From glenn at mail.txwes.edu Tue Jan 2 16:37:49 2007
From: glenn at mail.txwes.edu (Glenn)
Date: Tue, 2 Jan 2007 10:37:49 -0600
Subject: [Fedora-directory-users] Windows Sync Errors
Message-ID: <20070102162343.M13292@mail.txwes.edu>

Hello again. I'm still trying to get Windows Sync working between Directory Server 7.1sp3 and Active Directory on a Windows 2003 server. I thought I would narrow down the problem by trying to add a user in the DS and see if it would replicate to AD. It does not, and the error message is:

[02/Jan/2007:09:58:31 -0600] NSMMReplicationPlugin - agmt="cn=ldap-ad" (adserver:636): windows_replay_update: Looking at add operation local dn="uid=PApostle,ou=People,o=txwes.edu" (not ours,not user,not group)

The replication agreement specifies that ou=People,o=txwes.edu in the DS should be synchronized with ou=Domain Users,dc=ad,dc=txwesleyan,dc=edu in AD. Both OUs exist as specified.

Can anyone please suggest what I might try to get this working? Thanks.

- Glenn.

From david_list at boreham.org Tue Jan 2 17:01:33 2007
From: david_list at boreham.org (David Boreham)
Date: Tue, 02 Jan 2007 10:01:33 -0700
Subject: [Fedora-directory-users] Windows Sync Errors
In-Reply-To: <20070102162343.M13292@mail.txwes.edu>
References: <20070102162343.M13292@mail.txwes.edu>
Message-ID: <459A8FED.2030001@boreham.org>

Glenn wrote:
> Hello again. I'm still trying to get Windows Sync working between Directory Server 7.1sp3 and Active Directory on a Windows 2003 server. I thought I would narrow down the problem by trying to add a user in the DS and see if it would replicate to AD. It does not, and the error message is:
>
> [02/Jan/2007:09:58:31 -0600] NSMMReplicationPlugin - agmt="cn=ldap-ad" (adserver:636): windows_replay_update: Looking at add operation local dn="uid=PApostle,ou=People,o=txwes.edu" (not ours,not user,not group)
>
> The replication agreement specifies that ou=People,o=txwes.edu in the DS should be synchronized with ou=Domain Users,dc=ad,dc=txwesleyan,dc=edu in AD. Both OUs exist as specified.
>
> Can anyone please suggest what I might try to get this working? Thanks.
> - Glenn.

Based on the information you've provided, the most likely cause is that the entry lacks the appropriate object class and attributes to be sync'ed.

From ian at hcs-management.com Tue Jan 2 15:09:06 2007
From: ian at hcs-management.com (Ian Holroyd)
Date: Tue, 2 Jan 2007 15:09:06 -0000
Subject: [Fedora-directory-users] FDS dies on SSL - How do I rescue installation?
Message-ID: <008101c72e7f$f56bde80$022ea8c0@ijh>

I have been setting up Fedora Directory Server for use with Samba PDC etc. I had most aspects of this working, with SSL transport operating correctly, having followed the HowTo.

However, I have now restarted the whole system and start-slapd will not work, generating the following errors (retyped, as this email was sent from another system; excuse any typos):

[timestamp] - SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[timestamp] - SSL alert: Security Initialization: Unable to retrieve private key for ert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[timestamp] - SSL failure: None of the cipher are valid

Now, if (big if) I am reading this correctly, this means that it has failed to find the certificate named Server-Cert.
I believe that this may be a result of me having 'used my initiative' and changed all references to 'Server-Cert' in the HowTo to a personalised version of this (i.e. I created the certs with my own names).

Start-admin fails without leaving any message (I assume because it can't read config information from the LDAP server).

The problem, however, is that ALL documentation I have found on how to solve problems like this (or indeed delete and start over) refers to either using the console (which I cannot start without my slapd instance running) or utilities like certutil, which appear to fail for the same reason.

If I understand this correctly, I am in a catch-22: I cannot start the LDAP server until I change the config, but I cannot change the config without the LDAP directory being available. So, is there ANY way to start FDS without SSL support (which I don't need right now anyway!) so that I can put right the damage I have done by following the HowTo properly this time??? If not, is there any way to reinstall / reconfigure without scrapping my data (which took some time to build)?

Thanks for any thoughts,

Ian Holroyd

From ulf.weltman at hp.com Tue Jan 2 19:08:54 2007
From: ulf.weltman at hp.com (Ulf Weltman)
Date: Tue, 02 Jan 2007 11:08:54 -0800
Subject: [Fedora-directory-users] FDS dies on SSL - How do I rescue installation?
In-Reply-To: <008101c72e7f$f56bde80$022ea8c0@ijh>
References: <008101c72e7f$f56bde80$022ea8c0@ijh>
Message-ID: <459AADC6.1070005@hp.com>

Ian Holroyd wrote:
> I have been setting up Fedora Directory Server for use with Samba PDC etc. I had most aspects of this working, with SSL transport operating correctly, having followed the HowTo.
>
> However, I have now restarted the whole system and start-slapd will not work, generating the following errors (retyped, as this email was sent from another system; excuse any typos):
> [timestamp] - SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [timestamp] - SSL alert: Security Initialization: Unable to retrieve private key for ert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [timestamp] - SSL failure: None of the cipher are valid
>
> Now, if (big if) I am reading this correctly, this means that it has failed to find the certificate named Server-Cert. I believe that this may be a result of me having 'used my initiative' and changed all references to 'Server-Cert' in the HowTo to a personalised version of this (i.e. I created the certs with my own names).
>
> Start-admin fails without leaving any message (I assume because it can't read config information from the LDAP server).
>
> The problem, however, is that ALL documentation I have found on how to solve problems like this (or indeed delete and start over) refers to either using the console (which I cannot start without my slapd instance running) or utilities like certutil, which appear to fail for the same reason.
>
> If I understand this correctly, I am in a catch-22: I cannot start the LDAP server until I change the config, but I cannot change the config without the LDAP directory being available. So, is there ANY way to start FDS without SSL support (which I don't need right now anyway!) so that I can put right the damage I have done by following the HowTo properly this time??? If not, is there any way to reinstall / reconfigure without scrapping my data (which took some time to build)?
>

The slapd configuration DSE is backed by a flat file which you can edit if the server is not running. Change nsslapd-security to off in the cn=config entry in /opt/fedora-ds/slapd-instance/config/dse.ldif to get it started, or set the nsSSLPersonalitySSL attribute to match your certificate nickname in the cn=RSA,cn=encryption,cn=config entry (it should match the one displayed with certutil -L).

> Thanks for any thoughts,
>
> Ian Holroyd
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From a-t at mindspring.com Tue Jan 2 20:30:15 2007
From: a-t at mindspring.com (a-t at mindspring.com)
Date: Tue, 2 Jan 2007 12:30:15 -0800 (GMT-08:00)
Subject: [Fedora-directory-users] operational attributes
Message-ID: <6887137.1167769815640.JavaMail.root@mswamui-valley.atl.sa.earthlink.net>

I have trouble getting operational attributes (such as createTimestamp, CreatorsName, etc.) against the Fedora Directory Server using LDAP V3. It seems to work fine with LDAP V2, but the attributes are not returned if V3 is used.

Is LDAP V3 not allowing viewing of these attributes?

Thanks.

From rmeggins at redhat.com Tue Jan 2 20:59:25 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 02 Jan 2007 13:59:25 -0700
Subject: [Fedora-directory-users] operational attributes
In-Reply-To: <6887137.1167769815640.JavaMail.root@mswamui-valley.atl.sa.earthlink.net>
References: <6887137.1167769815640.JavaMail.root@mswamui-valley.atl.sa.earthlink.net>
Message-ID: <459AC7AD.6040809@redhat.com>

a-t at mindspring.com wrote:
> I have trouble getting operational attributes (such as createTimestamp, CreatorsName, etc.) against the Fedora Directory Server using LDAP V3.
> It seems to work fine with LDAP V2, but the attributes are not returned if V3 is used.
>
> Is LDAP V3 not allowing viewing of these attributes?
>

In LDAP v3, operational attributes must be explicitly listed in the list of attributes to return in the search request. What application are you using? Do you know how to specify an explicit attribute list?

> Thanks.
>

From rmeggins at redhat.com Tue Jan 2 21:00:42 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 02 Jan 2007 14:00:42 -0700
Subject: [Fedora-directory-users] Can't connect to admin server as Directory Manager
In-Reply-To:
References: <20061224141515.GQ3022@cox.net> <99de6f1f0612241910m3727e485o78a21ffbd1d6e8e2@mail.gmail.com>
Message-ID: <459AC7FA.7060005@redhat.com>

Mike Mueller wrote:
> I hate to do this, but I'd really appreciate it if someone has any thoughts about my problem using the GUI admin console. I'm completely stuck.

Check the access log for the DS from around the time of the console login attempt. You should see a BIND dn="cn=directory manager" followed by the result of that operation.

>
> (In other words, "bump")
>
> Mike
>
> On 12/24/06, Bob Rossi wrote:
>> Could it be uninterruptible sleep? Just think about it.
>>
>>> On Sat, Dec 23, 2006 at 05:18:42AM -0500, Mike Mueller wrote:
>>>> I just did a fresh install of FDS 1.0.4 on a Gentoo Linux workstation (built manually, not from RPM). After running the setup script to install it, everything appears to be working, except I can't login to the admin console. I can connect to the server via the web browser on my admin port (9419) and authenticate fine there.
>>>>
>>>> However, when I start the console up, I do:
>>>>
>>>> User ID: cn=Directory Manager
>>>> Password:
>>>> Administration URL: http://hostname.domain.com:9419/
>>>>
>>>> The dialog that I get says:
>>>>
>>>> "Cannot logon because of an incorrect User ID,
>>>> Incorrect password or Directory problem.
>>>>
>>>> HttpException
>>>> Response: HTTP/1.1 401 Authorization Required
>>>> Status: 401
>>>> URL: http://hostname.domain.com:9419/admin-serv/authenticate"
>>>>
>>>> I made sure that the admin server isn't configured to block any hosts or IP addresses (set them both to '*' in the local.conf file).
>>>>
>>>> Here's what the error log says:
>>>>
>>>> [Sat Dec 23 05:09:46 2006] [notice] [client 192.168.2.1] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.2.1
>>>> [Sat Dec 23 05:09:46 2006] [error] [client 192.168.2.1] user cn=Directory Manager not found: /admin-serv/authenticate
>>>>
>>>> How could the "cn=Directory Manager" user be not found? Doesn't it always exist? Yes, I used the default name for this user when I ran setup.
>>>>
>>>> Any input would be appreciated!
>>>>
>>>> Thanks,
>>>> Mike
>>>
>>
>

From rmeggins at redhat.com Tue Jan 2 21:01:59 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 02 Jan 2007 14:01:59 -0700
Subject: [Fedora-directory-users] New install with Admin Server issues
In-Reply-To:
References:
Message-ID: <459AC847.9060004@redhat.com>

Duncan McGreggor wrote:
> Hey all,
>
> I'm having some troubles with the Admin Server (web). First, some details:
>
> * This is my first experience with FDS
> * I'm running Debian and followed the install instructions here: http://directory.fedora.redhat.com/wiki/Howto:DebianUbuntu
> * I created/installed the debian package from fedora-ds-1.0.4-1.RHEL3.i386.opt.rpm
> * I can run the java console application, login, create entries, etc.
> * I'm a python coder, not a java one, so I have no idea about the java stuff.

What version of Apache are you using? e.g. /usr/sbin/httpd.worker -V

>
> Here are the issues I am seeing:
> 1) clicking on the "help" buttons on the java console results in a download dialog with the following message:
> The file "help" is of type application/octect-stream...
> 2) Clicking the "Restart" button (admin tasks) on the java console results in a 404
> 3) Attempting to visit the url http://myhost:62332/ results in a download dialog
> 4) If I download the file, open it and read it, it's a binary file. The file begins with the following:
> ELF
> (
>
> Q?td
> 2
> And then later in the file, there is this:
> Error: %s
> s
> text/html
>
> dsgw_menu_block>
>
> dist
> cstart-console.html
>
> ...
> 5) I saw the following rewrite rule in /opt/fedora-ds/admin-serv/config/admserv.conf:
> RewriteRule ^/$ /dist/download [R,L,QSA]
> I commented it out, restarted the server, and now I get a 403 (Forbidden) when I access http://myhost:62332/
> 6) I set the admin server's log level to debug, and I started seeing these messages:
> [Sun Dec 31 03:00:57 2006] [debug] mod_admserv.c(1759): [client 72.51.42.180] admserv_check_authz: uri [tasks/operation/StatusPing] did not begin with [commands/] - not a command
> [Sun Dec 31 03:00:57 2006] [debug] mod_admserv.c(1808): [client 72.51.42.180] admserv_check_authz: execute CGI [/opt/fedora-ds/bin/admin/admin/bin/statusping] args [(null)]
>
> That's all I can think of for now. Does anyone have any clue as to what could be going on? Is this a java app server dealie? I tried searching through the docs and the FDS pages for anything that might clue me in, and came up empty-handed...
>
> Other than this, though, it looks like a killer LDAP server. Looking forward to getting this rolled out here, and providing folks with the web admin link to manage their info...
>
> Thanks!
>
> d
>

From mike at subfocal.net Tue Jan 2 21:18:34 2007
From: mike at subfocal.net (Mike Mueller)
Date: Tue, 2 Jan 2007 16:18:34 -0500
Subject: [Fedora-directory-users] Can't connect to admin server as Directory Manager
In-Reply-To: <459AC7FA.7060005@redhat.com>
References: <20061224141515.GQ3022@cox.net> <99de6f1f0612241910m3727e485o78a21ffbd1d6e8e2@mail.gmail.com> <459AC7FA.7060005@redhat.com>
Message-ID:

On 1/2/07, Richard Megginson wrote:
> Mike Mueller wrote:
>> I hate to do this, but I'd really appreciate it if someone has any thoughts about my problem using the GUI admin console. I'm completely stuck.
> Check the access log for the DS from around the time of the console login attempt. You should see a BIND dn="cn=directory manager" followed by the result of that operation.
>>
>> (In other words, "bump")
>>
>> Mike
>>
>> On 12/24/06, Bob Rossi wrote:
>>> Could it be uninterruptible sleep? Just think about it.
>>>
>>>> On Sat, Dec 23, 2006 at 05:18:42AM -0500, Mike Mueller wrote:
>>>>> I just did a fresh install of FDS 1.0.4 on a Gentoo Linux workstation (built manually, not from RPM). After running the setup script to install it, everything appears to be working, except I can't login to the admin console. I can connect to the server via the web browser on my admin port (9419) and authenticate fine there.
>>>>>
>>>>> However, when I start the console up, I do:
>>>>>
>>>>> User ID: cn=Directory Manager
>>>>> Password:
>>>>> Administration URL: http://hostname.domain.com:9419/
>>>>>
>>>>> The dialog that I get says:
>>>>>
>>>>> "Cannot logon because of an incorrect User ID,
>>>>> Incorrect password or Directory problem.
>>>>>
>>>>> HttpException
>>>>> Response: HTTP/1.1 401 Authorization Required
>>>>> Status: 401
>>>>> URL: http://hostname.domain.com:9419/admin-serv/authenticate"
>>>>>
>>>>> I made sure that the admin server isn't configured to block any hosts or IP addresses (set them both to '*' in the local.conf file).
>>>>>
>>>>> Here's what the error log says:
>>>>>
>>>>> [Sat Dec 23 05:09:46 2006] [notice] [client 192.168.2.1] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.2.1
>>>>> [Sat Dec 23 05:09:46 2006] [error] [client 192.168.2.1] user cn=Directory Manager not found: /admin-serv/authenticate
>>>>>
>>>>> How could the "cn=Directory Manager" user be not found? Doesn't it always exist? Yes, I used the default name for this user when I ran setup.
>>>>>
>>>>> Any input would be appreciated!
>>>>>
>>>>> Thanks,
>>>>> Mike
>>>>
>>>
>>
>

Nothing at all appears in the slapd access or error logs.
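Richard's advice above is to look in the DS access log for the console's BIND as cn=directory manager and for the RESULT that follows it. The script below is an added example, not something posted in this thread or shipped with Fedora DS: it pairs each BIND with its RESULT by conn/op, attributes the bind to the client address from the "connection from" line, flags binds that never got a RESULT, and counts failed binds per client. The log lines are constructed in the access-log layout, with made-up hosts, DNs and timestamps.

```python
import re
from collections import Counter

# Constructed sample in the layout of a Fedora/389 Directory Server access log.
# Not a capture from the thread; hosts, DNs and timestamps are made up.
SAMPLE_ACCESS_LOG = """\
[02/Jan/2007:16:05:01 -0600] conn=7 fd=64 slot=64 connection from 192.168.2.1 to 192.168.2.10
[02/Jan/2007:16:05:01 -0600] conn=7 op=0 BIND dn="cn=directory manager" method=128 version=3
[02/Jan/2007:16:05:01 -0600] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[02/Jan/2007:16:05:01 -0600] conn=7 op=1 SRCH base="o=NetscapeRoot" scope=2 filter="(objectClass=nsAdminDomain)" attrs=ALL
[02/Jan/2007:16:05:01 -0600] conn=7 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[02/Jan/2007:16:05:02 -0600] conn=7 op=2 UNBIND
[02/Jan/2007:16:05:02 -0600] conn=7 op=2 fd=64 closed - U1
[02/Jan/2007:16:05:09 -0600] conn=8 fd=65 slot=65 connection from 192.168.2.1 to 192.168.2.10
[02/Jan/2007:16:05:09 -0600] conn=8 op=0 BIND dn="cn=directory manager" method=128 version=3
[02/Jan/2007:16:05:09 -0600] conn=8 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[02/Jan/2007:16:05:11 -0600] conn=9 fd=66 slot=66 connection from 10.0.0.5 to 192.168.2.10
[02/Jan/2007:16:05:11 -0600] conn=9 op=0 BIND dn="uid=jdoe,ou=People,dc=example,dc=com" method=128 version=3
[02/Jan/2007:16:05:11 -0600] conn=9 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[02/Jan/2007:16:05:12 -0600] conn=10 fd=67 slot=67 connection from 10.0.0.5 to 192.168.2.10
[02/Jan/2007:16:05:12 -0600] conn=10 op=0 BIND dn="uid=jdoe,ou=People,dc=example,dc=com" method=128 version=3
"""

_TS = r'\[(?P<ts>[^\]]+)\] '
# "connection from" line: ties a conn id to the client address
CONNECT_RE = re.compile(_TS + r'conn=(?P<conn>\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (?P<client>\S+) to \S+')
# BIND request: method=128 is a simple (password) bind
BIND_RE = re.compile(_TS + r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)')
# RESULT line: err is the LDAP result code for the op with the same conn/op
RESULT_RE = re.compile(_TS + r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)')

# Result codes a bind most often ends with (RFC 4511 names)
ERR_NAMES = {0: "success", 32: "noSuchObject", 48: "inappropriateAuthentication",
             49: "invalidCredentials", 53: "unwillingToPerform"}


def correlate_binds(log_text):
    """Pair every BIND with its RESULT (same conn and op) and the client address.

    Returns a list of dicts in the order the RESULTs arrived; binds that never
    received a RESULT are appended at the end with err=None."""
    clients = {}   # conn id -> client address
    pending = {}   # (conn, op) -> bind record waiting for its RESULT
    done = []
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            clients[m["conn"]] = m["client"]
            continue
        m = BIND_RE.match(line)
        if m:
            pending[(m["conn"], m["op"])] = {
                "ts": m["ts"], "conn": m["conn"], "op": m["op"], "dn": m["dn"],
                "method": m["method"], "client": clients.get(m["conn"], "?"),
                "err": None, "status": "no RESULT logged"}
            continue
        m = RESULT_RE.match(line)
        if m:
            rec = pending.pop((m["conn"], m["op"]), None)
            if rec is None:        # RESULT of a search/modify/etc., not of a bind
                continue
            rec["err"] = int(m["err"])
            rec["status"] = ERR_NAMES.get(rec["err"], "err=%d" % rec["err"])
            done.append(rec)
    # Still pending: the server never answered, or the log was cut off
    done.extend(pending.values())
    return done


def binds_for(records, dn):
    """Binds by a given DN; DNs compare case-insensitively, and the console
    sends cn=directory manager in lower case as Richard's reply shows."""
    want = dn.strip().lower()
    return [r for r in records if r["dn"].lower() == want]


def failed_binds_by_client(records):
    """Answered-but-failed binds per client address; a burst from one
    address is the pattern worth alerting on. Unanswered binds are excluded."""
    return Counter(r["client"] for r in records if r["err"] not in (None, 0))


if __name__ == "__main__":
    recs = correlate_binds(SAMPLE_ACCESS_LOG)
    for r in recs:
        print('%s conn=%-3s %-13s dn="%s" -> %s' % (r["ts"], r["conn"], r["client"], r["dn"], r["status"]))
    print(dict(failed_binds_by_client(recs)))
```

On a real instance, read the access log file under the slapd instance's logs directory instead of the constructed string. Three outcomes map onto the thread: a BIND with err=0 means the directory accepted the password and the 401 comes from the admin server side; err=49 means the password or DN the console sent is wrong; no BIND at all for the login attempt, which is what Mike reports next, means the admin server never reached this instance.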
From rmeggins at redhat.com Tue Jan 2 21:19:38 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 02 Jan 2007 14:19:38 -0700
Subject: [Fedora-directory-users] Can't connect to admin server as Directory Manager
In-Reply-To:
References: <20061224141515.GQ3022@cox.net> <99de6f1f0612241910m3727e485o78a21ffbd1d6e8e2@mail.gmail.com> <459AC7FA.7060005@redhat.com>
Message-ID: <459ACC6A.7040507@redhat.com>

Mike Mueller wrote:
> On 1/2/07, Richard Megginson wrote:
>> Mike Mueller wrote:
>>> I hate to do this, but I'd really appreciate it if someone has any thoughts about my problem using the GUI admin console. I'm completely stuck.
>> Check the access log for the DS from around the time of the console login attempt. You should see a BIND dn="cn=directory manager" followed by the result of that operation.
>>>
>>> (In other words, "bump")
>>>
>>> Mike
>>>
>>> On 12/24/06, Bob Rossi wrote:
>>>> Could it be uninterruptible sleep? Just think about it.
>>>>
>>>>> On Sat, Dec 23, 2006 at 05:18:42AM -0500, Mike Mueller wrote:
>>>>>> I just did a fresh install of FDS 1.0.4 on a Gentoo Linux workstation (built manually, not from RPM). After running the setup script to install it, everything appears to be working, except I can't login to the admin console. I can connect to the server via the web browser on my admin port (9419) and authenticate fine there.
>>>>>>
>>>>>> However, when I start the console up, I do:
>>>>>>
>>>>>> User ID: cn=Directory Manager
>>>>>> Password:
>>>>>> Administration URL: http://hostname.domain.com:9419/
>>>>>>
>>>>>> The dialog that I get says:
>>>>>>
>>>>>> "Cannot logon because of an incorrect User ID,
>>>>>> Incorrect password or Directory problem.
>>>>>>
>>>>>> HttpException
>>>>>> Response: HTTP/1.1 401 Authorization Required
>>>>>> Status: 401
>>>>>> URL: http://hostname.domain.com:9419/admin-serv/authenticate"
>>>>>>
>>>>>> I made sure that the admin server isn't configured to block any hosts or IP addresses (set them both to '*' in the local.conf file).
>>>>>>
>>>>>> Here's what the error log says:
>>>>>>
>>>>>> [Sat Dec 23 05:09:46 2006] [notice] [client 192.168.2.1] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.2.1
>>>>>> [Sat Dec 23 05:09:46 2006] [error] [client 192.168.2.1] user cn=Directory Manager not found: /admin-serv/authenticate
>>>>>>
>>>>>> How could the "cn=Directory Manager" user be not found? Doesn't it always exist? Yes, I used the default name for this user when I ran setup.
>>>>>>
>>>>>> Any input would be appreciated!
>>>>>>
>>>>>> Thanks,
>>>>>> Mike
>>>>>
>>>>
>>>
>>
>
> Nothing at all appears in the slapd access or error logs.

Hmm - check shared/config/dbswitch.conf and make sure it points to the correct ds host and port.

>

From bart at schelstraete.org Tue Jan 2 21:22:33 2007
From: bart at schelstraete.org (Bart Schelstraete)
Date: Tue, 2 Jan 2007 22:22:33 +0100
Subject: [Fedora-directory-users] Can't connect to admin server as Directory Manager
In-Reply-To:
References: <20061224141515.GQ3022@cox.net> <99de6f1f0612241910m3727e485o78a21ffbd1d6e8e2@mail.gmail.com> <459AC7FA.7060005@redhat.com>
Message-ID: <9905faa50701021322s1dbff18bnef59b80c72de2ece@mail.gmail.com>

Can you just try adding your IP to the /etc/hosts file?

Bart

On 1/2/07, Mike Mueller wrote:
> On 1/2/07, Richard Megginson wrote:
>> Mike Mueller wrote:
>>> I hate to do this, but I'd really appreciate it if someone has any thoughts about my problem using the GUI admin console. I'm completely stuck.
>> Check the access log for the DS from around the time of the console login attempt. You should see a BIND dn="cn=directory manager" followed by the result of that operation.
>>>
>>> (In other words, "bump")
>>>
>>> Mike
>>>
>>> On 12/24/06, Bob Rossi wrote:
>>>> Could it be uninterruptible sleep? Just think about it.
>>>>
>>>>> On Sat, Dec 23, 2006 at 05:18:42AM -0500, Mike Mueller wrote:
>>>>>> I just did a fresh install of FDS 1.0.4 on a Gentoo Linux workstation (built manually, not from RPM). After running the setup script to install it, everything appears to be working, except I can't login to the admin console. I can connect to the server via the web browser on my admin port (9419) and authenticate fine there.
>>>>>>
>>>>>> However, when I start the console up, I do:
>>>>>>
>>>>>> User ID: cn=Directory Manager
>>>>>> Password:
>>>>>> Administration URL: http://hostname.domain.com:9419/
>>>>>>
>>>>>> The dialog that I get says:
>>>>>>
>>>>>> "Cannot logon because of an incorrect User ID,
>>>>>> Incorrect password or Directory problem.
>>>>>>
>>>>>> HttpException
>>>>>> Response: HTTP/1.1 401 Authorization Required
>>>>>> Status: 401
>>>>>> URL: http://hostname.domain.com:9419/admin-serv/authenticate"
>>>>>>
>>>>>> I made sure that the admin server isn't configured to block any hosts or IP addresses (set them both to '*' in the local.conf file).
>>>>>>
>>>>>> Here's what the error log says:
>>>>>>
>>>>>> [Sat Dec 23 05:09:46 2006] [notice] [client 192.168.2.1] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.2.1
>>>>>> [Sat Dec 23 05:09:46 2006] [error] [client 192.168.2.1] user cn=Directory Manager not found: /admin-serv/authenticate
>>>>>>
>>>>>> How could the "cn=Directory Manager" user be not found? Doesn't it always exist? Yes, I used the default name for this user when I ran setup.
>>>>>>
>>>>>> Any input would be appreciated!
>>>>>>
>>>>>> Thanks,
>>>>>> Mike

--
Schelstraete Bart
http://www.schelstraete.org
bart at schelstraete.org

From duncan at zenoss.com Tue Jan 2 21:25:15 2007
From: duncan at zenoss.com (Duncan McGreggor)
Date: Tue, 2 Jan 2007 14:25:15 -0700
Subject: [Fedora-directory-users] New install with Admin Server issues
In-Reply-To: <459AC847.9060004@redhat.com>
References: <459AC847.9060004@redhat.com>
Message-ID: <0C868163-6BEF-44FD-82A0-FBEFF1C72302@zenoss.com>

On Jan 2, 2007, at 2:01 PM, Richard Megginson wrote:

> Duncan McGreggor wrote:
>> Hey all,
>>
>> I'm having some troubles with the Admin Server (web).
>> First, some details:
>>
>> * This is my first experience with FDS
>> * I'm running Debian and followed the install instructions here: http://directory.fedora.redhat.com/wiki/Howto:DebianUbuntu
>> * I created/installed the debian package from fedora-ds-1.0.4-1.RHEL3.i386.opt.rpm
>> * I can run the java console application, login, create entries, etc.
>> * I'm a python coder, not a java one, so I have no idea about the java stuff.
> What version of Apache are you using? e.g. /usr/sbin/httpd.worker -V

Here's the output:

# /usr/sbin/httpd -V
Server version: Apache/2.0.54
Server built:   Jul 28 2006 08:55:39
Server's Module Magic Number: 20020903:9
Architecture:   32-bit
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/worker"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D HTTPD_ROOT=""
 -D SUEXEC_BIN="/usr/lib/apache2/suexec2"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
 -D SERVER_CONFIG_FILE="/etc/apache2/apache2.conf"

From a-t at mindspring.com Tue Jan 2 21:41:14 2007
From: a-t at mindspring.com (a-t at mindspring.com)
Date: Tue, 2 Jan 2007 13:41:14 -0800 (GMT-08:00)
Subject: [Fedora-directory-users] operational attributes
Message-ID: <19980500.1167774074991.JavaMail.root@mswamui-valley.atl.sa.earthlink.net>

Thanks! I am able to get the createTimestamp attribute as specified.
Is there a way to get all operational attributes without having to list each explicitly (e.g., wild card)?
Thanks.

-----Original Message-----
>From: Richard Megginson
>Sent: Jan 2, 2007 12:59 PM
>To: a-t at mindspring.com, "General discussion list for the Fedora Directory server project."
>Subject: Re: [Fedora-directory-users] operational attributes
>
>a-t at mindspring.com wrote:
>> I have trouble getting operational attributes (such as createTimestamp, CreatorsName, etc.) against the Fedora Directory Server using LDAP V3.
>> It seems to work fine with LDAP V2, but the attributes are not returned if V3 is used.
>>
>> Is LDAP V3 not allowing viewing of these attributes?
>>
>In LDAP v3, operational attributes must be explicitly listed in the list of attributes to return in the search request. What application are you using? Do you know how to specify an explicit attribute list?
>> Thanks.
>>

From glenn at mail.txwes.edu Tue Jan 2 21:38:50 2007
From: glenn at mail.txwes.edu (Glenn)
Date: Tue, 2 Jan 2007 15:38:50 -0600
Subject: [Fedora-directory-users] Windows Sync Errors
In-Reply-To: <459A8FED.2030001@boreham.org>
References: <20070102162343.M13292@mail.txwes.edu> <459A8FED.2030001@boreham.org>
Message-ID: <20070102205631.M13724@mail.txwes.edu>

O.K., so I'm guessing there are certain required object classes and attributes, and some that are not allowed. I tried to populate the Active Directory using Windows Sync, but it didn't work. Then I took the ldif file I used to populate the DS and tried to import it into AD, but that didn't work either. I found that if I changed some object classes and attributes, the ldif would import into AD, but not into DS. And they would not sync.

For instance, "objectclass: user" does not import into DS, but is required for AD. And "objectclass: inetOrgPerson" imports into DS, but not into AD.

So if I have some object classes and attributes required for AD that are not allowed in DS, and vice versa, how can I make Windows Sync work? I'm sure I'm missing something here.

I'm including sample ldif entries from each import below.

Thanks.
-Glenn.

AD-compatible entry:

dn: cn=Peter Apostle,ou=Domain Users,dc=ad,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: user
sn: Apostle
cn: Peter Apostle
SAMAccountName: PApostle
userPrincipalName: papostle at ad.example.com
mail: papostle at ad.example.com
facsimiletelephonenumber: 817-531-4806
title: Electronic Reference Librarian
givenname: Peter
businesscategory: EJW Library
roomnumber: EJW Library
employeenumber: 1234567
departmentnumber: Provost
telephonenumber: 817-555-4802
userpassword: {SHA}8/P0XfVT5t9GpNL8MNPH+jdPGA0=
description: Reference Librarian
scriptPath: twu_script.bat
uid: abaker

DS-compatible entry:

dn: cn=Peter Apostle,ou=People,o=example.com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
sn: Apostle
cn: Peter Apostle
mail: papostle at ad.example.com
facsimiletelephonenumber: 817-555-4806
title: Electronic Reference Librarian
givenname: Peter
businesscategory: EJW Library
roomnumber: EJW Library
employeenumber: 1234567
departmentnumber: Provost
telephonenumber: 817-555-4802
userpassword: {SHA}8/P0XfVT5t9GpNL8MNPH+jdPGA0=
description: Reference Librarian
uid: papostle

---------- Original Message -----------
From: David Boreham
To: "General discussion list for the Fedora Directory server project."
Sent: Tue, 02 Jan 2007 10:01:33 -0700
Subject: Re: [Fedora-directory-users] Windows Sync Errors

> Glenn wrote:
>
> > Hello again. I'm still trying to get Windows Sync working between Directory Server 7.1sp3 and Active Directory on a Windows 2003 server. I thought I would narrow down the problem by trying to add a user in the DS and see if it would replicate to AD.
It does not, and the error message is: > > > >[02/Jan/2007:09:58:31 -0600] NSMMReplicationPlugin - agmt="cn=ldap-ad" > >(adserver:636): windows_replay_update: Looking at add operation local > >dn="uid=PApostle,ou=People,o=txwes.edu" (not ours,not user,not group) > > > >The replication agreement specifies that ou=People,o=txwes.edu in the DS > >should be synchronized with ou=Domain Users,dc=ad,dc=txwesleyan,dc=edu in > >AD. Both ous exist as specified. > > > >Can anyone please suggest what I might try to get this working? Thanks. - > >Glenn. > > > > > Based on the information you've provided, the most likely cause is > that the entry lacks the appropriate object class and attributes to > be sync'ed. > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users ------- End of Original Message ------- From ersin.er at gmail.com Tue Jan 2 21:59:54 2007 From: ersin.er at gmail.com (Ersin Er) Date: Tue, 2 Jan 2007 23:59:54 +0200 Subject: [Fedora-directory-users] operational attributes In-Reply-To: <19980500.1167774074991.JavaMail.root@mswamui-valley.atl.sa.earthlink.net> References: <19980500.1167774074991.JavaMail.root@mswamui-valley.atl.sa.earthlink.net> Message-ID: http://tools.ietf.org/html/rfc3673 is the answer. You just need to add an '+' to your returning attr list for any search operation. On 1/2/07, a-t at mindspring.com wrote: > Thanks! I am able to get the createTimestamp attribute as specified. > Is there a way to get all operational attributes without having to list each explicitly (e.g., wild card)? > Thanks. > > -----Original Message----- > >From: Richard Megginson > >Sent: Jan 2, 2007 12:59 PM > >To: a-t at mindspring.com, "General discussion list for the Fedora Directory server project." 
> >Subject: Re: [Fedora-directory-users] operational attributes
> >
> >a-t at mindspring.com wrote:
> >> I have trouble getting operational attribute (such as createTimestamp, CreatorsName, etc.)
> >> against the Fedora Directory Server using LDAP V3.
> >> It seems to work fine with LDAP V2, but the attributes are not returned if V3 is used.
> >>
> >> Is LDAP V3 not allowing viewing of these attributes?
> >>
> >In LDAP v3, operational attributes must be explicitly listed in the list
> >of attributes to return in the search request. What application are you
> >using? Do you know how to specify an explicit attribute list?
> >> Thanks.
> >>
>

--
Ersin

From rmeggins at redhat.com Tue Jan 2 22:02:49 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 02 Jan 2007 15:02:49 -0700
Subject: [Fedora-directory-users] operational attributes
In-Reply-To:
References: <19980500.1167774074991.JavaMail.root@mswamui-valley.atl.sa.earthlink.net>
Message-ID: <459AD689.7030700@redhat.com>

Ersin Er wrote:
> http://tools.ietf.org/html/rfc3673 is the answer. You just need to add
> an '+' to your returning attr list for any search operation.
Nope. Fedora DS does not yet support that RFC.
>
> On 1/2/07, a-t at mindspring.com wrote:
>> Thanks! I am able to get the createTimestamp attribute as specified.
>> Is there a way to get all operational attributes without having to
>> list each explicitly (e.g., wild card)?
>> Thanks.
>>
>> -----Original Message-----
>> >From: Richard Megginson
>> >Sent: Jan 2, 2007 12:59 PM
>> >To: a-t at mindspring.com, "General discussion list for the Fedora
>> Directory server project."
>> >Subject: Re: [Fedora-directory-users] operational attributes
>> >
>> >a-t at mindspring.com wrote:
>> >> I have trouble getting operational attribute (such as
>> createTimestamp, CreatorsName, etc.)
>> >> against the Fedora Directory Server using LDAP V3.
>> >> It seems to work fine with LDAP V2, but the attributes are not
>> returned if V3 is used.
>> >>
>> >> Is LDAP V3 not allowing viewing of these attributes?
>> >>
>> >In LDAP v3, operational attributes must be explicitly listed in the
>> list
>> >of attributes to return in the search request. What application are
>> you
>> >using? Do you know how to specify an explicit attribute list?
>> >> Thanks.
>> >>
>>
>

From rmeggins at redhat.com Tue Jan 2 22:42:57 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 02 Jan 2007 15:42:57 -0700
Subject: [Fedora-directory-users] New install with Admin Server issues
In-Reply-To: <0C868163-6BEF-44FD-82A0-FBEFF1C72302@zenoss.com>
References: <459AC847.9060004@redhat.com> <0C868163-6BEF-44FD-82A0-FBEFF1C72302@zenoss.com>
Message-ID: <459ADFF1.30600@redhat.com>

Duncan McGreggor wrote:
>
> On Jan 2, 2007, at 2:01 PM, Richard Megginson wrote:
>
>> Duncan McGreggor wrote:
>>> Hey all,
>>>
>>> I'm having some troubles with the Admin Server (web).
>>> First, some
>>> details:
>>>
>>> * This is my first experience with FDS
>>> * I'm running Debian and followed the install instructions here:
>>>   http://directory.fedora.redhat.com/wiki/Howto:DebianUbuntu
>>> * I created/installed the debian package from
>>>   fedora-ds-1.0.4-1.RHEL3.i386.opt.rpm
>>> * I can run the java console application, login, create entries, etc.
>>> * I'm a python coder, not a java one, so I have no idea about the
>>>   java stuff.
>> What version of Apache are you using? e.g. /usr/sbin/httpd.worker -V
>
> Here's the output:
>
> # /usr/sbin/httpd -V
> Server version: Apache/2.0.54
> Server built: Jul 28 2006 08:55:39
> Server's Module Magic Number: 20020903:9
> Architecture: 32-bit
> Server compiled with....
> -D APACHE_MPM_DIR="server/mpm/worker"
> -D APR_HAS_SENDFILE
> -D APR_HAS_MMAP
> -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
> -D APR_USE_SYSVSEM_SERIALIZE
> -D APR_USE_PTHREAD_SERIALIZE
> -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
> -D APR_HAS_OTHER_CHILD
> -D AP_HAVE_RELIABLE_PIPED_LOGS
> -D HTTPD_ROOT=""
> -D SUEXEC_BIN="/usr/lib/apache2/suexec2"
> -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
> -D DEFAULT_ERRORLOG="logs/error_log"
> -D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
> -D SERVER_CONFIG_FILE="/etc/apache2/apache2.conf"
Anything in the admin-serv/logs/access or error? You might try using the debug log level - edit admin-serv/config/httpd.conf and set LogLevel to debug, then restart the admin server.
>
From Diana.Shepard at cusys.edu Tue Jan 2 22:54:58 2007
From: Diana.Shepard at cusys.edu (Diana Shepard)
Date: Tue, 2 Jan 2007 15:54:58 -0700
Subject: [Fedora-directory-users] Can't connect to admin server as Directory Manager
In-Reply-To: <459AC7FA.7060005@redhat.com>
Message-ID: <7315857F21D51B449CC55ADE3A56831802AF52E4@ex2k3.ad.cusys.edu>

I had trouble logging into the admin console on a RHEL server as well. My resolution; install 64-bit java.

> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf
> Of Richard Megginson
> Sent: Tuesday, January 02, 2007 2:01 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Can't connect to admin
> server as Directory Manager
>
> Mike Mueller wrote:
> > I hate to do this, but I'd really appreciate it if someone has any
> > thoughts about my problem using the GUI admin console. I'm
> completely
> > stuck.
> Check the access log for the DS from around the time of the
> console login attempt. You should see a BIND
> dn="cn=directory manager" followed by the result of that operation.
> >
> > (In other words, "bump")
> >
> > Mike
> >
> > On 12/24/06, Bob Rossi wrote:
> >> Could it be uninterruptible sleep? Just think about it.
> >>
> >> > On Sat, Dec 23, 2006 at 05:18:42AM -0500, Mike Mueller wrote:
> >> > > I just did a fresh install of FDS 1.0.4 on a Gentoo Linux
> >> workstation
> >> > > (built manually, not from RPM). After running the
> setup script
> >> > > to install it, everything appears to be working, except I can't
> >> login to
> >> > > the admin console. I can connect to the server via the web
> >> browser on
> >> > > my admin port (9419) and authenticate fine there.
> >> > >
> >> > > However, when I start the console up, I do:
> >> > >
> >> > > User ID: cn=Directory Manager
> >> > > Password:
> >> > > Administration URL: http://hostname.domain.com:9419/
> >> > >
> >> > > The dialog that I get says:
> >> > >
> >> > > "Cannot logon because of an incorrect User ID,
> Incorrect password
> >> > > or Directory problem.
> >> > >
> >> > > HttpException
> >> > > Response: HTTP/1.1 401 Authorization Required
> >> > > Status: 401
> >> > > URL: http://hostname.domain.com:9419/admin-serv/authenticate"
> >> > >
> >> > > I made sure that the admin server isn't configured to block any
> >> hosts
> >> > > or IP addresses (set them both to '*' in the local.conf file).
> >> > >
> >> > > Here's what the error log says:
> >> > >
> >> > > [Sat Dec 23 05:09:46 2006] [notice] [client 192.168.2.1]
> >> > > admserv_host_ip_check: ap_get_remote_host could not resolve
> >> > > 192.168.2.1
> >> > > [Sat Dec 23 05:09:46 2006] [error] [client 192.168.2.1] user
> >> > > cn=Directory Manager not found: /admin-serv/authenticate
> >> > >
> >> > > How could the "cn=Directory Manager" user be not
> found? Doesn't
> >> > > it always exist? Yes, I used the default name for
> this user when
> >> > > I ran setup.
> >> > >
> >> > > Any input would be appreciated!
> >> > >
> >> > > Thanks,
> >> > > Mike
> >> >
> >>
> >
>

From duncan at zenoss.com Wed Jan 3 02:37:17 2007
From: duncan at zenoss.com (Duncan McGreggor)
Date: Tue, 2 Jan 2007 19:37:17 -0700
Subject: [Fedora-directory-users] New install with Admin Server issues
In-Reply-To:
References:
Message-ID:

On Dec 30, 2006, at 8:11 PM, Duncan McGreggor wrote:

>> 5) I saw the following rewrite rule in /opt/fedora-ds/admin-serv/config/admserv.conf:
>> RewriteRule ^/$ /dist/download [R,L,QSA]
>> I commented it out, restarted the server, and now I get a 403
>> (Forbidden) when I access http://myhost:62332/
>> 6) I set the admin server's log level to debug, and I started
>> seeing these messages:
>> [Sun Dec 31 03:00:57 2006] [debug] mod_admserv.c(1759): [client
>> 72.51.42.180] admserv_check_authz: uri [tasks/operation/StatusPing] did not begin with [commands/] - not a command
>> [Sun Dec 31 03:00:57 2006] [debug] mod_admserv.c(1808): [client
>> 72.51.42.180] admserv_check_authz: execute CGI [/opt/fedora-ds/bin/admin/admin/bin/statusping] args [(null)]
>
> Anything in the admin-serv/logs/access or error? You might try
> using the debug log level - edit admin-serv/config/httpd.conf and
> set LogLevel to debug, then restart the admin server.

The above is all that's in the log file...
From rmeggins at redhat.com Wed Jan 3 02:46:27 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 02 Jan 2007 19:46:27 -0700
Subject: [Fedora-directory-users] New install with Admin Server issues
In-Reply-To:
References:
Message-ID: <459B1903.3020408@redhat.com>

Duncan McGreggor wrote:
>
> On Dec 30, 2006, at 8:11 PM, Duncan McGreggor wrote:
>
>>> 5) I saw the following rewrite rule in
>>> /opt/fedora-ds/admin-serv/config/admserv.conf:
>>> RewriteRule ^/$ /dist/download [R,L,QSA]
>>> I commented it out, restarted the server, and now I get a 403
>>> (Forbidden) when I access http://myhost:62332/
>>> 6) I set the admin server's log level to debug, and I started seeing
>>> these messages:
>>> [Sun Dec 31 03:00:57 2006] [debug] mod_admserv.c(1759): [client
>>> 72.51.42.180] admserv_check_authz: uri [tasks/operation/StatusPing]
>>> did not begin with [commands/] - not a command
>>> [Sun Dec 31 03:00:57 2006] [debug] mod_admserv.c(1808): [client
>>> 72.51.42.180] admserv_check_authz: execute CGI
>>> [/opt/fedora-ds/bin/admin/admin/bin/statusping] args [(null)]
>>
>
>> Anything in the admin-serv/logs/access or error? You might try using
>> the debug log level - edit admin-serv/config/httpd.conf and set
>> LogLevel to debug, then restart the admin server.
>
> The above is all that's in the log file...
Even using the debug log level?
>
From duncan at zenoss.com Wed Jan 3 02:57:17 2007
From: duncan at zenoss.com (Duncan McGreggor)
Date: Tue, 2 Jan 2007 19:57:17 -0700
Subject: [Fedora-directory-users] New install with Admin Server issues
In-Reply-To: <459B1903.3020408@redhat.com>
References: <459B1903.3020408@redhat.com>
Message-ID: <5B5925DA-F0B7-4ECA-90CD-0C7A7CFE31E3@zenoss.com>

On Jan 2, 2007, at 7:46 PM, Richard Megginson wrote:

>>>> 5) I saw the following rewrite rule in /opt/fedora-ds/admin-serv/config/admserv.conf:
>>>> RewriteRule ^/$ /dist/download [R,L,QSA]
>>>> I commented it out, restarted the server, and now I get a 403
>>>> (Forbidden) when I access http://myhost:62332/
>>>> 6) I set the admin server's log level to debug, and I started
>>>> seeing these messages:
>>>> [Sun Dec 31 03:00:57 2006] [debug] mod_admserv.c(1759): [client
>>>> 72.51.42.180] admserv_check_authz: uri [tasks/operation/StatusPing] did not begin with [commands/] - not a command
>>>> [Sun Dec 31 03:00:57 2006] [debug] mod_admserv.c(1808): [client
>>>> 72.51.42.180] admserv_check_authz: execute CGI [/opt/fedora-ds/bin/admin/admin/bin/statusping] args [(null)]
>>>
>>
>>> Anything in the admin-serv/logs/access or error? You might try
>>> using the debug log level - edit admin-serv/config/httpd.conf and
>>> set LogLevel to debug, then restart the admin server.
>>
>> The above is all that's in the log file...
> Even using the debug log level?

Yup, that's with LogLevel set to "debug".
From rmeggins at redhat.com Wed Jan 3 02:59:12 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 02 Jan 2007 19:59:12 -0700
Subject: [Fedora-directory-users] New install with Admin Server issues
In-Reply-To: <5B5925DA-F0B7-4ECA-90CD-0C7A7CFE31E3@zenoss.com>
References: <459B1903.3020408@redhat.com> <5B5925DA-F0B7-4ECA-90CD-0C7A7CFE31E3@zenoss.com>
Message-ID: <459B1C00.90401@redhat.com>

Duncan McGreggor wrote:
>
> On Jan 2, 2007, at 7:46 PM, Richard Megginson wrote:
>
>>>>> 5) I saw the following rewrite rule in
>>>>> /opt/fedora-ds/admin-serv/config/admserv.conf:
>>>>> RewriteRule ^/$ /dist/download [R,L,QSA]
>>>>> I commented it out, restarted the server, and now I get a 403
>>>>> (Forbidden) when I access http://myhost:62332/
>>>>> 6) I set the admin server's log level to debug, and I started
>>>>> seeing these messages:
>>>>> [Sun Dec 31 03:00:57 2006] [debug] mod_admserv.c(1759): [client
>>>>> 72.51.42.180] admserv_check_authz: uri
>>>>> [tasks/operation/StatusPing] did not begin with [commands/] - not
>>>>> a command
>>>>> [Sun Dec 31 03:00:57 2006] [debug] mod_admserv.c(1808): [client
>>>>> 72.51.42.180] admserv_check_authz: execute CGI
>>>>> [/opt/fedora-ds/bin/admin/admin/bin/statusping] args [(null)]
>>>>
>>>
>>>> Anything in the admin-serv/logs/access or error? You might try
>>>> using the debug log level - edit admin-serv/config/httpd.conf and
>>>> set LogLevel to debug, then restart the admin server.
>>>
>>> The above is all that's in the log file...
>> Even using the debug log level?
>
> Yup, that's with LogLevel set to "debug".
Looks like mod_cgi is not working properly or is misconfigured. It should be executing the help CGI and other CGI programs, not attempting to download them. Does the Apache on Debian include mod_cgi? Does Debian have anything like SELinux which would prevent CGI execution?
>

From duncan at zenoss.com Wed Jan 3 05:30:08 2007
From: duncan at zenoss.com (Duncan McGreggor)
Date: Tue, 2 Jan 2007 22:30:08 -0700
Subject: [Fedora-directory-users] New install with Admin Server issues
In-Reply-To: <459B1C00.90401@redhat.com>
References: <459B1903.3020408@redhat.com> <5B5925DA-F0B7-4ECA-90CD-0C7A7CFE31E3@zenoss.com> <459B1C00.90401@redhat.com>
Message-ID:

On Jan 2, 2007, at 7:59 PM, Richard Megginson wrote:

>>>>>> 5) I saw the following rewrite rule in /opt/fedora-ds/admin-serv/config/admserv.conf:
>>>>>> RewriteRule ^/$ /dist/download [R,L,QSA]
>>>>>> I commented it out, restarted the server, and now I get a
>>>>>> 403 (Forbidden) when I access http://myhost:62332/
>>>>>> 6) I set the admin server's log level to debug, and I started
>>>>>> seeing these messages:
>>>>>> [Sun Dec 31 03:00:57 2006] [debug] mod_admserv.c(1759):
>>>>>> [client 72.51.42.180] admserv_check_authz: uri [tasks/operation/StatusPing] did not begin with [commands/] - not a
>>>>>> command
>>>>>> [Sun Dec 31 03:00:57 2006] [debug] mod_admserv.c(1808):
>>>>>> [client 72.51.42.180] admserv_check_authz: execute CGI [/opt/fedora-ds/bin/admin/admin/bin/statusping] args [(null)]
>>>>>
>>>>
>>>>> Anything in the admin-serv/logs/access or error? You might try
>>>>> using the debug log level - edit admin-serv/config/httpd.conf
>>>>> and set LogLevel to debug, then restart the admin server.
>>>>
>>>> The above is all that's in the log file...
>>> Even using the debug log level?
>>
>> Yup, that's with LogLevel set to "debug".
> Looks like mod_cgi is not working properly or is misconfigured.
> It should be executing the help CGI and other CGI programs, not
> attempting to download them. Does the Apache on Debian include
> mod_cgi? Does Debian have anything like SELinux which would
> prevent CGI execution?

Hmm. I created a test cgi on the server in the system Apache, and it executed properly.

Ah, but then I checked the module loads in the FDS admin-serv/config/admserv.conf, and the cgi module was commented out -- thanks!

I can now access the web admin server from the local machine. Can't get to it remotely, even though I followed the instructions described here:
http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt

But I can now see it working, and that's more than I had before. I'm sure I'm just a few tweaks shy of getting remote access working.

Thanks for your help and patience!

d

From kylet at panix.com Wed Jan 3 10:32:02 2007
From: kylet at panix.com (Kyle Tucker)
Date: Wed, 3 Jan 2007 05:32:02 -0500 (EST)
Subject: [Fedora-directory-users] LDIF modify syntax
Message-ID: <200701031032.l03AW2H01225@panix1.panix.com>

Hi all,

Simple issue here perhaps. I had set up my LDIF files like this example (variables get set of course) to change a user's shadowAccount password under FDS 1.0.4 and all my updates seem to work just fine using ldapmodify.

dn: uid=$UID, ou=People, $DNDOMAIN
changetype: modify
shadowLastChange: $TODAY
userPassword: $PWHASH

But recent research into LDIF revealed that the proper way to update attributes is using this "replace" method.

dn: uid=$UID, ou=People, $DNDOMAIN
changetype: modify
replace: shadowLastChange
shadowLastChange: $TODAY

dn: uid=$UID, ou=People, $DNDOMAIN
changetype: modify
replace: userPassword
userPassword: $PWHASH

Are both legal or permitted or did I just get lucky or is it not really doing what I think? All ldapsearch results look the same after using either?
--
- Kyle

From ando at sys-net.it Wed Jan 3 11:11:58 2007
From: ando at sys-net.it (Pierangelo Masarati)
Date: Wed, 03 Jan 2007 12:11:58 +0100
Subject: [Fedora-directory-users] LDIF modify syntax
In-Reply-To: <200701031032.l03AW2H01225@panix1.panix.com>
References: <200701031032.l03AW2H01225@panix1.panix.com>
Message-ID: <459B8F7E.8060706@sys-net.it>

Kyle Tucker wrote:
> But recent research into LDIF revealed that the proper way

What do you mean by "recent" here? RFC 2849 was published in 2000, and I don't think there was much further research. That document illustrates even wiser (and syntactically correct) means to perform the modifications you need.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati at sys-net.it
------------------------------------------

From kylet at panix.com Wed Jan 3 12:54:13 2007
From: kylet at panix.com (Kyle Tucker)
Date: Wed, 3 Jan 2007 07:54:13 -0500 (EST)
Subject: [Fedora-directory-users] LDIF modify syntax
In-Reply-To: <459B8F7E.8060706@sys-net.it>
Message-ID: <200701031254.l03CsDI12356@panix2.panix.com>

> Kyle Tucker wrote:
> > But recent research into LDIF revealed that the proper way
>
> What do you mean by "recent" here? RFC 2849 was published in 2000, and
> I don't think there was much further research. That document illustrates
> even wiser (and syntactically correct) means to perform the
> modifications you need.

I was referring to my research. I was more looking into why the other non-replace method works, if it was some optional syntax or if it wasn't even working as it seemed, although all evidence I saw indicated it was.
--
- Kyle

From ando at sys-net.it Wed Jan 3 17:25:48 2007
From: ando at sys-net.it (Pierangelo Masarati)
Date: Wed, 03 Jan 2007 18:25:48 +0100
Subject: [Fedora-directory-users] LDIF modify syntax
In-Reply-To: <200701031254.l03CsDI12356@panix2.panix.com>
References: <200701031254.l03CsDI12356@panix2.panix.com>
Message-ID: <459BE71C.6010200@sys-net.it>

Kyle Tucker wrote:
>> Kyle Tucker wrote:
>>> But recent research into LDIF revealed that the proper way
>> What do you mean by "recent" here? RFC 2849 was published in 2000, and
>> I don't think there was much further research. That document illustrates
>> even wiser (and syntactically correct) means to perform the
>> modifications you need.
>
> I was referring to my research. I was more looking into why the other
> non-replace method works, if it was some optional syntax or if it wasn't
> even working as it seemed, although all evidence I saw indicated it was.
>
> dn: uid=$UID, ou=People, $DNDOMAIN
> changetype: modify
> shadowLastChange: $TODAY
> userPassword: $PWHASH

The above is a bug (feature?) of the LDIF parsing routine, a bit too liberal

> dn: uid=$UID, ou=People, $DNDOMAIN
> changetype: modify
> replace: shadowLastChange
> shadowLastChange: $TODAY
>
> dn: uid=$UID, ou=People, $DNDOMAIN
> changetype: modify
> replace: userPassword
> userPassword: $PWHASH

The above, according to RFC 2849, can be summarized in

dn: uid=$UID, ou=People, $DNDOMAIN
changetype: modify
replace: shadowLastChange
shadowLastChange: $TODAY
-
replace: userPassword
userPassword: $PWHASH
-

with two relevant consequences:

1) only one operation is performed instead of two;
2) as a consequence, the modification is atomic, i.e. either they both succeed or they both fail; the way you indicated, they could have independently succeeded or failed.

p.
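A small LDIF reader that checks the two points raised in this thread and in the Windows Sync thread above, written as an added example (not Fedora DS or OpenLDAP code): `modify_operations` rejects a modify record whose values are not placed under an explicit add/delete/replace mod-spec (the form Pierangelo calls too liberal) and returns the mod-specs of a strict record, so one record with two mod-specs separated by `-` lines shows up as a single operation; `missing_objectclasses` reports the object classes an entry lacks, the kind of check David's reply suggests for an entry that will not sync. The sample records, the `uid=kyle` DN, the placeholder hash and the `ntUser` class in `WINSYNC_REQUIRED` are assumptions made for the example; the class your DS version actually requires comes from its documentation.

```python
"""Minimal RFC 2849 LDIF reader (added example, not Fedora DS code)."""

MOD_OPS = ("add", "delete", "replace")

def _unfold(text):
    """Join continuation lines (leading space) and drop comment lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Return records as ordered (attribute, value) lists; the mod-spec
    separator line '-' is kept as ('-', '')."""
    records, current = [], []
    for line in _unfold(text) + [""]:
        if not line.strip():
            if current:
                records.append(current)
                current = []
        elif line.strip() == "-":
            current.append(("-", ""))
        else:
            attr, sep, value = line.partition(":")
            if not sep or value[:1] in (":", "<"):  # base64/URL values: out of scope
                raise ValueError(f"unsupported LDIF line: {line!r}")
            current.append((attr.strip(), value.strip()))
    return records

def modify_operations(record):
    """Mod-specs of a 'changetype: modify' record as (op, attribute) tuples.
    Raises ValueError when a value sits outside any mod-spec, the form
    a too-liberal parser accepts silently."""
    if len(record) < 2 or record[0][0].lower() != "dn":
        raise ValueError("record does not start with a dn")
    dn = record[0][1]
    if (record[1][0].lower(), record[1][1].lower()) != ("changetype", "modify"):
        raise ValueError(f"{dn}: not a modify record")
    ops, open_spec = [], None
    for attr, value in record[2:]:
        if attr == "-":
            open_spec = None                      # '-' closes the mod-spec
        elif attr.lower() in MOD_OPS:
            open_spec = (attr.lower(), value)
            ops.append(open_spec)
        elif open_spec is None or attr.lower() != open_spec[1].lower():
            raise ValueError(f"{dn}: value for {attr} outside a mod-spec")
    return ops

def has_explicit_modspecs(record):
    """True if every value in the modify record sits under a mod-spec."""
    try:
        modify_operations(record)
        return True
    except ValueError:
        return False

def missing_objectclasses(record, required):
    """Object classes from `required` that the entry does not carry."""
    present = {v.lower() for a, v in record if a.lower() == "objectclass"}
    return [oc for oc in required if oc.lower() not in present]

# Constructed samples with placeholder values (not real hashes or DNs).
LIBERAL = """\
dn: uid=kyle, ou=People, dc=example,dc=com
changetype: modify
shadowLastChange: 13516
userPassword: {SSHA}placeholder-hash
"""
ATOMIC = """\
dn: uid=kyle, ou=People, dc=example,dc=com
changetype: modify
replace: shadowLastChange
shadowLastChange: 13516
-
replace: userPassword
userPassword: {SSHA}placeholder-hash
-
"""
DS_ENTRY = """\
dn: cn=Peter Apostle,ou=People,o=example.com
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: papostle
"""
# Assumption: the object class Windows Sync expects on a DS user entry;
# confirm against the documentation for your DS version.
WINSYNC_REQUIRED = ("ntUser",)

if __name__ == "__main__":
    for name, text in (("liberal", LIBERAL), ("atomic", ATOMIC)):
        recs = parse_ldif(text)
        print(name, [modify_operations(r) if has_explicit_modspecs(r)
                     else "rejected: no mod-spec" for r in recs])
    print("missing:", missing_objectclasses(parse_ldif(DS_ENTRY)[0], WINSYNC_REQUIRED))
```

Run stand-alone it reports the first sample as rejected and the second as one record carrying two replace mod-specs; the same strict reading is what makes the difference between two independent ldapmodify operations and one atomic one visible before the change is sent.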
From edlinuxguru at gmail.com Wed Jan 3 19:29:02 2007
From: edlinuxguru at gmail.com (Eddie C)
Date: Wed, 3 Jan 2007 14:29:02 -0500
Subject: [Fedora-directory-users] My company switched to FDS
Message-ID:

My company switched to FDS from iplanet 5.2. Overall we are very happy. If we make a press release or something of that nature is there anywhere specifically to send it.

Edward

From ewen.cumming at gmail.com Wed Jan 3 20:33:15 2007
From: ewen.cumming at gmail.com (Ewen Cumming)
Date: Thu, 4 Jan 2007 09:33:15 +1300
Subject: [Fedora-directory-users] Virtual Views entries only as leaves?
Message-ID: <7ca6a0ae0701031233h189d0b7bx511b5a2d65230b82@mail.gmail.com>

Hi all,

We've recently been migrating our data from an OpenLDAP server to FDS. The data import went smoothly, very impressed.

However, I am currently experimenting with using a virtual view to allow a flat directory structure to be displayed as a hierarchical view. Through experimentation I've only found it possible to add virtual entries as leaves. Is it possible to have virtual entries in an organizational unit that contains another organizational unit with other virtual entries?

I'm sure that makes no sense so I've attempted to draw the tree structure I'm trying to achieve. ou=view contains the virtual view and ou=entries contains the actual entries.

dc=root
- ou=view
- - ou=group
- - - ou=subgroup
- - - - o=org1
- - - - o=org2
- - - o=org3
- ou=entries
- - o=org1
- - o=org2
- - o=org3

In the virtual view ou=group contains both ou=subgroup (with its own virtual entries org1&2) and a virtual entry (org3) of its own.
At the moment I only seem able to get the deepest OU to display virtual entries (ou=subgroup in this example).

Does anyone know if what I am trying is possible or are virtual entries only able to be added at the deepest container?

From bkosick at mxlogic.com Thu Jan 4 00:03:30 2007
From: bkosick at mxlogic.com (Brian Kosick)
Date: Wed, 03 Jan 2007 17:03:30 -0700
Subject: [Fedora-directory-users] Apache Auth/pam_check_host_attr?
Message-ID: <1167869019.22855.28.camel@mxlrmt-186.corp.mxlogic.com>

Hi All,

I've been using FDS for quite a while now, and I'd just like to say I love it, great job! I'm posting this question because I've been banging my head for awhile about it.

I'm using FDS as the central Auth server in a pretty much all RH/FC environment, and currently use pam_check_host_attr to control which users are allowed to login to which servers. All was working great until I upgraded our internal WWW server from RHEL3 to FC6. The WWW server is/was using mod_authz_ldap apache module to control what groups were allowed to login to certain sections of the website; after the upgrade to FC6, group restrictions stopped working. Basically, apache + mod_authz_ldap started denying users that didn't have the WWW server in the hosts attribute.

My goal is to allow/dis-allow SSH/telnet etc etc using pam_check_host_attr, but still allow them to login to the http areas of the server using ldap groups.
Here's my authz_ldap conf

AuthType Basic
AuthName "Temporary Folder to Disseminate files"
AuthzLDAPAuthoritative On
AuthzLDAPMethod ldap
AuthzLDAPProtocolversion 3
#AuthzLDAPLogLevel debug
AuthzLDAPServer server.domain.com
AuthzLDAPUserBase ou=People,dc=corp,dc=domain,dc=com
AuthzLDAPUserKey uid
AuthzLDAPGroupBase ou=Groups,dc=corp,dc=domain,dc=com
AuthzLDAPGroupkey cn
AuthzLDAPMemberKey uniquemember
AuthzLDAPSetGroupAuth ldapdn
Require group qausers dev ops psg threat se

Like I said this used to work the way I wanted with RHEL3 and an older version of mod_authz_ldap, can anyone point the way for me?

Now with FC6 and the authz_ldap that comes with it, I get the error in the httpd_error.log:

[error] [client 10.30.0.200] PAM: user 'test' - invalid account: Permission denied

Now, it only works when I add the FQDN for the WWW server to the users hosts attribute. But then the user can SSH to the server also (which I don't want).

Also asking a second question, can you use hostobject or account with groups in order to restrict logins using pam_check_host_attr?

I thank you in advance for any pointers, suggestions, or kicks to the head that will help me resolve my problem.

--
Brian Kosick

From sstipl at exstream.com Thu Jan 4 10:20:01 2007
From: sstipl at exstream.com (Stipl, Stepan)
Date: Thu, 4 Jan 2007 05:20:01 -0500
Subject: [Fedora-directory-users] PAM pass through & ENTRY problem
In-Reply-To: <1167869019.22855.28.camel@mxlrmt-186.corp.mxlogic.com>
Message-ID:

Hi,
I'm currently playing with Fedora DS - and I really like it :).

problem: I'm trying to use PAM pass through plugin -> pam_krb5 -> Active Directory/Kerberos

I'm able to get this working fine, with pamIDMapMethod set to RDN, but not set to ENTRY with appropriate pamIDAttr set.

With disabled PAM PT plugin, I'm able to do simple bind to given object.

With enabled PAM PT plugin, set to RDN I'm able to do bind with password stored in Kerberos, and with allowed pamFallback also with password stored in Fedora DS.
And finally with PAM PT plugin enabled and set to ENTRY and attribute specified in pamIDAttr - I'm unable to do bind with Kerberos password, only with simple bind pass. stored in Fedora DS if pamFallback is enabled.

errors log with debuglevel set for plugins debugging:

[04/Jan/2007:11:13:40 +0100] pam_passthru-plugin - => pam_passthru_bindpreop
[04/Jan/2007:11:13:40 +0100] - allow_operation: component identity is NULL
[04/Jan/2007:11:13:40 +0100] pam_passthru-plugin - Could not find BIND dn cn=xxx,ou=users,dc=xxx,dc=com (error 32 - No such object)
[04/Jan/2007:11:13:40 +0100] pam_passthru-plugin - Bind DN [cn=xxx,ou=users,dc=xxx,dc=com] is invalid or not found
[04/Jan/2007:11:13:40 +0100] pam_passthru-plugin - <= handled (error 32 - No such object)

The message looks strange to me, because bind DN cn=xxx,ou=users,dc=xxx,dc=com exists and I'm able to do bind to it with password stored in Fedora DS.

So please if you see where I'm wrong or have any ideas, suggestion please help, if I won't be able to solve this, it'll unfortunately prevent me from deploying Fedora DS :(.

thanks,

.stepan

From rmeggins at redhat.com Thu Jan 4 16:28:14 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 04 Jan 2007 09:28:14 -0700
Subject: [Fedora-directory-users] PAM pass through & ENTRY problem
In-Reply-To:
References:
Message-ID: <459D2B1E.1010305@redhat.com>

Stipl, Stepan wrote:
> Hi,
> I'm currently playing with Fedora DS - and I really like it :).
>
> problem: I'm trying to use PAM pass through plugin -> pam_krb5 -> Active Directory/Kerberos
>
> I'm able to get this working fine, with pamIDMapMethod set to RDN, but not set to ENTRY with appropriate pamIDAttr set.
>
> With disabled PAM PT plugin, I'm able to do simple bind to given object.
>
> With enabled PAM PT plugin, set to RDN I'm able to do bind with password stored in Kerberos, and with allowed pamFallback also with password stored in Fedora DS.
>
> And finally with PAM PT plugin enabled and set to ENTRY and attribute specified in pamIDAttr - I'm unable to do bind with Kerberos password, only with simple bind pass. stored in Fedora DS if pamFallback is enabled.
>
> errors log with debuglevel set for plugins debugging:
>
> [04/Jan/2007:11:13:40 +0100] pam_passthru-plugin - => pam_passthru_bindpreop
> [04/Jan/2007:11:13:40 +0100] - allow_operation: component identity is NULL
> [04/Jan/2007:11:13:40 +0100] pam_passthru-plugin - Could not find BIND dn cn=xxx,ou=users,dc=xxx,dc=com (error 32 - No such object)
> [04/Jan/2007:11:13:40 +0100] pam_passthru-plugin - Bind DN [cn=xxx,ou=users,dc=xxx,dc=com] is invalid or not found
> [04/Jan/2007:11:13:40 +0100] pam_passthru-plugin - <= handled (error 32 - No such object)
>
> The message looks strange to me, because bind DN cn=xxx,ou=users,dc=xxx,dc=com exists and I'm able to do bind to it with password stored in Fedora DS.
> So please if you see where I'm wrong or have any ideas, suggestion please help, if I won't be able to solve this, it'll unfortunately prevent me from deploying Fedora DS :(.
>
What version of Fedora DS are you using? 1.0.4 should work - earlier versions had problems with the ENTRY method. Can you post your pam passthru plugin configuration entry, and an example of your user entry, being careful to obscure sensitive information?
> thanks,
>
> .stepan
>

From dan.hawker at astrium.eads.net Thu Jan 4 17:51:20 2007
From: dan.hawker at astrium.eads.net (HAWKER, Dan)
Date: Thu, 4 Jan 2007 17:51:20 -0000
Subject: [Fedora-directory-users] FDS, SNMP & Cacti...
Message-ID: <7F6B06837A5DBD49AC6E1650EFF54906012231B5@auk52177.ukr.astrium.corp>

Hi All,

Am in the process of setting up some monitoring for my two FDS (1.0.2) boxes. We mostly use Nagios & Cacti for these kinds of things. Nagios is done, however am about to start Cacti (and hence SNMP). Reading the RedHat docs, it seems FDS can use SNMP (cool), so it *should* be fairly simple.

Have had a quick surf and there are couple of OpenLDAP and SunOne DS templates out there I can use as a starting point, but nothing specifically for FDS.

So am wondering if anyone has done so before and has a handy Cacti data query/template they'd like to share, before I go ahead and start making a go of it myself. Am only really after some simple stats like no of transactions, throughput, response time, etc.

TIA

Dan

--
Dan Hawker
Linux System Administrator
Astrium
--

This email (including any attachments) may contain confidential and/or privileged information or information otherwise protected from disclosure. If you are not the intended recipient, please notify the sender immediately, do not copy this message or any attachments and do not use it for any purpose or disclose its content to any person, but delete this message and any attachments from your system. Astrium disclaims any and all liability if this email transmission was virus corrupted, altered or falsified.
---------------------------------------------------------------------
Astrium Limited, Registered in England and Wales No. 2449259
Registered Office: Gunnels Wood Road, Stevenage, Hertfordshire, SG1 2AS, England

From david_list at boreham.org Thu Jan 4 18:13:22 2007
From: david_list at boreham.org (David Boreham)
Date: Thu, 04 Jan 2007 11:13:22 -0700
Subject: [Fedora-directory-users] FDS, SNMP & Cacti...
In-Reply-To: <7F6B06837A5DBD49AC6E1650EFF54906012231B5@auk52177.ukr.astrium.corp> References: <7F6B06837A5DBD49AC6E1650EFF54906012231B5@auk52177.ukr.astrium.corp> Message-ID: <459D43C2.4090603@boreham.org>

HAWKER, Dan wrote:
> Have had a quick surf and there are couple of OpenLDAP and SunOne DS
> templates out there I can use as a starting point, but nothing specifically
> for FDS.

The SunOne template should work, since the SNMP MIB is identical.

From dan.hawker at astrium.eads.net Thu Jan 4 18:41:58 2007 From: dan.hawker at astrium.eads.net (HAWKER, Dan) Date: Thu, 4 Jan 2007 18:41:58 -0000 Subject: [Fedora-directory-users] FDS, SNMP & Cacti... Message-ID: <7F6B06837A5DBD49AC6E1650EFF54906012231B6@auk52177.ukr.astrium.corp>

> > Have had a quick surf and there are couple of OpenLDAP and SunOne DS
> > templates out there I can use as a starting point, but nothing
> > specifically for FDS.
>
> The SunOne template should work, since the SNMP MIB is identical.

Thanks for the info Dave.

I'll have a look at it tomorrow and let you all know.

Dan

From bkosick at mxlogic.com Thu Jan 4 20:05:58 2007 From: bkosick at mxlogic.com (Brian Kosick) Date: Thu, 04 Jan 2007 13:05:58 -0700 Subject: [Fedora-directory-users] Apache Auth/pam_check_host_attr?
In-Reply-To: <1167869019.22855.28.camel@mxlrmt-186.corp.mxlogic.com> References: <1167869019.22855.28.camel@mxlrmt-186.corp.mxlogic.com> Message-ID: <1167941158.12326.14.camel@mxlrmt-186.corp.mxlogic.com>

On Wed, 2007-01-03 at 17:03 -0700, Brian Kosick wrote:
> Hi All,
>
> I've been using FDS for quite a while now, and I'd just like to say I love it great job! I'm posting this question because I've been banging my head for a while about it.
>
> I'm using FDS as the central Auth server in a pretty much all RH/FC environment, and currently use pam_check_host_attr to control which users are allowed to login to which servers. All was working great until I upgraded our internal WWW server from RHEL3 to FC6. The WWW server is/was using mod_authz_ldap apache module to control what groups were allowed to login to certain sections of the website, after the upgrade to FC6, group restrictions stopped working. Basically, apache+mod_authz_ldap started denying users that didn't have the WWW server in the hosts attribute.
>
> My goal is to allow/dis-allow SSH/telnet etc etc using pam_check_host_attr, but still allow them to login to the http areas of the server using ldap groups.
>
> Here's my authz_ldap conf
>
> AuthType Basic
> AuthName "Temporary Folder to Disseminate files"
>
> AuthzLDAPAuthoritative On
> AuthzLDAPMethod ldap
> AuthzLDAPProtocolversion 3
> #AuthzLDAPLogLevel debug
> AuthzLDAPServer server.domain.com
>
> AuthzLDAPUserBase ou=People,dc=corp,dc=domain,dc=com
> AuthzLDAPUserKey uid
>
> AuthzLDAPGroupBase ou=Groups,dc=corp,dc=domain,dc=com
> AuthzLDAPGroupkey cn
> AuthzLDAPMemberKey uniquemember
> AuthzLDAPSetGroupAuth ldapdn
>
> Require group qausers dev ops psg threat se
>
> Like I said this used to work the way I wanted with RHEL3 and an older version of mod_authz_ldap, can anyone point the way for me?
Now with > FC6 and the authz_ldap that comes with it, I get the error in the > httpd_error.log: > > [error] [client 10.30.0.200] PAM: user 'test' - invalid account: > Permission denied > > Now, it only works when I add the FQDN for the WWW server to the users > hosts attribute. But then the user can SSH to the server also (which I > don't want). > > > Also asking a second question, can you use hostobject or account with > groups in order to restrict logins using pam_check_host_attr? > > > I thank you in advance for any pointers, suggestions, or kicks to the > head that will help me resolve my problem. > Dang I smoke some good crack. I figured it out. I had accidentally? installed the mod_auth_pam rpm, I rpm -e 'd it, and restarted httpd, and it works like I want it to. It looks like the mod_auth_pam rpm forces the ldap queries to go through system pam which was enforcing my pam_check_host_attr setting. However I would still like to know if I can use hostObject and hosts with a Group and whether or not that will satisfy the pam_check_host_attr requirement. Thanks, -- Brian Kosick bkosick at mxlogic.com 720-895-5449 From lesmikesell at gmail.com Thu Jan 4 20:20:23 2007 From: lesmikesell at gmail.com (Les Mikesell) Date: Thu, 04 Jan 2007 14:20:23 -0600 Subject: [Fedora-directory-users] Apache Auth/pam_check_host_attr? In-Reply-To: <1167941158.12326.14.camel@mxlrmt-186.corp.mxlogic.com> References: <1167869019.22855.28.camel@mxlrmt-186.corp.mxlogic.com> <1167941158.12326.14.camel@mxlrmt-186.corp.mxlogic.com> Message-ID: <1167942023.16197.104.camel@oldmoola.futuresource.com> On Thu, 2007-01-04 at 13:05 -0700, Brian Kosick wrote: > > > Dang I smoke some good crack. I figured it out. I had accidentally? > installed the mod_auth_pam rpm, I rpm -e 'd it, and restarted httpd, and > it works like I want it to. > > It looks like the mod_auth_pam rpm forces the ldap queries to go through > system pam which was enforcing my pam_check_host_attr setting. 
mod_auth_pam should follow the directives in /etc/pam.d/http which doesn't necessarily have to include the same things as other services. -- Les Mikesell lesmikesell at gmail.com From bkosick at mxlogic.com Thu Jan 4 20:38:34 2007 From: bkosick at mxlogic.com (Brian Kosick) Date: Thu, 04 Jan 2007 13:38:34 -0700 Subject: [Fedora-directory-users] Apache Auth/pam_check_host_attr? In-Reply-To: <1167942023.16197.104.camel@oldmoola.futuresource.com> References: <1167869019.22855.28.camel@mxlrmt-186.corp.mxlogic.com> <1167941158.12326.14.camel@mxlrmt-186.corp.mxlogic.com> <1167942023.16197.104.camel@oldmoola.futuresource.com> Message-ID: <1167943114.12326.17.camel@mxlrmt-186.corp.mxlogic.com> On Thu, 2007-01-04 at 14:20 -0600, Les Mikesell wrote: > On Thu, 2007-01-04 at 13:05 -0700, Brian Kosick wrote: > > > > > Dang I smoke some good crack. I figured it out. I had accidentally? > > installed the mod_auth_pam rpm, I rpm -e 'd it, and restarted httpd, and > > it works like I want it to. > > > > It looks like the mod_auth_pam rpm forces the ldap queries to go through > > system pam which was enforcing my pam_check_host_attr setting. > > mod_auth_pam should follow the directives in /etc/pam.d/http which > doesn't necessarily have to include the same things as other services. > Thanks, for the tip, I'll look into it, however, since I don't need/use it for anything at the moment, it's going to go on my back burner.... -- Brian Kosick bkosick at mxlogic.com 720-895-5449 From lesmikesell at gmail.com Thu Jan 4 21:14:40 2007 From: lesmikesell at gmail.com (Les Mikesell) Date: Thu, 04 Jan 2007 15:14:40 -0600 Subject: [Fedora-directory-users] Apache Auth/pam_check_host_attr? 
In-Reply-To: <1167943114.12326.17.camel@mxlrmt-186.corp.mxlogic.com> References: <1167869019.22855.28.camel@mxlrmt-186.corp.mxlogic.com> <1167941158.12326.14.camel@mxlrmt-186.corp.mxlogic.com> <1167942023.16197.104.camel@oldmoola.futuresource.com> <1167943114.12326.17.camel@mxlrmt-186.corp.mxlogic.com> Message-ID: <1167945281.16197.132.camel@oldmoola.futuresource.com>

On Thu, 2007-01-04 at 13:38 -0700, Brian Kosick wrote:
> > > Dang I smoke some good crack. I figured it out. I had accidentally? installed the mod_auth_pam rpm, I rpm -e 'd it, and restarted httpd, and it works like I want it to.
> > >
> > > It looks like the mod_auth_pam rpm forces the ldap queries to go through system pam which was enforcing my pam_check_host_attr setting.
> >
> > mod_auth_pam should follow the directives in /etc/pam.d/http which doesn't necessarily have to include the same things as other services.
>
> Thanks, for the tip, I'll look into it, however, since I don't need/use it for anything at the moment, it's going to go on my back burner....

The place it is great is where you want to provide web access to a set of people who already have passwords elsewhere like a windows domain plus some local users, and ldap should work the same way. You can skip the need for any account info with a line like:

account required pam_permit.so

if all you want is a password check.

--
Les Mikesell
lesmikesell at gmail.com

From edlinuxguru at gmail.com Fri Jan 5 05:01:29 2007 From: edlinuxguru at gmail.com (Eddie C) Date: Fri, 5 Jan 2007 00:01:29 -0500 Subject: [Fedora-directory-users] FDS, SNMP & Cacti... In-Reply-To: <7F6B06837A5DBD49AC6E1650EFF54906012231B6@auk52177.ukr.astrium.corp> References: <7F6B06837A5DBD49AC6E1650EFF54906012231B6@auk52177.ukr.astrium.corp> Message-ID:

Post up some links you find. I'm a cacti user too.
On 1/4/07, HAWKER, Dan wrote:
> > > Have had a quick surf and there are couple of OpenLDAP and SunOne DS
> > > templates out there I can use as a starting point, but nothing
> > > specifically for FDS.
> >
> > The SunOne template should work, since the SNMP MIB is identical.
>
> Thanks for the info Dave.
>
> I'll have a look at it tomorrow and let you all know.
>
> Dan

From dan.hawker at astrium.eads.net Fri Jan 5 15:47:46 2007 From: dan.hawker at astrium.eads.net (HAWKER, Dan) Date: Fri, 5 Jan 2007 15:47:46 -0000 Subject: [Fedora-directory-users] FDS, SNMP & Cacti... Message-ID: <7F6B06837A5DBD49AC6E1650EFF54906012231B8@auk52177.ukr.astrium.corp>

> > > > Have had a quick surf and there are couple of OpenLDAP and SunOne DS
> > > > templates out there I can use as a starting point, but nothing
> > > > specifically for FDS.
> > >
> > > The SunOne template should work, since the SNMP MIB is identical.
> >
> > Thanks for the info Dave.
> > I'll have a look at it tomorrow and let you all know.
> >
> > Dan

Well, am glad to report success :)

Wandered across both an OpenLDAP response[1] and a SunOneDS[2], Cacti template for use in monitoring an FDS box. Works nicely. The generic one shows how quick it responds, the SunOne template shows you more specific stats (binds, searches, etc) per second and other odds and sods.

The Generic one worked out of the box, the Sun one took a small amount of munging, as despite what you'd expect/hope, the MIBs are seemingly not the same anymore. Think it's just a vendor attribute, as each OID needed just a slight adjustment (see below).

If anyone wants my ready FDS-ified cacti templates, send me an email and I'll forward it on. (or is there a special accessories area on the wiki I can upload it to???).

Thanks for all who responded :)

Dan

########

[1] http://www.linagora.org/article125.html
[2] http://forums.cacti.net/about16638.html

OID in SunOne templates for dsAnonymousBinds
.1.3.6.1.4.1.1450.7.1.1.1.389

FDS OID for dsAnonymousBinds
.1.3.6.1.4.1.2312.6.1.1.1.389

Note the 1450.7 rather than 2312.6

#########

--
Dan Hawker
Linux System Administrator
Astrium

From rmeggins at redhat.com Fri Jan 5 16:14:07 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 05 Jan 2007 09:14:07 -0700 Subject: [Fedora-directory-users] FDS, SNMP & Cacti... In-Reply-To: <7F6B06837A5DBD49AC6E1650EFF54906012231B8@auk52177.ukr.astrium.corp> References: <7F6B06837A5DBD49AC6E1650EFF54906012231B8@auk52177.ukr.astrium.corp> Message-ID: <459E794F.2030307@redhat.com>

HAWKER, Dan wrote:
> ...snip...
> Well, am glad to report success :)
>
> Wandered across both an OpenLDAP response[1] and a SunOneDS[2], Cacti
> template for use in monitoring an FDS box. Works nicely. The generic one
> shows how quick it responds, the SunOne template shows you more specific
> stats (binds, searches, etc) per second and other odds and sods.
>
> The Generic one worked out of the box, the Sun one took a small amount of
> munging, as despite what you'd expect/hope, the MIBs are seemingly not the
> same anymore. Think its just a vendor attribute, as each OID needed just a
> slight adjustment (see below).
>
> If anyone wants my ready FDS-ified cacti templates, send me an email and
> I'll forward it on. (or is there a special accessories area on the wiki I
> can upload it to???).

Just send me the files and I'll put them in the download area of the wiki. Would you be interested in creating a Howto:SNMP or Cacti page? Doesn't have to be much, maybe just a few "do this" and "don't do that" with the links to the downloads.
> Thanks for all who responded :)
>
> Dan
>
> ########
>
> [1] http://www.linagora.org/article125.html
> [2] http://forums.cacti.net/about16638.html
>
> OID in SunOne templates for dsAnonymousBinds
> .1.3.6.1.4.1.1450.7.1.1.1.389
>
> FDS OID for dsAnonymousBinds
> .1.3.6.1.4.1.2312.6.1.1.1.389
>
> Note the 1450.7 rather than 2312.6
>
> #########
>
> --
> Dan Hawker
> Linux System Administrator
> Astrium

From dan.hawker at astrium.eads.net Fri Jan 5 17:52:07 2007 From: dan.hawker at astrium.eads.net (HAWKER, Dan) Date: Fri, 5 Jan 2007 17:52:07 -0000 Subject: [Fedora-directory-users] FDS, SNMP & Cacti... Message-ID: <7F6B06837A5DBD49AC6E1650EFF54906012231B9@auk52177.ukr.astrium.corp>

> > If anyone wants my ready FDS-ified cacti templates, send me an email and
> > I'll forward it on. (or is there a special accessories area on the wiki I
> > can upload it to???).
>
> Just send me the files and I'll put them in the download area of the
> wiki. Would you be interested in creating a Howto:SNMP or Cacti page?
> Doesn't have to be much, maybe just a few "do this" and "don't do that"
> with the links to the downloads.

Hi Richard,

I'll give it a go. I'm no SNMP or Cacti guru in any way, but it was thankfully quite simple to setup and I managed to get it to work, so it can't be that tricky :)

Off home here in the UK, but will wrap up the bits and forward you them next week. They'll probably need some instructions for the un-initiated, so I'll have a bash at the how-to also.

Have a good weekend :)

Dan

--
Dan Hawker
Linux System Administrator
Astrium
From prowley at redhat.com Fri Jan 5 18:48:22 2007 From: prowley at redhat.com (Pete Rowley) Date: Fri, 05 Jan 2007 10:48:22 -0800 Subject: [Fedora-directory-users] Virtual Views entries only as leaves? In-Reply-To: <7ca6a0ae0701031233h189d0b7bx511b5a2d65230b82@mail.gmail.com> References: <7ca6a0ae0701031233h189d0b7bx511b5a2d65230b82@mail.gmail.com> Message-ID: <459E9D76.1090204@redhat.com>

Ewen Cumming wrote:
>
> dc=root
> - ou=view
> - - ou=group
> - - - ou=subgroup
> - - - - o=org1
> - - - - o=org2
> - - - o=org3
> - ou=entries
> - - o=org1
> - - o=org2
> - - o=org3
>
> In the virtual view ou=group contains both ou=subgroup (with its own virtual entries org1&2) and a virtual entry (org3) of its own. At the moment I only seem able to get the deepest OU to display virtual entries (ou=subgroup in this example).
>
> Does anyone know if what I am trying is possible or are virtual entries only able to be added at the deepest container?

You should be able to do that. Are you sure that the o=org3 entry doesn't match the filter in ou=subgroup? Also, do all three entries ou=view, ou=group, ou=subgroup have the objectclass nsview?

--
Pete
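The view composition Pete is asking about, as an added example that is not part of this thread or of the views plugin code: a small Python simulation of how nested nsview containers list virtual entries, run over Ewen's test tree (his LDIF appears in his follow-up later in this thread). It assumes three rules that Pete does not state and that I infer from Ewen's follow-up (adding a filter to ou=group made ou=subgroup go empty) and from my reading of the views plugin: a view's effective filter is its own nsViewFilter ANDed with every nsViewFilter above it; a view without its own nsViewFilter lists no virtual entries; and a one-level listing of a view leaves out entries that a child view would claim, so each entry appears once. Under those rules the filter on ou=group has to cover org1 and org2 as well as org3 for both levels to show entries. The filter evaluator handles only equality, &, | and !.

```python
"""Added example: simulate how nested nsview containers list virtual entries.

Assumed rules (not from the thread; inferred from Ewen's follow-up and my
reading of the views plugin):
  1. a view's effective filter is its own nsViewFilter ANDed with every
     nsViewFilter on the path above it;
  2. a view with no nsViewFilter of its own lists no virtual entries;
  3. a one-level listing of a view leaves out entries a child view would
     claim, so every entry shows up exactly once.
The filter evaluator below handles only (attr=value), &, | and !.
"""

# Real entries under ou=entries,dc=test, as in Ewen's LDIF.
ENTRIES = {
    "o=org1,ou=entries,dc=test": {"o": "org1"},
    "o=org2,ou=entries,dc=test": {"o": "org2"},
    "o=org3,ou=entries,dc=test": {"o": "org3"},
}


def parse_filter(text):
    """Parse a minimal LDAP search filter into a nested tuple tree."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at {pos} in {text!r}")
        pos += 1
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            pos += 1  # closing ')'
            return (op, kids)
        if text[pos] == "!":
            pos += 1
            kid = node()
            pos += 1  # closing ')'
            return ("!", [kid])
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", (attr.strip().lower(), value.strip()))

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against an entry (dict of lower-cased attr -> value)."""
    op, arg = tree
    if op == "=":
        attr, value = arg
        return entry.get(attr, "").lower() == value.lower()
    if op == "&":
        return all(matches(k, entry) for k in arg)
    if op == "|":
        return any(matches(k, entry) for k in arg)
    return not matches(arg[0], entry)  # "!"


def effective_filter(views, dn):
    """Rules 1 and 2: own filter ANDed with ancestors' filters, or None if no own filter."""
    if views[dn]["filter"] is None:
        return None
    parts, cur = [], dn
    while cur is not None:
        if views[cur]["filter"] is not None:
            parts.append(parse_filter(views[cur]["filter"]))
        cur = views[cur]["parent"]
    return ("&", parts)


def virtual_children(views, dn, entries=ENTRIES):
    """Entries a one-level search under view `dn` would return as virtual children."""
    eff = effective_filter(views, dn)
    if eff is None:
        return []
    child_filters = [effective_filter(views, c) for c, v in views.items() if v["parent"] == dn]
    child_filters = [f for f in child_filters if f is not None]
    listed = []
    for entry in entries.values():
        # Rule 3: an entry a child view would list is not repeated at this level.
        if matches(eff, entry) and not any(matches(f, entry) for f in child_filters):
            listed.append(entry["o"])
    return sorted(listed)


def ewen_tree(group_filter, subgroup_filter="(|(o=org1)(o=org2))"):
    """Ewen's ou=view / ou=group / ou=subgroup hierarchy with the given nsViewFilter values."""
    return {
        "ou=view,dc=test": {"filter": None, "parent": None},
        "ou=group,ou=view,dc=test": {"filter": group_filter, "parent": "ou=view,dc=test"},
        "ou=subgroup,ou=group,ou=view,dc=test": {
            "filter": subgroup_filter, "parent": "ou=group,ou=view,dc=test"},
    }


if __name__ == "__main__":
    cases = [
        ("no filter on ou=group (Ewen's LDIF)", None),
        ("ou=group gets (o=org3)", "(o=org3)"),
        ("ou=group covers all three", "(|(o=org1)(o=org2)(o=org3))"),
    ]
    for label, gf in cases:
        v = ewen_tree(gf)
        print(f"{label}: group={virtual_children(v, 'ou=group,ou=view,dc=test')} "
              f"subgroup={virtual_children(v, 'ou=subgroup,ou=group,ou=view,dc=test')}")
```

The third configuration is the one that yields the tree Ewen drew: ou=group lists org3 and ou=subgroup lists org1 and org2. If a real server disagrees with this simulation on the first two cases, the assumption about filter composition is the thing to revisit.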
From glenn at mail.txwes.edu Fri Jan 5 22:41:38 2007 From: glenn at mail.txwes.edu (Glenn) Date: Fri, 5 Jan 2007 16:41:38 -0600 Subject: [Fedora-directory-users] Windows Sync Errors In-Reply-To: <20070102205631.M13724@mail.txwes.edu> References: <20070102162343.M13292@mail.txwes.edu> <459A8FED.2030001@boreham.org> <20070102205631.M13724@mail.txwes.edu> Message-ID: <20070105224123.M27238@mail.txwes.edu>

Anybody? Thanks. -G.

---------- Original Message -----------
From: "Glenn"
To: "General discussion list for the Fedora Directory server project."
Sent: Tue, 2 Jan 2007 15:38:50 -0600
Subject: Re: [Fedora-directory-users] Windows Sync Errors

> O.K., so I'm guessing there are certain required object classes and attributes, and some that are not allowed. I tried to populate the Active Directory using Windows Sync, but it didn't work. Then I took the ldif file I used to populate the DS and tried to import it into AD, but that didn't work either. I found that if I changed some object classes and attributes, the ldif would import into AD, but not into DS. And they would not sync.
>
> For instance, "objectclass: user" does not import into DS, but is required for AD. And "objectclass: inetOrgPerson" imports into DS, but not into AD.
>
> So if I have some object classes and attributes required for AD that are not allowed in DS, and vice-versa, how can I make Windows Sync work? I'm sure I'm missing something here. I'm including sample ldif entries from each import below. Thanks. -Glenn.
>
> AD-compatible entry:
>
> dn: cn=Peter Apostle,ou=Domain Users,dc=ad,dc=example,dc=com
> objectclass: top
> objectclass: person
> objectclass: organizationalPerson
> objectclass: user
> sn: Apostle
> cn: Peter Apostle
> SAMAccountName: PApostle
> userPrincipalName: papostle at ad.example.com
> mail: papostle at ad.example.com
> facsimiletelephonenumber: 817-531-4806
> title: Electronic Reference Librarian
> givenname: Peter
> businesscategory: EJW Library
> roomnumber: EJW Library
> employeenumber: 1234567
> departmentnumber: Provost
> telephonenumber: 817-555-4802
> userpassword: {SHA}8/P0XfVT5t9GpNL8MNPH+jdPGA0=
> description: Reference Librarian
> scriptPath: twu_script.bat
> uid: abaker
>
> DS-compatible entry:
>
> dn: cn=Peter Apostle,ou=People,o=example.com
> objectclass: top
> objectclass: person
> objectclass: organizationalPerson
> objectclass: inetOrgPerson
> sn: Apostle
> cn: Peter Apostle
> mail: papostle at ad.example.com
> facsimiletelephonenumber: 817-555-4806
> title: Electronic Reference Librarian
> givenname: Peter
> businesscategory: EJW Library
> roomnumber: EJW Library
> employeenumber: 1234567
> departmentnumber: Provost
> telephonenumber: 817-555-4802
> userpassword: {SHA}8/P0XfVT5t9GpNL8MNPH+jdPGA0=
> description: Reference Librarian
> uid: papostle
>
> ---------- Original Message -----------
> From: David Boreham
> To: "General discussion list for the Fedora Directory server project."
> Sent: Tue, 02 Jan 2007 10:01:33 -0700
> Subject: Re: [Fedora-directory-users] Windows Sync Errors
>
> > Glenn wrote:
> >
> > > Hello again. I'm still trying to get Windows Sync working between Directory
> > > Server 7.1sp3 and Active Directory on a Windows 2003 server. I thought I
> > > would narrow down the problem by trying to add a user in the DS and see if it
> > > would replicate to AD.
> > > It does not, and the error message is:
> > >
> > > [02/Jan/2007:09:58:31 -0600] NSMMReplicationPlugin - agmt="cn=ldap-ad"
> > > (adserver:636): windows_replay_update: Looking at add operation local
> > > dn="uid=PApostle,ou=People,o=txwes.edu" (not ours,not user,not group)
> > >
> > > The replication agreement specifies that ou=People,o=txwes.edu in the DS
> > > should be synchronized with ou=Domain Users,dc=ad,dc=txwesleyan,dc=edu in
> > > AD. Both ous exist as specified.
> > >
> > > Can anyone please suggest what I might try to get this working? Thanks. -
> > > Glenn.
> >
> > Based on the information you've provided, the most likely cause is
> > that the entry lacks the appropriate object class and attributes to
> > be sync'ed.
> ------- End of Original Message -------
------- End of Original Message -------

From patrick.morris at hp.com Fri Jan 5 23:12:25 2007 From: patrick.morris at hp.com (Patrick Morris) Date: Fri, 5 Jan 2007 15:12:25 -0800 Subject: [Fedora-directory-users] Windows Sync Errors In-Reply-To: <20070105224123.M27238@mail.txwes.edu> References: <20070102162343.M13292@mail.txwes.edu> <459A8FED.2030001@boreham.org> <20070102205631.M13724@mail.txwes.edu> <20070105224123.M27238@mail.txwes.edu> Message-ID: <20070105231225.GI17454@pmorris.usa.hp.com>

On Fri, 05 Jan 2007, Glenn wrote:
> > So if I have some object classes and attributes required for AD that
> > are not allowed in DS, and vice-versa, how can I make Windows Sync
> > work? I'm sure I'm missing something here. I'm including sample
> > ldif entries from each import below. Thanks. -Glenn.
It seems to me (but I'm no expert on Windows sync) that the easiest solution would be to update your DS schema with the required AD attributes and classes so that it will accept the ones from AD. From richard at powerset.com Fri Jan 5 23:20:13 2007 From: richard at powerset.com (Richard Hesse) Date: Fri, 05 Jan 2007 15:20:13 -0800 Subject: [Fedora-directory-users] Directory sync with Windows 2003 Server x64 Message-ID: Has anyone had any luck getting Windows 2003 Server x64 edition to sync with FDS? FDS will successfully pull down new objects from AD, but the passwords are not synchronized. Also, it appears that passhook.dll isn't functioning. The logfile indicates perpetual waiting for an event. It doesn't catch any password changes that occur. Yes, password complexity is enabled at the domain level (it is on by default in 2003 x64). There are a few events in the Application log from Password Synchronization, but there is no event text. The event ids are mostly 105 and 144. Thanks, -richard From david_list at boreham.org Fri Jan 5 23:25:39 2007 From: david_list at boreham.org (David Boreham) Date: Fri, 05 Jan 2007 16:25:39 -0700 Subject: [Fedora-directory-users] Windows Sync Errors In-Reply-To: <20070105231225.GI17454@pmorris.usa.hp.com> References: <20070102162343.M13292@mail.txwes.edu> <459A8FED.2030001@boreham.org> <20070102205631.M13724@mail.txwes.edu> <20070105224123.M27238@mail.txwes.edu> <20070105231225.GI17454@pmorris.usa.hp.com> Message-ID: <459EDE73.2080804@boreham.org> Patrick Morris wrote: >On Fri, 05 Jan 2007, Glenn wrote: > > > >>>So if I have some object classes and attributes required for AD that >>>are not allowed in DS, and vice-versa, how can I make Windows Sync >>>work? I'm sure I'm missing something here. I'm including sample >>>ldif entries from each import below. Thanks. -Glenn. 
> It seems to me (but I'm no expert on Windows sync) that the easiest
> solution would be to update your DS schema with the required AD
> attributes and classes so that it will accept the ones from AD.

No this isn't necessary. Winsync takes care of the schema translation. All you need is to have entries that are 'syncable'. On the FDS side this means special objectclass and attribute values. On the AD side it only means having the entries in the container configured in the sync agreement.

From david_list at boreham.org Fri Jan 5 23:26:20 2007 From: david_list at boreham.org (David Boreham) Date: Fri, 05 Jan 2007 16:26:20 -0700 Subject: [Fedora-directory-users] Directory sync with Windows 2003 Server x64 In-Reply-To: References: Message-ID: <459EDE9C.2030009@boreham.org>

Richard Hesse wrote:
> Has anyone had any luck getting Windows 2003 Server x64 edition to sync with
> FDS? FDS will successfully pull down new objects from AD, but the passwords
> are not synchronized. Also, it appears that passhook.dll isn't functioning.
> The logfile indicates perpetual waiting for an event. It doesn't catch any
> password changes that occur. Yes, password complexity is enabled at the
> domain level (it is on by default in 2003 x64).

Random guess, but do you need a 64-bit version of the passhook dll ?

From richard at powerset.com Sat Jan 6 00:01:37 2007 From: richard at powerset.com (Richard Hesse) Date: Fri, 05 Jan 2007 16:01:37 -0800 Subject: [Fedora-directory-users] Directory sync with Windows 2003 Server x64 In-Reply-To: <459EDE9C.2030009@boreham.org> Message-ID:

I'm guessing the problem is along those lines. The installer MSI puts the files in the correct locations for 32-bit binaries [syswow64 and program files (x86)]. Everything appears kosher along those lines, but it's just not working. My fear is that Windows will only let a 64-bit DLL hook password changes.
I've found similar information at http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=993126&SiteID=17 Are there any plans to create x64 binaries of the PassSync package? Thanks, -richard On 1/5/07 3:26 PM, "David Boreham" wrote: > Richard Hesse wrote: > >> Has anyone had any luck getting Windows 2003 Server x64 edition to sync with >> FDS? FDS will successfully pull down new objects from AD, but the passwords >> are not synchronized. Also, it appears that passhook.dll isn't functioning. >> The logfile indicates perpetual waiting for an event. It doesn't catch any >> password changes that occur. Yes, password complexity is enabled at the >> domain level (it is on by default in 2003 x64). >> >> > Random guess, but do you need a 64-bit version of the passhook dll ? From david_list at boreham.org Sat Jan 6 00:53:53 2007 From: david_list at boreham.org (David Boreham) Date: Fri, 05 Jan 2007 17:53:53 -0700 Subject: [Fedora-directory-users] Directory sync with Windows 2003 Server x64 In-Reply-To: References: Message-ID: <459EF321.4070709@boreham.org> Richard Hesse wrote: >I'm guessing the problem is along those lines. The installer MSI puts the >files in the correct locations for 32-bit binaries [syswow64 and program >files (x86)]. Everything appears kosher along those lines, but it's just not >working. My fear is that Windows will only let a 64-bit DLL hook password >changes. I've found similar information at >http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=993126&SiteID=17 > >Are there any plans to create x64 binaries of the PassSync package? > > Dunno, but it's open source you know, so you could build your own (assuming of course that the code is 64-bit clean). From ankur_agwal at yahoo.com Sat Jan 6 11:46:31 2007 From: ankur_agwal at yahoo.com (Ankur Agarwal) Date: Sat, 6 Jan 2007 03:46:31 -0800 (PST) Subject: [Fedora-directory-users] How to detect if user password has expired? 
Message-ID: <530808.98251.qm@web54104.mail.yahoo.com>

Hi,

Is there any in-built attribute that can tell me if user password has expired? I do get an appropriate exception if I try to authenticate such a user but I want to identify such users by looking at their saved profile data.

regards,
Ankur

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From ankur_agwal at yahoo.com Sun Jan 7 14:14:30 2007 From: ankur_agwal at yahoo.com (Ankur Agarwal) Date: Sun, 7 Jan 2007 06:14:30 -0800 (PST) Subject: [Fedora-directory-users] Red Hat capacacity planning guidelines Message-ID: <855468.74050.qm@web54105.mail.yahoo.com>

Hi,

Are there any capacity planning guidelines available for Red Hat directory server? I am specifically looking for planning my disk size and RAM requirements based on my userbase and frequent operations.

regards,
Ankur

From edlinuxguru at gmail.com Sun Jan 7 16:26:30 2007 From: edlinuxguru at gmail.com (Eddie C) Date: Sun, 7 Jan 2007 11:26:30 -0500 Subject: [Fedora-directory-users] Red Hat capacacity planning guidelines In-Reply-To: <855468.74050.qm@web54105.mail.yahoo.com> References: <855468.74050.qm@web54105.mail.yahoo.com> Message-ID:

Directory server at least in my usage seems to be fairly light on RAM/SWAP usage. I would focus on some other things. We use a dell 860: 2 sata disks, 1 3.6 ghz dual core processor, 2 gigs ram, 4 gigs swap.

1) Disk: My directory server is using software mirrored 80 GIG sata disk. I notice the utilization can hit 100% but my iowait is near zero.
For now it seems to be running fine but next server we will end up investing in a raid system. We are multi-master so a fast multidisk stripe or RAID 5 is what we might end up with.

2) There is a variable that can only be defined in dse.ldif and requires rebuilding the databases if it's changed; the name escapes me. But if the number of returned results is higher than a certain number it causes directory server to abandon the index. It comes stock at 1,000?? but if you are going to be running a huge database and queries that return large result sets you should set this variable before creating the database. (Sorry the name totally escapes me)

3) Ram and processor can hit 6% memory up to 5% processor. We all know this is application/deployment specific. My point from part 1: in my deployment disk speed will be the choke point. But in general a DB like mysql seems to really want to consume large amounts of memory, seems like FDS works more on disk. (I could be wrong)

4) Set your lookthrough limits high otherwise the server will abandon searches that examine too many records. If your DB is big

In any case we get great performance on a fairly basic hardware platform.

Hope that was helpful,
Edward

On 1/7/07, Ankur Agarwal wrote:
>
> Hi,
>
> Are there any capacity planning guidelines available for Red Hat directory
> server? I am specifically looking for planning my disk size and RAM
> requirements based on my userbase and frequent operations.
>
> regards,
> Ankur
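Two of Eddie's points, the index being abandoned past a threshold and the lookthrough limit, both leave a trace in the access log, and the check below is an added example (not from the thread or the project): a Python scanner over constructed FDS access-log lines that pairs each SRCH with its RESULT by conn= and op= and reports searches that ran unindexed (notes=U; newer 389-ds releases also emit notes=A), searches cut off by nsslapd-lookthroughlimit (err=11, adminLimitExceeded) and searches whose etime reaches a threshold. The log layout, the notes= and err= conventions and the sample lines are assumptions of the example. The threshold attribute Eddie could not recall is, to my knowledge, nsslapd-allidsthreshold in the ldbm database configuration, the one that needs a reindex after a change; whether to raise it or to add an index for a flagged filter is the decision this report feeds.

```python
"""Added example: scan Fedora DS access-log lines for searches that ran
unindexed, searches cut off by the lookthrough limit, and slow searches.

Assumptions (not from the thread): the classic access-log layout in which a
SRCH line is followed by a RESULT line sharing conn= and op=; notes=U marking
an unindexed search (newer 389-ds releases also use notes=A); and err=11
(adminLimitExceeded) for a search stopped by nsslapd-lookthroughlimit.
The sample lines are constructed for this example.
"""
import re
from collections import namedtuple

SAMPLE_LOG = """\
[07/Jan/2007:11:26:30 -0500] conn=42 op=7 SRCH base="dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs="uid mail"
[07/Jan/2007:11:26:30 -0500] conn=42 op=7 RESULT err=0 tag=101 nentries=1 etime=0
[07/Jan/2007:11:26:31 -0500] conn=43 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(description=*lib*)" attrs=ALL
[07/Jan/2007:11:26:33 -0500] conn=43 op=2 RESULT err=0 tag=101 nentries=812 etime=2 notes=U
[07/Jan/2007:11:26:40 -0500] conn=44 op=1 SRCH base="ou=People,dc=example,dc=com" scope=1 filter="(objectClass=*)" attrs="cn"
[07/Jan/2007:11:26:41 -0500] conn=44 op=1 RESULT err=11 tag=101 nentries=5000 etime=1 notes=U
[07/Jan/2007:11:26:45 -0500] conn=45 op=3 BIND dn="cn=Directory Manager" method=128 version=3
[07/Jan/2007:11:26:45 -0500] conn=45 op=3 RESULT err=0 tag=97 nentries=0 etime=0
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$'
)
# key=value pairs; quoted values may contain spaces and '=' characters
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

ADMIN_LIMIT_EXCEEDED = 11  # LDAP result code returned when the lookthrough limit is hit

Finding = namedtuple("Finding", "conn op filter nentries etime reasons")


def parse_fields(rest):
    """Turn the tail of a log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(rest)}


def scan_access_log(text, slow_etime=1):
    """Pair SRCH/RESULT lines and return a Finding for every search worth a look."""
    pending = {}   # (conn, op) -> fields of a SRCH line still awaiting its RESULT
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["conn"], m["op"])
        fields = parse_fields(m["rest"])
        if m["kind"] == "SRCH":
            pending[key] = fields
            continue
        if m["kind"] != "RESULT" or key not in pending:
            continue  # results of BIND/ADD/..., or a RESULT with no SRCH seen
        srch = pending.pop(key)
        notes = fields.get("notes", "").split(",")
        etime = float(fields.get("etime", 0))
        reasons = []
        if "U" in notes or "A" in notes:
            reasons.append("unindexed")
        if int(fields.get("err", 0)) == ADMIN_LIMIT_EXCEEDED:
            reasons.append("lookthrough-limit")
        if etime >= slow_etime:
            reasons.append("slow")
        if reasons:
            findings.append(Finding(key[0], key[1], srch.get("filter"),
                                    int(fields.get("nentries", 0)), etime, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"conn={f.conn} op={f.op} filter={f.filter} nentries={f.nentries} "
              f"etime={f.etime} -> {', '.join(f.reasons)}")
```

Run against a real access log, the same filters turning up repeatedly with "unindexed" are the candidates for a new index; a steady stream of "lookthrough-limit" hits means the limit is hiding results from clients rather than protecting the server.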
From ewen.cumming at gmail.com  Mon Jan  8 04:06:01 2007
From: ewen.cumming at gmail.com (Ewen Cumming)
Date: Mon, 8 Jan 2007 17:06:01 +1300
Subject: [Fedora-directory-users] Virtual Views entries only as leaves?
In-Reply-To: <459E9D76.1090204@redhat.com>
References: <7ca6a0ae0701031233h189d0b7bx511b5a2d65230b82@mail.gmail.com> <459E9D76.1090204@redhat.com>
Message-ID: <7ca6a0ae0701072006l6e6cbb28kb9915c64a5d10d21@mail.gmail.com>

Hi Pete,

Thanks for the reply, here is the LDIF of my test tree:

dn: dc=test
dc: test
objectClass: top
objectClass: dcobject

dn: ou=view,dc=test
objectClass: top
objectClass: organizationalunit
objectClass: nsview
ou: view

dn: ou=entries,dc=test
ou: entries
objectClass: top
objectClass: organizationalunit

dn: o=org1,ou=entries,dc=test
o: org1
objectClass: top
objectClass: organization

dn: o=org2,ou=entries,dc=test
o: org2
objectClass: top
objectClass: organization

dn: o=org3,ou=entries,dc=test
o: org3
objectClass: top
objectClass: organization

dn: ou=group,ou=view,dc=test
ou: group
objectClass: top
objectClass: organizationalunit
objectClass: nsview

dn: ou=subgroup,ou=group,ou=view,dc=test
ou: subgroup
objectClass: top
objectClass: organizationalunit
objectClass: nsview
nsViewFilter: (|(o=org1)(o=org2))

That works OK, however when I add an 'nsViewFilter: (o=org3)' attribute to ou=group, org3 displays correctly as a virtual entry under ou=group but ou=subgroup stops displaying org1 and org2 as virtual entries.

Any ideas?

Thanks,
Ewen

On 1/6/07, Pete Rowley wrote:
> Ewen Cumming wrote:
> >
> > dc=root
> > - ou=view
> > - - ou=group
> > - - - ou=subgroup
> > - - - - o=org1
> > - - - - o=org2
> > - - - o=org3
> > - ou=entries
> > - - o=org1
> > - - o=org2
> > - - o=org3
> >
> > In the virtual view ou=group contains both ou=subgroup (with its own
> > virtual entries org1&2) and a virtual entry (org3) of its own. At the
> > moment I only seem able to get the deepest OU to display virtual
> > entries (ou=subgroup in this example).
> >
> > Does anyone know if what I am trying is possible or are virtual
> > entries only able to be added at the deepest container?
> >
> You should be able to do that. Are you sure that the o=org3 entry
> doesn't match the filter in ou=subgroup? Also, do all three entries
> ou=view, ou=group, ou=subgroup have the objectclass nsview?
>
> --
> Pete

From sigid.wahyu at gmail.com  Mon Jan  8 04:12:22 2007
From: sigid.wahyu at gmail.com (sigid@JINLab)
Date: Mon, 08 Jan 2007 11:12:22 +0700
Subject: [Fedora-directory-users] adding some object and attribute
Message-ID: <45A1C4A6.4050706@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Members,

How to add some additional objects and attributes to all/some existing users on FDS instead of opening and adding one by one on the FDS console?

thanks
swu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD4DBQFFocSla2bg8QmXta0RAqpWAJ4kEwMkQrvffsvC9d8mESAkzjs81QCYx+fR
hErUJK0BrkblhlJ5zcvqJA==
=gbzX
-----END PGP SIGNATURE-----

From dan.hawker at astrium.eads.net  Mon Jan  8 14:54:36 2007
From: dan.hawker at astrium.eads.net (HAWKER, Dan)
Date: Mon, 8 Jan 2007 14:54:36 -0000
Subject: [Fedora-directory-users] FDS, SNMP & Cacti...
Message-ID: <7F6B06837A5DBD49AC6E1650EFF54906012231BE@auk52177.ukr.astrium.corp>

> > Hi Richard,
> >
> > I'll give it a go. I'm no SNMP or Cacti guru in any way, but
> > it was thankfully quite simple to setup and I managed to get
> > it to work, so it can't be that tricky :)

All,

Have created a quick and dirty Howto for SNMP Monitoring on the wiki (http://directory.fedora.redhat.com/wiki/Howto:SNMPMonitoring) as requested by Richard.
Am hoping it's OK, but no doubt there will be omissions and errors :)

Enjoy

Dan
--
Dan Hawker
Linux System Administrator
Astrium
--
This email (including any attachments) may contain confidential and/or privileged information or information otherwise protected from disclosure. If you are not the intended recipient, please notify the sender immediately, do not copy this message or any attachments and do not use it for any purpose or disclose its content to any person, but delete this message and any attachments from your system. Astrium disclaims any and all liability if this email transmission was virus corrupted, altered or falsified.
---------------------------------------------------------------------
Astrium Limited, Registered in England and Wales No. 2449259
Registered Office: Gunnels Wood Road, Stevenage, Hertfordshire, SG1 2AS, England

From dan.hawker at astrium.eads.net  Mon Jan  8 16:20:27 2007
From: dan.hawker at astrium.eads.net (HAWKER, Dan)
Date: Mon, 8 Jan 2007 16:20:27 -0000
Subject: [Fedora-directory-users] FDS, SNMP & Cacti...
Message-ID: <7F6B06837A5DBD49AC6E1650EFF54906012231C2@auk52177.ukr.astrium.corp>

Hmmm, had a bounce back from this address. Will try it again and forward to the FDS list also...

#####

Hi Richard,

As requested please find attached a tarball with my template and its accompanying perl script. If you can pop that onto the wiki so that I can link to it, that'd be great.

Regarding a Howto:SNMPMonitoring, have rustled up a quick one on the wiki. Should be at http://directory.fedora.redhat.com/wiki/Howto:SNMPMonitoring

Think it's all there, but no doubt there will be omissions and errors :)

Thanks

Dan
--
Dan Hawker
Linux System Administrator
Astrium

-------------- next part --------------
Astrium Security Policy
File fds_cacti_template.tar.gz(openldap_response_time.pl) has been removed because this file type may be used to transmit viruses.
If you believe this is a valid attachment from a known and trusted source:
* Non Astrium recipients should contact the sender
* The Astrium sender/recipient should contact their helpdesk
Please include this notice and reference code. [Ref:CA1-GBL-FEMP]

From koippa at gmail.com  Mon Jan  8 16:43:10 2007
From: koippa at gmail.com (Kimmo Koivisto)
Date: Mon, 8 Jan 2007 18:43:10 +0200
Subject: [Fedora-directory-users] FDS, SNMP & Cacti...
In-Reply-To: <7F6B06837A5DBD49AC6E1650EFF54906012231C2@auk52177.ukr.astrium.corp>
References: <7F6B06837A5DBD49AC6E1650EFF54906012231C2@auk52177.ukr.astrium.corp>
Message-ID: <200701081843.11139.koippa@gmail.com>

On Monday 08 January 2007 18:20, HAWKER, Dan wrote:
> Hmmm, had a bounce back from this address. Will try it again and forward to
> the FDS list also...

Dan, I did not see any attached files, it seems that your company filters out the tarball:

> File fds_cacti_template.tar.gz(openldap_response_time.pl) has been removed because this file type may be used to transmit viruses.

Can you rename your tarball and resend it?

Regards
Kimmo

> #####
>
> Hi Richard,
>
> As requested please find attached a tarball with my template and its
> accompanying perl script. If you can pop that onto the wiki so that I can
> link to it, that'd be great.
>
> Regarding a Howto:SNMPMonitoring, have rustled up a quick one on the wiki.
> Should be at http://directory.fedora.redhat.com/wiki/Howto:SNMPMonitoring
>
> Think it's all there, but no doubt there will be omissions and errors :)
>
> Thanks
>
> Dan
> --
>
> Dan Hawker
> Linux System Administrator
> Astrium

From glenn at mail.txwes.edu  Mon Jan  8 17:03:02 2007
From: glenn at mail.txwes.edu (Glenn)
Date: Mon, 8 Jan 2007 11:03:02 -0600
Subject: [Fedora-directory-users] Windows Sync Errors
In-Reply-To: <459EDE73.2080804@boreham.org>
References: <20070102162343.M13292@mail.txwes.edu> <459A8FED.2030001@boreham.org> <20070102205631.M13724@mail.txwes.edu> <20070105224123.M27238@mail.txwes.edu> <20070105231225.GI17454@pmorris.usa.hp.com> <459EDE73.2080804@boreham.org>
Message-ID: <20070108162932.M52355@mail.txwes.edu>

> All you need is to have entries that are 'syncable'. On the FDS side
> this means special objectclass and attribute values. On the AD side it only
> means having the entries in the container configured in the sync agreement.

If I have entries in DS that do not exist in AD, and I "Initiate Full Re-synchronization", then these entries should be created in AD, correct? And if so, they should be 'syncable'?

But this does not happen in my case. Entries created in DS are rejected with the error messages,

windows_replay_update: Looking at add operation local dn="uid=fprefect,ou=People,o=txwes.edu" (not ours,not user,not group)

and

windows_process_total_entry: Looking dn="uid=fprefect,ou=People,o=txwes.edu" (not ours)

So I guess the question now is, what special object classes or attribute values do I need to add to a DS entry in order to make it replicate to AD?
Here is what the DS entry looks like now as exported to ldif:

dn: uid=fprefect,ou=People,o=txwes.edu
telephoneNumber: 817-555-4000
mail: frprefect at ad.txwesleyan.edu
uid: fprefect
givenName: Ford
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Prefect
cn: Ford Prefect
creatorsname: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
modifiersname: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
createtimestamp: 20070108161609Z
modifytimestamp: 20070108161609Z
nsuniqueid: 7608d381-1dd211b2-802a98a3-2f8c0000
parentid: 1352
entryid: 1914
entrydn: uid=fprefect,ou=people,o=txwes.edu
numsubordinates: 0
subschemasubentry: cn=schema
hassubordinates: FALSE

From stpierre at NebrWesleyan.edu  Mon Jan  8 17:20:43 2007
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Mon, 8 Jan 2007 11:20:43 -0600 (CST)
Subject: [Fedora-directory-users] Announcing FDSGraph v0.2
Message-ID:

I'm happy to announce the release of FDSGraph v0.2. The only major change is support for graphing TLS connections in addition to plaintext and SSL.

FDSGraph also has a new home at LinuxLaboratory.org thanks to Brian K. Jones.

Download: http://www.linuxlaboratory.org/?q=node/60

Original v0.1 announcement: http://www.mail-archive.com/fedora-directory-users at redhat.com/msg03832.html

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

From skonstant at sgul.ac.uk  Mon Jan  8 17:36:18 2007
From: skonstant at sgul.ac.uk (Stéphane Konstantaropoulos)
Date: Mon, 08 Jan 2007 17:36:18 +0000
Subject: [Fedora-directory-users] big searches don't return anything
Message-ID: <200701081736.19011.skonstant@sgul.ac.uk>

Hello,

I am moving our old Sun One setup to Fedora Directory server and I am pretty impressed.

Just one thing does not work: searches that find a lot of entries:

e.g. if I search for "smith", nothing comes back, no error either (from the console). I have around 10 000 users, so I'd say there are a lot of Smiths since this is London...

However, if I make the search more precise, like "John Smith", it returns the results.

It must have something to do with search limits, I tried a couple of things in the console but no result at all.

I think I remember a param called "admin limit" but I cannot find it in the console. I tuned "lookthrough limit" and "size limit" with no luck.

Any ideas?

This is FDS 1.0.4 running on Fedora Core 6, x86_64.

Thanks for helping,
--
Stéphane Konstantaropoulos
-- Web Developer - Computing Services
--- St George's University of London

From david_list at boreham.org  Mon Jan  8 17:46:26 2007
From: david_list at boreham.org (David Boreham)
Date: Mon, 08 Jan 2007 10:46:26 -0700
Subject: [Fedora-directory-users] Windows Sync Errors
In-Reply-To: <20070108162932.M52355@mail.txwes.edu>
References: <20070102162343.M13292@mail.txwes.edu> <459A8FED.2030001@boreham.org> <20070102205631.M13724@mail.txwes.edu> <20070105224123.M27238@mail.txwes.edu> <20070105231225.GI17454@pmorris.usa.hp.com> <459EDE73.2080804@boreham.org> <20070108162932.M52355@mail.txwes.edu>
Message-ID: <45A28372.2090402@boreham.org>

Glenn wrote:
>> All you need is to have entries that are 'syncable'. On the FDS side
>> this means special objectclass and attribute values. On the AD side it only
>> means having the entries in the container configured in the sync agreement.
>
> If I have entries in DS that do not exist in AD, and I "Initiate Full Re-
> synchronization", then these entries should be created in AD, correct?
>
Incorrect. As I said, they need very particular schema to be sync'ed (entries from AD to FDS will be sync'ed even if they only have basic AD schema though). There is a bit of doc on this here:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2859623

The easiest route might be for you to create a test user using the java console (make it an 'nt user') and then copy the object class and attributes from that.

From rmeggins at redhat.com  Mon Jan  8 17:58:45 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 08 Jan 2007 10:58:45 -0700
Subject: [Fedora-directory-users] big searches don't return anything
In-Reply-To: <200701081736.19011.skonstant@sgul.ac.uk>
References: <200701081736.19011.skonstant@sgul.ac.uk>
Message-ID: <45A28655.1090005@redhat.com>

Stéphane Konstantaropoulos wrote:
> Hello,
>
> I am moving our old Sun One setup to Fedora Directory server and I am pretty
> impressed.
>
> Just one thing does not work: searches that find a lot of entries:
>
> e.g. if I search for "smith", nothing comes back, no error either (from the
> console). I have around 10 000 users, so I'd say there are a lot of Smiths
> since this is London...
>
> However, if I make the search more precise, like "John Smith", it returns the
> results.
>
> It must have something to do with search limits, I tried a couple of things in
> the console but no result at all.
>
> I think I remember a param called "admin limit" but I cannot find it in the
> console. I tuned "lookthrough limit" and "size limit" with no luck.
>
http://www.redhat.com/docs/manuals/dir-server/pdf/ds71cli.pdf
Look for nsslapd-sizelimit, nsslapd-timelimit, and nsslapd-lookthroughlimit

Also, please post the RESULT line from the access log for these searches which do not return results.

> Any ideas?
>
> This is FDS 1.0.4 running on Fedora Core 6, x86_64.
>
> Thanks for helping,
>

From stpierre at NebrWesleyan.edu  Mon Jan  8 18:26:46 2007
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Mon, 8 Jan 2007 12:26:46 -0600 (CST)
Subject: [Fedora-directory-users] Announcing FDSGraph v0.2
In-Reply-To:
References:
Message-ID:

The download link has been fixed. Oops. :)

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

On Mon, 8 Jan 2007, Chris St. Pierre wrote:
> I'm happy to announce the release of FDSGraph v0.2. The only major
> change is support for graphing TLS connections in addition to
> plaintext and SSL.
>
> FDSGraph also has a new home at LinuxLaboratory.org thanks to Brian
> K. Jones.
>
> Download: http://www.linuxlaboratory.org/?q=node/60
>
> Original v0.1 announcement:
> http://www.mail-archive.com/fedora-directory-users at redhat.com/msg03832.html
>
> Chris St. Pierre
> Unix Systems Administrator
> Nebraska Wesleyan University

From prowley at redhat.com  Mon Jan  8 18:56:55 2007
From: prowley at redhat.com (Pete Rowley)
Date: Mon, 08 Jan 2007 10:56:55 -0800
Subject: [Fedora-directory-users] Virtual Views entries only as leaves?
In-Reply-To: <7ca6a0ae0701072006l6e6cbb28kb9915c64a5d10d21@mail.gmail.com>
References: <7ca6a0ae0701031233h189d0b7bx511b5a2d65230b82@mail.gmail.com> <459E9D76.1090204@redhat.com> <7ca6a0ae0701072006l6e6cbb28kb9915c64a5d10d21@mail.gmail.com>
Message-ID: <45A293F7.3000206@redhat.com>

Ewen Cumming wrote:
> That works OK, however when I add an 'nsViewFilter: (o=org3)'
> attribute to ou=group, org3 displays correctly as a virtual entry
> under ou=group but ou=subgroup stops displaying org1 and org2 as
> virtual entries.
>
> Any ideas?
Yes :) You have misunderstood how views work a little. Each view with a filter restricts the descendant entries that may exist in the hierarchy, so the higher view filters should be general like o=finance, then the next level might be (o=Purchasing) with a peer (o=Sales), a third level under the latter might contain (o=USA Sales) and (o=Canada Sales). Each time you add a sub-view with a view filter it will remove those entries that match from the parent and begin displaying them in the sub-view. To get what you are after you would need to add something like (o=*) or (|((o=org1)(o=org2)(o=org3))) to the ou=group entry.

--
Pete

From ulf.weltman at hp.com  Mon Jan  8 19:12:05 2007
From: ulf.weltman at hp.com (Ulf Weltman)
Date: Mon, 08 Jan 2007 11:12:05 -0800
Subject: [Fedora-directory-users] How to detect if user password has expired?
In-Reply-To: <530808.98251.qm@web54104.mail.yahoo.com>
References: <530808.98251.qm@web54104.mail.yahoo.com>
Message-ID: <45A29785.2020107@hp.com>

The expiration time is stored as the passwordexpirationtime attribute in generalized time format. You could search for users with an expiration time of less than the current time, like "(passwordexpirationtime<=20070108190000Z)".

Ulf

Ankur Agarwal wrote:
> Hi,
>
> Is there any in-built attribute that can tell me if a user's password has
> expired?
>
> I do get an appropriate exception if I try to authenticate such a user
> but I want to identify such users by looking at their saved profile data.
>
> regards,
> Ankur

From ewen.cumming at gmail.com  Mon Jan  8 20:25:26 2007
From: ewen.cumming at gmail.com (Ewen Cumming)
Date: Tue, 9 Jan 2007 09:25:26 +1300
Subject: [Fedora-directory-users] Virtual Views entries only as leaves?
In-Reply-To: <45A293F7.3000206@redhat.com>
References: <7ca6a0ae0701031233h189d0b7bx511b5a2d65230b82@mail.gmail.com> <459E9D76.1090204@redhat.com> <7ca6a0ae0701072006l6e6cbb28kb9915c64a5d10d21@mail.gmail.com> <45A293F7.3000206@redhat.com>
Message-ID: <7ca6a0ae0701081225u591b6c3bj5b78aac68aea996c@mail.gmail.com>

Yes! It works :)

Big thanks for the help Pete.

Ewen

On 1/9/07, Pete Rowley wrote:
> Ewen Cumming wrote:
> > That works OK, however when I add an 'nsViewFilter: (o=org3)'
> > attribute to ou=group, org3 displays correctly as a virtual entry
> > under ou=group but ou=subgroup stops displaying org1 and org2 as
> > virtual entries.
> >
> > Any ideas?
> Yes :) You have misunderstood how views work a little. Each view with a
> filter restricts the descendant entries that may exist in the hierarchy,
> so the higher view filters should be general like o=finance, then the
> next level might be (o=Purchasing) with a peer (o=Sales), a third level
> under the latter might contain (o=USA Sales) and (o=Canada Sales). Each
> time you add a sub-view with a view filter it will remove those entries
> that match from the parent and begin displaying them in the sub-view. To
> get what you are after you would need to add something like (o=*) or
> (|((o=org1)(o=org2)(o=org3))) to the ou=group entry.
>
> --
> Pete

From glenn at mail.txwes.edu  Mon Jan  8 20:32:07 2007
From: glenn at mail.txwes.edu (Glenn)
Date: Mon, 8 Jan 2007 14:32:07 -0600
Subject: [Fedora-directory-users] Windows Sync Errors
In-Reply-To: <45A28372.2090402@boreham.org>
References: <20070102162343.M13292@mail.txwes.edu> <459A8FED.2030001@boreham.org> <20070102205631.M13724@mail.txwes.edu> <20070105224123.M27238@mail.txwes.edu> <20070105231225.GI17454@pmorris.usa.hp.com> <459EDE73.2080804@boreham.org> <20070108162932.M52355@mail.txwes.edu> <45A28372.2090402@boreham.org>
Message-ID: <20070108191744.M52695@mail.txwes.edu>

O.K., I think I have it now. It seems that the DS entry must have an "ntUserDomainID" attribute before Windows Sync can write it to the AD. Also, the "ntusercreatenewaccount" attribute must have a value of true. These attributes and their values can be adjusted in the console directory editor under each user's NT User page.

Some attributes and their counterparts in Active Directory are mentioned in the Windows Sync manual, but the requirements for synchronization are not plainly enumerated. Such a list might make a worthwhile addition to a future edition of the manual.

Thanks for your kind responses! -Glenn.

---------- Original Message -----------
From: David Boreham
To: "General discussion list for the Fedora Directory server project."
Sent: Mon, 08 Jan 2007 10:46:26 -0700
Subject: Re: [Fedora-directory-users] Windows Sync Errors

> Glenn wrote:
>
> >> All you need is to have entries that are 'syncable'.
> >> On the FDS side this means
> >> special objectclass and attribute values. On the AD side it only
> >> means having the entries in the container configured in the sync agreement.
> >>
> >>
> >
> > If I have entries in DS that do not exist in AD, and I "Initiate Full Re-
> > synchronization", then these entries should be created in AD, correct?
> >
> Incorrect. As I said, they need very particular schema to be sync'ed
> (entries from AD to FDS will be sync'ed even if they only have basic
> AD schema though). There is a bit of doc on this here:
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2859623
> The easiest route might be for you to create a test user using the java console
> (make it an 'nt user') and then copy the object class and attributes
> from that.
------- End of Original Message -------

From glenn at mail.txwes.edu  Mon Jan  8 22:31:36 2007
From: glenn at mail.txwes.edu (Glenn)
Date: Mon, 8 Jan 2007 16:31:36 -0600
Subject: [Fedora-directory-users] Windows Sync Errors
In-Reply-To: <20070108191744.M52695@mail.txwes.edu>
References: <20070102162343.M13292@mail.txwes.edu> <459A8FED.2030001@boreham.org> <20070102205631.M13724@mail.txwes.edu> <20070105224123.M27238@mail.txwes.edu> <20070105231225.GI17454@pmorris.usa.hp.com> <459EDE73.2080804@boreham.org> <20070108162932.M52355@mail.txwes.edu> <45A28372.2090402@boreham.org> <20070108191744.M52695@mail.txwes.edu>
Message-ID: <20070108223014.M69553@mail.txwes.edu>

One more entry is required -- objectclass: ntuser

-Glenn.

---------- Original Message -----------
From: "Glenn"
To: david_list at boreham.org, "General discussion list for the Fedora Directory server project."
Sent: Mon, 8 Jan 2007 14:32:07 -0600
Subject: Re: [Fedora-directory-users] Windows Sync Errors

> O.K., I think I have it now. It seems that the DS entry must have
> an "ntUserDomainID" attribute before Windows Sync can write it to
> the AD. Also, the "ntusercreatenewaccount" attribute must have a
> value of true. These attributes and their values can be adjusted in
> the console directory editor under each user's NT User page.
>
> Some attributes and their counterparts in Active Directory are
> mentioned in the Windows Sync manual, but the requirements for
> synchronization are not plainly enumerated. Such a list might make
> a worthwhile addition to a future edition of the manual.
>
> Thanks for your kind responses! -Glenn.
>
> ---------- Original Message -----------
> From: David Boreham
> To: "General discussion list for the Fedora Directory server
> project."
> Sent: Mon, 08 Jan 2007 10:46:26 -0700
> Subject: Re: [Fedora-directory-users] Windows Sync Errors
>
> > Glenn wrote:
> >
> > >> All you need is to have entries that are 'syncable'. On the FDS side
> > >> this means
> > >> special objectclass and attribute values. On the AD side it only
> > >> means having the entries in the container configured in the sync
> > >> agreement.
> > >>
> > >>
> > >
> > > If I have entries in DS that do not exist in AD, and I "Initiate Full Re-
> > > synchronization", then these entries should be created in AD, correct?
> > >
> > Incorrect. As I said, they need very particular schema to be sync'ed
> > (entries from AD to FDS will be sync'ed even if they only have basic
> > AD schema though). There is a bit of doc on this here:
> > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2859623
> > The easiest route might be for you to create a test user using the java console
> > (make it an 'nt user') and then copy the object class and attributes
> > from that.
> ------- End of Original Message -------
------- End of Original Message -------

From Justin.Crawford at cusys.edu  Tue Jan  9 01:10:49 2007
From: Justin.Crawford at cusys.edu (Justin Crawford)
Date: Mon, 8 Jan 2007 18:10:49 -0700
Subject: [Fedora-directory-users] passwordRetryCount Manipulations
In-Reply-To: <459E794F.2030307@redhat.com>
Message-ID: <7315857F21D51B449CC55ADE3A5683182C00A9@ex2k3.ad.cusys.edu>

Howdy-

I have noticed something unexpected. Setting "passwordRetryCount" programmatically (e.g. with ldapmodify) to some value higher than our limit (say, 10) causes an account to be locked, right? Well, yes, but only after that account has been locked at least once the old-fashioned way, by trying to bind too many times with a bad password. Brand new accounts* that've never been locked the old-fashioned way do not mind a passwordRetryCount of 1000; these accounts can bind successfully, and their passwordRetryCount gets set to 0.

Does this make sense? If so, what's the additional attribute involved in locking, and what are its potential values?

Thanks!

Justin

*Created with minimal attributes using ruby's net/ldap library.

From dan.hawker at astrium.eads.net  Tue Jan  9 10:16:37 2007
From: dan.hawker at astrium.eads.net (HAWKER, Dan)
Date: Tue, 9 Jan 2007 10:16:37 -0000
Subject: [Fedora-directory-users] FDS, SNMP & Cacti...
Message-ID: <7F6B06837A5DBD49AC6E1650EFF54906012231C8@auk52177.ukr.astrium.corp>

Hmmm, nice :)

Will resubmit...
Dan

> -----Original Message-----
> From: Kimmo Koivisto [mailto:koippa at gmail.com]
> Sent: Monday, January 08, 2007 4:43 PM
> To: fedora-directory-users at redhat.com
> Cc: HAWKER, Dan
> Subject: Re: [Fedora-directory-users] FDS, SNMP & Cacti...
>
>
> On Monday 08 January 2007 18:20, HAWKER, Dan wrote:
> > Hmmm, had a bounce back from this address. Will try it again and
> > forward to the FDS list also...
>
> Dan, I did not see any attached files, it seems that your
> company filters out the tarball:
>
> > File fds_cacti_template.tar.gz(openldap_response_time.pl) has been
> > removed because this file type may be used to transmit viruses.
>
> Can you rename your tarball and resend it?
>
> Regards
> Kimmo
>
> > #####
> >
> > Hi Richard,
> >
> > As requested please find attached a tarball with my
> > template and its accompanying perl script. If you can pop that onto the wiki
> > so that I can link to it, that'd be great.
> >
> > Regarding a Howto:SNMPMonitoring, have rustled up a quick
> > one on the wiki. Should be at
> > http://directory.fedora.redhat.com/wiki/Howto:SNMPMonitoring
> >
> > Think it's all there, but no doubt there will be omissions
> > and errors :)
> >
> > Thanks
> >
> > Dan
> > --
> >
> > Dan Hawker
> > Linux System Administrator
> > Astrium

From skonstant at sgul.ac.uk  Tue Jan  9 11:23:36 2007
From: skonstant at sgul.ac.uk (Stéphane Konstantaropoulos)
Date: Tue, 09 Jan 2007 11:23:36 +0000
Subject: [Fedora-directory-users] big searches don't return anything
In-Reply-To: <45A28655.1090005@redhat.com>
References: <200701081736.19011.skonstant@sgul.ac.uk> <45A28655.1090005@redhat.com>
Message-ID: <200701091123.40837.skonstant@sgul.ac.uk>

On Monday 08 January 2007 17:58, Richard Megginson wrote:
> Stéphane Konstantaropoulos wrote:
> > Hello,
> >
> > I am moving our old Sun One setup to Fedora Directory server and I am
> > pretty impressed.
> >
> > Just one thing does not work: searches that find a lot of entries:
> >
> > e.g. if I search for "smith", nothing comes back, no error either (from
> > the console). I have around 10 000 users, so I'd say there are a lot of
> > Smiths since this is London...
> >
> > However, if I make the search more precise, like "John Smith", it returns
> > the results.
> >
> > It must have something to do with search limits, I tried a couple of
> > things in the console but no result at all.
> >
> > I think I remember a param called "admin limit" but I cannot find it in
> > the console. I tuned "lookthrough limit" and "size limit" with no luck.
>
> http://www.redhat.com/docs/manuals/dir-server/pdf/ds71cli.pdf
> Look for nsslapd-sizelimit, nsslapd-timelimit, and nsslapd-lookthroughlimit
>
> Also, please post the RESULT line from the access log for these searches
> which do not return results.
>

OK, here is a search log, for a search that does not return anything:

[09/Jan/2007:11:08:15 +0000] conn=914 op=7 SRCH base="o=sghms.ac.uk" scope=2 filter="(|(&(objectClass=person)(cn=*smith*))(&(objectClass=person)(uid=smith)))" attrs=ALL
[09/Jan/2007:11:08:15 +0000] conn=914 op=7 RESULT err=0 tag=101 nentries=0 etime=0

Seems to be no error at all. Size limit is set to 10000, time limit to 3600 and lookthrough to 20000 (is that right? it's on the LDBM plug-in settings).

Does this make sense to anybody?

--
Stéphane Konstantaropoulos
-- Web Developer - Computing Services
--- St George's University of London

From dan.hawker at astrium.eads.net  Tue Jan  9 10:28:53 2007
From: dan.hawker at astrium.eads.net (HAWKER, Dan)
Date: Tue, 9 Jan 2007 10:28:53 -0000
Subject: [Fedora-directory-users] FDS, SNMP & Cacti...
Message-ID: <7F6B06837A5DBD49AC6E1650EFF54906012231C9@auk52177.ukr.astrium.corp>

And another attempt...

Have separated out the three files in the tarball as it seems my company filter was killing the perl script. To use, simply follow the Howto on the wiki, but you'll all need to rename *openldap_response_time.txt* to *openldap_response_time.pl*. The other two files are as required.

Thanks

Dan

#####

Hmmm, had a bounce back from this address. Will try it again and forward to the FDS list also...

#####

Hi Richard,

As requested please find attached a tarball with my template and its accompanying perl script. If you can pop that onto the wiki so that I can link to it, that'd be great.

Regarding a Howto:SNMPMonitoring, have rustled up a quick one on the wiki. Should be at http://directory.fedora.redhat.com/wiki/Howto:SNMPMonitoring

Think it's all there, but no doubt there will be omissions and errors :)

Thanks

Dan
--
Dan Hawker
Linux System Administrator
Astrium

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openldap_response_time.txt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: README
Type: application/octet-stream
Size: 1194 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cacti_host_template_fedora_directory_server.xml
Type: application/octet-stream
Size: 93003 bytes

From rmeggins at redhat.com  Tue Jan  9 15:26:55 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 09 Jan 2007 08:26:55 -0700
Subject: [Fedora-directory-users] Red Hat capacity planning guidelines
In-Reply-To:
References: <855468.74050.qm@web54105.mail.yahoo.com>
Message-ID: <45A3B43F.8080900@redhat.com>

Eddie C wrote:
> Directory server at least in my usage seems to be fairly light on
> RAM/SWAP usage. I would focus on some other things.
>
> We use a Dell 860: 2 SATA disks, 1 3.6 GHz dual core processor, 2 gigs
> RAM, 4 gigs swap.
>
> 1) Disk: My directory server is using a software mirrored 80 GIG SATA
> disk. I notice the utilization can hit 100% but my iowait is near
> zero. For now it seems to be running fine, but for the next server we
> will end up investing in a RAID system. We are multi-master so a fast
> multidisk stripe or RAID 5 is what we might end up with.
If you want to maximize your disk usage, you should put your database index files on their own separate disk, and put the database transaction logs on their own separate disk.
>
> 2) There is a variable that can only be defined in dse.ldif and
> requires rebuilding the databases if it's changed; the name escapes me.
> But if the number of returned results is higher than a certain number
> it causes directory server to abandon the index. It comes stock at
> 1,000?? but if you are going to be running a huge database and queries
> that return large result sets you should set this variable before
> creating the database. (Sorry, the name totally escapes me.)
nsslapd-sizelimit, nsslapd-timelimit, nsslapd-lookthroughlimit, and possibly http://www.redhat.com/docs/manuals/dir-server/ag/7.1/index1.html#1112653
>
> 3) RAM and processor can hit 6% memory, up to 5% processor. We all
> know this is application/deployment specific. My point from part 1:
> in my deployment disk speed will be the choke point. But in general a
> DB like MySQL seems to really want to consume large amounts of
> memory; it seems like FDS works more on disk. (I could be wrong.)
You want to make FDS cache as much information in RAM as it can. You want to set nsslapd-cachememsize as high as you can, to accommodate the entire database in RAM if possible, without taking any memory away for other uses of RAM in the ns-slapd process or other processes on the machine. See http://www.redhat.com/docs/manuals/dir-server/ag/7.1/dsmanage.html#996824 for starters. You can use the console Status tab under each database to monitor cache usage.
>
> 4) Set your lookthrough limits high, otherwise the server will abandon
> searches that examine too many records, if your DB is big.
>
> In any case we get great performance on a fairly basic hardware platform.
>
> Hope that was helpful,
> Edward
>
>
> On 1/7/07, *Ankur Agarwal* wrote:
>
> Hi,
>
> Are there any capacity planning guidelines available for Red Hat
> directory server?
I am specifically looking for planning my disk > size and RAM requirements based on my userbase and frequent > operations. > > regards, > Ankur > > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam protection around > http://mail.yahoo.com > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From david_list at boreham.org Tue Jan 9 18:50:01 2007 From: david_list at boreham.org (David Boreham) Date: Tue, 09 Jan 2007 11:50:01 -0700 Subject: [Fedora-directory-users] big searches dont return anything In-Reply-To: <200701091123.40837.skonstant@sgul.ac.uk> References: <200701081736.19011.skonstant@sgul.ac.uk> <45A28655.1090005@redhat.com> <200701091123.40837.skonstant@sgul.ac.uk> Message-ID: <45A3E3D9.60504@boreham.org> St?phane Konstantaropoulos wrote: >[09/Jan/2007:11:08:15 +0000] conn=914 op=7 SRCH base="o=sghms.ac.uk" scope=2 >filter="(|(&(objectClass=person)(cn=*smith*))(&(objectClass=person) >(uid=smith)))" attrs=ALL >[09/Jan/2007:11:08:15 +0000] conn=914 op=7 RESULT err=0 tag=101 nentries=0 >etime=0 > >seems to be no error at all. > >size limit is set to 10000, time limit to 3600 and lookthrough to 20000 (is >that right? it's on the LDBM plug-in settings). > >Does this make sense to anybody? > > > Not yet. Can you post a successful search and an example of one of the entries returned ? 
The above log seems to indicate that there really are no target entries in the database, but there could be other explanations such as ACLs preventing their access, database corruption, etc.

From rmeggins at redhat.com Tue Jan 9 19:10:44 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 09 Jan 2007 12:10:44 -0700
Subject: [Fedora-directory-users] FDS, SNMP & Cacti...
In-Reply-To: <7F6B06837A5DBD49AC6E1650EFF54906012231C9@auk52177.ukr.astrium.corp>
References: <7F6B06837A5DBD49AC6E1650EFF54906012231C9@auk52177.ukr.astrium.corp>
Message-ID: <45A3E8B4.9050506@redhat.com>

HAWKER, Dan wrote:
> And another attempt...
>
> Have separated out the three files in the tarball as it seems my company
> filter was killing the perl script.
>
> To use, simply follow the Howto on the wiki, but you'll all need to rename
> openldap_response_time.txt to openldap_response_time.pl. The other two
> files are as required.
>
> Thanks
> Dan

Thank you!

http://directory.fedora.redhat.com/download/README.snmp-cacti
http://directory.fedora.redhat.com/download/openldap_response_time.pl
http://directory.fedora.redhat.com/download/cacti_host_template_fedora_directory_server.xml

> #####
>
> Hmmm, had a bounce back from this address. Will try it again and forward to
> the FDS list also...
>
> #####
>
> Hi Richard,
>
> As requested please find attached a tarball with my template and its
> accompanying perl script. If you can pop that onto the wiki so that I can
> link to it, that'd be great.
>
> Regarding a Howto:SNMPMonitoring, have rustled up a quick one on the wiki.
> Should be at http://directory.fedora.redhat.com/wiki/Howto:SNMPMonitoring
>
> Think it's all there, but no doubt there will be omissions and errors :)
>
> Thanks
>
> Dan
> --
>
> Dan Hawker
> Linux System Administrator
> Astrium
>
>
> #!/usr/bin/perl -w
>
> #====================================================================
> # What's this ?
> #====================================================================
> # Script designed for cacti [ http://www.cacti.net ]
> # Gives the time to do these LDAP operations :
> # - bind (anonymous or not)
> # - RootDSE base search
> # - suffix (found in RootDSE) sub search (20 entries max)
> #
> # Copyright (C) 2005 Clement OUDOT
> # Copyright (C) 2005 LINAGORA
> #
> # This program is free software; you can redistribute it and/or
> # modify it under the terms of the GNU General Public License
> # as published by the Free Software Foundation; either version 2
> # of the License, or (at your option) any later version.
> #
> # This program is distributed in the hope that it will be useful,
> # but WITHOUT ANY WARRANTY; without even the implied warranty of
> # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> # GNU General Public License for more details.
> #
> # You should have received a copy of the GNU General Public License
> # along with this program; if not, write to the Free Software
> # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
> #====================================================================
>
> #====================================================================
> # Modules
> #====================================================================
> use strict;
> use Net::LDAP;
> use Getopt::Std;
> use Time::HiRes qw(gettimeofday);
>
> #====================================================================
> # Configuration
> #====================================================================
> # Command line parameters
> my ($host, $port, $binddn, $bindpw, $timeout, $ldap_version) = &options;
>
> # Name of the Operations branch in monitor
> my $branch = "cn=Operations,cn=Monitor";
>
> #====================================================================
> # options() subroutine
> #====================================================================
> sub options {
>     # Init Options Hash Table
>     my %opts;
>     getopt('hpDWtv', \%opts);
>     &usage unless exists $opts{"h"};
>     $opts{"p"} = 389 unless exists $opts{"p"};
>     $opts{"t"} = 5   unless exists $opts{"t"};
>     $opts{"v"} = 3   unless exists $opts{"v"};
>
>     return ($opts{"h"}, $opts{"p"}, $opts{"D"}, $opts{"W"}, $opts{"t"}, $opts{"v"});
> }
>
> #====================================================================
> # usage() subroutine
> #====================================================================
> sub usage {
>     print STDERR "Usage: $0 -h host [-p port] [-D binddn -W bindpw] [-t timeout] [-v ldap_version]\n";
>     print STDERR "Default values are :\n";
>     print STDERR "\tport: 389\n\tbinddn/bindpw: without (anonymous connection)\n\ttimeout: 5\n\tldap_version: 3\n";
>     exit 1;
> }
>
> #====================================================================
> # Connection to OpenLDAP monitor
> #====================================================================
> # Create LDAP connection
> my $ldap = Net::LDAP->new( $host,
>                            port    => $port,
>                            version => $ldap_version,
>                            timeout => $timeout) or die "Unable to connect to $host on port $port\n";
>
> # Bind (anonymous or not)
> my $bind_time = gettimeofday();
> my $bind;
>
> if ($binddn && $bindpw) {
>     $bind = $ldap->bind($binddn, password => $bindpw);
> } else {
>     $bind = $ldap->bind;
> }
>
> if ($bind->code) {
>     # "U" tells cacti the value is unknown for this poll
>     print "bind:U rootdsesearch:U suffixsearch:U\n";
>     print STDERR "Bind : ".$bind->error."\n";
>     exit 1;
> }
> $bind_time = gettimeofday() - $bind_time;
>
> # RootDSE Search
> my $rootdsesearch_time = gettimeofday();
> my $search = $ldap->search( base      => '',
>                             scope     => 'base',
>                             filter    => 'objectClass=*',
>                             attrs     => ['namingContexts'],
>                             timelimit => "$timeout");
>
> if ($search->code) {
>     print "bind:$bind_time rootdsesearch:U suffixsearch:U\n";
>     $ldap->unbind;
>     print STDERR "Root DSE search : ".$search->error." (code ".$search->code.")\n";
>     exit 1;
> }
> $rootdsesearch_time = gettimeofday() - $rootdsesearch_time;
>
> # Suffix search
> my $suffix = ($search->shift_entry())->get_value('namingContexts');
> my $suffix_time = gettimeofday();
> my $suffix_search = $ldap->search( base      => "$suffix",
>                                    scope     => 'sub',
>                                    filter    => 'objectClass=*',
>                                    attrs     => ['1.1'],
>                                    sizelimit => '20',
>                                    timelimit => "$timeout");
>
> # result code 4 (sizeLimitExceeded) is expected here because of sizelimit => 20
> if ($suffix_search->code && $suffix_search->code != 4) {
>     print "bind:$bind_time rootdsesearch:$rootdsesearch_time suffixsearch:U\n";
>     $ldap->unbind;
>     print STDERR "Suffix search : ".$suffix_search->error." (code ".$suffix_search->code.")\n";
>     exit 1;
> }
> $suffix_time = gettimeofday() - $suffix_time;
>
> # Unbind
> $ldap->unbind;
>
> #====================================================================
> # Print results
> #====================================================================
> print "bind:$bind_time rootdsesearch:$rootdsesearch_time suffixsearch:$suffix_time\n";
>
> #====================================================================
> # Exit
> #====================================================================
> exit 0;
From afreitas at sei.ba.gov.br Tue Jan 9 19:45:34 2007
From: afreitas at sei.ba.gov.br (Agnaldo Freitas)
Date: Tue, 9 Jan 2007 16:45:34 -0300
Subject: [Fedora-directory-users] Trouble with NSS and Fedora-ds
Message-ID: <006301c73426$cce7bf90$2e01a8c0@netuno.intranet>

Hi List!

Ldapsearch returns data from "Fedora-DS" but the "getent group/passwd" and "id user" commands cannot get them. They just get data from "/etc/passwd" and "/etc/group".

What is wrong? Please, can someone help me?

Agnaldo

P.S.: Some configuration files

# /etc/pam.d/system-auth
####################
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so

# /etc/nsswitch.conf
#################
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: files
ethers:     files
netmasks:   files
networks:   files
protocols:  files ldap
rpc:        files
services:   files ldap
netgroup:   files ldap
publickey:  files
automount:  files ldap
aliases:    files

# ldap.conf
#########
host 192.168.2.3
base dc=sei,dc=intranet
bindpw passwd
rootbinddn cn=Directory Manager,dc=sei,dc=intranet
timelimit 50
pam_lookup_policy yes

nss_base_passwd ou=People,dc=sei,dc=intranet?one
nss_base_shadow ou=People,dc=sei,dc=intranet?one
nss_base_group ou=Groups,dc=sei,dc=intranet?one
pam_password exop
ssl off

# /etc/pam.d/login
################
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
#auth      sufficient   /lib/security/pam_ldap.so use_first_pass
#account   sufficient   /lib/security/pam_ldap.so
account    sufficient   pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
# session  required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
# session  required     pam_selinux.so open

[root at netuno1 ~]# strings /lib/libnss_ldap.so.2 | grep conf

From yinyang at eburg.com Wed Jan 10 08:50:39 2007
From: yinyang at eburg.com (Gordon Messmer)
Date: Wed, 10 Jan 2007 00:50:39 -0800
Subject: [Fedora-directory-users] Trouble with NSS and Fedora-ds
In-Reply-To: <006301c73426$cce7bf90$2e01a8c0@netuno.intranet>
References: <006301c73426$cce7bf90$2e01a8c0@netuno.intranet>
Message-ID: <45A4A8DF.7060006@eburg.com>

Agnaldo Freitas wrote:
>
> Ldapsearch returns data from "Fedora-DS" but the "getent group/passwd" and
> "id user" commands cannot get them. They just get data from
> "/etc/passwd" and "/etc/group".
...
> # ldap.conf
> #########
> host 192.168.2.3
> base dc=sei,dc=intranet
> bindpw passwd
> rootbinddn cn=Directory Manager,dc=sei,dc=intranet
> timelimit 50
> pam_lookup_policy yes
>
> nss_base_passwd ou=People,dc=sei,dc=intranet?one
> nss_base_shadow ou=People,dc=sei,dc=intranet?one
> nss_base_group ou=Groups,dc=sei,dc=intranet?one
> pam_password exop
> ssl off

You didn't list a path on this one. It should be /etc/ldap.conf, is it? Is the file readable by the user running "id" and "getent"?

Try removing the rootbinddn and bindpw entries; they usually aren't necessary.

From dan.hawker at astrium.eads.net Wed Jan 10 12:33:59 2007
From: dan.hawker at astrium.eads.net (HAWKER, Dan)
Date: Wed, 10 Jan 2007 12:33:59 -0000
Subject: [Fedora-directory-users] FDS, SNMP & Cacti...
Message-ID: <7F6B06837A5DBD49AC6E1650EFF54906012231CE@auk52177.ukr.astrium.corp>

> Thank you!
>
> http://directory.fedora.redhat.com/download/README.snmp-cacti
> http://directory.fedora.redhat.com/download/openldap_response_time.pl
> http://directory.fedora.redhat.com/download/cacti_host_template_fedora_directory_server.xml
>
> #####

Thanks Richard, have amended the howto to reflect the file locations...

Dan

From skonstant at sgul.ac.uk Wed Jan 10 13:27:17 2007
From: skonstant at sgul.ac.uk (Stéphane Konstantaropoulos)
Date: Wed, 10 Jan 2007 13:27:17 +0000
Subject: [Fedora-directory-users] big searches don't return anything
In-Reply-To: <45A3E3D9.60504@boreham.org>
References: <200701081736.19011.skonstant@sgul.ac.uk> <200701091123.40837.skonstant@sgul.ac.uk> <45A3E3D9.60504@boreham.org>
Message-ID: <200701101327.23002.skonstant@sgul.ac.uk>

On Tuesday 09 Jan 2007 18:50, David Boreham wrote:
> Stéphane Konstantaropoulos wrote:
> > [09/Jan/2007:11:08:15 +0000] conn=914 op=7 SRCH base="o=sghms.ac.uk" scope=2 filter="(|(&(objectClass=person)(cn=*smith*))(&(objectClass=person)(uid=smith)))" attrs=ALL
> > [09/Jan/2007:11:08:15 +0000] conn=914 op=7 RESULT err=0 tag=101 nentries=0 etime=0
> >
> > There seems to be no error at all.
> >
> > Size limit is set to 10000, time limit to 3600 and lookthrough to 20000 (is that right? It's on the LDBM plug-in settings).
> >
> > Does this make sense to anybody?
>
> Not yet. Can you post a successful search and an example of one of the
> entries returned?
> The above log seems to indicate that there really are no target entries
> in the database, but there could be other explanations such as ACLs
> preventing their access, database corruption, etc.

Here you go, I first search on "k", then "ko", then "kon", then "kons" returns results.

Yes, I think my db may be a bit funny, I just deleted all the indexes and tried re-creating them, no change though still. I set timelimit, sizelimit and lookthrough limit to -1, so as to have no limit at all now.

[10/Jan/2007:13:24:26 +0000] conn=24 op=62 SRCH base="o=sghms.ac.uk,o=sghms.ac.uk" scope=2 filter="(|(&(objectClass=person)(cn=*k*))(&(objectClass=person)(uid=k)))" attrs=ALL
[10/Jan/2007:13:24:26 +0000] conn=24 op=62 RESULT err=0 tag=101 nentries=0 etime=0
[10/Jan/2007:13:24:29 +0000] conn=24 op=64 SRCH base="" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsBackendSuffix"
[10/Jan/2007:13:24:29 +0000] conn=24 op=64 RESULT err=0 tag=101 nentries=1 etime=0
[10/Jan/2007:13:24:29 +0000] conn=24 op=65 SRCH base="cn=userRoot,cn=ldbm database, cn=plugins, cn=config" scope=1 filter="(objectClass=vlvSearch)" attrs=ALL
[10/Jan/2007:13:24:29 +0000] conn=24 op=65 RESULT err=0 tag=101 nentries=4 etime=0
[10/Jan/2007:13:24:29 +0000] conn=24 op=66 SRCH base="o=sghms.ac.uk,o=sghms.ac.uk" scope=2 filter="(|(&(objectClass=person)(cn=*kon*))(&(objectClass=person)(uid=kon)))" attrs=ALL
[10/Jan/2007:13:24:29 +0000] conn=24 op=66 RESULT err=0 tag=101 nentries=0 etime=0
[10/Jan/2007:13:24:31 +0000] conn=24 op=67 SRCH base="" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsBackendSuffix"
[10/Jan/2007:13:24:31 +0000] conn=24 op=67 RESULT err=0 tag=101 nentries=1 etime=0
[10/Jan/2007:13:24:31 +0000] conn=24 op=68 SRCH base="cn=userRoot,cn=ldbm database, cn=plugins, cn=config" scope=1 filter="(objectClass=vlvSearch)" attrs=ALL
[10/Jan/2007:13:24:31 +0000] conn=24 op=68 RESULT err=0 tag=101 nentries=4 etime=0
[10/Jan/2007:13:24:31 +0000] conn=24 op=69 SRCH base="o=sghms.ac.uk,o=sghms.ac.uk" scope=2 filter="(|(&(objectClass=person)(cn=*kons*))(&(objectClass=person)(uid=kons)))" attrs=ALL
[10/Jan/2007:13:24:31 +0000] conn=24 op=69 RESULT err=0 tag=101 nentries=4 etime=0

--
Stéphane Konstantaropoulos -- Web Developer - Computing Services --- St George's University of London

From rmeggins at redhat.com Wed Jan 10 15:18:25 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 10 Jan 2007 08:18:25 -0700
Subject: [Fedora-directory-users] big searches don't return anything
In-Reply-To: <200701101327.23002.skonstant@sgul.ac.uk>
References: <200701081736.19011.skonstant@sgul.ac.uk> <200701091123.40837.skonstant@sgul.ac.uk> <45A3E3D9.60504@boreham.org> <200701101327.23002.skonstant@sgul.ac.uk>
Message-ID: <45A503C1.5010605@redhat.com>

Stéphane Konstantaropoulos wrote:
> On Tuesday 09 Jan 2007 18:50, David Boreham wrote:
>> Stéphane Konstantaropoulos wrote:
>>> [09/Jan/2007:11:08:15 +0000] conn=914 op=7 SRCH base="o=sghms.ac.uk" scope=2 filter="(|(&(objectClass=person)(cn=*smith*))(&(objectClass=person)(uid=smith)))" attrs=ALL
>>> [09/Jan/2007:11:08:15 +0000] conn=914 op=7 RESULT err=0 tag=101 nentries=0 etime=0
>>>
>>> There seems to be no error at all.
>>>
>>> Size limit is set to 10000, time limit to 3600 and lookthrough to 20000 (is that right? It's on the LDBM plug-in settings).
>>>
>>> Does this make sense to anybody?
>>
>> Not yet. Can you post a successful search and an example of one of the
>> entries returned?
>> The above log seems to indicate that there really are no target entries
>> in the database, but there could be other explanations such as ACLs
>> preventing their access, database corruption, etc.
>
> Here you go, I first search on "k", then "ko", then "kon", then "kons" returns results.
>
> Yes, I think my db may be a bit funny, I just deleted all the indexes and tried re-creating them, no change though still. I set timelimit, sizelimit and lookthrough limit to -1, so as to have no limit at all now.
>
> [10/Jan/2007:13:24:26 +0000] conn=24 op=62 SRCH base="o=sghms.ac.uk,o=sghms.ac.uk" scope=2 filter="(|(&(objectClass=person)(cn=*k*))(&(objectClass=person)(uid=k)))" attrs=ALL
> [10/Jan/2007:13:24:26 +0000] conn=24 op=62 RESULT err=0 tag=101 nentries=0 etime=0
> [10/Jan/2007:13:24:29 +0000] conn=24 op=64 SRCH base="" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsBackendSuffix"
> [10/Jan/2007:13:24:29 +0000] conn=24 op=64 RESULT err=0 tag=101 nentries=1 etime=0
> [10/Jan/2007:13:24:29 +0000] conn=24 op=65 SRCH base="cn=userRoot,cn=ldbm database, cn=plugins, cn=config" scope=1 filter="(objectClass=vlvSearch)" attrs=ALL
> [10/Jan/2007:13:24:29 +0000] conn=24 op=65 RESULT err=0 tag=101 nentries=4 etime=0
> [10/Jan/2007:13:24:29 +0000] conn=24 op=66 SRCH base="o=sghms.ac.uk,o=sghms.ac.uk" scope=2 filter="(|(&(objectClass=person)(cn=*kon*))(&(objectClass=person)(uid=kon)))" attrs=ALL
> [10/Jan/2007:13:24:29 +0000] conn=24 op=66 RESULT err=0 tag=101 nentries=0 etime=0

Hmm - no unindexed notes in the results. Do you know how many entries match *kon*? How many match *kons*?

> [10/Jan/2007:13:24:31 +0000] conn=24 op=67 SRCH base="" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsBackendSuffix"
> [10/Jan/2007:13:24:31 +0000] conn=24 op=67 RESULT err=0 tag=101 nentries=1 etime=0
> [10/Jan/2007:13:24:31 +0000] conn=24 op=68 SRCH base="cn=userRoot,cn=ldbm database, cn=plugins, cn=config" scope=1 filter="(objectClass=vlvSearch)" attrs=ALL
> [10/Jan/2007:13:24:31 +0000] conn=24 op=68 RESULT err=0 tag=101 nentries=4 etime=0
> [10/Jan/2007:13:24:31 +0000] conn=24 op=69 SRCH base="o=sghms.ac.uk,o=sghms.ac.uk" scope=2 filter="(|(&(objectClass=person)(cn=*kons*))(&(objectClass=person)(uid=kons)))" attrs=ALL
> [10/Jan/2007:13:24:31 +0000] conn=24 op=69 RESULT err=0 tag=101 nentries=4 etime=0

From glenn at mail.txwes.edu Wed Jan 10 15:49:59 2007
From: glenn at mail.txwes.edu (Glenn)
Date: Wed, 10 Jan 2007 09:49:59 -0600
Subject: [Fedora-directory-users] Admin server won't start
Message-ID: <20070110154201.M62193@mail.txwes.edu>

I'm trying to restart the admin server from the command line in RHDS 7.1. It shuts down o.k., but it responds to the start-admin command with an error message:

startup failure: could not bind to port 30838 (Address already in use)

This only happens after I connect to the directory server gateway through a web browser using SSL. I can fix it by rebooting the server, but that's not a good option. Is there another way?

Thanks again.
-G.
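The "big searches" thread above is diagnosed entirely from access-log pairs: the SRCH line gives the filter, the RESULT line gives err, nentries and, when the server had to scan rather than use an index, a notes=U marker (what Richard is looking for when he says "no unindexed notes"). The following is an added example, not code from the list or from Fedora Directory Server: a small Python parser that pairs SRCH and RESULT lines by conn/op and applies those checks. The sample lines are the ones posted in the thread, re-joined onto single lines, plus one constructed search whose RESULT carries notes=U.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample input, constructed for this example: the first four lines are the
# access-log lines posted in the thread above (filter re-joined onto one line);
# the last two are a constructed search whose RESULT carries notes=U, the
# marker Fedora/389 Directory Server writes when a search was unindexed.
SAMPLE_LOG = """\
[09/Jan/2007:11:08:15 +0000] conn=914 op=7 SRCH base="o=sghms.ac.uk" scope=2 filter="(|(&(objectClass=person)(cn=*smith*))(&(objectClass=person)(uid=smith)))" attrs=ALL
[09/Jan/2007:11:08:15 +0000] conn=914 op=7 RESULT err=0 tag=101 nentries=0 etime=0
[10/Jan/2007:13:24:31 +0000] conn=24 op=69 SRCH base="o=sghms.ac.uk,o=sghms.ac.uk" scope=2 filter="(|(&(objectClass=person)(cn=*kons*))(&(objectClass=person)(uid=kons)))" attrs=ALL
[10/Jan/2007:13:24:31 +0000] conn=24 op=69 RESULT err=0 tag=101 nentries=4 etime=0
[10/Jan/2007:13:30:00 +0000] conn=31 op=2 SRCH base="o=sghms.ac.uk" scope=2 filter="(description=*audit*)" attrs=ALL
[10/Jan/2007:13:30:00 +0000] conn=31 op=2 RESULT err=0 tag=101 nentries=250 etime=7 notes=U
"""

# Every access-log line starts with a timestamp, conn and op. The (conn, op)
# pair is what ties a RESULT back to its SRCH, because on a busy connection
# other operations interleave between the two lines.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<kind>SRCH|RESULT) (?P<rest>.*)$'
)
SRCH_RE = re.compile(
    r'^base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>.*)" attrs=(?P<attrs>.*)$'
)
RESULT_RE = re.compile(
    r'^err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<nentries>\d+) etime=(?P<etime>[\d.]+)(?P<tail>.*)$'
)


def parse_access_log(text: str) -> List[Dict[str, object]]:
    """Pair each SRCH with its RESULT (keyed on conn/op) and return one record
    per completed search. Searches without a RESULT yet are dropped, as are
    RESULT lines for non-search operations (binds, mods) and for searches
    whose SRCH line is not in the text (e.g. rotated into an older file)."""
    pending: Dict[Tuple[str, str], Dict[str, object]] = {}
    completed: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m['conn'], m['op'])
        if m['kind'] == 'SRCH':
            s = SRCH_RE.match(m['rest'])
            if s:
                pending[key] = {
                    'ts': m['ts'], 'conn': int(m['conn']), 'op': int(m['op']),
                    'base': s['base'], 'scope': int(s['scope']),
                    'filter': s['filter'], 'attrs': s['attrs'],
                }
        else:
            r = RESULT_RE.match(m['rest'])
            search = pending.pop(key, None)
            if r is None or search is None:
                continue
            search.update({
                'err': int(r['err']),
                'nentries': int(r['nentries']),
                'etime': float(r['etime']),
                # notes=U follows etime; newer releases add other notes, so
                # test for the token rather than comparing the whole tail.
                'unindexed': 'notes=U' in r['tail'].split(),
            })
            completed.append(search)
    return completed


def diagnose(rec: Dict[str, object]) -> Optional[str]:
    """Apply the checks the thread works through: a non-zero err, an unindexed
    search, or a substring filter that silently matched nothing (err=0,
    nentries=0), which is the symptom discussed above. None means healthy."""
    if rec['err'] != 0:
        return f"err={rec['err']}: client saw an LDAP error"
    if rec['unindexed']:
        return 'notes=U: unindexed search, scanned entries up to the lookthrough limit'
    if rec['nentries'] == 0 and '*' in str(rec['filter']):
        return ('substring filter returned err=0 with nentries=0: '
                'check the data, ACLs, or index consistency (reindex)')
    return None


def suspicious_searches(text: str) -> List[Tuple[int, int, str]]:
    """Return (conn, op, reason) for every paired search that fails a check."""
    out: List[Tuple[int, int, str]] = []
    for rec in parse_access_log(text):
        reason = diagnose(rec)
        if reason is not None:
            out.append((int(rec['conn']), int(rec['op']), reason))
    return out


if __name__ == '__main__':
    for conn, op, reason in suspicious_searches(SAMPLE_LOG):
        print(f'conn={conn} op={op}: {reason}')
```

Run it against a real access log with `suspicious_searches(open(path).read())`; the op=66/op=69 pair from the thread is the case where the zero-result check fires on one prefix and not on a longer one, which is what pointed at the index rather than at limits.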
From skonstant at sgul.ac.uk Wed Jan 10 15:54:35 2007 From: skonstant at sgul.ac.uk (=?utf-8?q?St=C3=A9phane_Konstantaropoulos?=) Date: Wed, 10 Jan 2007 15:54:35 +0000 Subject: [Fedora-directory-users] big searches dont return anything In-Reply-To: <45A503C1.5010605@redhat.com> References: <200701081736.19011.skonstant@sgul.ac.uk> <200701101327.23002.skonstant@sgul.ac.uk> <45A503C1.5010605@redhat.com> Message-ID: <200701101554.35938.skonstant@sgul.ac.uk> Le mercredi 10 jan 2007 15:18, Richard Megginson a ?crit?: > St?phane Konstantaropoulos wrote: > > Le mardi 09 jan 2007 18:50, David Boreham a ?crit : > >> St?phane Konstantaropoulos wrote: > >>> [09/Jan/2007:11:08:15 +0000] conn=914 op=7 SRCH base="o=sghms.ac.uk" > >>> scope=2 > >>> filter="(|(&(objectClass=person)(cn=*smith*))(&(objectClass=person) > >>> (uid=smith)))" attrs=ALL > >>> [09/Jan/2007:11:08:15 +0000] conn=914 op=7 RESULT err=0 tag=101 > >>> nentries=0 etime=0 > >>> > >>> seems to be no error at all. > >>> > >>> size limit is set to 10000, time limit to 3600 and lookthrough to 20000 > >>> (is that right? it's on the LDBM plug-in settings). > >>> > >>> Does this make sense to anybody? > >> > >> Not yet. Can you post a successful search and an example of one of the > >> entries returned ? > >> The above log seems to indicate that there really are no target entries > >> in the database, > >> but there could be other explainations such as ACL preventing their > >> access, database corrupt, etc. > > > > Here you go, I first search on "k", then "ko", then "kon", then "kons" > > returns results. > > > > Yes, i think my db may be a bit funny, I just deleted all the indexes and > > tried re-creating them, no change tho still. I set timelimit, sizelimit > > and lookthrough limit to -1, so as to have no limit at all now. 
> > > > [10/Jan/2007:13:24:26 +0000] conn=24 op=62 SRCH > > base="o=sghms.ac.uk,o=sghms.ac.uk" scope=2 > > filter="(|(&(objectClass=person) > > (cn=*k*))(&(objectClass=person)(uid=k)))" attrs=ALL > > [10/Jan/2007:13:24:26 +0000] conn=24 op=62 RESULT err=0 tag=101 > > nentries=0 etime=0 > > [10/Jan/2007:13:24:29 +0000] conn=24 op=64 SRCH base="" scope=0 > > filter="(| (objectClass=*)(objectClass=ldapsubentry))" > > attrs="nsBackendSuffix" [10/Jan/2007:13:24:29 +0000] conn=24 op=64 RESULT > > err=0 tag=101 nentries=1 etime=0 > > [10/Jan/2007:13:24:29 +0000] conn=24 op=65 SRCH base="cn=userRoot,cn=ldbm > > database, cn=plugins, cn=config" scope=1 filter="(objectClass=vlvSearch)" > > attrs=ALL > > [10/Jan/2007:13:24:29 +0000] conn=24 op=65 RESULT err=0 tag=101 > > nentries=4 etime=0 > > [10/Jan/2007:13:24:29 +0000] conn=24 op=66 SRCH > > base="o=sghms.ac.uk,o=sghms.ac.uk" scope=2 > > filter="(|(&(objectClass=person) > > (cn=*kon*))(&(objectClass=person)(uid=kon)))" attrs=ALL > > [10/Jan/2007:13:24:29 +0000] conn=24 op=66 RESULT err=0 tag=101 > > nentries=0 etime=0 > > Hmm - no unindexed notes in the results. Do you know how many entries > match *kon*? How many match *kons*? > "kons" matched 5 entries, "kon" not sure. Anyway, it was definitely a database corruption problem, I emptied the directory and re-populated it with a script I have and now it finds everybody and returns an ADMINLIMIT_EXCEEDED error when it reaches the limit, I set it to no limit now because I have a 40k entries. It'd be nice if it noticed by itself that the db is corrupted. I also tried to delete all the indexes and then re-create them, which it did but that made no difference. Anyway, thanks for helping, -- St?phane Konstantaropoulos -- Web Developer - Computing Services --- St George's University of London -------------- next part -------------- A non-text attachment was scrubbed... 
From shaundai at hotmail.com Wed Jan 10 16:04:23 2007
From: shaundai at hotmail.com (Shaun Daigle)
Date: Wed, 10 Jan 2007 12:04:23 -0400
Subject: [Fedora-directory-users] How to Reset NT4 LDAP Service Password
Message-ID:

We installed the NT4 LDAP Service (ntds.msi) and have followed instructions as per ds71admin.pdf, and we are encountering an issue when authenticating to the LDAP server. Prior to starting the service, we set the password in the usersync.conf file, but it seems that it "did not take". Using various LDAP clients, we receive the following error message when authenticating using "uid=admin,ou=system":

[Error 49] Invalid Credentials
LDAP: error code 49 - Bind failure
org.apache.ldap.common.exception.LdapAuthenticationException

Oddly, when binding anonymously, we are able to connect normally and browse the contents of the SAM database. We tried authenticating using a number of username/password combinations, but none work. I'm a little worried about being able to bind anonymously... isn't this a security risk? Any way to turn that off?

Reading through the guide, I understand that once started, the only way to change the password is by using an "LDAP Modify Operation". If this is the case, how do we do this? Please advise.

Thanks,
Shaun D

From david_list at boreham.org Wed Jan 10 16:07:06 2007
From: david_list at boreham.org (David Boreham)
Date: Wed, 10 Jan 2007 09:07:06 -0700
Subject: [Fedora-directory-users] big searches dont return anything
In-Reply-To: <200701101554.35938.skonstant@sgul.ac.uk>
References: <200701081736.19011.skonstant@sgul.ac.uk> <200701101327.23002.skonstant@sgul.ac.uk> <45A503C1.5010605@redhat.com> <200701101554.35938.skonstant@sgul.ac.uk>
Message-ID: <45A50F2A.40700@boreham.org>

Stéphane Konstantaropoulos wrote:
> It'd be nice if it noticed by itself that the db is corrupted.

Unfortunately that's something of an AI problem :(

There is some code in the server that can compare the results of an indexed vs an unindexed execution of the same query (used in the past to debug query optimizations). Someone could develop that into a kind of index inconsistency tool. All-out corruption (someone writes random c**p over the database pages) _will_ be detected.

It sounds like you had some inconsistency between the primary and secondary indices. I'm not sure how that could have happened (it shouldn't).

> I also tried to delete all the indexes and then re-create them, which it
> did but that made no difference.

From edlinuxguru at gmail.com Wed Jan 10 17:23:16 2007
From: edlinuxguru at gmail.com (Eddie C)
Date: Wed, 10 Jan 2007 12:23:16 -0500
Subject: [Fedora-directory-users] FDS, SNMP & Cacti...
In-Reply-To: <7F6B06837A5DBD49AC6E1650EFF54906012231B9@auk52177.ukr.astrium.corp>
References: <7F6B06837A5DBD49AC6E1650EFF54906012231B9@auk52177.ukr.astrium.corp>
Message-ID:

I am using cacti 8.6.E. I got this error trying to import the template:

Error: XML: Hash version does not exist.

Should I move to a higher version? Everything else is working well.

Edward

On 1/5/07, HAWKER, Dan wrote:
> > > If anyone wants my ready FDS-ified cacti templates, send me an email and
> > > I'll forward it on. (or is there a special accessories area on the wiki I
> > > can upload it to???).
> >
> > Just send me the files and I'll put them in the download area of the
> > wiki. Would you be interested in creating a Howto:SNMP or Cacti page?
> > Doesn't have to be much, maybe just a few "do this" and "don't do that"
> > with the links to the downloads.
>
> Hi Richard,
>
> I'll give it a go. I'm no SNMP or Cacti guru in any way, but it was
> thankfully quite simple to set up and I managed to get it to work, so it
> can't be that tricky :)
>
> Off home here in the UK, but will wrap up the bits and forward them to you
> next week. They'll probably need some instructions for the uninitiated, so
> I'll have a bash at the how-to also.
>
> Have a good weekend :)
>
> Dan
> --
> Dan Hawker
> Linux System Administrator
> Astrium
From shaundai at hotmail.com Wed Jan 10 17:02:49 2007
From: shaundai at hotmail.com (Shaun Daigle)
Date: Wed, 10 Jan 2007 13:02:49 -0400
Subject: [Fedora-directory-users] How to Reset NT4 LDAP Service Password
Message-ID:

Update: I found this post that shows how to change the default password: http://www.redhat.com/archives/fedora-directory-users/2005-November/msg00184.html, but unfortunately, I am unable to log in as 'uid=admin,ou=system' in order to perform the change. As stated earlier, I am able to bind to the LDAP server anonymously, but I have insufficient rights to change anything. I'm totally locked out of my system. How do I reset it back to normal? Is there a default password for 'uid=admin,ou=system'? I know that for ApacheDS, the default password for 'uid=admin,ou=system' is 'secret'. Is there a similar thing for the NT4 LDAP Service?

Thanks,
Shaun D

From dan.hawker at astrium.eads.net Wed Jan 10 17:43:56 2007
From: dan.hawker at astrium.eads.net (HAWKER, Dan)
Date: Wed, 10 Jan 2007 17:43:56 -0000
Subject: [Fedora-directory-users] FDS, SNMP & Cacti...
Message-ID: <7F6B06837A5DBD49AC6E1650EFF54906012231D1@auk52177.ukr.astrium.corp>

> I am using cacti 8.6.E. I got this error trying to import the template:
>
> Error: XML: Hash version does not exist.
>
> Should I move to a higher version? Everything else is working well.
>
> Edward

To be completely honest Edward, I have no idea. I am using 0.8.6i and it all worked fine for me, so, yeah, maybe a jump up to a higher version may work.

Dan

From edlinuxguru at gmail.com Wed Jan 10 18:35:45 2007
From: edlinuxguru at gmail.com (Eddie C)
Date: Wed, 10 Jan 2007 13:35:45 -0500
Subject: [Fedora-directory-users] FDS, SNMP & Cacti...
In-Reply-To: <7F6B06837A5DBD49AC6E1650EFF54906012231CE@auk52177.ukr.astrium.corp>
References: <7F6B06837A5DBD49AC6E1650EFF54906012231CE@auk52177.ukr.astrium.corp>
Message-ID:

I confirmed this. I upgraded my cacti to 0.8.6i and the template imported. The templates seem to not be backwards compatible. So far everything is going smoothly.

Edward

On 1/10/07, HAWKER, Dan wrote:
> > Thank you!
> > http://directory.fedora.redhat.com/download/README.snmp-cacti
> > http://directory.fedora.redhat.com/download/openldap_response_time.pl
> > http://directory.fedora.redhat.com/download/cacti_host_template_fedora_directory_server.xml
>
> #####
>
> Thanks Richard, have amended the howto to reflect the file locations...
>
> Dan
From lists at spider-security.net Wed Jan 10 18:46:38 2007
From: lists at spider-security.net (Nathaniel Hall)
Date: Wed, 10 Jan 2007 12:46:38 -0600
Subject: [Fedora-directory-users] FDS behind NATed firewall
Message-ID: <45A5348E.5080809@spider-security.net>

I have a master directory server behind a firewall that uses NAT. I want to place a read-only server behind a different firewall. The new server does have a public IP address. Here is my setup:

Master <--> Firewall (NAT) <--> Internet <--> Firewall <--> Read-Only

My initial thought was to write a script (all done and works) that SSHs to the RO server and creates local and remote SSH tunnels. That would allow me to point the servers to localhost on specific ports so that they would get redirected appropriately and securely. Right now I am having problems getting them to work the way I want them to. I had it partially working yesterday, but they were synchronizing like a normal system (outside of SSH, over port 389).

Does anybody have any ideas how this should be done securely? It is going over the Internet, so security is a must.

--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA

From hyc at symas.com Wed Jan 10 19:17:46 2007
From: hyc at symas.com (Howard Chu)
Date: Wed, 10 Jan 2007 11:17:46 -0800
Subject: [Fedora-directory-users] FDS, SNMP & Cacti...
In-Reply-To: <20070110155459.001D9735E0@hormel.redhat.com>
References: <20070110155459.001D9735E0@hormel.redhat.com>
Message-ID: <45A53BDA.4080706@symas.com>

> Date: Tue, 09 Jan 2007 12:10:44 -0700
> From: Richard Megginson
>
>> To use, simply follow the Howto on the wiki, but you'll all need to rename
>> *openldap_response_time.txt* to *openldap_response_time.pl*. The other two
>> files are as required.
>>
>> Thanks
>> Dan
>
> Thank you!
> http://directory.fedora.redhat.com/download/README.snmp-cacti
> http://directory.fedora.redhat.com/download/openldap_response_time.pl

I really wish Net::LDAP would just go away and die. People should be using Mozilla::LDAP (or Net::LDAPapi), particularly when they're doing timing measurements. I guess as a monitoring device to say "is it alive" it's not too crucial, but you have to realize that when it says it measures the response time of the LDAP server, 99% of the measured time is actually perl execution, and only 1% is actual network+LDAP time. (That's not an exaggeration; there is a clear 100:1 difference in execution time between Net::LDAP and Mozilla::LDAP / Net::LDAPapi.)

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

From david_list at boreham.org Wed Jan 10 19:36:39 2007
From: david_list at boreham.org (David Boreham)
Date: Wed, 10 Jan 2007 12:36:39 -0700
Subject: [Fedora-directory-users] FDS, SNMP & Cacti...
In-Reply-To: <45A53BDA.4080706@symas.com>
References: <20070110155459.001D9735E0@hormel.redhat.com> <45A53BDA.4080706@symas.com>
Message-ID: <45A54047.7030304@boreham.org>

Howard Chu wrote:
> I really wish Net::LDAP would just go away and die. People should be
> using Mozilla::LDAP (or Net::LDAPapi), particularly when they're doing
> timing measurements. I guess as a monitoring device to say "is it
> alive" it's not too crucial, but you have to realize that when it says
> it measures the response time of the LDAP server, 99% of the measured
> time is actually perl execution, and only 1% is actual network+LDAP
> time. (That's not an exaggeration; there is a clear 100:1 difference
> in execution time between Net::LDAP and Mozilla::LDAP / Net::LDAPapi.)

Still, a pure Perl solution is nice from an integration perspective. Is either Mozilla::LDAP or Net::LDAPapi shipped with a popular Linux distribution today?

In an application like Cacti, the service response time measurement is really aimed at detecting an overloaded service (hence requests queue and response time becomes very high). So I'm not sure a few ms matters one way or the other.

btw I'd vote for more effort put in to making the Python LDAP support better and more widely distributed -- Perl itself is evil (IMHO of course).

From rmeggins at redhat.com Wed Jan 10 19:33:58 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 10 Jan 2007 12:33:58 -0700
Subject: [Fedora-directory-users] FDS, SNMP & Cacti...
In-Reply-To: <45A54047.7030304@boreham.org>
References: <20070110155459.001D9735E0@hormel.redhat.com> <45A53BDA.4080706@symas.com> <45A54047.7030304@boreham.org>
Message-ID: <45A53FA6.6090804@redhat.com>

David Boreham wrote:
> Howard Chu wrote:
>
>> I really wish Net::LDAP would just go away and die. People should be
>> using Mozilla::LDAP (or Net::LDAPapi), particularly when they're
>> doing timing measurements. I guess as a monitoring device to say "is
>> it alive" it's not too crucial, but you have to realize that when it
>> says it measures the response time of the LDAP server, 99% of the
>> measured time is actually perl execution, and only 1% is actual
>> network+LDAP time. (That's not an exaggeration; there is a clear
>> 100:1 difference in execution time between Net::LDAP and
>> Mozilla::LDAP / Net::LDAPapi.)
>
> Still, a pure Perl solution is nice from an integration perspective.

But even Net::LDAP is not entirely perl - the SSL bits call out to openssl via Net::SSLeay. There may be other C bits called as well.

> Is either Mozilla::LDAP or Net::LDAPapi shipped with a popular
> Linux distribution today?

Not yet.

> In an application like Cacti, the service response time measurement is
> really aimed at detecting an overloaded service (hence requests queue
> and response time becomes very high). So I'm not sure a few ms matters
> one way or the other.
>
> btw I'd vote for more effort put in to making the Python LDAP support
> better and more widely distributed -- Perl itself is evil (IMHO of
> course).
python-ldap++

From david_list at boreham.org Wed Jan 10 19:47:45 2007
From: david_list at boreham.org (David Boreham)
Date: Wed, 10 Jan 2007 12:47:45 -0700
Subject: [Fedora-directory-users] FDS, SNMP & Cacti...
In-Reply-To: <45A53FA6.6090804@redhat.com>
References: <20070110155459.001D9735E0@hormel.redhat.com> <45A53BDA.4080706@symas.com> <45A54047.7030304@boreham.org> <45A53FA6.6090804@redhat.com>
Message-ID: <45A542E1.8050005@boreham.org>

Richard Megginson wrote:
> But even Net::LDAP is not entirely perl - the SSL bits call out to
> openssl via Net::SSLeay. There may be other C bits called as well.

Calling out to C isn't bad per se, but it really only works when the module has OS distribution support. End users typically can't cope with the module build process.

From rcritten at redhat.com Wed Jan 10 19:46:20 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 10 Jan 2007 14:46:20 -0500
Subject: [Fedora-directory-users] Admin server won't start
In-Reply-To: <20070110154201.M62193@mail.txwes.edu>
References: <20070110154201.M62193@mail.txwes.edu>
Message-ID: <45A5428C.9070006@redhat.com>

Glenn wrote:
> I'm trying to restart the admin server from the command line in RHDS 7.1. It
> shuts down o.k., but it responds to the start-admin command with an error
> message:
>
> startup failure: could not bind to port 30838 (Address already in use)
>
> This only happens after I connect to the directory server gateway through a
> web browser using SSL. I can fix it by rebooting the server, but that's not
> a good option. Is there another way?
>
> Thanks again. -G.

It sounds like Apache isn't really stopping. Can you take a look at the admin server error log file? Have you tried stopping the admin server again via stop-admin?

rob

From patrick.morris at hp.com Wed Jan 10 20:36:04 2007
From: patrick.morris at hp.com (Patrick Morris)
Date: Wed, 10 Jan 2007 12:36:04 -0800
Subject: [Fedora-directory-users] FDS behind NATed firewall
In-Reply-To: <45A5348E.5080809@spider-security.net>
References: <45A5348E.5080809@spider-security.net>
Message-ID: <20070110203604.GM17454@pmorris.usa.hp.com>

On Wed, 10 Jan 2007, Nathaniel Hall wrote:
> I have a master directory server behind a firewall that uses NAT. I
> want to place a read-only server behind a different firewall. The new
> server does have a public IP address. Here is my setup:
>
> Master <--> Firewall (NAT) <--> Internet <--> Firewall <--> Read-Only
>
> My initial thought was to write a script (all done and works) that SSHs
> to the RO server and creates local and remote SSH tunnels. That would
> allow me to point the servers to localhost on specific ports so that
> they would get redirected appropriately and securely. Right now I am
> having problems getting them to work the way I want them to. I had it
> partially working yesterday, but they were synchronizing like a normal
> system (outside of SSH, over port 389).
>
> Does anybody have any ideas how this should be done securely? It is
> going over the Internet, so security is a must.

I've had decent luck using stunnel for this sort of thing. I've found it to work a lot more reliably than SSH tunnels.

From edlinuxguru at gmail.com Wed Jan 10 21:29:20 2007
From: edlinuxguru at gmail.com (Eddie C)
Date: Wed, 10 Jan 2007 16:29:20 -0500
Subject: [Fedora-directory-users] FDS behind NATed firewall
In-Reply-To: <20070110203604.GM17454@pmorris.usa.hp.com>
References: <45A5348E.5080809@spider-security.net> <20070110203604.GM17454@pmorris.usa.hp.com>
Message-ID:

I have never gotten this suggestion to work, but I did not try it much. You can use point-to-point IPsec tunneling. This will remove the SSH layer. It will be more natural in terms of IP resolution and more standard than making tunnels.

Edward

On 1/10/07, Patrick Morris wrote:
> On Wed, 10 Jan 2007, Nathaniel Hall wrote:
> > I have a master directory server behind a firewall that uses NAT. I
> > want to place a read-only server behind a different firewall. The new
> > server does have a public IP address. Here is my setup:
> >
> > Master <--> Firewall (NAT) <--> Internet <--> Firewall <--> Read-Only
> >
> > My initial thought was to write a script (all done and works) that SSHs
> > to the RO server and creates local and remote SSH tunnels. That would
> > allow me to point the servers to localhost on specific ports so that
> > they would get redirected appropriately and securely. Right now I am
> > having problems getting them to work the way I want them to. I had it
> > partially working yesterday, but they were synchronizing like a normal
> > system (outside of SSH, over port 389).
> >
> > Does anybody have any ideas how this should be done securely? It is
> > going over the Internet, so security is a must.
>
> I've had decent luck using stunnel for this sort of thing. I've found
> it to work a lot more reliably than SSH tunnels.

From edlinuxguru at gmail.com Wed Jan 10 21:33:08 2007
From: edlinuxguru at gmail.com (Eddie C)
Date: Wed, 10 Jan 2007 16:33:08 -0500
Subject: [Fedora-directory-users] FDS, SNMP & Cacti...
In-Reply-To: <45A542E1.8050005@boreham.org>
References: <20070110155459.001D9735E0@hormel.redhat.com> <45A53BDA.4080706@symas.com> <45A54047.7030304@boreham.org> <45A53FA6.6090804@redhat.com> <45A542E1.8050005@boreham.org>
Message-ID:

My data is graphing nearly perfectly. I found only two issues. Perl requires time::HiRes, which is not on my older Solaris cacti machine. The other thing:

Directory Search Operations:

Total Searches is a purple graph. wholeSubTree is a green graph. wholeSubTree is always less than total, but I do not see it. Is it behind the purple total searches graph?

Edward

On 1/10/07, David Boreham wrote:
> Richard Megginson wrote:
>
> > But even Net::LDAP is not entirely perl - the SSL bits call out to
> > openssl via Net::SSLeay. There may be other C bits called as well.
>
> Calling out to C isn't bad per se, but it really only works when the
> module has OS distribution support. End users typically can't cope with
> the module build process.

From lists at spider-security.net Wed Jan 10 21:40:44 2007
From: lists at spider-security.net (Nathaniel Hall)
Date: Wed, 10 Jan 2007 15:40:44 -0600
Subject: [Fedora-directory-users] FDS behind NATed firewall
In-Reply-To:
References: <45A5348E.5080809@spider-security.net> <20070110203604.GM17454@pmorris.usa.hp.com>
Message-ID: <45A55D5C.80201@spider-security.net>

I have been trying to do this for a couple of days. It worked at one point, but it was replicating in plaintext.

Alternatively, what I am trying is to point the read-only system to the master through SSH tunnels and set up replication through the standard SSL port. I had a very similar setup yesterday, but mixed in with my changes I lost it. It just wasn't using SSL.

Eddie C wrote:
> I have never gotten this suggestion to work, but I did not try it much.
> You can use point-to-point IPsec tunneling. This will remove the SSH
> layer. It will be more natural in terms of IP resolution and more
> standard than making tunnels.
>
> Edward
>
> On 1/10/07, *Patrick Morris* wrote:
>
> > On Wed, 10 Jan 2007, Nathaniel Hall wrote:
> > > I have a master directory server behind a firewall that uses NAT. I
> > > want to place a read-only server behind a different firewall. The new
> > > server does have a public IP address. Here is my setup:
> > >
> > > Master <--> Firewall (NAT) <--> Internet <--> Firewall <--> Read-Only
> > >
> > > My initial thought was to write a script (all done and works) that SSHs
> > > to the RO server and creates local and remote SSH tunnels. That would
> > > allow me to point the servers to localhost on specific ports so that
> > > they would get redirected appropriately and securely. Right now I am
> > > having problems getting them to work the way I want them to. I had it
> > > partially working yesterday, but they were synchronizing like a normal
> > > system (outside of SSH, over port 389).
> > >
> > > Does anybody have any ideas how this should be done securely? It is
> > > going over the Internet, so security is a must.
> >
> > I've had decent luck using stunnel for this sort of thing. I've found
> > it to work a lot more reliably than SSH tunnels.

From david_list at boreham.org Thu Jan 11 02:20:37 2007
From: david_list at boreham.org (David Boreham)
Date: Wed, 10 Jan 2007 19:20:37 -0700
Subject: [Fedora-directory-users] FDS behind NATed firewall
In-Reply-To: <45A55D5C.80201@spider-security.net>
References: <45A5348E.5080809@spider-security.net> <20070110203604.GM17454@pmorris.usa.hp.com> <45A55D5C.80201@spider-security.net>
Message-ID: <45A59EF5.5000207@boreham.org>

One thing to watch when using software tunnels is that there was (is still?) a bug in the LDAP protocol library underneath the server where, if packets are fragmented in strange and unnatural ways, the server just won't work properly (it fails to decode the LDAP PDU header properly). This happens, for example, if the tunnel software ends up sending only a few bytes of the beginning of a PDU as a TCP segment. Basically you can send perfectly correct LDAP, but fragmented in just the wrong way, and the server will not decode it correctly. I'm not sure if this is a real issue any longer, but thought it worth mentioning.

From bernhard.waldvogel at freesurf.ch Thu Jan 11 08:14:17 2007
From: bernhard.waldvogel at freesurf.ch (bernhard.waldvogel at freesurf.ch)
Date: Thu, 11 Jan 2007 09:14:17 +0100
Subject: [Fedora-directory-users] FDS behind NATed firewall
Message-ID: <457ECF8E00014F8D@mta-fs-be-04.sunrise.ch>

> I have a master directory server behind a firewall that uses NAT. I
> want to place a read-only server behind a different firewall. The new
> server does have a public IP address. Here is my setup:
>
> Master <--> Firewall (NAT) <--> Internet <--> Firewall <--> Read-Only

Question, what about LDAPS? Is there anything against using ldaps for the replication? This should be secure enough, or not?
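The fragmentation failure David Boreham describes above is a header-parsing problem: an LDAP PDU is a BER SEQUENCE whose tag and length bytes can be split across TCP segments, so a reader that assumes the header arrives in one read decodes garbage or crashes. This added example (not code from the thread or from the directory server; the BindRequest bytes are constructed) shows a reader that buffers until the header and body are complete, next to the naive single-read assumption that breaks.

```python
"""Incrementally decode LDAPMessage (BER SEQUENCE) headers from a byte
stream that may be split at any boundary. Added example; the PDU is
constructed, not captured from the thread's servers."""
from typing import List, Optional, Tuple

# Constructed LDAPMessage: SEQUENCE { messageID 1, BindRequest { version 3,
# name "", simple "" } }. 0x30 is the SEQUENCE tag, 0x0c the body length.
BIND_PDU = bytes.fromhex("300c020101600702010304008000")


def decode_header(buf: bytes) -> Optional[Tuple[int, int]]:
    """Return (header_len, body_len) once buf holds a complete BER header,
    or None when more bytes are needed. Handles short and long-form lengths."""
    if len(buf) < 2:
        return None
    if buf[0] != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    first = buf[1]
    if first < 0x80:              # short form: the length fits in one byte
        return 2, first
    if first == 0x80:             # indefinite length is not allowed in LDAP
        raise ValueError("indefinite length not permitted")
    n = first & 0x7F              # long form: the next n bytes hold the length
    if n > 4:
        raise ValueError("length field too long")
    if len(buf) < 2 + n:
        return None               # length bytes themselves still in flight
    return 2 + n, int.from_bytes(buf[2:2 + n], "big")


class PduReader:
    """Reassemble whole PDUs from arbitrarily segmented input."""

    def __init__(self) -> None:
        self.buf = b""

    def feed(self, segment: bytes) -> List[bytes]:
        self.buf += segment
        pdus: List[bytes] = []
        while True:
            hdr = decode_header(self.buf)
            if hdr is None:
                break             # header incomplete: wait for the next segment
            hlen, blen = hdr
            if len(self.buf) < hlen + blen:
                break             # body incomplete: wait for the next segment
            pdus.append(self.buf[:hlen + blen])
            self.buf = self.buf[hlen + blen:]
        return pdus


def naive_pdu_length(segment: bytes) -> int:
    """The fragile pattern: assume tag and length arrived in one read.
    Raises IndexError on a 1-byte segment and misreads long-form lengths."""
    return 2 + segment[1]


def reassemble(segments: List[bytes]) -> List[bytes]:
    """Feed every segment through one reader and return the complete PDUs."""
    reader = PduReader()
    out: List[bytes] = []
    for seg in segments:
        out.extend(reader.feed(seg))
    return out
```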
http://www.sunrise.ch/privatkunden/iminternetsurfen/adsl/adsl_abosundpreise/adsl_gelegenheitssurfer/adsl_free.htm From dan.hawker at astrium.eads.net Thu Jan 11 09:54:36 2007 From: dan.hawker at astrium.eads.net (HAWKER, Dan) Date: Thu, 11 Jan 2007 09:54:36 -0000 Subject: [Fedora-directory-users] FDS, SNMP & Cacti... Message-ID: <7F6B06837A5DBD49AC6E1650EFF54906012231D2@auk52177.ukr.astrium.corp> My data is graphing nearly perfectly. I found only two issues. Perl requires time::HiRes. not on my older solaris cacti machine. The other thing: Directory Search Operations: Total Searches is a purple graph. wholeSubTree is a green graph. wholSubTree is always less then total, but I do not see it. Is it behind the purple total searches graph? Edward Hi Edward, time::HiRes - Ummm, sorry :) Is just a quick script I borrowed from another Cacti template. Works, but my perl programming skills are almost as good as my skills in any foreign language. I can usually listen, read it and get the gist of whats going on, however actually making a conversation takes more than I know. Good spot. Yeah, it seems it is. This can be seen by changing the graph type for the total searches. For instance if you change it to Line1, (Graph Templates -> FDS Search -> Edit Item #9) you can clearly see the other searches behind. Dan This email (including any attachments) may contain confidential and/or privileged information or information otherwise protected from disclosure. If you are not the intended recipient, please notify the sender immediately, do not copy this message or any attachments and do not use it for any purpose or disclose its content to any person, but delete this message and any attachments from your system. Astrium disclaims any and all liability if this email transmission was virus corrupted, altered or falsified. --------------------------------------------------------------------- Astrium Limited, Registered in England and Wales No. 
2449259 Registered Office: Gunnels Wood Road, Stevenage, Hertfordshire, SG1 2AS, England -------------- next part -------------- An HTML attachment was scrubbed... URL: From g.digiambelardini at fabaris.it Thu Jan 11 10:57:53 2007 From: g.digiambelardini at fabaris.it (Di Giambelardini Gabriele) Date: Thu, 11 Jan 2007 11:57:53 +0100 (CET) Subject: [Fedora-directory-users] problem encryption passwd Message-ID: <49512.192.168.12.207.1168513073.squirrel@webmail2.fabaris.it> Hi to all, this is my first time in this mailinglist. we changed the "Passowrd encryptio" from Clear to Crypt, and very things worked fine. In a second time, we changed that setting back to "No Encryption ( Clear )", but the fedora-ds now accepts only the encrypted passords, even after that change. We tried to delete and create again the user, but it didn't work. the fedora-ds version i'm using it's = fedora-ds-1.0.2-1.RHEL4 From gholbert at broadcom.com Thu Jan 11 20:35:46 2007 From: gholbert at broadcom.com (George Holbert) Date: Thu, 11 Jan 2007 12:35:46 -0800 Subject: [Fedora-directory-users] big searches dont return anything References: <200701081736.19011.skonstant@sgul.ac.uk> <200701101327.23002.skonstant@sgul.ac.uk> <45A503C1.5010605@redhat.com> <200701101554.35938.skonstant@sgul.ac.uk> <45A50F2A.40700@boreham.org> Message-ID: <001e01c735c0$12ccc0b0$11fdf00a@chunky> Is it possible for DB corruption to be replicated? In other words, if a master replica's DB goes corrupt, how likely is that to corrupt the DB on the consumers (if at all)? Thanks, -- George ----- Original Message ----- From: "David Boreham" To: "General discussion list for the Fedora Directory server project." Sent: Wednesday, January 10, 2007 8:07 AM Subject: Re: [Fedora-directory-users] big searches dont return anything St?phane Konstantaropoulos wrote: >It'd be nice if it noticed by itself that the db is corrupted. 
Unfortunately that's something of an AI problem :( There is some code in the server that can compare the results of an indexed vs an unindexed execution of the same query (used in the past to debug query optimizations). Someone could develop that into a kind of index inconsistency tool. All out corruption (someone writes random c**p over the database pages _will_ be detected). It sounds like you had some inconsistency between the primary and secondary indices. I'm not sure how that could have happened (it shouldn't). From david_list at boreham.org Thu Jan 11 20:46:03 2007 From: david_list at boreham.org (David Boreham) Date: Thu, 11 Jan 2007 13:46:03 -0700 Subject: [Fedora-directory-users] big searches dont return anything In-Reply-To: <001e01c735c0$12ccc0b0$11fdf00a@chunky> References: <200701081736.19011.skonstant@sgul.ac.uk> <200701101327.23002.skonstant@sgul.ac.uk> <45A503C1.5010605@redhat.com> <200701101554.35938.skonstant@sgul.ac.uk> <45A50F2A.40700@boreham.org> <001e01c735c0$12ccc0b0$11fdf00a@chunky> Message-ID: <45A6A20B.2050004@boreham.org> George Holbert wrote: > Is it possible for DB corruption to be replicated? > In other words, if a master replica's DB goes corrupt, how likely is > that to corrupt the DB on the consumers (if at all)? In general this can't happen. Replication is done at the directory entry semantic level, so each server re-creates its own underlying database content to reflect replicated entries (unlike for example a transaction log shipping type replication that you might see in some relational databases). However, if there were a database corruption bug present somewhere in the server, it is possible, even likely that the same bug would be triggered in multiple replicating servers that contain the same data. From edlinuxguru at gmail.com Thu Jan 11 22:20:10 2007 From: edlinuxguru at gmail.com (Eddie C) Date: Thu, 11 Jan 2007 17:20:10 -0500 Subject: [Fedora-directory-users] FDS, SNMP & Cacti... 
In-Reply-To: <7F6B06837A5DBD49AC6E1650EFF54906012231D2@auk52177.ukr.astrium.corp>
References: <7F6B06837A5DBD49AC6E1650EFF54906012231D2@auk52177.ukr.astrium.corp>
Message-ID:

The perl dependency can be solved by installing the extra perl module. I just wanted to let you know. Something like this:

perl -MCPAN -e 'install Time::HiRes'

Maybe modern linux perl has this, but my old solaris cacti machine does not.

As for the line1 suggestion: great advice. That works perfectly. Thanks again.

Edward

On 1/11/07, HAWKER, Dan wrote:
> > My data is graphing nearly perfectly. I found only two issues. Perl
> > requires time::HiRes, not on my older solaris cacti machine.
> > The other thing:
> >
> > Directory Search Operations:
> >
> > Total Searches is a purple graph. wholeSubTree is a green graph.
> > wholeSubTree is always less than total, but I do not see it. Is it behind the
> > purple total searches graph?
> >
> > Edward
>
> Hi Edward,
>
> time::HiRes - Ummm, sorry :) It's just a quick script I borrowed from
> another Cacti template. Works, but my perl programming skills are almost as
> good as my skills in any foreign language. I can usually listen, read it and
> get the gist of what's going on, however actually making a conversation takes
> more than I know.
>
> Good spot. Yeah, it seems it is. This can be seen by changing the graph
> type for the total searches. For instance if you change it to Line1 (Graph
> Templates -> FDS Search -> Edit Item #9) you can clearly see the other
> searches behind.
>
> Dan

From lists at spider-security.net Fri Jan 12 04:31:16 2007
From: lists at spider-security.net (Nathaniel Hall)
Date: Thu, 11 Jan 2007 22:31:16 -0600
Subject: [Fedora-directory-users] FDS behind NATed firewall
In-Reply-To: <457ECF8E00014F8D@mta-fs-be-04.sunrise.ch>
References: <457ECF8E00014F8D@mta-fs-be-04.sunrise.ch>
Message-ID: <45A70F14.8060103@spider-security.net>

bernhard.waldvogel at freesurf.ch wrote:
>> I have a master directory server behind a firewall that uses NAT. I
>> want to place a read only server behind a different firewall. The new
>> server does have a public IP address. Here is my setup:
>>
>> Master <--> Firewall (NAT) <--> Internet <--> Firewall <--> Read-Only
>
> Question, what about LDAPS? Is there anything against using ldaps for the
> replication? This should be secure enough, or not?

Well, I have considered this, but I have to make sure that any new connections from the RO server to the master go through the SSH tunnel.

From gopan at amritapuri.amrita.edu Mon Jan 15 08:06:38 2007
From: gopan at amritapuri.amrita.edu (Gopan)
Date: Mon, 15 Jan 2007 13:36:38 +0530 (IST)
Subject: [Fedora-directory-users] Error on starting Admin. console
Message-ID: <33398.203.197.150.195.1168848398.squirrel@mail>

Hi everybody, I was trying to set up a directory server on my RHEL4 box, but whenever I try to start the administration console I get an error.
I am quite sure that the JRE is installed. Pls help me....

[root at server fedora-ds]# ./startconsole -u admin -a http://server.net.edu:47736/
Warning: -ms8m not understood. Ignoring.
Warning: -mx64m not understood. Ignoring.
Exception in thread "main" java.lang.NoSuchMethodError: method com.netscape.management.client.util.RemoteImage.setImage was not found.
   at _Jv_ResolvePoolEntry(java.lang.Class, int) (/usr/lib/libgcj.so.5.0.0)
   at com.netscape.management.client.util.RemoteImage.RemoteImage(java.lang.String) (Unknown Source)
   at com.netscape.management.nmclf.SuiLookAndFeel.initComponentDefaults(javax.swing.UIDefaults) (Unknown Source)
   at com.netscape.management.nmclf.SuiLookAndFeel.getDefaults() (Unknown Source)
   at javax.swing.UIManager.put(java.lang.Object, java.lang.Object) (/usr/lib/libgcj.so.5.0.0)
   at com.netscape.management.client.components.FontFactory.initializeLFFonts() (Unknown Source)
   at com.netscape.management.client.console.Console.common_init(java.lang.String) (Unknown Source)
   at com.netscape.management.client.console.Console.Console(java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String) (Unknown Source)
   at com.netscape.management.client.console.Console.main(java.lang.String[]) (Unknown Source)

thanks and regards,
Gopan S

From cdesilva at aconex.com Tue Jan 16 03:42:41 2007
From: cdesilva at aconex.com (Chandana De Silva)
Date: Tue, 16 Jan 2007 14:42:41 +1100
Subject: [Fedora-directory-users] Can't use admconfig with FDS
Message-ID: <1168918961.2924.20.camel@fatta.ops.acx>

I am trying to use the admconfig utility with Fedora Directory Server. Initially it gave the following error:

./admconfig: line 55: /opt/fedora-ds/bin/base/jre/bin/java: No such file or directory
./admconfig: line 55: exec: /opt/fedora-ds/bin/base//opt/fedora-ds/bin/base/jre/bin/java: cannot execute: No such file or directory

I then symlinked the JDK 1.7 jre directory at /opt/fedora-ds/bin/base/ and tried again. I now get this error:

./admconfig
Error: native VM not supported

Does anyone know anything about this?
regards
Chandana

From clockwork at sigsys.org Tue Jan 16 16:21:55 2007
From: clockwork at sigsys.org (clockwork at sigsys.org)
Date: Tue, 16 Jan 2007 11:21:55 -0500
Subject: [Fedora-directory-users] Failed attempts & Locked accounts ... unlock ?
Message-ID: <5849d9130701160821l2391369dlf3fddcadb70bb646@mail.gmail.com>

So I have a pair of FDS servers, and a few users automate scripts to run against some development boxes; if they use the wrong password they essentially surpass the max retry limit. After looking around I cannot find an easy way to unlock the accounts. They are logging into RHEL, Solaris 9 & 10 systems. The output in the logs is like so:

error: PAM: Authentication failed for $USER from $IP

Is there some magic field that needs to be reset to unlock the account?

From rmeggins at redhat.com Tue Jan 16 16:21:22 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 16 Jan 2007 09:21:22 -0700
Subject: [Fedora-directory-users] Failed attempts & Locked accounts ... unlock ?
In-Reply-To: <5849d9130701160821l2391369dlf3fddcadb70bb646@mail.gmail.com>
References: <5849d9130701160821l2391369dlf3fddcadb70bb646@mail.gmail.com>
Message-ID: <45ACFB82.4030800@redhat.com>

clockwork at sigsys.org wrote:
> So I have a pair of FDS servers, and a few users automate scripts to
> run against some development boxes; if they use the wrong password they
> essentially surpass the max retry limit. After looking around I cannot
> find an easy way to unlock the accounts. They are logging into RHEL,
> Solaris 9 & 10 systems. The output in the logs is like so:
>
> error: PAM: Authentication failed for $USER from $IP
>
> Is there some magic field that needs to be reset to unlock the account?
http://directory.fedora.redhat.com/wiki/Howto:PasswordReset

From glenn at mail.txwes.edu Tue Jan 16 20:00:17 2007
From: glenn at mail.txwes.edu (Glenn)
Date: Tue, 16 Jan 2007 14:00:17 -0600
Subject: [Fedora-directory-users] Back in SSL hell again!
Message-ID: <20070116192952.M28177@mail.txwes.edu>

So I'm just about to finish getting Windows Sync working between RH Directory Server 7.1SP3 and Active Directory. The latest error message in the passsync log says "insufficient access", so I create an ACI that gives the replication manager access to everything, just to see if it will work. Nope. So I think, maybe I have to restart the Directory Server. And then it fails to restart, logging the error message:

SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert server-cert of family cn=RSA,cn=encryption,cn=cconfig (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)

Yeah, right. Here's a copy of the certificate:

[root at ourserver alias]# ./certutil -L -d ./ -n server-cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            16:43:78:57:00:00:00:00:00:0e
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=OURCA,DC=ad,DC=ourshop,DC=edu"
        Validity:
            Not Before: Tue Nov 14 22:50:17 2006
            Not After : Thu Nov 13 22:50:17 2008
        ...

Now, I'll grant you that this little synchronization exercise FEELS like it has gone on for more than two years, but according to the certificate it has taken barely two months so far, leaving the certificate good for another 22 months. Once again, the SSL error message seems to have little to do with reality.

I just restarted the server three hours earlier, and it worked fine then. Can anyone suggest what I might try now? Thanks. -Glenn.

From rmeggins at redhat.com Tue Jan 16 20:12:21 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 16 Jan 2007 13:12:21 -0700
Subject: [Fedora-directory-users] Back in SSL hell again!
In-Reply-To: <20070116192952.M28177@mail.txwes.edu>
References: <20070116192952.M28177@mail.txwes.edu>
Message-ID: <45AD31A5.1030301@redhat.com>

Glenn wrote:
> So I'm just about to finish getting Windows Sync working between RH Directory
> Server 7.1SP3 and Active Directory. The latest error message in the passsync
> log says "insufficient access", so I create an ACI that gives the replication
> manager access to everything, just to see if it will work. Nope. So I
> think, maybe I have to restart the Directory Server. And then it fails to
> restart, logging the error message:
>
> SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert
> server-cert of family cn=RSA,cn=encryption,cn=cconfig (Netscape Portable
> Runtime error -8181 - Peer's Certificate has expired.)

Is it possible it is complaining about the CA cert?

From clockwork at sigsys.org Tue Jan 16 20:16:57 2007
From: clockwork at sigsys.org (clockwork at sigsys.org)
Date: Tue, 16 Jan 2007 15:16:57 -0500
Subject: [Fedora-directory-users] Failed attempts & Locked accounts ... unlock ?
In-Reply-To: <45ACFB82.4030800@redhat.com>
References: <5849d9130701160821l2391369dlf3fddcadb70bb646@mail.gmail.com> <45ACFB82.4030800@redhat.com>
Message-ID: <5849d9130701161216t6875c969i55930694d8f34824@mail.gmail.com>

Those attributes don't show up using ldapsearch, and ldapmodify throws an error:

$ ldapmodify -D -x -w $password "cn=Directory Manager"
uid=$user,ou=People,dc=blah,dc=com
changetype: modify
delete: passwordRetryCount
-
changetype: modify
delete: accountUnlockTime

produces:

ldapmodify: No match.

Running ldapsearch shows the user info, but nothing about that specific field.

Admittedly I am a bit new to this; I had seen the FAQ/wiki, but since it didn't work I figured I would ask. Perhaps the wiki is out of date? Or is my syntax wrong?

Regards.

From rmeggins at redhat.com Tue Jan 16 20:31:30 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 16 Jan 2007 13:31:30 -0700
Subject: [Fedora-directory-users] Failed attempts & Locked accounts ... unlock ?
In-Reply-To: <5849d9130701161216t6875c969i55930694d8f34824@mail.gmail.com>
References: <5849d9130701160821l2391369dlf3fddcadb70bb646@mail.gmail.com> <45ACFB82.4030800@redhat.com> <5849d9130701161216t6875c969i55930694d8f34824@mail.gmail.com>
Message-ID: <45AD3622.6030801@redhat.com>

clockwork at sigsys.org wrote:
> Those attributes don't show up using ldapsearch

They are operational attributes and must be listed explicitly at the end of the ldapsearch command line.

> and ldapmodify throws an error:
>
> $ ldapmodify -D -x -w $password "cn=Directory Manager"
> uid=$user,ou=People,dc=blah,dc=com
> changetype: modify
> delete: passwordRetryCount
> -
> changetype: modify
> delete: accountUnlockTime
>
> produces:
> ldapmodify: No match.

try

ldapmodify -x -D "cn=Directory Manager" -w $password ......

> Running ldapsearch shows the user info, but nothing about that
> specific field.
>
> Admittedly I am a bit new to this; I had seen the FAQ/wiki, but since
> it didn't work I figured I would ask. Perhaps the wiki is out of date?
> Or is my syntax wrong?
>
> Regards.

From glenn at mail.txwes.edu Tue Jan 16 21:09:49 2007
From: glenn at mail.txwes.edu (Glenn)
Date: Tue, 16 Jan 2007 15:09:49 -0600
Subject: [Fedora-directory-users] Back in SSL hell again!
In-Reply-To: <45AD31A5.1030301@redhat.com>
References: <20070116192952.M28177@mail.txwes.edu> <45AD31A5.1030301@redhat.com>
Message-ID: <20070116205233.M17347@mail.txwes.edu>

> Is it possible it is complaining about the CA cert?

Ahem. No, after all, it did name the certificate it was complaining about.
But I figured out what the problem was. Sometime this morning it became apparent that having the clocks synchronized on the AD and DS servers would make it easier to read the logs, so I used the "date" command to change the time. I still find it difficult to understand some of the command manuals, and, assuming it was necessary to include the century and year as well as the date and time in the command, I accidentally put in 2006 instead of 2007. But, you know, if the error message had said, "your certificate is not valid yet" or even, "check the date, twit", I might have resolved this more quickly. Then again, maybe not. :)

Thanks again. -Glenn.

From rmeggins at redhat.com Tue Jan 16 23:02:50 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 16 Jan 2007 16:02:50 -0700
Subject: [Fedora-directory-users] Back in SSL hell again!
In-Reply-To: <20070116205233.M17347@mail.txwes.edu>
References: <20070116192952.M28177@mail.txwes.edu> <45AD31A5.1030301@redhat.com> <20070116205233.M17347@mail.txwes.edu>
Message-ID: <45AD599A.7080506@redhat.com>

Glenn wrote:
>> Is it possible it is complaining about the CA cert?
>
> Ahem. No, after all, it did name the certificate it was complaining about.
> But I figured out what the problem was. Sometime this morning it became
> apparent that having the clocks synchronized on the AD and DS servers would
> make it easier to read the logs, so I used the "date" command to change the
> time. I still find it difficult to understand some of the command manuals,
> and, assuming it was necessary to include the century and year as well as the
> date and time in the command, I accidentally put in 2006 instead of 2007.
> But, you know, if the error message had said, "your certificate is not valid
> yet" or even, "check the date, twit", I might have resolved this more
> quickly. Then again, maybe not. :) Thanks again. -Glenn.

If you think that's bad, try to have a Kerberos environment where one or more clocks are out of sync, and try to interpret those error messages :P

From rmeggins at redhat.com Wed Jan 17 14:57:35 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 17 Jan 2007 07:57:35 -0700
Subject: [Fedora-directory-users] passwordRetryCount Manipulations
In-Reply-To: <7315857F21D51B449CC55ADE3A5683182C00A9@ex2k3.ad.cusys.edu>
References: <7315857F21D51B449CC55ADE3A5683182C00A9@ex2k3.ad.cusys.edu>
Message-ID: <45AE395F.2020107@redhat.com>

Justin Crawford wrote:
> Howdy-
>
> I have noticed something unexpected.
> > Setting "passwordRetryCount" programatically (e.g. with ldapmodify) to > some value higher than our limit (say, 10) causes an account to be > locked, right? Well, yes, but only after that account has been locked > at least once the old-fashioned way, by trying to bind too many times > with a bad password. > > Brand new accounts* that've never been locked the old-fashioned way do > not mind a passwordRetryCount of 1000; these accounts can bind > successfully, and their passwordRetryCount gets set to 0. > > Does this make sense? If so, what's the additional attribute involved > in locking, and what are its potential values? > http://directory.fedora.redhat.com/wiki/Howto:PasswordReset > Thanks! > > Justin > > *Created with minimal attributes using ruby's net/ldap library. > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From saphipps at mchsi.com Wed Jan 17 20:20:38 2007 From: saphipps at mchsi.com (Scott A. Phipps) Date: Wed, 17 Jan 2007 14:20:38 -0600 Subject: [Fedora-directory-users] snmp monitoring Message-ID: <1169065238.21157.5.camel@localhost.localdomain> I've been trying to get the snmp monitoring with cacti going, but I've run into a snag. After I set everything up and run an snmp walk to test the setup, the subagent crashes. Here is part of what I get from strace: gettimeofday({1169063878, 909115}, NULL) = 0 select(8, [4 6 7], NULL, NULL, {6, 52205}) = 1 (in [4], left {6, 56000}) read(4, " ", 1) = 1 writev(2, [{"/opt/fedora-ds/bin/slapd/server/"..., 42}, {": ", 2}, {"symbol lookup error", 19}, {": ", 2}, {"/usr/lib/libnetsnmpagent.so.5", 29}, {": ", 2}, {"undefined symbol: hosts_ctl", 27}, {"", 0}, {"", 0}, {"\n", 1}], 10) = 124 exit_group(127) = ? 
Process 29587 detached I'm running fds 1.0.2 on FC4. If someone could point me in the right direction, I'd appreciate it. Thanks, Scott From rmeggins at redhat.com Wed Jan 17 22:14:55 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 17 Jan 2007 15:14:55 -0700 Subject: [Fedora-directory-users] snmp monitoring In-Reply-To: <1169065238.21157.5.camel@localhost.localdomain> References: <1169065238.21157.5.camel@localhost.localdomain> Message-ID: <45AE9FDF.8090509@redhat.com> Scott A. Phipps wrote: > I've been trying to get the snmp monitoring with cacti going, but I've > run into a snag. After I set everything up and run an snmp walk to test > the setup, the subagent crashes. Here is part of what I get from strace: > > gettimeofday({1169063878, 909115}, NULL) = 0 > select(8, [4 6 7], NULL, NULL, {6, 52205}) = 1 (in [4], left {6, 56000}) > read(4, " ", 1) = 1 > writev(2, [{"/opt/fedora-ds/bin/slapd/server/"..., 42}, {": ", 2}, > {"symbol lookup error", 19}, {": ", 2}, > {"/usr/lib/libnetsnmpagent.so.5", 29}, {": ", 2}, {"undefined symbol: > hosts_ctl", 27}, {"", 0}, {"", 0}, {"\n", 1}], 10) = 124 > exit_group(127) = ? > Process 29587 detached > > I'm running fds 1.0.2 on FC4. If someone could point me in the right > direction, I'd appreciate it. > Hmm - looks like it's using the wrong version of one of the libs? Do rpm -qa|grep net-snmp then ldd /opt/fedora-ds/bin/slapd/server/ldap-agent > Thanks, > > Scott > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From saphipps at mchsi.com Wed Jan 17 23:21:54 2007 From: saphipps at mchsi.com (Scott A. 
Phipps)
Date: Wed, 17 Jan 2007 17:21:54 -0600
Subject: [Fedora-directory-users] snmp monitoring
In-Reply-To: <45AE9FDF.8090509@redhat.com>
References: <1169065238.21157.5.camel@localhost.localdomain> <45AE9FDF.8090509@redhat.com>
Message-ID: <1169076114.21157.10.camel@localhost.localdomain>

On Wed, 2007-01-17 at 15:14 -0700, Richard Megginson wrote:
> Hmm - looks like it's using the wrong version of one of the libs? Do
> rpm -qa|grep net-snmp
> then
> ldd /opt/fedora-ds/bin/slapd/server/ldap-agent
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

Here are the results.

net-snmp-libs-5.2.1.2-fc4.1
net-snmp-devel-5.2.1.2-fc4.1
net-snmp-utils-5.2.1.2-fc4.1
net-snmp-perl-5.2.1.2-fc4.1
net-snmp-5.2.1.2-fc4.1

[root at newhulk ~]# ldd /opt/fedora-ds/bin/slapd/server/ldap-agent
        linux-gate.so.1 =>  (0x00eeb000)
        libdl.so.2 => ../lib/libdl.so.2 (0x009ef000)
        libnetsnmp.so.5 => /usr/lib/libnetsnmp.so.5 (0x004e0000)
        libnetsnmpagent.so.5 => /usr/lib/libnetsnmpagent.so.5 (0x00193000)
        libnetsnmpmibs.so.5 => /usr/lib/libnetsnmpmibs.so.5 (0x001cc000)
        libnetsnmphelpers.so.5 => /usr/lib/libnetsnmphelpers.so.5 (0x00663000)
        libcrypto.so.5 => ../lib/libcrypto.so.5 (0x002ce000)
        libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00c3a000)
        libm.so.6 => ../lib/libm.so.6 (0x009c8000)
        libgcc_s.so.1 => ../lib/libgcc_s.so.1 (0x00c1c000)
        libc.so.6 => ../lib/libc.so.6 (0x0089d000)
        /lib/ld-linux.so.2 (0x0087f000)
        libz.so.1 => /usr/lib/libz.so.1 (0x009f5000)

Thanks,
Scott

From daves at wavesco.com Thu Jan 18 03:04:15 2007
From: daves at wavesco.com (David J. Schnardthorst)
Date: Wed, 17 Jan 2007 21:04:15 -0600
Subject: [Fedora-directory-users] Replication Errors
Message-ID: <45AEE3AF.5050001@wavesco.com>

I am having issues with replication and need some assistance. I have setup multi-master replication using the mmr.pl script. However, replication is not occurring. I show the following messages in my LDAP error log.
[14/Jan/2007:01:02:49 -0600] - Fedora-Directory/1.0.2 B2006.060.1928 starting up
[15/Jan/2007:00:00:00 -0600] NSMMReplicationPlugin - agmt="cn="Replication to xxxxxx.com"" (xxxxxx:389): Incremental protocol: event update_window_opened should not occur in state wait_for_changes
[16/Jan/2007:00:00:00 -0600] NSMMReplicationPlugin - agmt="cn="Replication to xxxxxx.com"" (xxxxxx:389): Incremental protocol: event update_window_opened should not occur in state wait_for_changes

Any thoughts would be greatly appreciated.

--
David Schnardthorst
http://www.wavesco.com

From nicholas.byrne at quadriga.com Thu Jan 18 15:10:23 2007
From: nicholas.byrne at quadriga.com (Nicholas Byrne)
Date: Thu, 18 Jan 2007 15:10:23 +0000
Subject: [Fedora-directory-users] FDS Crashing!
Message-ID: <45AF8DDF.1030008@quadriga.com>

I'm using 1.0.4-1 release. My configuration is fairly basic, using "one way" windows sync (ref: https://www.redhat.com/archives/fedora-directory-users/2006-December/msg00070.html).

It's been working well until this morning for going on a month (fortunately it's not live yet, but was planning to put it live this weekend - not anymore!). I'm not sure what occurred exactly, a few password changes and minor updates to a couple of attributes, but since a few hours ago any attempt to write to anything in the userRoot database fails and slapd crashes. I've looked in the error and access logs but it doesn't give much away - on restart I see:

[18/Jan/2007:14:48:42 +0000] - Fedora-Directory/1.0.4 B2006.312.435 starting up
[18/Jan/2007:14:48:42 +0000] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[18/Jan/2007:14:48:43 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[18/Jan/2007:14:48:43 +0000] - Listening on All Interfaces port 636 for LDAPS requests

What can I do to get more info?
Yesterday I did a password change using ldappasswd and I found this issue (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179723) just now - my directory does have a password policy. Is this fixed in 1.0.4?

I have tried a restore from a week old backup (using bak2db) but that didn't fix the problem, so anyone got any idea what's going on and how I might start fixing this - Help!?

Thanks
Nick

This e-mail is the property of Quadriga Worldwide Ltd, intended for the addressee only and confidential. Any dissemination, copying or distribution of this message or any attachments is strictly prohibited.

If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer.

Messages sent to and from Quadriga may be monitored.

Quadriga cannot guarantee any message delivery method is secure or error-free. Information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.

We do not accept responsibility for any errors or omissions in this message and/or attachment that arise as a result of transmission.

You should carry out your own virus checks before opening any attachment.

Any views or opinions presented are solely those of the author and do not necessarily represent those of Quadriga.

From rmeggins at redhat.com Thu Jan 18 15:22:40 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 18 Jan 2007 08:22:40 -0700
Subject: [Fedora-directory-users] FDS Crashing!
In-Reply-To: <45AF8DDF.1030008@quadriga.com>
References: <45AF8DDF.1030008@quadriga.com>
Message-ID: <45AF90C0.3080306@redhat.com>

Nicholas Byrne wrote:
> I'm using 1.0.4-1 release. My configuration is fairly basic, using "one way" windows sync (ref: https://www.redhat.com/archives/fedora-directory-users/2006-December/msg00070.html).
>
> It's been working well until this morning for going on a month (fortunately it's not live yet, but was planning to put it live this weekend - not anymore!).
> I'm not sure what occurred exactly, a few password changes and minor updates to a couple of attributes, but since a few hours ago any attempt to write to anything in the userRoot database fails and slapd crashes. I've looked in the error and access logs but it doesn't give much away - on restart I see:
>
> [18/Jan/2007:14:48:42 +0000] - Fedora-Directory/1.0.4 B2006.312.435 starting up
> [18/Jan/2007:14:48:42 +0000] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
> [18/Jan/2007:14:48:43 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [18/Jan/2007:14:48:43 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>
> What can I do to get more info?

start-slapd -d 1

or

http://directory.fedora.redhat.com/wiki/FAQ#Troubleshooting and use the TRACE debug level.

> Yesterday I did a password change using ldappasswd and I found this issue (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179723) just now - my directory does have a password policy. Is this fixed in 1.0.4?

Yes, it is supposed to be - but if you reproduced it with 1.0.4, then I guess not :-(

So, if I understand correctly - you used ldappasswd to change a user's password, and you have password policy enabled (global or local?), and you can crash the server.

> I have tried a restore from a week old backup (using bak2db) but that didn't fix the problem, so anyone got any idea what's going on and how I might start fixing this - Help!?
>
> Thanks
> Nick
>
> This e-mail is the property of Quadriga Worldwide Ltd, intended for the addressee only and confidential. Any dissemination, copying or distribution of this message or any attachments is strictly prohibited.
>
> If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer.
>
> Messages sent to and from Quadriga may be monitored.
>
> Quadriga cannot guarantee any message delivery method is secure or error-free. Information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
>
> We do not accept responsibility for any errors or omissions in this message and/or attachment that arise as a result of transmission.
>
> You should carry out your own virus checks before opening any attachment.
>
> Any views or opinions presented are solely those of the author and do not necessarily represent those of Quadriga.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rmeggins at redhat.com Thu Jan 18 15:28:17 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 18 Jan 2007 08:28:17 -0700
Subject: [Fedora-directory-users] Replication Errors
In-Reply-To: <45AEE3AF.5050001@wavesco.com>
References: <45AEE3AF.5050001@wavesco.com>
Message-ID: <45AF9211.5060205@redhat.com>

David J. Schnardthorst wrote:
> I am having issues with replication and need some assistance. I have setup multi-master replication using the mmr.pl script. However, replication is not occurring. I show the following messages in my LDAP error log.
>
> [14/Jan/2007:01:02:49 -0600] - Fedora-Directory/1.0.2 B2006.060.1928 starting up
> [15/Jan/2007:00:00:00 -0600] NSMMReplicationPlugin - agmt="cn="Replication to xxxxxx.com"" (xxxxxx:389): Incremental protocol: event update_window_opened should not occur in state wait_for_changes
> [16/Jan/2007:00:00:00 -0600] NSMMReplicationPlugin - agmt="cn="Replication to xxxxxx.com"" (xxxxxx:389): Incremental protocol: event update_window_opened should not occur in state wait_for_changes
>
> Any thoughts would be greatly appreciated.
What is your replication schedule?

From rmeggins at redhat.com Thu Jan 18 15:45:09 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 18 Jan 2007 08:45:09 -0700
Subject: [Fedora-directory-users] snmp monitoring
In-Reply-To: <1169076114.21157.10.camel@localhost.localdomain>
References: <1169065238.21157.5.camel@localhost.localdomain> <45AE9FDF.8090509@redhat.com> <1169076114.21157.10.camel@localhost.localdomain>
Message-ID: <45AF9605.6080609@redhat.com>

Scott A. Phipps wrote:
> On Wed, 2007-01-17 at 15:14 -0700, Richard Megginson wrote:
>
>> Hmm - looks like it's using the wrong version of one of the libs? Do
>> rpm -qa|grep net-snmp
>> then
>> ldd /opt/fedora-ds/bin/slapd/server/ldap-agent
>>
>
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>
> Here are the results.
>
> net-snmp-libs-5.2.1.2-fc4.1
> net-snmp-devel-5.2.1.2-fc4.1
> net-snmp-utils-5.2.1.2-fc4.1
> net-snmp-perl-5.2.1.2-fc4.1
> net-snmp-5.2.1.2-fc4.1
> [root at newhulk ~]# ldd /opt/fedora-ds/bin/slapd/server/ldap-agent
>         linux-gate.so.1 =>  (0x00eeb000)
>         libdl.so.2 => ../lib/libdl.so.2 (0x009ef000)
>         libnetsnmp.so.5 => /usr/lib/libnetsnmp.so.5 (0x004e0000)
>         libnetsnmpagent.so.5 => /usr/lib/libnetsnmpagent.so.5 (0x00193000)
>         libnetsnmpmibs.so.5 => /usr/lib/libnetsnmpmibs.so.5 (0x001cc000)
>         libnetsnmphelpers.so.5 => /usr/lib/libnetsnmphelpers.so.5 (0x00663000)
>         libcrypto.so.5 => ../lib/libcrypto.so.5 (0x002ce000)
>         libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00c3a000)
>         libm.so.6 => ../lib/libm.so.6 (0x009c8000)
>         libgcc_s.so.1 => ../lib/libgcc_s.so.1 (0x00c1c000)
>         libc.so.6 => ../lib/libc.so.6 (0x0089d000)
>         /lib/ld-linux.so.2 (0x0087f000)
>         libz.so.1 => /usr/lib/libz.so.1 (0x009f5000)
>

hosts_ctl is defined in libwrap.so - do you have tcp_wrappers installed e.g.

rpm -qa|grep tcp_wrappers

> Thanks,
>
> Scott
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From saphipps at mchsi.com Thu Jan 18 17:01:57 2007
From: saphipps at mchsi.com (Scott A. Phipps)
Date: Thu, 18 Jan 2007 11:01:57 -0600
Subject: [Fedora-directory-users] snmp monitoring
In-Reply-To: <45AF9605.6080609@redhat.com>
References: <1169065238.21157.5.camel@localhost.localdomain> <45AE9FDF.8090509@redhat.com> <1169076114.21157.10.camel@localhost.localdomain> <45AF9605.6080609@redhat.com>
Message-ID: <1169139717.7905.2.camel@localhost.localdomain>

On Thu, 2007-01-18 at 08:45 -0700, Richard Megginson wrote:
> hosts_ctl is defined in libwrap.so - do you have tcp_wrappers installed e.g.
> rpm -qa|grep tcp_wrappers

tcp_wrappers-7.6-39 is installed

> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From nicholas.byrne at quadriga.com Thu Jan 18 17:20:29 2007
From: nicholas.byrne at quadriga.com (Nicholas Byrne)
Date: Thu, 18 Jan 2007 17:20:29 +0000
Subject: [Fedora-directory-users] FDS Crashing!
In-Reply-To: <45AF90C0.3080306@redhat.com>
References: <45AF8DDF.1030008@quadriga.com> <45AF90C0.3080306@redhat.com>
Message-ID: <45AFAC5D.9030502@quadriga.com>

Richard Megginson wrote:
> Nicholas Byrne wrote:
>> I'm using 1.0.4-1 release. My configuration is fairly basic, using "one way" windows sync (ref: https://www.redhat.com/archives/fedora-directory-users/2006-December/msg00070.html).
>>
>> It's been working well until this morning for going on a month (fortunately it's not live yet, but was planning to put it live this weekend - not anymore!). I'm not sure what occurred exactly, a few password changes and minor updates to a couple of attributes, but since a few hours ago any attempt to write to anything in the userRoot database fails and slapd crashes. I've looked in the error and access logs but it doesn't give much away - on restart I see:
>>
>> [18/Jan/2007:14:48:42 +0000] - Fedora-Directory/1.0.4 B2006.312.435 starting up
>> [18/Jan/2007:14:48:42 +0000] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
>> [18/Jan/2007:14:48:43 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>> [18/Jan/2007:14:48:43 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>>
>> What can I do to get more info?
> start-slapd -d 1
> or
> http://directory.fedora.redhat.com/wiki/FAQ#Troubleshooting and use the TRACE debug level.

thanks, the server takes a long time to fully start and is really quite slow with this switch. I suppose that's normal.
Any hints as to what else to look for, there is an enormous amount of output. The log ends (when it crashes when I attempt any write operation) with a segmentation fault.

>> Yesterday I did a password change using ldappasswd and I found this issue (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179723) just now - my directory does have a password policy. Is this fixed in 1.0.4?
> Yes, it is supposed to be - but if you reproduced it with 1.0.4, then I guess not :-(
>
> So, if I understand correctly - you used ldappasswd to change a user's password, and you have password policy enabled (global or local?), and you can crash the server.

I have all three requirements it seems to reproduce this bug: 1. ssl on, 2. password policy global and local/subtree, and I've used ldappassword (yesterday) - uh oh!

My issue is slightly different in that the server crashes when any update is attempted, not just a modify password.

Is there any way to restore an old database and turn off all password policy for the time being without writing to the directory / user database? Probably not I suppose, at least not easily. So is my best bet to dump the directory to ldif and do a reinstall and reconfigure. What do you think?

>> I have tried a restore from a week old backup (using bak2db) but that didn't fix the problem, so anyone got any idea what's going on and how I might start fixing this - Help!?
>>
>> Thanks
>> Nick
>>
>> This e-mail is the property of Quadriga Worldwide Ltd, intended for the addressee only and confidential. Any dissemination, copying or distribution of this message or any attachments is strictly prohibited.
>>
>> If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer.
>>
>> Messages sent to and from Quadriga may be monitored.
>>
>> Quadriga cannot guarantee any message delivery method is secure or error-free.
>> Information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
>>
>> We do not accept responsibility for any errors or omissions in this message and/or attachment that arise as a result of transmission.
>>
>> You should carry out your own virus checks before opening any attachment.
>>
>> Any views or opinions presented are solely those of the author and do not necessarily represent those of Quadriga.
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

This e-mail is the property of Quadriga Worldwide Ltd, intended for the addressee only and confidential. Any dissemination, copying or distribution of this message or any attachments is strictly prohibited.

If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer.

Messages sent to and from Quadriga may be monitored.

Quadriga cannot guarantee any message delivery method is secure or error-free. Information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.

We do not accept responsibility for any errors or omissions in this message and/or attachment that arise as a result of transmission.

You should carry out your own virus checks before opening any attachment.

Any views or opinions presented are solely those of the author and do not necessarily represent those of Quadriga.

From rmeggins at redhat.com Thu Jan 18 17:37:23 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 18 Jan 2007 10:37:23 -0700
Subject: [Fedora-directory-users] FDS Crashing!
In-Reply-To: <45AFAC5D.9030502@quadriga.com>
References: <45AF8DDF.1030008@quadriga.com> <45AF90C0.3080306@redhat.com> <45AFAC5D.9030502@quadriga.com>
Message-ID: <45AFB053.1080308@redhat.com>

Nicholas Byrne wrote:
>
>
> Richard Megginson wrote:
>> Nicholas Byrne wrote:
>>> I'm using 1.0.4-1 release. My configuration is fairly basic, using "one way" windows sync (ref: https://www.redhat.com/archives/fedora-directory-users/2006-December/msg00070.html).
>>>
>>> It's been working well until this morning for going on a month (fortunately it's not live yet, but was planning to put it live this weekend - not anymore!). I'm not sure what occurred exactly, a few password changes and minor updates to a couple of attributes, but since a few hours ago any attempt to write to anything in the userRoot database fails and slapd crashes. I've looked in the error and access logs but it doesn't give much away - on restart I see:
>>>
>>> [18/Jan/2007:14:48:42 +0000] - Fedora-Directory/1.0.4 B2006.312.435 starting up
>>> [18/Jan/2007:14:48:42 +0000] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
>>> [18/Jan/2007:14:48:43 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>> [18/Jan/2007:14:48:43 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>>>
>>> What can I do to get more info?
>> start-slapd -d 1
>> or
>> http://directory.fedora.redhat.com/wiki/FAQ#Troubleshooting and use the TRACE debug level.
> thanks, the server takes a long time to fully start and is really quite slow with this switch. I suppose that's normal.

Yes.

> Any hints as to what else to look for, there is an enormous amount of output. The log ends (when it crashes when I attempt any write operation) with a segmentation fault.

So, not just a write of userPassword, but of any attribute?
>>> Yesterday I did a password change using ldappasswd and I found this issue (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179723) just now - my directory does have a password policy. Is this fixed in 1.0.4?
>> Yes, it is supposed to be - but if you reproduced it with 1.0.4, then I guess not :-(
>>
>> So, if I understand correctly - you used ldappasswd to change a user's password, and you have password policy enabled (global or local?), and you can crash the server.
> I have all three requirements it seems to reproduce this bug: 1. ssl on, 2. password policy global and local/subtree, and I've used ldappassword (yesterday) - uh oh!
>
> My issue is slightly different in that the server crashes when any update is attempted, not just a modify password.
>
> Is there any way to restore an old database and turn off all password policy for the time being without writing to the directory / user database? Probably not I suppose, at least not easily. So is my best bet to dump the directory to ldif and do a reinstall and reconfigure. What do you think?

If the database is corrupted, just a dump to LDIF and a reimport might do the trick. If not, then I suggest disabling the local password policy to see if that fixes the problem.

At any rate, please file a bug http://bugzilla.redhat.com/ and list OS + version + bitsize, and detailed steps about how to reproduce the bug. My inclination is that this is a bug which will require a patch to address.

>>> I have tried a restore from a week old backup (using bak2db) but that didn't fix the problem, so anyone got any idea what's going on and how I might start fixing this - Help!?
>>>
>>> Thanks
>>> Nick
>>>
>>> This e-mail is the property of Quadriga Worldwide Ltd, intended for the addressee only and confidential. Any dissemination, copying or distribution of this message or any attachments is strictly prohibited.
>>>
>>> If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer.
>>>
>>> Messages sent to and from Quadriga may be monitored.
>>>
>>> Quadriga cannot guarantee any message delivery method is secure or error-free. Information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
>>>
>>> We do not accept responsibility for any errors or omissions in this message and/or attachment that arise as a result of transmission.
>>>
>>> You should carry out your own virus checks before opening any attachment.
>>>
>>> Any views or opinions presented are solely those of the author and do not necessarily represent those of Quadriga.
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>> ------------------------------------------------------------------------
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>
>
>
> This e-mail is the property of Quadriga Worldwide Ltd, intended for the addressee only and confidential. Any dissemination, copying or distribution of this message or any attachments is strictly prohibited.
>
> If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer.
>
> Messages sent to and from Quadriga may be monitored.
>
> Quadriga cannot guarantee any message delivery method is secure or error-free. Information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
>
> We do not accept responsibility for any errors or omissions in this message and/or attachment that arise as a result of transmission.
>
> You should carry out your own virus checks before opening any attachment.
>
> Any views or opinions presented are solely those of the author and do not necessarily represent those of Quadriga.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rmeggins at redhat.com Thu Jan 18 17:41:25 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 18 Jan 2007 10:41:25 -0700
Subject: [Fedora-directory-users] snmp monitoring
In-Reply-To: <1169139717.7905.2.camel@localhost.localdomain>
References: <1169065238.21157.5.camel@localhost.localdomain> <45AE9FDF.8090509@redhat.com> <1169076114.21157.10.camel@localhost.localdomain> <45AF9605.6080609@redhat.com> <1169139717.7905.2.camel@localhost.localdomain>
Message-ID: <45AFB145.6020104@redhat.com>

Scott A. Phipps wrote:
> On Thu, 2007-01-18 at 08:45 -0700, Richard Megginson wrote:
>
>> hosts_ctl is defined in libwrap.so - do you have tcp_wrappers installed e.g.
>> rpm -qa|grep tcp_wrappers
>>
>
> tcp_wrappers-7.6-39 is installed
>

Hmm - looks like ldap-agent in FDS 1.0.2 is just broken - it's not linked with libwrap. However, on 1.0.4, it is. Here is the output from ldd ldap-agent from FDS 1.0.4 on a FC4 (64 bit) system. I suggest upgrading to FDS 1.0.4.

[An embedded and charset-unspecified text attachment was scrubbed from the archive: Name: lddoutput]
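Richard's diagnosis above is worth being able to confirm on any host before deciding to upgrade: Scott's ldd listing resolves every NEEDED library, yet the loader still aborts with "undefined symbol: hosts_ctl" because the library that defines that symbol (libwrap) is simply not on the link list. The following POSIX shell helper is an added example, not code from the thread or from Fedora Directory Server. It parses ldd output into resolved and unresolved libraries and then asks nm -D which resolved library, if any, exports a given symbol; an empty result with exit status 1 is the "not linked against it at all" case. The ldd and nm sample lines embedded in it are constructed for the example (the unresolved libwrap.so.0 entry and the addresses are made up), and the ldap-agent path in the usage comment is the one Scott posted.

```shell
#!/bin/sh
# Added example (not from the thread or from Fedora Directory Server):
# find out which of a binary's linked shared libraries, if any, exports a
# given dynamic symbol. A run-time "symbol lookup error: undefined symbol: X"
# means nothing on the link list defines X. ldd alone will not show that:
# every NEEDED entry can resolve fine while the library that defines X
# (libwrap for hosts_ctl) was never linked in.

# parse_ldd_libs: read ldd output on stdin, print the path of every library
# it resolved. The vdso line ("=> (0x...)"), the bare interpreter line and
# "not found" entries carry no path and are skipped.
parse_ldd_libs() {
    awk '$2 == "=>" && $3 !~ /^\(/ && !($3 == "not" && $4 == "found") { print $3 }'
}

# unresolved_libs: read ldd output on stdin, print sonames ldd could not find.
unresolved_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# nm_defines SYMBOL: read `nm -D --defined-only LIB` output on stdin and
# succeed (exit 0) only if SYMBOL is defined there. Version suffixes such as
# malloc@@GLIBC_2.2.5 are stripped before comparing.
nm_defines() {
    awk -v s="$1" '{ n = $NF; sub(/@.*/, "", n); if (n == s) found = 1 }
                   END { exit !found }'
}

# symbol_provider BINARY SYMBOL: print the first library on BINARY's link
# list that defines SYMBOL; print nothing and exit 1 if none does.
# Caveat: ldd can end up running the binary's own dynamic loader, so use it
# only on binaries you trust (objdump -p BINARY | awk '/NEEDED/' lists the
# sonames without executing anything, but does not resolve their paths).
symbol_provider() {
    bin=$1; sym=$2
    for lib in $(ldd "$bin" | parse_ldd_libs); do
        if nm -D --defined-only "$lib" 2>/dev/null | nm_defines "$sym"; then
            echo "$lib"
            return 0
        fi
    done
    return 1
}

# Constructed sample ldd output for offline use (hypothetical: libwrap.so.0
# is shown unresolved on purpose to exercise unresolved_libs).
CONSTRUCTED_LDD='        linux-gate.so.1 =>  (0x00eeb000)
        libdl.so.2 => ../lib/libdl.so.2 (0x009ef000)
        libnetsnmp.so.5 => /usr/lib/libnetsnmp.so.5 (0x004e0000)
        libwrap.so.0 => not found
        /lib/ld-linux.so.2 (0x0087f000)'

# Constructed sample of `nm -D --defined-only` output (hypothetical addresses).
CONSTRUCTED_NM='00000000000123a0 T hosts_ctl
00000000000012f0 T malloc@@GLIBC_2.2.5
0000000000020100 D __environ'

# Usage on a real system (binary path as posted in the thread):
#   symbol_provider /opt/fedora-ds/bin/slapd/server/ldap-agent hosts_ctl \
#       || echo "no linked library exports hosts_ctl"
```

Run against Scott's 1.0.2 ldap-agent this would walk all thirteen resolved libraries, find none defining hosts_ctl and exit 1, which is the same conclusion Richard reached by reading the ldd list; on the 1.0.4 build it should print the libwrap path. The tcp_wrappers package being installed is not enough by itself, which is why checking the binary's own link list rather than the package database is the decisive test.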
From nicholas.byrne at quadriga.com Thu Jan 18 18:27:55 2007
From: nicholas.byrne at quadriga.com (Nicholas Byrne)
Date: Thu, 18 Jan 2007 18:27:55 +0000
Subject: [Fedora-directory-users] FDS Crashing!
In-Reply-To: <45AFB053.1080308@redhat.com>
References: <45AF8DDF.1030008@quadriga.com> <45AF90C0.3080306@redhat.com> <45AFAC5D.9030502@quadriga.com> <45AFB053.1080308@redhat.com>
Message-ID: <45AFBC2B.2000903@quadriga.com>

Richard Megginson wrote:
> Nicholas Byrne wrote:
>>
>>
>> Richard Megginson wrote:
>>> Nicholas Byrne wrote:
>>>> I'm using 1.0.4-1 release. My configuration is fairly basic, using "one way" windows sync (ref: https://www.redhat.com/archives/fedora-directory-users/2006-December/msg00070.html).
>>>>
>>>> It's been working well until this morning for going on a month (fortunately it's not live yet, but was planning to put it live this weekend - not anymore!). I'm not sure what occurred exactly, a few password changes and minor updates to a couple of attributes, but since a few hours ago any attempt to write to anything in the userRoot database fails and slapd crashes. I've looked in the error and access logs but it doesn't give much away - on restart I see:
>>>>
>>>> [18/Jan/2007:14:48:42 +0000] - Fedora-Directory/1.0.4 B2006.312.435 starting up
>>>> [18/Jan/2007:14:48:42 +0000] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
>>>> [18/Jan/2007:14:48:43 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>>> [18/Jan/2007:14:48:43 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>>>>
>>>> What can I do to get more info?
>>> start-slapd -d 1
>>> or
>>> http://directory.fedora.redhat.com/wiki/FAQ#Troubleshooting and use the TRACE debug level.
>> thanks, the server takes a long time to fully start and is really quite slow with this switch. I suppose that's normal.
> Yes.
>> Any hints as to what else to look for, there is an enormous amount of output. The log ends (when it crashes when I attempt any write operation) with a segmentation fault.
> So, not just a write of userPassword, but of any attribute?

Yep, that's correct.

>>>> Yesterday I did a password change using ldappasswd and I found this issue (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179723) just now - my directory does have a password policy. Is this fixed in 1.0.4?
>>> Yes, it is supposed to be - but if you reproduced it with 1.0.4, then I guess not :-(
>>>
>>> So, if I understand correctly - you used ldappasswd to change a user's password, and you have password policy enabled (global or local?), and you can crash the server.
>> I have all three requirements it seems to reproduce this bug: 1. ssl on, 2. password policy global and local/subtree, and I've used ldappassword (yesterday) - uh oh!
>>
>> My issue is slightly different in that the server crashes when any update is attempted, not just a modify password.
>>
>> Is there any way to restore an old database and turn off all password policy for the time being without writing to the directory / user database? Probably not I suppose, at least not easily. So is my best bet to dump the directory to ldif and do a reinstall and reconfigure. What do you think?
> If the database is corrupted, just a dump to LDIF and a reimport might do the trick. If not, then I suggest disabling the local password policy to see if that fixes the problem.

I did a dump and ended up having to do a ldif2db (as I couldn't write to the live database without a crash) and I seem to be back up and running, except I don't have the default ACIs anymore. How can I recreate them?
Is there a wiki/manual page or a script with the default ones? That's all I need for the time being.

> At any rate, please file a bug http://bugzilla.redhat.com/ and list OS + version + bitsize, and detailed steps about how to reproduce the bug. My inclination is that this is a bug which will require a patch to address.

Will do, and thanks for the support so far, Richard.

>>>> I have tried a restore from a week old backup (using bak2db) but that didn't fix the problem, so anyone got any idea what's going on and how I might start fixing this - Help!?
>>>>
>>>> Thanks
>>>> Nick
>>>>
>>>> This e-mail is the property of Quadriga Worldwide Ltd, intended for the addressee only and confidential. Any dissemination, copying or distribution of this message or any attachments is strictly prohibited.
>>>>
>>>> If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer.
>>>>
>>>> Messages sent to and from Quadriga may be monitored.
>>>>
>>>> Quadriga cannot guarantee any message delivery method is secure or error-free. Information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
>>>>
>>>> We do not accept responsibility for any errors or omissions in this message and/or attachment that arise as a result of transmission.
>>>>
>>>> You should carry out your own virus checks before opening any attachment.
>>>>
>>>> Any views or opinions presented are solely those of the author and do not necessarily represent those of Quadriga.
>>>>
>>>> --
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>> ------------------------------------------------------------------------
>>>
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>
>>
>>
>> This e-mail is the property of Quadriga Worldwide Ltd, intended for the addressee only and confidential. Any dissemination, copying or distribution of this message or any attachments is strictly prohibited.
>>
>> If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer.
>>
>> Messages sent to and from Quadriga may be monitored.
>>
>> Quadriga cannot guarantee any message delivery method is secure or error-free. Information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
>>
>> We do not accept responsibility for any errors or omissions in this message and/or attachment that arise as a result of transmission.
>>
>> You should carry out your own virus checks before opening any attachment.
>>
>> Any views or opinions presented are solely those of the author and do not necessarily represent those of Quadriga.
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

This e-mail is the property of Quadriga Worldwide Ltd, intended for the addressee only and confidential. Any dissemination, copying or distribution of this message or any attachments is strictly prohibited.
From saphipps at mchsi.com Thu Jan 18 18:25:17 2007
From: saphipps at mchsi.com (Scott A. Phipps)
Date: Thu, 18 Jan 2007 12:25:17 -0600
Subject: [Fedora-directory-users] snmp monitoring
In-Reply-To: <45AFB145.6020104@redhat.com>
References: <1169065238.21157.5.camel@localhost.localdomain> <45AE9FDF.8090509@redhat.com> <1169076114.21157.10.camel@localhost.localdomain> <45AF9605.6080609@redhat.com> <1169139717.7905.2.camel@localhost.localdomain> <45AFB145.6020104@redhat.com>
Message-ID: <1169144717.7905.8.camel@localhost.localdomain>

On Thu, 2007-01-18 at 10:41 -0700, Richard Megginson wrote:
> Scott A. Phipps wrote:
> > On Thu, 2007-01-18 at 08:45 -0700, Richard Megginson wrote:
> >> hosts_ctl is defined in libwrap.so - do you have tcp_wrappers installed e.g.
> >> rpm -qa|grep tcp_wrappers
> >
> > tcp_wrappers-7.6-39 is installed
>
> Hmm - looks like ldap-agent in FDS 1.0.2 is just broken - it's not linked with libwrap. However, on 1.0.4, it is. Here is the output from ldd ldap-agent from FDS 1.0.4 on a FC4 (64 bit) system. I suggest upgrading to FDS 1.0.4.

I may have to try that . . . though the howto on the wiki says it covers only version 1.0.2 and the previous thread on this subject states that they are using 1.0.2 as well.
Oh well, I'll have to play around with it some more when I get back to work.

Thanks,
Scott

From rmeggins at redhat.com Thu Jan 18 18:29:22 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 18 Jan 2007 11:29:22 -0700
Subject: [Fedora-directory-users] FDS Crashing!
In-Reply-To: <45AFBC2B.2000903@quadriga.com>
References: <45AF8DDF.1030008@quadriga.com> <45AF90C0.3080306@redhat.com> <45AFAC5D.9030502@quadriga.com> <45AFB053.1080308@redhat.com> <45AFBC2B.2000903@quadriga.com>
Message-ID: <45AFBC82.7080606@redhat.com>

Nicholas Byrne wrote:
> Richard Megginson wrote:
>> Nicholas Byrne wrote:
>>> Richard Megginson wrote:
>>>> Nicholas Byrne wrote:
>>>>> I'm using the 1.0.4-1 release. My configuration is fairly basic, using "one way" windows sync (ref: https://www.redhat.com/archives/fedora-directory-users/2006-December/msg00070.html).
>>>>>
>>>>> It's been working well until this morning for going on a month (fortunately it's not live yet, but I was planning to put it live this weekend - not anymore!). I'm not sure what occurred exactly, a few password changes and minor updates to a couple of attributes, but since a few hours ago any attempt to write to anything in the userRoot database fails and slapd crashes. I've looked in the error and access logs but it doesn't give much away - on restart I see:
>>>>>
>>>>> [18/Jan/2007:14:48:42 +0000] - Fedora-Directory/1.0.4 B2006.312.435 starting up
>>>>> [18/Jan/2007:14:48:42 +0000] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
>>>>> [18/Jan/2007:14:48:43 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>>>> [18/Jan/2007:14:48:43 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>>>>>
>>>>> What can I do to get more info?
>>>> start-slapd -d 1
>>>> or
>>>> http://directory.fedora.redhat.com/wiki/FAQ#Troubleshooting and use the TRACE debug level.
>>> Thanks, the server takes a long time to fully start and is really quite slow with this switch. I suppose that's normal.
>> Yes.
>>> Any hints as to what else to look for? There is an enormous amount of output. The log ends (when it crashes when I attempt any write operation) with a segmentation fault.
>> So, not just a write of userPassword, but of any attribute?
> Yep, that's correct.
>>>>> Yesterday I did a password change using ldappasswd and I found this issue (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179723) just now - my directory does have a password policy. Is this fixed in 1.0.4?
>>>> Yes, it is supposed to be - but if you reproduced it with 1.0.4, then I guess not :-(
>>>>
>>>> So, if I understand correctly - you used ldappasswd to change a user's password, and you have password policy enabled (global or local?), and you can crash the server.
>>> I have all three requirements it seems to reproduce this bug: 1. ssl on, 2. password policy global and local/subtree, and I've used ldappasswd (yesterday) - uh oh!
>>>
>>> My issue is slightly different in that the server crashes when any update is attempted, not just a modify password.
>>>
>>> Is there any way to restore an old database and turn off all password policy for the time being without writing to the directory / user database? Probably not, I suppose, at least not easily. So is my best bet to dump the directory to ldif and do a reinstall and reconfigure? What do you think?
>> If the database is corrupted, just a dump to LDIF and a reimport might do the trick. If not, then I suggest disabling the local password policy to see if that fixes the problem.
> I did a dump and ended up having to do a ldif2db (as I couldn't write to the live database without a crash) and I seem to be back up and running except I don't have the default ACIs anymore. How can I recreate them?

Are you sure they're missing? Did you use ldapsearch to look for them? Remember that the aci attribute is operational and must be specified on the ldapsearch command line.

> Is there a wiki/manual page or a script with the default ones? That's all I need for the time being.
>>
>> At any rate, please file a bug http://bugzilla.redhat.com/ and list OS + version + bitsize, and detailed steps about how to reproduce the bug. My inclination is that this is a bug which will require a patch to address.
> Will do, and thanks for the support so far, Richard.
>>>>> I have tried a restore from a week old backup (using bak2db) but that didn't fix the problem so anyone got any idea what's going on and how I might start fixing this - Help!?
>>>>>
>>>>> Thanks
>>>>> Nick
From nicholas.byrne at quadriga.com Thu Jan 18 19:06:16 2007
From: nicholas.byrne at quadriga.com (Nicholas Byrne)
Date: Thu, 18 Jan 2007 19:06:16 +0000
Subject: [Fedora-directory-users] FDS Crashing!
In-Reply-To: <45AFBC82.7080606@redhat.com>
References: <45AF8DDF.1030008@quadriga.com> <45AF90C0.3080306@redhat.com> <45AFAC5D.9030502@quadriga.com> <45AFB053.1080308@redhat.com> <45AFBC2B.2000903@quadriga.com> <45AFBC82.7080606@redhat.com>
Message-ID: <45AFC528.7000005@quadriga.com>

Richard Megginson wrote:
> Nicholas Byrne wrote:
>> Richard Megginson wrote:
>>> Nicholas Byrne wrote:
>>>> Richard Megginson wrote:
>>>>> Nicholas Byrne wrote:
>>>>>> I'm using the 1.0.4-1 release. My configuration is fairly basic, using "one way" windows sync (ref: https://www.redhat.com/archives/fedora-directory-users/2006-December/msg00070.html).
>>>>>>
>>>>>> It's been working well until this morning for going on a month (fortunately it's not live yet, but I was planning to put it live this weekend - not anymore!). I'm not sure what occurred exactly, a few password changes and minor updates to a couple of attributes, but since a few hours ago any attempt to write to anything in the userRoot database fails and slapd crashes. I've looked in the error and access logs but it doesn't give much away - on restart I see:
>>>>>>
>>>>>> [18/Jan/2007:14:48:42 +0000] - Fedora-Directory/1.0.4 B2006.312.435 starting up
>>>>>> [18/Jan/2007:14:48:42 +0000] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
>>>>>> [18/Jan/2007:14:48:43 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>>>>> [18/Jan/2007:14:48:43 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>>>>>>
>>>>>> What can I do to get more info?
>>>>> start-slapd -d 1
>>>>> or
>>>>> http://directory.fedora.redhat.com/wiki/FAQ#Troubleshooting and use the TRACE debug level.
>>>> Thanks, the server takes a long time to fully start and is really quite slow with this switch. I suppose that's normal.
>>> Yes.
>>>> Any hints as to what else to look for? There is an enormous amount of output. The log ends (when it crashes when I attempt any write operation) with a segmentation fault.
>>> So, not just a write of userPassword, but of any attribute?
>> Yep, that's correct.
>>>>>> Yesterday I did a password change using ldappasswd and I found this issue (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179723) just now - my directory does have a password policy. Is this fixed in 1.0.4?
>>>>> Yes, it is supposed to be - but if you reproduced it with 1.0.4, then I guess not :-(
>>>>>
>>>>> So, if I understand correctly - you used ldappasswd to change a user's password, and you have password policy enabled (global or local?), and you can crash the server.
>>>> I have all three requirements it seems to reproduce this bug: 1. ssl on, 2. password policy global and local/subtree, and I've used ldappasswd (yesterday) - uh oh!
>>>>
>>>> My issue is slightly different in that the server crashes when any update is attempted, not just a modify password.
>>>>
>>>> Is there any way to restore an old database and turn off all password policy for the time being without writing to the directory / user database? Probably not, I suppose, at least not easily. So is my best bet to dump the directory to ldif and do a reinstall and reconfigure? What do you think?
>>> If the database is corrupted, just a dump to LDIF and a reimport might do the trick. If not, then I suggest disabling the local password policy to see if that fixes the problem.
>> I did a dump and ended up having to do a ldif2db (as I couldn't write to the live database without a crash) and I seem to be back up and running except I don't have the default ACIs anymore. How can I recreate them?
>
> Are you sure they're missing? Did you use ldapsearch to look for them?
> Remember that the aci attribute is operational and must be specified on the ldapsearch command line.

The process I followed was ("tech" is my top level dn/domain) -

ldapsearch -x -b "dc=tech" | egrep -v '^pwdpolicysubentry|^ tainer' > tech.ldif
vi tech.ldif # remove subtree password policy - "dn: cn=nsPwPolicyContainer,ou=People,dc=tech"
stop-slapd
ldif2db -n userRoot -i tech.ldif &> ~/import.log

So maybe I missed them out; are ACIs stored in the NetscapeRoot or "userRoot" db? I had to add a single generic one to my top level domain (tech) to be able to read it without being "cn=Domain Manager". I've used the FD console to look for ACIs but none seem obvious, and I'm sure there were a number of default ACIs (selfwrite, read for all - not sure of names/dn's etc) but now there appear to be none.

After adding this generic one on the dc=tech dn, running "ldapsearch -x" and looking through the output, it appears ACIs are stored elsewhere. Where?

Thanks again

>> Is there a wiki/manual page or a script with the default ones? That's all I need for the time being.
>>>
>>> At any rate, please file a bug http://bugzilla.redhat.com/ and list OS + version + bitsize, and detailed steps about how to reproduce the bug. My inclination is that this is a bug which will require a patch to address.
>> Will do, and thanks for the support so far, Richard.
>>>>>> I have tried a restore from a week old backup (using bak2db) but that didn't fix the problem so anyone got any idea what's going on and how I might start fixing this - Help!?
>>>>>>
>>>>>> Thanks
>>>>>> Nick
From rmeggins at redhat.com Thu Jan 18 19:16:39 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 18 Jan 2007 12:16:39 -0700
Subject: [Fedora-directory-users] FDS Crashing!
In-Reply-To: <45AFC528.7000005@quadriga.com>
References: <45AF8DDF.1030008@quadriga.com> <45AF90C0.3080306@redhat.com> <45AFAC5D.9030502@quadriga.com> <45AFB053.1080308@redhat.com> <45AFBC2B.2000903@quadriga.com> <45AFBC82.7080606@redhat.com> <45AFC528.7000005@quadriga.com>
Message-ID: <45AFC797.4090205@redhat.com>

Nicholas Byrne wrote:
> Richard Megginson wrote:
>> Nicholas Byrne wrote:
>>> Richard Megginson wrote:
>>>> Nicholas Byrne wrote:
>>>>> Richard Megginson wrote:
>>>>>> Nicholas Byrne wrote:
>>>>>>> I'm using the 1.0.4-1 release. My configuration is fairly basic, using "one way" windows sync (ref: https://www.redhat.com/archives/fedora-directory-users/2006-December/msg00070.html).
>>>>>>>
>>>>>>> It's been working well until this morning for going on a month (fortunately it's not live yet, but I was planning to put it live this weekend - not anymore!). I'm not sure what occurred exactly, a few password changes and minor updates to a couple of attributes, but since a few hours ago any attempt to write to anything in the userRoot database fails and slapd crashes. I've looked in the error and access logs but it doesn't give much away - on restart I see:
>>>>>>>
>>>>>>> [18/Jan/2007:14:48:42 +0000] - Fedora-Directory/1.0.4 B2006.312.435 starting up
>>>>>>> [18/Jan/2007:14:48:42 +0000] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
>>>>>>> [18/Jan/2007:14:48:43 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>>>>>> [18/Jan/2007:14:48:43 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>>>>>>>
>>>>>>> What can I do to get more info?
>>>>>> start-slapd -d 1
>>>>>> or
>>>>>> http://directory.fedora.redhat.com/wiki/FAQ#Troubleshooting and use the TRACE debug level.
>>>>> Thanks, the server takes a long time to fully start and is really quite slow with this switch. I suppose that's normal.
>>>> Yes.
>>>>> Any hints as to what else to look for? There is an enormous amount of output. The log ends (when it crashes when I attempt any write operation) with a segmentation fault.
>>>> So, not just a write of userPassword, but of any attribute?
>>> Yep, that's correct.
>>>>>>> Yesterday I did a password change using ldappasswd and I found this issue (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179723) just now - my directory does have a password policy. Is this fixed in 1.0.4?
>>>>>> Yes, it is supposed to be - but if you reproduced it with 1.0.4, then I guess not :-(
>>>>>>
>>>>>> So, if I understand correctly - you used ldappasswd to change a user's password, and you have password policy enabled (global or local?), and you can crash the server.
>>>>> I have all three requirements it seems to reproduce this bug: 1. ssl on, 2. password policy global and local/subtree, and I've used ldappasswd (yesterday) - uh oh!
>>>>>
>>>>> My issue is slightly different in that the server crashes when any update is attempted, not just a modify password.
>>>>>
>>>>> Is there any way to restore an old database and turn off all password policy for the time being without writing to the directory / user database? Probably not, I suppose, at least not easily. So is my best bet to dump the directory to ldif and do a reinstall and reconfigure? What do you think?
>>>> If the database is corrupted, just a dump to LDIF and a reimport might do the trick. If not, then I suggest disabling the local password policy to see if that fixes the problem.
>>> I did a dump and ended up having to do a ldif2db (as I couldn't write to the live database without a crash) and I seem to be back up and running except I don't have the default ACIs anymore. How can I recreate them?
>>
>> Are you sure they're missing? Did you use ldapsearch to look for them? Remember that the aci attribute is operational and must be specified on the ldapsearch command line.
> The process I followed was ("tech" is my top level dn/domain) -
>
> ldapsearch -x -b "dc=tech" | egrep -v '^pwdpolicysubentry|^ tainer' > tech.ldif
> vi tech.ldif # remove subtree password policy - "dn: cn=nsPwPolicyContainer,ou=People,dc=tech"
> stop-slapd
> ldif2db -n userRoot -i tech.ldif &> ~/import.log
>
> So maybe I missed them out; are ACIs stored in the NetscapeRoot or "userRoot" db?

Both. ACIs are stored with the regular data in the database.

> I had to add a single generic one to my top level domain (tech) to be able to read it without being "cn=Domain Manager". I've used the FD console to look for ACIs but none seem obvious, and I'm sure there were a number of default ACIs (selfwrite, read for all - not sure of names/dn's etc) but now there appear to be none.
>
> After adding this generic one on the dc=tech dn, running "ldapsearch -x" and looking through the output, it appears ACIs are stored elsewhere. Where?

Try this:

ldapsearch -x -D "cn=directory manager" -w password -b "dc=tech" "aci=*" aci

> Thanks again
>>
>>> Is there a wiki/manual page or a script with the default ones? That's all I need for the time being.
>>>>
>>>> At any rate, please file a bug http://bugzilla.redhat.com/ and list OS + version + bitsize, and detailed steps about how to reproduce the bug. My inclination is that this is a bug which will require a patch to address.
>>> Will do, and thanks for the support so far, Richard.
>>>>>>> I have tried a restore from a week old backup (using bak2db) but that didn't fix the problem so anyone got any idea what's going on and how I might start fixing this - Help!?
>>>>>>>
>>>>>>> Thanks
>>>>>>> Nick
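A check on the dump-and-reimport procedure and the aci search discussed above, as an added example that is not code from the thread or from Fedora Directory Server: it parses an LDIF file the way ldapsearch prints it (folded continuation lines, "::" base64 values), counts the aci values so you can tell before ldif2db whether the operational attribute made it into the dump at all, and flags ACIs that allow write-class rights to anonymous binds. The sample LDIF and the function names are constructed for this example.

```python
"""Audit the aci attribute in an LDIF export before reimporting with ldif2db.

Added example, not code from the mailing-list thread or from Fedora
Directory Server. Zero aci values in an export usually means ldapsearch was
run without naming the operational attribute, so a reimport drops every ACI.
"""
import base64
import re

# Rights beyond read/search/compare; allowing these to anonymous binders
# lets any unauthenticated client change the directory.
WRITE_RIGHTS = {"write", "add", "delete", "all", "proxy"}

# One "allow (rights) bind-rule;" or "deny (rights) bind-rule;" clause.
RULE_RE = re.compile(r"\b(allow|deny)\s*\(([^)]*)\)(.*?);", re.I | re.S)
ACL_NAME_RE = re.compile(r'\bacl\s+"([^"]*)"', re.I)


def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}) entries from LDIF text."""
    # Unfold: a line starting with a single space continues the previous one.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = [], None
    for line in lines:
        if line.startswith("#"):          # ldapsearch comment lines
            continue
        if not line.strip():              # blank line ends an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name.lower(), []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def aci_rules(aci):
    """Yield (kind, rights, bind_rule) for each allow/deny clause of an ACI."""
    for m in RULE_RE.finditer(aci):
        rights = {r.strip().lower() for r in m.group(2).split(",") if r.strip()}
        yield m.group(1).lower(), rights, m.group(3).strip()


def anonymous_write_grants(aci):
    """Return the write-class rights an ACI allows to anonymous binds."""
    risky = set()
    for kind, rights, bind_rule in aci_rules(aci):
        if kind == "allow" and "ldap:///anyone" in bind_rule.lower():
            risky |= rights & WRITE_RIGHTS
    return risky


def audit_export(ldif_text):
    """Return (aci_count, findings); a finding is (dn, acl name, rights)."""
    count, findings = 0, []
    for dn, attrs in parse_ldif(ldif_text):
        for aci in attrs.get("aci", []):
            count += 1
            risky = anonymous_write_grants(aci)
            if risky:
                name = ACL_NAME_RE.search(aci)
                findings.append((dn, name.group(1) if name else "?", sorted(risky)))
    return count, findings


# Constructed sample in the shape of
#   ldapsearch -x -D "cn=directory manager" -w ... -b "dc=tech" "aci=*" aci
# output; the first ACI is modelled on the single one posted in the thread.
SAMPLE_LDIF = """\
dn: dc=tech
aci: (targetattr = "*") (version 3.0;acl "DefaultReadAllandWriteSelf";allow (a
 ll)(userdn = "ldap:///anyone");)
aci: (targetattr != "userPassword") (version 3.0;acl "Anonymous read";allow (r
 ead, search, compare) userdn = "ldap:///anyone";)

dn: ou=People,dc=tech
aci: (targetattr = "*") (version 3.0;acl "Self write";allow (write) userdn = "
 ldap:///self";)

dn: uid=nick,ou=People,dc=tech
"""

if __name__ == "__main__":
    total, problems = audit_export(SAMPLE_LDIF)
    if total == 0:
        print("no aci values in export: re-run ldapsearch with aci in the attribute list")
    for dn, name, rights in problems:
        print(f"{dn}: acl {name!r} allows {rights} to anonymous binds")
```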
From nicholas.byrne at quadriga.com  Thu Jan 18 19:34:57 2007
From: nicholas.byrne at quadriga.com (Nicholas Byrne)
Date: Thu, 18 Jan 2007 19:34:57 +0000
Subject: [Fedora-directory-users] FDS Crashing!
In-Reply-To: <45AFC797.4090205@redhat.com>
References: <45AF8DDF.1030008@quadriga.com> <45AF90C0.3080306@redhat.com> <45AFAC5D.9030502@quadriga.com> <45AFB053.1080308@redhat.com> <45AFBC2B.2000903@quadriga.com> <45AFBC82.7080606@redhat.com> <45AFC528.7000005@quadriga.com> <45AFC797.4090205@redhat.com>
Message-ID: <45AFCBE1.6030903@quadriga.com>

running

ldapsearch -x -D "cn=directory manager" -w password -b "dc=tech" "aci=*" aci

I get -

# tech
dn: dc=tech
aci: (targetattr = "*") (version 3.0;acl "DefaultReadAllandWriteSelf";allow (a
 ll)(userdn = "ldap:///anyone");)

That's it, it is the one I created (disclaimer in case of embarrassment - don't know that much about ACIs yet!).

Richard Megginson wrote:
> Nicholas Byrne wrote:
>> Richard Megginson wrote:
>>> Nicholas Byrne wrote:
>>>> Richard Megginson wrote:
>>>>> Nicholas Byrne wrote:
>>>>>> Richard Megginson wrote:
>>>>>>> Nicholas Byrne wrote:
>>>>>>>> I'm using 1.0.4-1 release. My configuration fairly basic using
>>>>>>>> "one way" windows sync (ref:
>>>>>>>> https://www.redhat.com/archives/fedora-directory-users/2006-December/msg00070.html).
>>>>>>>>
>>>>>>>> It's been working well until this morning for going on a month
>>>>>>>> (fortunately it's not live yet, but was planning to put it live
>>>>>>>> this weekend - not anymore!). I'm not sure what occurred
>>>>>>>> exactly, a few password changes and minor updates to a couple
>>>>>>>> of attributes but since a few hours ago any attempt to write to
>>>>>>>> anything in the userRoot database fails and slapd crashes. I've
>>>>>>>> looked in the error and access logs but it doesn't give much
>>>>>>>> away - on restart I see:
>>>>>>>>
>>>>>>>> [18/Jan/2007:14:48:42 +0000] - Fedora-Directory/1.0.4 B2006.312.435 starting up
>>>>>>>> [18/Jan/2007:14:48:42 +0000] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
>>>>>>>> [18/Jan/2007:14:48:43 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>>>>>>> [18/Jan/2007:14:48:43 +0000] - Listening on All Interfaces port 636 for LDAPS requests
>>>>>>>>
>>>>>>>> What can do to get more info?
>>>>>>> start-slapd -d 1
>>>>>>> or
>>>>>>> http://directory.fedora.redhat.com/wiki/FAQ#Troubleshooting and
>>>>>>> use the TRACE debug level.
>>>>>> thanks, the server takes a long time to fully start and is really
>>>>>> quite slow with this switch. I suppose that's normal.
>>>>> Yes.
>>>>>> Any hints as to what else to look for, there is an enormous
>>>>>> amount of output. The log ends (when it crashes when I attempt
>>>>>> any write operation) with a segmentation fault.
>>>>> So, not just a write of userPassword, but of any attribute?
>>>> Yep that's correct
>>>>>>>>
>>>>>>>> Yesterday I did password change using ldappasswd and I found
>>>>>>>> this issue
>>>>>>>> (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179723)
>>>>>>>> just now - my directory does have a password policy. Is this
>>>>>>>> fixed in 1.0.4?
>>>>>>> Yes, it is supposed to be - but if you reproduced it with 1.0.4,
>>>>>>> then I guess not :-(
>>>>>>>
>>>>>>> So, if I understand correctly - you used ldappasswd to change a
>>>>>>> user's password, and you have password policy enabled (global or
>>>>>>> local?), and you can crash the server.
>>>>>> I have all three requirements it seems to reproduce this bug, 1.
>>>>>> ssl on, 2. password policy global and local/subtree and I've used
>>>>>> ldappassword (yesterday) - uh oh!
>>>>>>
>>>>>> My issue is slightly different in that the server crashes when
>>>>>> any update is attempted, not just a modify password.
>>>>>>
>>>>>> Is there any way to restore an old database and turn off all
>>>>>> password policy for the time being without writing to the
>>>>>> directory / user database? Probably not I suppose, at least not
>>>>>> easily. So is my best bet to dump the directory to ldif and do a
>>>>>> reinstall and reconfigure. What do you think?
>>>>> If the database is corrupted, just a dump to LDIF and a reimport
>>>>> might do the trick. If not, then I suggest disabling the local
>>>>> password policy to see if that fixes the problem.
>>>> I did a dump and ended up having to do a ldif2db (as I couldn't
>>>> write to the live database without a crash) and I seem to be back
>>>> up and running except I don't have the default ACIs anymore. How
>>>> can I recreate them?
>>>
>>> Are you sure they're missing? Did you use ldapsearch to look for
>>> them? Remember that the aci attribute is operational and must be
>>> specified on the ldapsearch command line.
>> The process I followed was ("tech" is my top level dn/domain) -
>>
>> ldapsearch -x -b "dc=tech" | egrep -v '^pwdpolicysubentry|^ tainer' > tech.ldif
>> vi tech.ldif # remove subtree password policy - "dn: cn=nsPwPolicyContainer,ou=People,dc=tech"
>> stop-slapd
>> ldif2db -n userRoot -i tech.ldif &> ~/import.log
>>
>> So maybe I missed them out, are ACIs stored in the NetscapeRoot or
>> "userRoot" db?
> Both. acis are stored with the regular data in the database.
>>
>> I had to add a single generic one to my top level domain (tech) be
>> able to read it without being "cn=Domain Manager". I've used the FD
>> console to look for ACIs but none seem obvious and I'm sure there
>> were a number of default ACIs (selfwrite, read for all - not sure of
>> names/dn's etc) but now there appear to be none.
>>
>> After adding this generic one on the dc=tech dn, running "ldapsearch
>> -x" and looking through output, it appears ACIs are stored
>> elsewhere. Where?
> try this:
> ldapsearch -x -D "cn=directory manager" -w password -b "dc=tech" "aci=*" aci
>> Thanks again
>>>
>>>> Is there wiki/manual page or a script with the default ones, that's
>>>> all I need for the time being.
>>>>>
>>>>> At any rate, please file a bug http://bugzilla.redhat.com/ and
>>>>> list OS + version + bitsize, and detailed steps about how to
>>>>> reproduce the bug. My inclination is that this is a bug which
>>>>> will require a patch to address.
>>>> Will do, and help so far the support Richard.
>>>>>>>>
>>>>>>>> I have tried a restore from a week old backup (using bak2db)
>>>>>>>> but that didn't fix the problem so anyone got any idea what's
>>>>>>>> going on and how I might start fixing this - Help!?
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Nick
>>>>>>>>
>>>>>>>> --
>>>>>>>> Fedora-directory-users mailing list
>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users

This e-mail is the property of Quadriga Worldwide Ltd, intended for the addressee only and confidential. Any dissemination, copying or distribution of this message or any attachments is strictly prohibited.

If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer.

Messages sent to and from Quadriga may be monitored.

Quadriga cannot guarantee any message delivery method is secure or error-free. Information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.

We do not accept responsibility for any errors or omissions in this message and/or attachment that arise as a result of transmission.

You should carry out your own virus checks before opening any attachment.

Any views or opinions presented are solely those of the author and do not necessarily represent those of Quadriga.

From nicholas.byrne at quadriga.com  Thu Jan 18 19:51:40 2007
From: nicholas.byrne at quadriga.com (Nicholas Byrne)
Date: Thu, 18 Jan 2007 19:51:40 +0000
Subject: [Fedora-directory-users] FDS Crashing!
In-Reply-To: <45AFCBE1.6030903@quadriga.com>
References: <45AF8DDF.1030008@quadriga.com> <45AF90C0.3080306@redhat.com> <45AFAC5D.9030502@quadriga.com> <45AFB053.1080308@redhat.com> <45AFBC2B.2000903@quadriga.com> <45AFBC82.7080606@redhat.com> <45AFC528.7000005@quadriga.com> <45AFC797.4090205@redhat.com> <45AFCBE1.6030903@quadriga.com>
Message-ID: <45AFCFCC.9000508@quadriga.com>

In /opt/fedora-ds/slapd-/ldif/Example.ldif there are the default ACIs I believe I'm looking for (snippet) -

aci: (target ="ldap:///dc=example,dc=com")(targetattr != "userPassword")(version 3.0;acl "Anonymous read-search access"; allow (read, search, compare)(userdn = "ldap:///anyone");)
aci: (target="ldap:///dc=example,dc=com") (targetattr = "*")(version 3.0; acl "allow all Admin group"; allow(all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)

and some more for ou=people. I'll try these (with modifications) and hopefully that should do it.
Nicholas Byrne wrote:
> running
>
> ldapsearch -x -D "cn=directory manager" -w password -b "dc=tech" "aci=*" aci
>
> I get -
>
> # tech
> dn: dc=tech
> aci: (targetattr = "*") (version 3.0;acl "DefaultReadAllandWriteSelf";allow (a
>  ll)(userdn = "ldap:///anyone");)
>
> That's it, it is the one I created (disclaimer in case of embarrassment
> - don't know that much about ACIs yet!).
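A way to check what an `ldapsearch ... "aci=*" aci` dump like the one in the two messages above actually grants, as an added example (constructed for this thread; it is not code from Fedora Directory Server or from either poster): it rejoins the LDIF continuation lines, splits each aci value into its target clauses and permission rules, and flags allow rules whose bind rule is `userdn = "ldap:///anyone"` (which matches unauthenticated binds as well as authenticated ones) or `ldap:///all`. Run over a sample modelled on the thread, it reports the stop-gap `DefaultReadAllandWriteSelf` ACI as HIGH, since `allow (all)` to anyone lets an anonymous client modify or delete any entry under dc=tech, while the two Example.ldif ACIs pass: the anonymous one grants only read/search/compare and excludes `userPassword`, and the admin one is limited to a group. The `retarget` helper rewrites the dc=example,dc=com DNs in those stock ACIs for another suffix, the "modifications" the second message refers to. The sample LDIF, the regular expressions and the severity labels are my own; the ACI strings are the ones quoted in the thread.

```python
"""Parse the aci values in ldapsearch (LDIF) output and flag over-broad grants.
Constructed example for this thread, not code from Fedora Directory Server; the
sample LDIF is modelled on the output quoted in the thread, not captured live."""
import re
from dataclasses import dataclass

# Constructed sample. LDIF folds long values: a continuation line begins with
# one space, which is dropped when the value is reassembled.
SAMPLE_LDIF = """\
# tech
dn: dc=tech
aci: (targetattr = "*") (version 3.0;acl "DefaultReadAllandWriteSelf";allow (a
 ll)(userdn = "ldap:///anyone");)

# example, com
dn: dc=example,dc=com
aci: (target ="ldap:///dc=example,dc=com")(targetattr != "userPassword")(version 3.0;acl "Anonymous read-search access"; allow (read, search, compare)(userdn = "ldap:///anyone");)
aci: (target="ldap:///dc=example,dc=com") (targetattr = "*")(version 3.0; acl "allow all Admin group"; allow(all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
"""

TARGET_RE = re.compile(r'\(\s*(target|targetattr|targetfilter)\s*(!=|=)\s*"([^"]*)"\s*\)', re.I)
HEADER_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s*"([^"]*)"\s*;(.*)\)\s*$', re.I | re.S)
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.*?);', re.I | re.S)
BIND_RE = re.compile(r'(userdn|groupdn|roledn|userattr|authmethod)\s*(!=|=)\s*"([^"]*)"', re.I)
WRITE_RIGHTS = {"all", "write", "add", "delete", "moddn"}
# userdn subjects that match far more than one principal
BROAD_SUBJECTS = {"ldap:///anyone": "anonymous (unauthenticated) binds", "ldap:///all": "every authenticated user"}

def unfold_ldif(text):
    """Rejoin LDIF continuation lines onto the line they belong to."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def extract_acis(text):
    """Return [(dn, aci_value), ...] from LDIF text, skipping comments."""
    found, dn = [], None
    for line in unfold_ldif(text):
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
        elif attr == "aci" and dn is not None:
            found.append((dn, value))
    return found

@dataclass
class Aci:
    name: str
    targets: dict  # keyword -> (operator, value)
    rules: list    # [(verb, {rights}, [(bind keyword, operator, value), ...]), ...]

def parse_aci(value):
    """Split one ACI string into its target clauses and permission rules."""
    targets = {m.group(1).lower(): (m.group(2), m.group(3)) for m in TARGET_RE.finditer(value)}
    head = HEADER_RE.search(value)
    if head is None:
        raise ValueError("no (version 3.0; acl ...) clause in: " + value)
    rules = []
    for rule in RULE_RE.finditer(head.group(2)):
        rights = {r.strip().lower() for r in rule.group(2).split(",") if r.strip()}
        binds = [(b.group(1).lower(), b.group(2), b.group(3)) for b in BIND_RE.finditer(rule.group(3))]
        rules.append((rule.group(1).lower(), rights, binds))
    return Aci(head.group(1), targets, rules)

def lint_aci(aci):
    """Return (severity, message) findings for allow rules aimed at anyone/all."""
    findings = []
    tattr = aci.targets.get("targetattr")
    every_attr = tattr is not None and tattr[0] == "=" and tattr[1].strip() == "*"
    for verb, rights, binds in aci.rules:
        if verb != "allow":
            continue
        for keyword, op, subject in binds:
            who = BROAD_SUBJECTS.get(subject.lower())
            if keyword != "userdn" or op != "=" or who is None:
                continue
            if rights & WRITE_RIGHTS:
                findings.append(("HIGH", f"{aci.name}: {sorted(rights)} granted to {who}; "
                                 "entries under the target, passwords included, can be changed or deleted"))
            elif "read" in rights and every_attr:
                findings.append(("MEDIUM", f"{aci.name}: read of every attribute granted to {who}; "
                                 'the stock ACI excludes userPassword with (targetattr != "userPassword")'))
    return findings

def lint_ldif(text):
    """Lint every aci value in ldapsearch output; returns [(dn, severity, message), ...]."""
    return [(dn, sev, msg) for dn, value in extract_acis(text)
            for sev, msg in lint_aci(parse_aci(value))]

def retarget(aci_value, old_suffix, new_suffix):
    """Rewrite the DNs in an ACI copied from Example.ldif for another suffix."""
    return re.sub(re.escape(old_suffix), new_suffix, aci_value, flags=re.I)

if __name__ == "__main__":
    for dn, severity, message in lint_ldif(SAMPLE_LDIF):
        print(f"{severity:6} {dn}: {message}")
    for _, value in extract_acis(SAMPLE_LDIF)[1:]:
        print(retarget(value, "dc=example,dc=com", "dc=tech"))
```

Feed it the output of the ldapsearch command Richard gave (the `aci` attribute is operational, so it must be named on the command line) rather than a plain `ldapsearch -x` dump, and remember that the bind rule is only half of the picture: the `target`/`targetattr` clauses decide which entries and attributes a grant covers, which is why the linter only escalates a broad read grant when `targetattr = "*"`.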
From rmeggins at redhat.com  Thu Jan 18 19:54:24 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 18 Jan 2007 12:54:24 -0700
Subject: [Fedora-directory-users] FDS Crashing!
In-Reply-To: <45AFCFCC.9000508@quadriga.com>
References: <45AF8DDF.1030008@quadriga.com> <45AF90C0.3080306@redhat.com> <45AFAC5D.9030502@quadriga.com> <45AFB053.1080308@redhat.com> <45AFBC2B.2000903@quadriga.com> <45AFBC82.7080606@redhat.com> <45AFC528.7000005@quadriga.com> <45AFC797.4090205@redhat.com> <45AFCBE1.6030903@quadriga.com> <45AFCFCC.9000508@quadriga.com>
Message-ID: <45AFD070.3040207@redhat.com>

Nicholas Byrne wrote:
> In /opt/fedora-ds/slapd-/ldif/Example.ldif there are the default
> ACIs I believe I'm looking for (snippet) -
>
> aci: (target ="ldap:///dc=example,dc=com")(targetattr != "userPassword")(version 3.0;acl "Anonymous read-search access"; allow (read, search, compare)(userdn = "ldap:///anyone");)
> aci: (target="ldap:///dc=example,dc=com") (targetattr = "*")(version 3.0; acl "allow all Admin group"; allow(all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
>
> and some more for ou=people. I'll try these (with modifications) and
> hopefully that should do it.
Ok. But I wonder what happened to the defaults in your original database? How did you create the suffix? How did you import the data?

Note that the default ACIs are only added when you create the default suffix using the setup utility. If you go into the console and create a new root suffix, then populate it manually, there will be no default ACIs, only ones that you add explicitly.
>>> try this: >>> ldapsearch -x -D "cn=directory manager" -w password -b "dc=tech" >>> "aci=*" aci >>>> Thanks again >>>>> >>>>>> Is there wiki/manual page or a script with the default ones, >>>>>> thats all i need for the time being. >>>>>>> >>>>>>> At any rate, please file a bug http://bugzilla.redhat.com/ and >>>>>>> list OS + version + bitsize, and detailed steps about how to >>>>>>> reproduce the bug. My inclination is that this is a bug which >>>>>>> will require a patch to address. >>>>>> Will do, and help so far the support Richard. >>>>>>>>>> >>>>>>>>>> I have tried a restore from a week old backup (using bak2db) >>>>>>>>>> but that didn't fix the problem so anyone got any idea whats >>>>>>>>>> going on and how i might start fixing this - Help!? >>>>>>>>>> >>>>>>>>>> Thanks >>>>>>>>>> Nick >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> This e-mail is the property of Quadriga Worldwide Ltd, >>>>>>>>>> intended for the addressee only and confidential. Any >>>>>>>>>> dissemination, copying or distribution of this message or any >>>>>>>>>> attachments is strictly prohibited. >>>>>>>>>> >>>>>>>>>> If you have received this message in error, please notify us >>>>>>>>>> immediately by replying to the message and deleting it from >>>>>>>>>> your computer. >>>>>>>>>> >>>>>>>>>> Messages sent to and from Quadriga may be monitored. >>>>>>>>>> >>>>>>>>>> Quadriga cannot guarantee any message delivery method is >>>>>>>>>> secure or error-free. Information could be intercepted, >>>>>>>>>> corrupted, lost, destroyed, arrive late or incomplete, or >>>>>>>>>> contain viruses. >>>>>>>>>> >>>>>>>>>> We do not accept responsibility for any errors or omissions >>>>>>>>>> in this message and/or attachment that arise as a result of >>>>>>>>>> transmission. >>>>>>>>>> >>>>>>>>>> You should carry out your own virus checks before opening any >>>>>>>>>> attachment. 
>>>>>>>>>>
>>>>>>>>>> Any views or opinions presented are solely those of the
>>>>>>>>>> author and do not necessarily represent those of Quadriga.
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
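The ACI the poster created, quoted earlier in this thread as `(targetattr = "*") (version 3.0;acl "DefaultReadAllandWriteSelf";allow (all)(userdn = "ldap:///anyone");)`, is named as if it granted read to everyone and write only to self, but its rule grants all rights (read, write, add, delete and so on), over every attribute including userPassword, to anonymous binds. That is exactly what the Example.ldif default avoids: it excludes userPassword and allows only read, search and compare. The following is an added example, not code from the thread or from Fedora Directory Server, that parses the pieces of an ACI shown in this thread and flags broad grants of that kind. The sample ACI values are the three quoted in the thread; the simplified parsing (a single `version 3.0;` header followed by `allow`/`deny` clauses each terminated by `;`) is an assumption that covers these values, not every ACI form.

```python
import re

# Constructed sample values: the ACI the poster added (quoted earlier in the
# thread) plus the two defaults he quoted from Example.ldif.
SAMPLE_ACIS = [
    '(targetattr = "*") (version 3.0;acl "DefaultReadAllandWriteSelf";'
    'allow (all)(userdn = "ldap:///anyone");)',
    '(target ="ldap:///dc=example,dc=com")(targetattr != "userPassword")'
    '(version 3.0;acl "Anonymous read-search access"; '
    'allow (read, search, compare)(userdn = "ldap:///anyone");)',
    '(target="ldap:///dc=example,dc=com") (targetattr = "*")'
    '(version 3.0; acl "allow all Admin group"; allow(all) groupdn = '
    '"ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)',
]

# Rights that let the subject change directory data.  selfwrite is left out:
# it only lets a user add or remove their own DN in group membership attributes.
WRITE_LIKE = {"all", "write", "add", "delete", "proxy"}

NAME_RE = re.compile(r'acl\s+"([^"]*)"', re.I)
TARGETATTR_RE = re.compile(r'targetattr\s*(!?=)\s*"([^"]*)"', re.I)
# One permission clause: allow/deny, the rights list, then the bind rule up to ';'
RULE_RE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;', re.I | re.S)


def parse_aci(aci):
    """Extract the acl name, the targetattr operator/value and the rule clauses.

    Assumption (simplified parser): a single 'version 3.0;' header followed by
    allow/deny clauses each terminated by ';'.  targetattr is None when absent,
    which in the ACI syntax means every attribute.
    """
    name = NAME_RE.search(aci)
    targetattr = TARGETATTR_RE.search(aci)
    body = aci.split("version 3.0", 1)[-1]
    rules = []
    for perm, rights, bind in RULE_RE.findall(body):
        rights_set = {r.strip().lower() for r in rights.split(",") if r.strip()}
        rules.append((perm.lower(), rights_set, bind.strip()))
    return {
        "name": name.group(1) if name else "<unnamed>",
        "targetattr_op": targetattr.group(1) if targetattr else None,
        "targetattr": targetattr.group(2) if targetattr else None,
        "rules": rules,
    }


def findings_for(aci):
    """Return human-readable findings for one ACI; an empty list means clean."""
    parsed = parse_aci(aci)
    op, val = parsed["targetattr_op"], parsed["targetattr"]
    # Only an explicit 'targetattr != "...userPassword..."' keeps password
    # hashes out of a read grant; '*' or no targetattr at all includes them.
    excludes_password = op == "!=" and "userpassword" in (val or "").lower()
    findings = []
    for perm, rights, bind in parsed["rules"]:
        if perm != "allow":
            continue
        bind_l = bind.lower()
        if '"ldap:///anyone"' in bind_l:
            who = "anonymous and authenticated users"
        elif '"ldap:///all"' in bind_l:
            who = "all authenticated users"
        else:
            continue  # a specific user, group or role: not a broad grant
        write = sorted(rights & WRITE_LIKE)
        if write:
            findings.append(f'{parsed["name"]}: grants {write} to {who}')
        if rights & {"read", "all"} and not excludes_password:
            findings.append(f'{parsed["name"]}: lets {who} read userPassword')
    return findings


def audit(acis):
    """Map acl name -> findings for every ACI that has at least one finding."""
    report = {}
    for aci in acis:
        findings = findings_for(aci)
        if findings:
            report[parse_aci(aci)["name"]] = findings
    return report


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_ACIS).items():
        print(name)
        for problem in problems:
            print("  -", problem)
```

Feed it the values from `ldapsearch -x -D "cn=directory manager" -w password -b "dc=tech" "aci=*" aci` (the command given later in the thread) and only the poster's own ACI is reported, with two findings: all rights to anonymous, and userPassword readable.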
From mike at subfocal.net Thu Jan 18 22:10:39 2007
From: mike at subfocal.net (Mike Mueller)
Date: Thu, 18 Jan 2007 17:10:39 -0500
Subject: [Fedora-directory-users] Slapd command line usage
Message-ID: <20070118221039.GB31152@zelda.vigilantsw.com>

Hi all.

I am looking to run the slapd process in the foreground on a Unix system, so I can be notified immediately if it dies...

Looking at the usage of the "start-slapd" command:

usage: ns-slapd -D instancedir [-d debuglevel] [-i pidlogfile] [-v] [-V]

There's no real guidance as to how the -d option works (i.e. what levels it supports), but experimentally, we've determined that -d 0 will run the process and not fork/exit into the background. Is this behavior known, and should we count on it? Is there a better way to get the slapd to stay in the foreground? Finally, what debug levels are available, and what do they mean?

Thanks!

--
Mike Mueller
mike at subfocal.net

From rmeggins at redhat.com Thu Jan 18 22:44:26 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 18 Jan 2007 15:44:26 -0700
Subject: [Fedora-directory-users] Slapd command line usage
In-Reply-To: <20070118221039.GB31152@zelda.vigilantsw.com>
References: <20070118221039.GB31152@zelda.vigilantsw.com>
Message-ID: <45AFF84A.6090407@redhat.com>

Mike Mueller wrote:
> Hi all.
>
> I am looking to run the slapd process in the foreground on a Unix
> system, so I can be notified immediately if it dies...
>
> Looking at the usage of the "start-slapd" command:
> usage: ns-slapd -D instancedir [-d debuglevel] [-i pidlogfile] [-v] [-V]
>
> There's no real guidance as to how the -d option works (i.e. what levels
> it supports), but experimentally, we've determined that -d 0 will run
> the process and not fork/exit into the background. Is this behavior
> known, and should we count on it?
Yes.
> Is there a better way to get the
> slapd to stay in the foreground?
No, that's it.
> Finally, what debug levels are
> available, and what do they mean?
>
http://directory.fedora.redhat.com/wiki/FAQ#Troubleshooting
> Thanks!
>

From daves at wavesco.com Fri Jan 19 04:21:27 2007
From: daves at wavesco.com (David J. Schnardthorst)
Date: Thu, 18 Jan 2007 22:21:27 -0600
Subject: [Fedora-directory-users] Replication Errors
In-Reply-To: <45AF9211.5060205@redhat.com>
References: <45AEE3AF.5050001@wavesco.com> <45AF9211.5060205@redhat.com>
Message-ID: <45B04747.8000100@wavesco.com>

The replication schedule is set to All Days and is to take place between 00:00 and 23:59. I changed it to keep in sync and now all is working properly. Thanks for pointing me in the right direction.

David Schnardthorst
http://www.wavesco.com

Richard Megginson wrote:
> David J. Schnardthorst wrote:
>> I am having issues with replication and need some assistance. I have
>> setup multi-master replication using the mmr.pl script. However,
>> replication is not occurring. I show the following messages in my LDAP
>> error log.
>> >> [14/Jan/2007:01:02:49 -0600] - Fedora-Directory/1.0.2 B2006.060.1928 >> starting up >> [15/Jan/2007:00:00:00 -0600] NSMMReplicationPlugin - >> agmt="cn="Replication to xxxxxx.com"" (xxxxxx:389): Incremental >> protocol: event update_window_opened should not occur in state >> wait_for_changes >> [16/Jan/2007:00:00:00 -0600] NSMMReplicationPlugin - >> agmt="cn="Replication to xxxxxx.com"" (xxxxxx:389): Incremental >> protocol: event update_window_opened should not occur in state >> wait_for_changes >> >> Any thoughts would be greatly appreciated. > What is your replication schedule? > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From mj at sci.fi Fri Jan 19 16:21:44 2007 From: mj at sci.fi (Mike Jackson) Date: Fri, 19 Jan 2007 18:21:44 +0200 Subject: [Fedora-directory-users] Slapd command line usage In-Reply-To: <20070118221039.GB31152@zelda.vigilantsw.com> References: <20070118221039.GB31152@zelda.vigilantsw.com> Message-ID: <45B0F018.8030401@sci.fi> Mike Mueller wrote: > Hi all. > > I am looking to run the slapd process in the foreground on a Unix > system, so I can be notified immediately if it dies... > > Looking at the usage of the "start-slapd" command: > usage: ns-slapd -D instancedir [-d debuglevel] [-i pidlogfile] [-v] [-V] > > There's no real guidance as to how the -d option works (i.e. what levels > it supports), but experimentally, we've determined that -d 0 will run > the process and not fork/exit into the background. Is this behavior > known, and should we count on it? Is there a better way to get the > slapd to stay in the foreground? Finally, what debug levels are > available, and what do they mean? > > Thanks! 
>
See this howto I wrote for details about running in the foreground:
http://directory.fedora.redhat.com/wiki/Howto:Daemontools

And with daemontools, it will be restarted immediately if it dies.

Mike

--
http://www.netauth.com - LDAP Directory Consulting

From GCopeland at efjohnson.com Fri Jan 19 16:39:43 2007
From: GCopeland at efjohnson.com (Greg Copeland)
Date: Fri, 19 Jan 2007 10:39:43 -0600
Subject: [Fedora-directory-users] Custom New User Template in GUI?
Message-ID: <273A72C669F45B4996896A031B88CCEF49843D@EFJDFWMX01.EFJDFW.local>

For every user I add, I wind up having to customize. Does the GUI use a template for new user creation which would allow me to customize the template, thereby easing user creation?

What about automatic uid/gid calculation?

Best Regards,
Greg Copeland

From rmeggins at redhat.com Fri Jan 19 16:41:29 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 19 Jan 2007 09:41:29 -0700
Subject: [Fedora-directory-users] Custom New User Template in GUI?
In-Reply-To: <273A72C669F45B4996896A031B88CCEF49843D@EFJDFWMX01.EFJDFW.local>
References: <273A72C669F45B4996896A031B88CCEF49843D@EFJDFWMX01.EFJDFW.local>
Message-ID: <45B0F4B9.5020700@redhat.com>

Greg Copeland wrote:
>
> For every user I add, I wind up having to customize. Does the GUI use
> a template for new user creation which would allow me to customize the
> template, thereby easing user creation?
>
Are you talking about the java console or the web UI? If the former, you'll have to write some java code. If the latter, look for the gateway customization guide.
>
> What about automatic uid/gid calculation?
>
There is work going on right now to have that done via a plug-in.
> > > > > > Best Regards, > > > > Greg Copeland > > > > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From bkyoung at gmail.com Tue Jan 23 21:20:02 2007 From: bkyoung at gmail.com (Brandon Young) Date: Tue, 23 Jan 2007 15:20:02 -0600 Subject: [Fedora-directory-users] group mapping issue Message-ID: <824ffea00701231320q4281760fk4cff350ca62560d9@mail.gmail.com> I have recently attempted to set up a Fedora Directory Server for evaluation as a replacement for NIS. Overall, the set up process was pretty painless. I spent some time reading the Installation Guide, Administrator's Guide, and Deployment Guide beforehand. Additionally, I tracked down this wonderful guide (http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html) which seemed like exactly what I needed. I am trying to (ultimately) set up a directory service which provides user authentication for Linux and OS X clients. The problem I have run in to is the following: when I issue the command `ls`, I see the following: ~$ ls -l total 1 drwxr-xr-x 2 bky 1676 336 Jan 23 09:12 Desktop drwxr-xr-x 4 bky 1676 216 Jan 17 10:24 Documents drwx------ 19 bky 1676 544 Jan 22 12:19 Library drwxr-xr-x 2 bky 1676 48 Jan 17 08:33 Movies drwxr-xr-x 3 bky 1676 72 Jan 17 09:45 Music drwxr-xr-x 2 bky 1676 48 Jan 17 08:30 Pictures drwxrwxr-x 2 bky 1676 96 Dec 20 14:29 bin drwxrwxr-x 3 bky 1676 72 Dec 20 15:53 svn drwxr-xr-x 2 bky 1676 48 Jan 17 09:48 vmware ~$ if I issue the 'groups' command for the user, it tells me: # groups bky id: cannot find name for group ID 1676 # So, it seems obvious to me that group mappings are not configured correctly. 
On the client side, I am using a CentOS 4.4 machine, configured to use ldap using system-config-authentication, and further tweaking /etc/ldap.conf values for nss_base_passwd, nss_base_shadow, and nss_base_group. Further, in digging through the mailing list archives I found a suggestion to make sure pam_member_attribute was set to uniqueMember -- which I tried, to no avail. I also tried starting nscd which does not fix it (but I didn't really feel like that was the problem, anyway).

I will further mention here that the ldap-client package is installed and I have not tried to configure SSL or TLS, yet.

So, with that in mind ... what very obvious thing am I missing? Has anyone seen and resolved this issue for themselves? Any help would be greatly appreciated.

--
Brandon

From gholbert at broadcom.com Tue Jan 23 22:26:17 2007
From: gholbert at broadcom.com (George Holbert)
Date: Tue, 23 Jan 2007 14:26:17 -0800
Subject: [Fedora-directory-users] group mapping issue
In-Reply-To: <824ffea00701231320q4281760fk4cff350ca62560d9@mail.gmail.com>
References: <824ffea00701231320q4281760fk4cff350ca62560d9@mail.gmail.com>
Message-ID: <45B68B89.3040809@broadcom.com>

This means the client can't find any group objects in your LDAP directory that have gidNumber=1676. Have you loaded your group data into the directory?

Try this on one of your LDAP clients:

# getent group 1676

Then, see what search this generates on the LDAP server by looking at the access log.

You could also test with a manual ldapsearch, e.g.:

# ldapsearch -x -h ldap.example.com -D -b dc=example,dc=com '(&(objectClass=posixGroup)(gidNumber=1676))'

Brandon Young wrote:
> I have recently attempted to set up a Fedora Directory Server for
> evaluation as a replacement for NIS. Overall, the set up process was
> pretty painless. I spent some time reading the Installation Guide,
> Administrator's Guide, and Deployment Guide beforehand.
Additionally, > I tracked down this wonderful guide > (http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html) > which seemed like exactly what I needed. > > I am trying to (ultimately) set up a directory service which provides > user authentication for Linux and OS X clients. > > The problem I have run in to is the following: when I issue the > command `ls`, I see the following: > ~$ ls -l > total 1 > drwxr-xr-x 2 bky 1676 336 Jan 23 09:12 Desktop > drwxr-xr-x 4 bky 1676 216 Jan 17 10:24 Documents > drwx------ 19 bky 1676 544 Jan 22 12:19 Library > drwxr-xr-x 2 bky 1676 48 Jan 17 08:33 Movies > drwxr-xr-x 3 bky 1676 72 Jan 17 09:45 Music > drwxr-xr-x 2 bky 1676 48 Jan 17 08:30 Pictures > drwxrwxr-x 2 bky 1676 96 Dec 20 14:29 bin > drwxrwxr-x 3 bky 1676 72 Dec 20 15:53 svn > drwxr-xr-x 2 bky 1676 48 Jan 17 09:48 vmware > ~$ > > > if I issue the 'groups' command for the user, it tells me: > > # groups bky > id: cannot find name for group ID 1676 > # > > So, it seems obvious to me that group mappings are not configured > correctly. On the client side, I am using a CentOS 4.4 machine, > configured to use ldap using system-config-authentication, and further > tweaking /etc/ldap.conf values for nss_base_passwd, nss_base_shadow, > and nss_base_group. Further, in digging through the mailing list > archives I found a suggestion to make sure pam_member_attribute was > set to uniqueMember -- which I tried, to no avail. I also tried > starting nscd which does not fix it (but I didn't really feel like > that was the problem, anyway). > > I will further mention here that the ldap-client package is installed > and I have not tried to configure SSL or TLS, yet. > > So, with that in mind ... what very obvious thing am I missing? Has > anyone seen and resolved this issue for themselves? Any help would be > greatly appreciated. 
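George's filter `(&(objectClass=posixGroup)(gidNumber=1676))` is the check that matters: nss_ldap resolves a gid by searching for posixGroup entries, so a group created with only groupOfUniqueNames (no posixGroup objectClass, hence no gidNumber) is invisible to `groups` and `ls` no matter who its members are. The following is an added example, not code from the thread or from Fedora Directory Server, that runs the same check offline over a constructed LDIF dump of the kind `ldapsearch -x -b dc=example,dc=com` prints, and goes a little beyond the reply by also listing group entries that lack posixGroup and users whose primary gidNumber matches no posixGroup at all. The entries, DNs and numbers are made up, and the LDIF reader is deliberately minimal (it handles folded continuation lines but not base64 `::` values).

```python
# Constructed LDIF, shaped like ldapsearch output: one user, one group created
# through the console with only groupOfUniqueNames (the situation in the
# thread) and one group that also carries posixGroup and a gidNumber.
SAMPLE_LDIF = """\
dn: uid=bky,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
uid: bky
uidNumber: 1676
gidNumber: 1676

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: staff
uniqueMember: uid=bky,ou=People,dc=example,dc=com

dn: cn=dev,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
cn: dev
gidNumber: 2000
memberUid: bky
"""


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of {attribute: [values]} dicts.

    Attribute names are lower-cased so lookups are case-insensitive, as
    they are in LDAP.  Entries are separated by blank lines; a line starting
    with a single space continues the previous line.  Base64 '::' values
    are not decoded (assumption: none in the sample).
    """
    entries, current, lines = [], {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def object_classes(entry):
    return {v.lower() for v in entry.get("objectclass", [])}


def groups_for_gid(entries, gid):
    """The same question as getent group / the ldapsearch filter in the reply:
    DNs of posixGroup entries whose gidNumber equals gid."""
    return [e["dn"][0] for e in entries
            if "posixgroup" in object_classes(e)
            and str(gid) in e.get("gidnumber", [])]


def groups_missing_posixgroup(entries):
    """Group entries that NSS cannot see because they lack posixGroup."""
    return [e["dn"][0] for e in entries
            if object_classes(e) & {"groupofuniquenames", "groupofnames"}
            and "posixgroup" not in object_classes(e)]


def dangling_primary_gids(entries):
    """(uid, gidNumber) pairs whose primary gid resolves to no posixGroup:
    exactly what produces 'cannot find name for group ID' on the client."""
    out = []
    for e in entries:
        if "posixaccount" in object_classes(e):
            for gid in e.get("gidnumber", []):
                if not groups_for_gid(entries, gid):
                    out.append((e["uid"][0], gid))
    return out


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("posixGroup with gidNumber 1676:", groups_for_gid(entries, 1676))
    print("groups without posixGroup:", groups_missing_posixgroup(entries))
    print("users with unresolvable primary gid:", dangling_primary_gids(entries))
```

Run against a real dump, the second list is the set of groups that need the posixGroup objectClass (and a gidNumber) added, which is the fix Brandon arrives at later in the thread.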
From bkyoung at gmail.com Tue Jan 23 22:30:58 2007
From: bkyoung at gmail.com (Brandon Young)
Date: Tue, 23 Jan 2007 16:30:58 -0600
Subject: [Fedora-directory-users] Fwd: group mapping issue
In-Reply-To: <824ffea00701231320q4281760fk4cff350ca62560d9@mail.gmail.com>
References: <824ffea00701231320q4281760fk4cff350ca62560d9@mail.gmail.com>
Message-ID: <824ffea00701231430m120cff16nede4535158f9de5f@mail.gmail.com>

Alright, I solved the problem. And for the sake of others who may follow in my wake, here's the answer:

When you create the group, you must add the objectclass type posixGroup (which then allows you to define the group number, which is where you get the gid to group name mapping).

1. Open Directory Server Console
2. Click the Directory tab
3. Expand your base dn
4. Highlight Groups
5. In the right pane, right click and select add group
6. Click the advanced tab
7. Click in one of the fields where it says Object class (top or groupofuniquenames)
8. Click Add Value
9. Select posixGroup, then OK
10. Now you have a field gidnumber, which you can fill in.

I'm sure there's a good reason why this isn't included by default during group creation, but I can't think of it right now. I suppose it would be kind of a pain if you weren't trying to create a posix group but were required to provide such information as gidnumber.

---------- Forwarded message ----------
From: Brandon Young
Date: Jan 23, 2007 3:20 PM
Subject: group mapping issue
To: Fedora-directory-users at redhat.com

I have recently attempted to set up a Fedora Directory Server for evaluation as a replacement for NIS. Overall, the set up process was pretty painless. I spent some time reading the Installation Guide, Administrator's Guide, and Deployment Guide beforehand. Additionally, I tracked down this wonderful guide (http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html) which seemed like exactly what I needed.
I am trying to (ultimately) set up a directory service which provides user authentication for Linux and OS X clients. The problem I have run in to is the following: when I issue the command `ls`, I see the following: ~$ ls -l total 1 drwxr-xr-x 2 bky 1676 336 Jan 23 09:12 Desktop drwxr-xr-x 4 bky 1676 216 Jan 17 10:24 Documents drwx------ 19 bky 1676 544 Jan 22 12:19 Library drwxr-xr-x 2 bky 1676 48 Jan 17 08:33 Movies drwxr-xr-x 3 bky 1676 72 Jan 17 09:45 Music drwxr-xr-x 2 bky 1676 48 Jan 17 08:30 Pictures drwxrwxr-x 2 bky 1676 96 Dec 20 14:29 bin drwxrwxr-x 3 bky 1676 72 Dec 20 15:53 svn drwxr-xr-x 2 bky 1676 48 Jan 17 09:48 vmware ~$ if I issue the 'groups' command for the user, it tells me: # groups bky id: cannot find name for group ID 1676 # So, it seems obvious to me that group mappings are not configured correctly. On the client side, I am using a CentOS 4.4 machine, configured to use ldap using system-config-authentication, and further tweaking /etc/ldap.conf values for nss_base_passwd, nss_base_shadow, and nss_base_group. Further, in digging through the mailing list archives I found a suggestion to make sure pam_member_attribute was set to uniqueMember -- which I tried, to no avail. I also tried starting nscd which does not fix it (but I didn't really feel like that was the problem, anyway). I will further mention here that the ldap-client package is installed and I have not tried to configure SSL or TLS, yet. So, with that in mind ... what very obvious thing am I missing? Has anyone seen and resolved this issue for themselves? Any help would be greatly appreciated. 
-- Brandon -- Brandon From koniczynek at uaznia.net Wed Jan 24 14:03:26 2007 From: koniczynek at uaznia.net (=?ISO-8859-2?Q?Micha=B3_Dro=BCdziewicz?=) Date: Wed, 24 Jan 2007 15:03:26 +0100 Subject: [Fedora-directory-users] SSL Certs without password Message-ID: <45B7672E.1080402@uaznia.net> Hello, I know how to generate certs with passwords, but this results in password prompt at server startup and reboot. Is there a way to generate SSL certificate without password? -- xmpp/email: koniczynek at uaznia.net xmpp/email: koniczynek at gmail.com From rmeggins at redhat.com Wed Jan 24 14:03:47 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 24 Jan 2007 07:03:47 -0700 Subject: [Fedora-directory-users] SSL Certs without password In-Reply-To: <45B7672E.1080402@uaznia.net> References: <45B7672E.1080402@uaznia.net> Message-ID: <45B76743.2040301@redhat.com> Micha? Dro?dziewicz wrote: > Hello, > I know how to generate certs with passwords, but this results in > password prompt at server startup and reboot. Is there a way to > generate SSL certificate without password? NSS always requires a password in order to unlock your server key. See the shell script at http://directory.fedora.redhat.com/wiki/Howto:SSL#Script for an example of how to create a password file. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rcritten at redhat.com Wed Jan 24 14:17:09 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 24 Jan 2007 09:17:09 -0500 Subject: [Fedora-directory-users] SSL Certs without password In-Reply-To: <45B76743.2040301@redhat.com> References: <45B7672E.1080402@uaznia.net> <45B76743.2040301@redhat.com> Message-ID: <45B76A65.1000601@redhat.com> Richard Megginson wrote: > Micha? 
Dro?dziewicz wrote: >> Hello, >> I know how to generate certs with passwords, but this results in >> password prompt at server startup and reboot. Is there a way to >> generate SSL certificate without password? > NSS always requires a password in order to unlock your server key. See > the shell script at > http://directory.fedora.redhat.com/wiki/Howto:SSL#Script for an example > of how to create a password file. Actually, a password isn't required by NSS. To change an existing database to a NULL password use the modutil command. Its syntax is slightly different from the other NSS utilities but it has a decent help output if you don't get it quite right. To change an existing database to be a blank password: % modutil -dbdir /opt/fedora-ds/alias -dbprefix slapd-foo- -changepw "NSS Certificate DB" Enter the old password then press Enter twice for the new password to blank it out. To generate a new database with a blank password with certutil do something like: % certutil -N -d /opt/fedora-ds/alias -P slapd-foo- Press Enter twice. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From koniczynek at uaznia.net Wed Jan 24 14:56:36 2007 From: koniczynek at uaznia.net (=?ISO-8859-2?Q?Micha=B3_Dro=BCdziewicz?=) Date: Wed, 24 Jan 2007 15:56:36 +0100 Subject: [Fedora-directory-users] SSL Certs without password In-Reply-To: <45B76A65.1000601@redhat.com> References: <45B7672E.1080402@uaznia.net> <45B76743.2040301@redhat.com> <45B76A65.1000601@redhat.com> Message-ID: <45B773A4.4010402@uaznia.net> Rob Crittenden napisa?(a): > % modutil -dbdir /opt/fedora-ds/alias -dbprefix slapd-foo- -changepw > "NSS Certificate DB" > > Enter the old password then press Enter twice for the new password to > blank it out. 
This is what I need and it works perfectly, thanks :)

--
xmpp/email: koniczynek at uaznia.net
xmpp/email: koniczynek at gmail.com

From rmeggins at redhat.com Wed Jan 24 15:19:58 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 24 Jan 2007 08:19:58 -0700
Subject: [Fedora-directory-users] SSL Certs without password
In-Reply-To: <45B773A4.4010402@uaznia.net>
References: <45B7672E.1080402@uaznia.net> <45B76743.2040301@redhat.com> <45B76A65.1000601@redhat.com> <45B773A4.4010402@uaznia.net>
Message-ID: <45B7791E.3010104@redhat.com>

Michał Drożdziewicz wrote:
> Rob Crittenden wrote:
>> % modutil -dbdir /opt/fedora-ds/alias -dbprefix slapd-foo- -changepw
>> "NSS Certificate DB"
>>
>> Enter the old password, then press Enter twice for the new password to
>> blank it out.
> This is what I need and it works perfectly, thanks :)
Thanks Rob. I added this - http://directory.fedora.redhat.com/wiki/Howto:SSL#How_to_remove_the_key.2Fcert_password

From oscar.valdez at duraflex.com.sv Thu Jan 25 15:45:09 2007
From: oscar.valdez at duraflex.com.sv (Oscar A. Valdez)
Date: Thu, 25 Jan 2007 09:45:09 -0600
Subject: [Fedora-directory-users] Admin console's default view is empty
Message-ID: <1169739910.2326.20.camel@wzowski.duraflex.com.sv>

I'm running fedora-ds-1.0.4 on FC5. The server starts normally with /opt/fedora-ds/slapd-pendragon/start-slapd, and serves LDAP queries normally. However, when I start-admin or restart-admin, and then startconsole (with the J2RE properly in my $PATH), I can log into the console, but its "Servers and Applications" tab is empty. The admin-serv logs don't record anything out of the ordinary.

I'd appreciate help in getting my console back to work.

--
Oscar A. Valdez
Industrias Duraflex, S.A. de C.V.
From rmattier at Endeca.com Thu Jan 25 16:52:26 2007
From: rmattier at Endeca.com (Ricardo Mattier)
Date: Thu, 25 Jan 2007 11:52:26 -0500
Subject: [Fedora-directory-users] Ldap newbie
Message-ID:

Hello,

I'm pretty new to LDAP. I have installed Fedora Directory Server on RHEL4. I currently have a NIS server I would like to convert to LDAP. Also, I would like to know how to configure a client to authenticate to my LDAP server. What would be the prerequisites for doing so?

find / analyze / understand

From heath at a5.com Thu Jan 25 18:28:05 2007
From: heath at a5.com (Heath Henderson)
Date: Thu, 25 Jan 2007 12:28:05 -0600
Subject: [Fedora-directory-users] FDS and phpLDAPadmin
Message-ID:

I am new to LDAP and more specifically FDS. I had an OpenLDAP server set up a year or so ago which I used an older version of phpldapadmin with. It seemed to work without too much trouble, but I can't seem to get either FDS or OpenLDAP working with phpldapadmin.

I found some information in the list archives as well as other places, but my problem seems to still exist.

The error I get from phpLDAPadmin:

Could not determine the root of your LDAP tree.
It appears that the LDAP server has been configured to not reveal its root.
Please specify it in config.php

I would really like to use FDS and have it running what I consider very well. I am not able to get this plugged into it and I really don't know enough yet on where to look to configure either FDS to reveal its root or phpldapadmin to know what the rootDSE is set to.

Any help would be great. I have read the docs, but just need a little push in the right direction.
--
Heath Henderson
System Support Engineer
heath at gaggle.net
1800 288 7750
--

From koippa at gmail.com Thu Jan 25 19:43:32 2007
From: koippa at gmail.com (Kimmo Koivisto)
Date: Thu, 25 Jan 2007 21:43:32 +0200
Subject: [Fedora-directory-users] FDS and phpLDAPadmin
In-Reply-To:
References:
Message-ID: <200701252143.32452.koippa@gmail.com>

On Thursday 25 January 2007 20:28, Heath Henderson wrote:
> I am new to LDAP and more specifically FDS. I had an OpenLDAP server setup
> a year or so ago which I used an older version of phpldapadmin with. It
> seemed to work without too much trouble, but I can't seem to get either FDS
> or OpenLDAP working with phpldapadmin.
>
> I found some information in the list archives as well as other places, but
> my problem seems to be still existing.
>
> The error I get from phpLDAPadmin
>
> Could not determine the root of your LDAP tree.
> It appears that the LDAP server has been configured to not reveal its root.
> Please specify it in config.php

In PLA you have config.php, where you can define your base as follows:

$ldapservers->SetValue($i,'server','base',array('dc=your,dc=base'));

Best Regards
Kimmo Koivisto

From patrick.morris at hp.com Thu Jan 25 19:44:07 2007
From: patrick.morris at hp.com (Patrick Morris)
Date: Thu, 25 Jan 2007 11:44:07 -0800
Subject: [Fedora-directory-users] FDS and phpLDAPadmin
In-Reply-To:
References:
Message-ID: <20070125194407.GH11333@pmorris.usa.hp.com>

On Thu, 25 Jan 2007, Heath Henderson wrote:
> I am new to LDAP and more specifically FDS. I had an OpenLDAP server setup
> a year or so ago which I used an older version of phpldapadmin with. It
> seemed to work without too much trouble, but I can't seem to get either FDS
> or OpenLDAP working with phpldapadmin.
>
> I found some information in the list archives as well as other places, but
> my problem seems to be still existing.
>
> The error I get from phpLDAPadmin
>
> Could not determine the root of your LDAP tree.
> It appears that the LDAP server has been configured to not reveal its root.
> Please specify it in config.php
>
>
> I would really like to use FDS and have it running what I consider very
> well. I am not able to get this plugged into it and I really don't know
> enough yet on where to look to configure either FDS to reveal its root or
> phpldapadmin to know what the rootDSE is set to?

In your phpLDAPadmin config, you need to set this:

/* Array of base DNs of your LDAP server. Leave this blank to have
 * phpLDAPadmin auto-detect it for you. */
// $ldapservers->SetValue($i,'server','base',array(''));

It should be an array of the DNs you want to appear there.

From heath at a5.com Thu Jan 25 20:37:59 2007
From: heath at a5.com (Heath Henderson)
Date: Thu, 25 Jan 2007 14:37:59 -0600
Subject: [Fedora-directory-users] FDS and phpLDAPadmin
In-Reply-To: <20070125194407.GH11333@pmorris.usa.hp.com>
Message-ID:

Thanks, I had tried this last night, but will give it another go today. At least I know I was in the right place.

--
Heath Henderson
heath at a5.com
--

> From: Patrick Morris
> Reply-To: "General discussion list for the Fedora Directory server project."
> Date: Thu, 25 Jan 2007 11:44:07 -0800
> To: "General discussion list for the Fedora Directory server project."
> Subject: Re: [Fedora-directory-users] FDS and phpLDAPadmin
>
> On Thu, 25 Jan 2007, Heath Henderson wrote:
>
>> I am new to LDAP and more specifically FDS. I had an OpenLDAP server setup
>> a year or so ago which I used an older version of phpldapadmin with. It
>> seemed to work without too much trouble, but I can't seem to get either FDS
>> or OpenLDAP working with phpldapadmin.
>>
>> I found some information in the list archives as well as other places, but
>> my problem seems to be still existing.
>>
>> The error I get from phpLDAPadmin
>>
>> Could not determine the root of your LDAP tree.
>> It appears that the LDAP server has been configured to not reveal its root.
>> Please specify it in config.php
>>
>>
>> I would really like to use FDS and have it running what I consider very
>> well. I am not able to get this plugged into it and I really don't know
>> enough yet on where to look to configure either FDS to reveal its root or
>> phpldapadmin to know what the rootDSE is set to?
>
> In your phpLDAPadmin config, you need to set this:
>
> /* Array of base DNs of your LDAP server. Leave this blank to have
> * phpLDAPadmin auto-detect it for you. */
> // $ldapservers->SetValue($i,'server','base',array(''));
>
> It should be an array of the DNs you want to appear there.

From capareci at uol.com.br Fri Jan 26 12:15:23 2007
From: capareci at uol.com.br (Renato Ribeiro da Silva)
Date: Fri, 26 Jan 2007 10:15:23 -0200
Subject: [Fedora-directory-users] CPU utilization
Message-ID:

I'm having questions about CPU utilization of Directory Server. The process ns-slapd takes 99.9% of CPU almost all the time. Is there any way to know why this is happening? Is there any performance counter (DS Console) that can show me the answer? Is it possible to know the apps that are using the Directory at this moment?

Best Regards,
Renato

> David J. Schnardthorst wrote:
> > I am having issues with replication and need some assistance. I have
> > setup multi-master replication using the mmr.pl script. However,
> > replication is not occurring. I show the following messages in my LDAP
> > error log.
> >
> > [14/Jan/2007:01:02:49 -0600] - Fedora-Directory/1.0.2 B2006.060.1928
> > starting up
> > [15/Jan/2007:00:00:00 -0600] NSMMReplicationPlugin -
> > agmt="cn="Replication to xxxxxx.com"" (xxxxxx:389): Incremental
> > protocol: event update_window_opened should not occur in state
> > wait_for_changes
> > [16/Jan/2007:00:00:00 -0600] NSMMReplicationPlugin -
> > agmt="cn="Replication to xxxxxx.com"" (xxxxxx:389): Incremental
> > protocol: event update_window_opened should not occur in state
> > wait_for_changes
> >
> > Any thoughts would be greatly appreciated.
> What is your replication schedule?

From capareci at uol.com.br Fri Jan 26 12:18:25 2007
From: capareci at uol.com.br (Renato Ribeiro da Silva)
Date: Fri, 26 Jan 2007 10:18:25 -0200
Subject: [Fedora-directory-users] CPU utilization
Message-ID:

I'm having questions about CPU utilization of Directory Server. The process ns-slapd takes 99.9% of CPU almost all the time. Is there any way to know why this is happening? Is there any performance counter (DS Console) that can show me the answer? Is it possible to know the apps that are using the Directory at this moment?

Best Regards,
Renato

From Andreas.Kasenides at cs.ucy.ac.cy Fri Jan 26 12:38:24 2007
From: Andreas.Kasenides at cs.ucy.ac.cy (Andreas Kasenides)
Date: Fri, 26 Jan 2007 14:38:24 +0200
Subject: [Fedora-directory-users] LAM with FDS
In-Reply-To:
References:
Message-ID: <45B9F640.6080606@cs.ucy.ac.cy>

The LDAP Account Manager (LAM) is a nifty application for doing LDAP user management (http://lam.sourceforge.net/) with some nice features that make life easy. Has anyone attempted to modify it for use on the FDS? Apparently it requires the existence of the samba schema in the LDAP server to function (which is not at all necessary, at least in my case).
thanks for any help
Andreas Kasenides

From kevin.mccarthy at teligent.co.uk Fri Jan 26 12:30:44 2007
From: kevin.mccarthy at teligent.co.uk (Kevin McCarthy)
Date: Fri, 26 Jan 2007 12:30:44 -0000
Subject: [Fedora-directory-users] Request for any additional live experience issues with Fedora Multi-Master replication...
Message-ID: <02c001c74145$ccf20370$eb90a8c0@teligent.org>

Dear All,

After a successful c. 3 month trial period of using Multi-Master (*4) replication (RHEL4) on our test networks we are planning to progress to live operation in the near term. Since this trial went a little too well (healthy paranoia!?) I would welcome any feedback with respect to other users' experiences with live operation, for example:

1) Your preferred approach to replacing a Master DS after underlying hardware failure, in terms of ensuring that recovery from the other three Masters is indeed achieved in a very timely manner (e.g. usage of any variants on forced replication updates?).

2) Replication degradation and eventual recovery where the intermediate network links degrade appreciably or are completely lost for a significant period, before returning and allowing the replication to recover.

Thanks in advance!

Regards,
Kevin

From pengle at rice.edu Fri Jan 26 13:59:25 2007
From: pengle at rice.edu (Paul Engle)
Date: Fri, 26 Jan 2007 07:59:25 -0600
Subject: [Fedora-directory-users] CPU utilization
In-Reply-To:
References:
Message-ID:

We were seeing similar CPU utilization recently. The problem turned out to be a lack of indexes. The web app for looking up people had changed recently and was doing substring matches on two attributes that were not indexed at all, much less for substrings. Once I created the indexes, CPU utilization dropped from 99% to under 2%.
You might check your access logs to see what sorts of searches are being done and confirm that you have indexes in place to speed things up.

-paul

--On Friday, January 26, 2007 10:18:25 AM -0200 Renato Ribeiro da Silva wrote:
> I'm having questions about CPU utilization of Directory Server. The
> process ns-slapd take 99.9% of CPU almost all the time. Is there any way
> to know why this is happening? Any performance counter ( DS Console ) can
> show me the answer ? Is is possible to know the apps that are using the
> Directory in this moment ?
>
> Best Regards,
> Renato

--
Paul D. Engle | Rice University
Sr. Systems Administrator | Information Technology - MS119
(713) 348-4702 | P.O. Box 1892
pengle at rice.edu | Houston, TX 77251-1892

From ABliss at preferredcare.org Fri Jan 26 14:08:12 2007
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Fri, 26 Jan 2007 09:08:12 -0500
Subject: [Fedora-directory-users] CPU utilization
In-Reply-To:
References:
Message-ID:

I had this same problem; it turned out that one of our analysts had a bad piece of code that was constantly querying the directory server for a username and password...

Aaron

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Renato Ribeiro da Silva
Sent: Friday, January 26, 2007 7:18 AM
To: fedora-directory-users
Subject: [Fedora-directory-users] CPU utilization

I'm having questions about CPU utilization of Directory Server. The process ns-slapd takes 99.9% of CPU almost all the time. Is there any way to know why this is happening?
Is there any performance counter (DS Console) that can show me the answer? Is it possible to know the apps that are using the Directory at this moment?

Best Regards,
Renato

From rmeggins at redhat.com Fri Jan 26 14:40:57 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 26 Jan 2007 07:40:57 -0700
Subject: [Fedora-directory-users] CPU utilization
In-Reply-To:
References:
Message-ID: <45BA12F9.8090505@redhat.com>

Renato Ribeiro da Silva wrote:
> I'm having questions about CPU utilization of Directory Server. The process ns-slapd takes 99.9% of CPU almost all the time. Is there any way to know why this is happening? Is there any performance counter (DS Console) that can show me the answer? Is it possible to know the apps that are using the Directory at this moment?
>
There is a lot of monitoring that can be done. I don't believe there is any way to know which apps are using the Directory, unless you use a unique combination of IP address and/or bind DN for each app. See http://www.redhat.com/docs/manuals/dir-server/ag/7.1/dsstats.html#996824 and especially http://www.redhat.com/docs/manuals/dir-server/ag/7.1/dsstats.html#1004977
> Best Regards,
> Renato
>
>
>> David J. Schnardthorst wrote:
>>
>>> I am having issues with replication and need some assistance.
>>> I have
>>> setup multi-master replication using the mmr.pl script. However,
>>> replication is not occurring. I show the following messages in my LDAP
>>> error log.
>>>
>>> [14/Jan/2007:01:02:49 -0600] - Fedora-Directory/1.0.2 B2006.060.1928
>>> starting up
>>> [15/Jan/2007:00:00:00 -0600] NSMMReplicationPlugin -
>>> agmt="cn="Replication to xxxxxx.com"" (xxxxxx:389): Incremental
>>> protocol: event update_window_opened should not occur in state
>>> wait_for_changes
>>> [16/Jan/2007:00:00:00 -0600] NSMMReplicationPlugin -
>>> agmt="cn="Replication to xxxxxx.com"" (xxxxxx:389): Incremental
>>> protocol: event update_window_opened should not occur in state
>>> wait_for_changes
>>>
>>> Any thoughts would be greatly appreciated.
>>>
>> What is your replication schedule?
>>
>>

From david_list at boreham.org Fri Jan 26 15:27:48 2007
From: david_list at boreham.org (David Boreham)
Date: Fri, 26 Jan 2007 08:27:48 -0700
Subject: [Fedora-directory-users] CPU utilization
In-Reply-To:
References:
Message-ID: <45BA1DF4.6070203@boreham.org>

Renato Ribeiro da Silva wrote:
>I'm having questions about CPU utilization of Directory Server. The process ns-slapd takes 99.9% of CPU almost all the time. Is there any way to know why this is happening? Is there any performance counter (DS Console) that can show me the answer? Is it possible to know the apps that are using the Directory at this moment?
>
>
Look in the access log. If there is an application loading the server then its operations will show up in quantity in the log. Also try running the 'pstack' command on the slapd process.
This will give you a stack trace for where the CPU is being burned, which in turn may indicate the cause.

From edlinuxguru at gmail.com Sat Jan 27 18:38:09 2007
From: edlinuxguru at gmail.com (Eddie C)
Date: Sat, 27 Jan 2007 13:38:09 -0500
Subject: [Fedora-directory-users] CPU utilization
In-Reply-To: <45BA1DF4.6070203@boreham.org>
References: <45BA1DF4.6070203@boreham.org>
Message-ID:

The best way to handle performance issues is to look in the access log for notes=U. These are unindexed searches. It's amazing to add the index and then watch the processor move from 99% to 0%; that's what happened with one of our applications.

It is definitely a good idea to make different usernames for your different applications. If you give each application a different login it later allows you to go back and write individual ACIs. If all your applications share the same login you will eventually have to move all applications to a different user.

Here is a question for all. Does anyone know of a log tool specifically for LDAP logs? I think there are big possibilities for something like this.

Edward

On 1/26/07, David Boreham wrote:
>
> Renato Ribeiro da Silva wrote:
>
> >I'm having questions about CPU utilization of Directory Server. The
> process ns-slapd takes 99.9% of CPU almost all the time. Is there any way
> to know why this is happening? Is there any performance counter (DS Console) that can
> show me the answer? Is it possible to know the apps that are using the
> Directory at this moment?
> >
> >
> Look in the access log. If there is an application loading the server
> then its operations will show up in quantity in the log.
> Also try running the 'pstack' command on the slapd process.
> This will give you a stack trace for where the CPU is being
> burned, which in turn may indicate the cause.
>

From koniczynek at uaznia.net Mon Jan 29 10:16:29 2007
From: koniczynek at uaznia.net (Michał Drożdziewicz)
Date: Mon, 29 Jan 2007 11:16:29 +0100
Subject: [Fedora-directory-users] CPU utilization
In-Reply-To:
References: <45BA1DF4.6070203@boreham.org>
Message-ID: <45BDC97D.4000106@uaznia.net>

Eddie C wrote:
> The best way to handle performance issues is to look in the access log for
> notes=U. These are unindexed searches. It's amazing to add the index and
> then watch the processor move from 99% to 0%; that's what happened with
> one of our applications.
Could you be more specific? What does this log entry look like, and where do I turn on the indexes? I've searched the wiki but found nothing (maybe I can't find it ;) ). Any help would be appreciated :)

--
xmpp/email: koniczynek at uaznia.net
xmpp/email: koniczynek at gmail.com

From Andreas.Kasenides at cs.ucy.ac.cy Mon Jan 29 10:50:20 2007
From: Andreas.Kasenides at cs.ucy.ac.cy (Andreas Kasenides)
Date: Mon, 29 Jan 2007 12:50:20 +0200
Subject: [Fedora-directory-users] LAM and FDS
Message-ID: <45BDD16C.3080107@cs.ucy.ac.cy>

Sorry for putting this in the wrong thread. Here it goes again.

The LDAP Account Manager (LAM) is a nifty application for doing LDAP user management (http://lam.sourceforge.net/) with some nice features that make life easy. Has anyone attempted to modify it for use on the FDS? Apparently it requires the existence of the samba schema in the LDAP server to function (which is not at all necessary, at least in my case).
thanks for any help
Andreas Kasenides

From capareci at uol.com.br Mon Jan 29 11:27:49 2007
From: capareci at uol.com.br (Renato Ribeiro da Silva)
Date: Mon, 29 Jan 2007 09:27:49 -0200
Subject: [Fedora-directory-users] CPU utilization
Message-ID:

Thank you. The problem was really related to indexes. I indexed the attribute gidnumber and the CPU utilization decreased a lot.

Best Regards,
Renato.

> We were seeing similar CPU utilization recently. The problem turned out to
> be a lack of indexes. The web app for looking up people had changed
> recently and was doing substring matches on two attributes that were not
> indexed at all, much less for substrings. Once I created the indexes, CPU
> utilization dropped from 99% to under 2%. You might check your access logs
> to see what sorts of searches are being done and confirm that you have
> indexes in place to speed things up.
>
> -paul
>
> --On Friday, January 26, 2007 10:18:25 AM -0200 Renato Ribeiro da Silva
> wrote:
>
> > I'm having questions about CPU utilization of Directory Server. The
> > process ns-slapd take 99.9% of CPU almost all the time. Is there any way
> > to know why this is happening? Any performance counter ( DS Console ) can
> > show me the answer ? Is is possible to know the apps that are using the
> > Directory in this moment ?
> >
> > Best Regards,
> > Renato
>
> --
> Paul D. Engle | Rice University
> Sr. Systems Administrator | Information Technology - MS119
> (713) 348-4702 | P.O.
> Box 1892
> pengle at rice.edu | Houston, TX 77251-1892

From g.digiambelardini at fabaris.it Mon Jan 29 11:33:30 2007
From: g.digiambelardini at fabaris.it (Di Giambelardini Gabriele)
Date: Mon, 29 Jan 2007 12:33:30 +0100 (CET)
Subject: [Fedora-directory-users] set dite end time to fedora-ds
In-Reply-To:
References:
Message-ID: <42091.192.168.1.1.1170070410.squirrel@webmail2.fabaris.it>

Hi to all, I have a problem with passwordExpirationTime.
The problem is: my fedora-ds is set to "password expires after 180 days", and every user has "passwordExpirationTime: 20070807102527Z", but when I try to import, this message appears: "The error sent by the server was 'Object class violation. single-valued attribute "passwordExpirationTime" has multiple values'".
So if I delete the attribute "passwordExpirationTime" from the user, the import works fine, but the password expiration date is set automatically by fedora-ds to "19001023000000Z (or similar)".
How should I set the NTP or the right date from fedora-ds 1.0.4???
thanks to all

From jonathanschreiter at yahoo.com Mon Jan 29 13:04:33 2007
From: jonathanschreiter at yahoo.com (Jonathan Schreiter)
Date: Mon, 29 Jan 2007 05:04:33 -0800 (PST)
Subject: [Fedora-directory-users] FDS / PAM Integration Questions
Message-ID: <607182.62079.qm@web34404.mail.mud.yahoo.com>

Hi All,
I am interested in switching from MIT Kerberos5 (GSSAPI/SASL), OpenLDAP to FDS. Primarily, I'm looking for authentication and authorization for fedora / centos console logins (via PAM).
Currently I have a cron job that keeps a kerberos service principal alive to allow slapd to bind to openldap (as I've also disabled anonymous binds). I also have startTLS running w/o client authentication (just server certificates, and the local client has the CA pub cert). I then have nsswitch/pam configured to use these for console (console, ssh, etc) logins. I'm currently using the pam_sasl_mech GSSAPI and pam_groupdn features of /etc/ldap.conf (/etc/openldap/ldap.conf) to manage authorization to the local system (by pointing to a posix group dn).

I was able to set up FDS for console sessions with cleartext and nsswitch. I'm not sure which route to take in terms of locking down FDS with a pure linux environment. The straight SSL certificate approach seems to want the user to enter a password before a bind, so I'm not sure that's compatible with PAM. Is TLS a better option for this? The last option seems to be to keep Kerberos / GSSAPI, but I've read some posts where you can't easily do this. I've tried to make the SASL mapping as the docs show, but was unsuccessful.

Can anyone point me in the right direction for the best way to accomplish secure PAM / FDS integration? Any help would be greatly appreciated.

Many thanks!
Jonathan

From rmeggins at redhat.com Mon Jan 29 14:47:02 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 29 Jan 2007 07:47:02 -0700
Subject: [Fedora-directory-users] CPU utilization
In-Reply-To:
References: <45BA1DF4.6070203@boreham.org>
Message-ID: <45BE08E6.8030603@redhat.com>

Eddie C wrote:
> The best way to handle performance issues is to look in the access log
> for notes=U. These are unindexed searches. It's amazing to add the
> index and then watch the processor move from 99% to 0%; that's what
> happened with one of our applications.
>
> It is definitely a good idea to make different usernames for your
> different applications.
> If you give each application a different login
> it later allows you to go back and write individual ACIs. If all your
> applications share the same login you will eventually have to move all
> applications to a different user.
>
> Here is a question for all. Does anyone know of a log tool
> specifically for LDAP logs? I think there are big possibilities for
> something like this.
bin/slapd/admin/bin/logconv.pl can help diagnose some problems like this.
>
> Edward
>
>
>
> On 1/26/07, *David Boreham* wrote:
>
> Renato Ribeiro da Silva wrote:
>
> >I'm having questions about CPU utilization of Directory Server.
> The process ns-slapd takes 99.9% of CPU almost all the time. Is
> there any way to know why this is happening? Is there any performance
> counter (DS Console) that can show me the answer? Is it possible to
> know the apps that are using the Directory at this moment?
> >
> >
> Look in the access log. If there is an application loading the server
> then its operations will show up in quantity in the log.
> Also try running the 'pstack' command on the slapd process.
> This will give you a stack trace for where the CPU is being
> burned, which in turn may indicate the cause.
>
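The thread above (Eddie C's notes=U advice, David Boreham's "look in the access log", Richard's logconv.pl pointer and Michał's "what does this log entry look like and where do I turn on the indexes") in working form, as an added example that is not code from any list member or from the project: it pairs each SRCH with its RESULT by conn/op, reports the searches flagged notes=U together with the bind DN of the connection that issued them, and emits the index LDIF an admin would apply. The log lines, bind DNs and the userRoot backend name are constructed assumptions.

```python
"""Spot unindexed searches (notes=U) in a Fedora/389 Directory Server access log.

Added for the CPU-utilization thread; not code from any list member or the
project. SRCH lines are paired with their RESULT by conn/op, notes=U hits are
attributed to the connection's bind DN (this is where a separate bind identity
per application pays off), and an LDIF fragment indexes the offending attribute.
"""
import re
from collections import Counter

# Constructed sample lines in the access-log layout the thread refers to;
# the server marks a search that ran without an index with notes=U on its RESULT line.
SAMPLE_LOG = """\
[26/Jan/2007:10:18:25 -0200] conn=12 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[26/Jan/2007:10:18:25 -0200] conn=12 op=0 BIND dn="uid=webapp,ou=Services,dc=example,dc=com" method=128 version=3
[26/Jan/2007:10:18:25 -0200] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[26/Jan/2007:10:18:26 -0200] conn=12 op=1 SRCH base="ou=People,dc=example,dc=com" scope=2 filter="(gidNumber=500)" attrs="uid cn"
[26/Jan/2007:10:18:31 -0200] conn=12 op=1 RESULT err=0 tag=101 nentries=1 etime=5 notes=U
[26/Jan/2007:10:18:31 -0200] conn=13 fd=65 slot=65 connection from 10.0.0.7 to 10.0.0.1
[26/Jan/2007:10:18:31 -0200] conn=13 op=0 BIND dn="uid=mailrouter,ou=Services,dc=example,dc=com" method=128 version=3
[26/Jan/2007:10:18:31 -0200] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[26/Jan/2007:10:18:32 -0200] conn=13 op=1 SRCH base="ou=People,dc=example,dc=com" scope=2 filter="(mail=bob@example.com)" attrs=ALL
[26/Jan/2007:10:18:32 -0200] conn=13 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[26/Jan/2007:10:18:33 -0200] conn=12 op=2 SRCH base="ou=People,dc=example,dc=com" scope=2 filter="(&(objectClass=posixAccount)(gidNumber=501))" attrs="uid"
[26/Jan/2007:10:18:39 -0200] conn=12 op=2 RESULT err=0 tag=101 nentries=3 etime=6 notes=U
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?:op=(?P<op>\d+) )?(?P<rest>.*)$")
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=\d filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r"^RESULT err=\d+ tag=\d+ nentries=(?P<n>\d+) etime=(?P<etime>[\d.]+)"
                       r"(?: notes=(?P<flags>\S+))?")
FILTER_ATTR_RE = re.compile(r"\(([A-Za-z][\w.;-]*)[~<>]?=")  # "(attr=", "(attr>=", "(attr~="
SYSTEM_INDEXED = {"objectclass", "entrydn", "parentid", "nsuniqueid"}  # never need a user index


def parse_access_log(text):
    """Return one dict per search whose RESULT line carried notes=U."""
    bind_dn = {}   # conn -> DN of the last BIND seen on that connection
    pending = {}   # (conn, op) -> SRCH details waiting for their RESULT
    unindexed = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, rest = m.group("conn"), m.group("op"), m.group("rest")
        b = BIND_RE.match(rest)
        if b:
            bind_dn[conn] = b.group("dn") or "<anonymous>"   # dn="" is an anonymous bind
            continue
        s = SRCH_RE.match(rest)
        if s:
            pending[(conn, op)] = {"ts": m.group("ts"), "conn": conn, "op": op,
                                   "base": s.group("base"), "filter": s.group("filter"),
                                   "bind_dn": bind_dn.get(conn, "<anonymous>")}
            continue
        r = RESULT_RE.match(rest)
        if r and (conn, op) in pending:
            srch = pending.pop((conn, op))
            # notes= may carry several comma-separated flags on later releases
            if "U" in (r.group("flags") or "").split(","):
                srch["etime"] = float(r.group("etime"))
                srch["nentries"] = int(r.group("n"))
                unindexed.append(srch)
    return unindexed


def summarize(unindexed):
    """Count unindexed searches per (non-system) filter attribute and per bind DN."""
    by_attr, by_dn = Counter(), Counter()
    for s in unindexed:
        for attr in set(FILTER_ATTR_RE.findall(s["filter"])):
            if attr.lower() not in SYSTEM_INDEXED:
                by_attr[attr.lower()] += 1
        by_dn[s["bind_dn"]] += 1
    return by_attr, by_dn


def index_ldif(attr, backend="userRoot", types=("eq", "pres")):
    """LDIF adding an equality+presence index for attr. The backend name is an
    assumption (userRoot is the default); an existing database must then be
    reindexed for the attribute (db2index) before the new index is consulted."""
    lines = [f"dn: cn={attr},cn=index,cn={backend},cn=ldbm database,cn=plugins,cn=config",
             "objectClass: top", "objectClass: nsIndex", f"cn: {attr}", "nsSystemIndex: false"]
    lines += [f"nsIndexType: {t}" for t in types]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = parse_access_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} conn={h['conn']} op={h['op']} bind={h['bind_dn']} "
              f"etime={h['etime']} nentries={h['nentries']} filter={h['filter']}")
    by_attr, by_dn = summarize(hits)
    print("unindexed searches by attribute:", dict(by_attr))
    print("unindexed searches by bind DN:", dict(by_dn))
    for attr, _ in by_attr.most_common():
        print(index_ldif(attr), end="")
```

On the constructed sample both unindexed searches come from the webapp bind DN and both filter on gidNumber, which is exactly the attribute Renato ended up indexing.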
From rmeggins at redhat.com Mon Jan 29 17:41:24 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 29 Jan 2007 10:41:24 -0700
Subject: [Fedora-directory-users] set dite end time to fedora-ds
In-Reply-To: <42091.192.168.1.1.1170070410.squirrel@webmail2.fabaris.it>
References: <42091.192.168.1.1.1170070410.squirrel@webmail2.fabaris.it>
Message-ID: <45BE31C4.8020301@redhat.com>

Di Giambelardini Gabriele wrote:
> Hi to all, I have a problem with passwordExpirationTime.
> The problem is:
> my fedora-ds is set to "password expires after 180 days",
> and every user has "passwordExpirationTime: 20070807102527Z",
> but when I try to import
How are you trying to import? What command? What arguments?
> this message appears: "The error sent by the
> server was 'Object class violation. single-valued attribute
> "passwordExpirationTime" has multiple values'".
> So if I delete the attribute "passwordExpirationTime" from the user,
> the import works fine, but the password expiration date is set
> automatically by fedora-ds to "19001023000000Z (or similar)".
> How should I set the NTP or the right date from fedora-ds 1.0.4???
> thanks to all

From davea at support.kcm.org Mon Jan 29 21:45:38 2007
From: davea at support.kcm.org (Dave Augustus)
Date: Mon, 29 Jan 2007 15:45:38 -0600
Subject: [Fedora-directory-users] How can I force All users to reset their passwords on next login?
Message-ID: <1170107138.6919.8.camel@kcm40202.kcmhq.org>

Does FDS provide this feature?
From mj at sci.fi Mon Jan 29 21:37:22 2007
From: mj at sci.fi (Mike Jackson)
Date: Mon, 29 Jan 2007 23:37:22 +0200
Subject: [Fedora-directory-users] How can I force All users to reset their passwords on next login?
In-Reply-To: <1170107138.6919.8.camel@kcm40202.kcmhq.org>
References: <1170107138.6919.8.camel@kcm40202.kcmhq.org>
Message-ID: <45BE6912.7080206@sci.fi>

Dave Augustus wrote:
> Does FDS provide this feature?

On next login to what?

Mike
--
http://www.netauth.com - LDAP Directory Consulting

From davea at support.kcm.org Mon Jan 29 22:47:01 2007
From: davea at support.kcm.org (Dave Augustus)
Date: Mon, 29 Jan 2007 16:47:01 -0600
Subject: [Fedora-directory-users] How can I force All users to reset their passwords on next login?
In-Reply-To: <45BE6912.7080206@sci.fi>
References: <1170107138.6919.8.camel@kcm40202.kcmhq.org> <45BE6912.7080206@sci.fi>
Message-ID: <1170110821.6919.10.camel@kcm40202.kcmhq.org>

To set it to something that the user selects that complies with the current password policy.

Dave

On Mon, 2007-01-29 at 23:37 +0200, Mike Jackson wrote:
> Dave Augustus wrote:
> > Does FDS provide this feature?
>
> On next login to what?
>
>
> Mike

From rmeggins at redhat.com Mon Jan 29 22:50:54 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 29 Jan 2007 15:50:54 -0700
Subject: [Fedora-directory-users] How can I force All users to reset their passwords on next login?
In-Reply-To: <1170110821.6919.10.camel@kcm40202.kcmhq.org>
References: <1170107138.6919.8.camel@kcm40202.kcmhq.org> <45BE6912.7080206@sci.fi> <1170110821.6919.10.camel@kcm40202.kcmhq.org>
Message-ID: <45BE7A4E.7060902@redhat.com>

Dave Augustus wrote:
> To set it to something that the user selects that complies with the
> current password policy.

It depends. On some platforms, PAM can understand the LDAP password policy settings, and on some it cannot. Of course, this only applies to PAM logins (i.e. OS logins). I assume you mean OS login via PAM LDAP. If not, then you'll need to explain more about your app.

Fedora DS password policy supports change at login - see
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1088351

> Dave
>
> On Mon, 2007-01-29 at 23:37 +0200, Mike Jackson wrote:
>> Dave Augustus wrote:
>>> Does FDS provide this feature?
>> On next login to what?
>>
>> Mike

From dennis at ausil.us Mon Jan 29 23:06:56 2007
From: dennis at ausil.us (Dennis Gilmore)
Date: Mon, 29 Jan 2007 17:06:56 -0600
Subject: [Fedora-directory-users] How can I force All users to reset their passwords on next login?
In-Reply-To: <45BE7A4E.7060902@redhat.com>
References: <1170107138.6919.8.camel@kcm40202.kcmhq.org> <1170110821.6919.10.camel@kcm40202.kcmhq.org> <45BE7A4E.7060902@redhat.com>
Message-ID: <200701291706.57441.dennis@ausil.us>

On Monday 29 January 2007 16:50, Richard Megginson wrote:
> Dave Augustus wrote:
> > To set it to something that the user selects that complies with the
> > current password policy.
>
> It depends. On some platforms, PAM can understand the LDAP password
> policy settings, and on some it cannot. Of course, this only applies to
> PAM logins (i.e. OS logins). I assume you mean OS login via PAM LDAP.
> If not, then you'll need to explain more about your app.
>
> Fedora DS password policy supports change at login - see
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1088351

From experience, OS X does not support any kind of the POSIX password policy attributes. The only way there that I could find was to use Open Directory server to enforce them. It is indeed a very OS dependent process.

--
  ,-._|\    Dennis Gilmore, RHCE
 /Aussie\   Proud Australian
 \_.--._/   | Aurora | Fedora |
       v

From rmeggins at redhat.com Mon Jan 29 23:07:31 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 29 Jan 2007 16:07:31 -0700
Subject: [Fedora-directory-users] FDS / PAM Integration Questions
In-Reply-To: <607182.62079.qm@web34404.mail.mud.yahoo.com>
References: <607182.62079.qm@web34404.mail.mud.yahoo.com>
Message-ID: <45BE7E33.9020104@redhat.com>

Jonathan Schreiter wrote:
> Hi All,
> I am interested in switching from MIT Kerberos5 (GSSAPI/SASL), OpenLDAP to FDS. Primarily, I'm looking for authentication and authorization for fedora / centos console logins (via PAM).
>
> Currently I have a cron job that keeps a kerberos service principal alive to allow slapd to bind to openldap (as I've also disabled anonymous binds).
> I also have startTLS running w/o client authentication (just server certificates and the local client has the CA pub cert).
>
> I then have nsswitch/pam configured to use these for console (console, ssh, etc) logins.
> I'm currently using the pam_sasl_mech GSSAPI and pam_groupdn features of the /etc/ldap.conf (/etc/openldap/ldap.conf) to manage authorization to the local system (by pointing to a posix group dn).
>
> I was able to set up FDS for console sessions with cleartext and nsswitch. I'm not sure which route to take in terms of locking down FDS with a pure linux environment. The straight SSL certificate approach seems to want the user to enter a password before a bind, so I'm not sure that's compatible with PAM. Is TLS a better option for this? The last option seems to be to keep Kerberos / GSSAPI, but I've read some posts where you can't easily do this.

It's not that bad.

> I've tried to make the SASL mapping as the docs show, but was unsuccessful.

I think your best option is to just keep Kerberos for authentication, especially if you are already using it successfully for other apps. What problems did you have with SASL mapping? Did you see this - http://directory.fedora.redhat.com/wiki/Howto:Kerberos

> Can anyone point me in the right direction for the best way to accomplish secure PAM / FDS integration? Any help would be greatly appreciated.
> Many thanks!
> Jonathan

From davea at support.kcm.org Mon Jan 29 23:24:14 2007
From: davea at support.kcm.org (Dave Augustus)
Date: Mon, 29 Jan 2007 17:24:14 -0600
Subject: [Fedora-directory-users] How can I force All users to reset their passwords on next login?
In-Reply-To: <45BE7A4E.7060902@redhat.com>
References: <1170107138.6919.8.camel@kcm40202.kcmhq.org> <45BE6912.7080206@sci.fi> <1170110821.6919.10.camel@kcm40202.kcmhq.org> <45BE7A4E.7060902@redhat.com>
Message-ID: <1170113054.6919.16.camel@kcm40202.kcmhq.org>

We are migrating to a well known CRM from an in-house app. This CRM can use LDAP for authentication. So far, so good. So we are preloading the directory with exported accounts from our old system. We want to harden the password requirements in the process.

When we turn this on, we want to force everyone that logs in to create a new password, thereby enforcing our policy change.

We currently have the PasswordMustChange set to ON. However, we aren't seeing the expected behavior, that is, the end user is NOT prompted in any other fashion other than the normal login.

Thanks,
Dave

On Mon, 2007-01-29 at 15:50 -0700, Richard Megginson wrote:
> Dave Augustus wrote:
> > To set it to something that the user selects that complies with the
> > current password policy.
>
> It depends. On some platforms, PAM can understand the LDAP password
> policy settings, and on some it cannot. Of course, this only applies to
> PAM logins (i.e. OS logins). I assume you mean OS login via PAM LDAP.
> If not, then you'll need to explain more about your app.
>
> Fedora DS password policy supports change at login - see
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1088351
>
> > Dave
> >
> > On Mon, 2007-01-29 at 23:37 +0200, Mike Jackson wrote:
> >> Dave Augustus wrote:
> >>> Does FDS provide this feature?
> >> On next login to what?
> >>
> >> Mike

From dennis at ausil.us Mon Jan 29 23:36:55 2007
From: dennis at ausil.us (Dennis Gilmore)
Date: Mon, 29 Jan 2007 17:36:55 -0600
Subject: [Fedora-directory-users] How can I force All users to reset their passwords on next login?
In-Reply-To: <1170113054.6919.16.camel@kcm40202.kcmhq.org>
References: <1170107138.6919.8.camel@kcm40202.kcmhq.org> <45BE7A4E.7060902@redhat.com> <1170113054.6919.16.camel@kcm40202.kcmhq.org>
Message-ID: <200701291736.56221.dennis@ausil.us>

On Monday 29 January 2007 17:24, Dave Augustus wrote:
> We are migrating to a well known CRM from an in-house app. This CRM can
> use LDAP for authentication. So far, so good. So we are preloading the
> directory with exported accounts from our old system. We want to harden
> the password requirements in the process.
>
> When we turn this on, we want to force everyone that logs in to create a
> new password, thereby enforcing our policy change.
>
> We currently have the PasswordMustChange set to ON. However, we aren't
> seeing the expected behavior, that is, the end user is NOT prompted in
> any other fashion other than the normal login.

So your CRM application needs to check for the password expiry flag.

--
  ,-._|\    Dennis Gilmore, RHCE
 /Aussie\   Proud Australian
 \_.--._/   | Aurora | Fedora |
       v
From jonathanschreiter at yahoo.com Tue Jan 30 01:07:04 2007
From: jonathanschreiter at yahoo.com (Jonathan Schreiter)
Date: Mon, 29 Jan 2007 17:07:04 -0800 (PST)
Subject: [Fedora-directory-users] FDS / PAM Integration Questions
Message-ID: <660053.66595.qm@web34409.mail.mud.yahoo.com>

> I think your best option is to just keep Kerberos for authentication,
> especially if you are already using it successfully for other apps.
> What problems did you have with SASL mapping?

Hi Richard,
Thanks for your reply. I've followed the documentation on the FDS website; basically, to keep it as compatible as possible, I've added (under config - sasl - mapping):

objectclass: top
objectclass: nsSaslMapping
cn: mapname
nsSaslMapRegexString: .*
nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com
nsSaslMapFilterTemplate: (cn=&)

On the server I've added export KRB5_KTNAME=/etc/ldap.keytab to /opt/fedora-ds/start-slapd. (I've done a ktdump to this file from kadmin.)

On the client that previously connected to OpenLDAP, I've changed the /etc/ldap.conf (and /etc/openldap/ldap.conf) to:

host: myfds.example.com
base dc=example, dc=com
SASL_MECH GSSAPI
SASL_REALM MYEXAMPLE.COM
use_sasl on
sasl_auth_id nssldap/myclient.myexample.com

When trying to do an ldapwhoami I receive:

ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneus failure (Permission Denied).

I have already done a kinit username to my KRB5 REALM and that user exists in the base ou=People, dc=example, dc=com on the FDS.

One thing that was not clear to me was if I needed to add a SASL Mapping entry under the configuration tab when I already have the added entry above (and if so, what it should look like). Also, I'm not sure if I need all the settings (such as a sasl_auth_id) but they are left over from configuration of openldap. Any help would be appreciated.
Regards,
Jonathan

From rmeggins at redhat.com Tue Jan 30 02:27:38 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 29 Jan 2007 19:27:38 -0700
Subject: [Fedora-directory-users] FDS / PAM Integration Questions
In-Reply-To: <660053.66595.qm@web34409.mail.mud.yahoo.com>
References: <660053.66595.qm@web34409.mail.mud.yahoo.com>
Message-ID: <45BEAD1A.70302@redhat.com>

Jonathan Schreiter wrote:
>> I think your best option is to just keep Kerberos for authentication,
>> especially if you are already using it successfully for other apps.
>> What problems did you have with SASL mapping?
>
> Hi Richard,
> Thanks for your reply. I've followed the documentation on the FDS website; basically, to keep it as compatible as possible, I've added (under config - sasl - mapping):
>
> objectclass: top
> objectclass: nsSaslMapping
> cn: mapname
> nsSaslMapRegexString: .*
> nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com
> nsSaslMapFilterTemplate: (cn=&)

Hmm - this doesn't seem quite right. For one, (cn=&) is not the correct syntax. What does & mean here? If by & you mean "the entire string matched by nsSaslMapRegexString", then this means you expect a SASL username of something like "John Doe" which is mapped to an entry with cn=John Doe under ou=People. But this still won't work unless you do something like this:

nsSaslMapRegexString: \(.*\)
...
nsSaslMapFilterTemplate: (cn=\1)

You have to use the escaped parentheses in the regexstring to put the match into a matching group (referenced by \1).

But I still don't think this will work unless you have a very nonstandard Kerberos set up. The regex string is supposed to match against the Kerberos principal, which is usually something like jdoe@DOMAIN.COM, or the domain is omitted and the principal sent to the DS is just "jdoe". The examples at http://directory.fedora.redhat.com/wiki/Howto:Kerberos describe both of these situations.
> On the server I've added export KRB5_KTNAME=/etc/ldap.keytab to /opt/fedora-ds/start-slapd. (I've done a ktdump to this file from kadmin.)
>
> On the client that previously connected to OpenLDAP, I've changed the /etc/ldap.conf (and /etc/openldap/ldap.conf) to:
>
> host: myfds.example.com
> base dc=example, dc=com
> SASL_MECH GSSAPI
> SASL_REALM MYEXAMPLE.COM
> use_sasl on
> sasl_auth_id nssldap/myclient.myexample.com
>
> When trying to do an ldapwhoami I receive:
>
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneus failure (Permission Denied).
>
> I have already done a kinit username to my KRB5 REALM and that user exists in the base ou=People, dc=example, dc=com on the FDS.
>
> One thing that was not clear to me was if I needed to add a SASL Mapping entry under the configuration tab when I already have the added entry above (and if so, what it should look like).

You're pretty close, just refer to http://directory.fedora.redhat.com/wiki/Howto:Kerberos

> Also, I'm not sure if I need all the settings (such as a sasl_auth_id) but they are left over from configuration of openldap.

What settings?

> Any help would be appreciated.
>
> Regards,
> Jonathan
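The mapping mechanics Richard describes above (a POSIX-style regex in nsSaslMapRegexString whose \( \) groups feed \1 in the base-DN and filter templates, and his later suggestion of ou=People as the base with (uid=\1) as the filter) are easy to get wrong silently, so here is an added, stand-alone simulator of that lookup. It is example code written for this thread, not part of Fedora DS and not the code the wiki HOWTO refers to; the cn values, the (objectclass=*) filter on the host mapping, whole-string matching, and trying the mappings in list order are all assumptions, and "jdoe" / "fds.myexample.com" are constructed sample identities.

```python
import re
from typing import List, Optional, Tuple


def bre_to_python(bre: str) -> str:
    """Translate the group syntax of nsSaslMapRegexString to Python's.

    FDS reads the regex as a POSIX basic regular expression: \\( and \\)
    delimit a capturing group, while bare ( and ) are literal characters.
    Python's re module has it the other way round, so swap them.
    """
    out: List[str] = []
    i = 0
    while i < len(bre):
        if bre[i] == "\\" and i + 1 < len(bre) and bre[i + 1] in "()":
            out.append(bre[i + 1])        # \( \) become a capturing group
            i += 2
        elif bre[i] in "()":
            out.append("\\" + bre[i])     # bare parentheses stay literal
            i += 1
        else:
            out.append(bre[i])
            i += 1
    return "".join(out)


class SaslMapping:
    """One nsSaslMapping entry: regex plus base-DN and filter templates."""

    def __init__(self, cn: str, regex: str, base_dn_template: str,
                 filter_template: str) -> None:
        self.cn = cn
        self.regex = re.compile(bre_to_python(regex))
        self.base_dn_template = base_dn_template
        self.filter_template = filter_template

    def apply(self, identity: str) -> Optional[Tuple[str, str]]:
        """Return (search base, search filter) if this mapping matches."""
        # Assumption: the regex has to match the whole SASL identity.
        m = self.regex.fullmatch(identity)
        if m is None:
            return None
        try:
            # \1, \2 ... in the templates refer to the \( \) groups above;
            # & is not a back-reference and is copied through literally.
            return m.expand(self.base_dn_template), m.expand(self.filter_template)
        except (re.error, IndexError) as exc:
            raise ValueError(
                f"{self.cn}: template uses a group the regex does not capture ({exc})"
            ) from exc


def map_identity(mappings: List[SaslMapping],
                 identity: str) -> Optional[Tuple[str, str, str]]:
    """Try the mappings in order (assumed: list order) and return
    (mapping cn, search base, search filter) for the first one that matches."""
    for mapping in mappings:
        result = mapping.apply(identity)
        if result is not None:
            return (mapping.cn, result[0], result[1])
    return None


# Mappings built from the regexes discussed in the thread (cn values and the
# (objectclass=*) filter for the host mapping are assumed).
MAPPINGS = [
    # ldap/host style service principals: most specific, so it goes first
    SaslMapping("host", r"[^/]+/\(.+\)",
                r"uid=\1,ou=hosts,dc=myexample,dc=com", "(objectclass=*)"),
    # user@REALM: keep the user part, drop the realm
    SaslMapping("realm", r"\(.*\)@.*",
                "ou=People,dc=myexample,dc=com", r"(uid=\1)"),
    # bare user name (realm already stripped before it reaches the server)
    SaslMapping("bare", r"\(.*\)",
                "ou=People,dc=myexample,dc=com", r"(uid=\1)"),
]

# The two mistakes from the thread, for comparison.
AMPERSAND_MAPPING = SaslMapping("amp", ".*", "ou=People,dc=example,dc=com", "(cn=&)")
NO_GROUP_MAPPING = SaslMapping("nogroup", ".*", "ou=People,dc=example,dc=com", r"(cn=\1)")


if __name__ == "__main__":
    for ident in ("jdoe@MYEXAMPLE.COM", "jdoe", "ldap/fds.myexample.com"):
        print(ident, "->", map_identity(MAPPINGS, ident))
    print("(cn=&) expands to", AMPERSAND_MAPPING.apply("John Doe"))
    try:
        NO_GROUP_MAPPING.apply("John Doe")
    except ValueError as err:
        print("error:", err)
```

Two things the run makes visible: the "(cn=&)" filter never changes, because & is not a group reference, and "(cn=\1)" with a regex that has no \( \) group fails outright. The order of the mappings also matters when a broad regex such as \(.*\) sits alongside narrower ones, since \(.*\) would happily swallow "ldap/fds.myexample.com" too.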
From g.digiambelardini at fabaris.it Tue Jan 30 08:30:24 2007
From: g.digiambelardini at fabaris.it (Di Giambelardini Gabriele)
Date: Tue, 30 Jan 2007 09:30:24 +0100 (CET)
Subject: [Fedora-directory-users] set dite end time to fedora-ds
In-Reply-To: <45BE31C4.8020301@redhat.com>
References: <42091.192.168.1.1.1170070410.squirrel@webmail2.fabaris.it> <45BE31C4.8020301@redhat.com>
Message-ID: <34971.192.168.1.1.1170145824.squirrel@webmail2.fabaris.it>

From console and command line, ldif:

dn: uid=testd@test.it,ou=People,dc=test,dc=it
stato: nuovo
# **************** give problem *********
passwordExpirationTime: 20070701102527Z
givenName: TEST
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: "my objectClass"
reparto: REPARTO
userPin: osP8tqi3
mailQuota: 251658243S
mailMessageStore: /var/vmail/test.it/t/e/s/t/Maildir
uid: test@test.it
mail: test@test.it
cn: REPARTO
homeDirectory: /var/vmail
userPassword: {CRYPT}$1$JOXbkPlU$L5RTfr56Milp54GTs.

> Di Giambelardini Gabriele wrote:
>> Hi to all, I have a problem with passwordExpirationTime.
>> The problem is:
>> my fedora-ds is set to "password expires after 180 days",
>> and every user has "passwordExpirationTime: 20070807102527Z",
>> but when I try to import
> How are you trying to import? What command? What arguments?
>> this message appears: "The error sent by the
>> server was 'Object class violation. single-valued attribute
>> "passwordExpirationTime" has multiple values".
>> So if I delete the attribute "passwordExpirationTime" from the user,
>> the import works fine, but the date for the expiration password is set
>> automatically by fedora-ds to "19001023000000Z" (or similar).
>> How should I set the ntp or the right date from fedora-ds 1.0.4?
>> Thanks to all

Di Giambelardini Gabriele
System/Network Administrator
__________________________________________
FABARIS s.r.l.
Cel. +39 3488504467
Tel. +39 0765 22181 - Fax +39 0765 410100
Via G. Mameli, 90 02047 Poggio Mirteto (RI)
Filiale: Viale dell'Università, 25 00185 Roma (RM)
www.fabaris.it
__________________________________________

From skonstant at sgul.ac.uk Tue Jan 30 12:15:23 2007
From: skonstant at sgul.ac.uk (Stéphane Konstantaropoulos)
Date: Tue, 30 Jan 2007 12:15:23 +0000
Subject: [Fedora-directory-users] replication with sun JES
Message-ID: <200701301215.24376.skonstant@sgul.ac.uk>

Hello,

Is it possible to replicate (multi-master preferably) a FDS 1.0.4 with a Sun JES directory? If so, can anybody point me to some documentation about it?

Thanks
--
Stéphane Konstantaropoulos
--
Web Developer - Computing Services
---
St George's University of London

From jonathanschreiter at yahoo.com Tue Jan 30 14:29:42 2007
From: jonathanschreiter at yahoo.com (Jonathan Schreiter)
Date: Tue, 30 Jan 2007 06:29:42 -0800 (PST)
Subject: [Fedora-directory-users] FDS / PAM Integration Questions
Message-ID: <20070130142942.13253.qmail@web34408.mail.mud.yahoo.com>

Hi Richard,
I should have probably provided more detail.
I followed the HOWTO:kerberos and entered the config - sasl - mapping as it explained, namely:

dn: cn=mapname,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: mapname
nsSaslMapRegexString: \(.*\)@\(.*\)
nsSaslMapBaseDNTemplate: uid=\1,dc=myexample,dc=com
nsSaslMapFilterTemplate: (objectclass=inetOrgPerson)

And that produces the same SASL GSSAPI errors as in the last post. The link on that HOWTO that points to the SASL configurations shows the other configuration parameters (the ones that I also tried and posted in my last message). The install is a standard user@mydomain.com so you're probably correct and I've changed that entry to the above settings.

The SASL documentation:
Configuring SASL Identity Mapping from the Console
In the Console, open the Directory Server.
Open the "Configuration" tab.
Select the "SASL Mapping" tab.
To add new SASL identities, select the "Add" button, and fill in the required values.

The Kerberos HOWTO doesn't discuss adding any mappings on the console, so it wasn't clear if this was required or not. Can you confirm? If it is required, what would the fields be filled with - do we need to link to the dn: cn=mapname,cn=mapping,cn=sasl,cn=config above?

Also, because the service principal that FDS is going to use is ldap/fqdnoffds.myexample.com, do I need to add a second dn in order for this to work... such as:

dn: cn=mapname2,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: mapname2
nsSaslMapRegexString: [^/]+/\(.+\)
nsSaslMapBaseDNTemplate: uid=\1,ou=hosts,dc=myexample,dc=com
nsSaslMapFilterTemplate: .*

> Also, I'm not sure if I need all the settings (such as a sasl_auth_id) but they are left over from configuration of openldap.
> What settings?
The SASL settings that openldap used (they aren't mentioned in the howto: kerberos or SASL on the FDS sites), but they are:

SASL_MECH GSSAPI
SASL_REALM MYEXAMPLE.COM
use_sasl on
sasl_auth_id nssldap/myclient.myexample.com

I've tried with and without these settings and I still get the error: invalid credentials (49) additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (Permission denied).
When I set these, I believe it is used for default settings (such as you don't have to type ldapwhoami -Y GSSAPI, just ldapwhoami).

Any thoughts would be appreciated!

Many thanks again,
Jonathan

From rmeggins at redhat.com Tue Jan 30 15:55:49 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 30 Jan 2007 08:55:49 -0700
Subject: [Fedora-directory-users] set dite end time to fedora-ds
In-Reply-To: <34971.192.168.1.1.1170145824.squirrel@webmail2.fabaris.it>
References: <42091.192.168.1.1.1170070410.squirrel@webmail2.fabaris.it> <45BE31C4.8020301@redhat.com> <34971.192.168.1.1.1170145824.squirrel@webmail2.fabaris.it>
Message-ID: <45BF6A85.8000505@redhat.com>

Di Giambelardini Gabriele wrote:
> From console and command line, ldif:
>
> dn: uid=testd@test.it,ou=People,dc=test,dc=it
> stato: nuovo
> # **************** give problem *********
> passwordExpirationTime: 20070701102527Z
> givenName: TEST
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: "my objectClass"
> reparto: REPARTO
> userPin: osP8tqi3
> mailQuota: 251658243S
> mailMessageStore: /var/vmail/test.it/t/e/s/t/Maildir
> uid: test@test.it
> mail: test@test.it
> cn: REPARTO
> homeDirectory: /var/vmail
> userPassword: {CRYPT}$1$JOXbkPlU$L5RTfr56Milp54GTs.

Try using ldif2db from the command line (or ldif2db.pl)

>> Di Giambelardini Gabriele wrote:
>>> Hi to all, I have a problem with passwordExpirationTime.
>>> The problem is:
>>> my fedora-ds is set to "password expires after 180 days",
>>> and every user has "passwordExpirationTime: 20070807102527Z",
>>> but when I try to import
>> How are you trying to import? What command? What arguments?
>>> this message appears: "The error sent by the
>>> server was 'Object class violation. single-valued attribute
>>> "passwordExpirationTime" has multiple values".
>>> So if I delete the attribute "passwordExpirationTime" from the user,
>>> the import works fine, but the date for the expiration password is set
>>> automatically by fedora-ds to "19001023000000Z" (or similar).
>>> How should I set the ntp or the right date from fedora-ds 1.0.4?
>>> Thanks to all
>
> Di Giambelardini Gabriele
> System/Network Administrator
> __________________________________________
> FABARIS s.r.l.
> Cel. +39 3488504467
> Tel. +39 0765 22181 - Fax +39 0765 410100
> Via G. Mameli, 90 02047 Poggio Mirteto (RI)
> Filiale: Viale dell'Università, 25 00185 Roma (RM)
> www.fabaris.it
> __________________________________________
From rmeggins at redhat.com Tue Jan 30 16:13:40 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 30 Jan 2007 09:13:40 -0700
Subject: [Fedora-directory-users] FDS / PAM Integration Questions
In-Reply-To: <20070130142942.13253.qmail@web34408.mail.mud.yahoo.com>
References: <20070130142942.13253.qmail@web34408.mail.mud.yahoo.com>
Message-ID: <45BF6EB4.9030605@redhat.com>

Jonathan Schreiter wrote:
> Hi Richard,
> I should have probably provided more detail. I followed the HOWTO:kerberos and entered the config - sasl - mapping as it explained, namely:
>
> dn: cn=mapname,cn=mapping,cn=sasl,cn=config
> objectclass: top
> objectclass: nsSaslMapping
> cn: mapname
> nsSaslMapRegexString: \(.*\)@\(.*\)

If you don't need the DOMAIN part, you can omit the second set of parentheses and just have \(.*\)@.*

> nsSaslMapBaseDNTemplate: uid=\1,dc=myexample,dc=com

Do your users have a DN of uid=jdoe,dc=myexample,dc=com or uid=jdoe,ou=People,dc=myexample,dc=com? If the latter, then this won't work. You'll have to use

nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=myexample,dc=com

This is good if you are sure that all of your users' entries are under ou=People and have a uid that matches the principal name.

> nsSaslMapFilterTemplate: (objectclass=inetOrgPerson)

Or, just use

nsSaslMapBaseDNTemplate: ou=People,dc=myexample,dc=com
nsSaslMapFilterTemplate: (uid=\1)

> And that produces the same SASL GSSAPI errors as in the last post. The link on that HOWTO that points to the SASL configurations shows the other configuration parameters (the ones that I also tried and posted in my last message). The install is a standard user@mydomain.com so you're probably correct and I've changed that entry to the above settings.
>
> The SASL documentation:
> Configuring SASL Identity Mapping from the Console
> In the Console, open the Directory Server.
> Open the "Configuration" tab.
> Select the "SASL Mapping" tab.
> To add new SASL identities, select the "Add" button, and fill in the required values.
>
> The Kerberos HOWTO doesn't discuss adding any mappings on the console, so it wasn't clear if this was required or not. Can you confirm?

If you've added the above entry using ldapmodify or by editing dse.ldif, then you do not have to add it with the console - although it is a good idea to use the console to add this configuration unless you really know what you're doing, because you'll have to add the cn=mapping entry parent before the cn=mapname child config entry.

> If it is required, what would the fields be filled with - do we need to link to the dn: cn=mapname,cn=mapping,cn=sasl,cn=config above?

I'm not sure what you mean.

> Also, because the service principal that FDS is going to use is ldap/fqdnoffds.myexample.com, do I need to add a second dn in order for this to work... such as:

No, not unless FDS is going to use its service principal to do a SASL/GSSAPI BIND to another FDS.

> dn: cn=mapname2,cn=mapping,cn=sasl,cn=config
> objectclass: top
> objectclass: nsSaslMapping
> cn: mapname2
> nsSaslMapRegexString: [^/]+/\(.+\)
> nsSaslMapBaseDNTemplate: uid=\1,ou=hosts,dc=myexample,dc=com
> nsSaslMapFilterTemplate: .*
>
>> Also, I'm not sure if I need all the settings (such as a sasl_auth_id) but they are left over from configuration of openldap.
>
> What settings?
>
> The SASL settings that openldap used (they aren't mentioned in the howto: kerberos or SASL on the FDS sites), but they are:
>
> SASL_MECH GSSAPI
> SASL_REALM MYEXAMPLE.COM
> use_sasl on
> sasl_auth_id nssldap/myclient.myexample.com
>
> I've tried with and without these settings and I still get the error: invalid credentials (49) additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (Permission denied).
> When I set these, I believe it is used for default settings (such as you don't have to type ldapwhoami -Y GSSAPI, just ldapwhoami).

Ok. Those are client side settings that do not affect Fedora DS.

> Any thoughts would be appreciated!
>
> Many thanks again,
> Jonathan

From capareci at uol.com.br Wed Jan 31 16:01:57 2007
From: capareci at uol.com.br (Renato Ribeiro da Silva)
Date: Wed, 31 Jan 2007 14:01:57 -0200
Subject: [Fedora-directory-users] set dite end time to fedora-ds
Message-ID:

This is happening because you enabled the option "User must change password after reset". In the Directory Server Console go to the Configuration tab, select Data, go to the "Passwords" tab and then uncheck this option.

> Hi to all, I have a problem with passwordExpirationTime.
> The problem is:
> my fedora-ds is set to "password expires after 180 days",
> and every user has "passwordExpirationTime: 20070807102527Z",
> but when I try to import this message appears: "The error sent by the
> server was 'Object class violation. single-valued attribute
> "passwordExpirationTime" has multiple values".
> So if I delete the attribute "passwordExpirationTime" from the user,
> the import works fine, but the date for the expiration password is set
> automatically by fedora-ds to "19001023000000Z" (or similar).
> How should I set the ntp or the right date from fedora-ds 1.0.4?
> Thanks to all
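Two practical points come out of the passwordExpirationTime thread: Gabriele's import fails because the LDIF carries a passwordExpirationTime of its own while the server, with "User must change password after reset" enabled, also sets one (Renato's explanation), and Dennis's remark that the CRM application has to look at the expiry state itself. The following added example, written for this thread rather than taken from Fedora DS or any of the posters, does both offline: it reads an LDIF export, classifies each entry's password state the way a login application might before admitting the user, and produces an import-ready copy with the colliding attribute removed. The sample LDIF, the "now" timestamp and the uids are constructed; treating any expiration date before 1970 as the server's "must change" marker is an assumption based on the 1900-dated value quoted in the thread, as is the 14-day warning window.

```python
import base64
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Any passwordExpirationTime this far in the past is taken to be the marker
# the server sets for "must change password at next bind" rather than a real
# date (assumption based on the 1900-dated value quoted in the thread).
RESET_MARKER_BEFORE = datetime(1970, 1, 1, tzinfo=timezone.utc)

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: folds continuation lines, decodes :: base64 values,
    lower-cases attribute names and returns one dict per entry."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation of the previous line
        else:
            logical.append(raw)
    entries: List[Entry] = []
    entry: Entry = {}
    for line in logical + [""]:
        if not line.strip():                # a blank line ends the entry
            if entry:
                entries.append(entry)
            entry = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entries


def parse_generalized_time(value: str) -> datetime:
    """FDS writes GeneralizedTime as YYYYMMDDHHMMSSZ (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_status(entry: Entry, now: datetime, warn_days: int = 14) -> str:
    """Classify an entry before letting the user in: must-change, expired,
    expiring, ok, or no expiration attribute at all."""
    values = entry.get("passwordexpirationtime", [])
    if not values:
        return "no-expiration-attribute"
    if len(values) > 1:
        return "invalid-multiple-values"    # what the server rejected in the thread
    expires = parse_generalized_time(values[0])
    if expires < RESET_MARKER_BEFORE:
        return "must-change"
    if expires <= now:
        return "expired"
    if expires - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def strip_for_import(entries: List[Entry]) -> List[Entry]:
    """Return copies without passwordExpirationTime, so that an import does not
    collide with the value the server adds itself when must-change is enabled."""
    return [{k: v[:] for k, v in e.items() if k != "passwordexpirationtime"}
            for e in entries]


# Constructed sample LDIF (not the thread's real data), one entry per case.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
passwordExpirationTime: 20070807102527Z

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn: Bob Example
passwordExpirationTime: 19001023000000Z

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: carol
cn:: Q2Fyb2wgRXhhbXBsZQ==
passwordExpirationTime: 20070205000000Z

dn: uid=dave,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: dave
cn: Dave
  Example
"""

NOW = datetime(2007, 1, 30, 12, 0, 0, tzinfo=timezone.utc)   # constructed "now"


def audit(text: str, now: datetime = NOW) -> Dict[str, str]:
    """Map each entry's uid to its password status."""
    return {e["uid"][0]: password_status(e, now) for e in parse_ldif(text)}


if __name__ == "__main__":
    for uid, status in audit(SAMPLE_LDIF).items():
        print(f"{uid:8s} {status}")
    print(len(strip_for_import(parse_ldif(SAMPLE_LDIF))), "entries ready for import")
```

This works on an export or on search results, which is enough for an audit or for preparing an import; at bind time the authoritative signal is the password-policy response the server returns with the BIND result, and an application in Dave's position should act on that rather than on a cached attribute.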