From fmunoz at hispafuentes.com Sun Jul 1 22:17:06 2007
From: fmunoz at hispafuentes.com (Fernando Muñoz)
Date: Mon, 02 Jul 2007 00:17:06 +0200
Subject: [Fedora-directory-users] Console Templates
Message-ID: <1183328226.6132.9.camel@hispafuentes>

Hi,

I installed FedoraDS 1.0.4, and I would like to modify the console templates for making users, groups, roles..., adding new objectclasses and attributes (or new templates) to be displayed in the console templates.

Is it possible? Why?

Thanks,

From iferreir at personal.com.py Mon Jul 2 02:01:41 2007
From: iferreir at personal.com.py (Ivan Ferreira)
Date: Sun, 1 Jul 2007 22:01:41 -0400
Subject: [Fedora-directory-users] Ivan Ferreira is out of the office.
Message-ID:

I will be out of the office from 01/07/2007 and will not return until 02/07/2007.

I will reply to your message when I return.

========================================================================================
LEGAL NOTICE: This information is private and confidential and is intended solely for its addressee. If you are not the original addressee of this message and were able to access this information by this means, please delete the message. Distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded as a proposal, acceptance or official statement of will of NUCLEO S.A. E-mail transmission does not guarantee that the e-mail is secure or error-free. Consequently, we do not represent that this information is complete or accurate. All information is subject to change without notice.

This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited.
This communication is for information purposes only and shall not be regarded as a proposal, acceptance or statement of will or official statement from NUCLEO S.A. Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice.

From maumar.marini at cost.it Mon Jul 2 09:56:24 2007
From: maumar.marini at cost.it (Maurizio Marini)
Date: Mon, 2 Jul 2007 11:56:24 +0200
Subject: [Fedora-directory-users] replica multi-master, clock skew and /etc/ntp.conf
Message-ID: <200707021156.26083.maumar.marini@cost.it>

Hi there,
I am setting up multi-master replication, and things seem to be going ahead; for other newbies like me, I suggest having the hosts file and the named daemon set up very carefully regarding reverse resolution of the other master in the replica agreement.
The only trouble, now, is clock skew: I am developing on a server with VMware Server; the 2 masters are 2 virtual CentOS machines on the VMware server.
I am trying to get their clocks synced with each other or, at least, with the dom0 server, with no success.
Does someone there have a very bare and simple /etc/ntp.conf to get 2 master servers time synced?
Any help will be very much appreciated
Maurizio

From rmeggins at redhat.com Mon Jul 2 12:43:46 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 02 Jul 2007 06:43:46 -0600
Subject: [Fedora-directory-users] Console Templates
In-Reply-To: <1183328226.6132.9.camel@hispafuentes>
References: <1183328226.6132.9.camel@hispafuentes>
Message-ID: <4688F302.9050204@redhat.com>

Fernando Muñoz wrote:
> Hi,
>
> I installed FedoraDS 1.0.4, and I would like to modify the console
> templates for make user,groups,roles..., adding new objectclass and
> attributes (or new templates) for displayed in console templates.
>
> It's possible?, why?.
>
You'll have to write some Java code.
See http://cvs.fedora.redhat.com/viewcvs/console/examples/?root=dirsec
> Thanks,
>

From edlinuxguru at gmail.com Mon Jul 2 13:52:23 2007
From: edlinuxguru at gmail.com (Eddie C)
Date: Mon, 2 Jul 2007 09:52:23 -0400
Subject: [Fedora-directory-users] replica multi-master, clock skew and /etc/ntp.conf
In-Reply-To: <200707021156.26083.maumar.marini@cost.it>
References: <200707021156.26083.maumar.marini@cost.it>
Message-ID:

VMware sometimes has annoying clock issues. If you are using a VMware supported kernel on a VMware supported OS you should be able to 'install vmware tools' - run the RPM and be OK.

I am on Fedora Core 5. This is what I have to do. On my VMware machines I have found that using VMware Server with the stock FC5 kernel works, and vmware 1.0.1 works 'OK' as long as:
- You install VMware tools on the guest OS
- You turn on the real time clock in the configuration of vmware tools
- You change clock=PIT in the kernel boot
- You only use one processor for the system.

Your mileage on this may vary depending on what kernel / vmware combination you are using. With two-processor emulation I found the clock totally erratic, and the host system was telling me about soft lockups. I found that for most things one-processor emulation works well enough.
Here is what I do:
install kernel-source/kernel-devel
In vmware click 'install vmware tools'
This creates a pseudo CD device that you have to mount (I do not remember how)
In the pseudo cd-rom device there are two files, VMware-Tools-1.0.1-(version).rpm and the tar
I RPM install the tar
download vmware-any-any-update105.tar.gz vmware-tools-any-update1.tar.gz
tar -xf vmware-tools-any-update1.tar.gz
tar -xf vmware-any-any-update105.tar.gz
cp vmware-tools-any-update/runme.pl vmware-any-any-update/runme.pl
cd vmware-any-any-update
perl runme.pl
Set clock=pit in kernel config
Reboot

Still, if the system is very busy I have found the clock jumping a minute and then jumping back. I still run ntp sometimes against the suggestion of vmware. Then again I am not on a supported OS.

On 7/2/07, Maurizio Marini wrote:
> Hi there,
> i am setupping replica multi-master, and things seems to go ahead; for other
> newbies like me, i suggest to have file hosts and named daemon setupped very
> carefully regarding reverse resolution of the other master in replica
> agreement.
> The only trouble, now, is clock skew: i am developing on a server with vmware
> server; 2 master are 2 virtual centos on vmware server.
> I am trying to get their clock synced each other or, at least, with dom0
> server, with no success.
> Someone there has a very bare and simple /etc/ntp.conf to get 2 master servers
> time synced?
> Any help will be very appreciated
> Maurizio

From rmeggins at redhat.com Mon Jul 2 14:22:43 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 02 Jul 2007 08:22:43 -0600
Subject: [Fedora-directory-users] how to reset admin password?
In-Reply-To: <78926d250706291736g5635529bu23c1e98766e08b0@mail.gmail.com>
References: <78926d250706291310v6c51f68eu8206130a2cd2accb@mail.gmail.com> <4685670C.3010400@redhat.com> <78926d250706291325l11041d68ice420cefb0f947c4@mail.gmail.com> <46857192.40705@redhat.com> <78926d250706291736g5635529bu23c1e98766e08b0@mail.gmail.com>
Message-ID: <46890A33.604@redhat.com>

slamp slamp wrote:
> [Fri Jun 29 16:12:21 2007] [error] [client xx.xx.xxx.xx] user admin:
> authentication failure for "/admin-serv/authenticate": Password
> Mismatch
> [Fri Jun 29 16:12:25 2007] [error] [client xx.xx.xxx.xx] user admin:
> authentication failure for "/admin-serv/authenticate": Password
> Mismatch
What about the configuration directory server access log? /opt/fedora-ds/slapd-instance/logs/access?
>
> On 6/29/07, Richard Megginson wrote:
>> slamp slamp wrote:
>> > yes i did. i changed the password using the admin console.
>> >
>> > ./startconsole
>> > Logged in
>> > Double clicked on Administration Server under Server Group
>> > Under Configuration there is Access tab and thats where I changed it.
>> What does the configuration directory server access log show for BIND
>> attempts?
>> >
>> > On 6/29/07, Richard Megginson wrote:
>> >> slamp slamp wrote:
>> >> > i changed the admin password using the admin console and now i cannot
>> >> > log back in with the new or the old password. i saw a way to change
>> >> > the directory manager password but i do not know if its the same for
>> >> > the admin password. please help.
>> >> Did you restart the admin server afterwards? How did you change the
>> >> password?
From slackamp at gmail.com Mon Jul 2 15:52:33 2007
From: slackamp at gmail.com (slamp slamp)
Date: Mon, 2 Jul 2007 11:52:33 -0400
Subject: [Fedora-directory-users] how to reset admin password?
In-Reply-To: <46890A33.604@redhat.com>
References: <78926d250706291310v6c51f68eu8206130a2cd2accb@mail.gmail.com> <4685670C.3010400@redhat.com> <78926d250706291325l11041d68ice420cefb0f947c4@mail.gmail.com> <46857192.40705@redhat.com> <78926d250706291736g5635529bu23c1e98766e08b0@mail.gmail.com> <46890A33.604@redhat.com>
Message-ID: <78926d250707020852p2723389dubc06836693b3ea12@mail.gmail.com>

[02/Jul/2007:11:48:09 -0400] conn=134 fd=73 slot=73 SSL connection from xx.xx.xxx.xx to xx.xx.xxx.xx
[02/Jul/2007:11:48:09 -0400] conn=134 SSL 128-bit RC4
[02/Jul/2007:11:48:09 -0400] conn=134 op=0 BIND dn="cn=admin-serv-fds, cn=Fedora Administration Server, cn=Server Group, cn=fds.domain.com, ou=domain.com, o=NetscapeRoot" method=128 version=3
[02/Jul/2007:11:48:09 -0400] conn=134 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[02/Jul/2007:11:48:09 -0400] conn=134 op=1 SRCH base="o=NetscapeRoot" scope=2 filter="(uid=admin)" attrs="c"
[02/Jul/2007:11:48:09 -0400] conn=134 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[02/Jul/2007:11:48:09 -0400] conn=134 op=2 BIND dn="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" method=128 version=3
[02/Jul/2007:11:48:09 -0400] conn=134 op=2 RESULT err=49 tag=97 nentries=0 etime=0
[02/Jul/2007:11:48:09 -0400] conn=134 op=3 UNBIND
[02/Jul/2007:11:48:09 -0400] conn=134 op=3 fd=73 closed - U1

There is no easy way to do this? I have access to Directory Manager.

On 7/2/07, Richard Megginson wrote:
> slamp slamp wrote:
> > [Fri Jun 29 16:12:21 2007] [error] [client xx.xx.xxx.xx] user admin:
> > authentication failure for "/admin-serv/authenticate": Password
> > Mismatch
> > [Fri Jun 29 16:12:25 2007] [error] [client xx.xx.xxx.xx] user admin:
> > authentication failure for "/admin-serv/authenticate": Password
> > Mismatch
> What about the configuration directory server access log?
> /opt/fedora-ds/slapd-instance/logs/access?
From rmeggins at redhat.com Mon Jul 2 15:49:55 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 02 Jul 2007 09:49:55 -0600
Subject:
[Fedora-directory-users] how to reset admin password?
In-Reply-To: <78926d250707020852p2723389dubc06836693b3ea12@mail.gmail.com>
References: <78926d250706291310v6c51f68eu8206130a2cd2accb@mail.gmail.com> <4685670C.3010400@redhat.com> <78926d250706291325l11041d68ice420cefb0f947c4@mail.gmail.com> <46857192.40705@redhat.com> <78926d250706291736g5635529bu23c1e98766e08b0@mail.gmail.com> <46890A33.604@redhat.com> <78926d250707020852p2723389dubc06836693b3ea12@mail.gmail.com>
Message-ID: <46891EA3.9040509@redhat.com>

slamp slamp wrote:
> [02/Jul/2007:11:48:09 -0400] conn=134 fd=73 slot=73 SSL connection
> from xx.xx.xxx.xx to xx.xx.xxx.xx
> [02/Jul/2007:11:48:09 -0400] conn=134 SSL 128-bit RC4
> [02/Jul/2007:11:48:09 -0400] conn=134 op=0 BIND dn="cn=admin-serv-fds,
> cn=Fedora Administration Server, cn=Server Group, cn=fds.domain.com,
> ou=domain.com, o=NetscapeRoot" method=128 version=3
> [02/Jul/2007:11:48:09 -0400] conn=134 op=0 RESULT err=0 tag=97
> nentries=0 etime=0 dn=""
> [02/Jul/2007:11:48:09 -0400] conn=134 op=1 SRCH base="o=NetscapeRoot"
> scope=2 filter="(uid=admin)" attrs="c"
> [02/Jul/2007:11:48:09 -0400] conn=134 op=1 RESULT err=0 tag=101
> nentries=1 etime=0
> [02/Jul/2007:11:48:09 -0400] conn=134 op=2 BIND dn="uid=admin,
> ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" method=128
> version=3
> [02/Jul/2007:11:48:09 -0400] conn=134 op=2 RESULT err=49 tag=97
> nentries=0 etime=0
Try using ldapsearch from the command line with -D "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" -w yourpassword

If that still gives error 49, then try using -w youroldpassword

If that works, then the password change did not take effect for some reason. Try using ldapmodify from the command line to change the password.
> [02/Jul/2007:11:48:09 -0400] conn=134 op=3 UNBIND
> [02/Jul/2007:11:48:09 -0400] conn=134 op=3 fd=73 closed - U1
>
>
> There is no easy way to do this? I have access to Directory Manager.
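Richard's procedure above, turned into a small script as an added example (not code from the thread): it pairs every BIND in a Fedora DS access log with the RESULT on the same conn/op, so err=49 (invalidCredentials) shows up next to the DN that failed, and it builds the ldapmodify LDIF that replaces userPassword on that entry. The log lines are a constructed copy of the excerpt slamp posted; the placeholder password is an assumption.

```python
import re

# Constructed sample in the Fedora DS access-log format, copied from the
# lines slamp posted (masked addresses kept as they appear in the thread).
SAMPLE_ACCESS_LOG = """\
[02/Jul/2007:11:48:09 -0400] conn=134 fd=73 slot=73 SSL connection from xx.xx.xxx.xx to xx.xx.xxx.xx
[02/Jul/2007:11:48:09 -0400] conn=134 SSL 128-bit RC4
[02/Jul/2007:11:48:09 -0400] conn=134 op=0 BIND dn="cn=admin-serv-fds, cn=Fedora Administration Server, cn=Server Group, cn=fds.domain.com, ou=domain.com, o=NetscapeRoot" method=128 version=3
[02/Jul/2007:11:48:09 -0400] conn=134 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[02/Jul/2007:11:48:09 -0400] conn=134 op=1 SRCH base="o=NetscapeRoot" scope=2 filter="(uid=admin)" attrs="c"
[02/Jul/2007:11:48:09 -0400] conn=134 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[02/Jul/2007:11:48:09 -0400] conn=134 op=2 BIND dn="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" method=128 version=3
[02/Jul/2007:11:48:09 -0400] conn=134 op=2 RESULT err=49 tag=97 nentries=0 etime=0
[02/Jul/2007:11:48:09 -0400] conn=134 op=3 UNBIND
[02/Jul/2007:11:48:09 -0400] conn=134 op=3 fd=73 closed - U1
"""

BIND_RE = re.compile(r' conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r' conn=(\d+) op=(\d+) RESULT err=(\d+)')

# LDAP result codes that occur in the thread (RFC 4511 names)
ERR_NAMES = {0: "success", 49: "invalidCredentials"}


def bind_outcomes(log_text):
    """Pair every BIND with the RESULT carrying the same conn/op.

    The access log writes the request and its result as separate lines, so
    the outcome of a bind is only visible once the two are joined.  Returns
    a list of dicts with conn, op, dn, method, err and name, in log order.
    """
    pending = {}
    outcomes = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, method = m.groups()
            pending[(conn, op)] = {"conn": int(conn), "op": int(op),
                                   "dn": dn, "method": int(method)}
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err = m.groups()
            bind = pending.pop((conn, op), None)
            if bind is None:
                continue  # RESULT of a SRCH or other non-BIND op
            bind["err"] = int(err)
            bind["name"] = ERR_NAMES.get(bind["err"], "other")
            outcomes.append(bind)
    return outcomes


def failed_binds(log_text):
    """Only the binds whose RESULT was not err=0."""
    return [o for o in bind_outcomes(log_text) if o["err"] != 0]


def report(log_text):
    """One readable line per bind, for a quick read of a log excerpt."""
    return [f'conn={o["conn"]} op={o["op"]} BIND dn="{o["dn"]}" -> '
            f'err={o["err"]} ({o["name"]})' for o in bind_outcomes(log_text)]


def password_reset_ldif(dn, new_password):
    """LDIF for the ldapmodify step Richard suggests: replace userPassword
    on one entry.  Apply it bound as a DN allowed to write that attribute,
    e.g. cn=Directory Manager; the server applies its own storage scheme."""
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: userPassword\n"
            f"userPassword: {new_password}\n")


if __name__ == "__main__":
    for line in report(SAMPLE_ACCESS_LOG):
        print(line)
    for fail in failed_binds(SAMPLE_ACCESS_LOG):
        # NEW-PASSWORD-PLACEHOLDER is an assumed value, not from the thread
        print(password_reset_ldif(fail["dn"], "NEW-PASSWORD-PLACEHOLDER"))
```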
From maurizio.marini at cost.it Mon Jul 2 13:36:30 2007
From: maurizio.marini at cost.it (Maurizio Marini)
Date: Mon, 2 Jul 2007 15:36:30 +0200
Subject: [Fedora-directory-users] replica multi-master, clock skew and /etc/ntp.conf
In-Reply-To: <200707021156.26083.maumar.marini@cost.it>
References: <200707021156.26083.maumar.marini@cost.it>
Message-ID: <200707021536.31362.maurizio.marini@cost.it>

On Mon July 2 2007 11:56, Maurizio Marini wrote:
> Someone there has a very bare and simple /etc/ntp.conf to get 2 master
> servers time synced?
The distro configuration is ok; it is necessary to wait half an hour after the ntpd restart on the server before trying to sync time from the clients.
m.

From maumar at cost.it Tue Jul 3 13:04:56 2007
From: maumar at cost.it (Maurizio Marini)
Date: Tue, 3 Jul 2007 15:04:56 +0200
Subject: [Fedora-directory-users] 1 question and 2 issues
Message-ID: <200707031504.57287.maumar@cost.it>

Newbie question: how can I create a new suffix with all the stuff that I find on a fresh fds installation? I tried to issue New Suffix, I added a new database named user2Root and it was created empty.

2nd issue: Configuring a Subtree/User Password Policy Using the Console
1. Enable fine-grained password policy.
2. Create the local password policy for the subtree or user.
a. ...
b. ...
c. From the Object menu, select the Manage Password Policy option, and then select the "For user" or "For subtree." Depending on your selection, the User Password Policy or Subtree Password Policy window appears.

When I select "For user" or "For subtree.", the Password Policy window appears, and after a second all the content disappears; I can see only a small grey square in the center of the window.

3rd issue: when an account is expiring or expired and I use a small php script to authenticate, what is returned for the warning message (if enabled) and for expired ones? Which return codes are sent back to the application?

Maurizio

From edlinuxguru at gmail.com Tue Jul 3 14:42:08 2007
From: edlinuxguru at gmail.com (Eddie C)
Date: Tue, 3 Jul 2007 10:42:08 -0400
Subject: [Fedora-directory-users] replica multi-master, clock skew and /etc/ntp.conf
In-Reply-To: <200707021536.31362.maurizio.marini@cost.it>
References: <200707021156.26083.maumar.marini@cost.it> <200707021536.31362.maurizio.marini@cost.it>
Message-ID:

VMware suggests you do NOT run NTP on the guest OS, only the master. You do not need your own ntp server to run ntp. If you go to the VMware site and forums there are many discussions on clock skew.
The way VMware virtualizes the system plays total havoc on the clocks. They might count slow or really fast, or jump forwards and backwards.

Also your terminology is confusing: 'dom0' is a XEN thing, 'guest os' is a vmware thing. It is hard to tell which product you are using. If you are using VMware and the clock is slow or jumping around refer to my first post. If you are on XEN I can not help much.

On 7/2/07, Maurizio Marini wrote:
>
> On Mon July 2 2007 11:56, Maurizio Marini wrote:
> > Someone there has a very bare and simple /etc/ntp.conf to get 2 master
> > servers time synced?
> The distro configuration is ok, it is necessary to wait half an hour after
> ntpd restart on server, before trying to sync time from clients.
> m.

From tour9 at ece.lsu.edu Tue Jul 3 18:33:31 2007
From: tour9 at ece.lsu.edu (SWA)
Date: Tue, 3 Jul 2007 13:33:31 -0500
Subject: [Fedora-directory-users] FDS-1.1 question
Message-ID: <20070703133331.4658d0b6@control.ece.lsu.edu>

Does anyone know of any time-frame for the upcoming release of FDS-1.1? The DS-1.1 I think is already released, but the accompanying Admin and the Console are not bundled yet...

SWA

From rmeggins at redhat.com Tue Jul 3 18:42:40 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 03 Jul 2007 12:42:40 -0600
Subject: [Fedora-directory-users] FDS-1.1 question
In-Reply-To: <20070703133331.4658d0b6@control.ece.lsu.edu>
References: <20070703133331.4658d0b6@control.ece.lsu.edu>
Message-ID: <468A98A0.5050105@redhat.com>

SWA wrote:
> Does anyone know of any time-frame for the up coming release of
> FDS-1.1? The DS-1.1 I think is already released, but, the
> accompanying Admin and the Console are not bundled yet...
>
DS 1.1 is not quite released.
Admin and console integration require quite a few changes to the ds-base package, as well as adding things like easy setup and migration to the base package, that admin and console will also use. So, not quite ready yet, but soon.
> SWA

From brzurom at tycho.ncsc.mil Tue Jul 3 19:15:01 2007
From: brzurom at tycho.ncsc.mil (Brian Zuromski)
Date: Tue, 03 Jul 2007 15:15:01 -0400
Subject: [Fedora-directory-users] how to autofs
Message-ID: <468AA035.1030603@tycho.ncsc.mil>

Hello,
I'm looking to set up autofs for a bunch of linux hosts. What schema should I use? The automount page on the wiki does not exactly paint a very clear picture.
http://directory.fedoraproject.org/wiki/Howto:Automount

From srigler at marathonoil.com Tue Jul 3 19:48:15 2007
From: srigler at marathonoil.com (Steve Rigler)
Date: Tue, 03 Jul 2007 14:48:15 -0500
Subject: [Fedora-directory-users] how to autofs
In-Reply-To: <468AA035.1030603@tycho.ncsc.mil>
References: <468AA035.1030603@tycho.ncsc.mil>
Message-ID: <1183492095.14604.34.camel@houuc8>

On Tue, 2007-07-03 at 15:15 -0400, Brian Zuromski wrote:
> Hello,
> I'm looking to setup autofs for a bunch of linux hosts. What
> schema should I use? The automount page on the wiki does not exactly
> paint a very clear picture.
> http://directory.fedoraproject.org/wiki/Howto:Automount
>
These instructions look similar to how ours are set up except that:
1. We use "automountmapname" as the naming attribute for the maps.
2. We use "automountkey" as the naming attribute for the map keys.
3. We don't specify the server name in the "automountinformation".
4. We have to run a different auto.master for Linux than for Solaris clients.
Here's an example auto.master (for Linux):

dn: automountmapname=auto.master,dc=example,dc=com
automountmapname: auto.master
objectclass: top
objectclass: automountmap

dn: automountkey=/home,dc=example,dc=com
automountkey: /home
objectclass: top
objectclass: automount
automountinformation: ldap:automountmapname=auto_home,dc=example,dc=com

Here's an example auto_home:

dn: automountmapname=auto_home,dc=example,dc=com
automountmapname: auto_home
objectclass: top
objectclass: automountmap

dn: automountkey=someuser,dc=example,dc=com
automountkey: someuser
objectclass: top
objectclass: automount
automountinformation: -rw,hard,intr someserver:/export/home/someuser

-Steve

From jamesdeuchar at hotmail.com Tue Jul 3 21:34:28 2007
From: jamesdeuchar at hotmail.com (James Deuchar)
Date: Tue, 03 Jul 2007 22:34:28 +0100
Subject: [Fedora-directory-users] Creating server instances via command line
In-Reply-To:
Message-ID:

Hi,

Is it possible to create new server instances via the command line as opposed to the admin console?

The same question goes for setting up replication...?

Many thanks!

From rmeggins at redhat.com Tue Jul 3 22:12:46 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 03 Jul 2007 16:12:46 -0600
Subject: [Fedora-directory-users] Creating server instances via command line
In-Reply-To:
References:
Message-ID: <468AC9DE.4020604@redhat.com>

James Deuchar wrote:
> Hi,
>
> Is it possible to create new server instances via the command line as
> opposed to admin console?
It's possible, but not well documented - http://directory.fedoraproject.org/wiki/Install_Guide#Installing_just_the_core_directory_server
>
> The same question goes for setting up replication...?
http://directory.fedoraproject.org/wiki/Howto:MultiMasterReplication
>
> Many thanks!
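A checker for the automount LDIF Steve Rigler posted earlier in this thread, written here as an added example (not from the post or the wiki): it applies his naming rules (maps named by automountmapname, keys by automountkey) and verifies that every "ldap:" reference in automountinformation points at a map present in the same file. Rule 3, "no server name", is read here as the reference being a bare DN rather than the ldap:host:dn form; that reading is an assumption. The sample LDIF is a constructed copy of the two maps from the post.

```python
# Constructed sample: the auto.master and auto_home entries from the post,
# joined into one LDIF file.
AUTOFS_LDIF = """\
dn: automountmapname=auto.master,dc=example,dc=com
automountmapname: auto.master
objectclass: top
objectclass: automountmap

dn: automountkey=/home,dc=example,dc=com
automountkey: /home
objectclass: top
objectclass: automount
automountinformation: ldap:automountmapname=auto_home,dc=example,dc=com

dn: automountmapname=auto_home,dc=example,dc=com
automountmapname: auto_home
objectclass: top
objectclass: automountmap

dn: automountkey=someuser,dc=example,dc=com
automountkey: someuser
objectclass: top
objectclass: automount
automountinformation: -rw,hard,intr someserver:/export/home/someuser
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attr_lowercase: [values]}).
    Continuation lines and base64 ('::') values are not handled."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:                      # blank line ends an entry
            if cur is not None:
                entries.append(cur)
                cur = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            cur = (value, {})
        elif cur is not None:
            cur[1].setdefault(name, []).append(value)
    if cur is not None:
        entries.append(cur)
    return entries


def norm_dn(dn):
    """Case- and whitespace-insensitive DN comparison key."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_automount(text):
    """Return a list of problems found against the rules from the post."""
    problems, map_dns, keys = [], set(), []
    for dn, attrs in parse_ldif(text):
        ocs = {v.lower() for v in attrs.get("objectclass", [])}
        rdn_attr = dn.split("=", 1)[0].strip().lower()
        if "automountmap" in ocs:
            if rdn_attr != "automountmapname":
                problems.append(f"{dn}: map entry should be named by automountmapname")
            map_dns.add(norm_dn(dn))
        elif "automount" in ocs:
            if rdn_attr != "automountkey":
                problems.append(f"{dn}: key entry should be named by automountkey")
            keys.append((dn, attrs))
    for dn, attrs in keys:
        infos = attrs.get("automountinformation", [])
        if not infos:
            problems.append(f"{dn}: key has no automountinformation")
        for info in infos:
            if not info.lower().startswith("ldap:"):
                continue                  # mount options/location, nothing to resolve
            target = info[len("ldap:"):]
            colon, equals = target.find(":"), target.find("=")
            if colon != -1 and colon < equals:
                # ldap:host:dn form; the post says no server name is given
                problems.append(f"{dn}: ldap reference should not carry a server name: {info}")
                target = target.split(":", 1)[1]
            if norm_dn(target) not in map_dns:
                problems.append(f"{dn}: ldap reference points at a map not in this LDIF: {target}")
    return problems


if __name__ == "__main__":
    print(check_automount(AUTOFS_LDIF) or "automount LDIF is consistent")
```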
From kekkou.a at cs.ucy.ac.cy Wed Jul 4 11:26:44 2007
From: kekkou.a at cs.ucy.ac.cy (Andreas Kekkou)
Date: Wed, 04 Jul 2007 14:26:44 +0300
Subject: [Fedora-directory-users] how to autofs
In-Reply-To: <1183492095.14604.34.camel@houuc8>
References: <468AA035.1030603@tycho.ncsc.mil> <1183492095.14604.34.camel@houuc8>
Message-ID: <468B83F4.9010804@cs.ucy.ac.cy>

An HTML attachment was scrubbed...

From maumar at cost.it Thu Jul 5 11:32:49 2007
From: maumar at cost.it (Maurizio Marini)
Date: Thu, 5 Jul 2007 13:32:49 +0200
Subject: [Fedora-directory-users] web administration unable to connect to ldap server
Message-ID: <200707051332.50256.maumar@cost.it>

Hi,
after a fresh installation of 2 fds servers, I put them in replica; after that, I tested that all was ok, I connected by web administration and I discovered that:

An error occurred while contacting the LDAP server. (Can't connect to the LDAP server)
A connection to the server could not be opened. Contact your server administrator for assistance.

whatever I do; in the logs there is nothing special; both servers suffer the same issue; now I have re-installed one of them and all is ok on this one.
On the other, the access and error logs under slapd-serverid/logs don't report anything during the web access Domain Manager login; in admin-serv/logs I see:

tail -f access
192.168.45.1 - - [04/Jul/2007:16:08:23 +0200] "GET /clients/dsgw/bin/lang?context=dsgw&file=clear.gif HTTP/1.1" 302 306
192.168.45.1 - - [04/Jul/2007:16:08:23 +0200] "GET /clients/dsgw/html/clear.gif HTTP/1.1" 200 43
192.168.45.1 - - [04/Jul/2007:16:08:21 +0200] "POST /clients/dsgw/bin/doauth HTTP/1.1" 200 798
192.168.45.1 - - [04/Jul/2007:16:08:31 +0200] "GET /favicon.ico HTTP/1.1" 403 282
192.168.45.1 - - [04/Jul/2007:16:08:31 +0200] "GET /favicon.ico HTTP/1.1" 403 282

tail -f error
[Wed Jul 04 16:08:31 2007] [notice] [client 192.168.45.1] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.45.1
[Wed Jul 04 16:08:31 2007] [error] [client 192.168.45.1] client denied by server configuration: /opt/fedora-ds/favicon.ico
[Wed Jul 04 16:08:31 2007] [notice] [client 192.168.45.1] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.45.1
[Wed Jul 04 16:08:31 2007] [error] [client 192.168.45.1] client denied by server configuration: /opt/fedora-ds/favicon.ico

These same errors are on the server that is ok. So, I argue that the admin-server really is unable to contact the ldap server in any way.
What can have happened?

Maurizio

From maurizio.marini at cost.it Tue Jul 3 15:39:44 2007
From: maurizio.marini at cost.it (Maurizio Marini)
Date: Tue, 3 Jul 2007 17:39:44 +0200
Subject: [Fedora-directory-users] replica multi-master, clock skew and /etc/ntp.conf
In-Reply-To:
References: <200707021156.26083.maumar.marini@cost.it> <200707021536.31362.maurizio.marini@cost.it>
Message-ID: <200707031739.44261.maurizio.marini@cost.it>

On Tue July 3 2007 16:42, Eddie C wrote:
> VMWare suggests you do NOT run NTP on the guest OS, only the master.
> You do not need your own ntp server to run ntp.
>
> If you go to the VMWare site and forums there are many discussions on clock
> skew.
>
> The way VMware virtualizes the system plays total havoc on the clocks. They
> might count slow or really fast, or jump forward and backwards.

Yes, i saw :(

> Also your terminology is confusing: 'dom0' is a XEN thing, 'guest os' is a
> vmware thing. It is hard to tell which product you are using.

Sorry, i used dom0 instead of guest OS :)
your help was very appreciated and i installed vmware-tools after reading your post :)
Many thanks :)

Maurizio

From tour9 at ece.lsu.edu Thu Jul 5 16:55:55 2007
From: tour9 at ece.lsu.edu (Saied W. Andalib)
Date: Thu, 5 Jul 2007 11:55:55 -0500
Subject: [Fedora-directory-users] Problem with users' passwords
Message-ID: <20070705115555.0648f369@control.ece.lsu.edu>

I've migrated some users from openldap to fds-1.0.4. I got the ldif file with ldapsearch. Then, the resulting user ldif file was transferred to fds through the Directory Server Console via the "Import Databases" option under the "Tasks" tab. Everything seems fine. All users' data are imported to fds, which can be verified in the Console.

There's one problem, however. None of these users can log in. Their passwords are rejected with an invalid credentials error. However, if I change their passwords manually in the Directory Console, they can log in fine! Is there a way to transfer their passwords correctly?!

Thanks in advance,

SWA

From rmeggins at redhat.com Thu Jul 5 17:06:33 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 05 Jul 2007 11:06:33 -0600
Subject: [Fedora-directory-users] Problem with users' passwords
In-Reply-To: <20070705115555.0648f369@control.ece.lsu.edu>
References: <20070705115555.0648f369@control.ece.lsu.edu>
Message-ID: <468D2519.7050407@redhat.com>

Saied W. Andalib wrote:
> I've migrated some users from openldap to fds-1.0.4. I got the ldif
> file with ldapsearch.
> Then, the resulting user ldif file was
> transferred to fds through the Directory Server Console via the "Import
> Databases" option under the "Tasks" tab. Everything seems fine. All
> users' data are imported to fds which can be verified in the Console.
>
> There's one problem, however. None of these users can log in. Their
> passwords are rejected with invalid credentials error. However, if I
> change their passwords manually in the Directory Console, they can log
> in fine! Is there a way to transfer their passwords correctly?!
>
What does a typical user's userPassword attribute look like in the LDIF file from OpenLDAP?

> Thanks in advance,
>
> SWA

From tour9 at ece.lsu.edu Thu Jul 5 17:19:11 2007
From: tour9 at ece.lsu.edu (Saied W. Andalib)
Date: Thu, 5 Jul 2007 12:19:11 -0500
Subject: [Fedora-directory-users] Problem with users' passwords
In-Reply-To: <468D2519.7050407@redhat.com>
References: <20070705115555.0648f369@control.ece.lsu.edu> <468D2519.7050407@redhat.com>
Message-ID: <20070705121911.6ec0a328@control.ece.lsu.edu>

Some look like this:

userPassword: e1NTSEF9b0lZeWJsWDdPOTNkUVliY215UDZXaDFIdURIQ2tmQjA=

Others use SSHA hash:

userPassword: {SSHA}vzuh+zzerKQa3BnzcvUgHF8WwSZydeN+

SWA

From rmeggins at redhat.com Thu Jul 5 17:20:52 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 05 Jul 2007 11:20:52 -0600
Subject: [Fedora-directory-users] Problem with users' passwords
In-Reply-To: <20070705121911.6ec0a328@control.ece.lsu.edu>
References: <20070705115555.0648f369@control.ece.lsu.edu> <468D2519.7050407@redhat.com> <20070705121911.6ec0a328@control.ece.lsu.edu>
Message-ID: <468D2874.4060001@redhat.com>

Saied W.
Andalib wrote:
> Some look like this:
>
> userPassword: e1NTSEF9b0lZeWJsWDdPOTNkUVliY215UDZXaDFIdURIQ2tmQjA=
>
I'm not sure what this is. Fedora DS expects the userPassword to either be the clear text value

userPassword: mypassword

or a hash with the hash type in the front

userPassword: {SSHA}POTNkUVliY215UDZXaDFIdURI==

I'm not sure what e1NTSEF9b0lZeWJsWDdPOTNkUVliY215UDZXaDFIdURIQ2tmQjA= is.

> Others use SSHA hash:
>
> userPassword: {SSHA}vzuh+zzerKQa3BnzcvUgHF8WwSZydeN+
>
> SWA

From nalin at redhat.com Thu Jul 5 17:31:30 2007
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Thu, 5 Jul 2007 13:31:30 -0400
Subject: [Fedora-directory-users] Problem with users' passwords
In-Reply-To: <468D2874.4060001@redhat.com>
References: <20070705115555.0648f369@control.ece.lsu.edu> <468D2519.7050407@redhat.com> <20070705121911.6ec0a328@control.ece.lsu.edu> <468D2874.4060001@redhat.com>
Message-ID: <20070705173130.GE15305@redhat.com>

On Thu, Jul 05, 2007 at 11:20:52AM -0600, Richard Megginson wrote:
> Saied W. Andalib wrote:
>> Some look like this:
>>
>> userPassword: e1NTSEF9b0lZeWJsWDdPOTNkUVliY215UDZXaDFIdURIQ2tmQjA=
>
> I'm not sure what this is. Fedora DS expects the userPassword to either be
> the clear text value
> userPassword: mypassword
> or a hash with the hash type in the front
> userPassword: {SSHA}POTNkUVliY215UDZXaDFIdURI==
>
> I'm not sure what e1NTSEF9b0lZeWJsWDdPOTNkUVliY215UDZXaDFIdURIQ2tmQjA= is.

The "=" on the end suggests that it's base64, and the example was missing the extra ":" which would indicate that it is. Decoding that gives "{SSHA}oIYyblX7O93dQYbcmyP6Wh1HuDHCkfB0".
Perhaps the value was accidentally converted so that it's actually being stored that way in the directory, when it shouldn't be.

HTH,

Nalin

From gholbert at broadcom.com Thu Jul 5 17:36:13 2007
From: gholbert at broadcom.com (George Holbert)
Date: Thu, 05 Jul 2007 10:36:13 -0700
Subject: [Fedora-directory-users] Problem with users' passwords
In-Reply-To: <20070705173130.GE15305@redhat.com>
References: <20070705115555.0648f369@control.ece.lsu.edu> <468D2519.7050407@redhat.com> <20070705121911.6ec0a328@control.ece.lsu.edu> <468D2874.4060001@redhat.com> <20070705173130.GE15305@redhat.com>
Message-ID: <468D2C0D.4020008@broadcom.com>

Some ldapsearch binaries base64-encode password strings in their output. Not sure if this is what's happening for you, or if you actually have the password string stored as a base64 string in your directory database.

If you want to decode the base64 strings, this link might be useful for you:
http://www.openldap.org/faq/data/cache/1353.html

Nalin Dahyabhai wrote:
> The "=" on the end suggests that it's base64, and the example was
> missing the extra ":" which would indicate that it is. Decoding that
> gives "{SSHA}oIYyblX7O93dQYbcmyP6Wh1HuDHCkfB0".
>
> Perhaps the value was accidentally converted so that it's actually being
> stored that way in the directory, when it shouldn't be.
>
> HTH,
>
> Nalin

From tour9 at ece.lsu.edu Thu Jul 5 17:41:47 2007
From: tour9 at ece.lsu.edu (Saied W.
Andalib)
Date: Thu, 5 Jul 2007 12:41:47 -0500
Subject: [Fedora-directory-users] Problem with users' passwords
In-Reply-To: <468D2C0D.4020008@broadcom.com>
References: <20070705115555.0648f369@control.ece.lsu.edu> <468D2519.7050407@redhat.com> <20070705121911.6ec0a328@control.ece.lsu.edu> <468D2874.4060001@redhat.com> <20070705173130.GE15305@redhat.com> <468D2C0D.4020008@broadcom.com>
Message-ID: <20070705124147.7daee4c7@control.ece.lsu.edu>

Thanks for replying. It seems ldapsearch converts all the SSHA hashed passwords to some other type, maybe base64. Is there a way to get the original {SSHA} hashed passwords back?

SWA

From rmeggins at redhat.com Thu Jul 5 19:45:16 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 05 Jul 2007 13:45:16 -0600
Subject: [Fedora-directory-users] web administration unable to connect to ldap server
In-Reply-To: <200707041613.17094.maumar.marini@cost.it>
References: <200707041613.17094.maumar.marini@cost.it>
Message-ID: <468D4A4C.9090002@redhat.com>

Maurizio Marini wrote:
> Hi,
> after a fresh installation of 2 fds servers, i put them on replica; after i tested that all was ok, i connected by web administration and i discovered that:
> An error occurred while contacting the LDAP server.
> (Can't connect to the LDAP server)
>
> A connection to the server could not be opened. Contact your server administrator for assistance.
>
> whatever i do; on logs there is nothing special; both servers suffer the same issue; now i re-installed one of them and all is ok on this one.
>
> On the other, the access and error logs under slapd-serverid/logs don't report anything during the web access Domain Manager login; on the admin-serv/logs i see:
> tail -f access
>
> 192.168.45.1 - - [04/Jul/2007:16:08:23 +0200] "GET /clients/dsgw/bin/lang?context=dsgw&file=clear.gif HTTP/1.1" 302 306
> 192.168.45.1 - - [04/Jul/2007:16:08:23 +0200] "GET /clients/dsgw/html/clear.gif HTTP/1.1" 200 43
> 192.168.45.1 - - [04/Jul/2007:16:08:21 +0200] "POST /clients/dsgw/bin/doauth HTTP/1.1" 200 798
> 192.168.45.1 - - [04/Jul/2007:16:08:31 +0200] "GET /favicon.ico HTTP/1.1" 403 282
> 192.168.45.1 - - [04/Jul/2007:16:08:31 +0200] "GET /favicon.ico HTTP/1.1" 403 282
>
> tail -f error
> Wed Jul 04 16:08:31 2007] [notice] [client 192.168.45.1] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.45.1
> [Wed Jul 04 16:08:31 2007] [error] [client 192.168.45.1] client denied by server configuration: /opt/fedora-ds/favicon.ico
> [Wed Jul 04 16:08:31 2007] [notice] [client 192.168.45.1] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.45.1
> [Wed Jul 04 16:08:31 2007] [error] [client 192.168.45.1] client denied by server configuration: /opt/fedora-ds/favicon.ico
>
> these same errors are on the server that is ok.
>
> So, i argue that really admin-server is unable to contact the ldap server in any way.
> What can have happened?
>
Check your /opt/fedora-ds/shared/config/dbswitch.conf file

> Maurizio
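Returning to the "Problem with users' passwords" thread above: the script below is an added example, not code from the thread, from Fedora DS or from OpenLDAP. It does what Nalin and George describe by hand, for a whole export: it parses the LDIF, honours the RFC 2849 "::" base64 marker, unwraps a userPassword value that has no "{SCHEME}" prefix but base64-decodes to one (the value Saied posted), and then mimics the server-side bind comparison to show why such users could not log in before the fix and can afterwards. The entry DNs, the "correct horse" password and its salt are constructed; the two hash strings in SAMPLE_LDIF are the ones posted in the thread; all function names are mine.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample export: DNs are made up, the two hash strings are the
# values posted in the thread. alice is correct LDIF ("::" marks a base64
# value), bob is the same value with the second ":" lost, carol is a plain
# {SSHA} value that needs no treatment.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
userPassword:: e1NTSEF9b0lZeWJsWDdPOTNkUVliY215UDZXaDFIdURIQ2tmQjA=

dn: uid=bob,ou=People,dc=example,dc=com
userPassword: e1NTSEF9b0lZeWJsWDdPOTNkUVliY215UDZXaDFIdURIQ2tmQjA=

dn: uid=carol,ou=People,dc=example,dc=com
userPassword: {SSHA}vzuh+zzerKQa3BnzcvUgHF8WwSZydeN+
"""

SCHEME_RE = re.compile(r"^\{[A-Za-z0-9-]+\}")   # {SSHA}, {CRYPT}, {MD5}, ...

def parse_ldif(text):
    """Parse LDIF content records into a list of (dn, {attr: [values]}).
    RFC 2849: a value after "::" is base64 (decoded here) and a line that
    starts with a space continues the previous line."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    logical.append("")                      # terminate the last record
    entries, dn, attrs = [], None, {}
    for line in logical:
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries

def normalize_userpassword(value):
    """Return the form Fedora DS expects: "{SCHEME}hash" or clear text.
    A value with no scheme prefix that base64-decodes to one was wrapped by
    the exporting tool (the thread's case) and is unwrapped. Anything else
    is returned unchanged; the server would treat it as a clear-text value."""
    if SCHEME_RE.match(value):
        return value
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:                      # bad base64 or non-ASCII bytes
        return value
    return decoded if SCHEME_RE.match(decoded) else value

def ssha_hash(password, salt):
    """{SSHA} as stored by OpenLDAP and Fedora DS: base64(sha1(pw+salt)+salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def check_password(stored, candidate):
    """Mimic the server's bind comparison for {SSHA} and clear-text values."""
    if stored.startswith("{SSHA}"):
        blob = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = blob[:20], blob[20:]          # SHA-1 digest is 20 bytes
        expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))

def audit(ldif_text):
    """Map each DN to (userPassword as exported, value after normalization)."""
    report = {}
    for dn, attrs in parse_ldif(ldif_text):
        for value in attrs.get("userPassword", []):
            report[dn] = (value, normalize_userpassword(value))
    return report

def demo():
    """Why the migrated users could not bind: the wrapped hash never matches."""
    good = ssha_hash("correct horse", b"\x01\x02\x03\x04")   # constructed salt
    wrapped = base64.b64encode(good.encode("ascii")).decode("ascii")
    before = check_password(wrapped, "correct horse")
    after = check_password(normalize_userpassword(wrapped), "correct horse")
    return before, after                                     # (False, True)

if __name__ == "__main__":
    for dn, (exported, fixed) in audit(SAMPLE_LDIF).items():
        print(f"{dn}: {'unwrapped' if exported != fixed else 'ok'} -> {fixed}")
    print("bind with wrapped value, then after the fix:", demo())
```

Run it against the real export before importing into Fedora DS; any DN reported as "unwrapped" would otherwise be stored as a clear-text password equal to the base64 text, which is exactly the "invalid credentials" symptom in the thread. The unwrapping is deliberately conservative: a value is only changed when the decoded bytes are ASCII and begin with a "{SCHEME}" prefix, so clear-text passwords that happen to look like base64 are left alone.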
From jheenan at fairfax.com.au Fri Jul 6 04:54:19 2007
From: jheenan at fairfax.com.au (Joel Heenan)
Date: Fri, 06 Jul 2007 14:54:19 +1000
Subject: [Fedora-directory-users] Admin Server connecting to two Directory Servers within the same domain
Message-ID: <1183697659.11975.4.camel@localhost>

Hey,

I have successfully setup multi-master replication between two servers using SSL. Life is good.

I would like to have a single Administration server that connects to both Directory Servers. Seems to make more sense than running one Admin server per Directory Server instance.

I can't work out how I can add two Directory Servers who have the same domain. When I open the Admin Server console it has the domain "blah.example.com" which includes an IP address and port. I can add another domain but both servers are managing the same domain. I couldn't see an easy way to add another server, I poked around trying to do this behind the scenes in the Directory Server backend and I got another IP address and server group to appear but it seems that ip address (the one shown with the computer icon) is only cosmetic and the real IP address it uses to connect is the one in the domain.

Am I going about this the wrong way? Guide you can point me to?

Thanks
--
Joel

The information contained in this e-mail message and any accompanying files is or may be confidential. If you are not the intended recipient, any use, dissemination, reliance, forwarding, printing or copying of this e-mail or any attached files is unauthorised. This e-mail is subject to copyright. No part of it should be reproduced, adapted or communicated without the written consent of the copyright owner. If you have received this e-mail in error please advise the sender immediately by return e-mail or telephone and delete all copies.
Fairfax does not guarantee the accuracy or completeness of any information contained in this e-mail or attached files. Internet communications are not secure, therefore Fairfax does not accept legal responsibility for the contents of this message or attached files.

From maumar at cost.it Fri Jul 6 08:10:18 2007
From: maumar at cost.it (Maurizio Marini)
Date: Fri, 6 Jul 2007 10:10:18 +0200
Subject: [Fedora-directory-users] window policymanager, problem solved
Message-ID: <200707061010.19021.maumar@cost.it>

the problem was:
"when i select "For user" or "For subtree.", the Password Policy window appears, and after a second all the content disappears; i can see only a small grey square in the center of the window."

Solution: the window appears empty due to my notebook screen resolution, very narrow (1280x880); the server fds is on a vmware on this notebook, even more narrow!, 1024x768; the window that should appear, instead, is very tall; i could see it on another pc.

fyi
Maurizio

From maumar at cost.it Fri Jul 6 10:31:33 2007
From: maumar at cost.it (Maurizio Marini)
Date: Fri, 6 Jul 2007 12:31:33 +0200
Subject: [Fedora-directory-users] last login
Message-ID: <200707061231.33828.maumar@cost.it>

is the last login (last bind, successful?) info available?
if yes, which is its name?

Maurizio

From maumar at cost.it Fri Jul 6 13:12:12 2007
From: maumar at cost.it (Maurizio Marini)
Date: Fri, 6 Jul 2007 15:12:12 +0200
Subject: [Fedora-directory-users] window policy manager, again doesn't appear
Message-ID: <200707061512.13190.maumar@cost.it>

i am astonished at this incredible but true issue :(
after some hours of testing on login and password changes (nothing strange), now the window policy manager (title: Subtree Password Policy) does appear for a fraction of a second, then disappears, leaving the window empty with the grey background and a small square in the center of it :(

m.
From rmeggins at redhat.com Fri Jul 6 14:14:54 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 06 Jul 2007 08:14:54 -0600
Subject: [Fedora-directory-users] Admin Server connecting to two Directory Servers within the same domain
In-Reply-To: <1183697659.11975.4.camel@localhost>
References: <1183697659.11975.4.camel@localhost>
Message-ID: <468E4E5E.2050308@redhat.com>

Joel Heenan wrote:
> Hey,
>
> I have successfully setup multi-master replication between two servers
> using SSL. Life is good.
>
> I would like to have a single Administration server that connects to
> both Directory Servers. Seems to make more sense than running one Admin
> server per Directory Server instance.
>
How did you create your directory server instances? Usually the first one you create is your Configuration Directory Server, the one the console uses as sort of a network registry (the o=NetscapeRoot suffix). Subsequent directory server instance creation should use this one instead of creating a new Config DS. The setup program should give you these options.

> I can't work out how I can add two Directory Servers who have the same
> domain. When I open the Admin Server console it has the domain
> "blah.example.com" which includes an IP address and port. I can add
> another domain but both servers are managing the same domain. I couldn't
> see an easy way to add another server, I poked around trying to do this
> behind the scenes in the Directory Server backend and I got another IP
> address and server group to appear but it seems that ip address (the one
> shown with the computer icon) is only cosmetic and the real IP address
> it uses to connect is the one in the domain.
>
> Am I going about this the wrong way? Guide you can point me to?
>
> Thanks
From rmeggins at redhat.com Fri Jul 6 14:19:36 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 06 Jul 2007 08:19:36 -0600
Subject: [Fedora-directory-users] last login
In-Reply-To: <200707061231.33828.maumar@cost.it>
References: <200707061231.33828.maumar@cost.it>
Message-ID: <468E4F78.1010801@redhat.com>

Maurizio Marini wrote:
> is the last login (last bind, successful?) info available?
> if yes, which is its name?
>
No, Fedora DS has no such feature. However, a member of the community is working on such a feature, and has a design document here - http://directory.fedoraproject.org/wiki/Account_Policy_Design

Your comments are welcome.

> Maurizio

From rmeggins at redhat.com Fri Jul 6 17:20:32 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 06 Jul 2007 11:20:32 -0600
Subject: [Fedora-directory-users] Migration from 1.0 and 7.1 to 1.1
Message-ID: <468E79E0.2020804@redhat.com>

With the new FHS paths and new configuration options, there is quite a bit of stuff that has to happen to migrate old servers. The current Fedora pre-release version 1.1 has a migrateTo11 script that handles most of these, and CVS HEAD has some newer scripts to handle both directory server and admin server/console migration. We've created this page - http://directory.fedoraproject.org/wiki/DS_Admin_Migration - to plan our migration strategy.

One of the big issues is cross platform migration, e.g. going from FC-5 i386 to F7 x86_64. There are a number of issues involved with this.
We are trying to figure out the best way to do this and we need your help. If you could, please read the section about cross platform migration - http://directory.fedoraproject.org/wiki/DS_Admin_Migration#Cross_platform - and let us know what you think, especially if you are an admin who will actually be using this in a production environment.

From D.R.Barker at exeter.ac.uk Sun Jul 8 20:43:28 2007
From: D.R.Barker at exeter.ac.uk (David Barker)
Date: Sun, 08 Jul 2007 21:43:28 +0100
Subject: [Fedora-directory-users] Migration from 1.0 and 7.1 to 1.1
In-Reply-To: <468E79E0.2020804@redhat.com>
References: <468E79E0.2020804@redhat.com>
Message-ID: <46914C70.3010208@exeter.ac.uk>

Richard Megginson wrote:
>
> One of the big issues is cross platform migration e.g. going from FC-5
> i386 to F7 x86_64. There are a number of issues involved with this.
> We are trying to figure out the best way to do this and we need your
> help. If you could, please read the section about cross platform
> migration -
> http://directory.fedoraproject.org/wiki/DS_Admin_Migration#Cross_platform
> - and let us know what you think, especially if you are an admin who
> will actually be using this in a production environment.

I'd guess the "worst-case upgrade" is a single directory server deployment where a cross platform upgrade could imply only 1 host is available for reformat? If so, doing a "Local Source to Remote Target" migration doesn't make much sense. In such cases, an export to ldif first, backup / reinstall / restore "/opt/fedora-ds" and then do the upgrade against the restored data seems like the best way to do things.
Multi-directory-server sites probably have spare hardware kicking around - I wouldn't worry about wasting disk space ;-)

From jheenan at fairfax.com.au Mon Jul 9 00:56:01 2007
From: jheenan at fairfax.com.au (Joel Heenan)
Date: Mon, 09 Jul 2007 10:56:01 +1000
Subject: [Fedora-directory-users] Admin Server connecting to two Directory Servers within the same domain
In-Reply-To: <468E4E5E.2050308@redhat.com>
References: <1183697659.11975.4.camel@localhost> <468E4E5E.2050308@redhat.com>
Message-ID: <1183942561.353.0.camel@localhost>

On Sat, 2007-07-07 at 00:14 +1000, Richard Megginson wrote:
> How did you create your directory server instances? Usually the first
> one you create is your Configuration Directory Server, the one the
> console uses as sort of a network registry (the o=NetscapeRoot suffix).
> Subsequent directory server instance creation should use this one
> instead of creating a new Config DS. The setup program should give you
> these options.

Oh ok I made a mistake during the setup process then.

Anyway to change this after the fact? Setting up SSL replication was very difficult.

Thanks
--
Joel Heenan
From fmunoz at hispafuentes.com Mon Jul 9 06:14:32 2007
From: fmunoz at hispafuentes.com (Fernando Muñoz)
Date: Mon, 09 Jul 2007 08:14:32 +0200
Subject: [Fedora-directory-users] window policy manager, again doesn't appear
In-Reply-To: <200707061512.13190.maumar@cost.it>
References: <200707061512.13190.maumar@cost.it>
Message-ID: <1183961672.6192.0.camel@hispafuentes>

stretch the window, and the problem is solved.

On Fri, 06-07-2007 at 15:12 +0200, Maurizio Marini wrote:
> i am astonished at this incredible but true issue :(
> after some hours of testing on login and password changes (nothing
> strange), now the window policy manager (title: Subtree Password Policy) does
> appear for a fraction of a second, then disappears, leaving the window empty with
> the grey background and a small square in the center of it :(
>
> m.

From rmeggins at redhat.com Mon Jul 9 14:38:12 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 09 Jul 2007 08:38:12 -0600
Subject: [Fedora-directory-users] Migration from 1.0 and 7.1 to 1.1
In-Reply-To: <46914C70.3010208@exeter.ac.uk>
References: <468E79E0.2020804@redhat.com> <46914C70.3010208@exeter.ac.uk>
Message-ID: <46924854.2020505@redhat.com>

David Barker wrote:
> I'd guess the "worst-case upgrade" is a single directory server
> deployment where a cross platform upgrade could imply only 1 host is
> available for reformat? If so, doing a "Local Source to Remote Target"
> migration doesn't make much sense. In such cases, an export to ldif
> first, backup / reinstall / restore "/opt/fedora-ds" and then do the
> upgrade against the restored data seems like the best way to do things.

Do you mean, you reformat the disk and install the new version of the OS? On the same machine? In that case, if the architecture is the same, no data conversion is needed - the data in the databases can just be used directly.

> Multi-directory-server sites probably have spare hardware kicking
> around - I wouldn't worry about wasting disk space ;-)

Sure, but there are some cases where folks will have multi-GB databases on old machines.

From edlinuxguru at gmail.com Mon Jul 9 15:33:19 2007
From: edlinuxguru at gmail.com (Eddie C)
Date: Mon, 9 Jul 2007 11:33:19 -0400
Subject: [Fedora-directory-users] Migration from 1.0 and 7.1 to 1.1
In-Reply-To: <46924854.2020505@redhat.com>
References: <468E79E0.2020804@redhat.com> <46914C70.3010208@exeter.ac.uk> <46924854.2020505@redhat.com>
Message-ID:

I will tell a little about how we handled our cutover from iplanet 5.2 running on SPARC hardware to FC5 on x86-64.

I had some extra ports on our terminal server so I connected the old SPARC systems to the terminal server so I can manage them out-of-band (and later after I took their IP addresses away).

Remember LDAP is a directory service. Directory services support frequent read operations and infrequent write operations.
Not every application fits this profile but in our case we shut down/disabled our web application that modifies our LDAP.

We have a multi-GB database, approx 2 GB. We ran an LDAP search command/db2ldif. I do not remember this taking a long time, probably < 8 minutes. Remember LDAPsearch is very fast.

We were moving from master/slave to multi-master. At that point I setup multi-master on the new systems. We used SCP to copy over the ldif data, then I added it to one side using Ldapmodify. Again this took less than 20 minutes.

I quickly re-added indexes and verified final settings. Then I disabled the old systems using the Terminal Server and added a sub-ip-interface to the new systems for an IP take-over.

When we had done testing and all was well and good again we re-enabled our web application.

For us the migration was a Friday process and our window was based on how long we could live without database changes. All our applications that have read access suffered a small intermittent outage when we switched the IP.

The good part about this process is you can completely test the dump and restore without doing the actual cut-over to see how long the entire process will take. Dump from your old hardware/restore to new.

Tools to move the database real time/cross platform would be nice, but in our case they would be overkill; if you have a small amount of data the standard tools can probably do it in soft-real time.

On 7/9/07, Richard Megginson wrote:
> David Barker wrote:
> > Richard Megginson wrote:
> >>
> >> One of the big issues is cross platform migration e.g. going from
> >> FC-5 i386 to F7 x86_64. There are a number of issues involved with
> >> this. We are trying to figure out the best way to do this and we
> >> need your help.
From rmeggins at redhat.com Mon Jul 9 15:41:39 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 09 Jul 2007 09:41:39 -0600
Subject: [Fedora-directory-users] Migration from 1.0 and 7.1 to 1.1
In-Reply-To:
References: <468E79E0.2020804@redhat.com> <46914C70.3010208@exeter.ac.uk> <46924854.2020505@redhat.com>
Message-ID: <46925733.107@redhat.com>

Eddie C wrote:
> I will tell a little about how we handled our cutover from iplanet 5.2
> running on SPARC hardware to FC5 on x86-64.

This is very good information. Thanks!

> I had some extra ports on our terminal server so I connected the old
> SPARC systems to the terminal server so I can manage them out-of-band
> (and later after I took their IP addresses away)
>
> Remember LDAP is a directory service. Directory services support
> frequent read operations and infrequent write operations. Not every
> application fits this profile but in our case we shut down/disabled
> our web application that modifies our LDAP.
>
> We have a multi-GB database approx 2 GB. We ran an LDAP search
> command/db2ldif. I do not remember this taking a long time probably <
> 8 minutes. Remember LDAPsearch is very fast.

db2ldif is much, much faster than ldapsearch.

> We were moving from master/slave to multi-master. At that point I
> setup multi-master on the new systems. We used SCP to copy over the
> ldif data, then I added it to one side using Ldapmodify. Again this
> took less than 20 minutes.

ldif2db is much, much faster than ldapmodify.

> I quickly re-added indexes and verified final settings. Then I
> disabled the old systems using the Terminal Server and added a
> sub-ip-interface to the new systems for an IP take-over.
>
> When we had done testing and all was well and good again we re-enabled
> our web application.
>
> For us the migration was a Friday process and our window was based on
> how long we could live without database changes.
> All our applications
> that have read access suffered a small intermittent outage when we
> switched the IP.
>
> The good part about this process is you can completely test the dump
> and restore without doing the actual cut-over to see how long the
> entire process will take. Dump from your old hardware/restore to new.
>
> Tools to move the database real time/cross platform would be nice, but
> in our case they would be overkill; if you have a small amount of data
> the standard tools can probably do it in soft-real time.
> > > > Multi-directory-server sites probably have spare hardware kicking > > around - I wouldn't worry about wasting disk space ;-) > Sure, but there are some cases where folks will have multi-GB > databases > on old machines. > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Mon Jul 9 15:44:14 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 09 Jul 2007 09:44:14 -0600 Subject: [Fedora-directory-users] Admin Server connecting to two Directory Servers within the same domain In-Reply-To: <1183942561.353.0.camel@localhost> References: <1183697659.11975.4.camel@localhost> <468E4E5E.2050308@redhat.com> <1183942561.353.0.camel@localhost> Message-ID: <469257CE.9020500@redhat.com> Joel Heenan wrote: > On Sat, 2007-07-07 at 00:14 +1000, Richard Megginson wrote: > > >> How did you create your directory server instances? Usually the first >> one you create is your Configuration Directory Server, the one the >> console uses as sort of a network registry (the o=NetscapeRoot suffix). >> Subsequent directory server instance creation should use this one >> instead of creating a new Config DS. The setup program should give you >> these options. >> > > Oh ok I made a mistake during the setup process then. > > Anyway to change this after the fact? 
> Setting up SSL replication was very difficult.
It's probably going to be more difficult to register the servers after
the fact with the console. However, if you are really determined to do
it this way, I suggest you start first by hacking on some perl scripts
in CVS head - adminserver/admserv/newinst/src/register_servers.pl -
you'll need the new perl modules from Fedora DS CVS head, adminutil, and
adminserver also from CVS head.
http://directory.fedoraproject.org/wiki/Developers
> Thanks

From daryle at micralyne.com Mon Jul 9 16:30:11 2007
From: daryle at micralyne.com (Daryle A. Tilroe)
Date: Mon, 09 Jul 2007 10:30:11 -0600
Subject: [Fedora-directory-users] Admin Server connecting to two Directory Servers within the same domain
In-Reply-To: <1183942561.353.0.camel@localhost>
References: <1183697659.11975.4.camel@localhost> <468E4E5E.2050308@redhat.com> <1183942561.353.0.camel@localhost>
Message-ID: <46926293.2070806@micralyne.com>

Joel Heenan wrote:
> On Sat, 2007-07-07 at 00:14 +1000, Richard Megginson wrote:
>> How did you create your directory server instances? Usually the first
>> one you create is your Configuration Directory Server, the one the
>> console uses as sort of a network registry (the o=NetscapeRoot suffix).
>> Subsequent directory server instance creation should use this one
>> instead of creating a new Config DS. The setup program should give you
>> these options.

I have a closely related question. Is there a correct way in a simple
dual multimaster setup to have the two servers both be config servers
for the same DB? I tried just replicating NetscapeRoot but I ended up
with things messed up. I have not yet tried again but was curious if
there was a 'correct' method. Otherwise I was just going to have the
two be independent insofar as the config DB went. I require this so
either will be completely, and indefinitely, functional when the other
is down.

--
Daryle A. Tilroe

From rmeggins at redhat.com Mon Jul 9 16:29:19 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 09 Jul 2007 10:29:19 -0600
Subject: [Fedora-directory-users] Admin Server connecting to two Directory Servers within the same domain
In-Reply-To: <46926293.2070806@micralyne.com>
References: <1183697659.11975.4.camel@localhost> <468E4E5E.2050308@redhat.com> <1183942561.353.0.camel@localhost> <46926293.2070806@micralyne.com>
Message-ID: <4692625F.2030205@redhat.com>

Daryle A. Tilroe wrote:
> Joel Heenan wrote:
>> On Sat, 2007-07-07 at 00:14 +1000, Richard Megginson wrote:
>>> How did you create your directory server instances? Usually the
>>> first one you create is your Configuration Directory Server, the one
>>> the console uses as sort of a network registry (the o=NetscapeRoot
>>> suffix). Subsequent directory server instance creation should use
>>> this one instead of creating a new Config DS. The setup program
>>> should give you these options.
>
> I have a closely related question. Is there a correct way in a simple
> dual multimaster setup to have the two servers both be config servers
> for the same DB? I tried just replicating NetscapeRoot but I ended up
> with things messed up.
How so?
> I have not yet tried again but was curious
> if there was a 'correct' method.
Not really. There are too many places where the host:port of the config
DS are hard coded, and there is not really a provision for specifying
more than one for failover.
> Otherwise I was just going to have
> the two be independent insofar as the config DB went. I require
> this so either will be completely, and indefinitely, functional when
> the other is down.

From daryle at micralyne.com Mon Jul 9 16:52:05 2007
From: daryle at micralyne.com (Daryle A. Tilroe)
Date: Mon, 09 Jul 2007 10:52:05 -0600
Subject: [Fedora-directory-users] Admin Server connecting to two Directory Servers within the same domain
In-Reply-To: <4692625F.2030205@redhat.com>
References: <1183697659.11975.4.camel@localhost> <468E4E5E.2050308@redhat.com> <1183942561.353.0.camel@localhost> <46926293.2070806@micralyne.com> <4692625F.2030205@redhat.com>
Message-ID: <469267B5.6090607@micralyne.com>

Richard Megginson wrote:
> Daryle A. Tilroe wrote:
>> I have a closely related question. Is there a correct way in a simple
>> dual multimaster setup to have the two servers both be config servers
>> for the same DB? I tried just replicating NetscapeRoot but I ended up
>> with things messed up.
>
> How so?

It was a couple weeks ago but IIRC the admin server on the second
master would not run properly. I will really have to try it again
to confirm.

>> I have not yet tried again but was curious
>> if there was a 'correct' method.
>
> Not really. There are too many places where the host:port of the config
> DS are hard coded, and there is not really a provision for specifying
> more than one for failover.

So basically I should have my two multimasters run independent admin
servers? I did notice that I can admin the other "independent"
secondary master with the 'left over' entry in the config DB of the
primary (it was left there after I redid the secondary since I left
the primary). This suggests I could probably add each of the two
masters to each other's config DB manually. I'm not really sure that
this is even useful though in a small install. Probably best to leave
them as separate admin servers with the userRoot replicated; that seems
to work just fine.

--
Daryle A. Tilroe

From rmeggins at redhat.com Mon Jul 9 16:49:07 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 09 Jul 2007 10:49:07 -0600
Subject: [Fedora-directory-users] Admin Server connecting to two Directory Servers within the same domain
In-Reply-To: <469267B5.6090607@micralyne.com>
References: <1183697659.11975.4.camel@localhost> <468E4E5E.2050308@redhat.com> <1183942561.353.0.camel@localhost> <46926293.2070806@micralyne.com> <4692625F.2030205@redhat.com> <469267B5.6090607@micralyne.com>
Message-ID: <46926703.1040305@redhat.com>

Daryle A. Tilroe wrote:
> Richard Megginson wrote:
>> Daryle A. Tilroe wrote:
>>> I have a closely related question. Is there a correct way in a simple
>>> dual multimaster setup to have the two servers both be config servers
>>> for the same DB? I tried just replicating NetscapeRoot but I ended up
>>> with things messed up.
>>
>> How so?
>
> It was a couple weeks ago but IIRC the admin server on the second
> master would not run properly. I will really have to try it again
> to confirm.
>
>>> I have not yet tried again but was curious
>>> if there was a 'correct' method.
>>
>> Not really. There are too many places where the host:port of the
>> config DS are hard coded, and there is not really a provision for
>> specifying more than one for failover.
>
> So basically I should have my two multimasters run independent admin
> servers? I did notice that I can admin the other "independent"
> secondary master with the 'left over' entry in the config DB of
> the primary (it was left there after I redid the secondary since
> I left the primary). This suggests I could probably add each
> of the two masters to each other's config DB manually.
Yes, you could do that too.
> I'm not really
> sure that this is even useful though in a small install. Probably
> best to leave them as separate admin servers with the userRoot
> replicated; that seems to work just fine.
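An added check for the arrangement Daryle and Richard settle on above (userRoot replicated between the two masters, o=NetscapeRoot left local to each server's own admin server). This is example code written for this page, not code from the thread or from the Fedora DS project. It uses the standard replication-agreement entries under cn=mapping tree,cn=config (objectClass nsDS5ReplicationAgreement with nsDS5ReplicaRoot/Host/Port) and OpenLDAP's ldapsearch; the server URL, the bind DN and the password file are placeholders, and the ldapsearch output embedded in sample_ldif is constructed for the offline demo.

```sh
#!/bin/sh
# Added example for this page; not code from the thread or from Fedora DS.
# Lists the suffixes a Fedora DS instance has replication agreements for and
# fails if o=NetscapeRoot (the console's config DS suffix) is among them,
# i.e. the "replicate NetscapeRoot" mistake described in the thread.
#
# Assumed placeholders: the server URL, the bind DN and a 0600 password file
# (read with -y so the password never appears on the command line).
LDAP_URL="${LDAP_URL:-ldaps://ds1.example.com:636}"
BIND_DN="${BIND_DN:-cn=Directory Manager}"
PWFILE="${PWFILE:-/root/.dirmgr-pw}"

# Constructed sample of what ldapsearch returns for two agreements (one DN
# is folded across two lines, as LDIF does). The second is the one to catch.
sample_ldif() {
cat <<'EOF'
# extended LDIF
dn: cn=to ds2,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: to ds2
nsDS5ReplicaHost: ds2.example.com
nsDS5ReplicaPort: 636
nsDS5ReplicaRoot: dc=example,dc=com

dn: cn=netscaperoot to ds2,cn=replica,cn=o\3DNetscapeRoot,cn=mapping tree,cn=c
 onfig
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: netscaperoot to ds2
nsDS5ReplicaHost: ds2.example.com
nsDS5ReplicaPort: 636
nsDS5ReplicaRoot: o=NetscapeRoot
EOF
}

# Unfold LDIF (a leading space continues the previous line) and print
# "replicaRoot host port" for every nsDS5ReplicationAgreement entry on
# stdin. Base64 values (attr:: ...) are not decoded; replica roots are
# plain DNs in practice.
agreement_roots() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (have) handle(buf); buf = $0; have = 1 }
        END { if (have) handle(buf); flush() }
        function handle(l,   k, v) {
            if (l == "") { flush(); return }        # blank line ends an entry
            k = tolower(l); sub(/:.*/, "", k)       # attribute name
            v = l; sub(/^[^:]*:[ ]*/, "", v)        # attribute value
            if (k == "objectclass" && tolower(v) == "nsds5replicationagreement") agmt = 1
            else if (k == "nsds5replicaroot") root = v
            else if (k == "nsds5replicahost") host = v
            else if (k == "nsds5replicaport") port = v
        }
        function flush() {
            if (agmt) print root, host, port
            agmt = 0; root = ""; host = ""; port = ""
        }'
}

# Read LDIF on stdin; succeed only if no agreement replicates o=NetscapeRoot.
check_netscaperoot_local() {
    bad=$(agreement_roots | awk 'tolower($1) == "o=netscaperoot"')
    if [ -n "$bad" ]; then
        printf 'o=NetscapeRoot is being replicated (root host port): %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Live query. objectClass must be requested explicitly, or the agreement
# entries cannot be recognised in the -LLL output.
dump_agreements() {
    ldapsearch -x -LLL -H "$LDAP_URL" -D "$BIND_DN" -y "$PWFILE" \
        -b "cn=mapping tree,cn=config" \
        "(objectClass=nsDS5ReplicationAgreement)" \
        objectClass nsDS5ReplicaRoot nsDS5ReplicaHost nsDS5ReplicaPort
}

# Usage: sh replcheck.sh live   (query the server, exit 1 on a bad agreement)
#        sh replcheck.sh demo   (run against the constructed sample; exits 1)
case "${1:-}" in
    live) dump_agreements | check_netscaperoot_local ;;
    demo) sample_ldif | check_netscaperoot_local ;;
esac
```

Run it on both masters: the agreement list should show only the user suffix in each direction, and o=NetscapeRoot should never appear, which matches Richard's point that the config DS host:port is hard-coded in many places and cannot be failed over by replicating it.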
From surendharsurya at yahoo.co.in Tue Jul 10 10:15:46 2007
From: surendharsurya at yahoo.co.in (surendhar surya)
Date: Tue, 10 Jul 2007 11:15:46 +0100 (BST)
Subject: [Fedora-directory-users] Regarding fds with samba
Message-ID: <89864.12273.qm@web8903.mail.in.yahoo.com>

I have installed Fedora Directory Server and I tried to integrate it
with Samba. When I tried to groupmap using this command, I get an error
message. What will be the problem? Can anyone provide me a solution?

[root at fds ~]# net groupmap add rid=512 ntgroup="Domain Admins" unixgroup="Domain Admins"
Can't lookup UNIX group Domain Admins

Thanks and Regards,
Surendhar P
Chennai

From vampired at gmail.com Tue Jul 10 15:08:13 2007
From: vampired at gmail.com (Vampire D)
Date: Tue, 10 Jul 2007 11:08:13 -0400
Subject: [Fedora-directory-users] No X
Message-ID: <4ca8a4870707100808o12705142me70ea9af5cbf7a13@mail.gmail.com>

Is there anything you cannot do with FDS when using the HTTP Control
Panel rather than using the X Windows Java Control Panel?

Is it highly recommended to use the X Windows Java Control Panel in
production?

--
"Do the actors on Unsolved Mysteries ever get arrested because they
look just like the criminal they are playing?"

Christopher

From iferreir at personal.com.py Tue Jul 10 15:22:30 2007
From: iferreir at personal.com.py (Ivan Ferreira)
Date: Tue, 10 Jul 2007 11:22:30 -0400
Subject: [Fedora-directory-users] Regarding fds with samba
In-Reply-To: <89864.12273.qm@web8903.mail.in.yahoo.com>
Message-ID:

You have to create the "Domain Admins" Unix group (posixGroup) in the
Directory Server. If you already created it, check if you can list the
group with:

getent group

If you cannot see the "Domain Admins" Unix group, then you have a
problem with your LDAP client configuration; check ldap.conf.

From rmeggins at redhat.com Tue Jul 10 15:27:12 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 10 Jul 2007 09:27:12 -0600
Subject: [Fedora-directory-users] No X
In-Reply-To: <4ca8a4870707100808o12705142me70ea9af5cbf7a13@mail.gmail.com>
References: <4ca8a4870707100808o12705142me70ea9af5cbf7a13@mail.gmail.com>
Message-ID: <4693A550.4060309@redhat.com>

Vampire D wrote:
> Is there anything you cannot do with FDS when using the HTTP Control
> Panel rather than using the X Windows Java Control Panel?
The HTTP control panel (aka phonebook/gateway or admin express) just
allows limited user/group management, server log viewing, and server
start/stop. The Java Control Panel (aka console) allows you to perform
all aspects of server, user, and group management.
>
> Is it highly recommended to use the X Windows Java Control Panel in
> production?
If you require a management GUI, then yes. All administration can be
performed via the command line and via LDAP.

From dfulton at concepttechnologyinc.com Tue Jul 10 15:44:29 2007
From: dfulton at concepttechnologyinc.com (Darren Fulton - CTI)
Date: Tue, 10 Jul 2007 10:44:29 -0500
Subject: [Fedora-directory-users] add new customer to Quickbooks from Directory Server
Message-ID: <4693A95D.10409@concepttechnologyinc.com>

Disclaimer: Shot in the dark and possibly off-topic.

Situation: We add client contacts to our Fedora Directory Server. The
billing department has to also manually add client contacts into
Quickbooks to generate bills and such.

Goal: Make it so the client contacts have to be manually added into only
one system.

Proposed Solutions: Make Quickbooks look for clients in the directory
_or_ create a simple way to export client contact info from the
directory (I think Quickbooks uses an IIF file). [BTW, wouldn't it be
cool if there was a link in the Directory Express web app to generate
this like the vCard link?]

Question for List: Has anybody had any experience getting either of
these done that they would like to share?

Final Disclaimer: Google searches revealed one or more commercial
third-party applications that allow Quickbooks to "integrate" with
LDAP. A quick look at these programs didn't impress me, but I have
_not_ tested them. Google searches also revealed a Finance::IIF perl
module that I will keep in mind.

Thank you for any input.
--
Best Regards,
Darren Fulton
Concept Technology, Inc.
1106 17th Avenue South
Nashville, TN 37212
Phone - 615.321.6428 Ext. 105
Fax - 615.321.5598

From slackamp at gmail.com Tue Jul 10 16:05:11 2007
From: slackamp at gmail.com (slamp slamp)
Date: Tue, 10 Jul 2007 12:05:11 -0400
Subject: [Fedora-directory-users] Posix User
Message-ID: <78926d250707100905g704355d2l2f049f8f4766a96a@mail.gmail.com>

When I create an account and enable the Posix User, I have to supply
UID number and GID number and Home Directory. Is there a way to
automate this?? I'll be happy if UID can be auto-incremented from the
last user created.

From iferreir at personal.com.py Tue Jul 10 16:12:59 2007
From: iferreir at personal.com.py (Ivan Ferreira)
Date: Tue, 10 Jul 2007 12:12:59 -0400
Subject: [Fedora-directory-users] Posix User
In-Reply-To: <78926d250707100905g704355d2l2f049f8f4766a96a@mail.gmail.com>
Message-ID:

I really like a couple of tools to create users:

phpldapadmin (web)
ldapadmin.exe (Windows client GUI)

These tools can handle that kind of information.

From rmeggins at redhat.com Tue Jul 10 16:06:49 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 10 Jul 2007 10:06:49 -0600
Subject: [Fedora-directory-users] Posix User
In-Reply-To: <78926d250707100905g704355d2l2f049f8f4766a96a@mail.gmail.com>
References: <78926d250707100905g704355d2l2f049f8f4766a96a@mail.gmail.com>
Message-ID: <4693AE99.2060407@redhat.com>

slamp slamp wrote:
> When I create an account and enable the Posix User, I have to supply
> UID number and GID number and Home Directory. Is there a way to
> automate this?? I'll be happy if UID can be auto-incremented from the
> last user created.
http://cvs.fedora.redhat.com/viewcvs/ldapserver/ldap/servers/plugins/dna/?root=dirsec

This feature is in the 1.1 pre-release available with Fedora as
fedora-ds-base. However, the admin server and console are not yet
available for 1.1. With some hacking, you might be able to get the dna
plugin to work with 1.0.4.

From vampired at gmail.com Wed Jul 11 07:41:23 2007
From: vampired at gmail.com (Vampire D)
Date: Wed, 11 Jul 2007 03:41:23 -0400
Subject: [Fedora-directory-users] No X
In-Reply-To: <4693A550.4060309@redhat.com>
References: <4ca8a4870707100808o12705142me70ea9af5cbf7a13@mail.gmail.com> <4693A550.4060309@redhat.com>
Message-ID: <4ca8a4870707110041i7d6e06a7tc2762bd09848d9fa@mail.gmail.com>

Is it possible to do ALL management through CLI/LDAP?

Do you see many installations in production NOT using the Java console,
or is using it pretty standard?

On 7/10/07, Richard Megginson wrote:
> Vampire D wrote:
>> Is there anything you cannot do with FDS when using the HTTP Control
>> Panel rather than using the X Windows Java Control Panel?
> The HTTP control panel (aka phonebook/gateway or admin express) just
> allows limited user/group management, server log viewing, and server
> start/stop. The Java Control Panel (aka console) allows you to perform
> all aspects of server, user, and group management.
>>
>> Is it highly recommended to use the X Windows Java Control Panel in
>> production?
> If you require a management GUI, then yes. All administration can be
> performed via the command line and via LDAP.

--
"Do the actors on Unsolved Mysteries ever get arrested because they
look just like the criminal they are playing?"

Christopher

From vampired at gmail.com Wed Jul 11 07:43:21 2007
From: vampired at gmail.com (Vampire D)
Date: Wed, 11 Jul 2007 03:43:21 -0400
Subject: [Fedora-directory-users] http://directory.fedoraproject.org/
Message-ID: <4ca8a4870707110043w504bfe9ek5d64739221fe7a6e@mail.gmail.com>

Can anyone access http://directory.fedoraproject.org/ right now? It has
been down for a while now.

--
"Do the actors on Unsolved Mysteries ever get arrested because they
look just like the criminal they are playing?"

Christopher

From surendharsurya at yahoo.co.in Wed Jul 11 09:05:37 2007
From: surendharsurya at yahoo.co.in (surendhar surya)
Date: Wed, 11 Jul 2007 10:05:37 +0100 (BST)
Subject: [Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 26, Issue 9
In-Reply-To: <20070710160007.E6E067341A@hormel.redhat.com>
Message-ID: <104136.37585.qm@web8909.mail.in.yahoo.com>

Thank you for the information. I have fixed the issue finally once I
ran authconfig and configured the LDAP server details. Now I have a
problem! When I try to add a Windows client machine in FDS it gives an
error message.
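To close out the Samba thread (Ivan's reply above: the Unix group must exist in the directory as a posixGroup and be visible through getent before net groupmap can map it), here is an added example script. It is not part of the thread or of the Fedora DS or Samba projects. The groups container ou=Groups,dc=example,dc=com, the host fds.example.com, the bind DN, the password file and gidNumber 10512 are placeholders; RID 512 is Samba's well-known Domain Admins RID exactly as in the original command, and the getent lines used in the test are constructed.

```sh
#!/bin/sh
# Added example for this page; not code from the thread, Fedora DS or Samba.
# Creates the "Domain Admins" Unix group as a posixGroup, proves that NSS
# (getent) can resolve it, and only then runs the groupmap command from the
# thread. "Can't lookup UNIX group" means step 2 fails, usually because the
# entry is missing or nss_ldap (ldap.conf base/uri) is not pointed at FDS.
#
# Assumed placeholders: server URL, bind DN, 0600 password file, the groups
# container and gidNumber 10512. RID 512 is Samba's well-known Domain Admins
# RID; it is a Windows identifier, not a Unix gid, so the two stay separate.
LDAP_URL="${LDAP_URL:-ldaps://fds.example.com}"
BIND_DN="${BIND_DN:-cn=Directory Manager}"
PWFILE="${PWFILE:-/root/.dirmgr-pw}"
GROUP_BASE="${GROUP_BASE:-ou=Groups,dc=example,dc=com}"

# Print the LDIF for one posixGroup. Args: name gidNumber [memberUid ...]
posixgroup_ldif() {
    name=$1; gid=$2; shift 2
    printf 'dn: cn=%s,%s\n' "$name" "$GROUP_BASE"
    printf 'objectClass: top\nobjectClass: posixGroup\n'
    printf 'cn: %s\ngidNumber: %s\n' "$name" "$gid"
    for m in "$@"; do printf 'memberUid: %s\n' "$m"; done
}

# Extract the gid for group $1 from "getent group" output on stdin
# (name:passwd:gid:members). Prints nothing if the group is absent, which
# is the condition behind Samba's "Can't lookup UNIX group" error. A name
# with a space, like "Domain Admins", is handled because ':' is the separator.
parse_gid() {
    awk -F: -v want="$1" '$1 == want { print $3; exit }'
}

nss_gid() { getent group "$1" | parse_gid "$1"; }

setup_domain_admins() {
    # 1. add the entry (memberUid values, if any, are passed through)
    posixgroup_ldif "Domain Admins" 10512 "$@" |
        ldapadd -x -H "$LDAP_URL" -D "$BIND_DN" -y "$PWFILE" || return 1
    # 2. verify NSS resolution, which is exactly what "net groupmap" relies on
    gid=$(nss_gid "Domain Admins")
    if [ -z "$gid" ]; then
        echo "NSS does not resolve 'Domain Admins'; check /etc/ldap.conf and nsswitch.conf" >&2
        return 1
    fi
    # 3. the command from the thread, now with a resolvable unixgroup
    net groupmap add rid=512 ntgroup="Domain Admins" unixgroup="Domain Admins"
}

# Usage: PWFILE=/root/.dirmgr-pw sh samba-group.sh run [memberUid ...]
if [ "${1:-}" = "run" ]; then shift; setup_domain_admins "$@"; fi
```

The order matters: ldapadd succeeding proves the entry is in the directory, while getent proves the client's nss_ldap sees it, and only the second is what Samba checks. If step 2 fails right after step 1 succeeds, the fix is on the client side (ldap.conf base and URI, nsswitch.conf), not in the directory.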
redhat.com> I have installed fedora directory server and i tried to integreate with samba. When i tried to groupmap using this command. I get a error message. what will be the problem. can anyone provide me a solution.? [root at fds ~]# net groupmap add rid=512 ntgroup="Domain Admins" unixgroup="Domain Admins" Can't lookup UNIX group Domain Admins Thanks and Regard Surendhar P Chennai Download prohibited? No problem. CHAT from any browser, without download. -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users ======================================================================================== AVISO LEGAL: Esta informaci?n es privada y confidencial y est? dirigida ?nicamente a su destinatario. Si usted no es el destinatario original de este mensaje y por este medio pudo acceder a dicha informaci?n por favor elimine el mensaje. La distribuci?n o copia de este mensaje est? estrictamente prohibida. Esta comunicaci?n es s?lo para prop?sitos de informaci?n y no debe ser considerada como propuesta, aceptaci?n ni como una declaraci?n de voluntad oficial de NUCLEO S.A. La transmisi?n de e-mails no garantiza que el correo electr?nico sea seguro o libre de error. Por consiguiente, no manifestamos que esta informaci?n sea completa o precisa. Toda informaci?n est? sujeta a alterarse sin previo aviso. This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded neither as a proposal, acceptance nor as a statement of will or official statement from NUCLEO S.A. . Email transmission cannot be guaranteed to be secure or error-free. 
Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice. ------------------------------ Message: 8 Date: Tue, 10 Jul 2007 09:27:12 -0600 From: Richard Megginson Subject: Re: [Fedora-directory-users] No X To: "General discussion list for the Fedora Directory server project." Message-ID: <4693A550.4060309 at redhat.com> Content-Type: text/plain; charset="iso-8859-1" Vampire D wrote: > Is there anything you cannot do with FDS when using the HTTP Control > Panel rather than using the X Windows Java Control Panel? The HTTP control panel (aka phonebook/gateway or admin express) just allows limited user/group management, server log viewing, and server start/stop. The Java Control Panel (aka console) allows you do perform all aspects of server, user, and group management. > > Is it highly recommended to use the X Windows Java Control Panel in > production? If you require a management GUI, then yes. All administration can be performed via the command line and via LDAP. > > -- > "Do the actors on Unsolved Mysteries ever get arrested because they > look just like the criminal they are playing?" > > Christopher > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature Url : https://www.redhat.com/archives/fedora-directory-users/attachments/20070710/2cbdf6dc/smime.bin ------------------------------ Message: 9 Date: Tue, 10 Jul 2007 10:44:29 -0500 From: Darren Fulton - CTI Subject: [Fedora-directory-users] add new customer to Quickbooks from Directory Server To: Fedora-directory-users at redhat.com Message-ID: <4693A95D.10409 at concepttechnologyinc.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Disclaimer: Shot in the dark and possibly off-topic. Situation: We add client contacts to our Fedora Directory Server. The billing department has to also manually add client contacts into Quickbooks to generate bills and such. Goal: Make it so the client contacts only have to be manually added into only one system. Proposed Solutions: Make Quickbooks look for clients in the directory _or_ create a simple way to export from the directory client contact info (I think Quickbooks uses an IIF file). [BTW, wouldn't it be cool if there was a link in Directory Express web app to generate this like the vCard link?] Question for List: Has anybody had any experience getting either of these done that they would like to share? Final Disclaimer: Google searches revealed one or more commercial third-party applications that allow Quickbooks to "integrate" with LDAP. A quick look at these programs didn't impress me, but I have _not_ tested them. Google searches also revealed a Finance::IIF perl module that I will keep in mind. Thank you for any input. -- Best Regards, Darren Fulton Concept Technology, Inc. 1106 17th Avenue South Nashville, TN 37212 Phone - 615.321.6428 Ext. 
105 Fax - 615.321.5598 ------------------------------ -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users End of Fedora-directory-users Digest, Vol 26, Issue 9 ***************************************************** Thanks and Regard Surendhar P Chennai --------------------------------- 5, 50, 500, 5000. Store N number of mails in your inbox. Click here. -------------- next part -------------- An HTML attachment was scrubbed... URL: From surendharsurya at yahoo.co.in Wed Jul 11 09:21:19 2007 From: surendharsurya at yahoo.co.in (surendhar surya) Date: Wed, 11 Jul 2007 10:21:19 +0100 (BST) Subject: [Fedora-directory-users] FDS with samba Message-ID: <940175.33574.qm@web8903.mail.in.yahoo.com> When I try to add windows client machine in FDS DOMAIN. I get error Unknown username and password. I have created a Administrator account in FDS with samba server. Now what i have todo add machine in COMPUTERS. Thanks and Regard Surendhar P Chennai --------------------------------- Here?s a new way to find what you're looking for - Yahoo! Answers -------------- next part -------------- An HTML attachment was scrubbed... URL: From Dan.HAWKER at uk4.astrium.eads.net Wed Jul 11 12:42:18 2007 From: Dan.HAWKER at uk4.astrium.eads.net (HAWKER, Dan (external)) Date: Wed, 11 Jul 2007 13:42:18 +0100 Subject: [Fedora-directory-users] UNCLASSIFIED - Linux Client Configurations & LDAP Failover Message-ID: <7F6B06837A5DBD49AC6E1650EFF5490601223421@auk52177.ukr.astrium.corp> Hi All, First off, apologies for the tagline. Work has gone mad ensuring we tag all outgoing emails with appropriate classifications. Very irritating :( Anyway... Not sure if this is strictly OT, however I'm having some trouble configuring my Linux clients to failover to secondary FDS boxes quickly enough. 
By that I mean, it all works (ppl can login, get home dirs, etc) however, despite adding a second FDS server to the clients ldap.conf file, and fiddling with the bind_timelimit and other settings (with no real change), if the first FDS box in the list fails for whatever reason, (panic, scheduled downtime, upgrades, etc) it takes the client(s) some time to failover to using the second LDAP box. During this time general access and logins slow to a crawl until the primary is back up again. My FDS boxes are FC5 with FDS 1.0.2 and my clients are all RHEL4/5 and FC4-7 boxes. BIND is also running on these two FDS boxes, however that fails over as expected. Has anyone some *best practice* guidelines/docs they can point me towards or some personal experiences/anecdotes so I can hopefully configure my clients such that a failure in a FDS box is almost un-noticeable by my clients boxes. TIA Dan -- Dan Hawker Linux System Administrator PMS x5602 -- This email (including any attachments) may contain confidential and/or privileged information or information otherwise protected from disclosure. If you are not the intended recipient, please notify the sender immediately, do not copy this message or any attachments and do not use it for any purpose or disclose its content to any person, but delete this message and any attachments from your system. Astrium disclaims any and all liability if this email transmission was virus corrupted, altered or falsified. --------------------------------------------------------------------- Astrium Limited, Registered in England and Wales No. 
2449259 Registered Office: Gunnels Wood Road, Stevenage, Hertfordshire, SG1 2AS, England From rcritten at redhat.com Wed Jul 11 12:46:31 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 11 Jul 2007 08:46:31 -0400 Subject: [Fedora-directory-users] http://directory.fedoraproject.org/ In-Reply-To: <4ca8a4870707110043w504bfe9ek5d64739221fe7a6e@mail.gmail.com> References: <4ca8a4870707110043w504bfe9ek5d64739221fe7a6e@mail.gmail.com> Message-ID: <4694D127.7000402@redhat.com> Vampire D wrote: > Can anyone access http://directory.fedoraproject.org/ right now? > It has been down for a while now. > -- > "Do the actors on Unsolved Mysteries ever get arrested because they look > just like the criminal they are playing?" > > Christopher It is back up now. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From srigler at marathonoil.com Wed Jul 11 12:51:21 2007 From: srigler at marathonoil.com (Steve Rigler) Date: Wed, 11 Jul 2007 07:51:21 -0500 Subject: [Fedora-directory-users] UNCLASSIFIED - Linux Client Configurations & LDAP Failover In-Reply-To: <7F6B06837A5DBD49AC6E1650EFF5490601223421@auk52177.ukr.astrium.corp> References: <7F6B06837A5DBD49AC6E1650EFF5490601223421@auk52177.ukr.astrium.corp> Message-ID: <1184158281.27205.13.camel@houuc8> On Wed, 2007-07-11 at 13:42 +0100, HAWKER, Dan (external) wrote: > Not sure if this is strictly OT, however I'm having some trouble > configuring my Linux clients to failover to secondary FDS boxes quickly > enough. > Dan, We had the same issue. It seems like nss_ldap fails over after a reasonable timeout, but applications like autofs will take much longer. Also, if you have two servers and all of your clients are configured to talk to them in the same order (if server1 is down use server2), then server2 would be idle until server1 is down. We use Piranha to get around this. 
This way we can count on both servers being equally utilized and clients fail over seamlessly (so seamless they don't even realize they've failed over). I don't know if this is the "prescribed" way of handling it, but it works well for us. -Steve From marius at mail.communityconnect.com Wed Jul 11 14:39:44 2007 From: marius at mail.communityconnect.com (Marius Rex) Date: Wed, 11 Jul 2007 10:39:44 -0400 Subject: [Fedora-directory-users] No X In-Reply-To: <4ca8a4870707110041i7d6e06a7tc2762bd09848d9fa@mail.gmail.com> References: <4ca8a4870707100808o12705142me70ea9af5cbf7a13@mail.gmail.com> <4693A550.4060309@redhat.com> <4ca8a4870707110041i7d6e06a7tc2762bd09848d9fa@mail.gmail.com> Message-ID: <1184164784.17076.16.camel@forge.hq.communityconnect.com> On Wed, 2007-07-11 at 03:41 -0400, Vampire D wrote: > Is it possible to do ALL management through CLI/LDAP? > Do you see many installations in production NOT using the java console > or is using it pretty standard? > I cannot speak for anyone else, but I have yet to run into any management task that cannot be done through CLI tools. The java console in my experience, is an occasional convenience, not a necessity. Even so when I want convenience I am more likely to fire up some other ldap management tool, like phpldapadmin, to do quick and easy work. -- Marius Rex Community Connect Inc. From omer at faruk.net Wed Jul 11 13:24:59 2007 From: omer at faruk.net (Omer Faruk Sen) Date: Wed, 11 Jul 2007 16:24:59 +0300 (EEST) Subject: [Fedora-directory-users] disallow_pw_change_aci Message-ID: <2294.212.156.115.97.1184160299.squirrel@212.156.115.97> Hi, I have a problem with this aci. I have a dn like ou=x.com,dc=my,dc=domain,dc=com. 
I added aci to my dc=my,dc=domain,dc=com as depicted in: http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html I add following aci: (targetattr="userPassword || homePhone || homePostalAddress") (version 3.0; acl "Write my.domain.com"; allow (write) userdn= "ldap:///self";) restart fedora-ds but when i try to change password with uid=user,oid=x.com,dc=my,dc=domain,dc=com i get following error: aci: (targetattr = "userPassword") ( version 3.0; acl "disallow_pw_change_aci"; deny (write ) userdn = "ldap:///self";) My question is how can I disable disallow_pw_change_aci. I couldn't find that aci anywhere? By the way as far as I understood child entries inherits parent acis am I right? Because if not there is no explanation to that error Best Regards, -- Omer Faruk Sen http://www.faruk.net From rmeggins at redhat.com Wed Jul 11 15:20:10 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 11 Jul 2007 09:20:10 -0600 Subject: [Fedora-directory-users] No X In-Reply-To: <4ca8a4870707110041i7d6e06a7tc2762bd09848d9fa@mail.gmail.com> References: <4ca8a4870707100808o12705142me70ea9af5cbf7a13@mail.gmail.com> <4693A550.4060309@redhat.com> <4ca8a4870707110041i7d6e06a7tc2762bd09848d9fa@mail.gmail.com> Message-ID: <4694F52A.1090204@redhat.com> Vampire D wrote: > Is it possible to do ALL management through CLI/LDAP? Yes. > Do you see many installations in production NOT using the java console > or is using it pretty standard? There are some people who will not use a GUI at all, especially once you learn how powerful scripting is using perl+ldap or python+ldap. > > On 7/10/07, *Richard Megginson* > wrote: > > Vampire D wrote: > > Is there anything you cannot do with FDS when using the HTTP Control > > Panel rather than using the X Windows Java Control Panel? > The HTTP control panel (aka phonebook/gateway or admin express) just > allows limited user/group management, server log viewing, and server > start/stop. 
The Java Control Panel (aka console) allows you do > perform > all aspects of server, user, and group management. > > > > Is it highly recommended to use the X Windows Java Control Panel in > > production? > If you require a management GUI, then yes. All administration can be > performed via the command line and via LDAP. > > > > -- > > "Do the actors on Unsolved Mysteries ever get arrested because they > > look just like the criminal they are playing?" > > > > Christopher > > > > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > -- > "Do the actors on Unsolved Mysteries ever get arrested because they > look just like the criminal they are playing?" > > Christopher > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ofsen at yahoo.com Wed Jul 11 14:03:45 2007 From: ofsen at yahoo.com (Omer Faruk Sen) Date: Wed, 11 Jul 2007 07:03:45 -0700 (PDT) Subject: [Fedora-directory-users] disallow_pw_change_aci problem Message-ID: <250764.47061.qm@web60522.mail.yahoo.com> Hi, I have installed fedora-ds 1.0.4 to Fedora 6 server. I am trying to install mail ldap cluster. 
I have added a domain like dc=my,dc=domain,dc=com and added a virtual domain like ou=virtdomain.com,dc=my,dc=domain,dc=com after adding a user like: uid=user,ou=virtdomain.com,dc=my,dc=domain,dc=com and changing its password gives me that error: aci: (targetattr = "userPassword") ( version 3.0; acl "disallow_pw_change_aci"; deny (write ) userdn = "ldap:///self";) I have read http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html and added an aci like: aci: (targetattr="userPassword || homePhone || homePostalAddress") (version 3.0; acl "Write my.domain.com"; allow (write) userdn= "ldap:///self";) for ou=virtdomain.com,dc=my,dc=domain,dc=com But I still get aci: (targetattr = "userPassword") ( version 3.0; acl "disallow_pw_change_aci"; deny (write ) userdn = "ldap:///self";) error. How can I disable disallow_pw_change aci since I couldn't find this aci anywhere using directory admin gui. By the way I think this comes from userRoot database. But I can't find a place to disable disallow_pw_change Best Regards, ____________________________________________________________________________________ Get the free Yahoo! toolbar and rest assured with the added security of spyware protection. http://new.toolbar.yahoo.com/toolbar/features/norton/index.php From Dan.HAWKER at uk4.astrium.eads.net Wed Jul 11 16:05:20 2007 From: Dan.HAWKER at uk4.astrium.eads.net (HAWKER, Dan (external)) Date: Wed, 11 Jul 2007 17:05:20 +0100 Subject: [Fedora-directory-users] UNCLASSIFIED - Linux ClientConfigurations & LDAP Failover Message-ID: <7F6B06837A5DBD49AC6E1650EFF5490601C64A27@auk52177.ukr.astrium.corp> > > We had the same issue. It seems like nss_ldap fails over > after a reasonable timeout, but applications like autofs will > take much longer. Also, if you have two servers and all of > your clients are configured to talk to them in the same order > (if server1 is down use server2), then server2 would be idle > until server1 is down. > > We use Piranha to get around this. 
This way we can count on > both servers being equally utilized and clients fail over > seamlessly (so seamless they don't even realize they've failed over). > > I don't know if this is the "prescribed" way of handling it, > but it works well for us. > Hi Steve, Thanks for the info and pointer. I'll do some digging and also have a look at Piranha. Thanks again Dan -- Dan Hawker Linux System Administrator PMS x5602 -- This email (including any attachments) may contain confidential and/or privileged information or information otherwise protected from disclosure. If you are not the intended recipient, please notify the sender immediately, do not copy this message or any attachments and do not use it for any purpose or disclose its content to any person, but delete this message and any attachments from your system. Astrium disclaims any and all liability if this email transmission was virus corrupted, altered or falsified. --------------------------------------------------------------------- Astrium Limited, Registered in England and Wales No. 2449259 Registered Office: Gunnels Wood Road, Stevenage, Hertfordshire, SG1 2AS, England From ulf.weltman at hp.com Wed Jul 11 17:48:48 2007 From: ulf.weltman at hp.com (Ulf Weltman) Date: Wed, 11 Jul 2007 10:48:48 -0700 Subject: [Fedora-directory-users] disallow_pw_change_aci problem In-Reply-To: <250764.47061.qm@web60522.mail.yahoo.com> References: <250764.47061.qm@web60522.mail.yahoo.com> Message-ID: <46951800.1@hp.com> This ACI is automatically added to each root entry when the passwordChange global password policy is set to off (in the GUI, when "User may change password" is unchecked). Omer Faruk Sen wrote: > Hi, > > I have installed fedora-ds 1.0.4 to Fedora 6 server. I am trying to install mail ldap cluster. 
I have added a domain like dc=my,dc=domain,dc=com and added a virtual domain like ou=virtdomain.com,dc=my,dc=domain,dc=com after adding a user like: > > uid=user,ou=virtdomain.com,dc=my,dc=domain,dc=com > > and changing its password gives me that error: > > aci: (targetattr = "userPassword") ( version 3.0; acl "disallow_pw_change_aci"; deny (write ) userdn = "ldap:///self";) > > > I have read http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html and added an aci like: > > aci: (targetattr="userPassword || homePhone || > homePostalAddress") (version 3.0; acl "Write my.domain.com"; allow > (write) userdn= "ldap:///self";) > > for ou=virtdomain.com,dc=my,dc=domain,dc=com > > But I still get aci: (targetattr = "userPassword") ( version 3.0; acl "disallow_pw_change_aci"; deny (write ) userdn = "ldap:///self";) > > error. How can I disable disallow_pw_change aci since I couldn't find this aci anywhere using directory admin gui. > > > By the way I think this comes from userRoot database. But I can't find a place to disable disallow_pw_change > > Best Regards, > > > > > > > ____________________________________________________________________________________ > Get the free Yahoo! toolbar and rest assured with the added security of spyware protection. > http://new.toolbar.yahoo.com/toolbar/features/norton/index.php > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... 
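The evaluation rule behind the error in this thread, as an added example that is not code from the thread or from Fedora DS: an ACI applies to the entry it is placed on and to everything beneath it, and when a matching deny and a matching allow both apply, the deny wins, so the allow added at ou=virtdomain.com cannot lift the automatic deny on the suffix; only removing that deny (re-enabling passwordChange) lets the self-write through. The placement of the two ACIs and the simplified evaluator (targetattr/userdn rules with self, anyone and all bind rules only) are assumptions made for the example.

```python
"""Toy evaluator for Fedora DS ACIs, covering only targetattr/userdn rules.

It shows why Omer's allow ACI on the ou does not override the
disallow_pw_change_aci deny on the suffix: scope is inherited downwards
and deny takes precedence over allow.
"""
import re
from dataclasses import dataclass

# Constructed sample: the two ACIs quoted in the thread, placed where the
# thread describes them (the automatic deny lives on the suffix entry,
# the hand-added allow on the virtual-domain ou).
SAMPLE_ACIS = [
    ("dc=my,dc=domain,dc=com",
     '(targetattr = "userPassword") ( version 3.0; acl "disallow_pw_change_aci"; '
     'deny (write ) userdn = "ldap:///self";)'),
    ("ou=virtdomain.com,dc=my,dc=domain,dc=com",
     '(targetattr="userPassword || homePhone || homePostalAddress") '
     '(version 3.0; acl "Write my.domain.com"; allow (write) userdn= "ldap:///self";)'),
]

_TARGETATTR = re.compile(r'\(\s*targetattr\s*=\s*"([^"]*)"\s*\)', re.I)
_ACL_NAME = re.compile(r'acl\s+"([^"]*)"', re.I)
_PERM = re.compile(r'(allow|deny)\s*\(\s*([^)]*)\)\s*userdn\s*=\s*"([^"]*)"', re.I)


def normalize_dn(dn):
    """Lower-case and strip spaces around RDNs so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))


@dataclass
class Aci:
    placed_at: str        # normalized DN of the entry carrying the aci attribute
    name: str
    attrs: frozenset      # lower-cased attribute names from targetattr
    effect: str           # "allow" or "deny"
    rights: frozenset     # e.g. {"write"}
    userdn: str           # bind rule, e.g. "ldap:///self"


def parse_aci(placed_at, text):
    """Parse one aci attribute value of the shape used in the thread."""
    ta, name, perm = _TARGETATTR.search(text), _ACL_NAME.search(text), _PERM.search(text)
    if not (ta and name and perm):
        raise ValueError("unsupported ACI syntax: " + text)
    attrs = frozenset(a.strip().lower() for a in ta.group(1).split("||"))
    rights = frozenset(r.strip().lower() for r in perm.group(2).split(","))
    return Aci(normalize_dn(placed_at), name.group(1), attrs,
               perm.group(1).lower(), rights, perm.group(3).strip().lower())


def in_scope(aci, entry_dn):
    """An ACI without an explicit target covers its entry and the subtree below it."""
    entry = normalize_dn(entry_dn)
    return entry == aci.placed_at or entry.endswith("," + aci.placed_at)


def bind_matches(aci, bind_dn, entry_dn):
    if aci.userdn == "ldap:///self":
        return normalize_dn(bind_dn) == normalize_dn(entry_dn)
    if aci.userdn == "ldap:///anyone":
        return True
    if aci.userdn == "ldap:///all":
        return bool(bind_dn)          # any authenticated bind
    return False


def decide(acis, entry_dn, attr, right, bind_dn):
    """Return ('allow'|'deny', names of matching ACIs).

    Deny beats allow whatever their relative depth in the tree, and with no
    matching allow at all the server's default is deny.
    """
    hits = [a for a in acis
            if in_scope(a, entry_dn) and attr.lower() in a.attrs
            and right in a.rights and bind_matches(a, bind_dn, entry_dn)]
    names = [a.name for a in hits]
    if any(a.effect == "deny" for a in hits):
        return "deny", names
    if hits:
        return "allow", names
    return "deny", names


def demo():
    """Self-write on the user from the thread: userPassword, homePhone, and
    userPassword again once the automatic deny is gone."""
    acis = [parse_aci(dn, txt) for dn, txt in SAMPLE_ACIS]
    user = "uid=user,ou=virtdomain.com,dc=my,dc=domain,dc=com"
    pw = decide(acis, user, "userPassword", "write", user)
    phone = decide(acis, user, "homePhone", "write", user)
    no_deny = [a for a in acis if a.name != "disallow_pw_change_aci"]
    pw_after = decide(no_deny, user, "userPassword", "write", user)
    return pw, phone, pw_after


if __name__ == "__main__":
    for label, result in zip(("userPassword", "homePhone", "userPassword without deny"), demo()):
        print(label, "->", result)
```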
From dcrissman at perimeterusa.com Thu Jul 12 20:21:18 2007
From: Dennis Crissman
Date: Thu, 12 Jul 2007 16:21:18 -0400
Subject: [Fedora-directory-users] Fedora Core 7 and FDS
In-Reply-To: <461A40D6.4020400@perimeterusa.com>
Message-ID: <46968D3E.5050000@perimeterusa.com>

I want to run Fedora Directory Server on FC7. I see an install on the website for FC6... but nothing for FC7. Where can I get the install files that are compatible with FC7?

Also, it was not recommended to use yum to install FDS for FC6; is that still true for FC7?

Finally, if I wanted to install FDS on another Linux distro, say Ubuntu (I am playing with multiple variations for a project), are there any install packages for them? Or can I just install the most recent FDS version?

Thanks,
Dennis

From rmeggins at redhat.com Thu Jul 12 20:58:50 2007
From: Richard Megginson
Date: Thu, 12 Jul 2007 14:58:50 -0600
Subject: [Fedora-directory-users] Fedora Core 7 and FDS
In-Reply-To: <46968D3E.5050000@perimeterusa.com>
Message-ID: <4696960A.3070308@redhat.com>

Dennis Crissman wrote:
> I want to run Fedora Directory Server on FC7. I see an install on the website for FC6... but nothing for FC7. Where can I get the install files that are compatible with FC7?

You should be able to run the FC6 binaries on FC7.

> Also, it was not recommended to use yum to install FDS for FC6; is that still true for FC7?

The current package in yum is fedora-ds-base, a pre-release of 1.1 that does not include admin server or console. If you want admin server and console, you will have to use FDS 1.0.4.

> Finally, if I wanted to install FDS on another Linux distro, say Ubuntu (I am playing with multiple variations for a project), are there any install packages for them?

No.

> Or can I just install the most recent FDS version?

The upcoming 1.1 should be much easier to port to these other platforms.

For 1.0.4 - http://directory.fedoraproject.org/wiki/Howto:DebianUbuntu and http://directory.fedoraproject.org/wiki/Howto:GentooDsbuildInstallation

From vampired at gmail.com Fri Jul 13 03:45:57 2007
From: Vampire D
Date: Thu, 12 Jul 2007 23:45:57 -0400
Subject: [Fedora-directory-users] Performance
Message-ID: <4ca8a4870707122045i4378df73jee9bcea1adffe5e@mail.gmail.com>

As I understand it, OpenLDAP doesn't perform all that well under a high load. How does FDS perform in comparison to other LDAP implementations like OpenLDAP and Sun?

--
Christopher

From dcrissman at perimeterusa.com Fri Jul 13 11:53:50 2007
From: Dennis Crissman
Date: Fri, 13 Jul 2007 07:53:50 -0400
Subject: [Fedora-directory-users] Fedora Core 7 and FDS
In-Reply-To: <4696960A.3070308@redhat.com>
Message-ID: <469767CE.3060309@perimeterusa.com>

Thank you for the information. You mentioned version 1.1; any idea what the target release date is for that? Where might I find a breakdown of changes?

If admin server and console are no longer going to be provided, there must be an alternative means for their various functionality; what might that be?

Thanks again,
Dennis

From rmeggins at redhat.com Fri Jul 13 15:16:31 2007
From: Richard Megginson
Date: Fri, 13 Jul 2007 09:16:31 -0600
Subject: [Fedora-directory-users] Fedora Core 7 and FDS
In-Reply-To: <469767CE.3060309@perimeterusa.com>
Message-ID: <4697974F.3070406@redhat.com>

Dennis Crissman wrote:
> Thank you for the information. You mentioned version 1.1; any idea what the target release date is for that? Where might I find a breakdown of changes?

You might want to start here - http://directory.fedoraproject.org/wiki/Documentation#Design_Docs

> If admin server and console are no longer going to be provided, there must be an alternative means for their various functionality; what might that be?

They are going to be provided. They are not quite ready yet. Hopefully soon.
Any use, dissemination, >>> distribution or >>> copying of this communication by anyone other than the named >>> recipient(s) is >>> strictly prohibited. If you have received this communication in >>> error, please >>> delete the email and immediately notify our Command Center at >>> 203-541-3444. >>> >>> Thanks >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> ------------------------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > > > > -- > The sender of this email subscribes to Perimeter eSecurity's email > anti-virus service. This email has been scanned for malicious code and is > believed to be virus free. For more information on email security please > visit: http://www.perimeterusa.com/email-defense-content.html > This communication is confidential, intended only for the named > recipient(s) > above and may contain trade secrets or other information that is > exempt from > disclosure under applicable law. Any use, dissemination, distribution or > copying of this communication by anyone other than the named > recipient(s) is > strictly prohibited. If you have received this communication in error, > please > delete the email and immediately notify our Command Center at > 203-541-3444. > > Thanks > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... 
From rmeggins at redhat.com Fri Jul 13 15:24:48 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 13 Jul 2007 09:24:48 -0600
Subject: [Fedora-directory-users] Performance
In-Reply-To: <4ca8a4870707122045i4378df73jee9bcea1adffe5e@mail.gmail.com>
References: <4ca8a4870707122045i4378df73jee9bcea1adffe5e@mail.gmail.com>
Message-ID: <46979940.4020804@redhat.com>

Vampire D wrote:
> As I understand it, OpenLDAP doesn't perform all that well under a
> high load.
OpenLDAP 2.3 does.
> How does FDS perform in comparison to other LDAP implementations like
> OpenLDAP and Sun?
It depends. What performance characteristics do you require?

From vampired at gmail.com Fri Jul 13 15:40:50 2007
From: vampired at gmail.com (Vampire D)
Date: Fri, 13 Jul 2007 11:40:50 -0400
Subject: [Fedora-directory-users] Performance
In-Reply-To: <46979940.4020804@redhat.com>
References: <4ca8a4870707122045i4378df73jee9bcea1adffe5e@mail.gmail.com> <46979940.4020804@redhat.com>
Message-ID: <4ca8a4870707130840s50e94975meffb9636c98ce7c6@mail.gmail.com>

We will not be using LDAP in the traditional sense.

Instead of authentication, we will be using it to perform lookups upon
incoming mail.
We plan on having tens of thousands of email addresses stored in LDAP;
every message that comes in is verified via LDAP that it is allowed, and
then it is processed by our system. We plan on caching entries (positive
and negative) for 24 hours, so as long as the look up has been done in the
last 24 hours and the 1M record cache isn't exhausted it will not perform a
look up. This should cut down a lot of the demand. Initially we are looking
at about 100k lookups an hour, as we expand the service that can go up by
50-100k at a time.

On 7/13/07, Richard Megginson wrote:
>
> Vampire D wrote:
> > As I understand it, OpenLDAP doesn't perform all that well under a
> > high load.
> OpenLDAP 2.3 does.
> > How does FDS perform in comparison to other LDAP implementations like
> > OpenLDAP and Sun?
> It depends. What performance characteristics do you require?

From rmeggins at redhat.com Fri Jul 13 15:44:22 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 13 Jul 2007 09:44:22 -0600
Subject: [Fedora-directory-users] Performance
In-Reply-To: <4ca8a4870707130840s50e94975meffb9636c98ce7c6@mail.gmail.com>
References: <4ca8a4870707122045i4378df73jee9bcea1adffe5e@mail.gmail.com> <46979940.4020804@redhat.com> <4ca8a4870707130840s50e94975meffb9636c98ce7c6@mail.gmail.com>
Message-ID: <46979DD6.90906@redhat.com>

Vampire D wrote:
> We will not be using LDAP in the traditional sense.
>
> Instead of authentication, we will be using it to perform lookups upon
> incoming mail.
> We plan on having tens of thousands of email addresses stored in LDAP,
> every message that comes in is verified via LDAP that it is allowed,
> and then it is processed by our system. We plan on caching entries
> (positive and negative) for 24 hours, so as long as the look up has
> been done in the last 24 hours and the 1M record cache isn't exhausted
> it will not perform a look up. This should cut down a lot of the
> demand. Initially we are looking at about 100k lookups an hour, as we
> expand the service that can go up by 50-100k at a time.
Fedora DS, Sun DS, and OpenLDAP should all be able to handle this load
very well.

From stpierre at NebrWesleyan.edu Fri Jul 13 15:50:43 2007
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Fri, 13 Jul 2007 10:50:43 -0500 (CDT)
Subject: [Fedora-directory-users] Performance
In-Reply-To: <4ca8a4870707130840s50e94975meffb9636c98ce7c6@mail.gmail.com>
References: <4ca8a4870707122045i4378df73jee9bcea1adffe5e@mail.gmail.com> <46979940.4020804@redhat.com> <4ca8a4870707130840s50e94975meffb9636c98ce7c6@mail.gmail.com>
Message-ID:

On Fri, 13 Jul 2007, Vampire D wrote:

> We will not be using LDAP in the traditional sense.
>
> Instead of authentication, we will be using it to perform lookups upon
> incoming mail.
> We plan on having tens of thousands of email addresses stored in LDAP, every
> message that comes in is verified via LDAP that it is allowed, and then it
> is processed by our system.
> We plan on caching entries (positive and
> negative) for 24 hours, so as long as the look up has been done in the last
> 24 hours and the 1M record cache isn't exhausted it will not perform a look
> up. This should cut down a lot of the demand. Initially we are looking at
> about 100k lookups an hour, as we expand the service that can go up by
> 50-100k at a time.

Lots of people (myself included) use LDAP for this, among other things.

Fedora DS will not blink at 100K searches per hour. I have seen 50-80K
ops/minute on our LDAP servers, which are HP DL145s with 2 cores and 4 Gb
memory, without any performance degradation, and I've spoken with people
doing far more than that on comparable hardware.

At the rates you're talking about, performance will be a non-issue.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
----------------------------
LOPSA Sysadmin Days: Professional Training for Professional SysAdmins
August 6-7, Cherry Hill, NJ
http://lopsa.org/SysadminDays

From vampired at gmail.com Fri Jul 13 15:54:13 2007
From: vampired at gmail.com (Vampire D)
Date: Fri, 13 Jul 2007 11:54:13 -0400
Subject: [Fedora-directory-users] Performance
In-Reply-To:
References: <4ca8a4870707122045i4378df73jee9bcea1adffe5e@mail.gmail.com> <46979940.4020804@redhat.com> <4ca8a4870707130840s50e94975meffb9636c98ce7c6@mail.gmail.com>
Message-ID: <4ca8a4870707130854l79f361b3wfa80e7c5b02029ca@mail.gmail.com>

Would you recommend more than 2GB for 100k/hr?

On 7/13/07, Chris St. Pierre wrote:
>
> Lots of people (myself included) use LDAP for this, among other
> things.
>
> Fedora DS will not blink at 100K searches per hour. I have seen
> 50-80K ops/minute on our LDAP servers, which are HP DL145s with 2
> cores and 4 Gb memory, without any performance degradation, and I've
> spoken with people doing far more than that on comparable hardware.
>
> At the rates you're talking about, performance will be a non-issue.

From david_list at boreham.org Fri Jul 13 15:53:04 2007
From: david_list at boreham.org (David Boreham)
Date: Fri, 13 Jul 2007 09:53:04 -0600
Subject: [Fedora-directory-users] Performance
In-Reply-To: <4ca8a4870707130840s50e94975meffb9636c98ce7c6@mail.gmail.com>
References: <4ca8a4870707122045i4378df73jee9bcea1adffe5e@mail.gmail.com> <46979940.4020804@redhat.com> <4ca8a4870707130840s50e94975meffb9636c98ce7c6@mail.gmail.com>
Message-ID: <46979FE0.3070107@boreham.org>

Vampire D wrote:
> We will not be using LDAP in the traditional sense.
>
> Instead of authentication, we will be using it to perform lookups upon
> incoming mail.
> We plan on having tens of thousands of email addresses stored in LDAP,
> every message that comes in is verified via LDAP that it is allowed,
> and then it is processed by our system. We plan on caching entries
> (positive and negative) for 24 hours, so as long as the look up has
> been done in the last 24 hours and the 1M record cache isn't exhausted
> it will not perform a look up. This should cut down a lot of the
> demand. Initially we are looking at about 100k lookups an hour, as we
> expand the service that can go up by 50-100k at a time.
It isn't clear to me how often you'll be adding, deleting or modifying the
LDAP entries. Your search workload seems very low -- you should be able to
achieve on the order of 10-50k searches/s on modern hardware with on the
order of a million entries. However, like all databases that use a WAL, you
will struggle to achieve a few hundred writes/s without very high end
storage hardware (solid state disks for example).

It may not be worthwhile caching search results inside your application
because the LDAP server is caching too. You'd only save the network round
trip overhead.

From david_list at boreham.org Fri Jul 13 15:54:48 2007
From: david_list at boreham.org (David Boreham)
Date: Fri, 13 Jul 2007 09:54:48 -0600
Subject: [Fedora-directory-users] Performance
In-Reply-To: <4ca8a4870707130854l79f361b3wfa80e7c5b02029ca@mail.gmail.com>
References: <4ca8a4870707122045i4378df73jee9bcea1adffe5e@mail.gmail.com> <46979940.4020804@redhat.com> <4ca8a4870707130840s50e94975meffb9636c98ce7c6@mail.gmail.com> <4ca8a4870707130854l79f361b3wfa80e7c5b02029ca@mail.gmail.com>
Message-ID: <4697A048.20109@boreham.org>

Vampire D wrote:
> Would you recommend more than 2GB for 100k/hr?
Memory usage is unrelated to search workload. You need more memory to
achieve good performance with a larger set of active data.

I'd recommend you do some load testing. There are plenty of good tools
available that make testing fairly easy.

From Cary_Anderson at CalPERS.ca.gov Fri Jul 13 18:32:01 2007
From: Cary_Anderson at CalPERS.ca.gov (Anderson, Cary)
Date: Fri, 13 Jul 2007 11:32:01 -0700
Subject: [Fedora-directory-users] last login and disabling accounts based on lack of activity
In-Reply-To: <200707061231.33828.maumar@cost.it>
Message-ID: <611085D774BEAE4C9E4959C53EB7A9760E4C2F4D@hqk110.calpers.ca.gov>

I have a question of a similar nature. I was looking at using the
shadowaccount object class in order to disable accounts that have been
inactive for say 90 days. I thought to use the shadowinactive attribute,
but after playing around with it for a couple of days I have not had any
success. Does FDS not support the use of the shadowaccount attributes?

Cary Anderson, Systems Software Specialist
UNIX/Linux Services
Information Technology Services Branch
Technology Services & Support Division / Data Center Section
System Software & Storage Infrastructure
CalPERS
Phone: (916) 795-2588
Fax: (916) 795-2424

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Maurizio Marini
Sent: Friday, July 06, 2007 3:32 AM
To: fedora-directory-users at redhat.com
Subject: [Fedora-directory-users] last login

Is the last login (last bind, successful?) info available? If yes, which is
its name?
Maurizio

From rmeggins at redhat.com Fri Jul 13 18:29:51 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 13 Jul 2007 12:29:51 -0600
Subject: [Fedora-directory-users] last login and disabling accounts based on lack of activity
In-Reply-To: <611085D774BEAE4C9E4959C53EB7A9760E4C2F4D@hqk110.calpers.ca.gov>
References: <611085D774BEAE4C9E4959C53EB7A9760E4C2F4D@hqk110.calpers.ca.gov>
Message-ID: <4697C49F.9000702@redhat.com>

Anderson, Cary wrote:
> I have a question of a similar nature. I was looking at using the
> shadowaccount object class in order to disable accounts that have been
> inactive for say 90 days. I thought to use the shadowinactive
> attribute, but after playing around with it for a couple of days I have
> not had any success. Does FDS not support the use of the shadowaccount
> attributes?
>
No. Those are for the client side only.
> Cary Anderson, Systems Software Specialist
> UNIX/Linux Services
> Information Technology Services Branch
> Technology Services & Support Division / Data Center Section
> System Software & Storage Infrastructure
> CalPERS
> Phone: (916) 795-2588
> Fax: (916) 795-2424
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Maurizio
> Marini
> Sent: Friday, July 06, 2007 3:32 AM
> To: fedora-directory-users at redhat.com
> Subject: [Fedora-directory-users] last login
>
> Is the last login (last bind, successful?) info available?
> If yes, which is its name?
> Maurizio

From beyonddc.storage at gmail.com Mon Jul 16 13:03:36 2007
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Mon, 16 Jul 2007 09:03:36 -0400
Subject: [Fedora-directory-users] Performance
In-Reply-To: <4697A048.20109@boreham.org>
References: <4ca8a4870707122045i4378df73jee9bcea1adffe5e@mail.gmail.com> <46979940.4020804@redhat.com> <4ca8a4870707130840s50e94975meffb9636c98ce7c6@mail.gmail.com> <4ca8a4870707130854l79f361b3wfa80e7c5b02029ca@mail.gmail.com> <4697A048.20109@boreham.org>
Message-ID: <20e4c38c0707160603o35e15c59p7e0f54499f043e53@mail.gmail.com>

Can anyone recommend any tools that are available for testing LDAP?

- dc

On 7/13/07, David Boreham wrote:
>
> Vampire D wrote:
> > Would you recommend more than 2GB for 100k/hr?
> Memory usage is unrelated to search workload.
> You need more memory to achieve good performance
> with a larger set of active data.
>
> I'd recommend you do some load testing. There are
> plenty of good tools available that make testing fairly easy.

From ngaywood at une.edu.au Mon Jul 16 13:30:15 2007
From: ngaywood at une.edu.au (Norman Gaywood)
Date: Mon, 16 Jul 2007 23:30:15 +1000
Subject: [Fedora-directory-users] Performance
In-Reply-To: <4ca8a4870707122045i4378df73jee9bcea1adffe5e@mail.gmail.com>
References: <4ca8a4870707122045i4378df73jee9bcea1adffe5e@mail.gmail.com>
Message-ID: <7d7d864f0707160630y3b2232edq4f9135ec858c3a1a@mail.gmail.com>

On 7/13/07, Vampire D wrote:
> As I understand it, OpenLDAP doesn't perform all that well under a high
> load. How does FDS perform in comparison to other LDAP implementations like
> OpenLDAP and Sun?

Interesting. Where did you get the information that OpenLDAP does not
perform under load? I was always under the impression that OpenLDAP was
the fastest and most scalable LDAP server around. For example:

http://www.symas.com/benchmark-auth.shtml

I recall reading another benchmark somewhere comparing it with FDS but
can't find it at the moment.

--
Norman Gaywood, Systems Administrator
University of New England, Armidale,
NSW 2351, Australia

From vampired at gmail.com Mon Jul 16 14:12:57 2007
From: vampired at gmail.com (Vampire D)
Date: Mon, 16 Jul 2007 10:12:57 -0400
Subject: [Fedora-directory-users] Performance
In-Reply-To: <7d7d864f0707160630y3b2232edq4f9135ec858c3a1a@mail.gmail.com>
References: <4ca8a4870707122045i4378df73jee9bcea1adffe5e@mail.gmail.com> <7d7d864f0707160630y3b2232edq4f9135ec858c3a1a@mail.gmail.com>
Message-ID: <4ca8a4870707160712w12d1b941v8f1872e66084f021@mail.gmail.com>

I heard it from Cisco when working with them on a project, as they claimed
it has a hard time keeping up under a heavy load.

On 7/16/07, Norman Gaywood wrote:
>
> On 7/13/07, Vampire D wrote:
> > As I understand it, OpenLDAP doesn't perform all that well under a high
> > load. How does FDS perform in comparison to other LDAP implementations
> > like OpenLDAP and Sun?
>
> Interesting. Where did you get the information that OpenLDAP does not
> perform under load? I was always under the impression that OpenLDAP
> was the fastest and most scalable LDAP server around. For example:
>
> http://www.symas.com/benchmark-auth.shtml
>
> I recall reading another benchmark somewhere comparing it with FDS but
> can't find it at the moment.

From david_list at boreham.org Mon Jul 16 14:28:08 2007
From: david_list at boreham.org (David Boreham)
Date: Mon, 16 Jul 2007 08:28:08 -0600
Subject: [Fedora-directory-users] Performance
In-Reply-To: <20e4c38c0707160603o35e15c59p7e0f54499f043e53@mail.gmail.com>
References: <4ca8a4870707122045i4378df73jee9bcea1adffe5e@mail.gmail.com> <46979940.4020804@redhat.com> <4ca8a4870707130840s50e94975meffb9636c98ce7c6@mail.gmail.com> <4ca8a4870707130854l79f361b3wfa80e7c5b02029ca@mail.gmail.com> <4697A048.20109@boreham.org> <20e4c38c0707160603o35e15c59p7e0f54499f043e53@mail.gmail.com>
Message-ID: <469B8078.2000008@boreham.org>

Chun Tat David Chu wrote:
> Can anyone recommend any tools that are available for testing LDAP?
SLAMD is popular, but I still like to use the simple command line tools
like rsearch and its siblings:

http://docs.sun.com/source/816-6400-10/rsearch.html
http://docs.sun.com/source/816-5615-10/srchrate.htm
http://docs.sun.com/source/816-5615-10/modrate.htm
http://docs.sun.com/source/816-5615-10/authrate.htm
http://docs.sun.com/source/816-5615-10/infadd.htm

For me it's easier to craft a workload matching my requirements using
these tools.
From lesmikesell at gmail.com Mon Jul 16 15:20:23 2007
From: lesmikesell at gmail.com (Les Mikesell)
Date: Mon, 16 Jul 2007 10:20:23 -0500
Subject: [Fedora-directory-users] Performance
In-Reply-To: <7d7d864f0707160630y3b2232edq4f9135ec858c3a1a@mail.gmail.com>
References: <4ca8a4870707122045i4378df73jee9bcea1adffe5e@mail.gmail.com> <7d7d864f0707160630y3b2232edq4f9135ec858c3a1a@mail.gmail.com>
Message-ID: <469B8CB7.8090506@gmail.com>

Norman Gaywood wrote:
> On 7/13/07, Vampire D wrote:
>> As I understand it, OpenLDAP doesn't perform all that well under a high
>> load. How does FDS perform in comparison to other LDAP
>> implementations like
>> OpenLDAP and Sun?
>
> Interesting. Where did you get the information that OpenLDAP does not
> perform under load? I was always under the impression that OpenLDAP
> was the fastest and most scalable LDAP server around. For example:
>
> http://www.symas.com/benchmark-auth.shtml
>
> I recall reading another benchmark somewhere comparing it with FDS but
> can't find it at the moment.

That looks to be a read-only test. What happens when you throw some updates
at it? And are there any benchmarks for FDS running in multi-master mode
with update activity?

--
Les Mikesell
lesmikesell at gmail.com

From mrsalty0 at gmail.com Mon Jul 16 15:37:51 2007
From: mrsalty0 at gmail.com (J Davis)
Date: Mon, 16 Jul 2007 11:37:51 -0400
Subject: [Fedora-directory-users] Using certs from MS CA server
Message-ID:

Hello,

I have FDS 1.0.4 running using an SSL certificate generated by a Microsoft
Windows 2003 CA server. I chose this method as opposed to the setupssl.sh
script from the wiki because I have read in the list archives that it is
the best way to avoid trust issues when setting up PassSync over SSL
between FDS and AD. I'm having a hard time finding references for
configuring this properly and I know very little about SSL certificates so
I'm making some guesses and likely missing a crucial step or two.

The problem is that when trying to bind to the FDS using SSL I get
certificate verification errors.

> # ldapsearch -x -H ldaps://localhost/
> ldap_bind: Can't contact LDAP server (-1)
>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Here's how I set up the certificates...

1. Generated a CSR using the FDS console wizard and submitted it to the MS CA.
2. Imported the CA certificate (called "it") and the signed "server-cert"
   resulting from step 1 from the MS CA using the FDS admin console.
3. Enabled SSL (port 636) in the directory server using server-cert from
   step 1.

I used certutil to display the list of certificates in the FDS cert db.

> [alias]# ../shared/bin/certutil -L -d . -P slapd--
> server-cert                                    u,u,u
> it                                             CT,,

Then verified that "server-cert" was considered valid.

> [alias]# ../shared/bin/certutil -V -n server-cert -e -u V -d . -P slapd--
> Enter Password or Pin for "NSS Certificate DB":
> certutil-bin: certificate is valid

I also verified that I can connect using openssl client.

> # openssl s_client -connect localhost:636 -showcerts -CAfile /path/to/it_ca.crt
> --snip--
> Verify return code: 0 (ok)
> ---

Any hints as to what I might be doing wrong are greatly appreciated.

Thanks,
-Jake

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rmeggins at redhat.com Mon Jul 16 15:42:53 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 16 Jul 2007 09:42:53 -0600
Subject: [Fedora-directory-users] Using certs from MS CA server
In-Reply-To:
References:
Message-ID: <469B91FD.9010503@redhat.com>

J Davis wrote:
> Hello,
>
> I have FDS 1.0.4 running using an SSL certificate generated by a
> Microsoft Windows 2003 CA server.
> I chose this method as opposed to the setupssl.sh script from the
> wiki because I have read in the list archives that it is the best way
> to avoid trust issues when setting up PassSync over SSL between FDS
> and AD. I'm having a hard time finding references for configuring this
> properly and I know very little about SSL certificates so I'm making
> some guesses and likely missing a crucial step or two.
> The problem is that when trying to bind to the FDS using SSL I get
> certificate verification errors.
>
> > # ldapsearch -x -H ldaps://localhost/
> > ldap_bind: Can't contact LDAP server (-1)
> >         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
/usr/bin/ldapsearch is OpenLDAP ldapsearch. Did you follow these steps to
tell it where to find the CA cert?
http://directory.fedoraproject.org/wiki/Howto:SSL#Configure_LDAP_clients
>
> Here's how I set up the certificates...
> 1. Generated a CSR using the FDS console wizard and submitted it to
> the MS CA.
> 2. Imported the CA certificate (called "it") and the signed
> "server-cert" resulting from step 1 from the MS CA using the FDS admin
> console.
> 3. Enabled SSL (port 636) in the directory server using server-cert
> from step 1.
When you restarted the directory server, did it say it was listening for
LDAPS requests on port 636 in the error log?
>
> I used certutil to display the list of certificates in the FDS cert db.
> > [alias]# ../shared/bin/certutil -L -d . -P slapd--
> > server-cert u,u,u
> > it CT,,
>
> Then verified that "server-cert" was considered valid.
> > [alias]# ../shared/bin/certutil -V -n server-cert -e -u V -d . -P
> slapd--
> > Enter Password or Pin for "NSS Certificate DB":
> > certutil-bin: certificate is valid
>
> I also verified that I can connect using openssl client.
> > # openssl s_client -connect localhost:636 -showcerts -CAfile
> /path/to/it_ca.crt
> --snip--
> > Verify return code: 0 (ok)
> > ---
>
> Any hints as to what I might be doing wrong are greatly appreciated.
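The failure above is on the client side: certutil and openssl s_client (with -CAfile) both accept server-cert, but /usr/bin/ldapsearch is linked against libldap/OpenSSL and never reads the NSS cert db, so it has no CA to verify against. The following added example (not from the thread, and not Fedora DS or OpenLDAP project code) parses the OpenLDAP client settings that matter (TLS_CACERT, TLS_CACERTDIR, TLS_REQCERT in ldap.conf, or the LDAPTLS_* environment overrides), predicts whether an ldaps:// search can verify the server, and can repeat the openssl-style verified handshake from Python. The sample configs and the /etc/openldap/cacerts/it_ca.crt path are constructed.

```python
"""Diagnose OpenLDAP-client 'certificate verify failed' against an LDAPS server.

Added example; the configs and paths below are constructed for illustration.
TLS_REQCERT semantics follow ldap.conf(5): never = do not check the server
cert; allow = check it but tolerate a bad one; try/demand = a cert that
cannot be verified aborts the connection (demand is the default).
"""
import os
import socket
import ssl
from dataclasses import dataclass
from typing import Callable, Mapping, Optional, Tuple


@dataclass
class ClientTlsConfig:
    cacert: Optional[str]      # TLS_CACERT: PEM file holding the CA cert(s)
    cacertdir: Optional[str]   # TLS_CACERTDIR: directory of hashed CA certs
    reqcert: str               # TLS_REQCERT: never | allow | try | demand


def parse_ldap_conf(text: str, env: Optional[Mapping[str, str]] = None) -> ClientTlsConfig:
    """Parse ldap.conf-style text; LDAPTLS_* environment variables win, as in libldap."""
    env = os.environ if env is None else env
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            values[parts[0].upper()] = parts[1].strip()
    reqcert = env.get("LDAPTLS_REQCERT", values.get("TLS_REQCERT", "demand")).lower()
    if reqcert == "hard":                      # 'hard' is an alias of 'demand'
        reqcert = "demand"
    return ClientTlsConfig(
        cacert=env.get("LDAPTLS_CACERT", values.get("TLS_CACERT")),
        cacertdir=env.get("LDAPTLS_CACERTDIR", values.get("TLS_CACERTDIR")),
        reqcert=reqcert,
    )


def diagnose(cfg: ClientTlsConfig,
             path_exists: Callable[[str], bool] = os.path.exists) -> str:
    """Return 'ok', 'unverified' or 'fail: ...' for an ldaps:// connection."""
    if cfg.reqcert == "never":
        return "unverified"                    # connects, server cert never checked
    trusted = ((cfg.cacert is not None and path_exists(cfg.cacert))
               or (cfg.cacertdir is not None and path_exists(cfg.cacertdir)))
    if trusted:
        return "ok"
    if cfg.reqcert == "allow":
        return "unverified"                    # unverifiable cert is tolerated
    return ("fail: no readable TLS_CACERT/TLS_CACERTDIR; with TLS_REQCERT "
            f"{cfg.reqcert} libldap reports 'certificate verify failed'")


def verify_ldaps_server(host: str, port: int, cafile: str,
                        timeout: float = 5.0) -> Tuple[bool, str]:
    """Repeat the openssl s_client -CAfile check: a TLS handshake verified
    against cafile, including the hostname check libldap also performs."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.getpeercert()              # handshake done; cert chain accepted
        return True, "verified"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate verify failed: {exc.verify_message}"
    except OSError as exc:                     # refused, timeout, missing cafile
        return False, f"connection failed: {exc}"


# Constructed sample: the client config as shipped (the situation in the
# post) and the corrected one pointing at the CA's PEM file.
BROKEN_CONF = """# /etc/openldap/ldap.conf with no CA configured
URI ldaps://localhost/
BASE dc=example,dc=com
"""
FIXED_CONF = """# CA cert (nickname "it" in the NSS db) exported as PEM and referenced here
URI ldaps://localhost/
BASE dc=example,dc=com
TLS_CACERT /etc/openldap/cacerts/it_ca.crt
TLS_REQCERT demand
"""

if __name__ == "__main__":
    print("as posted:", diagnose(parse_ldap_conf(BROKEN_CONF, env={})))
    # path_exists is stubbed so the demo does not depend on this machine's files
    print("with CA  :", diagnose(parse_ldap_conf(FIXED_CONF, env={}),
                                 path_exists=lambda p: p.endswith("it_ca.crt")))
    # Live check when a server is reachable (placeholder path):
    # print(verify_ldaps_server("localhost", 636, "/etc/openldap/cacerts/it_ca.crt"))
```

Note that the CA file path must also be readable by the user running ldapsearch, and that the hostname in the URI must match the server certificate, or libldap will still refuse the connection after trust is fixed.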
> > Thanks, > -Jake > > > > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From adamaod at gmail.com Mon Jul 16 16:13:49 2007 From: adamaod at gmail.com (Adam Valenzuela) Date: Mon, 16 Jul 2007 09:13:49 -0700 Subject: [Fedora-directory-users] questions about FDS and distro/email groups Message-ID: <7d2291380707160913l463e620eqce20d343a6b5f648@mail.gmail.com> Hello all, I have a question about FDS and the ability to make a distro/email group. Here is some backgroud. Currently running openldap as my GAL and we want to switch to FDS because the people we sync with all use exchange. I have FDS 1.0.3 stood up and running. I exported my ldif file from my openldap server which has both email accounts and distro groups. When i imported them into FDS all the email address were stripped. At first I thought it was the syntax of the openldap leif file, and at first it was and i wanst able to import anything. Now i can import without any errors but no email address come up, just user account info. What did I do wrong? Thank you in advance, -- Thank you, Adam A. Valenzuela -------------- next part -------------- An HTML attachment was scrubbed... 
From rmeggins at redhat.com  Mon Jul 16 16:08:49 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 16 Jul 2007 10:08:49 -0600
Subject: [Fedora-directory-users] questions about FDS and distro/email groups
In-Reply-To: <7d2291380707160913l463e620eqce20d343a6b5f648@mail.gmail.com>
References: <7d2291380707160913l463e620eqce20d343a6b5f648@mail.gmail.com>
Message-ID: <469B9811.7000101@redhat.com>

Adam Valenzuela wrote:
> Hello all,
>
> I have a question about FDS and the ability to make a
> distro/email group. Here is some background. Currently running
> openldap as my GAL and we want to switch to FDS because the people we
> sync with all use exchange. I have FDS 1.0.3 stood up and running. I
> exported my ldif file from my openldap server which has both email
> accounts and distro groups. When I imported them into FDS all the
> email addresses were stripped. At first I thought it was the syntax of
> the openldap ldif file, and at first it was and I wasn't able to import
> anything. Now I can import without any errors but no email addresses
> come up, just user account info.
>
> What did I do wrong?
Did you migrate the access control information from openldap to Fedora DS?
>
> Thank you in advance,
>
> --
> Thank you,
> Adam A. Valenzuela

From joshua at itsecureadmin.com  Mon Jul 16 16:19:29 2007
From: joshua at itsecureadmin.com (Joshua M. Miller)
Date: Mon, 16 Jul 2007 09:19:29 -0700
Subject: [Fedora-directory-users] Using certs from MS CA server
Message-ID: <469B9A91.5060401@itsecureadmin.com>

Hi David,

If you are using a self-signed certificate (i.e., the CN on the CA cert is
the same domain as the CN on the LDAP cert) then OpenLDAP will reject the
certificate by default.

You can see from the message that it found the certificate by the message
"certificate verify failed" in the error message.

If you want to keep using this certificate, you can add the following line
to your /etc/openldap/ldap.conf:

TLS_REQCERT never

This will allow ldapsearch to function while ignoring this error.

Please note the consequences of this action in the man page for ldap.conf.

Good luck,
--
Joshua M. Miller - RHCE,VCP

J Davis wrote:
> Hello,
>
> I have FDS 1.0.4 running using an SSL certificate generated by a
> Microsoft Windows 2003 CA server.
> The problem is that when trying to bind to the FDS using SSL I get
> certificate verification errors.
>
> > # ldapsearch -x -H ldaps://localhost/
> > ldap_bind: Can't contact LDAP server (-1)
> >         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

From joshua at itsecureadmin.com  Mon Jul 16 16:21:59 2007
From: joshua at itsecureadmin.com (Joshua M. Miller)
Date: Mon, 16 Jul 2007 09:21:59 -0700
Subject: UPDATED: [Fedora-directory-users] Using certs from MS CA server
Message-ID: <469B9B27.6090201@itsecureadmin.com>

Hi Jake,

If you are using a self-signed certificate (i.e., the CN on the CA cert is
the same domain as the CN on the LDAP cert) then OpenLDAP will reject the
certificate by default.

You can see from the message that it found the certificate by the message
"certificate verify failed" in the error message.

If you want to keep using this certificate, you can add the following line
to your /etc/openldap/ldap.conf:

TLS_REQCERT never

This will allow ldapsearch to function while ignoring this error.

Please note the consequences of this action in the man page for ldap.conf.

Good luck,
--
Joshua M. Miller - RHCE,VCP

J Davis wrote:
> Hello,
>
> I have FDS 1.0.4 running using an SSL certificate generated by a
> Microsoft Windows 2003 CA server.
> The problem is that when trying to bind to the FDS using SSL I get
> certificate verification errors.
>
> > # ldapsearch -x -H ldaps://localhost/
> > ldap_bind: Can't contact LDAP server (-1)
> >         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

From Cary_Anderson at CalPERS.ca.gov  Mon Jul 16 16:25:07 2007
From: Cary_Anderson at CalPERS.ca.gov (Anderson, Cary)
Date: Mon, 16 Jul 2007 09:25:07 -0700
Subject: [Fedora-directory-users] Help creating aci for a password manager account
In-Reply-To: <469B91FD.9010503@redhat.com>
Message-ID: <611085D774BEAE4C9E4959C53EB7A9760E4C2F55@hqk110.calpers.ca.gov>

I am trying to create an ldap user account that will have only the
ability to change passwords on other ldap users. I have played around
with the aci tool and have not had any success. Any help would be
appreciated.

Thanks

Cary Anderson, Systems Software Specialist
UNIX/Linux Services
Information Technology Services Branch
Technology Services & Support Division / Data Center Section
System Software & Storage Infrastructure
CalPERS
Phone: (916) 795-2588
Fax: (916) 795-2424

From rmeggins at redhat.com  Mon Jul 16 16:28:26 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 16 Jul 2007 10:28:26 -0600
Subject: [Fedora-directory-users] Help creating aci for a password manager account
In-Reply-To: <611085D774BEAE4C9E4959C53EB7A9760E4C2F55@hqk110.calpers.ca.gov>
References: <611085D774BEAE4C9E4959C53EB7A9760E4C2F55@hqk110.calpers.ca.gov>
Message-ID: <469B9CAA.5050204@redhat.com>

Anderson, Cary wrote:
> I am trying to create an ldap user account that will have only the
> ability to change passwords on other ldap users. I have played around
> with the aci tool and have not had any success. Any help would be
> appreciated.
>
It could be a conflict with one of the default ACIs that are created when
you run setup.
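To make the exchange above concrete, here is an added example (not code from the thread, from Cary, or from the Fedora DS project) of an ACI that delegates exactly one thing, writing userPassword under a people subtree, to a dedicated bind account. The names are assumptions: suffix dc=example,dc=com, users under ou=People, and the account uid=pwmanager,ou=Special Users,dc=example,dc=com. The guard refuses two attribute grants that would quietly hand out far more than password resets: "*" (every attribute) and "aci" (write access to the access rules themselves). The ldapsearch invocation in the comments is how one would check whether a default ACI overlaps with the new one, which is the conflict Richard mentions; its -E syntax for the get-effective-rights control is stated as an assumption about OpenLDAP's ldapsearch.

```shell
#!/bin/sh
# Delegate password resets to one account with an ACI that grants write on
# userPassword and nothing else. Added example for this archive; the DNs are
# assumed, not taken from the thread.

# Refuse attribute lists that would escalate the grant: "*" covers every
# attribute, and write on "aci" lets the grantee rewrite the access rules.
# Attribute lists use ACI syntax, e.g. "userPassword" or "userPassword||pwdReset".
check_target_attrs() {
    norm=$(printf '%s' "$1" | tr -d ' ' | tr 'A-Z' 'a-z' | sed 's/||/|/g')
    case "|$norm|" in
        *'|*|'*|*'|aci|'*)
            echo "refusing a write grant that includes '*' or 'aci'" >&2
            return 1 ;;
    esac
    return 0
}

# Print the LDIF that adds the ACI to the subtree entry.
#   $1 = entry the ACI is placed on (the grant applies to that subtree)
#   $2 = DN of the delegated account
#   $3 = attribute list in ACI syntax
password_manager_aci_ldif() {
    subtree="$1"; manager="$2"; attrs="$3"
    check_target_attrs "$attrs" || return 1
    cat <<EOF
dn: $subtree
changetype: modify
add: aci
aci: (targetattr="$attrs")(version 3.0; acl "Password manager may reset passwords only"; allow (write) userdn="ldap:///$manager";)
EOF
}

MANAGER_DN="uid=pwmanager,ou=Special Users,dc=example,dc=com"
PEOPLE_DN="ou=People,dc=example,dc=com"
LDIF_OUT=$(mktemp)

password_manager_aci_ldif "$PEOPLE_DN" "$MANAGER_DN" "userPassword" >"$LDIF_OUT"
echo "Generated $LDIF_OUT:"
cat "$LDIF_OUT"

# Apply it as Directory Manager (not run here):
#   ldapmodify -x -H ldaps://ldap.example.com/ -D "cn=Directory Manager" -W -f "$LDIF_OUT"
#
# Then look at what the account can actually do on a user entry, which shows
# whether a default ACI from setup adds rights on top of this one. Assumed
# syntax for the get-effective-rights control (OID 1.3.6.1.4.1.42.2.27.9.5.2):
#   ldapsearch -x -H ldaps://ldap.example.com/ -D "cn=Directory Manager" -W \
#     -b "$PEOPLE_DN" \
#     -E '!1.3.6.1.4.1.42.2.27.9.5.2=:dn:uid=pwmanager,ou=Special Users,dc=example,dc=com' \
#     '(uid=*)' attributeLevelRights
```

The ACI lives on the ou=People entry rather than on each user, so it scopes the grant to that subtree and nowhere else; the account still needs whatever read or search rights the default ACIs already give it in order to locate the entries it resets.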
From tour9 at ece.lsu.edu  Mon Jul 16 18:02:11 2007
From: tour9 at ece.lsu.edu (Saied W. Andalib)
Date: Mon, 16 Jul 2007 13:02:11 -0500
Subject: [Fedora-directory-users] Creating a new group...
In-Reply-To: <469B9811.7000101@redhat.com>
References: <7d2291380707160913l463e620eqce20d343a6b5f648@mail.gmail.com> <469B9811.7000101@redhat.com>
Message-ID: <20070716130211.5c798f6c@control.ece.lsu.edu>

I'm trying to create a new group "cn=testgroup" under the "ou=Groups"
which is already provided by default. The testgroup has an "entryid"
attribute. However, when I try to add the "gidNumber" attribute through
the "Add Attribute" Tab, it doesn't seem to be listed.

SWA

From mrsalty0 at gmail.com  Mon Jul 16 19:11:38 2007
From: mrsalty0 at gmail.com (J Davis)
Date: Mon, 16 Jul 2007 15:11:38 -0400
Subject: [Fedora-directory-users] Using certs from MS CA server
In-Reply-To: <469B91FD.9010503@redhat.com>
References: <469B91FD.9010503@redhat.com>

On 7/16/07, Richard Megginson wrote:
> > > # ldapsearch -x -H ldaps://localhost/
> > > ldap_bind: Can't contact LDAP server (-1)
> > >         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> /usr/bin/ldapsearch is OpenLDAP ldapsearch.  Did you follow these steps
> to tell it where to find the CA cert?
> http://directory.fedoraproject.org/wiki/Howto:SSL#Configure_LDAP_clients

I did not and, as you predicted, doing so has fixed the bind error.

Thanks!
-Jake

From mrsalty0 at gmail.com  Mon Jul 16 19:14:19 2007
From: mrsalty0 at gmail.com (J Davis)
Date: Mon, 16 Jul 2007 15:14:19 -0400
Subject: [Fedora-directory-users] Using certs from MS CA server
In-Reply-To: <469B9A91.5060401@itsecureadmin.com>
References: <469B9A91.5060401@itsecureadmin.com>

Thanks, Joshua. This is very helpful.

-Jake

On 7/16/07, Joshua M. Miller wrote:
>
> Hi David,
>
> If you are using a self-signed certificate (i.e., the CN on the CA cert is
> the same domain as the CN on the LDAP cert) then OpenLDAP will reject
> the certificate by default.
>
> If you want to keep using this certificate, you can add the following
> line to your /etc/openldap/ldap.conf:
>
> TLS_REQCERT never
>
> This will allow ldapsearch to function while ignoring this error.
>
> Please note the consequences of this action in the man page for ldap.conf.
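The sub-thread above ends with two different ways to make ldapsearch stop failing: pointing the OpenLDAP client at the CA certificate (the wiki page Richard linked, which is what fixed Jake's bind) and switching verification off with TLS_REQCERT never (Joshua's workaround). The script below is an added example for this archive, not code from the thread or from Fedora DS; it audits an ldap.conf for exactly those settings and runs over three constructed configurations: the state Jake started in (verification at its default but no CA configured), the workaround, and the hardened version. The CA file it references is an empty stand-in for the PEM export of the "it" CA certificate, which the thread only names as /path/to/it_ca.crt.

```shell
#!/bin/sh
# Audit an OpenLDAP client ldap.conf for the settings this thread turns on:
# TLS_REQCERT (how strictly the server certificate is checked) and
# TLS_CACERT / TLS_CACERTDIR (where the client finds the CA that signed it).
# Added example for this archive, not code from the thread or the project.

# Return 0 when the client will verify the server certificate against a
# configured CA, 1 otherwise, printing each finding. OpenLDAP semantics:
# TLS_REQCERT defaults to "demand" when unset; "never" and "allow" let the
# session proceed with an unverified certificate; "try"/"demand"/"hard"
# reject a certificate that fails verification.
check_ldap_tls_conf() {
    conf="$1"
    rc=0
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT" {v=tolower($2)} END {if (v=="") v="demand"; print v}' "$conf")
    cafile=$(awk 'toupper($1)=="TLS_CACERT" {v=$2} END {print v}' "$conf")
    cadir=$(awk 'toupper($1)=="TLS_CACERTDIR" {v=$2} END {print v}' "$conf")

    case "$reqcert" in
        never|allow)
            echo "$conf: TLS_REQCERT $reqcert accepts any server certificate, so an impostor listener is not detected"
            rc=1 ;;
        try|demand|hard) ;;
        *)
            echo "$conf: unrecognised TLS_REQCERT value '$reqcert'"
            rc=1 ;;
    esac

    if [ -z "$cafile" ] && [ -z "$cadir" ]; then
        echo "$conf: no TLS_CACERT or TLS_CACERTDIR, so the server certificate cannot be verified"
        rc=1
    fi
    if [ -n "$cafile" ] && [ ! -r "$cafile" ]; then
        echo "$conf: TLS_CACERT $cafile is not readable"
        rc=1
    fi
    if [ -n "$cadir" ] && [ ! -d "$cadir" ]; then
        echo "$conf: TLS_CACERTDIR $cadir is not a directory"
        rc=1
    fi
    return $rc
}

tmpdir=$(mktemp -d)

# Constructed stand-in for the CA certificate exported from the MS CA (the
# thread's "it" CA). An empty file is enough for this configuration check.
CA_FILE="$tmpdir/it_ca.crt"
: >"$CA_FILE"

# 1. The starting point in the thread: TLS_REQCERT at its default (demand)
#    but no CA configured. Every ldaps:// bind fails "certificate verify failed".
NOCA_CONF="$tmpdir/ldap.conf.noca"
cat >"$NOCA_CONF" <<EOF
URI ldaps://localhost/
BASE dc=example,dc=com
EOF

# 2. The workaround: the bind succeeds, but so would one to any server
#    that answers on port 636.
WEAK_CONF="$tmpdir/ldap.conf.weak"
cat >"$WEAK_CONF" <<EOF
URI ldaps://localhost/
BASE dc=example,dc=com
TLS_REQCERT never
EOF

# 3. The fix: tell the client where the CA certificate is and keep verification on.
GOOD_CONF="$tmpdir/ldap.conf.hardened"
cat >"$GOOD_CONF" <<EOF
URI ldaps://localhost/
BASE dc=example,dc=com
TLS_CACERT $CA_FILE
TLS_REQCERT demand
EOF

for f in "$NOCA_CONF" "$WEAK_CONF" "$GOOD_CONF"; do
    if check_ldap_tls_conf "$f"; then
        echo "$f: OK, server certificate will be verified against the configured CA"
    fi
done
```

Only the third configuration passes. The first and second fail for different reasons: the first cannot verify because it has no trust anchor, which is the error Jake saw; the second never verifies at all, which is why the error disappears.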
From seriv at omniti.com  Mon Jul 16 21:06:59 2007
From: seriv at omniti.com (Sergey Ivanov)
Date: Mon, 16 Jul 2007 17:06:59 -0400
Subject: [Fedora-directory-users] how to search using attributes of the parent nodes
Message-ID: <469BDDF3.5010602@omniti.com>

Hi,

I'm looking for a way to create a search filter which can filter by
specifying attributes not only at the destination object, but also at its
parents in the directory tree.

Namely, I have mail aliases for virtual domains stored in the ldap tree.
I have ou=mailAliases, and under it ou=, ou= and so on.
Each domain has entries cn= of class mailGroup, with attributes
mgrpRFC822MailMember holding the expansion for these aliases.

Things become complicated because each domain has different
representations. I can store them in the ou attributes of the domain's entry.
Can I search with a filter requesting the entry with cn= which belongs
to a parent having ou= in its attributes?

So far I understand that I can't, and the only way to do it is to create
copies of these subtrees with DNs for each representation of the domain name.

--
Sergey Ivanov.

From seriv at omniti.com  Mon Jul 16 21:43:05 2007
From: seriv at omniti.com (Sergey Ivanov)
Date: Mon, 16 Jul 2007 17:43:05 -0400
Subject: [Fedora-directory-users] how to search using attributes of the parent nodes
In-Reply-To: <469BDDF3.5010602@omniti.com>
References: <469BDDF3.5010602@omniti.com>
Message-ID: <469BE669.5040107@omniti.com>

Sergey Ivanov wrote:
> So far I understand that I can't, and the only way to do it is to create
> copies of these subtrees with DNs for each representation of the domain
> name.

Maybe aliasObject, or a reference, can help avoid duplication of subtrees?
If so, how to use them with Fedora DS?

--
Sergey Ivanov

From adamaod at gmail.com  Mon Jul 16 23:01:01 2007
From: adamaod at gmail.com (Adam Valenzuela)
Date: Mon, 16 Jul 2007 16:01:01 -0700
Subject: [Fedora-directory-users] questions about FDS and distro/email groups
In-Reply-To: <469B9811.7000101@redhat.com>
References: <7d2291380707160913l463e620eqce20d343a6b5f648@mail.gmail.com> <469B9811.7000101@redhat.com>
Message-ID: <7d2291380707161601y2e70c88kbabfc336caab7587@mail.gmail.com>

we had no aci's on the openldap side.

On 7/16/07, Richard Megginson wrote:
> Adam Valenzuela wrote:
> > What did I do wrong?
> Did you migrate the access control information from openldap to Fedora DS?

--
Thank you,
Adam A. Valenzuela
From rmeggins at redhat.com  Mon Jul 16 22:57:15 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 16 Jul 2007 16:57:15 -0600
Subject: [Fedora-directory-users] questions about FDS and distro/email groups
In-Reply-To: <7d2291380707161601y2e70c88kbabfc336caab7587@mail.gmail.com>
References: <7d2291380707160913l463e620eqce20d343a6b5f648@mail.gmail.com> <469B9811.7000101@redhat.com> <7d2291380707161601y2e70c88kbabfc336caab7587@mail.gmail.com>
Message-ID: <469BF7CB.3080809@redhat.com>

Adam Valenzuela wrote:
> we had no aci's on the openldap side.
>
> On 7/16/07, *Richard Megginson* wrote:
>
>     Adam Valenzuela wrote:
>     > exported my ldif file from my openldap server which has both email
>     > accounts and distro groups. When I imported them into FDS all the
>     > email addresses were stripped. At first I thought it was the
>     > syntax of the openldap ldif file, and at first it was and I wasn't
>     > able to import anything. Now I can import without any errors but
>     > no email addresses come up, just user account info.
Can you post a relevant excerpt of the LDIF file you exported from OpenLDAP?
>     > What did I do wrong?
>     Did you migrate the access control information from openldap to
>     Fedora DS?

From adamaod at gmail.com  Tue Jul 17 00:52:52 2007
From: adamaod at gmail.com (Adam Valenzuela)
Date: Mon, 16 Jul 2007 17:52:52 -0700
Subject: [Fedora-directory-users] questions about FDS and distro/email groups
In-Reply-To: <469BF7CB.3080809@redhat.com>
References: <7d2291380707160913l463e620eqce20d343a6b5f648@mail.gmail.com> <469B9811.7000101@redhat.com> <7d2291380707161601y2e70c88kbabfc336caab7587@mail.gmail.com> <469BF7CB.3080809@redhat.com>
Message-ID: <7d2291380707161752h143ff206w601773fd1c04df57@mail.gmail.com>

There is company sensitive information inside the ldif so I am unable to
send you a copy, but if you tell me what you're looking for I can troll
for it.

On 7/16/07, Richard Megginson wrote:
> Can you post a relevant excerpt of the LDIF file you exported from
> OpenLDAP?

--
Thank you,
Adam A. Valenzuela
From ngaywood at une.edu.au  Tue Jul 17 01:35:26 2007
From: ngaywood at une.edu.au (Norman Gaywood)
Date: Tue, 17 Jul 2007 11:35:26 +1000
Subject: [Fedora-directory-users] Performance
In-Reply-To: <469B8CB7.8090506@gmail.com>
References: <4ca8a4870707122045i4378df73jee9bcea1adffe5e@mail.gmail.com> <7d7d864f0707160630y3b2232edq4f9135ec858c3a1a@mail.gmail.com> <469B8CB7.8090506@gmail.com>
Message-ID: <20070717013526.GA17149@turing.une.edu.au>

On Mon, Jul 16, 2007 at 10:20:23AM -0500, Les Mikesell wrote:
> Norman Gaywood wrote:
> >perform under load? I was always under the impression that OpenLDAP
> >was the fastest and most scalable LDAP server around. For example:
> >
> >http://www.symas.com/benchmark-auth.shtml
> >
> >I recall reading another benchmark somewhere comparing it with FDS but
> >can't find it at the moment.
>
> That looks to be a read-only test. What happens when you throw some
> updates at it? And are there any benchmarks for FDS running in
> multi-master mode with update activity?

Yes it was a read-only test. But then that's the main application of
LDAP servers. Are there applications that require high LDAP write
performance?

I found the other benchmark paper here:

http://highlandsun.com/hyc/SambaXP.pdf

It includes figures for FDS. A summary can be found here:

http://www.mail-archive.com/ldap at umich.edu/msg01151.html

According to that paper, OpenLDAP pretty much blows away everyone else in
performance and scalability. Nothing else is even close. Of course it is a
benchmark. I'm sure someone will find some flaws :-)

--
Norman Gaywood, Systems Administrator
School of Mathematics, Statistics and Computer Science
University of New England, Armidale, NSW 2351, Australia

norm at turing.une.edu.au                 Phone: +61 (0)2 6773 2412
http://turing.une.edu.au/~norm           Fax:   +61 (0)2 6773 3312

Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

From rmeggins at redhat.com  Tue Jul 17 02:15:23 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 16 Jul 2007 20:15:23 -0600
Subject: [Fedora-directory-users] questions about FDS and distro/email groups
In-Reply-To: <7d2291380707161752h143ff206w601773fd1c04df57@mail.gmail.com>
References: <7d2291380707160913l463e620eqce20d343a6b5f648@mail.gmail.com> <469B9811.7000101@redhat.com> <7d2291380707161601y2e70c88kbabfc336caab7587@mail.gmail.com> <469BF7CB.3080809@redhat.com> <7d2291380707161752h143ff206w601773fd1c04df57@mail.gmail.com>
Message-ID: <469C263B.3040401@redhat.com>

Adam Valenzuela wrote:
> There is company sensitive information inside the ldif so I am unable
> to send you a copy, but if you tell me what you're looking for I can
> troll for it.
Well I'm not exactly sure, but I get the impression that something is
wrong.

What people usually do is obscure company sensitive information before
posting e.g.
dn: uid=XXXXX,ou=people,dc=example,dc=com
uid: XXXXX
userPassword: XXXXXXX
>
> On 7/16/07, Richard Megginson wrote:
>     Can you post a relevant excerpt of the LDIF file you exported from
>     OpenLDAP?
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From david_list at boreham.org Tue Jul 17 02:24:51 2007 From: david_list at boreham.org (David Boreham) Date: Mon, 16 Jul 2007 20:24:51 -0600 Subject: [Fedora-directory-users] Performance In-Reply-To: <20070717013526.GA17149@turing.une.edu.au> References: <4ca8a4870707122045i4378df73jee9bcea1adffe5e@mail.gmail.com> <7d7d864f0707160630y3b2232edq4f9135ec858c3a1a@mail.gmail.com> <469B8CB7.8090506@gmail.com> <20070717013526.GA17149@turing.une.edu.au> Message-ID: <469C2873.7070005@boreham.org> Norman Gaywood wrote: > Yes it was a read-only test. But then that's the main application of > LDAP servers. Are there applications that require high LDAP write > performance? > It's pretty easy to achieve performance in excess of most applications' requirements for reads, but write performance it typically much lower (due to the need to maintain the WAL with many indices, usually). Replication makes the situation worse because the replication changelog also has to be written, reducing the available I/O resources for primary database writes. So in any given real-world application, it's often the write capacity that determines overall system capacity. From ashley at csse.uwa.edu.au Tue Jul 17 07:27:27 2007 From: ashley at csse.uwa.edu.au (ashley) Date: Tue, 17 Jul 2007 15:27:27 +0800 (WST) Subject: [Fedora-directory-users] Creating a new group... In-Reply-To: <20070716130211.5c798f6c@control.ece.lsu.edu> References: <7d2291380707160913l463e620eqce20d343a6b5f648@mail.gmail.com> <469B9811.7000101@redhat.com> <20070716130211.5c798f6c@control.ece.lsu.edu> Message-ID: You have to add the objectClass first before you can add certain attributes because it belongs to that objectclass. ie ObjectClass in your case would be posixGroup then you can gidNumber. 
Or better yet, if doing lots of object manipulation I strongly recommend
you learn how to edit objects via the command line; it's more powerful
and adaptable if you are modifying/adding/deleting several objects in
the LDAP directory. I.e. in your case, Unix groups and membership, which
I've documented for reference on my website
http://www.csse.uwa.edu.au/~ashley; look at "LDAP HOWTO Fedora Directory
Server via Command line".

Cheers then,
Ashley

> I'm trying to create a new group "cn=testgroup" under the "ou=Groups"
> which is already provided by default. The testgroup has an "entryid"
> attribute. However, when I try to add the "gidNumber" attribute through
> the "Add Attribute" Tab, it doesn't seem to be listed.
>
> SWA

--
Ashley Chew - Systems Administrator
School of Computer Science and Software Engineering
University of Western Australia
Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089
Ashley[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ashley
"There is no such thing as Fate, Fate is what you make of it!"

From stpierre at NebrWesleyan.edu Tue Jul 17 14:44:27 2007
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Tue, 17 Jul 2007 09:44:27 -0500 (CDT)
Subject: [Fedora-directory-users] Performance
In-Reply-To: <4ca8a4870707130854l79f361b3wfa80e7c5b02029ca@mail.gmail.com>
References: <4ca8a4870707122045i4378df73jee9bcea1adffe5e@mail.gmail.com> <46979940.4020804@redhat.com> <4ca8a4870707130840s50e94975meffb9636c98ce7c6@mail.gmail.com> <4ca8a4870707130854l79f361b3wfa80e7c5b02029ca@mail.gmail.com>
Message-ID:

On Fri, 13 Jul 2007, Vampire D wrote:
> Would you recommend more than 2GB for 100k/hr?

If you can afford it, I'd recommend enough memory to keep your entire
database resident in memory.
That's obviously not a function of queries per hour, but of number of
entries, entry size, etc.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
----------------------------
LOPSA Sysadmin Days: Professional Training for Professional SysAdmins
August 6-7, Cherry Hill, NJ
http://lopsa.org/SysadminDays

From adamaod at gmail.com Tue Jul 17 15:52:24 2007
From: adamaod at gmail.com (Adam Valenzuela)
Date: Tue, 17 Jul 2007 08:52:24 -0700
Subject: [Fedora-directory-users] questions about FDS and distro/email groups
In-Reply-To: <469C263B.3040401@redhat.com>
References: <7d2291380707160913l463e620eqce20d343a6b5f648@mail.gmail.com> <469B9811.7000101@redhat.com> <7d2291380707161601y2e70c88kbabfc336caab7587@mail.gmail.com> <469BF7CB.3080809@redhat.com> <7d2291380707161752h143ff206w601773fd1c04df57@mail.gmail.com> <469C263B.3040401@redhat.com>
Message-ID: <7d2291380707170852t7e1b0fb7ldea4f3146567dce7@mail.gmail.com>

ok, let me mod my file and ill shoot it off to you.

On 7/16/07, Richard Megginson wrote:
> Adam Valenzuela wrote:
> > There is company sensitive information inside the ldif so i am unable
> > to send you a copy, but if you tell me what you're looking for i can
> > troll for it.
> Well I'm not exactly sure, but I get the impression that something is
> wrong.
>
> What people usually do is obscure company sensitive information before
> posting, e.g.
> dn: uid=XXXXX,ou=people,dc=example,dc=com
> uid: XXXXX
> userPassword: XXXXXXX
>
> > On 7/16/07, Richard Megginson wrote:
> > > Adam Valenzuela wrote:
> > > > we had no aci's on the openldap side.
> > > >
> > > > On 7/16/07, Richard Megginson wrote:
> > > > > Adam Valenzuela wrote:
> > > > > > Hello all,
> > > > > >
> > > > > > I have a question about FDS and the ability to make a
> > > > > > distro/email group. Here is some background. Currently running
> > > > > > openldap as my GAL and we want to switch to FDS because the
> > > > > > people we sync with all use exchange.
> > > > > > I have FDS 1.0.3 stood up and running. I exported my ldif file
> > > > > > from my openldap server which has both email accounts and
> > > > > > distro groups. When i imported them into FDS all the email
> > > > > > address were stripped. At first I thought it was the syntax of
> > > > > > the openldap ldif file, and at first it was and i wasn't able
> > > > > > to import anything. Now i can import without any errors but no
> > > > > > email address come up, just user account info.
> > > > >
> > > > > Can you post a relevant excerpt of the LDIF file you exported
> > > > > from OpenLDAP?
> > > > >
> > > > > > What did I do wrong?
> > > > > Did you migrate the access control information from openldap to
> > > > > Fedora DS?
> > > > >
> > > > > > Thank you in advance,
> > > > > >
> > > > > > --
> > > > > > Thank you,
> > > > > > Adam A. Valenzuela

--
Thank you,
Adam A. Valenzuela

From anh at thespringrollhouse.com Tue Jul 17 16:52:40 2007
From: anh at thespringrollhouse.com (Anh Nguyen)
Date: Tue, 17 Jul 2007 09:52:40 -0700 (PDT)
Subject: [Fedora-directory-users] Performance
In-Reply-To: <20e4c38c0707160603o35e15c59p7e0f54499f043e53@mail.gmail.com>
Message-ID: <361064.24108.qm@web1003.biz.mail.sp1.yahoo.com>

You may want to look at SLAMD.

Chun Tat David Chu wrote:
> Can anyone recommend any tools that are available for testing LDAP?
>
> - dc
>
> On 7/13/07, David Boreham wrote:
> > Vampire D wrote:
> > > Would you recommend more than 2GB for 100k/hr?
> > Memory usage is unrelated to search workload. You need more memory to
> > achieve good performance with a larger set of active data.
> > I'd recommend you do some load testing. There are plenty of good tools
> > available that make testing fairly easy.
From nhosoi at redhat.com Tue Jul 17 22:29:31 2007
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Tue, 17 Jul 2007 15:29:31 -0700
Subject: [Fedora-directory-users] rpm -e behavior
Message-ID: <469D42CB.9060507@redhat.com>

Hello, fedora-directory-users list;

We are working on the setup and clean-up code in the next version
(please see also http://directory.fedoraproject.org/wiki/New_Setup_Design).
I'd like to have your thoughts on the behavior when you run "rpm -e
fedora-ds". The previous version cleaned up all the binaries and
instances but the certificate and key dbs.

  # ls alias
  secmod.db slapd-ID-key3.db slapd-ID-cert8.db

Do we want to leave them untouched on the next version, as well? How
about other files such as ldif files or backup files? Or do we want to
remove all the fedora-ds related files?

Your input would be greatly appreciated.

--noriko

From vampired at gmail.com Tue Jul 17 23:00:20 2007
From: vampired at gmail.com (Vampire D)
Date: Tue, 17 Jul 2007 19:00:20 -0400
Subject: [Fedora-directory-users] FDS Console on Windows
Message-ID: <4ca8a4870707171600nfa2e14ydd40bea4c6f5923c@mail.gmail.com>

Has anyone used the FDS console on Windows before, and if so, how?

--
"Do the actors on Unsolved Mysteries ever get arrested because they look
just like the criminal they are playing?"

Christopher
From rmeggins at redhat.com Tue Jul 17 23:00:20 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 17 Jul 2007 17:00:20 -0600
Subject: [Fedora-directory-users] FDS Console on Windows
In-Reply-To: <4ca8a4870707171600nfa2e14ydd40bea4c6f5923c@mail.gmail.com>
References: <4ca8a4870707171600nfa2e14ydd40bea4c6f5923c@mail.gmail.com>
Message-ID: <469D4A04.9030804@redhat.com>

Vampire D wrote:
> Has anyone used the FDS console on Windows before, and if so, how?

Did you try this - http://directory.fedoraproject.org/wiki/Howto:WindowsConsole

From hyc at symas.com Wed Jul 18 09:31:38 2007
From: hyc at symas.com (Howard Chu)
Date: Wed, 18 Jul 2007 02:31:38 -0700
Subject: [Fedora-directory-users] Performance
In-Reply-To: <20070717155232.5EC2B733C9@hormel.redhat.com>
References: <20070717155232.5EC2B733C9@hormel.redhat.com>
Message-ID: <469DDDFA.4020602@symas.com>

> Date: Tue, 17 Jul 2007 11:35:26 +1000
> From: Norman Gaywood
>
> > Norman Gaywood wrote:
> > > perform under load? I was always under the impression that OpenLDAP
> > > was the fastest and most scalable LDAP server around. For example:
> > >
> > > http://www.symas.com/benchmark-auth.shtml
> > >
> > > I recall reading another benchmark somewhere comparing it with FDS but
> > > can't find it at the moment.
> >
> > That looks to be a read-only test. What happens when you throw some
> > updates at it?
> > And are there any benchmarks for FDS running in multi-master mode with
> > update activity?
>
> Yes it was a read-only test. But then that's the main application of
> LDAP servers. Are there applications that require high LDAP write
> performance?
>
> I found the other benchmark paper here:
>
> http://highlandsun.com/hyc/SambaXP.pdf
>
> It includes figures for FDS. A summary can be found here:
>
> http://www.mail-archive.com/ldap at umich.edu/msg01151.html
>
> According to that paper, OpenLDAP pretty much blows away everyone else
> in performance and scalability. Nothing else is even close.
>
> Of course it is a benchmark. I'm sure someone will find some flaws :-)

Since everything in the code and benchmark tool set is freely available,
you can easily conduct tests on your own using your actual data. That's
the best way to get relevant results.

But I'll note that on an earlier benchmark we conducted, with a >150
million entry database at over 1 terabyte on disk, OpenLDAP 2.3.21 was
able to sustain over 4800 modifies per second concurrently with 16000
reads per second, and full delta-syncrepl replication. (Without writes,
we were hitting 28000 reads per second, so there is definitely a
noticeable cost for writes.) Granted this was a large server with 480GB
of RAM and multiple strings of RAID storage, so I/O throughput wasn't a
really huge problem.

I.e., our write rate at 150M entries (4800/sec) is still higher than
anyone else's fastest read rate at 10M entries, and their performance
only gets worse if you can even stand how long it takes to load a bigger
DB.

At the time we ran this test (over a year ago now) we used an SGI Altix
for the server, since Itanium systems were pretty much the only hardware
that supported a single system image with so much RAM. Today I think you
could outfit a Sun Ultrasparc with the equivalent amount of RAM. It
would be interesting to rerun this test to see how Sparc performs
against Itanium.
> Date: Mon, 16 Jul 2007 20:24:51 -0600
> From: David Boreham
>
> Norman Gaywood wrote:
> > Yes it was a read-only test. But then that's the main application of
> > LDAP servers. Are there applications that require high LDAP write
> > performance?
>
> It's pretty easy to achieve performance in excess of most applications'
> requirements for reads, but write performance is typically much lower
> (due to the need to maintain the WAL with many indices, usually).
> Replication makes the situation worse because the replication changelog
> also has to be written, reducing the available I/O resources for primary
> database writes. So in any given real-world application, it's often the
> write capacity that determines overall system capacity.

Yes, eventually hardware becomes the limiting factor (disk throughput in
this case) but most software in the world today is written so
inefficiently that you'll never see the true hardware limits. That tends
to come from people writing code with the mindset "it's OK to use
inefficient algorithms, CPUs will always get faster." Of course, we see
that CPUs have now stopped getting faster, at least in the
single-threaded sense, and the real cost of that inefficiency (in raw
electricity as well as simple hardware provisioning cost) is hitting
home.

We've spent a lot of effort trimming the fat from OpenLDAP, deleting most
of the original junk code and rewriting it extensively. As a result, you
rarely see anything but actual hardware limits in its performance, and a
single OpenLDAP installation can often support the load of 3-10 times as
many other products on identical hardware. It pays to sweat the small
stuff.

--
  -- Howard Chu
  Chief Architect, Symas Corp.
  http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

From rubin at xs4all.nl Wed Jul 18 09:33:59 2007
From: rubin at xs4all.nl (Rubin)
Date: Wed, 18 Jul 2007 11:33:59 +0200 (CEST)
Subject: [Fedora-directory-users] Failover and SSL
Message-ID: <16882.145.7.182.188.1184751239.squirrel@webmail.xs4all.nl>

Hi all!

I'm trying to figure out how to handle high availability in combination
with ssl. I have ssl working for both clients and server to server
connections. The problem is that i would like to give a client only one
ip/fqdn for the ldap server, like ldap.example.com, and manage failover
to a second ldap multimaster machine by bringing up that ip or switching
the dns entry of the fqdn to whichever server is designated as active at
that moment.

The problem lies in the fact that the certificate on the client has a dn
that has to match the hostname to be contacted (ie. ldap.example.com),
but i don't want to have identical certificates on the ldap servers (if
the dn does not match the hostname to be contacted, the connection will
fail, verified with openssl).

So how can you have a client contact ldap.example.com with ssl enabled
while having the ability to switch ldap.example.com between two machines
without doing something evilish like having identical certificates for
both ldap servers? How are others handling these things?

The reason i want to do failover this way has to do with wanting to avoid
the possibility of conflicts when having the ability to write to 2
masters at the same time.

Thanks for any pointers and/or eyeopeners!

Grtz,

Rubin.
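Added example, not part of the thread and not Fedora DS or OpenLDAP code: a hostname-coverage check in Python for the failover layout Rubin describes, using ldap.example.com as the shared service name and ldap1/ldap2.example.com as the two hosts (assumed names). It shows why a certificate carrying only cn=ldap.example.com breaks as soon as a client or replication peer addresses a host directly, and why the shared-certificate-with-subjectAltName layout that Jonathan Barber describes in his reply passes for every name.

```python
"""Hostname checks for a failover LDAP endpoint behind one service name.

Constructed example (not from the thread): clients connect to
ldap.example.com, a DNS name or virtual IP that moves between
ldap1.example.com and ldap2.example.com. Whichever host is active must
present a certificate whose names cover every name a client may use, or
TLS hostname verification fails. Matching follows RFC 6125: dNSName
subjectAltName entries are authoritative, and the subject CN is consulted
only when the certificate carries no dNSName SAN at all. Certificates are
modelled in the dict layout ssl.SSLSocket.getpeercert() returns.
"""
from __future__ import annotations


def match_dns_name(pattern: str, hostname: str) -> bool:
    """Match one dNSName entry (optionally '*.example.com') against a host.

    A wildcard may only replace the whole leftmost label and never spans
    a label boundary, so '*.example.com' covers ldap1.example.com but not
    a.b.example.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" not in pattern:
        return p_labels == h_labels
    # Reject '*', '*.com' and partial-label wildcards such as 'ld*.example.com'.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list[str]:
    """Return the names a verifying client will accept for this certificate."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    # CN fallback applies only when there is no dNSName SAN (RFC 6125 section 6.4.4).
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return [value]
    return []


def hostname_matches(cert: dict, hostname: str) -> bool:
    return any(match_dns_name(name, hostname) for name in cert_names(cert))


def failover_coverage(cert: dict, hostnames: list[str]) -> dict[str, bool]:
    """Map each name a client might connect to onto whether this cert covers it."""
    return {host: hostname_matches(cert, host) for host in hostnames}


def missing_names(cert: dict, hostnames: list[str]) -> list[str]:
    """Names that would have to be added to the SAN before this cert is usable."""
    return [host for host, ok in failover_coverage(cert, hostnames).items() if not ok]


# Constructed certificates. Subject entries follow getpeercert(): a tuple of
# RDNs, each RDN a tuple of (attribute, value) pairs.
SERVICE_NAME = "ldap.example.com"
HOST_NAMES = ["ldap1.example.com", "ldap2.example.com"]
FAILOVER_NAMES = [SERVICE_NAME] + HOST_NAMES

# A certificate with only cn=ldap.example.com: fine for the virtual name,
# but fails the moment a client or replication peer addresses a host directly.
CN_ONLY_CERT = {"subject": ((("commonName", SERVICE_NAME),),)}

# The shared certificate from the thread: cn=ldap plus SAN entries for both hosts.
SHARED_SAN_CERT = {
    "subject": ((("commonName", SERVICE_NAME),),),
    "subjectAltName": tuple(("DNS", name) for name in FAILOVER_NAMES),
}

# A per-host certificate that forgot the shared service name: once any SAN
# is present the CN is ignored, so cn=ldap.example.com does not rescue it.
PER_HOST_CERT_LDAP1 = {
    "subject": ((("commonName", SERVICE_NAME),),),
    "subjectAltName": (("DNS", "ldap1.example.com"),),
}

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY_CERT),
                        ("shared cert with SAN", SHARED_SAN_CERT),
                        ("per-host cert, service name missing", PER_HOST_CERT_LDAP1)):
        print(f"{label}: {failover_coverage(cert, FAILOVER_NAMES)}")
```

The per-host case is the alternative to identical certificates: separate keys per server work too, as long as each certificate lists the shared service name in its SAN alongside its own hostname.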
From hyc at symas.com Wed Jul 18 10:55:34 2007
From: hyc at symas.com (Howard Chu)
Date: Wed, 18 Jul 2007 03:55:34 -0700
Subject: [Fedora-directory-users] Performance
In-Reply-To: <20070716160008.23B2A733AE@hormel.redhat.com>
References: <20070716160008.23B2A733AE@hormel.redhat.com>
Message-ID: <469DF1A6.9090908@symas.com>

> Date: Mon, 16 Jul 2007 10:12:57 -0400
> From: "Vampire D"
>
> I heard it from Cisco when working with them on a project as they claim it
> has a hard time keeping up under a heavy load.

In my experience, the Cisco folks don't have a clue what they're talking
about. We recently had a customer come to us asking why OpenLDAP doesn't
support LDAPv3 (it does; it has since 2000), saying their Cisco product
wasn't able to Bind to OpenLDAP. Cisco of course claimed they were
supporting LDAPv3 correctly and that the OpenLDAP server was defective,
but we asked the customer for a network trace and they saw that the Cisco
product was actually sending an LDAPv2 Bind request. Your mileage may
vary of course, but it's best to take anything Cisco says about LDAP with
a large helping of salt.

> On 7/16/07, Norman Gaywood wrote:
> > On 7/13/07, Vampire D wrote:
> > > As I understand it, OpenLDAP doesn't perform all that well under a
> > > high load. How does FDS perform in comparison to other LDAP
> > > implementations like OpenLDAP and Sun?
> >
> > Interesting. Where did you get the information that OpenLDAP does not
> > perform under load? I was always under the impression that OpenLDAP
> > was the fastest and most scalable LDAP server around. For example:
> >
> > http://www.symas.com/benchmark-auth.shtml
> >
> > I recall reading another benchmark somewhere comparing it with FDS but
> > can't find it at the moment.
> >
> > --
> > Norman Gaywood, Systems Administrator
> > University of New England, Armidale,
> > NSW 2351, Australia

--
  -- Howard Chu
  Chief Architect, Symas Corp.
  http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

From jon at compbio.dundee.ac.uk Wed Jul 18 11:10:35 2007
From: jon at compbio.dundee.ac.uk (Jonathan Barber)
Date: Wed, 18 Jul 2007 12:10:35 +0100
Subject: [Fedora-directory-users] Failover and SSL
In-Reply-To: <16882.145.7.182.188.1184751239.squirrel@webmail.xs4all.nl>
References: <16882.145.7.182.188.1184751239.squirrel@webmail.xs4all.nl>
Message-ID: <20070718111028.GA10524@compbio.dundee.ac.uk>

On Wed, Jul 18, 2007 at 11:33:59AM +0200, Rubin wrote:
> Hi all!
>
> I'm trying to figure out how to handle high availability in
> combination with ssl. I have ssl working for both clients and
> server to server connections. The problem is that i would like to
> give a client only one ip/fqdn for the ldap server, like
> ldap.example.com and manage failover to a second ldap multimaster
> machine by bringing up that ip or switching the dns entry of the
> fqdn to whichever server is designated as active at that moment.

You have to bring up the machine with the same IP; clients may be caching
the DNS results, so unless you've set the DNS TTL very low, clients may
still reference the old IP.

> The problem lies in the fact that the certificate on the client
> has a dn that has to match the hostname to be contacted (ie.
> ldap.example.com) but i don't want to have identical certificates
> on the ldap servers (if the dn does not match the hostname to be
> contacted, the connection will fail, verified with openssl).
>
> So how can you have a client contact ldap.example.com with ssl enabled
> while having the ability to switch ldap.example.com between two machines
> without doing something evilish like having identical certificates for
> both ldap servers? How are others handling these things?

I don't understand why this is evil.
If the connection is to the FQDN that's referenced in the x509 cert, then
it will pass that part of the validation chain, no matter what IP the
host is on.

> The reason i want to do failover this way has to do with wanting
> to avoid the possibility of conflicts when having the ability to
> write to 2 masters at the same time.

The situation I have is:

  ldap
  ldap1
  ldap2

Where ldap is a virtual IP for one of either ldap{1,2}. They have the
same x509 certificate on each host, with the subject cn=ldap, and a
subjectAltName for ldap1 and ldap2. This way it doesn't matter if the
host is being referred to as ldap/ldap1/ldap2, it all just works (in
production with a variety of linux distros).

> Thanks for any pointers and/or eyeopeners!
>
> Grtz,
>
> Rubin.

--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389

From srigler at marathonoil.com Wed Jul 18 11:47:08 2007
From: srigler at marathonoil.com (Steve Rigler)
Date: Wed, 18 Jul 2007 06:47:08 -0500
Subject: [Fedora-directory-users] rpm -e behavior
In-Reply-To: <469D42CB.9060507@redhat.com>
References: <469D42CB.9060507@redhat.com>
Message-ID: <1184759228.20174.3.camel@houuc8>

On Tue, 2007-07-17 at 15:29 -0700, Noriko Hosoi wrote:
> Hello, fedora-directory-users list;
>
> We are working on the setup and clean-up code in the next version
> (please see also
> http://directory.fedoraproject.org/wiki/New_Setup_Design). I'd like to
> have your thoughts on the behavior when you run "rpm -e fedora-ds". The
> previous version cleaned up all the binaries and instances but the
> certificate and key dbs.
> # ls alias
> secmod.db slapd-ID-key3.db slapd-ID-cert8.db
>
> Do we want to leave them untouched on the next version, as well? How
> about other files such as ldif files or backup files? Or do we want to
> remove all the fedora-ds related files?
>
> Your input would be greatly appreciated.
>
> --noriko

Personally, I prefer "rpm -e" to remove only the files that were
originally installed by the package.

-Steve

From stpierre at NebrWesleyan.edu Wed Jul 18 14:02:32 2007
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Wed, 18 Jul 2007 09:02:32 -0500 (CDT)
Subject: [Fedora-directory-users] rpm -e behavior
In-Reply-To: <1184759228.20174.3.camel@houuc8>
References: <469D42CB.9060507@redhat.com> <1184759228.20174.3.camel@houuc8>
Message-ID:

On Wed, 18 Jul 2007, Steve Rigler wrote:
> Personally, I prefer "rpm -e" to remove only the files that were
> originally installed by the package.

I'll second that.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
----------------------------
LOPSA Sysadmin Days: Professional Training for Professional SysAdmins
August 6-7, Cherry Hill, NJ
http://lopsa.org/SysadminDays

From rmeggins at redhat.com Wed Jul 18 14:49:24 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 18 Jul 2007 08:49:24 -0600
Subject: [Fedora-directory-users] rpm -e behavior
In-Reply-To:
References: <469D42CB.9060507@redhat.com> <1184759228.20174.3.camel@houuc8>
Message-ID: <469E2874.8050502@redhat.com>

Chris St. Pierre wrote:
> On Wed, 18 Jul 2007, Steve Rigler wrote:
>
> > Personally, I prefer "rpm -e" to remove only the files that were
> > originally installed by the package.
>
> I'll second that.

Ok. The way Fedora DS works with respect to RPM install is a little
different than OpenLDAP or other similar server software packages. With
those, you generally get some of the configuration for your "instance"
with the RPM package (there is usually only the one instance, and if you
want to run another server, you have to manually configure it yourself).
With Fedora DS, there are no instance specific files/directories in the
RPM.
You have to run the setup command to create these, and this will create
the following directories:

  /etc/fedora-ds/slapd-instance - contains dse.ldif and key and cert
      databases, pin.txt file, maybe the keytab as well
  /usr/lib64/fedora-ds/slapd-instance - scripts like db2ldif, ldif2db, etc.
  /var/lib/fedora-ds/slapd-instance - databases
  /var/log/fedora-ds/slapd-instance - logs
  /var/tmp/fedora-ds/slapd-instance - tmp files
  /var/lock/fedora-ds/slapd-instance - lock files/dirs

So if you rpm -e, all of these will be left behind. I don't know if that
is expected or desired.

From srigler at marathonoil.com Wed Jul 18 15:04:03 2007
From: srigler at marathonoil.com (Steve Rigler)
Date: Wed, 18 Jul 2007 10:04:03 -0500
Subject: [Fedora-directory-users] rpm -e behavior
In-Reply-To: <469E2874.8050502@redhat.com>
References: <469D42CB.9060507@redhat.com> <1184759228.20174.3.camel@houuc8> <469E2874.8050502@redhat.com>
Message-ID: <1184771043.20174.26.camel@houuc8>

On Wed, 2007-07-18 at 08:49 -0600, Richard Megginson wrote:
> Chris St. Pierre wrote:
> > On Wed, 18 Jul 2007, Steve Rigler wrote:
> >
> > > Personally, I prefer "rpm -e" to remove only the files that were
> > > originally installed by the package.
> >
> > I'll second that.
> Ok. The way Fedora DS works with respect to RPM install is a little
> different than OpenLDAP or other similar server software packages.
> With those, you generally get some of the configuration for your
> "instance" with the RPM package (there is usually only the one instance,
> and if you want to run another server, you have to manually configure it
> yourself). With Fedora DS, there are no instance specific
> files/directories in the RPM. You have to run the setup command to
> create these, and this will create the following directories:
> /etc/fedora-ds/slapd-instance - contains dse.ldif and key and cert
> databases, pin.txt file, maybe the keytab as well
> /usr/lib64/fedora-ds/slapd-instance - scripts like db2ldif, ldif2db, etc.
> /var/lib/fedora-ds/slapd-instance - databases
> /var/log/fedora-ds/slapd-instance - logs
> /var/tmp/fedora-ds/slapd-instance - tmp files
> /var/lock/fedora-ds/slapd-instance - lock files/dirs
>
> So if you rpm -e, all of these will be left behind. I don't know if
> that is expected or desired.

That's fine for me. It's actually good because when I'm testing a new
piece of software I might reinstall it from scratch. If it leaves some
old files behind I can always go back and compare to a working install
to see where I screwed up.

-Steve

From rcritten at redhat.com Wed Jul 18 15:11:25 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 18 Jul 2007 11:11:25 -0400
Subject: [Fedora-directory-users] rpm -e behavior
In-Reply-To: <1184771043.20174.26.camel@houuc8>
References: <469D42CB.9060507@redhat.com> <1184759228.20174.3.camel@houuc8> <469E2874.8050502@redhat.com> <1184771043.20174.26.camel@houuc8>
Message-ID: <469E2D9D.2050806@redhat.com>

Steve Rigler wrote:
> On Wed, 2007-07-18 at 08:49 -0600, Richard Megginson wrote:
> > So if you rpm -e, all of these will be left behind. I don't know if
> > that is expected or desired.
>
> That's fine for me. It's actually good because when I'm testing a new
> piece of software I might reinstall it from scratch. If it leaves some
> old files behind I can always go back and compare to a working install
> to see where I screwed up.

Certs and keys are particularly important to keep around because they
may have a financial value if purchased from a CA like VeriSign.

rob
From nhosoi at redhat.com Wed Jul 18 16:48:18 2007
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Wed, 18 Jul 2007 09:48:18 -0700
Subject: [Fedora-directory-users] rpm -e behavior
In-Reply-To: <1184771043.20174.26.camel@houuc8>
References: <469D42CB.9060507@redhat.com> <1184759228.20174.3.camel@houuc8> <469E2874.8050502@redhat.com> <1184771043.20174.26.camel@houuc8>
Message-ID: <469E4452.7070203@redhat.com>

Steve Rigler wrote:
> On Wed, 2007-07-18 at 08:49 -0600, Richard Megginson wrote:
> > So if you rpm -e, all of these will be left behind. I don't know if
> > that is expected or desired.
>
> That's fine for me.
> It's actually good because when I'm testing a new piece of software I
> might reinstall it from scratch. If it leaves some old files behind I
> can always go back and compare to a working install to see where I
> screwed up.
>
> -Steve

If "rpm -e fedora-ds" leaves all the directories listed above, the
following "rpm -i fedora-ds" + setup operation would be an in-place
upgrade instead of a fresh install if the same server ID (slapd-ID) is
chosen. Maybe that'd be the expected behavior for many administrators.
For others, we could have one more question in the setup/upgrade dialog
asking whether the setup is a fresh install (wipe out the old files) or
an in-place upgrade (use the old files). If the answer is "fresh
install", we can clean up the old files then.

Another thing is, if the host is no longer used for the Fedora Directory
Server, you may want to clean up the disk eventually. At that time,
there is no tool to remove them. Theoretically, all the files/directories
are under fedora-ds somewhere, so it won't be difficult to remove them
manually, though. But it looks a little lame...

Thank you for your feedback.

--noriko

From GCopeland at efjohnson.com Wed Jul 18 17:08:35 2007
From: GCopeland at efjohnson.com (Greg Copeland)
Date: Wed, 18 Jul 2007 12:08:35 -0500
Subject: [Fedora-directory-users] LDAP Server Crashed - Now Read-Only
Message-ID: <273A72C669F45B4996896A031B88CCEF870C81@EFJDFWMX01.EFJDFW.local>

My LDAP server crashed while I was adding a user. After getting it
restarted, the database is now read-only. Where/how do I change the
database back to read/write mode? I've had to do this once before but
it's been a very long time and I no longer remember where it is at.

Help.

Best Regards,

Greg Copeland
From GCopeland at efjohnson.com Wed Jul 18 17:17:16 2007 From: GCopeland at efjohnson.com (Greg Copeland) Date: Wed, 18 Jul 2007 12:17:16 -0500 Subject: [Fedora-directory-users] LDAP Server Crashed - Now Read-Only In-Reply-To: <273A72C669F45B4996896A031B88CCEF870C81@EFJDFWMX01.EFJDFW.local> Message-ID: <273A72C669F45B4996896A031B88CCEF870C8C@EFJDFWMX01.EFJDFW.local> I finally found it. Sorry. Cheers, Greg Copeland ________________________________ From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Greg Copeland Sent: Wednesday, July 18, 2007 12:09 PM To: General discussion list for the Fedora Directory server project. Subject: [Fedora-directory-users] LDAP Server Crashed - Now Read-Only My LDAP server crashed while I was adding a user. After getting it restarted, the database is now read-only. Where/how do I change the database back to read/write mode? I've had to do this once before but it's been a very long time and I no longer remember where it is at. Help. Best Regards, Greg Copeland From rmeggins at redhat.com Wed Jul 18 17:20:43 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 18 Jul 2007 11:20:43 -0600 Subject: [Fedora-directory-users] LDAP Server Crashed - Now Read-Only In-Reply-To: <273A72C669F45B4996896A031B88CCEF870C81@EFJDFWMX01.EFJDFW.local> References: <273A72C669F45B4996896A031B88CCEF870C81@EFJDFWMX01.EFJDFW.local> Message-ID: <469E4BEB.6050301@redhat.com> Greg Copeland wrote: > > My LDAP server crashed while I was adding a user. After getting it > restarted, the database is now read-only. Where/how do I change the > database back to read/write mode? I've had to do this once before but > it's been a very long time and I no longer remember where it is at. > Can you reproduce the crash?
If so, can you file a bug in bugzilla.redhat.com against Fedora Directory Server with the reproduce information? Thanks! > > Help. > > Best Regards, > > Greg Copeland > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From triswimjoe at hotmail.com Wed Jul 18 17:36:52 2007 From: triswimjoe at hotmail.com (Joe Sheehan) Date: Wed, 18 Jul 2007 13:36:52 -0400 Subject: [Fedora-directory-users] Another LDAP crashing question In-Reply-To: <469E4BEB.6050301@redhat.com> Message-ID: Sorry to bother everyone, but can anyone tell me where I can get more information on the following error? Thanks. Sometimes our ns-slapd process dies. Here is the entry in the /opt/fedora-ds/nodename/logs/errors file: [date time] get_ldapmessage_controls failed 12 (Unavailable critical extension) (op=Abandon) From rmeggins at redhat.com Wed Jul 18 17:50:43 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 18 Jul 2007 11:50:43 -0600 Subject: [Fedora-directory-users] Another LDAP crashing question In-Reply-To: References: Message-ID: <469E52F3.4020805@redhat.com> Joe Sheehan wrote: > Sorry to bother everyone, but can anyone tell me where I can get more > information > on the following error? Thanks. > > Sometimes our ns-slapd process dies.
> Here is the entry in the /opt/fedora-ds/nodename/logs/errors file > > [date time] get_ldapmessage_controls failed 12 (Unavailable critical > extension) (op=Abandon) Looks like some client is sending the LDAP Abandon operation with one or more controls attached, and one or more of them is marked Critical, and either one of the controls is not supported by Fedora DS, or is not supported for this particular operation. What is your OS and Fedora DS version? Could you help us track down the client? Is there any information about this request in the access log? > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From GCopeland at efjohnson.com Wed Jul 18 20:45:11 2007 From: GCopeland at efjohnson.com (Greg Copeland) Date: Wed, 18 Jul 2007 15:45:11 -0500 Subject: [Fedora-directory-users] LDAP Server Crashed - Now Read-Only In-Reply-To: <469E4BEB.6050301@redhat.com> References: <273A72C669F45B4996896A031B88CCEF870C81@EFJDFWMX01.EFJDFW.local> <469E4BEB.6050301@redhat.com> Message-ID: <273A72C669F45B4996896A031B88CCEF870D71@EFJDFWMX01.EFJDFW.local> Sorry, can't reproduce the crash. Cheers, Greg Copeland > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory- > users-bounces at redhat.com] On Behalf Of Richard Megginson > Sent: Wednesday, July 18, 2007 12:21 PM > To: General discussion list for the Fedora Directory server project. > Subject: Re: [Fedora-directory-users] LDAP Server Crashed - Now Read-Only > > Greg Copeland wrote: > > > > My LDAP server crashed while I was adding a user. After getting it > > restarted, the database is now read-only. Where/how do I change the > > database back to read/write mode? 
I've had to do this once before but > > it's been a very long time and I no longer remember where it is at. > > > Can you reproduce the crash? If so, can you file a bug in > bugzilla.redhat.com against Fedora Directory Server with the reproduce > information? Thanks! > > > > Help. > > > > Best Regards, > > > > Greg Copeland > > > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > From joshkel at gmail.com Wed Jul 18 21:01:18 2007 From: joshkel at gmail.com (Josh Kelley) Date: Wed, 18 Jul 2007 17:01:18 -0400 Subject: [Fedora-directory-users] 64-bit PassSync? Message-ID: <97cbd1a90707181401j47babf94mf2e41a9ccf6341a4@mail.gmail.com> Is a 64-bit version of the Windows PassSync program available anywhere? If not, are there currently any plans to provide a 64-bit version? Thank you. Josh Kelley From etorres at dap.es Thu Jul 19 10:35:54 2007 From: etorres at dap.es (Esteban Torres Rodriguez) Date: Thu, 19 Jul 2007 12:35:54 +0200 Subject: [Fedora-directory-users] Enable SSL server In-Reply-To: <4ca8a4870707130840s50e94975meffb9636c98ce7c6@mail.gmail.com> References: <4ca8a4870707122045i4378df73jee9bcea1adffe5e@mail.gmail.com> <46979940.4020804@redhat.com> <4ca8a4870707130840s50e94975meffb9636c98ce7c6@mail.gmail.com> Message-ID: <469F5AAA020000180010AA05@mail.dap.es> Hello, I receipt error when I execute start-slapd Enter PIN for Internal (Software) Token: [19/Jul/2007:12:21:41 +0200] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Cert-DS-Server of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8182 - Peer's certificate has an invalid signature.) 
[19/Jul/2007:12:21:41 +0200] - SSL failure: None of the cipher are valid I am following this document: http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html I have spent one week trying to synchronize passwords from AD to FDS. I had no problems synchronizing the users. Does any document exist that describes synchronizing users and passwords step by step? :( bye. Esteban Torres Rodríguez TECHNICAL SUPPORT AREA - Server Administration Information Systems Sub-directorate Empresa Pública Desarrollo Agrario y Pesquero, email: etorres at dap.es From stpierre at NebrWesleyan.edu Thu Jul 19 15:16:11 2007 From: stpierre at NebrWesleyan.edu (Chris St. Pierre) Date: Thu, 19 Jul 2007 10:16:11 -0500 (CDT) Subject: [Fedora-directory-users] rpm -e behavior In-Reply-To: <469E4452.7070203@redhat.com> References: <469D42CB.9060507@redhat.com> <1184759228.20174.3.camel@houuc8> <469E2874.8050502@redhat.com> <1184771043.20174.26.camel@houuc8> <469E4452.7070203@redhat.com> Message-ID: On Wed, 18 Jul 2007, Noriko Hosoi wrote: > If "rpm -e fedora-ds" leaves all the directories listed above, the following > "rpm -i fedora-ds" + setup operation would be the in-place upgrade instead of > the fresh install if the same server ID (slapd-ID) is chosen. Maybe, that'd > be the expected behavior for many administrators. For others, we could have > one more question in the setup/upgrade dialog if the setup is a fresh install > (wipe out the old files) or an in-place upgrade (use the old files). If the > answer is "fresh install", we can clean up the old files, then. > > Another thing is if the host is no longer used for the Fedora Directory > Server, you may want to clean up the disk eventually. At that time, there is > no tool to remove them. Theoretically, all the files/directories are under > fedora-ds somewhere, so it won't be difficult to remove them manually, though. > But it looks a little lame...
If 'setup' creates all of that stuff, could there be an 'unsetup' command that removes it all? I.e., if installation is: rpm -hvU fedora-ds-.... /path/to/setup Then uninstallation could be: /path/to/unsetup rpm -e fedora-ds That way removal of all of the other stuff could be at the option of the administrator. Just a thought. I'm sure you have nothing better to do than write scripts consisting of a few hundred lines of rm. :) Chris St. Pierre Unix Systems Administrator Nebraska Wesleyan University ---------------------------- LOPSA Sysadmin Days: Professional Training for Professional SysAdmins August 6-7, Cherry Hill, NJ http://lopsa.org/SysadminDays From rmeggins at redhat.com Thu Jul 19 15:12:17 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 19 Jul 2007 09:12:17 -0600 Subject: [Fedora-directory-users] rpm -e behavior In-Reply-To: References: <469D42CB.9060507@redhat.com> <1184759228.20174.3.camel@houuc8> <469E2874.8050502@redhat.com> <1184771043.20174.26.camel@houuc8> <469E4452.7070203@redhat.com> Message-ID: <469F7F51.2010004@redhat.com> Chris St. Pierre wrote: > On Wed, 18 Jul 2007, Noriko Hosoi wrote: > >> If "rpm -e fedora-ds" leaves all the directories listed above, the >> following "rpm -i fedora-ds" + setup operation would be the in-place >> upgrade instead of the fresh install if the same server ID (slapd-ID) >> is chosen. Maybe, that'd be the expected behavior for many >> administrators. For others, we could have one more question in the >> setup/upgrade dialog if the setup is a fresh install (wipe out the >> old files) or a in-place upgrade (use the old files). If the answer >> is "fresh install", we can clean up the old files, then. >> >> Another thing is if the host is no longer used for the Fedora >> Directory Server, you may want to clean up the disk eventually. At >> that time, there is no tool to remove them. 
Theoretically, all the >> files/directories are under fedora-ds somewhere, so it won't be >> difficult to remove them manually, though. But it looks a little lame... > > If 'setup' creates all of that stuff, could there be an 'unsetup' > command that removes it all? I.e., if installation is: > > rpm -hvU fedora-ds-.... > /path/to/setup > > Then uninstallation could be: > > /path/to/unsetup > rpm -e fedora-ds > > That way removal of all of the other stuff could be at the option of > the administrator. > > Just a thought. I'm sure you have nothing better to do than write > scripts consisting of a few hundred lines of rm. :) find / -name fedora-ds -exec rm -rf {} \; :-) > > Chris St. Pierre > Unix Systems Administrator > Nebraska Wesleyan University > ---------------------------- > LOPSA Sysadmin Days: Professional Training for Professional SysAdmins > August 6-7, Cherry Hill, NJ > http://lopsa.org/SysadminDays > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... 
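As a worked version of the "unsetup" idea in this thread, here is an added Python script. It is not a Fedora DS tool and not code from any message above. It finds the per-instance directories Rich listed earlier, reports the key and certificate databases, pin.txt and keytab that would otherwise survive "rpm -e", overwrites those before removal, and does a dry run unless told otherwise. The file names it treats as sensitive (pin.txt, key3.db, cert8.db, secmod.db, *.keytab, and the slapd-<id>-key3.db / slapd-<id>-cert8.db form) and the constructed fixture layout are assumptions; on a 32-bit host the library directory would be /usr/lib rather than /usr/lib64.

```python
"""Added example: an "unsetup" for a Fedora DS instance after "rpm -e".

Finds the per-instance directories left behind, lists the secret-bearing
files in them, and removes the lot (dry run by default).  Not a project tool.
"""
import os
import shutil
import tempfile

# Instance-specific directories created by setup, as listed in the thread.
# Assumption: /usr/lib64 may be /usr/lib on 32-bit hosts.
INSTANCE_DIRS = (
    "etc/fedora-ds",        # dse.ldif, key/cert databases, pin.txt, keytab
    "usr/lib64/fedora-ds",  # db2ldif, ldif2db and friends
    "var/lib/fedora-ds",    # databases
    "var/log/fedora-ds",    # access/errors/audit logs
    "var/tmp/fedora-ds",    # temp files
    "var/lock/fedora-ds",   # lock files
)

# Assumed names of files that hold key material or the token PIN.
SENSITIVE_NAMES = ("pin.txt", "key3.db", "cert8.db", "secmod.db")


def is_sensitive(name):
    return (name in SENSITIVE_NAMES or name.endswith(".keytab")
            or name.endswith("-key3.db") or name.endswith("-cert8.db"))


def leftover_dirs(root, instance):
    """Instance directories that still exist below root ('/' for real use)."""
    found = []
    for sub in INSTANCE_DIRS:
        path = os.path.join(root, sub, "slapd-" + instance)
        if os.path.isdir(path):
            found.append(path)
    return found


def sensitive_files(dirs):
    """Every secret-bearing file inside the given directories, sorted."""
    hits = []
    for top in dirs:
        for dirpath, _, files in os.walk(top):
            hits.extend(os.path.join(dirpath, f) for f in files if is_sensitive(f))
    return sorted(hits)


def shred(path):
    """Overwrite a file once before it is unlinked.  Best effort only: on
    journaling file systems and SSDs the old blocks may still survive."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        fh.write(os.urandom(size))
        fh.flush()
        os.fsync(fh.fileno())


def unsetup(root, instance, dry_run=True):
    """Return (dirs, secrets) that would go; actually remove them when dry_run is False."""
    dirs = leftover_dirs(root, instance)
    secrets = sensitive_files(dirs)
    if not dry_run:
        for path in secrets:
            shred(path)
        for top in dirs:
            shutil.rmtree(top)
    return dirs, secrets


def make_fixture(root, instance):
    """Constructed layout standing in for what setup leaves on a real host."""
    for sub in INSTANCE_DIRS:
        os.makedirs(os.path.join(root, sub, "slapd-" + instance))
    etc = os.path.join(root, "etc/fedora-ds", "slapd-" + instance)
    for name in ("dse.ldif", "pin.txt",
                 "slapd-%s-key3.db" % instance, "slapd-%s-cert8.db" % instance):
        with open(os.path.join(etc, name), "wb") as fh:
            fh.write(b"placeholder\n")


def demo(instance="prueba"):
    """Dry run, then real removal, inside a throwaway root; returns a summary."""
    root = tempfile.mkdtemp()
    try:
        make_fixture(root, instance)
        dirs, secrets = unsetup(root, instance, dry_run=True)
        still_there = all(os.path.isdir(d) for d in dirs)
        unsetup(root, instance, dry_run=False)
        return {
            "dirs_found": len(dirs),
            "secrets": [os.path.basename(p) for p in secrets],
            "dry_run_kept_files": still_there,
            "left_after_removal": leftover_dirs(root, instance),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The dry run is the part Rich's "find / -exec rm -rf" joke skips over: an instance directory holds the NSS key database and the pin.txt that unlocks it, so a host that is "no longer used for the Fedora Directory Server" still carries a usable private key until somebody deals with those files. Revoking the certificate is the other half of that clean-up; overwriting only reduces what a later disk image will contain.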
From rmeggins at redhat.com Thu Jul 19 15:28:15 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 19 Jul 2007 09:28:15 -0600 Subject: [Fedora-directory-users] Enable SSL server In-Reply-To: <469F5AAA020000180010AA05@mail.dap.es> References: <4ca8a4870707122045i4378df73jee9bcea1adffe5e@mail.gmail.com> <46979940.4020804@redhat.com> <4ca8a4870707130840s50e94975meffb9636c98ce7c6@mail.gmail.com> <469F5AAA020000180010AA05@mail.dap.es> Message-ID: <469F830F.5010905@redhat.com> Esteban Torres Rodriguez wrote: > Hello, > > I receive an error when I execute start-slapd > > Enter PIN for Internal (Software) Token: > [19/Jul/2007:12:21:41 +0200] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Cert-DS-Server of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8182 - Peer's certificate has an invalid signature.) > [19/Jul/2007:12:21:41 +0200] - SSL failure: None of the cipher are valid > > > I am following this document: http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html >
1) cd /opt/fedora-ds/alias ; ../shared/bin/certutil -L -d . -P slapd-instance-
2) ../shared/bin/certutil -L -d . -P slapd-instance- -n Cert-DS-Server
3) ../shared/bin/certutil -L -d . -P slapd-instance- -n
4) ../shared/bin/certutil -V -d . -P slapd-instance- -n Cert-DS-Server -e -u V
5) ../shared/bin/certutil -V -d . -P slapd-instance- -n
> I have spent one week trying to synchronize passwords from AD to FDS. I had no problems synchronizing the users. > That's because AD requires the use of SSL for password sync. > Does any document exist that describes synchronizing users and passwords step by step? :( > > bye.
> > > > Esteban Torres Rodríguez > TECHNICAL SUPPORT AREA - Server Administration > Information Systems Sub-directorate > Empresa Pública Desarrollo Agrario y Pesquero, > email: etorres at dap.es > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From triswimjoe at hotmail.com Thu Jul 19 19:24:58 2007 From: triswimjoe at hotmail.com (Joe Sheehan) Date: Thu, 19 Jul 2007 15:24:58 -0400 Subject: [Fedora-directory-users] Another LDAP crashing question In-Reply-To: <469E52F3.4020805@redhat.com> Message-ID: We are running RHEL Linux Update 4 with an updated kernel of 2.6.16 with fedora 1.0.2. I'll need to look at the logs again to see if I can isolate who the client was during that time. Would you think this would kill fedora though? Thanks Joe >From: Richard Megginson >Reply-To: "General discussion list for the Fedora Directory server >project." >To: "General discussion list for the Fedora Directory server project." > >Subject: Re: [Fedora-directory-users] Another LDAP crashing question >Date: Wed, 18 Jul 2007 11:50:43 -0600 > >Joe Sheehan wrote: >>Sorry to bother everyone, but can anyone tell me where I can get more >>information >>on the following error? Thanks. >> >>Sometimes our ns-slapd process dies. >>Here is the entry in the /opt/fedora-ds/nodename/logs/errors file >> >>[date time] get_ldapmessage_controls failed 12 (Unavailable critical >>extension) (op=Abandon) >Looks like some client is sending the LDAP Abandon operation with one or >more controls attached, and one or more of them is marked Critical, and >either one of the controls is not supported by Fedora DS, or is not >supported for this particular operation. > >What is your OS and Fedora DS version?
Could you help us track down the >client? Is there any information about this request in the access log? >> >> >>-- >>Fedora-directory-users mailing list >>Fedora-directory-users at redhat.com >>https://www.redhat.com/mailman/listinfo/fedora-directory-users > ><< smime.p7s >> >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users From rmeggins at redhat.com Thu Jul 19 19:30:13 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 19 Jul 2007 13:30:13 -0600 Subject: [Fedora-directory-users] Another LDAP crashing question In-Reply-To: References: Message-ID: <469FBBC5.2050604@redhat.com> Joe Sheehan wrote: > We are running RHEL Linux Update 4 with an updated kernel of 2.6.16 > with fedora 1.0.2. You might want to use Fedora DS 1.0.4 instead, but I don't know if this will fix the problem. > I'll need to look at the logs again to see if I can isolate who the > client was during that time. > Would you think this would kill fedora though? Well, if it is a bug in the server, then yes. It might be possible to simulate this client, by using Net::LDAP to send an abandon request with bogus critical controls. > > Thanks > > Joe > >> From: Richard Megginson >> Reply-To: "General discussion list for the Fedora Directory server >> project." >> To: "General discussion list for the Fedora Directory server >> project." >> Subject: Re: [Fedora-directory-users] Another LDAP crashing question >> Date: Wed, 18 Jul 2007 11:50:43 -0600 >> >> Joe Sheehan wrote: >>> Sorry to bother everyone but can anyone tell me where I can get more >>> information >>> on the following error. Thanks >>> >>> Sometimes are ns-slapd process dies. 
>>> Here is the entry in the /opt/fedora-ds/nodename/logs/errors file >>> >>> [date time] get_ldapmessage_controls failed 12 (Unavailable critical >>> extension) (op=Abandon) >> Looks like some client is sending the LDAP Abandon operation with one >> or more controls attached, and one or more of them is marked >> Critical, and either one of the controls is not supported by Fedora >> DS, or is not supported for this particular operation. >> >> What is your OS and Fedora DS version? Could you help us track down >> the client? Is there any information about this request in the >> access log? >>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > >> << smime.p7s >> > > > > >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From triswimjoe at hotmail.com Thu Jul 19 20:02:13 2007 From: triswimjoe at hotmail.com (Joe Sheehan) Date: Thu, 19 Jul 2007 16:02:13 -0400 Subject: [Fedora-directory-users] Another LDAP crashing question In-Reply-To: <469FBBC5.2050604@redhat.com> Message-ID: Thanks - I will try to reproduce it via your suggestion then change versions to see if it occurs in the later version. Thanks Joe >From: Richard Megginson >Reply-To: "General discussion list for the Fedora Directory server >project." >To: "General discussion list for the Fedora Directory server project." 
> >Subject: Re: [Fedora-directory-users] Another LDAP crashing question >Date: Thu, 19 Jul 2007 13:30:13 -0600 > >Joe Sheehan wrote: >>We are running RHEL Linux Update 4 with an updated kernel of 2.6.16 with >>fedora 1.0.2. >You might want to use Fedora DS 1.0.4 instead, but I don't know if this >will fix the problem. >>I'll need to look at the logs again to see if I can isolate who the client >>was during that time. >>Would you think this would kill fedora though? >Well, if it is a bug in the server, then yes. It might be possible to >simulate this client, by using Net::LDAP to send an abandon request with >bogus critical controls. >> >>Thanks >> >>Joe >> >>>From: Richard Megginson >>>Reply-To: "General discussion list for the Fedora Directory server >>>project." >>>To: "General discussion list for the Fedora Directory server project." >>> >>>Subject: Re: [Fedora-directory-users] Another LDAP crashing question >>>Date: Wed, 18 Jul 2007 11:50:43 -0600 >>> >>>Joe Sheehan wrote: >>>>Sorry to bother everyone but can anyone tell me where I can get more >>>>information >>>>on the following error. Thanks >>>> >>>>Sometimes are ns-slapd process dies. >>>>Here is the entry in the /opt/fedora-ds/nodename/logs/errors file >>>> >>>>[date time] get_ldapmessage_controls failed 12 (Unavailable critical >>>>extension) (op=Abandon) >>>Looks like some client is sending the LDAP Abandon operation with one or >>>more controls attached, and one or more of them is marked Critical, and >>>either one of the controls is not supported by Fedora DS, or is not >>>supported for this particular operation. >>> >>>What is your OS and Fedora DS version? Could you help us track down the >>>client? Is there any information about this request in the access log? 
>>>> >>>> >>>>-- >>>>Fedora-directory-users mailing list >>>>Fedora-directory-users at redhat.com >>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >> >> >>><< smime.p7s >> >> >> >> >> >>>-- >>>Fedora-directory-users mailing list >>>Fedora-directory-users at redhat.com >>>https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> >>-- >>Fedora-directory-users mailing list >>Fedora-directory-users at redhat.com >>https://www.redhat.com/mailman/listinfo/fedora-directory-users > ><< smime.p7s >> >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users From anh at thespringrollhouse.com Fri Jul 20 15:54:42 2007 From: anh at thespringrollhouse.com (Anh Nguyen) Date: Fri, 20 Jul 2007 08:54:42 -0700 (PDT) Subject: [Fedora-directory-users] Performance In-Reply-To: <469B8078.2000008@boreham.org> Message-ID: <994298.99148.qm@web1009.biz.mail.sp1.yahoo.com> Some pros with SLAMD include: 1. Detailed resource statistics are built-in 2. It came with a relatively large set of tests. 3. Addition of new tests are relatively easy with some Java skills Anh, David Boreham wrote: Chun Tat David Chu wrote: > Can anyone recommend any tools that are available for testing LDAP? SLAMD is popular, but I still like to use the simple command line tools like rsearch and its siblings : http://docs.sun.com/source/816-6400-10/rsearch.html http://docs.sun.com/source/816-5615-10/srchrate.htm http://docs.sun.com/source/816-5615-10/modrate.htm http://docs.sun.com/source/816-5615-10/authrate.htm http://docs.sun.com/source/816-5615-10/infadd.htm For me it's easier to craft a workload matching my requirements using these tools. -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- An HTML attachment was scrubbed... 
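Picking up Rich's suggestion in the "Another LDAP crashing question" thread above (simulate the client by sending an Abandon with bogus critical controls): the Python below is an added example, not code from the thread, from Net::LDAP or from Fedora DS. It BER-encodes an LDAPMessage with the RFC 4511 layout, an AbandonRequest plus one control with criticality TRUE, decodes it again, and applies the check a server performs: a critical control it does not recognise yields resultCode 12, unavailableCriticalExtension, which is the number in Joe's log line. The control OID 1.2.3.4.5.6 is made up for the test, the "supported" OID in the demo is the real ManageDsaIT control, and the send_raw helper targets whatever host and port you pass it and is not exercised here.

```python
"""Added example: an LDAP AbandonRequest carrying a critical control.

Encodes the PDU with hand-rolled BER (RFC 4511 message layout), decodes it,
and models the server-side criticality check that yields resultCode 12.
Not code from the thread or from Fedora DS.
"""
import socket

UNAVAILABLE_CRITICAL_EXTENSION = 12      # LDAP resultCode, RFC 4511


def ber_len(n):
    """BER length: one octet below 128, otherwise 0x80|count then big-endian."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def int_octets(value):
    """Minimal two's-complement content octets for a BER INTEGER."""
    n = max(1, (value.bit_length() + 8) // 8)
    return value.to_bytes(n, "big", signed=True)


def ldap_control(oid, critical, value=None):
    """Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN DEFAULT FALSE,
    controlValue OCTET STRING OPTIONAL }.  A FALSE criticality is omitted."""
    body = ber_tlv(0x04, oid.encode("ascii"))
    if critical:
        body += ber_tlv(0x01, b"\xff")
    if value is not None:
        body += ber_tlv(0x04, value)
    return ber_tlv(0x30, body)


def abandon_request(message_id, abandon_id, controls=()):
    """LDAPMessage { messageID, abandonRequest [APPLICATION 16] MessageID, controls [0] }.
    AbandonRequest is IMPLICIT, so tag 0x50 wraps the bare INTEGER octets."""
    body = ber_tlv(0x02, int_octets(message_id)) + ber_tlv(0x50, int_octets(abandon_id))
    if controls:
        body += ber_tlv(0xA0, b"".join(controls))
    return ber_tlv(0x30, body)


def ber_read(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def ber_children(content):
    """All TLVs directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = ber_read(content, pos)
        out.append((tag, val))
    return out


def parse_message(pdu):
    """Decode an LDAPMessage into message id, protocolOp tag and [(oid, critical)]."""
    tag, body, _ = ber_read(pdu)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    parts = ber_children(body)
    msg_id = int.from_bytes(parts[0][1], "big", signed=True)
    controls = []
    for t, v in parts[2:]:
        if t != 0xA0:
            continue
        for _, ctrl in ber_children(v):
            fields = ber_children(ctrl)
            oid = fields[0][1].decode("ascii")
            critical = any(ft == 0x01 and fv != b"\x00" for ft, fv in fields[1:])
            controls.append((oid, critical))
    return {"message_id": msg_id, "op_tag": parts[1][0], "controls": controls}


def check_controls(msg, supported_oids):
    """RFC 4511 4.1.11: an unrecognised control marked critical must not be
    honoured and the operation fails with unavailableCriticalExtension (12).
    Abandon never gets a response, which is why only the errors log shows it."""
    for oid, critical in msg["controls"]:
        if critical and oid not in supported_oids:
            return UNAVAILABLE_CRITICAL_EXTENSION
    return 0


def send_raw(host, port, pdu, timeout=5.0):
    """Fire the PDU at a live server (nothing comes back for Abandon)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(pdu)


if __name__ == "__main__":
    bogus = ldap_control("1.2.3.4.5.6", critical=True)   # made-up OID
    pdu = abandon_request(7, 3, [bogus])
    print(pdu.hex(), check_controls(parse_message(pdu), {"2.16.840.1.113730.3.4.2"}))
```

Whether the log line alone explains the crash is a separate question: the check above is the normal, non-fatal path, so if ns-slapd dies right after it, the access log entry for the same connection (and a core file) is what identifies the client and the real fault.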
URL: From yinyang at eburg.com Sat Jul 21 06:25:31 2007 From: yinyang at eburg.com (Gordon Messmer) Date: Fri, 20 Jul 2007 23:25:31 -0700 Subject: [Fedora-directory-users] Performance In-Reply-To: <46979940.4020804@redhat.com> References: <4ca8a4870707122045i4378df73jee9bcea1adffe5e@mail.gmail.com> <46979940.4020804@redhat.com> Message-ID: <46A1A6DB.8070802@eburg.com> Richard Megginson wrote: > Vampire D wrote: >> As I understand it, OpenLDAP doesn't perform all that well under a >> high load. > OpenLDAP 2.3 does. Howard Chu's "SambaXP" key notes certainly seem to make that argument. He makes the bold claim that "OpenLDAP is the only directory software that matters." Do you agree? Is there a future for Fedora DS, or will OpenLDAP own the Free Software directory service market? Will the two projects share technology and converge? From vampired at gmail.com Sat Jul 21 07:44:25 2007 From: vampired at gmail.com (Vampire D) Date: Sat, 21 Jul 2007 03:44:25 -0400 Subject: [Fedora-directory-users] Performance In-Reply-To: <46A1A6DB.8070802@eburg.com> References: <4ca8a4870707122045i4378df73jee9bcea1adffe5e@mail.gmail.com> <46979940.4020804@redhat.com> <46A1A6DB.8070802@eburg.com> Message-ID: <4ca8a4870707210044t28ad2c7ax69e9f94a74641439@mail.gmail.com> I was under the impression FDS was better implementation than OpenLDAP in terms of Performance, Reliability, and especially replication? On 7/21/07, Gordon Messmer wrote: > > Richard Megginson wrote: > > Vampire D wrote: > >> As I understand it, OpenLDAP doesn't perform all that well under a > >> high load. > > OpenLDAP 2.3 does. > > Howard Chu's "SambaXP" key notes certainly seem to make that argument. > He makes the bold claim that "OpenLDAP is the only directory software > that matters." > > Do you agree? Is there a future for Fedora DS, or will OpenLDAP own the > Free Software directory service market? Will the two projects share > technology and converge? 
> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -- "Do the actors on Unsolved Mysteries ever get arrested because they look just like the criminal they are playing?" Christopher From fmunoz at hispafuentes.com Sun Jul 22 17:03:06 2007 From: fmunoz at hispafuentes.com (Fernando Muñoz) Date: Sun, 22 Jul 2007 19:03:06 +0200 Subject: [Fedora-directory-users] Problem with Massive Replication Agreements Message-ID: <1185123786.13401.35.camel@hispafuentes> Hi all, I have a distributed Directory Service on 25 servers with FDS 1.0.4. The replication configuration is somewhat complex: - One HUB server with 26 databases (26 enabled replicas) -> 25 hub replicas with 24 replication agreements each and one multi-master replica with 26 replication agreements. The total number of replication agreements on this server is 626. - 25 suppliers (each for its own database) to the hub server, and consumers (for the other databases) of the hub server. When I try to configure (automatically, by script) these 626 replication agreements on the HUB server, I see this error in the error log (/opt/fedora-ds/slapd-prueba/logs/errors) for each new replication agreement after approximately 250 replication agreements: [22/Jul/2007:20:55:52 +0200] NSMMReplicationPlugin - agmt="cn=prueba1-prueba2" (prueba1:636): Unable to create protocol thread; NSPR error - -5974, Insufficient system resources. Is there some FDS limitation on massive numbers of replication agreements, or some FDS performance setting (maximum entries, cache, look-through limit, size limit, file descriptors, connection management...)? How can I solve this problem?
thanks, From david_list at boreham.org Sun Jul 22 17:09:57 2007 From: david_list at boreham.org (David Boreham) Date: Sun, 22 Jul 2007 11:09:57 -0600 Subject: [Fedora-directory-users] Problem with Massive Replication Agreements In-Reply-To: <1185123786.13401.35.camel@hispafuentes> References: <1185123786.13401.35.camel@hispafuentes> Message-ID: <46A38F65.7010603@boreham.org> The message tells you that the server failed to create a thread because the OS wouldn't let it. Typically this happens either because there's some OS limit that needs to be increased, or because the thread stack stride is very large and you're running a 32-bit server (the fix for that is to reduce the stack size). Fernando Muñoz wrote: > Hi all, > > I have a distributed Directory Service on 25 servers with FDS 1.0.4. The > replication configuration is somewhat complex: > > - One HUB server with 26 databases (26 enabled replicas) -> 25 > hub replicas with 24 replication agreements each and one multi-master replica > with 26 replication agreements. The total number of replication agreements on this > server is 626. > > - 25 suppliers (each for its own database) to the hub server, and consumers (for > the other databases) of the hub server. > > When I try to configure (automatically, by script) these 626 replication > agreements on the HUB server, I see this error in the > error log (/opt/fedora-ds/slapd-prueba/logs/errors) for each new > replication agreement after approximately 250 replication agreements: > > [22/Jul/2007:20:55:52 +0200] NSMMReplicationPlugin - > agmt="cn=prueba1-prueba2" (prueba1:636): Unable to create protocol > thread; NSPR error - -5974, Insufficient system resources. > > Is there some FDS limitation on massive numbers of replication agreements, or some > FDS performance setting (maximum entries, cache, look-through limit, > size limit, file descriptors, connection management...)? > > How can I solve this problem?
> > thanks, > > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From fmunoz at hispafuentes.com Sun Jul 22 21:46:28 2007 From: fmunoz at hispafuentes.com (Fernando Muñoz) Date: Sun, 22 Jul 2007 23:46:28 +0200 Subject: [Fedora-directory-users] Problem with Massive Replication Agreements In-Reply-To: <46A38F65.7010603@boreham.org> References: <1185123786.13401.35.camel@hispafuentes> <46A38F65.7010603@boreham.org> Message-ID: <1185140788.19081.3.camel@hispafuentes> I've installed FDS on CentOS 4.5. How can I modify these OS limits or the thread stack size on CentOS (Red Hat)? Then I will test the replication configuration again. thanks, On Sun, 22-07-2007 at 11:09 -0600, David Boreham wrote: > The message tells you that the server failed to create a thread > because the OS wouldn't let it. Typically this happens either because > there's some OS limit that needs to be increased, or because the > thread stack stride is very large and you're running a 32-bit server > (the fix for that is to reduce the stack size). > > Fernando Muñoz wrote: > > Hi all, > > > > I have a distributed Directory Service on 25 servers with FDS 1.0.4. The > > replication configuration is somewhat complex: > > > > - One HUB server with 26 databases (26 enabled replicas) -> 25 > > hub replicas with 24 replication agreements each and one multi-master replica > > with 26 replication agreements. The total number of replication agreements on this > > server is 626. > > > > - 25 suppliers (each for its own database) to the hub server, and consumers (for > > the other databases) of the hub server.
> > > > When i try to configure (automatically by script) this 626 replication > > agreements (on HUB server) i show this > > errorlog(/opt/fedora-ds/slapd-prueba/logs/errors) for each new > > replication agreement after 250 replication agreements aprox.: > > > > [22/Jul/2007:20:55:52 +0200] NSMMReplicationPlugin - > > agmt="cn=prueba1-prueba2" (prueba1:636): Unable to create protocol > > thread; NSPR error - -5974, Insufficient system resources. > > > > Exist some FDS limitation about massive replication agreements? or some > > FDS performance settings (maximun entries, cach?,look-through limit, > > size limit, file descriptors,connection management...)? > > > > How can i solved this problem? > > > > thanks, > > > > > > > > > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From kekkou.a at cs.ucy.ac.cy Mon Jul 23 07:05:22 2007 From: kekkou.a at cs.ucy.ac.cy (Andreas Kekkou) Date: Mon, 23 Jul 2007 10:05:22 +0300 Subject: [Fedora-directory-users] Failover and SSL In-Reply-To: <16882.145.7.182.188.1184751239.squirrel@webmail.xs4all.nl> References: <16882.145.7.182.188.1184751239.squirrel@webmail.xs4all.nl> Message-ID: <46A45332.2020905@cs.ucy.ac.cy> Hi Rubin, You can achieve this very easily. Just setup a CA and have your servers' certificates signed by your CA. Then copy the CA certificate to your clients (/etc/openldap/cacerts) and you are done. Andreas Rubin wrote: > Hi all! > > I'm trying to figure out how to handle high availability in > combination with ssl. I have ssl working for both clients and > server to server connections. 
> The problem is that I would like to
> give a client only one ip/fqdn for the ldap server, like
> ldap.example.com and manage failover to a second ldap multimaster
> machine by bringing up that ip or switching the dns entry of the
> fqdn to the machine designated at that moment as the active ldap server.
>
> The problem lies in the fact that the certificate on the client
> has a dn that has to match the hostname to be contacted (ie.
> ldap.example.com) but I don't want to have identical certificates
> on the ldap servers (if the dn does not match the hostname to be contacted,
> the connection will fail, verified with openssl).
>
> So how can you have a client contact ldap.example.com with ssl enabled
> while having the ability to switch ldap.example.com between two machines
> without doing something evilish like having identical certificates for
> both ldap servers? How are others handling these things?
>
> The reason I want to do failover this way has to do with wanting
> to avoid the possibility of conflicts when having the
> ability to write to 2 masters at the same time.
>
> Thanks for any pointers and/or eyeopeners!
>
> Grtz,
>
> Rubin.
>
From ando at sys-net.it  Mon Jul 23 08:55:14 2007
From: ando at sys-net.it (Pierangelo Masarati)
Date: Mon, 23 Jul 2007 10:55:14 +0200
Subject: [Fedora-directory-users] Performance
In-Reply-To: <4ca8a4870707210044t28ad2c7ax69e9f94a74641439@mail.gmail.com>
References: <4ca8a4870707122045i4378df73jee9bcea1adffe5e@mail.gmail.com>
	<46979940.4020804@redhat.com> <46A1A6DB.8070802@eburg.com>
	<4ca8a4870707210044t28ad2c7ax69e9f94a74641439@mail.gmail.com>
Message-ID: <46A46CF2.2010902@sys-net.it>

Vampire D wrote:
> I was under the impression FDS was better implementation than OpenLDAP
> in terms of Performance, Reliability, and especially replication?

It would be interesting to know what/where you got that impression from.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:   +39 02 23998309
Mobile:   +39 333 4963172
Email:    pierangelo.masarati at sys-net.it
---------------------------------------

From vampired at gmail.com  Mon Jul 23 08:52:23 2007
From: vampired at gmail.com (Vampire D)
Date: Mon, 23 Jul 2007 04:52:23 -0400
Subject: [Fedora-directory-users] Performance
In-Reply-To: <46A46CF2.2010902@sys-net.it>
References: <4ca8a4870707122045i4378df73jee9bcea1adffe5e@mail.gmail.com>
	<46979940.4020804@redhat.com> <46A1A6DB.8070802@eburg.com>
	<4ca8a4870707210044t28ad2c7ax69e9f94a74641439@mail.gmail.com>
	<46A46CF2.2010902@sys-net.it>
Message-ID: <4ca8a4870707230152x57e3712fm4064b21a0a90d14f@mail.gmail.com>

Another member on the list who does consulting with LDAP as well as someone who works for Cisco/IronPort. That's why we have been looking at FDS.

On 7/23/07, Pierangelo Masarati wrote:
>
> Vampire D wrote:
> > I was under the impression FDS was better implementation than OpenLDAP
> > in terms of Performance, Reliability, and especially replication?
>
> It would be interesting to know what/where you got that impression from.
>
> p.
>
> Ing. Pierangelo Masarati
> OpenLDAP Core Team
>
> SysNet s.r.l.
> via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> ---------------------------------------
> Office:   +39 02 23998309
> Mobile:   +39 333 4963172
> Email:    pierangelo.masarati at sys-net.it
> ---------------------------------------
>

--
"Do the actors on Unsolved Mysteries ever get arrested because they look just like the criminal they are playing?"

Christopher

From Julien.Garet at inria.fr  Mon Jul 23 09:59:37 2007
From: Julien.Garet at inria.fr (Julien Garet)
Date: Mon, 23 Jul 2007 11:59:37 +0200
Subject: [Fedora-directory-users] Managing openLDAP and Active Directory users via Fedora DS
Message-ID: <46A47C09.9040800@inria.fr>

Hi,

I am currently looking for a solution which allows me to manage both Windows users in Active Directory and unix users in openLDAP, and users in the two worlds. In fact, we have software plugged into an openldap server, and we need some functionalities offered by AD for Windows extensive users. It seems Fedora Directory Server will match the requirements. But I have a couple of questions on what can be done.

- I have seen that AD user and group sync was possible; are passwords also synced? (will a user changing their password in Windows also have it changed in openldap?)
- does directory server fill the kerberos part of AD? (we have cifs mounts to be done by Windows users)
- is it possible to replicate the FDS base with a simple openldap server (with syncrepl)?

In fact, I realize I do not yet understand well what FDS is in depth, and what it is able to perform, and I'd be very happy if someone explained it to me a little further.
Julien GARET
INRIA Futurs, Moyens Informatiques

From glenn at mail.txwes.edu  Mon Jul 23 15:37:42 2007
From: glenn at mail.txwes.edu (Glenn)
Date: Mon, 23 Jul 2007 10:37:42 -0500
Subject: [Fedora-directory-users] FD sync with NT4?
Message-ID: <20070723153528.M17083@mail.txwes.edu>

So I have a successful Windows Sync agreement set up between Fedora DS and Active Directory, but I'm having difficulty setting up a sync agreement with an NT4 domain. I'm at the point where I've entered the NT server info in the agreement form. When I click Next, I get an error message: "Unable to contact Active Directory server. Continue?" I think this means I've entered something wrong in the form, and I'm hoping someone can narrow down the possible things that can be entered in the form.

For instance, Windows Domain Name. The example given in the documentation is "example.com". However, NT domains do not conform to DNS standards. Will it work if I enter the NT domain name, e.g., "example"? If not, is there a workaround?

The next item is Windows Subtree. This field gets filled in automatically with "cn=Users,dc=example" using the example above. Again, can Windows Sync use this NT domain name, or does it require a DNS name?

For Domain Controller Host, what is expected? If I put in the host name alone, I get the error message. If I put in the fully qualified DNS host name, the application locks up and must be terminated with Task Manager (I'm using the console on a Windows XP machine).

Bind As seems to expect an LDAP distinguished name. How can I translate the NT replication user name into LDAP terminology, i.e., what in NT corresponds with cn, ou, dn, etc.?

Thanks for any ideas. -G.
From fmunoz at hispafuentes.com  Mon Jul 23 16:25:41 2007
From: fmunoz at hispafuentes.com (Fernando Muñoz)
Date: Mon, 23 Jul 2007 18:25:41 +0200
Subject: [Fedora-directory-users] Problem with Massive Replication Agreements
In-Reply-To: <1185140788.19081.3.camel@hispafuentes>
References: <1185123786.13401.35.camel@hispafuentes>
	<46A38F65.7010603@boreham.org> <1185140788.19081.3.camel@hispafuentes>
Message-ID: <1185207941.6404.4.camel@hispafuentes>

I solved the problem, I reduced the stack size to 1024 (it was 10240) with ulimit -s 1024.

Thanks David,

On Sun, 22-07-2007 at 23:46 +0200, Fernando Muñoz wrote:
> I've installed FDS over CentOS 4.5.
>
> How can I modify these OS limits or the thread stack in CentOS (Red Hat)? And
> then probe the replication configuration.
>
> thanks,
>
> On Sun, 22-07-2007 at 11:09 -0600, David Boreham wrote:
> > The message tells you that the server failed to create a thread
> > because the OS wouldn't let it. Typically this happens either because
> > there's some OS limit that needs to be increased, or because the
> > thread stack stride is very large and you're running a 32-bit server
> > (the fix for that is to reduce the stack size).
> >
> > Fernando Muñoz wrote:
> > > Hi all,
> > >
> > > I have a distributed Directory Service on 25 servers with FDS 1.0.4. The
> > > replication configuration is somewhat complex:
> > >
> > > - One HUB server with 26 databases (26 enabled replicas) -> 25
> > > HUB-Replicas with 24 replication agreements and one Multimaster-Replica
> > > with 26 replication agreements. Total replication agreements in this
> > > server is 626 replication agreements.
> > >
> > > - 25 Suppliers (on our database) with Hub server and consumers (for
> > > other databases) of Hub server.
> > >
> > > When I try to configure (automatically by script) these 626 replication
> > > agreements (on the HUB server) I see this
> > > error log (/opt/fedora-ds/slapd-prueba/logs/errors) for each new
> > > replication agreement after approx. 250 replication agreements:
> > >
> > > [22/Jul/2007:20:55:52 +0200] NSMMReplicationPlugin -
> > > agmt="cn=prueba1-prueba2" (prueba1:636): Unable to create protocol
> > > thread; NSPR error - -5974, Insufficient system resources.
> > >
> > > Is there some FDS limitation about massive replication agreements? Or some
> > > FDS performance settings (maximum entries, cache, look-through limit,
> > > size limit, file descriptors, connection management...)?
> > >
> > > How can I solve this problem?
> > >
> > > thanks,
> > >

From yinyang at eburg.com  Mon Jul 23 17:20:23 2007
From: yinyang at eburg.com (Gordon Messmer)
Date: Mon, 23 Jul 2007 10:20:23 -0700
Subject: [Fedora-directory-users] Performance
In-Reply-To: <4ca8a4870707230152x57e3712fm4064b21a0a90d14f@mail.gmail.com>
References: <4ca8a4870707122045i4378df73jee9bcea1adffe5e@mail.gmail.com>
	<46979940.4020804@redhat.com> <46A1A6DB.8070802@eburg.com>
	<4ca8a4870707210044t28ad2c7ax69e9f94a74641439@mail.gmail.com>
	<46A46CF2.2010902@sys-net.it>
	<4ca8a4870707230152x57e3712fm4064b21a0a90d14f@mail.gmail.com>
Message-ID: <46A4E357.5010803@eburg.com>

Vampire D wrote:
> Another member on the list who does consulting with LDAP as well as
> someone who works for Cisco/IronPort.
> That's why we have been looking at FDS.

If Howard Chu is to be believed, Cisco is a lousy reference for LDAP (see message from 7/18).
http://highlandsun.com/hyc/SambaXP.pdf

Howard notes that Richard Megginson reviewed the configuration of the FDS server used in the benchmark.

In my own experience, OpenLDAP leaked memory, was prone to db corruption, and was a lousy development platform (attributes requested by alias were returned by canonical name, which makes aliases useless in application development). Those were pretty serious problems, but I haven't used OpenLDAP in several years. Symas *looks* like it's pretty serious about making OpenLDAP a better platform. A lot can change in several years' time.

I'm comfortable with FDS. It's more than fast enough for what I need, it's stable, and applications developed on FDS are easily portable to Sun's directory server. However, if OpenLDAP is developing into a compelling platform, then I'm more inclined to test my applications against it, and consider it for future deployments.

From rmeggins at redhat.com  Mon Jul 23 18:06:57 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 23 Jul 2007 12:06:57 -0600
Subject: [Fedora-directory-users] Performance
In-Reply-To: <46A1A6DB.8070802@eburg.com>
References: <4ca8a4870707122045i4378df73jee9bcea1adffe5e@mail.gmail.com>
	<46979940.4020804@redhat.com> <46A1A6DB.8070802@eburg.com>
Message-ID: <46A4EE41.90502@redhat.com>

Gordon Messmer wrote:
> Richard Megginson wrote:
>> Vampire D wrote:
>>> As I understand it, OpenLDAP doesn't perform all that well under a
>>> high load.
>> OpenLDAP 2.3 does.
>
> Howard Chu's "SambaXP" key notes certainly seem to make that
> argument. He makes the bold claim that "OpenLDAP is the only
> directory software that matters."
>
> Do you agree?

No.

> Is there a future for Fedora DS,

Yes. Red Hat has invested, and continues to invest, a lot of resources in Fedora DS.
Since December, 2004, the directory server team at Red Hat has spent the majority of effort on making everything about Fedora DS open source developer friendly:
* replace the proprietary admin server with Apache
* use FHS style paths
* use autotools for building
* including the software in the Fedora OS distribution

This has represented an enormous amount of work, and we're almost finished. At the same time, we've also managed to add some new features (password syntax checking, ldapi, distributed numeric assignment, bitwise matching rules, other features) as well as many bug fixes.

We have a lot of ideas for the future after we complete this work. In general, we want to make LDAP easier to use, easier to deploy, and easier to fit in with other applications. We also want to find out what features you want. We really want to make this a community effort.

We are not going anywhere - we are committed to continual improvement of Fedora DS.

> or will OpenLDAP own the Free Software directory service market?

I think there is room for both projects. Some people prefer OpenLDAP, and some prefer Fedora DS. Although it's too early to tell, some may prefer Sun's OpenDS or Apache DS.

> Will the two projects share technology and converge?

I don't know, but this is something I would like to pursue, to find ways that we can share technology.
From robert.ludvik at zd-lj.si  Tue Jul 24 07:38:56 2007
From: robert.ludvik at zd-lj.si (Robert Ludvik)
Date: Tue, 24 Jul 2007 09:38:56 +0200
Subject: [Fedora-directory-users] FDS / HR synchronization
Message-ID: <46A5AC90.4070906@zd-lj.si>

Hi
Where should I start to read/look if I'd like to achieve that user data in FDS (username and passwd for domain logon, email address, group membership (based on some employee data) ...) is synchronized with data of our HR application, which stores data in SQL (Oracle)? HR application and database are outsourced, FDS is at our company.

For example, when a new employee comes and his data is entered in the HR application, the generated username, password, email address ... should be somehow synchronized to FDS.
And, when some employee leaves our company, his account in FDS becomes inactive.

One way is to export data from SQL to CSV, use csv2ldif and import this LDIF to FDS. This can be done manually (or maybe even automated in some strange way).
Is there a more elegant way?

Thanks
Robert Ludvik

From rmeggins at redhat.com  Tue Jul 24 14:49:17 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 24 Jul 2007 08:49:17 -0600
Subject: [Fedora-directory-users] FDS / HR synchronization
In-Reply-To: <46A5AC90.4070906@zd-lj.si>
References: <46A5AC90.4070906@zd-lj.si>
Message-ID: <46A6116D.8010702@redhat.com>

Robert Ludvik wrote:
> Hi
> Where should I start to read/look if I'd like to achieve that user
> data in FDS (username and passwd for domain logon, email address, group
> membership (based on some employee data) ...) is synchronized with data
> of our HR application, which stores data in SQL (Oracle)? HR application
> and database are outsourced, FDS is at our company.
>
> For example, when a new employee comes and his data is entered in the HR
> application, the generated username, password, email address ...
> should be
> somehow synchronized to FDS.
> And, when some employee leaves our company, his account in FDS becomes
> inactive.
>
> One way is to export data from SQL to CSV, use csv2ldif and import this
> LDIF to FDS. This can be done manually (or maybe even automated in some
> strange way).
> Is there a more elegant way?
>

I'm not sure, but here is a collection of perl-ldap scripts written by the Mozilla PerLDAP author at Netscape, which was used to sync up the LDAP data from PeopleSoft. These are very old but might be useful if you are a perl hacker.
ftp://ftp.mozilla.org/pub/mozilla.org/directory/tools

> Thanks
> Robert Ludvik
>

From glenn at mail.txwes.edu  Tue Jul 24 15:44:22 2007
From: glenn at mail.txwes.edu (Glenn)
Date: Tue, 24 Jul 2007 10:44:22 -0500
Subject: [Fedora-directory-users] NT4 Sync Hassle
Message-ID: <20070724152101.M78608@mail.txwes.edu>

I can't seem to contact my NT4 server to create a sync agreement with Fedora DS. I tried ldapsearch and it just hangs:

# ldapsearch -v -H ldaps://nt4testbox.mydomain.edu -D "uid=admin,ou=system" -w password -b "dc=mydomain,dc=edu"
ldap_initialize( ldaps://nt4testbox.mydomain.edu )

On the NT server, the wrapper.log reports:
java.lang.NoSuchMethodError: javax.net.ssl.SSLContext.createSSLEngine()Ljavax/net/ssl/SSLEngine;

It shows a lot of additional stuff with the same time stamp, ending with:
org.apache.mina.util.BaseThreadPool$Worker.run(BaseThreadPool.java:279)

Any idea what is wrong or how I can narrow it down? Thanks. -Glenn.
From etorres at dap.es  Wed Jul 25 13:16:49 2007
From: etorres at dap.es (Esteban Torres Rodriguez)
Date: Wed, 25 Jul 2007 15:16:49 +0200
Subject: [Fedora-directory-users] Enabling SSL for PassSync
In-Reply-To: <1185123786.13401.35.camel@hispafuentes>
References: <1185123786.13401.35.camel@hispafuentes>
Message-ID: <46A76961020000180010BCCD@mail.dap.es>

When importing the copied certificate of the server into the certificate database using pk12util.exe, I have a problem:

C:\Archivos de programa\Red Hat Directory Password Synchronization>pk12util.exe -d . -i adminserver.p12
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
pk12util.exe: PKCS12 decode not verified: The security password entered is incorrect.

Thanks

Esteban Torres Rodríguez
TECHNICAL SUPPORT AREA - Server Administration
IT Systems Subdirectorate
Empresa Pública Desarrollo Agrario y Pesquero,
email: etorres at dap.es

From glenn at mail.txwes.edu  Wed Jul 25 13:35:55 2007
From: glenn at mail.txwes.edu (Glenn)
Date: Wed, 25 Jul 2007 08:35:55 -0500
Subject: [Fedora-directory-users] Windows Sync NT4 Search Base?
Message-ID: <20070725132802.M45815@mail.txwes.edu>

I finally can communicate with the ldap service on my NT4 test machine, although without SSL. Now I need to know what search base to use. dc=mydomain,dc=edu doesn't work, and I have a feeling it is something unique to Windows NT rather than something unique to my installation. Anyone got a clue? Thanks. -Glenn.
# ldapsearch -v -H ldap://nt4testbox.mydomain.edu -D "uid=admin,ou=system" -b "dc=mydomain,dc=edu"
ldap_initialize( ldap://nt4testbox.mydomain.edu )
ldap_sasl_interactive_bind_s: No such attribute (16)

From hintermayer.johannes at afb.de  Wed Jul 25 14:06:12 2007
From: hintermayer.johannes at afb.de (Hintermayer Johannes)
Date: Wed, 25 Jul 2007 16:06:12 +0200
Subject: [Fedora-directory-users] FDS, Kerberos, SASL confusion
Message-ID: <1185372372.3746.34.camel@tecra01.afb.lan>

Hi all,

currently I'm battling with FDS, Kerberos and SASL to get a working Single-Sign-On setup.

At the moment I have a working Kerberos Realm to which I can successfully connect. I also have a working FDS with one user for testing purposes. Saslauthd is also configured and executing testsaslauthd is ok.

But now I have problems convincing FDS to authenticate users via Kerberos. I have read http://directory.fedoraproject.org/wiki/Howto:Kerberos and http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1083165 but I don't think it's that simple. At least it's not yet working for me.

When I try to bind to FDS via GSSAPI the following error occurs:

#klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bsmith at AFB.LAN

#ldapsearch -Y GSSAPI -D "uid=bsmith,ou=People,dc=afb,dc=lan" -v
ldap_initialize( )
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (Permission denied)

I have tried several combinations of config files and password entries but none worked. So first of all I'd like to ask a few questions to shed light on a few things:

1. Do I need saslauthd on every client which I want to authenticate via FDS/Kerberos?
2. Do I need a host principal for every client?
Here is my current configuration, please correct me if there are some unneeded files (these were built together from several tutorials):

/etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = AFB.LAN
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 AFB.LAN = {
  kdc = vafbkrb01.afb.lan:88
  admin_server = vafbkrb01.afb.lan:749
  default_domain = afb.lan
 }

[domain_realm]
 .afb.lan = AFB.LAN
 afb.lan = AFB.LAN

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = true
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

/etc/ldap.conf
host 172.16.50.2
base dc=afb,dc=lan
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
SASL_MECH GSSAPI
SASL_REALM AFB.LAN
use_sasl on
sasl_auth_id ldap/vafbds01.afb.lan

/etc/sysconfig/saslauthd
SOCKETDIR=/var/run/saslauthd
MECH=kerberos5
FLAGS=

/usr/lib/sasl2/slapd.conf
mech_list: plain gssapi digest-md5 cram-md5 external
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
keytab: /etc/krb5.keytab

SASL Mapping:
nssaslmapfiltertemplate: (uid=\1)
nssaslmapregexstring: \(.*\)@\(.*\)

/opt/fedora-ds/slapd-vafbds01/start-slapd contains: "export KRB5_KTNAME=/etc/krb5.keytab"

The password entry for bsmith in FDS contains: {SASL}bsmith at AFB.LAN

FDS supports the following SASL mechanisms:
#ldapsearch -x -D "uid=bsmith,ou=People,dc=afb,dc=lan" -b "" -s base supportedSASLMechanisms
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms
#

#
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: CRAM-MD5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

DNS (forward & reverse) as well as NTP settings are
correct on all hosts.

Are there any obvious mistakes in my configuration or am I on the right track?

Thanks in advance!

Best regards,
Johannes Hintermayer

From rmeggins at redhat.com  Wed Jul 25 15:11:47 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 25 Jul 2007 09:11:47 -0600
Subject: [Fedora-directory-users] Enabling SSL for PassSync
In-Reply-To: <46A76961020000180010BCCD@mail.dap.es>
References: <1185123786.13401.35.camel@hispafuentes>
	<46A76961020000180010BCCD@mail.dap.es>
Message-ID: <46A76833.1090304@redhat.com>

Esteban Torres Rodriguez wrote:
> When importing the copied certificate of the server into the certificate database using pk12util.exe,
>
> I have a problem:
>
> C:\Archivos de programa\Red Hat Directory Password Synchronization>pk12util.exe -d . -i adminserver.p12
> Enter Password or Pin for "NSS Certificate DB":
> Enter password for PKCS12 file:
> pk12util.exe: PKCS12 decode not verified: The security password entered is incorrect.
>
The password you used to encrypt your adminserver.p12 file is incorrect?

Also, I don't think you need adminserver.p12 on the windows side - all you need is the ca cert of the CA that issued your directory server SSL cert.

>
> Thanks
>
>
>
> Esteban Torres Rodríguez
> TECHNICAL SUPPORT AREA - Server Administration
> IT Systems Subdirectorate
> Empresa Pública Desarrollo Agrario y Pesquero,
> email: etorres at dap.es
>
From rcritten at redhat.com  Wed Jul 25 15:19:23 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 25 Jul 2007 11:19:23 -0400
Subject: [Fedora-directory-users] FDS, Kerberos, SASL confusion
In-Reply-To: <1185372372.3746.34.camel@tecra01.afb.lan>
References: <1185372372.3746.34.camel@tecra01.afb.lan>
Message-ID: <46A769FB.20408@redhat.com>

Hintermayer Johannes wrote:
> Hi all,
>
> currently I'm battling with FDS, Kerberos and SASL to get a working
> Single-Sign-On setup.
>
> At the moment I have a working Kerberos Realm to which I can
> successfully connect. I also have a working FDS with one user for
> testing purposes. Saslauthd is also configured and executing
> testsaslauthd is ok.
>
> But now I have problems convincing FDS to authenticate users via
> Kerberos. I have read
> http://directory.fedoraproject.org/wiki/Howto:Kerberos and
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1083165
> but I don't think it's that simple. At least it's not yet working for
> me.
>
> When I try to bind to FDS via GSSAPI the following error occurs:
>
> #klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: bsmith at AFB.LAN
>
> #ldapsearch -Y GSSAPI -D "uid=bsmith,ou=People,dc=afb,dc=lan" -v
> ldap_initialize( )
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-1): generic failure: GSSAPI Error:
> Miscellaneous failure (Permission denied)

Does the user that FDS runs as have read access to your keytab, /etc/krb5.keytab?

rob
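Johannes's SASL mapping and Rob's keytab question, worked through in an added example (not code from the thread or from Fedora DS): it evaluates the posted nssaslmapregexstring and nssaslmapfiltertemplate for the principal bsmith@AFB.LAN, shows that the posted regex also maps a principal from any other realm onto the same uid (pinning the realm in the regex avoids that), and checks the keytab's mode bits the way the server's uid would see them. Assumed, because the post does not give them: nsSaslMapBaseDNTemplate is dc=afb,dc=lan, the regex is POSIX basic syntax, the whole identity must match, and uid 99 stands in for the server's user.

```python
r"""Added example, not code from the thread or from Fedora DS.

Evaluates a Directory Server SASL mapping (regex + templates) for an
authenticated GSSAPI identity, and checks keytab readability for the uid
the server runs as.  Assumptions not in the post: nsSaslMapBaseDNTemplate
is dc=afb,dc=lan; the regex is POSIX basic syntax, where \( \) group and
bare ( ) are literal; the identity must match the regex as a whole.
"""
import re
import stat

# Values taken from Johannes's posted mapping.
POSTED_REGEX = r"\(.*\)@\(.*\)"
POSTED_FILTER = r"(uid=\1)"
BASE_DN = "dc=afb,dc=lan"           # assumed nsSaslMapBaseDNTemplate
# Hardened variant added here: only principals of the local realm map.
PINNED_REGEX = r"\(.*\)@AFB\.LAN"


def bre_to_python(pattern):
    r"""Translate POSIX basic-regex grouping to Python syntax: \( \) become
    ( ) and bare ( ) become literal \( \).  Other escapes pass through."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "()":
            out.append(pattern[i + 1])
            i += 2
        elif ch in "()":
            out.append("\\" + ch)
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def escape_filter_value(value):
    r"""RFC 4515 escaping for a value substituted into a search filter, so a
    principal containing * ( ) or \ cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def map_sasl_identity(identity, regex, base_template, filter_template):
    r"""Return (search base, filter) the server would use for a SASL
    identity, or None when the mapping's regex does not match it.
    \1, \2 ... in the templates stand for the regex groups."""
    match = re.fullmatch(bre_to_python(regex), identity)
    if match is None:
        return None

    def fill(template, escape):
        return re.sub(r"\\(\d)",
                      lambda g: escape(match.group(int(g.group(1)))),
                      template)

    base = fill(base_template, lambda s: s)     # DN escaping not shown here
    return base, fill(filter_template, escape_filter_value)


def keytab_readable(mode, file_uid, file_gid, uid, groups):
    """True when a non-root process running as uid with these groups can
    read a file whose stat reports mode/file_uid/file_gid.  Unix rule:
    owner bits if owner, else group bits if member, else other bits."""
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


if __name__ == "__main__":
    # Constructed identities; bsmith@AFB.LAN is the one from the post.
    for ident in ("bsmith@AFB.LAN", "bsmith", "bsmith@OTHER.LAN"):
        print(ident, "->",
              map_sasl_identity(ident, POSTED_REGEX, BASE_DN, POSTED_FILTER),
              "| pinned:",
              map_sasl_identity(ident, PINNED_REGEX, BASE_DN, POSTED_FILTER))
    # Constructed stat values: keytab 0600 root:root versus 0640 root:99,
    # read by a server running as uid 99 (hypothetical uid).
    print("0600 root:root readable by uid 99:", keytab_readable(0o600, 0, 0, 99, [99]))
    print("0640 root:99  readable by uid 99:", keytab_readable(0o640, 0, 99, 99, [99]))
```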
From patrick.morris at hp.com  Wed Jul 25 16:07:13 2007
From: patrick.morris at hp.com (Morris, Patrick)
Date: Wed, 25 Jul 2007 12:07:13 -0400
Subject: [Fedora-directory-users] Windows Sync NT4 Search Base?
In-Reply-To: <20070725132802.M45815@mail.txwes.edu>
References: <20070725132802.M45815@mail.txwes.edu>
Message-ID:

> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-
> directory-users-bounces at redhat.com] On Behalf Of Glenn
> Sent: Wednesday, July 25, 2007 6:36 AM
> To: Fedora DS List
> Subject: [Fedora-directory-users] Windows Sync NT4 Search Base?
>
> I finally can communicate with the ldap service on my NT4 test machine,
> although without SSL. Now I need to know what search base to use.
> dc=mydomain,dc=edu doesn't work, and I have a feeling it is something unique
> to Windows NT rather than something unique to my installation. Anyone got a
> clue? Thanks. -Glenn.
>
> # ldapsearch -v -H ldap://nt4testbox.mydomain.edu -D "uid=admin,ou=system" -b "dc=mydomain,dc=edu"
> ldap_initialize( ldap://nt4testbox.mydomain.edu )
> ldap_sasl_interactive_bind_s: No such attribute (16)

Try using the ldapsearch provided with Fedora DS, or use the "-x" switch with the OpenLDAP version of ldapsearch you're currently using to disable SASL authentication.

From mjdshop at earthlink.net  Wed Jul 25 19:11:19 2007
From: mjdshop at earthlink.net (MJD Shop Account)
Date: Wed, 25 Jul 2007 15:11:19 -0400 (GMT-04:00)
Subject: [Fedora-directory-users] FDS, Kerberos, SASL confusion
Message-ID: <13303221.1185390679846.JavaMail.root@elwamui-milano.atl.sa.earthlink.net>

>#klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: bsmith at AFB.LAN
>
>#ldapsearch -Y GSSAPI -D "uid=bsmith,ou=People,dc=afb,dc=lan" -v

No credentials?? or did you just edit out the result of klist?
You should see at the very least a ticket-granting ticket

>2. Do I need a host principal for every client?
>

This I am pretty sure is a 'yes you do'

-Marty

From glenn at mail.txwes.edu  Wed Jul 25 19:46:43 2007
From: glenn at mail.txwes.edu (Glenn)
Date: Wed, 25 Jul 2007 14:46:43 -0500
Subject: [Fedora-directory-users] Windows Sync NT4 Search Base?
In-Reply-To:
References: <20070725132802.M45815@mail.txwes.edu>
Message-ID: <20070725194108.M79045@mail.txwes.edu>

---------- Original Message -----------
From: "Morris, Patrick"
To: "General discussion list for the Fedora Directory server project."
Sent: Wed, 25 Jul 2007 12:07:13 -0400
Subject: RE: [Fedora-directory-users] Windows Sync NT4 Search Base?

> > -----Original Message-----
> > From: fedora-directory-users-bounces at redhat.com [mailto:fedora-
> > directory-users-bounces at redhat.com] On Behalf Of Glenn
> > Sent: Wednesday, July 25, 2007 6:36 AM
> > To: Fedora DS List
> > Subject: [Fedora-directory-users] Windows Sync NT4 Search Base?
> >
> > I finally can communicate with the ldap service on my NT4 test machine,
> > although without SSL. Now I need to know what search base to use.
> > dc=mydomain,dc=edu doesn't work, and I have a feeling it is something unique
> > to Windows NT rather than something unique to my installation. Anyone got a
> > clue? Thanks. -Glenn.
> >
> > # ldapsearch -v -H ldap://nt4testbox.mydomain.edu -D "uid=admin,ou=system" -b "dc=mydomain,dc=edu"
> > ldap_initialize( ldap://nt4testbox.mydomain.edu )
> > ldap_sasl_interactive_bind_s: No such attribute (16)
>
> Try using the ldapsearch provided with Fedora DS, or use the "-x" switch
> with the OpenLDAP version of ldapsearch you're currently using to
> disable SASL authentication.
>
------- End of Original Message -------

Thanks so much for the info.
The -x switch did the trick. While I was waiting for an answer, I discovered from reading the manual that the search base on the NT server should be whatever you put in the usersync.conf file after "server.db.partition.suffix.usersync=", so I tried that, and it worked! Now on to the next question (stay tuned). -G.

From glenn at mail.txwes.edu  Wed Jul 25 20:30:21 2007
From: glenn at mail.txwes.edu (Glenn)
Date: Wed, 25 Jul 2007 15:30:21 -0500
Subject: [Fedora-directory-users] Windows Sync or Replication with NT4?
Message-ID: <20070725194706.M80130@mail.txwes.edu>

O.K., so now I can search the NT4 LDAP service using ldapsearch from a Linux machine, but I still can't get that confounded sync agreement to work. I have read the Windows Sync manual several times, and it implies heavily that you should be able to create a Windows Sync agreement with NT4. But no matter what I try, I get "unable to contact Active Directory server" after filling out the sync agreement form.

Just for kicks, I decided to try creating a "Replication Agreement" as opposed to a "Windows Sync" agreement. Oddly enough, I can carry this through to completion, with the Fedora server as supplier and the NT server as consumer (this is what we need anyway). But immediately after completing the agreement, the replica fails to initialize.

All suggestions warmly accepted. Thanks. -Glenn.

ldapsearch options that work:
# ldapsearch -v -H ldap://nt4testbox.mydomain.edu -x -D "uid=admin,ou=system" -w password -b "o=mydomain.edu"

Windows Sync form options
Error: Unable to contact Active Directory server, continue?
Windows Domain Name: mydomain.edu Sync New Windows Users: unchecked Sync New Windows Groups: unchecked Windows Subtree: o=mydomain.edu DS Subtree: o=mydomain.edu Domain Controller Host: nt4testbox Port Num: 389 Using Encrypted SSL Connection: not checked Bind As: uid=admin,ou=system Password: password Subtree: o=mydomain.edu Replication Agreement options Error: Replication error acquiring replica: unknown error. Error code 255. Supplier (filled in already): fdserver.mydomain.edu:636 Consumer: nt4testbox.mydomain.edu:389 Using encrypted SSL connection: unchecked Simple authentication: checked Bind as: uid=admin,ou=system Password: password Enable fractional replication: unchecked Always keep directories in sync: checked Initialize consumer now: checked From hintermayer.johannes at afb.de Thu Jul 26 06:44:24 2007 From: hintermayer.johannes at afb.de (Hintermayer Johannes) Date: Thu, 26 Jul 2007 08:44:24 +0200 Subject: [Fedora-directory-users] FDS, Kerberos, SASL confusion In-Reply-To: <13303221.1185390679846.JavaMail.root@elwamui-milano.atl.sa.earthlink.net> References: <13303221.1185390679846.JavaMail.root@elwamui-milano.atl.sa.earthlink.net> Message-ID: <1185432264.3145.13.camel@tecra01.afb.lan> Hi Marty and Rob, thanks for your answers. The FDS user indeed wasn't able to access /etc/krb5.keytab. 
After I changed that, the error message changed to:

[root@vafbds01 ~]# ldapsearch -Y GSSAPI -D "uid=bsmith,ou=People,dc=afb,dc=lan" -v
ldap_initialize( )
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-14): authorization failure:

My klist is as follows:

[root@vafbds01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bsmith@AFB.LAN

Valid starting     Expires            Service principal
07/26/07 08:35:05  07/27/07 08:33:33  krbtgt/AFB.LAN@AFB.LAN

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

After that it changes to

[root@vafbds01 tmp]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bsmith@AFB.LAN

Valid starting     Expires            Service principal
07/26/07 08:41:36  07/27/07 08:39:33  krbtgt/AFB.LAN@AFB.LAN
07/26/07 08:41:40  07/27/07 08:39:33  ldap/vafbds01.afb.lan@AFB.LAN

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

So, at least I do get a ticket for ldap.

When I run "kinit bsmith" I get the following log message on my Kerberos Server:

Jul 26 08:35:05 vafbkrb01 krb5kdc[13704](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.50.2: ISSUE: authtime 1185431705, etypes {rep=16 tkt=16 ses=16}, bsmith@AFB.LAN for krbtgt/AFB.LAN@AFB.LAN
Jul 26 08:35:05 vafbkrb01 krb5kdc[13704](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.50.2: ISSUE: authtime 1185431705, etypes {rep=16 tkt=16 ses=16}, bsmith@AFB.LAN for krbtgt/AFB.LAN@AFB.LAN

When I run "testsaslauthd -s ldap -u bsmith -p letmein" I see the following log entries:

Jul 26 08:36:37 vafbkrb01 krb5kdc[13704](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.50.2: ISSUE: authtime 1185431797, etypes {rep=16 tkt=16 ses=16}, bsmith@AFB.LAN for krbtgt/AFB.LAN@AFB.LAN
Jul 26 08:36:37 vafbkrb01 krb5kdc[13704](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.50.2: ISSUE: authtime 1185431797, etypes {rep=16 tkt=16 ses=16}, bsmith@AFB.LAN for krbtgt/AFB.LAN@AFB.LAN
Jul 26 08:36:37 vafbkrb01 krb5kdc[13704](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.50.2: ISSUE: authtime 1185431797, etypes {rep=16 tkt=16 ses=16}, bsmith@AFB.LAN for host/vafbds01.afb.lan@AFB.LAN
Jul 26 08:36:37 vafbkrb01 krb5kdc[13704](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.50.2: ISSUE: authtime 1185431797, etypes {rep=16 tkt=16 ses=16}, bsmith@AFB.LAN for host/vafbds01.afb.lan@AFB.LAN

How do I have to set the password for the user bsmith in FDS? The current setting is:

{SASL}bmsith@AFB.LAN

Is that correct?

Regards,

Johannes Hintermayer

From cloudyvdb at gmail.com Thu Jul 26 12:18:05 2007
From: cloudyvdb at gmail.com (thierry vandenbroucke)
Date: Thu, 26 Jul 2007 09:18:05 -0300
Subject: [Fedora-directory-users] Samba + Fedora-DS
Message-ID:

Hello folks,

I'm having problems setting up samba with fedora-ds; I'm following the samba how-to. The problem follows:

net groupmap add rid=512 ntgroup='Domain Admins' unixgroup='Domain Admins'

I get the following error

Can't lookup UNIX group DomainAdmins

I'm using fedora core 6

Thanks,
Thierry Vanden Broucke

From rcritten at redhat.com Thu Jul 26 12:43:39 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 26 Jul 2007 08:43:39 -0400
Subject: [Fedora-directory-users] FDS, Kerberos, SASL confusion
In-Reply-To: <1185432264.3145.13.camel@tecra01.afb.lan>
References: <13303221.1185390679846.JavaMail.root@elwamui-milano.atl.sa.earthlink.net> <1185432264.3145.13.camel@tecra01.afb.lan>
Message-ID: <46A896FB.2010908@redhat.com>

Hintermayer Johannes wrote:
> Hi Marty and Rob,
>
> thanks for your answers.
>
> The FDS user indeed wasn't able to access /etc/krb5.keytab. After I changed that, the error message changed to:
>
> [root@vafbds01 ~]# ldapsearch -Y GSSAPI -D "uid=bsmith,ou=People,dc=afb,dc=lan" -v
> ldap_initialize( )
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>         additional info: SASL(-14): authorization failure:
>

Have you seen this: http://directory.fedoraproject.org/wiki/Howto:Kerberos

rob

From srigler at marathonoil.com Thu Jul 26 12:43:46 2007
From: srigler at marathonoil.com (Steve Rigler)
Date: Thu, 26 Jul 2007 07:43:46 -0500
Subject: [Fedora-directory-users] db2bak Question
Message-ID: <1185453826.6378.13.camel@houuc8>

We use Netbackup for our backup environment and I'd like to incorporate "db2bak" into our bpstart_notify script (which is run every time a backup starts). The one thing I've noticed is these messages that appear in syslog when db2bak is run:

ns-slapd: sql_select option missing
ns-slapd: auxpropfunc error no mechanism available

Are these messages indicative of a problem? This is on RHEL4 U4 on an AMD64 system using Fedora DS 1.0.4.
Thanks,
Steve

From rmeggins at redhat.com Thu Jul 26 12:39:54 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 26 Jul 2007 06:39:54 -0600
Subject: [Fedora-directory-users] db2bak Question
In-Reply-To: <1185453826.6378.13.camel@houuc8>
References: <1185453826.6378.13.camel@houuc8>
Message-ID: <46A8961A.2000901@redhat.com>

Steve Rigler wrote:
> We use Netbackup for our backup environment and I'd like to incorporate "db2bak" into our bpstart_notify script (which is run every time a backup starts). The one thing I've noticed is these messages that appear in syslog when db2bak is run:
>
> ns-slapd: sql_select option missing
> ns-slapd: auxpropfunc error no mechanism available
>
> Are these messages indicative of a problem? This is on RHEL4 U4 on an AMD64 system using Fedora DS 1.0.4.
>

I think you can ignore these. We do not use the sasl sql auxprop code. Do you see those at normal ns-slapd startup, or only in db2bak mode?

From srigler at marathonoil.com Thu Jul 26 12:55:16 2007
From: srigler at marathonoil.com (Steve Rigler)
Date: Thu, 26 Jul 2007 07:55:16 -0500
Subject: [Fedora-directory-users] db2bak Question
In-Reply-To: <46A8961A.2000901@redhat.com>
References: <1185453826.6378.13.camel@houuc8> <46A8961A.2000901@redhat.com>
Message-ID: <1185454516.6378.17.camel@houuc8>

On Thu, 2007-07-26 at 06:39 -0600, Richard Megginson wrote:
> I think you can ignore these. We do not use the sasl sql auxprop code.
> Do you see those at normal ns-slapd startup, or only in db2bak mode?

I see them both at startup and when db2bak is run. It doesn't look like it's preventing anything from working since ns-slapd starts fine and the backup files are created.

-Steve

From hintermayer.johannes at afb.de Thu Jul 26 13:04:26 2007
From: hintermayer.johannes at afb.de (Hintermayer Johannes)
Date: Thu, 26 Jul 2007 15:04:26 +0200
Subject: [Fedora-directory-users] FDS, Kerberos, SASL confusion
In-Reply-To: <46A896FB.2010908@redhat.com>
References: <13303221.1185390679846.JavaMail.root@elwamui-milano.atl.sa.earthlink.net> <1185432264.3145.13.camel@tecra01.afb.lan> <46A896FB.2010908@redhat.com>
Message-ID: <1185455066.3110.6.camel@tecra01.afb.lan>

Hi Rob,

yes, I did follow this one and do have a SASL mapping. Is that really anything I need? What about the configuration of saslauthd? For now I have the following configuration:

/etc/sysconfig/saslauthd
SOCKETDIR=/var/run/saslauthd
MECH=kerberos5
FLAGS=

/usr/lib/sasl2/slapd.conf
mech_list: plain gssapi digest-md5 cram-md5 external
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
keytab: /etc/krb5.keytab

SASL Mapping:
nssaslmapfiltertemplate: (uid=\1)
nssaslmapregexstring: \(.*\)@\(.*\)

Regards,

Johannes Hintermayer
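To see what the SASL mapping posted above does with a GSSAPI identity, here is an added Python illustration (not Directory Server code) that applies the posted nsSaslMapRegexString and nsSaslMapFilterTemplate to a few identities. The base-DN template dc=afb,dc=lan is an assumption, since the post shows only the regex and the filter template; the RFC 4515 filter escaping and the realm-pinned variant are this example's own additions.

```python
"""Simulate the SASL identity-mapping step from the thread above.

Directory Server takes the SASL/GSSAPI identity (e.g. bsmith@AFB.LAN), matches
it against nsSaslMapRegexString, and substitutes the captured groups into the
base-DN and filter templates; the resulting search must return exactly one
entry. This file is an added illustration, not Directory Server code.
"""
import re

# Regex and filter template exactly as Johannes posted them. The base-DN
# template is not on the page; dc=afb,dc=lan is an assumption for this example.
SASL_MAP = {
    "regex": r"\(.*\)@\(.*\)",
    "base_template": "dc=afb,dc=lan",
    "filter_template": r"(uid=\1)",
}

# Variant (this example's addition) that pins the realm: the posted regex
# captures the realm in \2, but (uid=\1) never uses it, so "bsmith" from any
# realm would map to the same uid=bsmith entry.
SASL_MAP_REALM_PINNED = dict(SASL_MAP, regex=r"^\(.*\)@AFB\.LAN$")

# RFC 4515 escaping for values placed inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape filter metacharacters so a captured group cannot change the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def bre_to_python(pattern: str) -> str:
    """Translate POSIX BRE group delimiters \\( and \\) into Python groups.

    Only the group syntax differs for the regexes used here.
    """
    return pattern.replace(r"\(", "(").replace(r"\)", ")")


def map_sasl_identity(authz_id: str, mapping: dict, escape: bool = True):
    """Return (base_dn, search_filter) for authz_id, or None when it does not match.

    escape=False shows the raw substitution; keep the default outside demos.
    """
    match = re.search(bre_to_python(mapping["regex"]), authz_id)
    if match is None:
        return None
    groups = match.groups()

    def expand(template: str, do_escape: bool) -> str:
        # Replace \1..\9 in the template with the corresponding captured group.
        def repl(mo):
            value = groups[int(mo.group(1)) - 1]
            return escape_filter_value(value) if do_escape else value
        return re.sub(r"\\([1-9])", repl, template)

    # A DN template would need RFC 4514 (DN) escaping rather than filter
    # escaping; the base template used here contains no backreference.
    base_dn = expand(mapping["base_template"], do_escape=False)
    search_filter = expand(mapping["filter_template"], do_escape=escape)
    return base_dn, search_filter


if __name__ == "__main__":
    for ident in ("bsmith@AFB.LAN", "bsmith", "bsmith@OTHER.LAN", "*)(uid=*@AFB.LAN"):
        print(f"{ident!r:24} posted map   -> {map_sasl_identity(ident, SASL_MAP)}")
        print(f"{ident!r:24} realm-pinned -> {map_sasl_identity(ident, SASL_MAP_REALM_PINNED)}")
```

A mapping is only usable when the search returns exactly one entry, so a filter on uid alone also depends on uid being unique under the base DN.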
From jamesdeuchar at hotmail.com Thu Jul 26 15:23:24 2007
From: jamesdeuchar at hotmail.com (James Deuchar)
Date: Thu, 26 Jul 2007 16:23:24 +0100
Subject: [Fedora-directory-users] Configuration Directory Question
Message-ID:

Hi,

I've got what I thought was a relatively simple DS setup with two master DS servers doing master-master replication. In the future slaves may be added into the equation.

Initially I installed both servers the same - as standalone DS' each with its own admin server and 'in-house' o=NetscapeRoot configuration directory.

Reading some of the Redhat docs on 'Configuration decisions' it talks about having the configuration directory in a separate directory instance - based on what I've seen from the DS setup script this implies supplying those details during the install of the real DS instances that will contain the data.

Is my understanding correct? Does this mean I should be installing an independent configuration directory on both masters and setup replication between them to provide a redundant configuration directory alongside the redundant data directories?

If so is the install procedure reasonable?:

- install fedora RPM on server 1
- Run setup script to create server 1 config directory
- Run ds_newinst.pl to create data directory on the same server pointing it to the local config directory during setup
- Repeat on server 2
- Setup replication on data masters and on config directories

Many thanks!

From kingttx at tomslinux.homelinux.org Thu Jul 26 14:45:38 2007
From: kingttx at tomslinux.homelinux.org (Thomas King)
Date: Thu, 26 Jul 2007 09:45:38 -0500 (CDT)
Subject: [Fedora-directory-users] db2bak Question
In-Reply-To: <1185454516.6378.17.camel@houuc8>
References: <1185453826.6378.13.camel@houuc8> <46A8961A.2000901@redhat.com> <1185454516.6378.17.camel@houuc8>
Message-ID: <5089.143.166.226.43.1185461138.squirrel@tomslinux.homelinux.org>

> I see them both at startup and when db2bak is run. It doesn't look like it's preventing anything from working since ns-slapd starts fine and the backup files are created.
>
> -Steve

This is a bit of a tangent, but have you confirmed the backup files are valid?

From rmeggins at redhat.com Thu Jul 26 15:33:37 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 26 Jul 2007 09:33:37 -0600
Subject: [Fedora-directory-users] Configuration Directory Question
In-Reply-To:
References:
Message-ID: <46A8BED1.40008@redhat.com>

James Deuchar wrote:
> Hi,
>
> I've got a what I thought was a relatively simple DS setup with two master DS servers doing master-master replication. In the future slaves may be added into the equation.
>
> Initially I installed both servers the same - as standalone DS' each with it's own admin server and 'in-house' o=NetscapeRoot configuration directory.
>
> Reading some of the Redhat docs on 'Configuration decisions' it talks about having the configuration directory in a separate directory instance - based on what I've seen from the DS setup script this implies supplying those details during the install of the real DS instances that will contain the data.
>
> Is my understanding correct? Does this mean I should be installing an independent configuration directory on both masters and setup replication between them to provide a redundant configuration directory alongside the redundant data directories?

For small deployments, you can have your config DS and data DS be the same.

> If so is the install procedure reasonable?:
>
> - install fedora RPM on server 1
> - Run setup script to create server 1 config directory
> - Run ds_newinst.pl to create data directory on the same server pointing it to the local config directory during setup
> - Repeat on server 2
> - Setup replication on data masters and on config directories

Sure.

> Many thanks!

From jamesdeuchar at hotmail.com Thu Jul 26 15:59:22 2007
From: jamesdeuchar at hotmail.com (James Deuchar)
Date: Thu, 26 Jul 2007 16:59:22 +0100
Subject: [Fedora-directory-users] Configuration Directory Question
Message-ID:

Thanks for the swift response - size depends on the success of the project - am tempted to go with external config directory assuming I can get it working...

I tried the procedure I listed below i.e. installed the RPM, ran setup to create a 'dsconfig' instance on port 5555.

Then I created a master.inf file for inputting into the ds_newinst.pl script:

[General]
FullMachineName= server1.jamesd.com
SuiteSpotUserID= ldap
ServerRoot= /opt/fedora-ds
ConfigDirectoryAdminID= admin
ConfigDirectoryAdminPwd= blah
ConfigDirectoryLdapURL= ldap://server1.jamesd.com:5555/o=NetscapeRoot
AdminDomain= jamesd.com

[slapd]
ServerPort= 389
ServerIdentifier= master01
Suffix= dc=jamesd,dc=com
RootDN= cn=Directory Manager
RootDNPwd= blah
UserExistingMC=1

When I ran that it seemed to work - instance called master01 was created and is running.

When running the console though, it's not listed - only the Administration Server and 'dsconfig' Directory Server instance.

How can I make the master01 instance appear in the admin console and also verify that master01 is using dsconfig to store its configuration data?

Thanks again
From rmeggins at redhat.com Thu Jul 26 16:03:28 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 26 Jul 2007 10:03:28 -0600
Subject: [Fedora-directory-users] Configuration Directory Question
In-Reply-To:
References:
Message-ID: <46A8C5D0.3010200@redhat.com>

James Deuchar wrote:
> Thanks for the swift response - size depends on the success of the project - am tempted to go with external config directory assuming I can get it working...
>
> I tried to the procedure I listed below i.e. installed the RPM, ran setup to create a 'dsconfig' instance on port 5555.
>
> Then I created a master.inf file for inputing into the ds_newinst.pl script:
>
> [General]
> FullMachineName= server1.jamesd.com
> SuiteSpotUserID= ldap
> ServerRoot= /opt/fedora-ds
> ConfigDirectoryAdminID= admin
> ConfigDirectoryAdminPwd= blah
> ConfigDirectoryLdapURL= ldap://server1.jamesd.com:5555/o=NetscapeRoot
> AdminDomain= jamesd.com
>
> [slapd]
> ServerPort= 389
> ServerIdentifier= master01
> Suffix= dc=jamesd,dc=com
> RootDN= cn=Directory Manager
> RootDNPwd= blah
> UserExistingMC=1

This should be "UseExistingMC" not "User"

> When I ran that it seemed to work - instance called master01 was created and is running.
>
> When running the console though, it's not listed - only the Administration Server and 'dsconfig' Directory Server instance.
>
> How can I make the master01 instance appear in the admin console and also verify that master01 is using dsconfig to stores is configuration data?
>
> Thanks again
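An INI-style parser silently ignores a misspelled key such as the UserExistingMC above, so a pre-flight check of the .inf catches the slip before ds_newinst.pl runs. The following Python script is an added example, not part of Fedora DS: its list of known keys is taken from the master.inf posted in this thread, and the cross-checks on UseExistingMC, ConfigDirectoryLdapURL and the plaintext password keys are the example's own rules, not documented ds_newinst.pl behaviour.

```python
"""Sanity-check a ds_newinst.pl .inf file before running it.

Added example, not part of Fedora Directory Server. KNOWN_KEYS is taken from
the master.inf posted in this thread (with the corrected UseExistingMC); the
cross-checks at the end are this example's own rules, not documented
ds_newinst.pl behaviour. A misspelled key is simply ignored by an INI parser,
which is how a typo can produce an instance that runs but is not registered
with the intended configuration directory.
"""
import configparser
import difflib

# Keys from the posted master.inf, per section.
KNOWN_KEYS = {
    "General": {
        "FullMachineName", "SuiteSpotUserID", "ServerRoot",
        "ConfigDirectoryAdminID", "ConfigDirectoryAdminPwd",
        "ConfigDirectoryLdapURL", "AdminDomain",
    },
    "slapd": {
        "ServerPort", "ServerIdentifier", "Suffix", "RootDN", "RootDNPwd",
        "UseExistingMC",
    },
}
# Values that are credentials; the .inf holds them in plaintext.
SECRET_KEYS = {"ConfigDirectoryAdminPwd", "RootDNPwd"}

# Constructed copy of the .inf as posted, including the typo.
POSTED_INF = """\
[General]
FullMachineName= server1.jamesd.com
SuiteSpotUserID= ldap
ServerRoot= /opt/fedora-ds
ConfigDirectoryAdminID= admin
ConfigDirectoryAdminPwd= blah
ConfigDirectoryLdapURL= ldap://server1.jamesd.com:5555/o=NetscapeRoot
AdminDomain= jamesd.com

[slapd]
ServerPort= 389
ServerIdentifier= master01
Suffix= dc=jamesd,dc=com
RootDN= cn=Directory Manager
RootDNPwd= blah
UserExistingMC=1
"""


def check_inf(text):
    """Return (errors, warnings) for the .inf text; empty errors means usable."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the CamelCase key names as written
    parser.read_string(text)
    errors, warnings = [], []

    for section, keys in KNOWN_KEYS.items():
        if not parser.has_section(section):
            errors.append(f"missing section [{section}]")
            continue
        lower_known = {k.lower() for k in keys}
        for key, value in parser.items(section):
            if key.lower() not in lower_known:
                msg = f"[{section}] unknown key {key}"
                hint = difflib.get_close_matches(key, keys, n=1)
                if hint:
                    msg += f" (did you mean {hint[0]}?)"
                errors.append(msg)
            elif key in SECRET_KEYS and value:
                warnings.append(f"[{section}] {key} is stored in plaintext; "
                                "restrict the file's permissions and delete it after use")
    for section in parser.sections():
        if section not in KNOWN_KEYS:
            errors.append(f"unknown section [{section}]")

    # Example's own cross-check: reusing an existing configuration directory
    # (UseExistingMC=1) only makes sense when its LDAP URL is given and names
    # the o=NetscapeRoot configuration suffix, as in the posted file.
    if parser.get("slapd", "UseExistingMC", fallback="0") == "1":
        url = parser.get("General", "ConfigDirectoryLdapURL", fallback="")
        if not url:
            errors.append("[General] UseExistingMC=1 but ConfigDirectoryLdapURL is missing")
        elif not url.lower().endswith("/o=netscaperoot"):
            errors.append(f"[General] ConfigDirectoryLdapURL does not name o=NetscapeRoot: {url}")
    return errors, warnings


if __name__ == "__main__":
    for label, text in (("as posted", POSTED_INF),
                        ("corrected", POSTED_INF.replace("UserExistingMC", "UseExistingMC"))):
        errors, warnings = check_inf(text)
        print(f"{label}: {len(errors)} error(s), {len(warnings)} warning(s)")
        for line in errors + warnings:
            print("  " + line)
```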
From srigler at marathonoil.com Thu Jul 26 17:19:21 2007
From: srigler at marathonoil.com (Steve Rigler)
Date: Thu, 26 Jul 2007 12:19:21 -0500
Subject: [Fedora-directory-users] db2bak Question
In-Reply-To: <5089.143.166.226.43.1185461138.squirrel@tomslinux.homelinux.org>
References: <1185453826.6378.13.camel@houuc8> <46A8961A.2000901@redhat.com> <1185454516.6378.17.camel@houuc8> <5089.143.166.226.43.1185461138.squirrel@tomslinux.homelinux.org>
Message-ID: <1185470361.6378.41.camel@houuc8>

On Thu, 2007-07-26 at 09:45 -0500, Thomas King wrote:
> > I see them both at startup and when db2bak is run. It doesn't look like it's preventing anything from working since ns-slapd starts fine and the backup files are created.
> >
> > -Steve
>
> This is a bit of a tangent, but have you confirmed the backup files are valid?

I haven't had the opportunity to try it yet. Hopefully I'll be able to get around to it in the next few days.

From jamesdeuchar at hotmail.com Thu Jul 26 17:33:48 2007
From: jamesdeuchar at hotmail.com (James Deuchar)
Date: Thu, 26 Jul 2007 18:33:48 +0100
Subject: [Fedora-directory-users] Configuration Directory Question
Message-ID:

Thanks for your patience - and apologies for that rookie typo error.

Fixed that and retried a few times but still to no avail - new instance is created and running ok but doesn't show up in the admin console. Where does the admin server get this list of servers etc from (and will that info help me!?).

If I install an instance on server2 and point it towards the config instance on server1 as part of the setup script then it does appear in the console and all is well in my DS world...

Seems only to cause problems when I'm trying to create a new data instance (using ds_newinst.pl) on the server1 when the config instance (created during install/setup) is already there. If there were an option to create a new instance via the console and specify a separate configuration directory it'd be easy...presumably!

Is this the normal way to do this?

Kind regards,

James

From kingttx at tomslinux.homelinux.org Thu Jul 26 18:03:44 2007
From: kingttx at tomslinux.homelinux.org (Thomas King)
Date: Thu, 26 Jul 2007 13:03:44 -0500 (CDT)
Subject: [Fedora-directory-users] db2bak Question
In-Reply-To: <1185470361.6378.41.camel@houuc8>
References: <1185453826.6378.13.camel@houuc8> <46A8961A.2000901@redhat.com> <1185454516.6378.17.camel@houuc8> <5089.143.166.226.43.1185461138.squirrel@tomslinux.homelinux.org> <1185470361.6378.41.camel@houuc8>
Message-ID: <20260.143.166.226.41.1185473024.squirrel@tomslinux.homelinux.org>

> On Thu, 2007-07-26 at 09:45 -0500, Thomas King wrote:
>> > I see them both at startup and when db2bak is run. It doesn't look like it's preventing anything from working since ns-slapd starts fine and the backup files are created.
>> >
>> > -Steve
>>
>> This is a bit of a tangent, but have you confirmed the backup files are valid?
>
> I haven't had the opportunity to try it yet. Hopefully I'll be able to get around to it in the next few days.

Aye, I'd check it out to ensure the backup script worked, especially in light of the error messages. I'll have to claim ignorance since I am not familiar with the script and if it has a validation process.
From rmeggins at redhat.com Thu Jul 26 17:59:56 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 26 Jul 2007 11:59:56 -0600 Subject: [Fedora-directory-users] Configuration Directory Question In-Reply-To: References: Message-ID: <46A8E11C.7070402@redhat.com> James Deuchar wrote: > Thanks for your patience - and apoloiges for that rookie typo error. > > Fixed that and retried a few times but still to no avail - new > instance is created and running ok but doesn't show up in the admin > console. Where does the admin server get this list of servers etc from > (and will that info help me!?). /opt/fedora-ds/shared/config/dbswitch.conf points to only one config DS at a time. There is no provision for multiple active config DS or automatic failover. > > If I install an instance on server2 and point it towards the config > instance on server1 as part of the setup script then it does appear in > the console and all is well in my DS world... > > Seems only to cause problems when I'm trying to create a new data > instance (using ds_newinst.pl) on the server1 when the config instance > (created during install/setup) is already there. If there were an > option to create a new instance via the console and specify a separate > configuration directory it'd be easy...presumably! > > Is this the normal way to do this? > > Kind regards, > > James > > > Date: Thu, 26 Jul 2007 10:03:28 -0600 > > From: rmeggins at redhat.com > > To: fedora-directory-users at redhat.com > > Subject: Re: [Fedora-directory-users] Configuration Directory Question > > > > James Deuchar wrote: > > > Thanks for the swift response - size depends on the success of the > > > project - am tempted to go with external config directory assuming I > > > can get it working... > > > > > > I tried to the procedure I listed below i.e. installed the RPM, ran > > > setup to create a 'dsconfig' instance on port 5555. 
> > > Then I created a master.inf file for inputting into the ds_newinst.pl script:
> > > [General]
> > > FullMachineName= server1.jamesd.com
> > > SuiteSpotUserID= ldap
> > > ServerRoot= /opt/fedora-ds
> > > ConfigDirectoryAdminID= admin
> > > ConfigDirectoryAdminPwd= blah
> > > ConfigDirectoryLdapURL= ldap://server1.jamesd.com:5555/o=NetscapeRoot
> > > AdminDomain= jamesd.com
> > >
> > > [slapd]
> > > ServerPort= 389
> > > ServerIdentifier= master01
> > > Suffix= dc=jamesd,dc=com
> > > RootDN= cn=Directory Manager
> > > RootDNPwd= blah
> > > UserExistingMC=1
> > This should be "UseExistingMC" not "User"
> > > When I ran that it seemed to work - instance called master01 was > > > created and is running. > > > > > > When running the console though, it's not listed - only the > > > Administration Server and 'dsconfig' Directory Server instance. > > > > > > How can I make the master01 instance appear in the admin console and > > > also verify that master01 is using dsconfig to store its configuration > > > data? > > > > > > Thanks again > > > > > > > > > > Date: Thu, 26 Jul 2007 09:33:37 -0600 > > > > From: rmeggins at redhat.com > > > > To: fedora-directory-users at redhat.com > > > > Subject: Re: [Fedora-directory-users] Configuration Directory Question > > > > > > > > James Deuchar wrote: > > > > > Hi, > > > > > > > > > > I've got what I thought was a relatively simple DS setup with two > > > > > master DS servers doing master-master replication. In the future > > > > > slaves may be added into the equation. > > > > > > > > > > Initially I installed both servers the same - as standalone DS' each > > > > > with its own admin server and 'in-house' o=NetscapeRoot > > > configuration > > > > > directory.
> > > > > Reading some of the Redhat docs on 'Configuration decisions' it talks > > > > > about having the configuration directory in a separate directory > > > > > instance - based on what I've seen from the DS setup script this > > > > > implies supplying those details during the install of the real DS > > > > > instances that will contain the data. > > > > > > > > > > Is my understanding correct? Does this mean I should be installing an > > > > > independent configuration directory on both masters and setup > > > > > replication between them to provide a redundant configuration > > > > > directory alongside the redundant data directories? > > > > For small deployments, you can have your config DS and data DS be > > > the same. > > > > > > > > > > If so is the install procedure reasonable?: > > > > > > > > > > - install fedora RPM on server 1 > > > > > - Run setup script to create server 1 config directory > > > > > - Run ds_newinst.pl to create data directory on the same server > > > > > pointing it to the local config directory during setup > > > > > - Repeat on server 2 > > > > > - Setup replication on data masters and on config directories > > > > Sure. > > > > > > > > > > Many thanks!
From yinyang at eburg.com Thu Jul 26 18:07:55 2007 From: yinyang at eburg.com (Gordon Messmer) Date: Thu, 26 Jul 2007 11:07:55 -0700 Subject: [Fedora-directory-users] Samba + Fedora-DS In-Reply-To: References: Message-ID: <46A8E2FB.70509@eburg.com> thierry vandenbroucke wrote: > > net groupmap add rid=512 ntgroup='Domain Admins' unixgroup='Domain Admins' > > I get the following error > Can't lookup UNIX group Domain > > Admins What happens when you type: getent group 'Domain Admins' From yinyang at eburg.com Thu Jul 26 19:45:13 2007 From: yinyang at eburg.com (Gordon Messmer) Date: Thu, 26 Jul 2007 12:45:13 -0700 Subject: [Fedora-directory-users] FDS, Kerberos, SASL confusion In-Reply-To: <1185372372.3746.34.camel@tecra01.afb.lan> References: <1185372372.3746.34.camel@tecra01.afb.lan> Message-ID: <46A8F9C9.10106@eburg.com> Hintermayer Johannes wrote: > > #ldapsearch -Y GSSAPI -D "uid=bsmith,ou=People,dc=afb,dc=lan" -v > ldap_initialize( ) > SASL/GSSAPI authentication started > ldap_sasl_interactive_bind_s: Invalid credentials (49) > additional info: SASL(-1): generic failure: GSSAPI Error: > Miscellaneous failure (Permission denied) I see that having fixed your
permissions, that error is now "SASL(-14): authorization failure:". Is there any more information in the error logs? > I have tried several combinations of config files and password entries > but none worked. As far as I know, the userpassword contents are evaluated by OpenLDAP, but not by Fedora DS. That attribute's contents shouldn't make any difference when you're using GSSAPI authentication. You can delete the attribute if you're not storing an actual password. > 1. Do I need saslauthd on every client which I want to authenticate via > FDS/Kerberos? No. You don't need to configure it on the server, either. > 2. Do I need a host principal for every client? No. You don't even need one on the server for authenticating LDAP connections. > Here is my current configuration, please correct me if there are some > unneeded files (these were built together from several tutorials): > > /etc/krb5.conf That looks fine. > /etc/ldap.conf > > host 172.16.50.2 > base dc=afb,dc=lan > ssl no > tls_cacertdir /etc/openldap/cacerts > pam_password md5 > SASL_MECH GSSAPI > SASL_REALM AFB.LAN > use_sasl on > sasl_auth_id ldap/vafbds01.afb.lan I'm not sure how much of the SASL stuff is required. I don't have any of it in my own configs. Try commenting out all of the SASL related lines, and see if anything changes. > /etc/sysconfig/saslauthd You don't need saslauthd. > /usr/lib/sasl2/slapd.conf ...nor do you need this. > SASL Mapping: > nssaslmapfiltertemplate: (uid=\1) > nssaslmapregexstring: \(.*\)@\(.*\) Under what DN are you storing that? Have you tried without the '\' characters in nssaslmapregexstring? The Howto disagrees with the manual about this... I don't use '\' characters in my working configuration. > /opt/fedora-ds/slapd-vafbds01/start-slapd contains: > "export KRB5_KTNAME=/etc/krb5.keytab" In order to protect your host keytab, you should store the LDAP server's keytab in a different file. The host keytab should be readable only by root.
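Added example, not part of the thread or of Fedora DS: a shell check for the keytab advice in the reply above. It verifies that the keytab a start-slapd script exports as KRB5_KTNAME is not the shared host keytab and that it is owned by the expected user with no group/other permissions. It assumes GNU coreutils stat (Linux) and a start-slapd that exports KRB5_KTNAME on one line; all file names and users are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the list thread). The host keytab should stay
# root-only and the LDAP service principal should live in its own keytab,
# owned by the user ns-slapd runs as and unreadable by anyone else.

HOST_KEYTAB=/etc/krb5.keytab   # the file start-slapd should NOT point at

# keytab_ok FILE OWNER
# Succeeds when FILE exists, is owned by OWNER and grants no group/other
# permissions (mode 0600, 0400 or similar). Prints the reason on failure.
keytab_ok() {
    kt_file=$1
    kt_owner=$2
    if [ ! -f "$kt_file" ]; then
        echo "$kt_file: missing"
        return 1
    fi
    # GNU stat (Linux coreutils): %U owner name, %a octal mode
    kt_stat=$(stat -c '%U %a' "$kt_file") || return 1
    kt_actual_owner=${kt_stat% *}
    kt_mode=${kt_stat#* }
    if [ "$kt_actual_owner" != "$kt_owner" ]; then
        echo "$kt_file: owned by $kt_actual_owner, expected $kt_owner"
        return 1
    fi
    case "$kt_mode" in
        *00) return 0 ;;   # group and other digits are both zero
        *)   echo "$kt_file: mode $kt_mode is accessible beyond the owner"
             return 1 ;;
    esac
}

# ktname_from_script SCRIPT
# Prints the path exported as KRB5_KTNAME in a start-slapd style script
# (last assignment wins, optional double quotes stripped); fails if unset.
ktname_from_script() {
    kt_line=$(grep '^[[:space:]]*export[[:space:]]*KRB5_KTNAME=' "$1" | tail -n 1)
    [ -n "$kt_line" ] || return 1
    kt_line=${kt_line#*KRB5_KTNAME=}
    kt_line=${kt_line#\"}
    kt_line=${kt_line%\"}
    printf '%s\n' "$kt_line"
}

# slapd_keytab_ok SCRIPT OWNER
# Fails if the script points ns-slapd at the shared host keytab, or if the
# keytab it does point at fails keytab_ok.
slapd_keytab_ok() {
    kt_path=$(ktname_from_script "$1") || { echo "$1: KRB5_KTNAME not set"; return 1; }
    if [ "$kt_path" = "$HOST_KEYTAB" ]; then
        echo "$1: KRB5_KTNAME points at the host keytab $HOST_KEYTAB"
        return 1
    fi
    keytab_ok "$kt_path" "$2"
}

# Demo on constructed files in a scratch directory (no real keytabs touched).
demo() {
    d=$(mktemp -d)
    me=$(id -un)
    : > "$d/ldap.keytab";     chmod 640 "$d/ldap.keytab"     # too permissive
    : > "$d/ldap-ok.keytab";  chmod 600 "$d/ldap-ok.keytab"  # as it should be
    printf 'export KRB5_KTNAME=%s\n' "$HOST_KEYTAB"       > "$d/start-slapd.host"
    printf 'export KRB5_KTNAME="%s"\n' "$d/ldap.keytab"   > "$d/start-slapd.loose"
    printf 'export KRB5_KTNAME=%s\n' "$d/ldap-ok.keytab"  > "$d/start-slapd.good"
    for s in host loose good; do
        if slapd_keytab_ok "$d/start-slapd.$s" "$me"; then
            echo "start-slapd.$s: OK"
        fi
    done
    rm -rf "$d"
}

demo
```

In a real deployment the OWNER argument is the account ns-slapd runs as, and the host keytab check is run separately with root as the owner.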
From glenn at mail.txwes.edu Thu Jul 26 21:47:29 2007 From: glenn at mail.txwes.edu (Glenn) Date: Thu, 26 Jul 2007 16:47:29 -0500 Subject: [Fedora-directory-users] Usersync Error Message-ID: <20070726213445.M99316@mail.txwes.edu> I'm still trying to get Fedora Directory to contact an NT4 server for replication. After I fill out the Windows Sync agreement form and click "Next", the console freezes. If I go to the NT4 machine and stop the User Sync service, the console unfreezes and gives the dreaded "Unable to contact Active Directory server" message. I appear to have SSL set up correctly. An error message appears in the wrapper.log on the NT machine when I stop the User Sync service while FD is trying to make the sync agreement: java.lang.NoSuchMethodError: javax.net.ssl.SSLContext.createSSLEngine() Ljavax/net/ssl/SSLEngine; Is the Windows Sync function known to work with FDS 1.0.3 and NT4? Hoping someone can help. Thanks. -Glenn. From wilmer at fedoraproject.org Fri Jul 27 06:38:07 2007 From: wilmer at fedoraproject.org (Wilmer Jaramillo M.) Date: Fri, 27 Jul 2007 02:38:07 -0400 Subject: [Fedora-directory-users] Samba + Fedora-DS In-Reply-To: References: Message-ID: <2b26c4260707262338y57ec2bf5yd473963679cd9e52@mail.gmail.com> On 7/26/07, thierry vandenbroucke wrote: > Hello folks, > I'm having problems setting up samba with fedora-ds, I'm following the how-to > samba. > The problem follows: > > > net groupmap add rid=512 ntgroup='Domain Admins' unixgroup='Domain Admins' > > I get the following error > Can't lookup UNIX group Domain Admins I think that could be the blank-space expansion; anyway, test with the 'debuglevel' option and see whether any messages indicate the problem. -- Wilmer Jaramillo M. GPG Key Fingerprint = 0666 D0D3 24CE 8935 9C24 BBF1 87DD BEA2 A4B2 1E8A From wilmer at fedoraproject.org Fri Jul 27 06:48:23 2007 From: wilmer at fedoraproject.org (Wilmer Jaramillo M.)
Date: Fri, 27 Jul 2007 02:48:23 -0400 Subject: [Fedora-directory-users] Usersync Error In-Reply-To: <20070726213445.M99316@mail.txwes.edu> References: <20070726213445.M99316@mail.txwes.edu> Message-ID: <2b26c4260707262348tdfc83edq76e1865bfa5bfc2e@mail.gmail.com> On 7/26/07, Glenn wrote: > I'm still trying to get Fedora Directory to contact an NT4 server for > replication. After I fill out the Windows Sync agreement form and > click "Next", the console freezes. If I go to the NT4 machine and stop the > User Sync service, the console unfreezes and gives the dreaded "Unable to > contact Active Directory server" message. I appear to have SSL set up > correctly. > > An error message appears in the wrapper.log on the NT machine when I stop the > User Sync service while FD is trying to make the sync agreement: > > java.lang.NoSuchMethodError: javax.net.ssl.SSLContext.createSSLEngine() > Ljavax/net/ssl/SSLEngine; > > Is the Windows Sync function known to work with FDS 1.0.3 and NT4? Hoping > someone can help. Windows Sync over SSL works for me in an AD=>FDS environment; the only issue was importing the certificate with "mmc" on the Windows 2000 machine. 'mmc' really did not work for me, so instead I loaded it manually with the certutil command. -- Wilmer Jaramillo M. GPG Key Fingerprint = 0666 D0D3 24CE 8935 9C24 BBF1 87DD BEA2 A4B2 1E8A From ivanelterrible at ivanyvenian.com Fri Jul 27 00:01:13 2007 From: ivanelterrible at ivanyvenian.com (Ivan V.) Date: Thu, 26 Jul 2007 19:01:13 -0500 Subject: [Fedora-directory-users] Fedora Directory Server on Ubuntu, problem with libsasldb (reward) Message-ID: <46A935C9.4050004@ivanyvenian.com> Hi, I have an Ubuntu 7.04 server with Fedora Directory Server (the one for FC5) installed and running. I want to enable LDAP authentication with PAM, but it seems I have a problem with the libsasldb.so.2 library.
When ns-slapd starts it throws this error on auth.log: unable to dlopen /usr/lib/sasl2/libsasldb.so.2: undefined symbol: db_strerror_4002 After some digging, it seems it's caused by the incompatibility between my libsasldb and the one required by FDS. And when I try to login, on the same auth.log pam_ldap throws this error: ldap_simple_bind: Can't contact LDAP server Which I think is caused by the same problem, because otherwise my LDAP directory is working just fine. What version of libsasldb do I need exactly for FDS? Is it possible to install it on Ubuntu or somehow tell FDS to use one located at a different place? Are these the right questions? Reward of $100 USD to the person that helps me get LDAP authentication working (via PayPal), without suggesting I place FDS on a Fedora Core server, because this is actually for a guide (free) I'm writing to help other small companies replace Active Directory with Ubuntu/FDS/SAMBA. To be able to collect the reward and be fair, please post on this site: http://www.experts-exchange.com/Networking/Linux_Networking/Q_22724351.html I hope you don't find my request out of place. I'm just trying to learn, to help other small companies, and to give my grain of sand to the OS community. - Ivan V. From rmeggins at redhat.com Fri Jul 27 14:53:54 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 27 Jul 2007 08:53:54 -0600 Subject: [Fedora-directory-users] Fedora Directory Server on Ubuntu, problem with libsasldb (reward) In-Reply-To: <46A935C9.4050004@ivanyvenian.com> References: <46A935C9.4050004@ivanyvenian.com> Message-ID: <46AA0702.1060100@redhat.com> Ivan V. wrote: > Hi, > > I have an Ubuntu 7.04 server with Fedora Directory Server (the one for > FC5) installed and running. > > I want to enable LDAP authentication with PAM, but it seems I have a > problem with the libsasldb.so.2 library. 
> > When ns-slapd starts it throws this error on auth.log: > > unable to dlopen /usr/lib/sasl2/libsasldb.so.2: undefined symbol: > db_strerror_4002 > > After some digging, it seems it's caused by the incompatibility > between my libsasldb and the one required by FDS. What version of sasl2 is Ubuntu 7.04 using? Note that if you build your own private version of sasl, you can just put it somewhere under /opt/fedora-ds, and edit the start-slapd shell script to set LD_LIBRARY_PATH to point to libsasl2.so, and point SASL_PATH at the sasl plugins. Also, what version of Apache is Ubuntu 7.04 using? > > And when I try to login, on the same auth.log pam_ldap throws this error: > > ldap_simple_bind: Can't contact LDAP server > > Which I think is caused by the same problem, because otherwise my LDAP > directory is working just fine. > > What version of libsasldb do I need exactly for FDS? Is it possible to > install it on Ubuntu or somehow tell FDS to use one located at a > different place? Are these the right questions? > > Reward of $100 USD to the person that helps me get LDAP authentication > working (via PayPal), without suggesting I place FDS on a Fedora Core > server, because this is actually for a guide (free) I'm writing to > help other small companies replace Active Directory with > Ubuntu/FDS/SAMBA. > > To be able to collect the reward and be fair, please post on this > site: > http://www.experts-exchange.com/Networking/Linux_Networking/Q_22724351.html > > > I hope you don't find my request out of place. I'm just trying to > learn, to help other small companies, and to give my grain of sand to > the OS community. > > - Ivan V. From wilmer at fedoraproject.org Mon Jul 30 02:48:04 2007 From: wilmer at fedoraproject.org (Wilmer Jaramillo M.) Date: Sun, 29 Jul 2007 22:48:04 -0400 Subject: [Fedora-directory-users] Unlimited line width for ldapsearch Message-ID: <2b26c4260707291948r6955c084s9ae5d750b9bd1f02@mail.gmail.com> I found that ../shared/bin/ldapsearch only shows output of 76 chars per line, and the manual page does not describe how to make the output longer; I want to set the line width in order to implement filters on long 'OU' strings in Perl scripts. I also found a very simple patch for the ldapsearch of the OpenLDAP tools at: http://www.openldap.org/lists/openldap-bugs/199912/msg00099.html but OpenLDAP still does not have support for it. Probably some method of Net::LDAP can do it; I'm investigating a module or regex that can help me with this, any suggestion? Thanks. -- Wilmer Jaramillo M. GPG Key Fingerprint = 0666 D0D3 24CE 8935 9C24 BBF1 87DD BEA2 A4B2 1E8A From howard at cohtech.com Mon Jul 30 07:26:00 2007 From: howard at cohtech.com (Howard Wilkinson) Date: Mon, 30 Jul 2007 08:26:00 +0100 Subject: [Fedora-directory-users] Unlimited line width for ldapsearch In-Reply-To: <2b26c4260707291948r6955c084s9ae5d750b9bd1f02@mail.gmail.com> References: <2b26c4260707291948r6955c084s9ae5d750b9bd1f02@mail.gmail.com> Message-ID: <46AD9288.4090101@cohtech.com> Wilmer Jaramillo M. wrote: > I found that ../shared/bin/ldapsearch only shows output of 76 chars > per line, and the manual page does not describe how to make the output longer; I > want to set the line width in order to implement filters on long 'OU' strings > in Perl scripts. I also found a very simple patch for the ldapsearch of the > OpenLDAP tools at: > http://www.openldap.org/lists/openldap-bugs/199912/msg00099.html > but OpenLDAP still does not have support for it. > > Probably some method of Net::LDAP can do it; I'm investigating a > module or regex that can help me with this, any suggestion?
> Thanks. Take a look at Net::LDAP::LDIF: an option to new() called 'wrap' is normally set to 78 (one space, 76 printing characters, and the newline for continuation lines); this should give you what you want. -- Howard Wilkinson Phone: +44(20)76907075 Coherent Technology Limited Fax: 23 Northampton Square, Mobile: +44(7980)639379 United Kingdom, EC1V 0HL Email: howard at cohtech.com From ivanelterrible at ivanyvenian.com Sat Jul 28 01:09:38 2007 From: ivanelterrible at ivanyvenian.com (Ivan V.) Date: Fri, 27 Jul 2007 20:09:38 -0500 Subject: [Fedora-directory-users] Fedora Directory Server on Ubuntu, problem with libsasldb (reward) Message-ID: <46AA9752.1070704@ivanyvenian.com> Hi, Thanks for replying! sasl2 version: libsasl2-2 (2.1.22) apache2-mpm-worker: 2.2.3-3.2build1 Apparently that wasn't an issue after all, as I managed to get everything working. Ubuntu 7 + Samba PDC w/FDS as backend, DHCP, DNS w/DDNS via DHCP... my dream server! Now to implement an OpenID provider! Thanks. Ivan V. From rmeggins at redhat.com Mon Jul 30 16:03:58 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 30 Jul 2007 10:03:58 -0600 Subject: [Fedora-directory-users] Fedora Directory Server on Ubuntu, problem with libsasldb (reward) In-Reply-To: <46AA9752.1070704@ivanyvenian.com> References: <46AA9752.1070704@ivanyvenian.com> Message-ID: <46AE0BEE.5060801@redhat.com> Ivan V. wrote: > Hi, > > Thanks for replying! > > sasl2 version: libsasl2-2 (2.1.22) > apache2-mpm-worker: 2.2.3-3.2build1 > > Apparently that wasn't an issue after all, as I managed to get > everything working.
Would you be so kind as to update this page - http://directory.fedoraproject.org/wiki/Howto:DebianUbuntu - with what you have discovered, that would be of use to someone trying to reproduce what you have done? Any information would be appreciated. > > Ubuntu 7 + Samba PDC w/FDS as backend, DHCP, DNS w/DDNS via DHCP... my > dream server! Now to implement an OpenID provider! > > Thanks. > > Ivan V. From Cary_Anderson at CalPERS.ca.gov Mon Jul 30 16:38:15 2007 From: Cary_Anderson at CalPERS.ca.gov (Anderson, Cary) Date: Mon, 30 Jul 2007 09:38:15 -0700 Subject: [Fedora-directory-users] Replicating the configuration database Message-ID: <611085D774BEAE4C9E4959C53EB7A9760E4C2F74@hqk110.calpers.ca.gov> I have set up a multi-master environment with only one NetscapeRoot configuration database for all slaves and masters. Is it recommended to have only one NetscapeRoot or should that be replicated to the other master servers?
If the recommendation is to replicate the NetscapeRoot, I am a little unclear on the steps to take to copy the database to the other master so that I can set up replication. Any help would be greatly appreciated. Thanks Cary Anderson, Systems Software Specialist UNIX/Linux Services Information Technology Services Branch Technology Services & Support Division / Data Center Section System Software & Storage Infrastructure CalPERS Phone: (916) 795-2588 Fax: (916) 795-2424 From rmeggins at redhat.com Mon Jul 30 16:40:41 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 30 Jul 2007 10:40:41 -0600 Subject: [Fedora-directory-users] Replicating the configuration database In-Reply-To: <611085D774BEAE4C9E4959C53EB7A9760E4C2F74@hqk110.calpers.ca.gov> References: <611085D774BEAE4C9E4959C53EB7A9760E4C2F74@hqk110.calpers.ca.gov> Message-ID: <46AE1489.1010202@redhat.com> Anderson, Cary wrote: > > I have set up a multi-master environment with only one NetscapeRoot > configuration database for all slaves and masters. Is it recommended > to have only one NetscapeRoot or should that be replicated to the > other master servers? > If you require failover capability for the configuration data, then you should set up replication for it. > > If the recommendation is to replicate the NetscapeRoot, I am a little > unclear on the steps to take to copy the database to the other master so > that I can set up replication. > It's the same as setting up replication for userRoot. > > Any help would be greatly appreciated.
From Cary_Anderson at CalPERS.ca.gov Mon Jul 30 16:49:12 2007 From: Cary_Anderson at CalPERS.ca.gov (Anderson, Cary) Date: Mon, 30 Jul 2007 09:49:12 -0700 Subject: [Fedora-directory-users] Replicating the configuration database In-Reply-To: <46AE1489.1010202@redhat.com> Message-ID: <611085D774BEAE4C9E4959C53EB7A9760E4C2F75@hqk110.calpers.ca.gov> Thanks for the quick response. The reason for my confusion regarding setting up replication for the NetscapeRoot is that there is only one copy of the NetscapeRoot. When I use the administration console, in the configuration tab, selecting Data or Replication on the second master server, I only see the database for the userRoot, not NetscapeRoot. So what I am unclear on is how to set up replication when I don't have a NetscapeRoot database on the second master server to replicate to. Thanks Cary Anderson, Systems Software Specialist UNIX/Linux Services Information Technology Services Branch Technology Services & Support Division / Data Center Section System Software & Storage Infrastructure CalPERS Phone: (916) 795-2588 Fax: (916) 795-2424
From rmeggins at redhat.com Mon Jul 30 17:04:29 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 30 Jul 2007 11:04:29 -0600 Subject: [Fedora-directory-users] Replicating the configuration database In-Reply-To: <611085D774BEAE4C9E4959C53EB7A9760E4C2F75@hqk110.calpers.ca.gov> References: <611085D774BEAE4C9E4959C53EB7A9760E4C2F75@hqk110.calpers.ca.gov> Message-ID: <46AE1A1D.3010601@redhat.com> Anderson, Cary wrote: > Thanks for the quick response. > > The reason for my confusion regarding setting up replication for the > NetscapeRoot is that there is only one copy of the NetscapeRoot. When > I use the administration console, in the configuration tab, selecting > Data or Replication on the second master server, I only see the database > for the userRoot, not NetscapeRoot. So what I am unclear on is how to > set up replication when I don't have a NetscapeRoot database on the > second master server to replicate to. > Ok. In the Configuration tab, on the data node, select New Root Suffix, and create a suffix o=NetscapeRoot with a database named NetscapeRoot.
>>
>> Thanks
>>
>> Cary Anderson, Systems Software Specialist
>> UNIX/Linux Services
>> Information Technology Services Branch
>> Technology Services & Support Division / Data Center Section
>> System Software & Storage Infrastructure
>> CalPERS
>> Phone: (916) 795-2588
>> Fax: (916) 795-2424
>>

From Cary_Anderson at CalPERS.ca.gov Mon Jul 30 17:33:38 2007
From: Cary_Anderson at CalPERS.ca.gov (Anderson, Cary)
Date: Mon, 30 Jul 2007 10:33:38 -0700
Subject: [Fedora-directory-users] Replicating the configuration database
In-Reply-To: <46AE1A1D.3010601@redhat.com>
Message-ID: <611085D774BEAE4C9E4959C53EB7A9760E4C2F76@hqk110.calpers.ca.gov>

Thanks Richard, that got me over the hump.

Cary Anderson, Systems Software Specialist
UNIX/Linux Services
Information Technology Services Branch
Technology Services & Support Division / Data Center Section
System Software & Storage Infrastructure
CalPERS
Phone: (916) 795-2588
Fax: (916) 795-2424

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
Sent: Monday, July 30, 2007 10:04 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Replicating the configuration database

Anderson, Cary wrote:
> Thanks for the quick response.
>
> The reason for my confusion regarding setting up replication for the
> NetscapeRoot, is that there is only one copy of the NetscapeRoot.
> When I use the administration console, in the configuration tab,
> selecting Data or Replication on the second master server, I only see
> the database for the userRoot not NetscapeRoot. So what I am unclear
> on is how to setup replication when I don't have a NetscapeRoot
> database on the second master server to replicate to.
>
Ok. In the Configuration tab, on the data node, select New Root Suffix,
and create a suffix o=NetscapeRoot with a database named NetscapeRoot.

> Thanks
>
> Cary Anderson, Systems Software Specialist
> UNIX/Linux Services
> Information Technology Services Branch
> Technology Services & Support Division / Data Center Section
> System Software & Storage Infrastructure
> CalPERS
> Phone: (916) 795-2588
> Fax: (916) 795-2424
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
> Sent: Monday, July 30, 2007 9:41 AM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Replicating the configuration database
>
> Anderson, Cary wrote:
>
>> I have setup a multi-master environment with only one NetscapeRoot
>> configuration database for all slaves and masters. Is it recommended
>> to have only one NetscapeRoot or should that be replicated to the
>> other master servers.
>>
> If you require failover capability for the configuration data, then you
> should set up replication for it.
>
>> If the recommendation is to replicate the NetscapeRoot, I am a little
>> unclear on the steps to take to copy database to the other master so
>> that I can setup replication.
>>
> It's the same as setting up replication for userRoot.
>
>> Any help would be greatly appreciated.
>>
>> Thanks
>>
>> Cary Anderson, Systems Software Specialist
>> UNIX/Linux Services
>> Information Technology Services Branch
>> Technology Services & Support Division / Data Center Section
>> System Software & Storage Infrastructure
>> CalPERS
>> Phone: (916) 795-2588
>> Fax: (916) 795-2424
>>

From wilmer at fedoraproject.org Mon Jul 30 18:26:53 2007
From: wilmer at fedoraproject.org (Wilmer Jaramillo M.)
Date: Mon, 30 Jul 2007 14:26:53 -0400
Subject: [Fedora-directory-users] Unlimited line width for ldapsearch
In-Reply-To: <46AD9288.4090101@cohtech.com>
References: <2b26c4260707291948r6955c084s9ae5d750b9bd1f02@mail.gmail.com> <46AD9288.4090101@cohtech.com>
Message-ID: <2b26c4260707301126g293743b9na88fdc35d01babfc@mail.gmail.com>

On 7/30/07, Howard Wilkinson wrote:
>
> Wilmer Jaramillo M. wrote:
> I found that ../shared/bin/ldapsearch only shows output of 76 chars
> per line, and the manual page does not describe how to make the output
> longer; I want to set the line-width used to implement a filter on long
> 'OU' strings in perl scripts. Also I found a very simple patch for
> ldapsearch of the openldap tools in:
> http://www.openldap.org/lists/openldap-bugs/199912/msg00099.html
> openldap still does not have support for it.
>
> Probably some method of Net::LDAP can do it, I'm investigating a
> module or regex that can help me with this, any suggestion? thanks.
>
> Take a look at Net::LDAP::LDIF, an option to new is called 'wrap' which is
> normally set to 78 (one space, 76 printing characters, and the newline for
> continuation lines); this should give you what you want.
I'm looking to replace the following query to a Windows ADS with Perl
syntax because the output is limited by the line-width:

  my $ldapsearch = `ldapsearch -x -H ldap://$adserver -D "$aduser" -w $adpass -s sub -b "$baseDN" '(cn=*)' | grep -i "ou=" | cut -d, -f2 | grep -v -i "CN=" | uniq`;

I want to search the directory for all first-level OrganizationalUnit (ou)
entries. Just now I'm using Mozilla::LDAP::Conn with very good results;
nevertheless, the searches are very slow, anyway it does just what I need,
according to the man page:

  use strict;
  use warnings;
  use Mozilla::LDAP::Conn;
  ....   # $adserver, $adport, $aduser, $adpass and $baseDN are set here

  my $conn = Mozilla::LDAP::Conn->new($adserver, $adport, $aduser, $adpass);
  die "LDAP not connect $adserver" unless ($conn);

  org_unit($baseDN);
  $conn->close();
  exit(0);

  # Print the OUs directly under $base, then recurse into each of them.
  sub org_unit
  {
      my ($base) = @_;
      my ($entry, $dn);
      my (@ouDN, @attrs) = ();

      @attrs = ( "ou" );
      # One level at a time: with scope "sub" every recursion would list
      # all descendant OUs again, printing each of them many times over.
      my $scope  = "one";
      my $filter = "(ou=*)";

      # Search the directory for the ou entries
      $entry = $conn->search($base, $scope, $filter, 0, @attrs);
      while ($entry) {
          # Put each entry's DN into an array
          $dn = $entry->getDN();
          push (@ouDN, $dn);
          print "$dn\n";
          $entry = $conn->nextEntry();
      }
      foreach $dn (@ouDN)
      {
          org_unit($dn);
      }
  }

thanks for all.

--
Wilmer Jaramillo M.
GPG Key Fingerprint = 0666 D0D3 24CE 8935 9C24 BBF1 87DD BEA2 A4B2 1E8A

From howard at cohtech.com Mon Jul 30 18:34:27 2007
From: howard at cohtech.com (Howard Wilkinson)
Date: Mon, 30 Jul 2007 19:34:27 +0100
Subject: [Fedora-directory-users] Unlimited line width for ldapsearch
In-Reply-To: <2b26c4260707301126g293743b9na88fdc35d01babfc@mail.gmail.com>
References: <2b26c4260707291948r6955c084s9ae5d750b9bd1f02@mail.gmail.com> <46AD9288.4090101@cohtech.com> <2b26c4260707301126g293743b9na88fdc35d01babfc@mail.gmail.com>
Message-ID: <46AE2F33.2070703@cohtech.com>

Wilmer Jaramillo M. wrote:
> On 7/30/07, Howard Wilkinson wrote:
>
>> Wilmer Jaramillo M. wrote:
>> I found that ../shared/bin/ldapsearch only shows output of 76 chars
>> per line, and the manual page does not describe how to make the output
>> longer; I want to set the line-width used to implement a filter on long
>> 'OU' strings in perl scripts. Also I found a very simple patch for
>> ldapsearch of the openldap tools in:
>> http://www.openldap.org/lists/openldap-bugs/199912/msg00099.html
>> openldap still does not have support for it.
>>
>> Probably some method of Net::LDAP can do it, I'm investigating a
>> module or regex that can help me with this, any suggestion? thanks.
>>
>> Take a look at Net::LDAP::LDIF, an option to new is called 'wrap' which is
>> normally set to 78 (one space, 76 printing characters, and the newline for
>> continuation lines); this should give you what you want.
>>
>
> I'm looking to replace the following query to a Windows ADS with Perl
> syntax because the output is limited by the line-width:
> my $ldapsearch = "(ldapsearch - x - H ldap: To //$adserver - D "to
> $aduser" - w $adpass - s sub - b "$baseDN"" (cn=*) '| grep - i "ou=" |
> cut - d, - F2 | grep - v - i "CN= " | uniq)`
>
> I want to search the directory for all first-level OrganizationalUnit (ou)
> entries. Just now I'm using Mozilla::LDAP::Conn with very good results;
> nevertheless, the searches are very slow, anyway it does just what I need,
> according to the man page:
>
> use Mozilla::LDAP::Conn;
> ....
> $conn = new Mozilla::LDAP::Conn($adserver,$adport,$aduser,$adpass);
> die "LDAP not connect $adserver" unless ($conn);
>
> &org_unit($baseDN);
> exit(0);
>
> sub org_unit()
> {
>     my ($entry, $dn, $scope, $filter, $dn) = "";
>     my (@ouDN, @attrs) = ();
>
>     @attrs = ( "ou" );
>     $scope = "sub";
>     $filter = "(ou=*)";
>
>     # Search the directory for the ou entries
>     $entry = $conn->search($baseDN, $scope, $filter, 0, @attrs);
>     $cld = $conn->getLD();
>     $res = $conn->getRes();
>     $count = Mozilla::LDAP::API::ldap_count_entries($cld, $res);
>     while ($entry) {
>         # Put each entry's DN into an array
>         $ouDN = $entry->getDN();
>         push (@ouDN,$dn);
>         print "$dn\n";
>         $entry = $conn->nextEntry();
>     }
>     foreach $dn (@ouDNS)
>     {
>         &org_unit($dn)
>     }
> }
>
>
> thanks for all.
>
You should use the Net::LDAP (perl-ldap) package. Make sure you use page mode
access (pages are ~1000 entries for Windows 2000 and ~1500 for Windows 2003)
and process each record in a call back. If you set the line wrap in the
Net::LDAP::LDIF object you use to write the output you should get the results
you want.

I have production code using this technology that will process over 120,000
records in less than 15 minutes from a moderately loaded Active Directory. So
this should be good enough for what you want.

--
Howard Wilkinson              Phone:  +44(20)76907075
Coherent Technology Limited   Fax:
23 Northampton Square,        Mobile: +44(7980)639379
United Kingdom, EC1V 0HL      Email:  howard at cohtech.com

From tour9 at ece.lsu.edu Mon Jul 30 18:44:22 2007
From: tour9 at ece.lsu.edu (Saied W. Andalib)
Date: Mon, 30 Jul 2007 13:44:22 -0500
Subject: [Fedora-directory-users] Solaris client question
In-Reply-To: <20070716130211.5c798f6c@control.ece.lsu.edu>
References: <7d2291380707160913l463e620eqce20d343a6b5f648@mail.gmail.com> <469B9811.7000101@redhat.com> <20070716130211.5c798f6c@control.ece.lsu.edu>
Message-ID: <20070730134422.63e8d73f@control.ece.lsu.edu>

I have a Solaris 9 client and have configured it as a client of fds-1.0.4
which runs on RHEL5. Without TLS, the Solaris client authenticates against
the fds fine. But, if TLS is enabled on the Sun client, the ldapsearch
commands run ok, but authentication fails. The nscd logs the following
error message:

Jul 30 13:31:01 thread nscd[1172]: [ID 293258 user.error] libsldap: Status: 91 Mesg: openConnection: failed to initialize TLS security (security library: bad database.)
Jul 30 13:31:01 thread nscd[1172]: [ID 293258 user.error] libsldap: Status: 7 Mesg: Session error no available conn.

I think the problem is related to the certificates on the Sun client but
I'm not sure...

Thanks,
SWA

From rmeggins at redhat.com Mon Jul 30 18:44:11 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 30 Jul 2007 12:44:11 -0600
Subject: [Fedora-directory-users] Unlimited line width for ldapsearch
In-Reply-To: <2b26c4260707301126g293743b9na88fdc35d01babfc@mail.gmail.com>
References: <2b26c4260707291948r6955c084s9ae5d750b9bd1f02@mail.gmail.com> <46AD9288.4090101@cohtech.com> <2b26c4260707301126g293743b9na88fdc35d01babfc@mail.gmail.com>
Message-ID: <46AE317B.20608@redhat.com>

Wilmer Jaramillo M. wrote:
> On 7/30/07, Howard Wilkinson wrote:
>
>> Wilmer Jaramillo M. wrote:
>> I found that ../shared/bin/ldapsearch only shows output of 76 chars
>> per line, and the manual page does not describe how to make the output
>> longer; I want to set the line-width used to implement a filter on long
>> 'OU' strings in perl scripts.
>> Also I found a very simple patch for ldapsearch of the openldap tools in:
>> http://www.openldap.org/lists/openldap-bugs/199912/msg00099.html
>> openldap still does not have support for it.
>>
>> Probably some method of Net::LDAP can do it, I'm investigating a
>> module or regex that can help me with this, any suggestion? thanks.
>>
>> Take a look at Net::LDAP::LDIF, an option to new is called 'wrap' which is
>> normally set to 78 (one space, 76 printing characters, and the newline for
>> continuation lines); this should give you what you want.
>>
>
> I'm looking to replace the following query to a Windows ADS with Perl
> syntax because the output is limited by the line-width:
> my $ldapsearch = "(ldapsearch - x - H ldap: To //$adserver - D "to
> $aduser" - w $adpass - s sub - b "$baseDN"" (cn=*) '| grep - i "ou=" |
> cut - d, - F2 | grep - v - i "CN= " | uniq)`
>
If you use the ldapsearch bundled with Fedora DS (cd /opt/fedora-ds/shared/bin ;
./ldapsearch) rather than openldap /usr/bin/ldapsearch, you can use the -T
option, which disables line wrapping, making it easier to pass the output to
scripts such as grep/sed/awk/perl without using a separate LDIF parser. The
command line options are very similar, just omit the -x.

> I want to search the directory for all first-level OrganizationalUnit (ou)
> entries. Just now I'm using Mozilla::LDAP::Conn with very good results;
> nevertheless, the searches are very slow, anyway it does just what I need,
> according to the man page:
>
> use Mozilla::LDAP::Conn;
> ....
> $conn = new Mozilla::LDAP::Conn($adserver,$adport,$aduser,$adpass);
> die "LDAP not connect $adserver" unless ($conn);
>
> &org_unit($baseDN);
> exit(0);
>
> sub org_unit()
> {
>     my ($entry, $dn, $scope, $filter, $dn) = "";
>     my (@ouDN, @attrs) = ();
>
>     @attrs = ( "ou" );
>     $scope = "sub";
>     $filter = "(ou=*)";
>
>     # Search the directory for the ou entries
>     $entry = $conn->search($baseDN, $scope, $filter, 0, @attrs);
>     $cld = $conn->getLD();
>     $res = $conn->getRes();
>     $count = Mozilla::LDAP::API::ldap_count_entries($cld, $res);
>     while ($entry) {
>         # Put each entry's DN into an array
>         $ouDN = $entry->getDN();
>         push (@ouDN,$dn);
>         print "$dn\n";
>         $entry = $conn->nextEntry();
>     }
>     foreach $dn (@ouDNS)
>     {
>         &org_unit($dn)
>     }
> }
>
>
> thanks for all.
>

From srigler at marathonoil.com Mon Jul 30 18:53:14 2007
From: srigler at marathonoil.com (Steve Rigler)
Date: Mon, 30 Jul 2007 13:53:14 -0500
Subject: [Fedora-directory-users] Solaris client question
In-Reply-To: <20070730134422.63e8d73f@control.ece.lsu.edu>
References: <7d2291380707160913l463e620eqce20d343a6b5f648@mail.gmail.com> <469B9811.7000101@redhat.com> <20070716130211.5c798f6c@control.ece.lsu.edu> <20070730134422.63e8d73f@control.ece.lsu.edu>
Message-ID: <1185821594.14444.7.camel@houuc8>

On Mon, 2007-07-30 at 13:44 -0500, Saied W. Andalib wrote:
> I have a Solaris 9 client and have configured it as a client of
> fds-1.0.4 which runs on RHEL5. Without TLS, the Solaris client
> authenticates against the fds fine. But, if TLS is enabled on the Sun
> client, the ldapsearch commands run ok, but authentication fails.
> The nscd logs the following error message:
>
> Jul 30 13:31:01 thread nscd[1172]: [ID 293258 user.error] libsldap:
> Status: 91 Mesg: openConnection: failed to initialize TLS security
> (security library: bad database.)
>
> Jul 30 13:31:01 thread nscd[1172]: [ID 293258 user.error] libsldap:
> Status: 7 Mesg: Session error no available conn.
>
> I think the problem is related to the certificates on the Sun client
> but I'm not sure...
>
> Thanks,
>
> SWA
>

Do you have the certs copied to your Solaris client?

There's an example here:
http://blogs.sun.com/baban/entry/steps_to_setup_ssl_using

and here:
http://directory.fedoraproject.org/wiki/Howto:SolarisClient

I've also seen references that say to point netscape at
https://yourserver:636, keep the certificate forever and
copy .netscape/{cert7.db,key3.db} to /var/ldap on your Solaris client.

-Steve

From gholbert at broadcom.com Mon Jul 30 19:08:25 2007
From: gholbert at broadcom.com (George Holbert)
Date: Mon, 30 Jul 2007 12:08:25 -0700
Subject: [Fedora-directory-users] Solaris client question
In-Reply-To: <1185821594.14444.7.camel@houuc8>
References: <7d2291380707160913l463e620eqce20d343a6b5f648@mail.gmail.com> <469B9811.7000101@redhat.com> <20070716130211.5c798f6c@control.ece.lsu.edu> <20070730134422.63e8d73f@control.ece.lsu.edu> <1185821594.14444.7.camel@houuc8>
Message-ID: <46AE3729.2020501@broadcom.com>

The Solaris docs will also be somewhat helpful for this:
http://docs.sun.com/app/docs/doc/816-4556/6maort2st?a=view#clientsetup-57

Steve Rigler wrote:
> On Mon, 2007-07-30 at 13:44 -0500, Saied W. Andalib wrote:
>
>> I have a Solaris 9 client and have configured it as a client of
>> fds-1.0.4 which runs on RHEL5. Without TLS, the Solaris client
>> authenticates against the fds fine. But, if TLS is enabled on the Sun
>> client, the ldapsearch commands run ok, but authentication fails.
>> The nscd logs the following error message:
>>
>> Jul 30 13:31:01 thread nscd[1172]: [ID 293258 user.error] libsldap:
>> Status: 91 Mesg: openConnection: failed to initialize TLS security
>> (security library: bad database.)
>>
>> Jul 30 13:31:01 thread nscd[1172]: [ID 293258 user.error] libsldap:
>> Status: 7 Mesg: Session error no available conn.
>>
>> I think the problem is related to the certificates on the Sun client
>> but I'm not sure...
>>
>> Thanks,
>>
>> SWA
>>
>
> Do you have the certs copied to your Solaris client?
>
> There's an example here:
> http://blogs.sun.com/baban/entry/steps_to_setup_ssl_using
>
> and here:
> http://directory.fedoraproject.org/wiki/Howto:SolarisClient
>
> I've also seen references that say to point netscape at
> https://yourserver:636, keep the certificate forever and
> copy .netscape/{cert7.db,key3.db} to /var/ldap on your Solaris client.
>
> -Steve

From tour9 at ece.lsu.edu Mon Jul 30 19:19:56 2007
From: tour9 at ece.lsu.edu (Saied W. Andalib)
Date: Mon, 30 Jul 2007 14:19:56 -0500
Subject: [Fedora-directory-users] Solaris client question
In-Reply-To: <1185821594.14444.7.camel@houuc8>
References: <7d2291380707160913l463e620eqce20d343a6b5f648@mail.gmail.com> <469B9811.7000101@redhat.com> <20070716130211.5c798f6c@control.ece.lsu.edu> <20070730134422.63e8d73f@control.ece.lsu.edu> <1185821594.14444.7.camel@houuc8>
Message-ID: <20070730141956.3cb8f93c@control.ece.lsu.edu>

Thanks for replying. It works now! My mistake was that I was trying to get
the certificates via Netscape with URL "http://fds-server:636", which always
refused. The correct URL is "https://fds-server:636".

SWA

From wilmer at fedoraproject.org Mon Jul 30 20:20:22 2007
From: wilmer at fedoraproject.org (Wilmer Jaramillo M.)
Date: Mon, 30 Jul 2007 16:20:22 -0400
Subject: [Fedora-directory-users] Unlimited line width for ldapsearch
In-Reply-To: <46AE317B.20608@redhat.com>
References: <2b26c4260707291948r6955c084s9ae5d750b9bd1f02@mail.gmail.com> <46AD9288.4090101@cohtech.com> <2b26c4260707301126g293743b9na88fdc35d01babfc@mail.gmail.com> <46AE317B.20608@redhat.com>
Message-ID: <2b26c4260707301320y3bc95f53wbb47e5ffc52be71e@mail.gmail.com>

On 7/30/07, Richard Megginson wrote:
> Wilmer Jaramillo M. wrote:
> > On 7/30/07, Howard Wilkinson wrote:
> >
> >> Wilmer Jaramillo M. wrote:
> >> I found that ../shared/bin/ldapsearch only shows output of 76 chars
> >> per line, and the manual page does not describe how to make the output
> >> longer; I want to set the line-width used to implement a filter on long
> >> 'OU' strings in perl scripts. Also I found a very simple patch for
> >> ldapsearch of the openldap tools in:
> >> http://www.openldap.org/lists/openldap-bugs/199912/msg00099.html
> >> openldap still does not have support for it.
> >>
> >> Probably some method of Net::LDAP can do it, I'm investigating a
> >> module or regex that can help me with this, any suggestion? thanks.
> >>
> >> Take a look at Net::LDAP::LDIF, an option to new is called 'wrap' which is
> >> normally set to 78 (one space, 76 printing characters, and the newline for
> >> continuation lines); this should give you what you want.
> >>
> >>
> >
> > I'm looking to replace the following query to a Windows ADS with Perl
> > syntax because the output is limited by the line-width:
> > my $ldapsearch = "(ldapsearch - x - H ldap: To //$adserver - D "to
> > $aduser" - w $adpass - s sub - b "$baseDN"" (cn=*) '| grep - i "ou=" |
> > cut - d, - F2 | grep - v - i "CN= " | uniq)`
> >
> If you use the ldapsearch bundled with Fedora DS (cd
> /opt/fedora-ds/shared/bin ; ./ldapsearch) rather than openldap
> /usr/bin/ldapsearch, you can use the -T option, which disables line
> wrapping, making it easier to pass the output to scripts such as
> grep/sed/awk/perl without using a separate LDIF parser. The command
> line options are very similar, just omit the -x.

Excellent, it is also now working for me. Thanks Richard and Howard.

--
Wilmer Jaramillo M.
GPG Key Fingerprint = 0666 D0D3 24CE 8935 9C24 BBF1 87DD BEA2 A4B2 1E8A

From wilmer at fedoraproject.org Mon Jul 30 20:22:36 2007
From: wilmer at fedoraproject.org (Wilmer Jaramillo M.)
Date: Mon, 30 Jul 2007 16:22:36 -0400
Subject: [Fedora-directory-users] Samba + Fedora-DS
In-Reply-To:
References:
Message-ID: <2b26c4260707301322x48ac2ceekae40b81059b2401d@mail.gmail.com>

On 7/26/07, thierry vandenbroucke wrote:
> Hello folks,
> I'm having problems setting up samba with fedora-ds, i'm following the
> samba how-to.
> The problem follows:
>
> net groupmap add rid=512 ntgroup='Domain Admins' unixgroup='Domain Admins'
>
> I get the following error
> Can't lookup UNIX group Domain Admins

Add in /etc/group:

Domain Admins:x:2512
Domain Users:x:2513
Domain Guests:x:2514
Domain Computers:x:2515

And map the samba groups again.

--
Wilmer Jaramillo M.
GPG Key Fingerprint = 0666 D0D3 24CE 8935 9C24 BBF1 87DD BEA2 A4B2 1E8A

From greg.hetrick at gmail.com Tue Jul 31 20:52:14 2007
From: greg.hetrick at gmail.com (Greg Hetrick)
Date: Tue, 31 Jul 2007 15:52:14 -0500
Subject: [Fedora-directory-users] Sudo over tls/ssl connection
Message-ID: <2859e060707311352i799e22eepcc502f46af8dc871@mail.gmail.com>

I am having a problem with sudo when I am running over a TLS/SSL connection.
I am able to ssh into the client and verified that the connection is secure,
but once logged in to the client machine I am unable to use sudo. I am seeing
multiple re-tries in the access logs that appear to close. When I do the same
thing without a TLS/SSL connection sudo works fine.

Here is what I am seeing in the log:

[31/Jul/2007:15:48:18 -0500] conn=607 fd=74 slot=74 connection from to
[31/Jul/2007:15:48:18 -0500] conn=607 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[31/Jul/2007:15:48:18 -0500] conn=607 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[31/Jul/2007:15:48:18 -0500] conn=607 SSL 256-bit AES
[31/Jul/2007:15:48:18 -0500] conn=607 op=1 UNBIND
[31/Jul/2007:15:48:18 -0500] conn=607 op=1 fd=74 closed - U1

and eventually, I get

sudo: uid 1000 does not exist in the passwd file!

For the user config, it is simple: the user exists in ldap, the group exists
on the box (wheel) and I give the user in ldap a gid of 10.

-bash-3.1$ id
uid=1000(testuser) gid=10(wheel) groups=10(wheel)

Thoughts?

Greg
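Added example for Greg's "Sudo over tls/ssl connection" message (not code from the thread, from Greg, or from the Fedora DS project): a small Python script that groups Fedora DS / 389-DS access-log lines per connection so the sequence of operations after startTLS is easy to read. What the pasted excerpt shows for conn=607 is startTLS (EXT oid 1.3.6.1.4.1.1466.20037) answered with err=0, the session switching to SSL, and then straight away an UNBIND and close, with no BIND and no SRCH in between: the client tears the session down itself right after the TLS handshake, so no passwd lookup ever reaches the directory, which matches sudo later not finding uid 1000. The log lines below are constructed: conn=607 reproduces that shape with placeholder 192.0.2.x addresses in place of the stripped "from/to" fields, and conn=608 is a healthy lookup added for contrast.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Fedora DS / 389-DS access-log format (not from the
# thread): conn=607 mirrors the pattern in Greg's excerpt, conn=608 is a healthy
# lookup added for contrast. 192.0.2.x addresses are documentation placeholders.
SAMPLE_LOG = """\
[31/Jul/2007:15:48:18 -0500] conn=607 fd=74 slot=74 connection from 192.0.2.10 to 192.0.2.1
[31/Jul/2007:15:48:18 -0500] conn=607 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[31/Jul/2007:15:48:18 -0500] conn=607 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[31/Jul/2007:15:48:18 -0500] conn=607 SSL 256-bit AES
[31/Jul/2007:15:48:18 -0500] conn=607 op=1 UNBIND
[31/Jul/2007:15:48:18 -0500] conn=607 op=1 fd=74 closed - U1
[31/Jul/2007:15:48:20 -0500] conn=608 fd=75 slot=75 connection from 192.0.2.10 to 192.0.2.1
[31/Jul/2007:15:48:20 -0500] conn=608 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[31/Jul/2007:15:48:20 -0500] conn=608 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[31/Jul/2007:15:48:20 -0500] conn=608 SSL 256-bit AES
[31/Jul/2007:15:48:20 -0500] conn=608 op=1 BIND dn="uid=proxy,ou=people,dc=example,dc=com" method=128 version=3
[31/Jul/2007:15:48:20 -0500] conn=608 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[31/Jul/2007:15:48:20 -0500] conn=608 op=2 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(uid=testuser)" attrs=ALL
[31/Jul/2007:15:48:20 -0500] conn=608 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[31/Jul/2007:15:48:20 -0500] conn=608 op=3 UNBIND
[31/Jul/2007:15:48:20 -0500] conn=608 op=3 fd=75 closed - U1
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # LDAP StartTLS extended operation


def summarize_connections(log_text):
    """Group access-log lines per connection id.

    Returns {conn: {"starttls": bool, "ssl": bool, "ops": [op keywords in order],
    "closed": close code such as "U1", or None while the connection is open}}.
    """
    conns = defaultdict(lambda: {"starttls": False, "ssl": False, "ops": [], "closed": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                   # not an access-log line; skip it
        c = conns[int(m.group("conn"))]
        rest = m.group("rest")
        if f'EXT oid="{STARTTLS_OID}"' in rest:
            c["starttls"] = True
        elif rest.startswith("SSL "):
            c["ssl"] = True            # e.g. "SSL 256-bit AES": the handshake completed
        elif " closed" in rest:
            c["closed"] = rest.rsplit(" ", 1)[-1]   # close reason, U1 = closed after UNBIND
        else:
            parts = rest.split()       # "op=N KEYWORD ...": keep the operation keyword
            if len(parts) >= 2 and parts[0].startswith("op="):
                c["ops"].append(parts[1])
    return dict(conns)


def tls_only_connections(log_text):
    """Connections that negotiated StartTLS and then closed without any BIND or SRCH.

    This is the shape of conn=607 in the thread: the TLS layer came up, but the
    client never authenticated or searched, so the lookup returned nothing.
    """
    flagged = []
    for conn_id, c in sorted(summarize_connections(log_text).items()):
        real_ops = [op for op in c["ops"] if op not in ("EXT", "RESULT", "UNBIND")]
        if c["starttls"] and c["closed"] is not None and not real_ops:
            flagged.append(conn_id)
    return flagged


if __name__ == "__main__":
    for conn_id in tls_only_connections(SAMPLE_LOG):
        print(f"conn={conn_id}: StartTLS, then closed with no BIND/SRCH; check the client's TLS setup")
```

Run it against a real access log by reading the file into `tls_only_connections`; a steady stream of flagged connections from one client host, with err=0 on the startTLS itself, points at the client side of the TLS setup (the CA certificate it trusts, or the hostname it checks against the server certificate) rather than at the directory, since the server side reported success and the client chose to unbind.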
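Added example for the "Unlimited line width for ldapsearch" thread above (Wilmer, Howard and Richard); it is not code from any of them or from the Fedora DS project, and it is Python rather than Perl so that it runs with no LDAP server. Richard's -T option and the Net::LDAP::LDIF 'wrap' setting avoid the folding at the source; when you are handed wrapped LDIF anyway (a client you do not control, or an archived export), the robust fix is to unfold it per RFC 2849 (a continuation line starts with exactly one space) and to decode "attr::" base64 values before filtering, rather than running grep/cut over physical lines. The entries below are constructed; the script writes them out folded at 76 columns the way ldapsearch does, shows what a line-oriented grep would see, then parses them properly and lists only the OUs directly under the base DN, which is the first-level listing Wilmer wanted (scope "one", not the whole subtree).

```python
import base64
import re

BASE_DN = "dc=example,dc=com"

# Constructed entries (not from the thread): one OU with a non-ASCII name, which
# ldapsearch emits base64 as "dn::", one whose DN is long enough to be folded, one
# nested OU and one person entry that a first-level OU listing must leave out.
SAMPLE_ENTRIES = [
    [("dn", f"ou=Engineering,{BASE_DN}"),
     ("objectClass", "organizationalUnit"), ("ou", "Engineering")],
    [("dn", f"ou=Distribution and Logistics Department for the Northern Regional Office,{BASE_DN}"),
     ("objectClass", "organizationalUnit"),
     ("ou", "Distribution and Logistics Department for the Northern Regional Office")],
    [("dn", f"ou=Laboratorio de Investigaci\u00f3n Avanzada,{BASE_DN}"),
     ("objectClass", "organizationalUnit"), ("ou", "Laboratorio de Investigaci\u00f3n Avanzada")],
    [("dn", f"ou=Firmware,ou=Engineering,{BASE_DN}"),
     ("objectClass", "organizationalUnit"), ("ou", "Firmware")],
    [("dn", f"cn=Alice Example,ou=Engineering,{BASE_DN}"),
     ("objectClass", "person"), ("cn", "Alice Example")],
]

def needs_base64(value):
    """RFC 2849: values that are not SAFE-STRINGs must be written base64 ("attr:: ...")."""
    return (not value.isascii() or value[:1] in (" ", ":", "<")
            or any(ch in value for ch in "\x00\r\n"))

def fold(line, width=76):
    """Fold one logical line the way ldapsearch does: continuation lines start with a space."""
    if len(line) <= width:
        return [line]
    pieces, rest = [line[:width]], line[width:]
    while rest:
        pieces.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return pieces

def to_ldif(entries, width=76):
    """Serialise entries as wrapped LDIF, i.e. what ldapsearch prints without -T."""
    lines = ["version: 1"]
    for entry in entries:
        for attr, value in entry:
            if needs_base64(value):
                line = f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
            else:
                line = f"{attr}: {value}"
            lines.extend(fold(line, width))
        lines.append("")                 # blank line separates entries
    return "\n".join(lines)

ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*):(:?) ?(.*)$")

def unfold(text):
    """Join continuation lines (leading single space) back onto their logical line."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical

def parse_ldif(text):
    """Parse LDIF into a list of entries, each a list of (attribute, value) pairs."""
    entries, current = [], []
    for line in unfold(text):
        if line == "":
            if current:
                entries.append(current)
                current = []
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, is_b64, value = m.group(1), m.group(2) == ":", m.group(3)
        if is_b64:
            value = base64.b64decode(value).decode("utf-8")
        current.append((attr, value))
    if current:
        entries.append(current)
    return entries

def direct_child_ous(entries, base_dn):
    """DNs of OU entries exactly one level below base_dn (what a scope "one" search lists)."""
    suffix = "," + base_dn.lower()
    found = []
    for entry in entries:
        dn = dict(entry).get("dn", "")
        if not dn.lower().endswith(suffix):
            continue
        rdn = dn[:-len(suffix)]          # everything left of the base DN
        if rdn.lower().startswith("ou=") and "," not in rdn.replace("\\,", ""):
            found.append(dn)
    return found

def naive_dn_lines(text):
    """What `grep '^dn: ou='` sees on wrapped output: truncated DNs, and no base64 ones."""
    return [l[len("dn: "):] for l in text.splitlines() if l.startswith("dn: ou=")]

if __name__ == "__main__":
    wrapped = to_ldif(SAMPLE_ENTRIES)
    print("grep-style view:", naive_dn_lines(wrapped))
    print("parsed view:    ", direct_child_ous(parse_ldif(wrapped), BASE_DN))
```

On the constructed data the grep-style view returns three lines: the short DN, the long DN cut off at column 76 (so `cut -d, -f2` would operate on the wrong fields), and the nested ou=Firmware that is not a first-level OU at all, while the base64 "dn::" entry is missed entirely. The parsed view returns exactly the three OUs directly under the base DN, non-ASCII name included.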