the following in /opt/fedora-ds/admin-serv/logs/error:

[Tue Apr 24 20:37:36 2007] [crit] mod_admserv_post_config(): unable to build user/group LDAP server info: unable to set User/Group baseDN
Configuration Failed

I followed the instructions found here:
http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt#How_to_change_the_user.2Fgroup_LDAP_server

to change the admin server running on secondary-master to point to itself instead of to the primary master. This did not resolve the issue.

Has anyone out there gotten the configuration directory successfully working in a failover capacity in a multi-master environment?

ke

From smooge at gmail.com Thu Apr 26 21:16:59 2007
From: smooge at gmail.com (Stephen John Smoogen)
Date: Thu, 26 Apr 2007 15:16:59 -0600
Subject: [Fedora-directory-users] Previous password still works?
In-Reply-To: <46311211.1090708@redhat.com>
References: <4630E140.80405@sourcelabs.com> <4630FFDD.2020301@redhat.com> <46310F8D.8030308@sourcelabs.com> <46311211.1090708@redhat.com>
Message-ID: <80d7e4090704261416o78404753q39b320993ffc2a99@mail.gmail.com>

On 4/26/07, Richard Megginson wrote:
> Chris Halstead wrote:
> > Richard Megginson wrote:
> >> So, both old and new password work everywhere? pam too? Have you tried the command line ldapsearch?
> >
> > Yep - PAM, httpd auth, FDS console login, passthru auth from LDAP-enabled apps all work with both old and new, but *only* when I've changed the password through the console while logged in as myself. If I change my password with passwd on a PAM-enabled system, or change it in the console logged in as an admin user, only the new one works.
> So the following both work and produce the exact same result?
> ldapsearch -x -h ldaphost -p ldapport -D "uid=chalstead,ou=people,dc=yourdomain,dc=com" -w oldpassword -b ou=people,dc=yourdomain,dc=com "(uid=chalstead)"
> and
> ldapsearch -x -h ldaphost -p ldapport -D "uid=chalstead,ou=people,dc=yourdomain,dc=com" -w newpassword -b ou=people,dc=yourdomain,dc=com "(uid=chalstead)"
> ?

Would nscd help cause this?

-- 
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare.
"The Merchant of Venice"

From rmeggins at redhat.com Thu Apr 26 21:17:43 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 26 Apr 2007 15:17:43 -0600
Subject: [Fedora-directory-users] Problem with Admin Console failover using FedoraDS
Message-ID: <463116F7.6070804@redhat.com>

Kyley Engle wrote:
> Hello,
>
> I am having problems with the admin-serv when doing failure testing in my multi-master environment.
>
> What I have:
>
> 2 masters replicating the userRoot and NetscapeRoot directories
> various hub and consumer/search servers
>
> When I installed the instances on each of these servers, I pointed them at one of the masters, let's call it primary-master, for its configuration directory. When both masters are up and running, I can connect my admin console to either directory and manage my fleet of servers.
>
> While doing failure mode testing, I discovered that if the primary-master was turned off, the secondary master admin-serv would not start properly. It gives the following in /opt/fedora-ds/admin-serv/logs/error:
>
> [Tue Apr 24 20:37:36 2007] [crit] mod_admserv_post_config(): unable to build user/group LDAP server info: unable to set User/Group baseDN
> Configuration Failed
>
> I followed the instructions found here:
> http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt#How_to_change_the_user.2Fgroup_LDAP_server
>
> to change the admin server running on secondary-master to point to itself instead of to the primary master. This did not resolve the issue.
>
> Has anyone out there gotten the configuration directory successfully working in a failover capacity in a multi-master environment?

Try updating shared/config/dbswitch.conf to point to the backup configuration ds.

> ke
From kyley_engle at hotmail.com Thu Apr 26 21:46:40 2007
From: kyley_engle at hotmail.com (Kyley Engle)
Date: Thu, 26 Apr 2007 14:46:40 -0700
Subject: [Fedora-directory-users] Problem with Admin Console failover using FedoraDS
In-Reply-To: <463116F7.6070804@redhat.com>

I have done that, as well as changing the directory in the nsDirectoryURL entry and the file /opt/fedora-ds/admin-serv/config/adm.conf.

Is there maybe a way to increase the debug logging on the admin-serv? I'm not finding very much documentation on it.

ke

> From: Richard Megginson
> Reply-To: "General discussion list for the Fedora Directory server project."
> To: "General discussion list for the Fedora Directory server project."
> Subject: Re: [Fedora-directory-users] Problem with Admin Console failover using FedoraDS
> Date: Thu, 26 Apr 2007 15:17:43 -0600
>
> Kyley Engle wrote:
>> Hello,
>>
>> I am having problems with the admin-serv when doing failure testing in my multi-master environment.
>>
>> What I have:
>>
>> 2 masters replicating the userRoot and NetscapeRoot directories
>> various hub and consumer/search servers
>>
>> When I installed the instances on each of these servers, I pointed them at one of the masters, let's call it primary-master, for its configuration directory. When both masters are up and running, I can connect my admin console to either directory and manage my fleet of servers.
>>
>> While doing failure mode testing, I discovered that if the primary-master was turned off, the secondary master admin-serv would not start properly.
>> It gives the following in /opt/fedora-ds/admin-serv/logs/error:
>>
>> [Tue Apr 24 20:37:36 2007] [crit] mod_admserv_post_config(): unable to build user/group LDAP server info: unable to set User/Group baseDN
>> Configuration Failed
>>
>> I followed the instructions found here:
>> http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt#How_to_change_the_user.2Fgroup_LDAP_server
>>
>> to change the admin server running on secondary-master to point to itself instead of to the primary master. This did not resolve the issue.
>>
>> Has anyone out there gotten the configuration directory successfully working in a failover capacity in a multi-master environment?
> Try updating shared/config/dbswitch.conf to point to the backup configuration ds.
>>
>> ke

From chris at sourcelabs.com Thu Apr 26 21:50:44 2007
From: chris at sourcelabs.com (Chris Halstead)
Date: Thu, 26 Apr 2007 14:50:44 -0700
Subject: [Fedora-directory-users] Previous password still works?
In-Reply-To: <46311211.1090708@redhat.com>
References: <4630E140.80405@sourcelabs.com> <4630FFDD.2020301@redhat.com> <46310F8D.8030308@sourcelabs.com> <46311211.1090708@redhat.com>
Message-ID: <46311EB4.7010501@sourcelabs.com>

I had to set my bind credentials using 'cn' instead of 'uid' to get ldapsearch to work, but anyway...

After setting my password logged into console as myself I get identical ldapsearch results with both old and new passwords. After setting via 'passwd' only the new password works. I can send you the ldapsearch output offline if you'd like.

-chris

Richard Megginson wrote:
> So the following both work and produce the exact same result?
> ldapsearch -x -h ldaphost -p ldapport -D "uid=chalstead,ou=people,dc=yourdomain,dc=com" -w oldpassword -b ou=people,dc=yourdomain,dc=com "(uid=chalstead)"
> and
> ldapsearch -x -h ldaphost -p ldapport -D "uid=chalstead,ou=people,dc=yourdomain,dc=com" -w newpassword -b ou=people,dc=yourdomain,dc=com "(uid=chalstead)"
> ?

From chris at sourcelabs.com Thu Apr 26 21:55:47 2007
From: chris at sourcelabs.com (Chris Halstead)
Date: Thu, 26 Apr 2007 14:55:47 -0700
Subject: [Fedora-directory-users] Previous password still works?
In-Reply-To: <80d7e4090704261416o78404753q39b320993ffc2a99@mail.gmail.com>
References: <4630E140.80405@sourcelabs.com> <4630FFDD.2020301@redhat.com> <46310F8D.8030308@sourcelabs.com> <46311211.1090708@redhat.com> <80d7e4090704261416o78404753q39b320993ffc2a99@mail.gmail.com>
Message-ID: <46311FE3.2050506@sourcelabs.com>

That was actually the first thing I checked. ;-)

-chris

Stephen John Smoogen wrote:
> Would nscd help cause this?

From rmeggins at redhat.com Thu Apr 26 21:59:03 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 26 Apr 2007 15:59:03 -0600
Subject: [Fedora-directory-users] Previous password still works?
In-Reply-To: <46311EB4.7010501@sourcelabs.com>
References: <4630E140.80405@sourcelabs.com> <4630FFDD.2020301@redhat.com> <46310F8D.8030308@sourcelabs.com> <46311211.1090708@redhat.com> <46311EB4.7010501@sourcelabs.com>
Message-ID: <463120A7.2000409@redhat.com>

Chris Halstead wrote:
> I had to set my bind credentials using 'cn' instead of 'uid' to get ldapsearch to work, but anyway...
>
> After setting my password logged into console as myself I get identical ldapsearch results with both old and new passwords. After setting via 'passwd' only the new password works. I can send you the ldapsearch output offline if you'd like.

Do you have two values for the userPassword attribute in your entry?

> -chris
>
> Richard Megginson wrote:
>> So the following both work and produce the exact same result?
>> ldapsearch -x -h ldaphost -p ldapport -D "uid=chalstead,ou=people,dc=yourdomain,dc=com" -w oldpassword -b ou=people,dc=yourdomain,dc=com "(uid=chalstead)"
>> and
>> ldapsearch -x -h ldaphost -p ldapport -D "uid=chalstead,ou=people,dc=yourdomain,dc=com" -w newpassword -b ou=people,dc=yourdomain,dc=com "(uid=chalstead)"
>> ?
From rmeggins at redhat.com Thu Apr 26 22:01:22 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 26 Apr 2007 16:01:22 -0600
Subject: [Fedora-directory-users] Problem with Admin Console failover using FedoraDS
Message-ID: <46312132.90807@redhat.com>

Kyley Engle wrote:
> I have done that, as well as changing the directory in the nsDirectoryURL entry and the file /opt/fedora-ds/admin-serv/config/adm.conf.
>
> Is there maybe a way to increase the debug logging on the admin-serv? I'm not finding very much documentation on it.

I think you'll also need to change or disable the pass through authentication plug-in in your backup configuration directory server.

Edit admin-serv/config/httpd.conf and set the LogLevel to debug.

> ke
>
>> From: Richard Megginson
>> Reply-To: "General discussion list for the Fedora Directory server project."
>> To: "General discussion list for the Fedora Directory server project."
>> Subject: Re: [Fedora-directory-users] Problem with Admin Console failover using FedoraDS
>> Date: Thu, 26 Apr 2007 15:17:43 -0600
>>
>> Kyley Engle wrote:
>>> Hello,
>>>
>>> I am having problems with the admin-serv when doing failure testing in my multi-master environment.
>>>
>>> What I have:
>>>
>>> 2 masters replicating the userRoot and NetscapeRoot directories
>>> various hub and consumer/search servers
>>>
>>> When I installed the instances on each of these servers, I pointed them at one of the masters, let's call it primary-master, for its configuration directory. When both masters are up and running, I can connect my admin console to either directory and manage my fleet of servers.
>>>
>>> While doing failure mode testing, I discovered that if the primary-master was turned off, the secondary master admin-serv would not start properly. It gives the following in /opt/fedora-ds/admin-serv/logs/error:
>>>
>>> [Tue Apr 24 20:37:36 2007] [crit] mod_admserv_post_config(): unable to build user/group LDAP server info: unable to set User/Group baseDN
>>> Configuration Failed
>>>
>>> I followed the instructions found here:
>>> http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt#How_to_change_the_user.2Fgroup_LDAP_server
>>>
>>> to change the admin server running on secondary-master to point to itself instead of to the primary master. This did not resolve the issue.
>>>
>>> Has anyone out there gotten the configuration directory successfully working in a failover capacity in a multi-master environment?
>> Try updating shared/config/dbswitch.conf to point to the backup configuration ds.
>>>
>>> ke
From chris at sourcelabs.com Thu Apr 26 22:13:44 2007
From: chris at sourcelabs.com (Chris Halstead)
Date: Thu, 26 Apr 2007 15:13:44 -0700
Subject: [Fedora-directory-users] Previous password still works?
In-Reply-To: <463120A7.2000409@redhat.com>
References: <4630E140.80405@sourcelabs.com> <4630FFDD.2020301@redhat.com> <46310F8D.8030308@sourcelabs.com> <46311211.1090708@redhat.com> <46311EB4.7010501@sourcelabs.com> <463120A7.2000409@redhat.com>
Message-ID: <46312418.8020000@sourcelabs.com>

userPassword has no value at all.

-chris

Richard Megginson wrote:
> Do you have two values for the userPassword attribute in your entry?

From nkinder at redhat.com Thu Apr 26 22:18:43 2007
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 26 Apr 2007 15:18:43 -0700
Subject: [Fedora-directory-users] Previous password still works?
In-Reply-To: <46312418.8020000@sourcelabs.com>
References: <4630E140.80405@sourcelabs.com> <4630FFDD.2020301@redhat.com> <46310F8D.8030308@sourcelabs.com> <46311211.1090708@redhat.com> <46311EB4.7010501@sourcelabs.com> <463120A7.2000409@redhat.com> <46312418.8020000@sourcelabs.com>
Message-ID: <46312543.2020808@redhat.com>

Chris Halstead wrote:
> userPassword has no value at all.

Are you searching as "cn=Directory Manager" when you check for userPassword?

> -chris
>
> Richard Megginson wrote:
>> Do you have two values for the userPassword attribute in your entry?
From kyley_engle at hotmail.com Thu Apr 26 22:52:37 2007
From: kyley_engle at hotmail.com (Kyley Engle)
Date: Thu, 26 Apr 2007 15:52:37 -0700
Subject: [Fedora-directory-users] Problem with Admin Console failoverusingFedoraDS
In-Reply-To: <46312132.90807@redhat.com>
Message-ID:

so here's where i'm at now.....

primary-master and secondary-master running...everything is fine. i shut down the primary-master and i can log into the admin console on the secondary-master fine. however, if i try to restart the admin server, it fails with:

[Thu Apr 26 22:48:50 2007] [info] Init: Initializing NSS library
[Thu Apr 26 22:48:50 2007] [info] Initializing SSL Session Cache of size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
[Thu Apr 26 22:48:50 2007] [info] Init: Initializing (virtual) servers for SSL
[Thu Apr 26 22:48:50 2007] [info] Server: Apache/2.0.52, Interface: mod_nss/2.0.52, Library: NSS/3.11
[Thu Apr 26 22:48:50 2007] [debug] mod_admserv.c(2154): [30854] Cache expiration set to 600 seconds
[Thu Apr 26 22:48:50 2007] [crit] mod_admserv_post_config(): unable to build user/group LDAP server info: unable to set User/Group baseDN
Configuration Failed

I change the 2 files and 1 directory entry listed in the HowTo: and i get the exact same behavior.

I have no pass through authentication configured. I'm doing some testing on 2 freshly installed instances that don't have anything other than o=NetscapeRoot replication enabled and working.

hope this is useful....

-ke

>From: Richard Megginson
>Reply-To: "General discussion list for the Fedora Directory server project."
>To: "General discussion list for the Fedora Directory server project."
>Subject: Re: [Fedora-directory-users] Problem with Admin Console failoverusingFedoraDS
>Date: Thu, 26 Apr 2007 16:01:22 -0600
>
>Kyley Engle wrote:
>>
>>i have done that, as well as changing the directory in the nsDirectoryURL
>>entry and the file /opt/fedora-ds/admin-serv/config/adm.conf
>>
>>is there maybe a way to increase the debug logging on the admin-serv? i'm
>>not finding very much documentation on it.
>I think you'll also need to change or disable the pass through
>authentication plug-in in your backup configuration directory server.
>
>edit admin-serv/config/httpd.conf and set the LogLevel to debug
>>
>>ke
>>
>>>From: Richard Megginson
>>>Reply-To: "General discussion list for the Fedora Directory server project."
>>>To: "General discussion list for the Fedora Directory server project."
>>>Subject: Re: [Fedora-directory-users] Problem with Admin Console failoverusing FedoraDS
>>>Date: Thu, 26 Apr 2007 15:17:43 -0600
>>>
>>>Kyley Engle wrote:
>>>>
>>>>Hello,
>>>>
>>>>I am having problems with the admin-serv when doing failure testing in
>>>>my multi-master environment.
>>>>
>>>>What I have:
>>>>
>>>>2 masters replicating the userRoot and NetscapeRoot directories
>>>>various hub and consumer/search servers
>>>>
>>>>When I installed the instances on each of these servers, i pointed them
>>>>at one of the masters, let's call it primary-master, for its
>>>>configuration directory. when both masters are up and running, i can
>>>>connect my admin console to either directory and manage my fleet of
>>>>servers
>>>>
>>>>While doing failure mode testing, I discovered that if the
>>>>primary-master was turned off, that the secondary master admin-serv
>>>>would not start properly.
>>>>it gives the following in /opt/fedora-ds/admin-serv/logs/error:
>>>>
>>>>[Tue Apr 24 20:37:36 2007] [crit] mod_admserv_post_config(): unable to
>>>>build user/group LDAP server info: unable to set User/Group baseDN
>>>>Configuration Failed
>>>>
>>>>I followed the instructions found here:
>>>>http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt#How_to_change_the_user.2Fgroup_LDAP_server
>>>>
>>>>to change the admin server running on secondary-master to point to
>>>>itself instead of to the primary master. this did not resolve the issue.
>>>>
>>>>Has anyone out there gotten the configuration directory successfully
>>>>working in a failover capacity in a multi-master environment?
>>>Try updating shared/config/dbswitch.conf to point to the backup
>>>configuration ds.
>>>>
>>>>ke
From chris at sourcelabs.com Thu Apr 26 23:30:24 2007
From: chris at sourcelabs.com (Chris Halstead)
Date: Thu, 26 Apr 2007 16:30:24 -0700
Subject: [Fedora-directory-users] Previous password still works?
In-Reply-To: <46312543.2020808@redhat.com>
References: <4630E140.80405@sourcelabs.com> <4630FFDD.2020301@redhat.com> <46310F8D.8030308@sourcelabs.com> <46311211.1090708@redhat.com> <46311EB4.7010501@sourcelabs.com> <463120A7.2000409@redhat.com> <46312418.8020000@sourcelabs.com> <46312543.2020808@redhat.com>
Message-ID: <46313610.5030902@sourcelabs.com>

OK, It took me a while to get there (had to figure out what our equivalent of 'cn=Directory Manager' was), but there are indeed two entries for userPassword after I change the password logged in as myself to the console.

When I reset the password using PAM-enabled passwd there is only one.

-chris

Nathan Kinder wrote:
> Chris Halstead wrote:
>> userPassword has no value at all.
> Are you searching as "cn=Directory Manager" when you check for
> userPassword?
>>
>> -chris
>>
>> Richard Megginson wrote:
>>> Do you have two values for the userPassword attribute in your entry?
>>

From nkinder at redhat.com Thu Apr 26 23:33:37 2007
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 26 Apr 2007 16:33:37 -0700
Subject: [Fedora-directory-users] Previous password still works?
In-Reply-To: <46313610.5030902@sourcelabs.com>
References: <4630E140.80405@sourcelabs.com> <4630FFDD.2020301@redhat.com> <46310F8D.8030308@sourcelabs.com> <46311211.1090708@redhat.com> <46311EB4.7010501@sourcelabs.com> <463120A7.2000409@redhat.com> <46312418.8020000@sourcelabs.com> <46312543.2020808@redhat.com> <46313610.5030902@sourcelabs.com>
Message-ID: <463136D1.7080609@redhat.com>

Chris Halstead wrote:
> OK, It took me a while to get there (had to figure out what our
> equivalent of 'cn=Directory Manager' was), but there are indeed two
> entries for userPassword after I change the password logged in as
> myself to the console.
How are you changing the password through the console? A second value for userPassword is getting added instead of doing a replace of the existing password for some reason.

-NGK
>
> When I reset the password using PAM-enabled passwd there is only one.
>
> -chris
>
> Nathan Kinder wrote:
>> Chris Halstead wrote:
>>> userPassword has no value at all.
>> Are you searching as "cn=Directory Manager" when you check for
>> userPassword?
>>>
>>> -chris
>>>
>>> Richard Megginson wrote:
>>>> Do you have two values for the userPassword attribute in your entry?

From francois.beretti at gmail.com Fri Apr 27 13:06:35 2007
From: francois.beretti at gmail.com (François Beretti)
Date: Fri, 27 Apr 2007 15:06:35 +0200
Subject: [Fedora-directory-users] Issues with TLS, password modify operation, and password expiration
Message-ID: <85d6be850704270606w78e9b896n4d9b1a7f6651cfb1@mail.gmail.com>

Hi,

I am implementing password policy in my LDAP-based software.
When using Fedora DS I encountered several problems (or questions):

1) when password expired, no request other than modifying its userPassword attribute is allowed. Two requests would have been useful in my opinion:

 * Start TLS: I want to enable TLS just before changing my password, but:
   - Start TLS is not allowed, since it is not the only allowed modify request on userpassword
   - After Start TLS (when the password is not expired), it seems that the connection sometimes becomes anonymous, and needs a new bind. I thought only the Stop TLS operation must disable the authentication on the LDAP connection

 * Password Modify Extended operation: I just thought it would be a good idea to use it to change a password, but it is not allowed

2) when changing the password using a standard ldap modify request, if I send two modify operations in the same request, the first one to remove the old password and the second one to add the new password, do I need to hash the old password for it to be in the same format as in the directory?

3) when using the Password Modify Extended operation, then at the next logon the server requires the user to change its password! So I definitely can't use this operation on a server implementing password policy. I believe that in the Fedora DS password policy code this operation is only seen as an administration request, not intended to be done by a user: it is handled as a "force password" request, not a "change password" request.

4) I use the Novell LDAP client API. Any call to ldap_stop_tls_s blocks the calling thread. I don't know if it comes from the server, the client API, or both. It is not too bad since I can just call ldap_unbind and ldap_init instead.
François

From rmeggins at redhat.com Fri Apr 27 14:17:43 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 27 Apr 2007 08:17:43 -0600
Subject: [Fedora-directory-users] Problem with Admin Console failoverusingFedoraDS
In-Reply-To:
References:
Message-ID: <46320607.3060708@redhat.com>

Kyley Engle wrote:
>
> so here's where i'm at now.....
>
> primary-master and secondary-master running...everything is fine. i
> shut down the primary-master and i can log into the admin console on
> the secondary-master fine. however, if i try to restart the admin
> server, it fails with:
>
> [Thu Apr 26 22:48:50 2007] [info] Init: Initializing NSS library
> [Thu Apr 26 22:48:50 2007] [info] Initializing SSL Session Cache of
> size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
> [Thu Apr 26 22:48:50 2007] [info] Init: Initializing (virtual) servers
> for SSL
> [Thu Apr 26 22:48:50 2007] [info] Server: Apache/2.0.52, Interface:
> mod_nss/2.0.52, Library: NSS/3.11
> [Thu Apr 26 22:48:50 2007] [debug] mod_admserv.c(2154): [30854] Cache
> expiration set to 600 seconds
> [Thu Apr 26 22:48:50 2007] [crit] mod_admserv_post_config(): unable to
> build user/group LDAP server info: unable to set User/Group baseDN
> Configuration Failed
>
> I change the 2 files and 1 directory entry listed in the HowTo: and i
> get the exact same behavior.
There are probably some other values under o=NetscapeRoot somewhere that reference the old directory server. Try this:

cd /opt/fedora-ds/shared/bin ; ./ldapsearch -T -h host -p port -D "cn=directory manager" -w password -s sub -b o=netscaperoot "objectclass=*" | grep "old ldap server host and/or port"
>
> I have no pass through authentication configured. I'm doing some
> testing on 2 freshly installed instances that don't have anything
> other than o=NetscapeRoot replication enabled and working.
>
> hope this is useful....
>
> -ke
From rmeggins at redhat.com Fri Apr 27 14:47:06 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 27 Apr 2007 08:47:06 -0600
Subject: [Fedora-directory-users] Issues with TLS, password modify operation, and password expiration
In-Reply-To: <85d6be850704270606w78e9b896n4d9b1a7f6651cfb1@mail.gmail.com>
References: <85d6be850704270606w78e9b896n4d9b1a7f6651cfb1@mail.gmail.com>
Message-ID: <46320CEA.9020806@redhat.com>

François Beretti wrote:
> Hi,
>
> I am implementing password policy in my LDAP-based software. When
> using Fedora DS I encountered several problems (or questions):
>
> 1) when password expired, no request other than modifying its
> userPassword attribute is allowed.
> Two requests would have been
> useful in my opinion:
>
> * Start TLS: I want to enable TLS just before changing my password,
> but:
> - Start TLS is not allowed, since it is not the only allowed
> modify request on userpassword
Can you do the StartTLS extended operation first, before the bind request, then the password modify?
> - After Start TLS (when the password is not expired), it seems
> that the connection sometimes becomes anonymous, and needs a new bind.
I'm not sure what you mean. Can you elaborate on this?
> I thought only the Stop TLS operation must disable the authentication
> on the LDAP connection
Do you mean authentication or transport encryption?
>
> * Password Modify Extended operation: I just thought it would be a
> good idea to use it to change a password, but it is not allowed
Even if you do this as the first operation, before the bind?
>
> 2) when changing the password using a standard ldap modify request, if
> I send two modify operations in the same request, the first one to
> remove the old password and the second one to add the new password, do
> I need to hash the old password for it to be in the same format as
> in the directory?
No. You should not send pre-hashed passwords, you should let the DS hash the passwords.
>
> 3) when using the Password Modify Extended operation, then at the next
> logon the server requires the user to change its password! So I
> definitely can't use this operation on a server implementing password
> policy. I believe that in the Fedora DS password policy code this
> operation is only seen as an administration request, not intended to
> be done by a user: it is handled as a "force password" request, not a
> "change password" request.
Hmm - that could be a bug in that we perhaps do not reset the password expiration time. It's supposed to - it goes through the same code as regular password modify.
>
> 4) I use the Novell LDAP client API. Any call to ldap_stop_tls_s
> blocks the calling thread.
> I don't know if it comes from the server,
> the client API, or both. It is not too bad since I can just call
> ldap_unbind and ldap_init instead.
>
> François

From playactor at gmail.com Fri Apr 27 15:15:48 2007
From: playactor at gmail.com (Eric Brown)
Date: Fri, 27 Apr 2007 10:15:48 -0500
Subject: [Fedora-directory-users] Setting up Mutual Authenticated SSL between FDS and RHEL4
Message-ID:

I have set up SSL communication in FDS, and am able to connect with Anonymous SSL. I need to set up Authenticated SSL communication from RHEL4 components (nscd, nss_ldap, etc.) to FDS. I was just wondering if anyone has tried to do this, if it is even possible and if anyone had any documentation or links to where I can find help in doing this.

Thanks,
Eric

From chris at sourcelabs.com Fri Apr 27 15:45:51 2007
From: chris at sourcelabs.com (Chris Halstead)
Date: Fri, 27 Apr 2007 08:45:51 -0700
Subject: [Fedora-directory-users] Previous password still works?
In-Reply-To: <463136D1.7080609@redhat.com>
References: <4630E140.80405@sourcelabs.com> <4630FFDD.2020301@redhat.com> <46310F8D.8030308@sourcelabs.com> <46311211.1090708@redhat.com> <46311EB4.7010501@sourcelabs.com> <463120A7.2000409@redhat.com> <46312418.8020000@sourcelabs.com> <46312543.2020808@redhat.com> <46313610.5030902@sourcelabs.com> <463136D1.7080609@redhat.com>
Message-ID: <46321AAF.9030402@sourcelabs.com>

Pretty straightforward:

- run /opt/fedora-ds/startconsole and log in as myself
- go to the 'Users and Groups' tab
- search on my uid
- double-click my account entry
- enter a new password in the 'Password' and 'Confirm Password' inputs
- click OK

When I do the exact same procedure while logged in as an administrator only one userPassword value results.

-chris

Nathan Kinder wrote:
> Chris Halstead wrote:
>> OK, It took me a while to get there (had to figure out what our
>> equivalent of 'cn=Directory Manager' was), but there are indeed two
>> entries for userPassword after I change the password logged in as
>> myself to the console.
> How are you changing the password through the console? A second value
> for userPassword is getting added instead of doing a replace of the
> existing password for some reason.
>
> -NGK

From pkime at Shopzilla.com Fri Apr 27 16:13:57 2007
From: pkime at Shopzilla.com (Philip Kime)
Date: Fri, 27 Apr 2007 09:13:57 -0700
Subject: [Fedora-directory-users] Re: Issues with TLS, password modify operation, and password expiration
In-Reply-To: <20070427144917.CA2DF73280@hormel.redhat.com>
References: <20070427144917.CA2DF73280@hormel.redhat.com>
Message-ID: <9C0091F428E697439E7A773FFD083427A92D3B@szexchange.Shopzilla.inc>

As I remember, we had this problem with password policies and exop - doing password resets via exop would only see a global password policy and nothing more fine-grained. I believe this was logged as a bug in FDS against <= 1.0.4.
Since we are using SSL for all connections, we switched to clear passwords and it all worked.

From david.stutzman at dstutz.com Fri Apr 27 16:33:09 2007
From: david.stutzman at dstutz.com (David Stutzman)
Date: Fri, 27 Apr 2007 12:33:09 -0400
Subject: [Fedora-directory-users] fds 1.0.4 on Gentoo 64-bit
Message-ID: <463225C5.5070308@dstutz.com>

I have built and installed fedora-ds 1.0.4 twice now using the dsbuild script. Once with a jdk of 1.5.0.11 (64bit) and once with a jdk of 1.4.2.03 (64bit). The ds builds fine, I run the setup and go through the wizard, everything is installed, started up and running. When I try to connect using the console I get:

"Cannot connect to the directory server: netscape.ldap.LDAPException: error result (32); No such object"

I then look in the access log of the ldap server and see:

[27/Apr/2007:10:42:13 -0400] conn=7 fd=65 slot=65 connection from 192.168.1.162 to 192.168.1.222
[27/Apr/2007:10:42:13 -0400] conn=7 op=0 BIND dn="(null)" method=128 version=3
[27/Apr/2007:10:42:13 -0400] conn=7 op=0 RESULT err=32 tag=97 nentries=0 etime=0

I know that what is *supposed* to be in the BIND dn field is more along the lines of:

[27/Apr/2007:10:34:29 -0400] conn=135705 fd=76 slot=76 connection from 192.168.1.162 to 192.168.1.121
[27/Apr/2007:10:34:29 -0400] conn=135705 op=0 BIND dn="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" method=128 version=3
[27/Apr/2007:10:34:29 -0400] conn=135705 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

It seems like the java console is not properly passing the uid that I type into the console login to the directory server. I have attempted to login both locally on the server (again with system vm JDK 1.5 and with the whole thing rebuilt using 1.4.2) and get the same error.
I also am using a remote console on a windowsxp machine (that works fine going to my other FDS server, running fedora os, 1.0.2 @ 192.168.1.121) and get the error.

I am using the system versions of net-snmp and cyrus-sasl which are:
net-analyzer/net-snmp-5.4
dev-libs/cyrus-sasl-2.1.22-r2

All the other deps are:
dev-lang/perl-5.8.8-r2 (URI 1.35)
dev-util/cvs-1.12.12-r4
sys-devel/make-3.81
app-arch/tar-1.16.1
app-arch/gzip-1.3.11
app-arch/zip-2.31-r1
net-www/apache-2.0.58-r2
dev-java/ant-core-1.6.5-r14

Back when Fedora DS 1.0.2 was the current version I successfully built and installed it on a 64-bit gentoo system at home and everything is working great. I imagine 1.0.4 doesn't like a newer version of one of the system utils/libraries?

I know the ldap server is functioning properly:

# cd /opt/fedora-ds/shared/bin
# ./ldapsearch -b o=netscaperoot -D "cn=directory manager" -w password "objectclass=nsAdminConfig" dn

Gives me:

version: 1
dn: cn=configuration, cn=admin-serv-mbn, cn=Fedora Administration Server, cn=S
 erver Group, cn=mbn.pki, ou=pki, o=NetscapeRoot

Any help would be much appreciated.

Thanks,
Dave

From kyley_engle at hotmail.com Fri Apr 27 22:37:02 2007
From: kyley_engle at hotmail.com (Kyley Engle)
Date: Fri, 27 Apr 2007 15:37:02 -0700
Subject: [Fedora-directory-users] Problem with AdminConsole failoverusingFedoraDS
In-Reply-To: <46320607.3060708@redhat.com>
Message-ID:

bah, you were right earlier, and i missed something. examining the dse.ldif file, i found that it was indeed the passthrough authentication plug-in.
i manually turned it off for the secondary-master, shut down the primary-master, and was then able to restart the secondary-master admin-server

the entry is:

dn: cn=Pass Through Authentication,cn=plugins,cn=config
nsslapd-pluginEnabled

it might help to update the HowTo to reference that change

>From: Richard Megginson
>Reply-To: "General discussion list for the Fedora Directory server project."
>To: "General discussion list for the Fedora Directory server project."
>Subject: Re: [Fedora-directory-users] Problem with AdminConsole failoverusingFedoraDS
>Date: Fri, 27 Apr 2007 08:17:43 -0600
>
>Kyley Engle wrote:
>>
>>so here's where i'm at now.....
>>
>>primary-master and secondary-master running...everything is fine. i shut
>>down the primary-master and i can log into the admin console on the
>>secondary-master fine. however, if i try to restart the admin server, it
>>fails with:
>>
>>[Thu Apr 26 22:48:50 2007] [info] Init: Initializing NSS library
>>[Thu Apr 26 22:48:50 2007] [info] Initializing SSL Session Cache of size
>>10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
>>[Thu Apr 26 22:48:50 2007] [info] Init: Initializing (virtual) servers for
>>SSL
>>[Thu Apr 26 22:48:50 2007] [info] Server: Apache/2.0.52, Interface:
>>mod_nss/2.0.52, Library: NSS/3.11
>>[Thu Apr 26 22:48:50 2007] [debug] mod_admserv.c(2154): [30854] Cache
>>expiration set to 600 seconds
>>[Thu Apr 26 22:48:50 2007] [crit] mod_admserv_post_config(): unable to
>>build user/group LDAP server info: unable to set User/Group baseDN
>>Configuration Failed
>>
>>I change the 2 files and 1 directory entry listed in the HowTo: and i get
>>the exact same behavior.
>There are probably some other values under o=NetscapeRoot somewhere that
>reference the old directory server.
>Try this:
>cd /opt/fedora-ds/shared/bin ; ./ldapsearch -T -h host -p port -D
>"cn=directory manager" -w password -s sub -b o=netscaperoot "objectclass=*"
>| grep "old ldap server host and/or port"
>>
>>I have no pass through authentication configured. I'm doing some testing
>>on 2 freshly installed instances that don't have anything other than
>>o=NetscapeRoot replication enabled and working.
>>
>>hope this is useful....
>>
>>-ke
>>>>>>http://www.freecreditreport.com/pm/default.aspx?sc=660600&bcd=EMAILFOOTERAVERAGE >>>>>> >>>>>> >>>>>> >>>>>> >>>>>>-- >>>>>>Fedora-directory-users mailing list >>>>>>Fedora-directory-users at redhat.com >>>>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>>> >>>>><< smime.p7s >> >>>> >>>> >>>> >>>> >>>>>-- >>>>>Fedora-directory-users mailing list >>>>>Fedora-directory-users at redhat.com >>>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>>>_________________________________________________________________ >>>>Download Messenger. Join the i?m Initiative. Help make a difference >>>>today. http://im.live.com/messenger/im/home/?source=TAGHM_APR07 >>>> >>>>-- >>>>Fedora-directory-users mailing list >>>>Fedora-directory-users at redhat.com >>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> >>><< smime.p7s >> >> >> >> >> >>>-- >>>Fedora-directory-users mailing list >>>Fedora-directory-users at redhat.com >>>https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >>_________________________________________________________________ >>Mortgage refinance is Hot. *Terms. Get a 5.375%* fix rate. Check savings >>https://www2.nextag.com/goto.jsp?product=100000035&url=%2fst.jsp&tm=y&search=mortgage_text_links_88_h2bbb&disc=y&vers=925&s=4056&p=5117 >> >> >>-- >>Fedora-directory-users mailing list >>Fedora-directory-users at redhat.com >>https://www.redhat.com/mailman/listinfo/fedora-directory-users ><< smime.p7s >> >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users _________________________________________________________________ Exercise your brain! Try Flexicon. 
From francois.beretti at gmail.com Sat Apr 28 06:07:08 2007
From: francois.beretti at gmail.com (François Beretti)
Date: Sat, 28 Apr 2007 08:07:08 +0200
Subject: [Fedora-directory-users] Issues with TLS, password modify operation, and password expiration
In-Reply-To: <46320CEA.9020806@redhat.com>
References: <85d6be850704270606w78e9b896n4d9b1a7f6651cfb1@mail.gmail.com> <46320CEA.9020806@redhat.com>
Message-ID: <85d6be850704272307u46f06ealdd6e1b5b223c8af8@mail.gmail.com>

Hi Richard,

as always, thank you very much for your answers. You make this list very very useful!

2007/4/27, Richard Megginson :
> > * Start TLS : I want to enable TLS just before changing my password,
> > but :
> > - Start TLS is not allowed, since it is not the only allowed
> > modify request on userpassword
> Can you do the StartTLS extended operation first, before the bind
> request, then the password modify?

Yes of course, but since I detect the password expiration in the bind, I must close the connection then open it again then start tls then bind then change password. Not a big issue after all, but that was just a remark

> > - After Start TLS (when the password is not expired), it seems
> > that the connection sometimes becomes anonymous, and needs a new bind.
> I'm not sure what you mean. Can you elaborate on this?

I mean that I believe (I have not tried to reproduce it) that when I do a start tls operation, I get anonymous, even if I had done a bind request just before. So in my code, just after a start tls, I always do a bind (even if I had already done it before start tls).

> > I thought only the Stop TLS operation must disable the authentication
> > on the LDAP connection
> Do you mean authentication or transport encryption?

I mean that when you call stop tls, you become anonymous

> > * Password Modify Extended operation : I just thought it would be a
> > good idea to use it to change a password, but it is not allowed
> Even if you do this as the first operation, before the bind?

in fact I did not try this, I thought you can only change your password if you do a bind, obviously I was wrong. But anyway, I detect the expiration when I do the bind, so it's too late, the bind is done. I did not try to close the connection, init it and call the exop

> > 2) when changing the password using a standard ldap modify request, if
> > I send two modify operations in the same request, the first one to
> > remove the old password and the second one to add the new password, do
> > I need to hash the old password for it to be in the same format as
> > in the directory ?
> No. You should not send pre-hashed passwords, you should let the DS
> hash the passwords.

> > 3) when using the Password Modify Extended operation, then at the next
> > logon the server requires the user to change its password ! So I
> > definitely can't use this operation on a server implementing password
> > policy. I believe that in the Fedora DS password policy code this
> > operation is only seen as an administration request, not intended to
> > be done by a user : it is handled as a "force password" request, not a
> > "change password" request.
> Hmm - that could be a bug in that we perhaps do not reset the password
> expiration time. It's supposed to - it goes through the same code as
> regular password modify.

I am really not sure of this

> > 4) I use the Novell LDAP client API. Any call to ldap_stop_tls_s
> > blocks the calling thread. I don't know if it comes from the server,
> > the client API, or both. It is not too bad since I can just call
> > ldap_unbind and ldap_init instead.
> >
> > François

From ds at dans.pl Sat Apr 28 21:16:45 2007
From: ds at dans.pl (Dans)
Date: Sat, 28 Apr 2007 23:16:45 +0200
Subject: [Fedora-directory-users] Winsync - repeating password synchronization
Message-ID: <4633B9BD.1020909@dans.pl>

Hey,
I have a problem with password synchronization between Fedora Directory Server (1.0.4) and Active Directory (2003). I read the wiki (Howto:WindowsSync) and set up a synchronization arrangement. Without PassSync everything is ok. I can synchronize users both ways from AD -> FDS and FDS -> AD.
But if I install PassSync I notice strange behavior:
1. I change a user's password in FDS
2. Password is populated to AD
3. !!! PassSync recognizes that the password was changed !!!
4. PassSync populates the password to FDS
5. FDS recognizes that the password was changed and realizes step 2 - and it's repeating !
Anybody has any idea what is wrong ?

Dans

From david_list at boreham.org Sun Apr 29 00:34:03 2007
From: david_list at boreham.org (David Boreham)
Date: Sat, 28 Apr 2007 18:34:03 -0600
Subject: [Fedora-directory-users] Winsync - repeating password synchronization
In-Reply-To: <4633B9BD.1020909@dans.pl>
References: <4633B9BD.1020909@dans.pl>
Message-ID: <4633E7FB.10900@boreham.org>

Not sure what the problem is but PassSync is designed to avoid this loop: it attempts to bind to FDS with the new password before propagating it back. If the bind succeeds it concludes there is a loop and refrains from sending the change to FDS. At least that's what should happen. You might look in the FDS log to see what operations PassSync is performing.
If it's failing for some reason to do the bind correctly then that would break the loop detection logic.

Dans wrote:
> Hey,
> I have a problem with password synchronization between Fedora
> Directory Server (1.0.4) and Active Directory (2003). I read the wiki
> (Howto:WindowsSync) and set up a synchronization arrangement. Without
> PassSync everything is ok. I can synchronize users both ways from AD
> -> FDS and FDS -> AD.
> But if I install PassSync I notice strange behavior:
> 1. I change a user's password in FDS
> 2. Password is populated to AD
> 3. !!! PassSync recognizes that the password was changed !!!
> 4. PassSync populates the password to FDS
> 5. FDS recognizes that the password was changed and realizes step 2 - and
> it's repeating !
> Anybody has any idea what is wrong ?
>
> Dans

From bappa_tapas at yahoo.com Sat Apr 28 11:18:06 2007
From: bappa_tapas at yahoo.com (BAPPA MALLICK)
Date: Sat, 28 Apr 2007 04:18:06 -0700 (PDT)
Subject: [Fedora-directory-users] Fedora Directory Service and Java error
Message-ID: <756602.27299.qm@web33206.mail.mud.yahoo.com>

Dear List,

I am very new to FDS and have installed my first FDS server on my RHEL-4 ES system. The installation goes smoothly and I am able to start the FDS and Administration server. But the problem arises when I try to open the FD console. I have googled the net and found one related topic at "http://fedoranews.org/mediawiki/index.php/JPackage_Java_for_FC4". But I found the instructions are primitive and all the specified files are not there. Below is the screen dump of the error I am getting. If you please give me the detailed instructions, it will be a lifesaver for me.

=======================================================
Warning: -ms8m not understood. Ignoring.
Warning: -mx64m not understood. Ignoring.

Exception in thread main java.lang.NoSuchMethodError: method com.netscape.management.client.util.RemoteImage.setImage was not found.
   at _Jv_ResolvePoolEntry(java.lang.Class, int) (/usr/lib/libgcj.so.5.0.0)
   at com.netscape.management.client.util.RemoteImage.RemoteImage(java.lang.String) (Unknown Source)
   at com.netscape.management.nmclf.SuiLookAndFeel.initComponentDefaults(javax.swing.UIDefaults) (Unknown Source)
   at com.netscape.management.nmclf.SuiLookAndFeel.getDefaults() (Unknown Source)
   at javax.swing.UIManager.put(java.lang.Object, java.lang.Object) (/usr/lib/libgcj.so.5.0.0)
   at com.netscape.management.client.components.FontFactory.initializeLFFonts() (Unknown Source)
   at com.netscape.management.client.console.Console.common_init(java.lang.String) (Unknown Source)
   at com.netscape.management.client.console.Console.Console(java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String) (Unknown Source)
   at com.netscape.management.client.console.Console.main(java.lang.String[]) (Unknown Source)
=======================================================

Regards,

Tapas Mallick
bappa_tapas at yahoo.com
tapas.mallick at gmail.com

From rcritten at redhat.com Mon Apr 30 13:19:36 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 30 Apr 2007 09:19:36 -0400
Subject: [Fedora-directory-users] Fedora Directory Service and Java error
In-Reply-To: <756602.27299.qm@web33206.mail.mud.yahoo.com>
References: <756602.27299.qm@web33206.mail.mud.yahoo.com>
Message-ID: <4635ECE8.2030208@redhat.com>

BAPPA MALLICK wrote:
> Dear List,
>
> I am very new to FDS and have installed my first FDS server
> on my RHEL-4 ES system. The installation goes smoothly
> and I am able to start the FDS and Administration
> server.
>
> But the problem arises when I try to open the FD console,
> I have googled the net and found one related topic at
> "http://fedoranews.org/mediawiki/index.php/JPackage_Java_for_FC4".
> But I found the instructions are primitive and all the
> specified files are not there. Below is the screen
> dump of the error I am getting. If you please give me
> the detailed instructions, it will be a lifesaver for me.
> =======================================================
> Warning: -ms8m not understood. Ignoring.
> Warning: -mx64m not understood. Ignoring.
>
> Exception in thread main java.lang.NoSuchMethodError:
> method com.netscape.management.client.util.RemoteImage.setImage was not found.
>    at _Jv_ResolvePoolEntry(java.lang.Class, int) (/usr/lib/libgcj.so.5.0.0)
>    at com.netscape.management.client.util.RemoteImage.RemoteImage(java.lang.String) (Unknown Source)
>    at com.netscape.management.nmclf.SuiLookAndFeel.initComponentDefaults(javax.swing.UIDefaults) (Unknown Source)
>    at com.netscape.management.nmclf.SuiLookAndFeel.getDefaults() (Unknown Source)
>    at javax.swing.UIManager.put(java.lang.Object, java.lang.Object) (/usr/lib/libgcj.so.5.0.0)
>    at com.netscape.management.client.components.FontFactory.initializeLFFonts() (Unknown Source)
>    at com.netscape.management.client.console.Console.common_init(java.lang.String) (Unknown Source)
>    at com.netscape.management.client.console.Console.Console(java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String) (Unknown Source)
>    at com.netscape.management.client.console.Console.main(java.lang.String[]) (Unknown Source)
> =======================================================
>
>
> Regards,
>
> Tapas Mallick
> bappa_tapas at yahoo.com
> tapas.mallick at gmail.com

You need to use either the Sun or IBM JRE. The console doesn't currently work with gcj.

rob
From rmeggins at redhat.com Mon Apr 30 13:57:05 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 30 Apr 2007 07:57:05 -0600
Subject: [Fedora-directory-users] Winsync - repeating password synchronization
In-Reply-To: <4633B9BD.1020909@dans.pl>
References: <4633B9BD.1020909@dans.pl>
Message-ID: <4635F5B1.7000403@redhat.com>

Dans wrote:
> Hey,
> I have a problem with password synchronization between Fedora
> Directory Server (1.0.4) and Active Directory (2003). I read the wiki
> (Howto:WindowsSync) and set up a synchronization arrangement. Without
> PassSync everything is ok. I can synchronize users both ways from AD
> -> FDS and FDS -> AD.
> But if I install PassSync I notice strange behavior:
> 1. I change a user's password in FDS
How did you change the password? Are you sure that a pre-hashed password was not stored (e.g. pam_ldap with md5)?
> 2. Password is populated to AD
> 3. !!! PassSync recognizes that the password was changed !!!
> 4. PassSync populates the password to FDS
> 5. FDS recognizes that the password was changed and realizes step 2 - and
> it's repeating !
> Anybody has any idea what is wrong ?
>
> Dans
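The StartTLS, bind and Password Modify ordering that François Beretti and Richard Megginson discuss in this archive, shown with the OpenLDAP command-line clients (ldapmodify and ldappasswd). This is an added example, not code from the list or from Fedora DS. The host ldap.example.com, the DN and the password files are placeholders, and the unbound form of the extended operation is the experiment Richard proposes, which the thread never confirms against Fedora DS.

```sh
#!/bin/sh
# Added example, not code from the thread: change an LDAP password with the
# OpenLDAP client tools so that StartTLS happens before the old or new
# password crosses the wire.  The host, the DN and the password files are
# placeholders (assumptions), not values taken from the list.
set -eu

# ldap:// on purpose: -ZZ upgrades the connection with the StartTLS
# extended operation and aborts if the upgrade fails.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"

# LDIF for the modify request François describes: delete the old
# userPassword value and add the new one in a single request.  Both values
# are clear text; the server hashes the new one (do not pre-hash).
# Pure text function, no network, so it can be checked offline.
pwmod_ldif() {
    dn=$1; old=$2; new=$3
    printf 'dn: %s\n' "$dn"
    printf 'changetype: modify\n'
    printf 'delete: userPassword\nuserPassword: %s\n-\n' "$old"
    printf 'add: userPassword\nuserPassword: %s\n-\n' "$new"
}

# Normal case: StartTLS, simple bind as the user, then the modify above.
# Passwords are read from files (-y) rather than given on the command line,
# where "ps" would show them to every local user.
change_password_modify() {
    dn=$1; oldfile=$2; newfile=$3
    pwmod_ldif "$dn" "$(cat "$oldfile")" "$(cat "$newfile")" |
        ldapmodify -H "$LDAP_URI" -ZZ -D "$dn" -y "$oldfile"
}

# Same change through the Password Modify extended operation (RFC 3062),
# which carries userIdentity, old and new password in one request.
change_password_exop() {
    dn=$1; oldfile=$2; newfile=$3
    ldappasswd -H "$LDAP_URI" -ZZ -D "$dn" -y "$oldfile" \
        -t "$oldfile" -T "$newfile" "$dn"
}

# Expired password: the bind is what reports the expiry, so open a fresh
# connection, StartTLS, and send the extended operation without binding,
# letting the old password inside the request authenticate the change.
# Assumption: the server accepts this unauthenticated form (Richard
# suggests trying it; the thread does not confirm that it works).
change_expired_password_exop() {
    dn=$1; oldfile=$2; newfile=$3
    ldappasswd -H "$LDAP_URI" -ZZ -t "$oldfile" -T "$newfile" "$dn"
}

# Usage (hypothetical DN; the files hold the passwords without a newline):
#   umask 077
#   printf '%s' 'old-secret' > old.txt; printf '%s' 'N3w-secret' > new.txt
#   change_password_exop 'uid=jdoe,ou=People,dc=example,dc=com' old.txt new.txt
```

-ZZ needs the CA that signed the server certificate in the client's ldap.conf (TLS_CACERT) and a server certificate whose CN matches the host name you connect to. Nothing here sends a stop-TLS: RFC 2830 section 5.2 says closing TLS drops the association to anonymous, so the tools simply unbind when they are done. StartTLS itself leaves the bind state untouched, so a re-bind after it is unnecessary; a connection that really does turn anonymous after StartTLS is worth a bug report rather than a workaround.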
From rmeggins at redhat.com Mon Apr 30 16:15:05 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 30 Apr 2007 10:15:05 -0600
Subject: [Fedora-directory-users] Issues with TLS, password modify operation, and password expiration
In-Reply-To: <85d6be850704272307u46f06ealdd6e1b5b223c8af8@mail.gmail.com>
References: <85d6be850704270606w78e9b896n4d9b1a7f6651cfb1@mail.gmail.com> <46320CEA.9020806@redhat.com> <85d6be850704272307u46f06ealdd6e1b5b223c8af8@mail.gmail.com>
Message-ID: <46361609.3080502@redhat.com>

François Beretti wrote:
> 2007/4/27, Richard Megginson :
>> > - After Start TLS (when the password is not expired), it seems
>> > that the connection sometimes becomes anonymous, and needs a new bind.
>> I'm not sure what you mean. Can you elaborate on this?
>
> I mean that I believe (I have not tried to reproduce it) that when I
> do a start tls operation, I get anonymous, even if I had done a bind
> request just before. So in my code, just after a start tls, I always
> do a bind (even if I had already done it before start tls).
Please verify this. startTLS should not change the authentication state (unless you are also doing client cert based auth with the startTLS request via SASL/EXTERNAL).
>
>> > I thought only the Stop TLS operation must disable the authentication
>> > on the LDAP connection
>> Do you mean authentication or transport encryption?
>
> I mean that when you call stop tls, you become anonymous
Yes. This is by design - see http://www.rfc-editor.org/rfc/rfc2830.txt section 5.2:
> 5.2. TLS Connection Closure Effects
>
> Closure of the TLS connection MUST cause the LDAP association to move
> to an anonymous authentication and authorization state regardless of
> the state established over TLS and regardless of the authentication
> and authorization state prior to TLS connection establishment.
>
>
>> > 3) when using the Password Modify Extended operation, then at the next
>> > logon the server requires the user to change its password ! So I
>> > definitely can't use this operation on a server implementing password
>> > policy. I believe that in the Fedora DS password policy code this
>> > operation is only seen as an administration request, not intended to
>> > be done by a user : it is handled as a "force password" request, not a
>> > "change password" request.
>> Hmm - that could be a bug in that we perhaps do not reset the password
>> expiration time. It's supposed to - it goes through the same code as
>> regular password modify.
>
> I am really not sure of this
Can you verify this?

From davea at support.kcm.org Mon Apr 30 19:38:15 2007
From: davea at support.kcm.org (Dave Augustus)
Date: Mon, 30 Apr 2007 14:38:15 -0500
Subject: [Fedora-directory-users] I have 2 masters in MM mode- how do I add a 3rd and 4th?
Message-ID: <1177961895.20601.7.camel@kcm40202.kcmhq.org>

Currently, I have 2 FDS in production in Multimaster mode. I want to bring 2 more up as well and put them at a remote site so eventually they will replicate via WAN. Then I will have 2 sets of my data- one at each location.

So I plan to bring up 2 new servers in MMR mode with the first 2 servers. Once they are synced up I would then move the new ones to the remote site and use SSH tunnels to re-establish the replication connection.

Can someone chime in on the viability of this?

Is this possible?

What are the steps? I have looked and have not found anything yet.

Any help appreciated.
Thanks,
Dave

From edlinuxguru at gmail.com Mon Apr 30 19:43:51 2007
From: edlinuxguru at gmail.com (Eddie C)
Date: Mon, 30 Apr 2007 15:43:51 -0400
Subject: [Fedora-directory-users] Fedora Directory Service and Java error
In-Reply-To: <4635ECE8.2030208@redhat.com>
References: <756602.27299.qm@web33206.mail.mud.yahoo.com> <4635ECE8.2030208@redhat.com>
Message-ID:

I have been using java for years and never figured out how to work with the gcj java. I think the major problem is that java is distributed with the SUN Public Lic. I think that stops people from making simple RPM packages of the java runtime on public sites. Or there is some other reason I am not aware of.

What I have done in the past is went to java.sun.com. I download the full JDK or SDK. This allows a user to compile and run. The JRE is for running applications only. I run the RPM or tar and install it saying yes to whatever questions it asks. Then I tar up the entire directory and make a shell script to install it on other machines. Java SDK is very portable itself; the linux version will run on any linux kernel 2.4 2.6 and distro (as far as I have tested). All you need is the tar file, a path entry pointing to the java executable and a JAVA_HOME entry for your java path.

** I only use java for running command line applications. My method works well for me. Running the full install as sun designs it to be run is a better option. **

On 4/30/07, Rob Crittenden wrote:
>
> BAPPA MALLICK wrote:
> > Dear List,
> >
> > I am very new to FDS and have installed my first FDS server
> > on my RHEL-4 ES system. The installation goes smoothly
> > and I am able to start the FDS and Administration
> > server.
> >
> > But the problem arises when I try to open the FD console,
> > I have googled the net and found one related topic at
> > "http://fedoranews.org/mediawiki/index.php/JPackage_Java_for_FC4".
> > But I found the instructions are primitive and all the
> > specified files are not there. Below is the screen
> > dump of the error I am getting. If you please give me
> > the detailed instructions, it will be a lifesaver for me.
> > =======================================================
> > Warning: -ms8m not understood. Ignoring.
> > Warning: -mx64m not understood. Ignoring.
> >
> > Exception in thread main java.lang.NoSuchMethodError:
> > method com.netscape.management.client.util.RemoteImage.setImage was not found.
> >    at _Jv_ResolvePoolEntry(java.lang.Class, int) (/usr/lib/libgcj.so.5.0.0)
> >    at com.netscape.management.client.util.RemoteImage.RemoteImage(java.lang.String) (Unknown Source)
> >    at com.netscape.management.nmclf.SuiLookAndFeel.initComponentDefaults(javax.swing.UIDefaults) (Unknown Source)
> >    at com.netscape.management.nmclf.SuiLookAndFeel.getDefaults() (Unknown Source)
> >    at javax.swing.UIManager.put(java.lang.Object, java.lang.Object) (/usr/lib/libgcj.so.5.0.0)
> >    at com.netscape.management.client.components.FontFactory.initializeLFFonts() (Unknown Source)
> >    at com.netscape.management.client.console.Console.common_init(java.lang.String) (Unknown Source)
> >    at com.netscape.management.client.console.Console.Console(java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String) (Unknown Source)
> >    at com.netscape.management.client.console.Console.main(java.lang.String[]) (Unknown Source)
> > =======================================================
> >
> >
> > Regards,
> >
> > Tapas Mallick
> > bappa_tapas at yahoo.com
> > tapas.mallick at gmail.com
>
> You need to use either the Sun or IBM JRE. The console doesn't currently
> work with gcj.
>
> rob
From patrick.morris at hp.com Mon Apr 30 19:56:09 2007
From: patrick.morris at hp.com (Morris, Patrick)
Date: Mon, 30 Apr 2007 15:56:09 -0400
Subject: [Fedora-directory-users] I have 2 masters in MM mode- how do I add a 3rd and 4th?
In-Reply-To: <1177961895.20601.7.camel@kcm40202.kcmhq.org>
References: <1177961895.20601.7.camel@kcm40202.kcmhq.org>
Message-ID:

> Currently, I have 2 FDS in production in Multimaster mode. I
> want to bring 2 more up as well and put them at a remote site
> so eventually they will replicate via WAN. Then I will have 2
> sets of my data- one at each location.
>
> So I plan to bring up 2 new servers in MMR mode with the
> first 2 servers. Once they are synced up I would then move
> the new ones to the remote site and use SSH tunnels to
> re-establish the replication connection.
>
> Can someone chime in on the viability of this?
>
> Is this possible?
>
> What are the steps? I have looked and have not found anything yet.

I'd highly recommend against doing it this way. The extra complications added by setting them up and then moving them probably just isn't worth the effort vs. setting them up the way they'll be used from the beginning. Unless your LDAP repo is obscenely large, chances are you won't save much time setting them up locally, either.

If I were to go further I'd say you're asking for trouble trying to keep them synched over SSH tunnels, given the low reliability you'll have on connectivity.

If it were me (and it has been several times) I'd just set up the servers as usual, in the places where they'll be used, and then use something a bit more reliable (or at least fault-tolerant) as a connectivity method, such as stunnel. Then the only thing you need to do differently is set up replication on the providers to a local IP address, and otherwise it's the same as a standard setup.
From edlinuxguru at gmail.com Mon Apr 30 20:03:21 2007
From: edlinuxguru at gmail.com (Eddie C)
Date: Mon, 30 Apr 2007 16:03:21 -0400
Subject: [Fedora-directory-users] I have 2 masters in MM mode- how do I add a 3rd and 4th?
In-Reply-To: <1177961895.20601.7.camel@kcm40202.kcmhq.org>
References: <1177961895.20601.7.camel@kcm40202.kcmhq.org>
Message-ID:

I once tried to tunnel an LDAP connection over SSH. I needed this because my admin server on the public internet was attempting to redirect me to an internal IP address. Technically it should work but I could not make it. One of the issues, that may come up for you, is that the replication agreements are going to be awkward because of tunnel names. localhost:389 etc. I would suggest going the VPN route or just replicating over LDAPS. Same result, more logical setup.

Edward

On 4/30/07, Dave Augustus wrote:
>
> Currently, I have 2 FDS in production in Multimaster mode. I want to
> bring 2 more up as well and put them at a remote site so eventually they
> will replicate via WAN. Then I will have 2 sets of my data- one at each
> location.
>
> So I plan to bring up 2 new servers in MMR mode with the first 2
> servers. Once they are synced up I would then move the new ones to the
> remote site and use SSH tunnels to re-establish the replication
> connection.
>
> Can someone chime in on the viability of this?
>
> Is this possible?
>
> What are the steps? I have looked and have not found anything yet.
>
> Any help appreciated.
>
> Thanks,
> Dave

From davea at support.kcm.org Mon Apr 30 20:38:13 2007
From: davea at support.kcm.org (Dave Augustus)
Date: Mon, 30 Apr 2007 15:38:13 -0500
Subject: [Fedora-directory-users] I have 2 masters in MM mode- how do I add a 3rd and 4th?
In-Reply-To:
References: <1177961895.20601.7.camel@kcm40202.kcmhq.org>
Message-ID: <1177965493.20601.9.camel@kcm40202.kcmhq.org>

ok, so is there a way to bring a fresh install of FDS into sync with an existing server?

From patrick.morris at hp.com Mon Apr 30 20:38:58 2007
From: patrick.morris at hp.com (Morris, Patrick)
Date: Mon, 30 Apr 2007 16:38:58 -0400
Subject: [Fedora-directory-users] I have 2 masters in MM mode- how do I add a 3rd and 4th?
In-Reply-To: <1177965493.20601.9.camel@kcm40202.kcmhq.org>
References: <1177961895.20601.7.camel@kcm40202.kcmhq.org> <1177965493.20601.9.camel@kcm40202.kcmhq.org>
Message-ID:

> ok, so is there a way to bring a fresh install of FDS into
> sync with an existing server?

Sure. Set up a replication agreement and initialize the consumer.

From davea at support.kcm.org Mon Apr 30 20:46:12 2007
From: davea at support.kcm.org (Dave Augustus)
Date: Mon, 30 Apr 2007 15:46:12 -0500
Subject: [Fedora-directory-users] I have 2 masters in MM mode- how do I add a 3rd and 4th?
In-Reply-To:
References: <1177961895.20601.7.camel@kcm40202.kcmhq.org> <1177965493.20601.9.camel@kcm40202.kcmhq.org>
Message-ID: <1177965972.20601.11.camel@kcm40202.kcmhq.org>

That's too easy!

This will also make the new one a master as well ?

TIA
Dave

On Mon, 2007-04-30 at 16:38 -0400, Morris, Patrick wrote:
> > ok, so is there a way to bring a fresh install of FDS into
> > sync with an existing server?
>
> Sure. Set up a replication agreement and initialize the consumer.

From patrick.morris at hp.com Mon Apr 30 20:46:57 2007
From: patrick.morris at hp.com (Morris, Patrick)
Date: Mon, 30 Apr 2007 16:46:57 -0400
Subject: [Fedora-directory-users] I have 2 masters in MM mode- how do I add a 3rd and 4th?
In-Reply-To: <1177965972.20601.11.camel@kcm40202.kcmhq.org>
References: <1177961895.20601.7.camel@kcm40202.kcmhq.org> <1177965493.20601.9.camel@kcm40202.kcmhq.org> <1177965972.20601.11.camel@kcm40202.kcmhq.org>
Message-ID:

> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf
> Of Dave Augustus
> Sent: Monday, April 30, 2007 1:46 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: RE: [Fedora-directory-users] I have 2 masters in MM
> mode- how do I add a 3rd and 4th?
>
> That's too easy!
>
> This will also make the new one a master as well ?
>
> TIA
> Dave
>
> On Mon, 2007-04-30 at 16:38 -0400, Morris, Patrick wrote:
> > > ok, so is there a way to bring a fresh install of FDS
> > > into sync with an existing server?
> >
> > Sure. Set up a replication agreement and initialize the consumer.

You'll need to configure the server as a master, but yes, the sync process is the same.
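The steps this thread ends on (configure the new server as a master, create a replication agreement from an existing master, initialize the consumer), with replication carried over LDAPS as Eddie C suggests rather than through an SSH tunnel. This is an added example and not code from the list or from the Fedora DS project. The suffix dc=example,dc=com, the host names, the replica ID, the changelog directory, the replication-manager DN and the password files are assumptions; the attribute names are the Fedora/389 Directory Server replication schema.

```sh
#!/bin/sh
# Added example, not from the thread: add a third master to an existing
# multi-master pair with replication running over LDAPS instead of an SSH
# tunnel.  Suffix, host names, replica ID, paths and the replication
# manager credentials are placeholders (assumptions).
set -eu

SUFFIX="${SUFFIX:-dc=example,dc=com}"
REPL_DN="cn=replication manager,cn=config"

# LDIF that turns a freshly installed server into a master for $SUFFIX:
# a changelog, a replication-manager entry that inbound agreements bind as,
# and the replica entry (type 3 = read-write master, flags 1 = log changes).
# The replica ID must be unique among all masters; IDs 1 and 2 are assumed
# to belong to the existing pair.
master_ldif() {
    replica_id=$1; repl_pw=$2; changelogdir=$3
    cat <<EOF
dn: cn=changelog5,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: changelog5
nsslapd-changelogdir: $changelogdir

dn: $REPL_DN
changetype: add
objectclass: top
objectclass: person
cn: replication manager
sn: replication manager
userPassword: $repl_pw

dn: cn=replica,cn="$SUFFIX",cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsDS5Replica
cn: replica
nsDS5ReplicaRoot: $SUFFIX
nsDS5ReplicaId: $replica_id
nsDS5ReplicaType: 3
nsDS5Flags: 1
nsDS5ReplicaBindDN: $REPL_DN
EOF
}

# LDIF for one outbound agreement.  nsDS5ReplicaTransportInfo: SSL makes
# the supplier connect with LDAPS on the given port, so the updates and the
# replication-manager password never travel in clear text.
# nsds5BeginReplicaRefresh: start initializes the consumer from this
# supplier as soon as the agreement entry is added.
agreement_ldif() {
    name=$1; host=$2; port=$3; repl_pw=$4
    cat <<EOF
dn: cn=$name,cn=replica,cn="$SUFFIX",cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsDS5ReplicationAgreement
cn: $name
nsDS5ReplicaRoot: $SUFFIX
nsDS5ReplicaHost: $host
nsDS5ReplicaPort: $port
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaBindDN: $REPL_DN
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: $repl_pw
description: $SUFFIX to $host
nsds5BeginReplicaRefresh: start
EOF
}

# Apply LDIF from stdin to a server over LDAPS as Directory Manager; the
# bind password is read from a file (-y) so it does not show up in "ps".
apply_ldif() {
    host=$1; dmfile=$2
    ldapmodify -H "ldaps://$host:636" -D 'cn=directory manager' -y "$dmfile"
}

# Usage, for existing masters ldap1/ldap2 and new remote master ldap3
# (repl.pw and dm.pw are mode-0600 files holding the passwords):
#   master_ldif 3 "$(cat repl.pw)" /opt/fedora-ds/slapd-ldap3/changelogdb | apply_ldif ldap3.remote.example.com dm.pw
#   agreement_ldif ldap1-to-ldap3 ldap3.remote.example.com 636 "$(cat repl.pw)" | apply_ldif ldap1.example.com dm.pw
#   # once ldap3 is initialized, the reverse agreements make it a real master:
#   agreement_ldif ldap3-to-ldap1 ldap1.example.com 636 "$(cat repl.pw)" | apply_ldif ldap3.remote.example.com dm.pw
#   agreement_ldif ldap3-to-ldap2 ldap2.example.com 636 "$(cat repl.pw)" | apply_ldif ldap3.remote.example.com dm.pw
```

Every master needs an agreement to every other master, so ldap2 also gets an agreement to ldap3. The existing masters must accept binds from the same replication-manager DN and password that ldap3's replica entry lists, or their updates to ldap3 are refused. nsDS5ReplicaCredentials is kept in cn=config (dse.ldif) in a reversible form, so keep that file readable only by the server's user, and use a dedicated replication manager rather than cn=directory manager as the bind DN.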