From sstipl at exstream.com Fri Jun 1 08:41:42 2007
From: sstipl at exstream.com (Stipl, Stepan)
Date: Fri, 1 Jun 2007 04:41:42 -0400
Subject: [Fedora-directory-users] nss_ldap - using full DNs in member attribute
Message-ID:

Hi,

I'm trying to setup authentication against Fedora DS on Linux box
(Gentoo). Everything is working fine, except for one thing - I have
groups with members in uniqueMember attributes and I have there full DNs
- like "uid=sstipl,ou=users,dc=example,dc=com", but the nss expects me
to have there just logins (uid's value in this case).

So when I do "getent group" I receive something like this from groups
from LDAP:

testgroup:*:1010:uid=sstipl,ou=users,dc=example,dc=com,
uid=jsmith,ou=users,dc=example,dc=com

Any idea how to setup probably nss? to use just RDN value (uid's in this
case) from the uniqueMember attribute? To get this:
"testgroup:*:1010:sstipl,jsmith"

many thanks.

.stepan

From ashley at csse.uwa.edu.au Mon Jun 4 07:52:10 2007
From: ashley at csse.uwa.edu.au (ashley)
Date: Mon, 4 Jun 2007 15:52:10 +0800 (WST)
Subject: [Fedora-directory-users] nss_ldap - using full DNs in member attribute
In-Reply-To:
References:
Message-ID:

That's extremely strange, I've made clients including Fedora, Suse and
Ubuntu bind to the FDS Ldap without a problem like that.

Can you just verify something for me. ie login via the console or ssh
into your client machine ie as jsmith as in your example and type
groups. It should just list your groups in the shortform.

ie you should see

testgroup blah blah (all your groups)

as with your example, you shouldn't see the ou,dc bits. If it does you
can remap the lookup / search base usually by editing ldap.conf which
you can find in /etc/ldap.conf most of the time including Fedora, SUSE &
Ubuntu, but I can't say anything about Gentoo as I haven't dealt with it
recently.

You should then look at the mappings / lookup ie for nss_base_passwd,
nss_base_shadow, nss_base_group which are the three basic fields with
Linux/Unix. In your case you would be dealing with nss_base_group. If
you are caching the fields with nscd you would have to do the same with
nscd.conf.

But still I find that extremely strange.

Regards

Ashley

--
Ashley Chew - Systems Administrator
School of Computer Science and Software Engineering
University of Western Australia
Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089
Ashley[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ashley
"There is no such thing as Fate, Fate is what you make of it!"

From sstipl at exstream.com Mon Jun 4 09:15:43 2007
From: sstipl at exstream.com (Stipl, Stepan)
Date: Mon, 4 Jun 2007 05:15:43 -0400
Subject: [Fedora-directory-users] nss_ldap - using full DNs in member attribute
In-Reply-To:
References:
Message-ID:

Hi Ashley,

thanks for help.
When I log in to the console under the desired user and try groups, I
don't see the groups from ldap at all - (I think that's because system
thinks that user "uid=jsmith,ou=users,dc=example,dc=com" is member of
this group & not the user "jsmith").

You're writing that it's working fine for you - the problem may be in
what records do you actually have in ldap. AFAIK (and I'm just newbie in
ldap stuff)...

1) you can have group records as "groupOfNames"/"groupOfUniqueNames"
   specs. in "RFC 2256", where are the member records stored in
   "uniqueMember"/"member" attributes and with full DN's - with the
   uid,ou,dc.. part.

2) or you can have group records as "posixGroup", where are the members
   stored in "memberUid" attributes in the short form, ie. "jsmith".

Second possibility is actually working fine for me, you see proper
usernames in the "getent group" listing, but the first approach -
storing full DN's - makes IMHO much more sense & some other apps.
connected to LDAP requires this form. And I don't want to have special
(duplicated) groups just for linux machines.

Can you confirm that you're using the form where you store the members
in groups as a full DNs? I think there should be way how to configure
pam_ldap/nss_ldap to cut the member record to RDN value, just that I'm
stupid and don't know how to set it up :).

Thanks.

.stepan
--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

From sstipl at exstream.com Mon Jun 4 15:25:46 2007
From: sstipl at exstream.com (Stipl, Stepan)
Date: Mon, 4 Jun 2007 11:25:46 -0400
Subject: [Fedora-directory-users] nss_ldap - using full DNs in memberattribute
In-Reply-To:
References:
Message-ID:

Hi,

Just FYI - I managed to solve my problem. To enable group members
specified by full DN, you need to have following line in ldap.conf

    nss_schema rfc2307bis

Actually it's also in manual:

    nss_schema
        If the value of this option is rfc2307bis then support for the
        RFC2307bis schema (distinguished names in groups) will be
        enabled.

I hope this may also help to somebody else in the future, thanks for
help to Ashley.

.stepan

From santangelo.luigi at tiscali.it Tue Jun 5 07:07:59 2007
From: santangelo.luigi at tiscali.it (Luigi Santangelo)
Date: Tue, 5 Jun 2007 09:07:59 +0200 (CEST)
Subject: [Fedora-directory-users] Win Sync doesn't work
Message-ID: <28549905.1181027279591.JavaMail.root@ps12>

Hi all,

I'm going crazy. I hope that you can help me. I cannot establish a sync
from Fedora DS to Active Directory (Windows 2000 Server). It seems to me
a certificates' problem.

In the Fedora Directory Server, Server Certs Tab, I installed the
Fedora's cert (this cert is signed by my self-signed CA).
In the CA Certs Tab, I installed the self-signed CA's Cert. On the
windows Side, in the PassSync, I installed the Fedora Cert. The PassSync
works fine and I can synchronize the users' password when these are
changed. On Windows 2000 server, I installed, also, the CA's cert. Is it
exact? Or are there any errors?

When I create the Sync, from fedora, I completed the wizard with no
errors. But when I right click into sync and I initiate full
re-synchronization, this error appears:

"The consumer initialization has unsuccesfully completed. The error received by the replica is: '81 - LDAP error: Can't contact LDAP > server'".

If I try to connect it to my server Win using 389 port, and only the
Windows Groups are being synchronized (in the Fedora Directory I see
only Windows Groups and no user).

Another question: In my Windows Box, shall I install kerberos?

Thanks all.
Luigi

From tdiehl at rogueind.com Tue Jun 5 21:08:06 2007
From: tdiehl at rogueind.com (Tom Diehl)
Date: Tue, 5 Jun 2007 17:08:06 -0400 (EDT)
Subject: [Fedora-directory-users] FDS on EL4 startup errors
Message-ID:

Hi,

I am trying to get FDS running on a fully updated EL4 machine. I
installed the fedora-ds-1.0.4-1.RHEL4 rpm and all looks fine until I try
to start the admin console. When I do that I get the following errors:

(pocono pts7) # ./startconsole -u admin -a http://pocono.keenanmotorgroup.com:47868/
Warning: -ms8m not understood. Ignoring.
Warning: -mx64m not understood. Ignoring.
Exception in thread "GtkMain" java.lang.UnsatisfiedLinkError: gtkInit
   at _Jv_LookupJNIMethod (/usr/lib64/libgcj.so.5.0.0)
   at _Jv_JNIMethod.call(ffi_cif, void, ffi_raw, void) (/usr/lib64/libgcj.so.5.0.0)
   at gnu.java.awt.peer.gtk.GtkMainThread.run() (Unknown Source)
   at java.lang.Thread.run() (/usr/lib64/libgcj.so.5.0.0)
   at _Jv_ThreadRun(java.lang.Thread) (/usr/lib64/libgcj.so.5.0.0)
   at GC_start_routine (/usr/lib64/libgcj.so.5.0.0)
   at __clone (/lib64/tls/libc-2.3.4.so)

If I try telnetting to port 47868 I get connection refused.

(pocono pts9) # telnet pocono.keenanmotorgroup.com 47868
Trying 10.42.123.11...
telnet: connect to address 10.42.123.11: Connection refused
(pocono pts9) #

Does anyone know what I am doing wrong? So far google and the
documentation have not revealed anything useful.

Regards,

--
Tom Diehl    tdiehl at rogueind.com    Spamtrap address mtd123 at rogueind.com

From patrick.morris at hp.com Tue Jun 5 22:42:54 2007
From: patrick.morris at hp.com (Morris, Patrick)
Date: Tue, 5 Jun 2007 18:42:54 -0400
Subject: [Fedora-directory-users] FDS on EL4 startup errors
In-Reply-To:
References:
Message-ID:

> I am trying to get FDS running on a fully updated EL4
> machine. I installed the fedora-ds-1.0.4-1.RHEL4 rpm and all
> looks fine until I try to start the admin console. When I do
> that I get the following errors:
>
> (pocono pts7) # ./startconsole -u admin -a
> http://pocono.keenanmotorgroup.com:47868/
> Warning: -ms8m not understood. Ignoring.
> Warning: -mx64m not understood. Ignoring.
> Exception in thread "GtkMain" java.lang.UnsatisfiedLinkError: gtkInit
>    at _Jv_LookupJNIMethod (/usr/lib64/libgcj.so.5.0.0)
>    at _Jv_JNIMethod.call(ffi_cif, void, ffi_raw, void)
> (/usr/lib64/libgcj.so.5.0.0)
>    at gnu.java.awt.peer.gtk.GtkMainThread.run() (Unknown Source)
>    at java.lang.Thread.run() (/usr/lib64/libgcj.so.5.0.0)
>    at _Jv_ThreadRun(java.lang.Thread) (/usr/lib64/libgcj.so.5.0.0)
>    at GC_start_routine (/usr/lib64/libgcj.so.5.0.0)
>    at __clone (/lib64/tls/libc-2.3.4.so)
>
> If I try telnetting to port 47868 I get connection refused.

Are you using a supported version of Java? It appears you're not. I've
had luck with the IBM and Sun versions.

From wilde at intevation.de Wed Jun 6 14:36:59 2007
From: wilde at intevation.de (Sascha Wilde)
Date: Wed, 06 Jun 2007 16:36:59 +0200
Subject: [Fedora-directory-users] ACI trouble: binding as a UID in an "hidden" branch
Message-ID:

Hi *,

I'm having a directory with a basedn:

  dc=foo, dc=bar

containing a "sub directory" named "internal":

  cn=internal, dc=foo, dc=bar

Now I want to hide "internal" and its children from most users, with
exception of the members of some administrative groups, so I added an
ACI to "internal" like this:

  (targetattr = "*")
  (version 3.0;acl "hide internal";
   deny (read,write,delete,add)
   (groupdn != "ldap:///cn=admin,cn=internal,dc=foo,dc=bar" and
    groupdn != "ldap:///cn=configuration administrators,ou=groups, ou=topologymanagement,o=netscaperoot");)

Now I have a user

  cn=manager,cn=internal,dc=foo,dc=bar

who is member of the group

  cn=admin,cn=internal,dc=foo,dc=bar

and should be allowed to access "internal" and its children.

But this doesn't work: I can't even bind as

  cn=manager,cn=internal,dc=foo,dc=bar

I suppose because the user is a child of "internal", and so anonymous
isn't allowed to access the object for authentication.

How can I achieve that it is possible to bind as a user in the hidden
sub directory without making it world readable?

cheers
sascha
--
Sascha Wilde                                      OpenPGP key: 4BB86568
Intevation GmbH, Osnabrück             http://www.intevation.de/~wilde/
Osnabrück District Court, HR B 18998          http://www.intevation.de/
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From wilde at intevation.de Wed Jun 6 14:51:05 2007
From: wilde at intevation.de (Sascha Wilde)
Date: Wed, 06 Jun 2007 16:51:05 +0200
Subject: [Fedora-directory-users] ACIs not propagating to subtrees?
Message-ID:

Hi *,

is there a way to make ACIs which don't propagate to subtrees?

I want to change the default ACIs, so that they don't apply to some
subtrees, then I could write some simple allow rules for this subtrees
instead of writing deny rules with certain rather complex exceptions.

cheers
sascha
--
Sascha Wilde                                      OpenPGP key: 4BB86568
Intevation GmbH, Osnabrück             http://www.intevation.de/~wilde/
Osnabrück District Court, HR B 18998          http://www.intevation.de/
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From vsi at ebi.ac.uk Wed Jun 6 15:16:12 2007
From: vsi at ebi.ac.uk (Ville Silventoinen)
Date: Wed, 6 Jun 2007 16:16:12 +0100 (BST)
Subject: [Fedora-directory-users] Create Browsing Index disabled
Message-ID:

Hi,

I re-installed Fedora DS 1.0.4, created a new database and imported
entries. When I use the Console to view the entries, it informs me that
I need to create a Browsing Index because there are more than 1000
entries.

However, when I right-click the parent object, both "Create Browsing
Index" and "Delete Browsing Index" are disabled. Same thing with the
Object menu. I'm logged in as "cn=Directory Manager".
Nothing in the admin-serv/logs or slapd logs that would be useful. I
vaguely remember this happening before but I cannot remember what the
solution was. Any ideas?

OS is CentOS 4.2, Linux 2.6.9-22.ELsmp. I'm using JDK 1.5.0_09. I
searched bugzilla but I didn't find any similar bugs (at least with
"index" keyword). "startconsole -D" output is below.

Thanks,
Ville

ContentMenuController.populateMenuCategory() adding to Framework
ContentMenuController.populateMenuCategory() adding FILE to Framework
ContentMenuController.populateMenuCategory() adding EDIT to Framework
ContentMenuController.populateMenuCategory() adding VIEW to Framework
ResourceSet:getString():Unable to resolve menu-EditFindUG-description
ContentMenuController.populateMenuCategory() adding CONTEXT to context menu
ResourceSet:getString():Unable to resolve menu-EditFindUG-description
ContentMenuController.populateMenuCategory() adding OBJECT to Framework
ContentMenuController.populateMenuCategory() adding CONTEXTNEW to some menu
ContentMenuController.createNewRootEntryMenuItems()
ContentMenuController.createNewRootEntryMenuItems() the list is []
ContentMenuController.populateMenuCategory() adding CONTEXTNEWROOTENTRY to some menu
ContentMenuController.populateMenuCategory() adding context_setPWP to some menu
ContentMenuController.populateMenuCategory() adding OBJECTNEW to Framework
ContentMenuController.populateMenuCategory() adding OBJECTNEWROOTENTRY to Framework
ContentMenuController.populateMenuCategory() adding object_setPWP to Framework
ContentMenuController.populateMenuCategory() adding DISPLAY to Framework
ResourceSet:getString():Unable to resolve menu-nodeleafview-description
ResourceSet:getString():Unable to resolve menu-onlytreeview-description
ResourceSet:getString():Unable to resolve menu-attributeview-description
ContentMenuController.populateMenuCategory() adding LAYOUT to Framework
ContentMenuController.createPartitionViewMenuItems()
ContentMenuController.populateMenuCategory() adding PARTITIONVIEW to Framework
CreateVLVIndex.indexStatus(): dc=ebi,dc=ac,dc=uk
CreateVLVIndex.indexStatus(): ou=Aliases,dc=ebi,dc=ac,dc=uk
ResourceSet:getString():Unable to resolve DisplayedChildrenLimitExceededDialog-checkbox-default
ResourceSet:getString():Unable to resolve DisplayedChildrenLimitExceededDialog-checkbox-ttip

From Cary_Anderson at CalPERS.ca.gov Wed Jun 6 17:01:34 2007
From: Cary_Anderson at CalPERS.ca.gov (Anderson, Cary)
Date: Wed, 6 Jun 2007 10:01:34 -0700
Subject: [Fedora-directory-users] Load Testing question
Message-ID: <611085D774BEAE4C9E4959C53EB7A9760E4C2EE2@hqk110.calpers.ca.gov>

I am still playing around with load/stress testing my FDS install. I am
using slamd to run the tests, and I am running the basic load, and the
basic search tests against my test boxes, The slamd client and the FDS
server are on identical hardware running RHEL4 with 2G memory, and 2
Intel Xeon 3.6GHz processors. The issue I am seeing is that I am getting
"cannot connect to the ldap server" errors once I push the "threads per
client" past 2400. My question is am I hitting a limit on the OS (max
tcp connections)? Or a FDS limit? My assumption was that given
appropriate hardware, and proper configuration, I could expect FDS to
handle more than 2400 concurrent connections. Any insights as to what I
might be missing would be greatly appreciated.

Thanks

FDS Config:

Performance settings are:
  Time Limit: 3600
  Max file descriptors: 65535

Database Link Connection Management Settings
  Max TCP connections: 6
  Bind Timeout: 15
  Max binds per conn: 20
  Timeout before Abandon: 1
  Max LDAP Conn: 40
  Max bind retries: 6
  Max operations/conn: 2

Database Settings:
  Max Cache Size: 66060288
  Mem Avail for cache: 105622733

Note: uidnumber is indexed

SLAMD test parameters:

  Scheduled Start Time             06/05/2007 13:10:46
  Scheduled Stop Time              (not specified)
  Scheduled Duration               300 seconds
  Number of Clients                1
  Wait for Available Clients       true
  Monitor Clients if Available     false
  Threads per Client               2400
  Thread Startup Delay             0 milliseconds
  Statistics Collection Interval   60 seconds
  Job Dependencies                 (none specified)
  Notify on Completion             (none specified)

Parameter Information

  Directory Server Host            app2
  Directory Server Port            389
  Bind DN                          (not specified)
  Bind Password                    (not specified)
  Search Base                      dc=calpers,dc=ca,dc=gov
  Search Scope                     Whole Subtree
  Search Filter                    uidnumber=50000
  Filter File URL                  (not specified)
  Attributes to Return             uidnumber
  Warm Up Time                     0
  Cool Down Time                   0
  Search Size Limit                0
  Search Time Limit                0
  Time Between Requests (ms)       0
  Use SSL                          false
  Blindly Trust Any Certificate    true
  SSL Key Store                    (not specified)
  SSL Key Store Password           (not specified)
  SSL Trust Store                  (not specified)
  SSL Trust Store Password         (not specified)
  Number of Iterations             -1
  Always Disconnect                false
  Follow Referrals                 false

Cary Anderson, Systems Software Specialist
UNIX/Linux Services
Information Technology Services Branch
Technology Services & Support Division / Data Center Section
System Software & Storage Infrastructure
fCalPERS
Phone: (916) 795-2588
Fax: (916) 795-2424

From patrick.morris at hp.com Wed Jun 6 19:32:43 2007
From: patrick.morris at hp.com (Patrick Morris)
Date: Wed, 6 Jun 2007 12:32:43 -0700
Subject: [Fedora-directory-users] Load Testing question
In-Reply-To: <611085D774BEAE4C9E4959C53EB7A9760E4C2EE2@hqk110.calpers.ca.gov>
References: <611085D774BEAE4C9E4959C53EB7A9760E4C2EE2@hqk110.calpers.ca.gov>
Message-ID: <20070606193243.GE12840@pmorris.usa.hp.com>

On Wed, 06 Jun 2007, Anderson, Cary wrote:

> I am still playing around with load/stress testing my FDS install. I
> am using slamd to run the tests, and I am running the basic load, and
> the basic search tests against my test boxes, The slamd client and
> the FDS server are on identical hardware running RHEL4 with 2G memory,
> and 2 Intel Xeon 3.6GHz processors. The issue I am seeing is that I
> am getting "cannot connect to the ldap server" errors once I push the
> "threads per client" past 2400. My question is am I hitting a limit
> on the OS (max tcp connections)? Or a FDS limit? My assumption was
> that given appropriate hardware, and proper configuration, I could
> expect FDS to handle more than 2400 concurrent connections. Any
> insights as to what I might be missing would be greatly appreciated.

Log entries from your server should give you some insight into why
connections are being refused. There's a good chance you haven't
allocated enough file handles, but that's a guess.
From Cary_Anderson at CalPERS.ca.gov Wed Jun 6 20:30:59 2007 From: Cary_Anderson at CalPERS.ca.gov (Anderson, Cary) Date: Wed, 6 Jun 2007 13:30:59 -0700 Subject: [Fedora-directory-users] Load Testing question In-Reply-To: <20070606193243.GE12840@pmorris.usa.hp.com> Message-ID: <611085D774BEAE4C9E4959C53EB7A9760E4C2EE4@hqk110.calpers.ca.gov> Thanks for the feedback, I have turned on more extensive logging on the FDS server, Hopefully that will turn something up, but based on the settings in my sysctl.conf, limits.conf, and ulimit, I should be able to handle more than 2500 connections, unless I am missing a configuration parameter. Ulimit 805696 Sysctl.conf ############################## # Set Kernel Parameters # semaphores, SEMMSL, SEMMNS, SEMOPM, SEMMNI: kernel.sem = 256 32000 100 142 kernel.shmall = 2097152 kernel.shmmax = 2147483648 kernel.shmmni = 4096 kernel.msgmax = 8192 kernel.msgmnb = 65535 kernel.msgmni = 2878 fs.file-max = 131072 net.ipv4.ip_local_port_range = 32000 65000 Limits.conf # Custom setup for Global System Limits: * hard nproc 32767 * soft nproc 32767 * hard nofile 65536 * soft nofile 65536 * hard fsize 5000000 * soft fsize 1000000 Cary Anderson, Systems Software Specialist UNIX/Linux Services Information Technology Services Branch Technology Services & Support Division / Data Center Section System Software & Storage Infrastructure fCalPERS Phone: (916) 795-2588 Fax: (916) 795-2424 -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Patrick Morris Sent: Wednesday, June 06, 2007 12:33 PM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] Load Testing question On Wed, 06 Jun 2007, Anderson, Cary wrote: > I am still playing around with load/stress testing my FDS install. 
I > am using slamd to run the tests, and I am running the basic load, and > the basic search tests against my test boxes, The slamd client and > the FDS server are on identical hardware running RHEL4 with 2G memory, > and 2 Intel Xeon 3.6GHz processors. The issue I am seeing is that I > am getting "cannot connect to the ldap server" errors once I push the > "threads per client" past 2400. My question is am I hitting a limit > on the OS (max tcp connections)? Or a FDS limit? My assumption was > that given appropriate hardware, and proper configuration, I could > expect FDS to handle more than 2400 concurrent connections. Any > insights as to what I might be missing would be greatly appreciated. Log entries from your server should give you some insight into why connections are being refused. There's a good chance you haven't allocated enough file handles, but that's a guess. -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users From patrick.morris at hp.com Wed Jun 6 22:09:27 2007 From: patrick.morris at hp.com (Patrick Morris) Date: Wed, 6 Jun 2007 15:09:27 -0700 Subject: [Fedora-directory-users] Load Testing question In-Reply-To: <611085D774BEAE4C9E4959C53EB7A9760E4C2EE4@hqk110.calpers.ca.gov> References: <20070606193243.GE12840@pmorris.usa.hp.com> <611085D774BEAE4C9E4959C53EB7A9760E4C2EE4@hqk110.calpers.ca.gov> Message-ID: <20070606220927.GI12840@pmorris.usa.hp.com> On Wed, 06 Jun 2007, Anderson, Cary wrote: > Thanks for the feedback, I have turned on more extensive logging on the > FDS server, Hopefully that will turn something up, but based on the > settings in my sysctl.conf, limits.conf, and ulimit, I should be able to > handle more than 2500 connections, unless I am missing a configuration > parameter. 
> > Ulimit 805696 > > Sysctl.conf > ############################## > # Set Kernel Parameters > # semaphores, SEMMSL, SEMMNS, SEMOPM, SEMMNI: > kernel.sem = 256 32000 100 142 > kernel.shmall = 2097152 > kernel.shmmax = 2147483648 > kernel.shmmni = 4096 > kernel.msgmax = 8192 > kernel.msgmnb = 65535 > kernel.msgmni = 2878 > fs.file-max = 131072 > net.ipv4.ip_local_port_range = 32000 65000 > > Limits.conf > > # Custom setup for Global System Limits: > * hard nproc 32767 > * soft nproc 32767 > * hard nofile 65536 > * soft nofile 65536 > * hard fsize 5000000 > * soft fsize 1000000 You may be hitting a limit in the FDS configuration. Again, a quick glance at your LDAP logs (the error log in particular) should tell you if that's the case. From ashley at csse.uwa.edu.au Thu Jun 7 08:52:12 2007 From: ashley at csse.uwa.edu.au (ashley) Date: Thu, 7 Jun 2007 16:52:12 +0800 (WST) Subject: [Fedora-directory-users] Create Browsing Index disabled In-Reply-To: References: Message-ID: I thought I saw that bug somewhere but I found references to it. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220127 "And it turned out this bug is a duplicate of bug [171081] ldapsearch hung at browsing index creation." Its bug 171081 but I'm not authorized to view it. Anyways when I've enabled create the browser index, basically my FDS server is stalled. I had to reboot it and the ldap database was in read-only mode. So you can't modify it ie change password etc. Painful exercise on a production LDAP server. But as you said it asks you to do it when you have more then a 1000 entires when using the GUI. But I rarely use the GUI. But its handy if people can't use the command line tools. But yeah thats the short story. Regards Ashley On Wed, 6 Jun 2007, Ville Silventoinen wrote: > Hi, > > I re-installed Fedora DS 1.0.4, created a new database and imported entries. 
> When I use the Console to view the entries, it informs me that I need to
> create a Browsing Index because there are more than 1000 entries.
>
> However, when I right-click the parent object, both "Create Browsing Index"
> and "Delete Browsing Index" are disabled. Same thing with the Object menu.
> I'm logged in as "cn=Directory Manager". Nothing in the admin-serv/logs or
> slapd logs that would be useful. I vaguely remember this happening before but
> I cannot remember what the solution was. Any ideas?
>
> OS is CentOS 4.2, Linux 2.6.9-22.ELsmp. I'm using JDK 1.5.0_09. I searched
> bugzilla but I didn't find any similar bugs (at least with "index" keyword).
> "startconsole -D" output is below.
>
> Thanks,
> Ville
>
>
> ContentMenuController.populateMenuCategory() adding to Framework
> ContentMenuController.populateMenuCategory() adding FILE to Framework
> ContentMenuController.populateMenuCategory() adding EDIT to Framework
> ContentMenuController.populateMenuCategory() adding VIEW to Framework
> ResourceSet:getString():Unable to resolve menu-EditFindUG-description
> ContentMenuController.populateMenuCategory() adding CONTEXT to context menu
> ResourceSet:getString():Unable to resolve menu-EditFindUG-description
> ContentMenuController.populateMenuCategory() adding OBJECT to Framework
> ContentMenuController.populateMenuCategory() adding CONTEXTNEW to some menu
> ContentMenuController.createNewRootEntryMenuItems()
> ContentMenuController.createNewRootEntryMenuItems() the list is []
> ContentMenuController.populateMenuCategory() adding CONTEXTNEWROOTENTRY to
> some menu
> ContentMenuController.populateMenuCategory() adding context_setPWP to some
> menu
> ContentMenuController.populateMenuCategory() adding OBJECTNEW to Framework
> ContentMenuController.populateMenuCategory() adding OBJECTNEWROOTENTRY to
> Framework
> ContentMenuController.populateMenuCategory() adding object_setPWP to
> Framework
> ContentMenuController.populateMenuCategory() adding DISPLAY to Framework
> ResourceSet:getString():Unable to resolve menu-nodeleafview-description
> ResourceSet:getString():Unable to resolve menu-onlytreeview-description
> ResourceSet:getString():Unable to resolve menu-attributeview-description
> ContentMenuController.populateMenuCategory() adding LAYOUT to Framework
> ContentMenuController.createPartitionViewMenuItems()
> ContentMenuController.populateMenuCategory() adding PARTITIONVIEW to
> Framework
> CreateVLVIndex.indexStatus(): dc=ebi,dc=ac,dc=uk
> CreateVLVIndex.indexStatus(): ou=Aliases,dc=ebi,dc=ac,dc=uk
> ResourceSet:getString():Unable to resolve
> DisplayedChildrenLimitExceededDialog-checkbox-default
> ResourceSet:getString():Unable to resolve
> DisplayedChildrenLimitExceededDialog-checkbox-ttip
>

--
Ashley Chew - Systems Administrator
School of Computer Science and Software Engineering
University of Western Australia
Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089
Ashley[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ashley
"There is no such thing as Fate, Fate is what you make of it!"

From FenderB at gsicommerce.com Thu Jun 7 18:35:03 2007
From: FenderB at gsicommerce.com (Brian Fender)
Date: Thu, 7 Jun 2007 14:35:03 -0400
Subject: [Fedora-directory-users] Replication fails due to lack of permissions
Message-ID:

I started with two Redhat EL3U5 servers, setting up the newest available directory server (fedora-ds rpm) on each server with an identical configuration.

I set up Single Master replication according to this guide: http://www.redhat.com/docs/manuals/dir-server/ag/7.1/replicat.html#1108849. That is, I created a 'cn=replication manager,cn=config' by pasting the example entry from the guide in the config/dse.ldif on the slave (consumer) server.
I verified this account works by using LDAP Browser/Editor, I can log in and view my LDAP directory 'dc=foo,dc=net'. I cannot, however, add or delete any foo.net entries when logged in as the replication manager.

When I configured a replication agreement on the master/supplier and restarted both servers, it errors out with:

NSMMReplicationPlugin - agmt="cn=myagreement" (192:1389): Unable to acquire replica: permission denied. The bind dn "cn=replication manager,cn=config" does not have permission to supply replication updates to the replica. Will retry later.

I had specified the ip address of the slave/consumer server when setting up the replication agreement, but because it refers to it as '192:1389' in the logs I thought maybe it was looking for a hostname. Getting past the fact that it will not allow underscores in the consumer name (I assume this is a bug), I added an /etc/hosts entry for the consumer on the master and recreated the replication agreement and restarted both servers. I still have the same problem:

NSMMReplicationPlugin - agmt="cn=myagreement" (testappserver2:1389): Unable to acquire replica: permission denied. The bind dn "cn=replication manager,cn=config" does not have permission to supply replication updates to the replica. Will retry later.

On the slave/consumer, I get:

NSMMReplicationPlugin - conn=9 op=3 replica="dc=foo,dc=net": Unable to acquire replica: error: permission denied

Any idea why this is happening? Shouldn't the replication manager have read/write permissions to the userRoot by default since it inherits all the administrator roles?
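
Added example, not part of the post above or of the project's code: on a consumer, the replica entry under cn=mapping tree,cn=config lists the DNs allowed to supply updates in nsDS5ReplicaBindDN, and a bind DN missing from that list is one cause of the "does not have permission to supply replication updates" error quoted in the post. The Python below parses a constructed dse.ldif excerpt and checks that list; the sample entries, the mismatched value and the function names are assumptions.

```python
import base64

# Constructed sample: excerpt of a consumer's config/dse.ldif. The replica
# entry's dn is folded onto two lines, and its nsDS5ReplicaBindDN points at
# a DN under the suffix rather than at the entry created under cn=config.
SAMPLE_DSE_LDIF = """\
dn: cn=replication manager,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: replication manager
sn: RM
userPassword: {SSHA}constructed-placeholder

dn: cn=replica,cn="dc=foo,dc=net",cn=mapping tree,
 cn=config
objectClass: nsDS5Replica
objectClass: top
cn: replica
nsDS5ReplicaRoot: dc=foo,dc=net
nsDS5ReplicaType: 2
nsDS5Flags: 0
nsDS5ReplicaId: 65535
nsDS5ReplicaBindDN: cn=replication manager,dc=foo,dc=net
"""

# Same excerpt with the bind DN corrected (spacing and case differ on purpose).
FIXED_DSE_LDIF = SAMPLE_DSE_LDIF.replace(
    "nsDS5ReplicaBindDN: cn=replication manager,dc=foo,dc=net",
    "nsDS5ReplicaBindDN: cn=Replication Manager, cn=config",
)


def parse_entries(ldif_text):
    """Parse LDIF into a list of {lowercased attribute: [values]} dicts."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def normalize_dn(dn):
    """Lowercase a DN and drop optional spaces around RDN separators.

    Simplified comparison form: honours quoted values and backslash escapes,
    but not multi-valued RDNs or hex-encoded values.
    """
    rdns, buf, quoted, escaped = [], [], False, False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            quoted = not quoted
        elif ch in ",;" and not quoted:
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    parts = (rdn.partition("=") for rdn in rdns)
    return ",".join(a.strip().lower() + "=" + v.strip().lower() for a, _, v in parts)


def check_supplier_bind_dn(ldif_text, suffix, bind_dn):
    """Return (status, allowed); status is 'ok', 'not-listed' or 'no-replica'."""
    want_suffix, want_dn = normalize_dn(suffix), normalize_dn(bind_dn)
    replicas = [
        e for e in parse_entries(ldif_text)
        if "nsds5replica" in (oc.lower() for oc in e.get("objectclass", []))
        and want_suffix in (normalize_dn(r) for r in e.get("nsds5replicaroot", []))
    ]
    if not replicas:
        return "no-replica", []
    allowed = sorted({normalize_dn(v) for e in replicas
                      for v in e.get("nsds5replicabinddn", [])})
    return ("ok" if want_dn in allowed else "not-listed"), allowed


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_DSE_LDIF), ("fixed", FIXED_DSE_LDIF)):
        print(name, check_supplier_bind_dn(text, "dc=foo,dc=net",
                                           "cn=replication manager,cn=config"))
```

Run it against a copy of the consumer's dse.ldif; that file also holds the replication manager's userPassword hash, so the copy needs the same protection as the original.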

From wilde at intevation.de Fri Jun 8 07:52:44 2007
From: wilde at intevation.de (Sascha Wilde)
Date: Fri, 08 Jun 2007 09:52:44 +0200
Subject: [Fedora-directory-users] ACI trouble: binding as a UID in an "hidden" branch
In-Reply-To: (Sascha Wilde's message of "Wed\, 06 Jun 2007 16\:36\:59 +0200")
References:
Message-ID:

Sascha Wilde writes:

[...]
> But this doesn't work: I can't even bind as
> cn=manager,cn=internal,dc=foo,dc=bar I suppose because the user is a
> child of "internal", and so anonymous isn't allowed to access the
> object for authentication.

For the records: my analysis of the problem was wrong. It _is_ possible to bind as an object which is not world readable. My problems were caused by a specific client, so this is a non-issue.

Sorry for the noise.

sascha
--
Sascha Wilde OpenPGP key: 4BB86568
Intevation GmbH, Osnabrück http://www.intevation.de/~wilde/
Osnabrück District Court, HR B 18998 http://www.intevation.de/
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From alexandre.morel at univ-poitiers.fr Fri Jun 8 07:58:38 2007
From: alexandre.morel at univ-poitiers.fr (Alexandre MOREL)
Date: Fri, 08 Jun 2007 09:58:38 +0200
Subject: [Fedora-directory-users] Problem with passsync between FDS and AD
Message-ID: <46690C2E.9080809@univ-poitiers.fr>

Hi,

I know some problems with the use of passsync. FDS (fedora-ds-1.0.4-1.FC6) is setup on a Red Hat 4.1.1-30. The active directory is a windows 2003 server standard. When I start passsync service nothing happens, no synchronization between the two directory servers.

I have the following entry in the logs :

Active Directory : passsync.log
06/08/07 09:21:25: PassSync service started
06/08/07 09:21:25: Password list is empty. Waiting for passhook event

Fedora DS : access:
[08/Jun/2007:09:24:29 +0200] conn=26 op=0 BIND dn="cn=directory manager" method=128 version=2
[08/Jun/2007:09:24:29 +0200] conn=26 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[08/Jun/2007:09:24:29 +0200] conn=26 op=1 UNBIND
[08/Jun/2007:09:24:29 +0200] conn=26 op=1 fd=64 closed - U1
[08/Jun/2007:09:24:30 +0200] conn=27 fd=64 slot=64 SSL connection from aaa.bbb.ccc.dd to www.xx.yy.zzz
[08/Jun/2007:09:24:30 +0200] conn=27 SSL 128-bit RC4
[08/Jun/2007:09:24:30 +0200] conn=27 op=0 BIND dn="cn=directory manager" method=128 version=2
[08/Jun/2007:09:24:30 +0200] conn=27 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[08/Jun/2007:09:24:30 +0200] conn=27 op=1 UNBIND
[08/Jun/2007:09:24:30 +0200] conn=27 op=1 fd=64 closed - U1

There are 3 minutes between the two hosts.

PassSync says that it has no password list, but in the FDS access log we can see it doesn't do the search like this line in other query via ldapsearch tool:

[07/Jun/2007:17:43:00 +0200] conn=23 op=1 SRCH base="ou=people,dc=toto,dc=fr" scope=2 filter="(uid=*)" attrs=ALL

Some additional handling I do on the active directory :
I restart after the setup of passsync.msi
I try to regsvr32 the passhook.dll, but windows says : there is no entry point of DllRegisterServer. It is a problem ?

I suppose it's not a SSL connection problem, but does someone have an idea to help me ?

Cordially
Alexandre MOREL

From M.Mazurek at netsync.pl Sat Jun 9 14:31:43 2007
From: M.Mazurek at netsync.pl (Marcin Mazurek)
Date: Sat, 9 Jun 2007 16:31:43 +0200
Subject: [Fedora-directory-users] New Root Object creation problem
Message-ID: <20070609143143.GA21762@netsync.pl>

Hello,

I'm new to FDS, going through docs to learn how it works. I'm having problems with creation of new root object for newly created database.

As docs says, after creation of new database, I should assign it to new suffix by creation of new root entry.
When I right click on "New Root Object" is inactive. I'm logged in with Directory Manager (tried it on example ldap server instance and new one created by myself). What did I miss?

best regards

--
Marcin Mazurek
http://www.netsync.pl/ - :::: - nic-hdl: MM3380-RIPE
GnuPG 6687 E661 98B0 AEE6 DA8B 7F48 AEE4 776F 5688 DC89

From sacarde at tiscali.it Sun Jun 10 08:15:27 2007
From: sacarde at tiscali.it (sacarde)
Date: Sun, 10 Jun 2007 10:15:27 +0200
Subject: [Fedora-directory-users] error compiling FedoraDirectory Server
Message-ID: <200706101015.28322.sacarde@tiscali.it>

Hi,
I try to install on my archlinux fedora-ds following this:

http://gentoo-wiki.com/HOWTO_Install_Fedora_Directory_Server

but after 1/2 hour downloading and compiling I have an error:

BUILD FAILED
/root/dsbuild-fds104/ds/console/work/fedora-console-1.0.3/build.xml:180: Compile failed; see the compiler error output for details.
Total time: 12 seconds
make[1]: *** [build-custom] Error 1
make[1]: Leaving directory `/root/dsbuild-fds104/ds/console'
make: *** [dep-../../ds/console] Error 2

can you help me ?

sacarde at tiscali.it

From rmeggins at redhat.com Mon Jun 11 14:12:13 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 11 Jun 2007 08:12:13 -0600
Subject: [Fedora-directory-users] New Root Object creation problem
In-Reply-To: <20070609143143.GA21762@netsync.pl>
References: <20070609143143.GA21762@netsync.pl>
Message-ID: <466D583D.8030403@redhat.com>

Marcin Mazurek wrote:
> Hello,
>
> I'm new to FDS, going through docs to learn how it works. I'm having
> problems with creation of new root object for newly created database.
>
> As docs says, after creation of new database, I should assign it to new
> suffix by creation of new root entry.

How did you create the database/suffix?

> When I right click on "New Root
> Object" is inactive. I'm logged in with Directory Manager (tried it on
> example ldap server instance and new one created by myself). What did I
> miss?
>
> best regards
>
>
>

From rmeggins at redhat.com Mon Jun 11 14:12:59 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 11 Jun 2007 08:12:59 -0600
Subject: [Fedora-directory-users] error compiling FedoraDirectory Server
In-Reply-To: <200706101015.28322.sacarde@tiscali.it>
References: <200706101015.28322.sacarde@tiscali.it>
Message-ID: <466D586B.7030405@redhat.com>

sacarde wrote:
> Hi,
> I try to install on my archlinux fedora-ds following this:
>
> http://gentoo-wiki.com/HOWTO_Install_Fedora_Directory_Server
>
> but after 1/2 hour downloading and compiling I have an error:
>
> BUILD FAILED
> /root/dsbuild-fds104/ds/console/work/fedora-console-1.0.3/build.xml:180:
> Compile failed; see the compiler error output for details.
> Total time: 12 seconds
> make[1]: *** [build-custom] Error 1
> make[1]: Leaving directory `/root/dsbuild-fds104/ds/console'
> make: *** [dep-../../ds/console] Error 2
>
> can you help me ?
>

Can you post more? It looks like the salient output is above "BUILD FAILED"

>
> sacarde at tiscali.it
>

From f.renzetti at gmail.com Mon Jun 11 16:14:55 2007
From: f.renzetti at gmail.com (Federico Renzetti)
Date: Mon, 11 Jun 2007 18:14:55 +0200
Subject: [Fedora-directory-users] ns-slapd crashes
Message-ID:

Hi all,
this is my first post.

My problem is that Outlook 2003 clients crash my Fedora Directory Server v1.0.4 x86_64 with auto-complete query when in "to:" field they put lots of names.
On /var/log/messages I find:

kernel: ns-slapd[2948] general protection rip:2a955e4e71 rsp:406d4b50 error:0
ns-slapd: sql_select option missing
ns-slapd: auxpropfunc error no mechanism available

On /opt/fedora-ds/slapd-server/logs/access I find:

filter="(&(mail=*)(|(mail=I............................................................................................................... truncated by log service too many chars

Sometimes on /opt/fedora-ds/slapd-server/logs/errors I find:

--- not enough pattern space

I cannot find any information about this issue

Thanks in advance

From halstead at eris.qinetiq.com Mon Jun 11 15:32:29 2007
From: halstead at eris.qinetiq.com (Steve Halstead)
Date: Mon, 11 Jun 2007 16:32:29 +0100
Subject: [Fedora-directory-users] db2ldif causes server to hang
Message-ID: <466D6B0D.7010405@eris.qinetiq.com>

Hi,

We are currently having problems whereby a Fedora DS LDAP server which has been running for several days begins to hang. The consequence of this is that further LDAP commands (e.g. ldapsearch and db2ldif) triggered by cron jobs start but fail to complete. The only way to recover is to run "killall -9 ns-slapd" and then restarting the server in the usual way.

On an hourly basis, db2ldif is used to export our LDAP repository to an LDIF file. Looking through the logs, it would appear that the server can start to hang if db2ldif is interrupted in some way. The last time that we saw the server hang, in the access log we had ldapsearch and "Netscape Replication Start Session" both accessing the server at the same time as our db2ldif export process was running. In the error log it could be seen that db2ldif stopped mid-way through exporting users. All further executions of db2ldif failed to complete.

It would seem that db2ldif is generating some sort of lock which isn't released if it is interrupted.
I have managed to reproduce this server hang by running db2ldif and killing it with CTRL+C.

We are currently running fedora-ds 1.0.2 on RHEL 4 but I have tried 1.0.4 and had a similar experience.

Has anybody else had a similar experience, or even better, know how to fix it?

Thanks,

Steve

From jonathan.mills at motricity.com Mon Jun 11 17:15:52 2007
From: jonathan.mills at motricity.com (Jonathan Mills)
Date: Mon, 11 Jun 2007 13:15:52 -0400
Subject: [Fedora-directory-users] backup to ldif
Message-ID: <466D8348.30504@motricity.com>

Just thought I'd ask first, rather than go reinventing the wheel....but does anyone have a cute little script to backup the whole directory to a single ldif file?

--
Jonathan Mills

From gholbert at broadcom.com Mon Jun 11 17:57:15 2007
From: gholbert at broadcom.com (George Holbert)
Date: Mon, 11 Jun 2007 10:57:15 -0700
Subject: [Fedora-directory-users] backup to ldif
In-Reply-To: <466D8348.30504@motricity.com>
References: <466D8348.30504@motricity.com>
Message-ID: <466D8CFB.8090106@broadcom.com>

Have you tried db2ldif ? It is included with FDS.

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/dbmanage.html#1011783

Jonathan Mills wrote:
> Just thought I'd ask first, rather than go reinventing the
> wheel....but does anyone have a cute little script to backup the whole
> directory to a single ldif file?
>

From sacarde at tiscali.it Mon Jun 11 16:38:07 2007
From: sacarde at tiscali.it (sacarde)
Date: Mon, 11 Jun 2007 18:38:07 +0200
Subject: [Fedora-directory-users] error compiling FedoraDirectory Server
In-Reply-To: <466D586B.7030405@redhat.com>
References: <200706101015.28322.sacarde@tiscali.it> <466D586B.7030405@redhat.com>
Message-ID: <200706111838.07300.sacarde@tiscali.it>

On Monday 11 June 2007, you wrote:
> Can you post more? It looks like the salient output is above "BUILD
> FAILED"

http://rafb.net/p/trCFPw60.html

> >
> > sacarde at tiscali.it

From rmeggins at redhat.com Mon Jun 11 19:36:03 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 11 Jun 2007 13:36:03 -0600
Subject: [Fedora-directory-users] error compiling FedoraDirectory Server
In-Reply-To: <200706111838.07300.sacarde@tiscali.it>
References: <200706101015.28322.sacarde@tiscali.it> <466D586B.7030405@redhat.com> <200706111838.07300.sacarde@tiscali.it>
Message-ID: <466DA423.9090005@redhat.com>

sacarde wrote:
> On Monday 11 June 2007, you wrote:
>
>
>> Can you post more? It looks like the salient output is above "BUILD
>> FAILED"
>>
>
> http://rafb.net/p/trCFPw60.html
>

[javac] Compiling 218 source files to /root/dsbuild-fds104/ds/console/work/built/classes
[javac] /root/dsbuild-fds104/ds/console/work/fedora-console-1.0.3/src/com/netscape/management/client/preferences/FilePreferenceManager.java:49: reference to Console is ambiguous, both class com.netscape.management.client.console.Console in com.netscape.management.client.console and class java.io.Console in java.io match
[javac] File f = new File(Console.PREFERENCE_DIR);
[javac]                   ^

What version of Java are you using?

>
>>> sacarde at tiscali.it
>>>
>

From sacarde at tiscali.it Mon Jun 11 19:54:55 2007
From: sacarde at tiscali.it (sacarde)
Date: Mon, 11 Jun 2007 21:54:55 +0200
Subject: [Fedora-directory-users] error compiling FedoraDirectory Server
In-Reply-To: <466DA423.9090005@redhat.com>
References: <200706101015.28322.sacarde@tiscali.it> <200706111838.07300.sacarde@tiscali.it> <466DA423.9090005@redhat.com>
Message-ID: <200706112154.56091.sacarde@tiscali.it>

On Monday 11 June 2007, you wrote:
> sacarde wrote:

> What version of Java are you using?

jre 6-3

jdk 6-2

sacarde

From vsi at ebi.ac.uk Tue Jun 12 08:32:44 2007
From: vsi at ebi.ac.uk (Ville Silventoinen)
Date: Tue, 12 Jun 2007 09:32:44 +0100 (BST)
Subject: [Fedora-directory-users] Create Browsing Index disabled
In-Reply-To:
References:
Message-ID:

Thanks Ashley. Sounds like it could be related. I just find it weird that the "Create Browsing Index" stays disabled forever. I installed another Fedora DS 1.0.4 on Friday with exactly the same problem. I used the GUI yesterday and both choices are still disabled (Create and Delete).

I don't use the Console that often, I just wanted to demo it to my boss. ;-)

Best regards,
Ville

On Thu, 7 Jun 2007, ashley wrote:

>
> I thought I saw that bug somewhere but I found references to it.
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220127
>
> "And it turned out this bug is a duplicate of bug [171081] ldapsearch hung at
> browsing index creation."
>
> It's bug 171081 but I'm not authorized to view it.
>
> Anyways when I've enabled create the browser index, basically my FDS server
> is stalled. I had to reboot it and the ldap database was in read-only mode.
> So you can't modify it ie change password etc.
>
> Painful exercise on a production LDAP server. But as you said it asks you to
> do it when you have more than a 1000 entries when using the GUI. But I rarely
> use the GUI. But it's handy if people can't use the command line tools.
>
> But yeah that's the short story.
>
> Regards Ashley
>
>
> On Wed, 6 Jun 2007, Ville Silventoinen wrote:
>
>> Hi,
>>
>> I re-installed Fedora DS 1.0.4, created a new database and imported
>> entries. When I use the Console to view the entries, it informs me that I
>> need to create a Browsing Index because there are more than 1000 entries.
>>
>> However, when I right-click the parent object, both "Create Browsing Index"
>> and "Delete Browsing Index" are disabled. Same thing with the Object menu.
>> I'm logged in as "cn=Directory Manager". Nothing in the admin-serv/logs or
>> slapd logs that would be useful. I vaguely remember this happening before
>> but I cannot remember what the solution was. Any ideas?
>>
>> OS is CentOS 4.2, Linux 2.6.9-22.ELsmp. I'm using JDK 1.5.0_09. I searched
>> bugzilla but I didn't find any similar bugs (at least with "index"
>> keyword). "startconsole -D" output is below.
>>
>> Thanks,
>> Ville
>>
>>
>> ContentMenuController.populateMenuCategory() adding to Framework
>> ContentMenuController.populateMenuCategory() adding FILE to Framework
>> ContentMenuController.populateMenuCategory() adding EDIT to Framework
>> ContentMenuController.populateMenuCategory() adding VIEW to Framework
>> ResourceSet:getString():Unable to resolve menu-EditFindUG-description
>> ContentMenuController.populateMenuCategory() adding CONTEXT to context menu
>> ResourceSet:getString():Unable to resolve menu-EditFindUG-description
>> ContentMenuController.populateMenuCategory() adding OBJECT to Framework
>> ContentMenuController.populateMenuCategory() adding CONTEXTNEW to some menu
>> ContentMenuController.createNewRootEntryMenuItems()
>> ContentMenuController.createNewRootEntryMenuItems() the list is []
>> ContentMenuController.populateMenuCategory() adding CONTEXTNEWROOTENTRY to
>> some menu
>> ContentMenuController.populateMenuCategory() adding context_setPWP to some
>> menu
>> ContentMenuController.populateMenuCategory() adding OBJECTNEW to Framework
>> ContentMenuController.populateMenuCategory() adding OBJECTNEWROOTENTRY to
>> Framework
>> ContentMenuController.populateMenuCategory() adding object_setPWP to
>> Framework
>> ContentMenuController.populateMenuCategory() adding DISPLAY to Framework
>> ResourceSet:getString():Unable to resolve menu-nodeleafview-description
>> ResourceSet:getString():Unable to resolve menu-onlytreeview-description
>> ResourceSet:getString():Unable to resolve menu-attributeview-description
>> ContentMenuController.populateMenuCategory() adding LAYOUT to Framework
>> ContentMenuController.createPartitionViewMenuItems()
>> ContentMenuController.populateMenuCategory() adding PARTITIONVIEW to
>> Framework
>> CreateVLVIndex.indexStatus(): dc=ebi,dc=ac,dc=uk
>> CreateVLVIndex.indexStatus(): ou=Aliases,dc=ebi,dc=ac,dc=uk
>> ResourceSet:getString():Unable to resolve
>> DisplayedChildrenLimitExceededDialog-checkbox-default
>> ResourceSet:getString():Unable to resolve
>> DisplayedChildrenLimitExceededDialog-checkbox-ttip
>>
>
>

From rmeggins at redhat.com Tue Jun 12 14:03:58 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 12 Jun 2007 08:03:58 -0600
Subject: [Fedora-directory-users] error compiling FedoraDirectory Server
In-Reply-To: <200706112154.56091.sacarde@tiscali.it>
References: <200706101015.28322.sacarde@tiscali.it> <200706111838.07300.sacarde@tiscali.it> <466DA423.9090005@redhat.com> <200706112154.56091.sacarde@tiscali.it>
Message-ID: <466EA7CE.6010109@redhat.com>

sacarde wrote:
> On Monday 11 June 2007, you wrote:
>
>> sacarde wrote:
>>
>
>
>> What version of Java are you using?
>>
>
> jre 6-3
>
> jdk 6-2
>

Looks like the Java 1.6 API has changed and is now incompatible.
I suggest using 1.5 which is known to work. Or, if you are java savvy, patches are welcome.

>
> sacarde
>

From mont.rothstein at gmail.com Tue Jun 12 19:30:54 2007
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Tue, 12 Jun 2007 12:30:54 -0700
Subject: [Fedora-directory-users] Going insane (can't logon from Windows)
Message-ID: <467a83630706121230w20221edbj2509f855b946c832@mail.gmail.com>

I have Fedora Directory Server (1.0.4) running on a Red Hat Linux (RHEL 4) with Samba (3.0.10-1.4E.12.2).

I have a Windows XP box that I have successfully joined to the domain.

When I go to login with a domain user I get the following error:

"Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found."

In the Windows system event log there is the following entry:

"Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 3210
Date: 6/12/2007
Time: 10:08:02 AM
User: N/A
Computer: WINXP-CLEAN
Description:
This computer could not authenticate with \\RHEL-CLEAN2, a Windows domain controller for domain FORAYADAMS2, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: c0000022"

The only thing in smb.log is:

[2007/06/12 11:41:09, 0] lib/util_sock.c:get_peer_addr(1000)
  getpeername failed. Error was Transport endpoint is not connected

The only thing in the machine's samba log is:

[2007/06/12 11:41:09, 0] lib/util_sock.c:get_peer_addr(1000)
  getpeername failed. Error was Transport endpoint is not connected
[2007/06/12 11:41:09, 0] lib/util_sock.c:write_socket_data(430)
  write_socket_data: write failure. Error = Connection reset by peer
[2007/06/12 11:41:09, 0] lib/util_sock.c:write_socket(455)
  write_socket: Error writing 4 bytes to socket 24: ERRNO = Connection reset by peer
[2007/06/12 11:41:09, 0] lib/util_sock.c:send_smb(647)
  Error writing 4 bytes to client. -1. (Connection reset by peer)

There is nothing in the Fedora log near to when the workstation boots or the user tries to login.

I can connect to a share on the server from the Windows computer, when logged in as a local user, using "net view" or entering the path directly (\\rhel-clean2\sharename\).

I can ping the server from the workstation and vice versa.

I've explicitly added the workstation to the forward and reverse DNS zone files.

The time of the server and workstation is less than 5 min apart.

I have explicitly added the linux server as a WINS server on the Windows box (just in case).

When I lookup the Windows system error on Google at I get stuff about the machine's password being out of sync or various things about group policies for encryption and such. I tried turning off all of the related group policies with no effect.

I am pulling my hair out trying to figure this out. Any and all help is appreciated.

Thanks,
-Mont

From jfenal at gmail.com Tue Jun 12 19:48:38 2007
From: jfenal at gmail.com (Jérôme Fenal)
Date: Tue, 12 Jun 2007 21:48:38 +0200
Subject: [Fedora-directory-users] Going insane (can't logon from Windows)
In-Reply-To: <467a83630706121230w20221edbj2509f855b946c832@mail.gmail.com>
References: <467a83630706121230w20221edbj2509f855b946c832@mail.gmail.com>
Message-ID: <40a14bc10706121248y656b05b9w2aca4e131e14d586@mail.gmail.com>

2007/6/12, Mont Rothstein :

Hi Mont,

> I have Fedora Directory Server (1.0.4) running on a Red Hat Linux (RHEL 4)
> with Samba (3.0.10-1.4E.12.2).
>
> I have a Windows XP box that I have successfully joined to the domain.
>
> When I go to login with a domain user I get the following error:
>
> "Windows cannot connect to the domain, either because the domain controller
> is down or otherwise unavailable, or because your computer account was not
> found."

Did you add/change the following registry key on the XP machine :

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000001
"signsecurechannel"=dword:00000001

Regards,

J.
--
Jérôme Fenal - jfenal AT gmail.com - http://fenal.org/
Paris.pm - http://paris.mongueurs.net/

From mont.rothstein at gmail.com Tue Jun 12 20:50:52 2007
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Tue, 12 Jun 2007 13:50:52 -0700
Subject: [Fedora-directory-users] Going insane (can't logon from Windows)
In-Reply-To: <40a14bc10706121248y656b05b9w2aca4e131e14d586@mail.gmail.com>
References: <467a83630706121230w20221edbj2509f855b946c832@mail.gmail.com> <40a14bc10706121248y656b05b9w2aca4e131e14d586@mail.gmail.com>
Message-ID: <467a83630706121350n7827f255n54f973aff4000cb6@mail.gmail.com>

Well I tried disabling those policies via gpedit.msc (it changes those registry settings) but it had no effect.
-Mont

On 6/12/07, Jérôme Fenal wrote:
>
> 2007/6/12, Mont Rothstein :
>
> Hi Mont,
>
> > I have Fedora Directory Server (1.0.4) running on a Red Hat Linux (RHEL 4)
> > with Samba (3.0.10-1.4E.12.2).
> >
> > I have a Windows XP box that I have successfully joined to the domain.
> >
> > When I go to login with a domain user I get the following error:
> >
> > "Windows cannot connect to the domain, either because the domain controller
> > is down or otherwise unavailable, or because your computer account was not
> > found."
>
> Did you add/change the following registry key on the XP machine :
>
>
> REGEDIT4
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
> "requiresignorseal"=dword:00000001
> "signsecurechannel"=dword:00000001
>
>
> Regards,
>
> J.
> --
> Jérôme Fenal - jfenal AT gmail.com - http://fenal.org/
> Paris.pm - http://paris.mongueurs.net/
>

From diwakoe at gmail.com Wed Jun 13 04:37:13 2007
From: diwakoe at gmail.com (Diwakoe)
Date: Wed, 13 Jun 2007 11:37:13 +0700
Subject: [Fedora-directory-users] Group name not gid
Message-ID:

Dear all,

I'm using FC6 with FDS authentication and running well but can not show groups name only GID when command 'groups' execute on console. Sometimes we get confused when we saw some folder not show group name only gid.

---
$groups
id: cannot find name for group ID 10001
10001
---

Is there any trick how to show group name not gid on konsole.

Thanks,
Diwa

From ashley at csse.uwa.edu.au Wed Jun 13 07:11:25 2007
From: ashley at csse.uwa.edu.au (ashley)
Date: Wed, 13 Jun 2007 15:11:25 +0800 (WST)
Subject: [Fedora-directory-users] Group name not gid
In-Reply-To:
References:
Message-ID:

Normal users don't have the necessary permissions to do the lookup on LDAP.

The authentication process is done usually by root then when you are logged
in you can't do lookups.

I've documented this here

http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html

In Section 3.3 Binding Linux/Unix Machines to LDAPs

(way at the bottom)

Short story is turn on NSCD, this service binds as root but caches the
information for the local user. Usually information you should cache is
passwd, group and aliases information which you have to edit
/etc/nscd.conf

You might want to check this out for NSCD

http://www.csse.uwa.edu.au/~ashley/fedora-ds/Fedora%20Miscellaneous%20Problems-23082006.htm

Regards Ashley

On Wed, 13 Jun 2007, Diwakoe wrote:

> Dear all,
>
> I'm using FC6 with FDS authentication and running well but can not
> show groups name only GID when command 'groups' execute on console.
> Sometimes we get confuse when we saw some folder not show group name
> only gid.
>
> ---
> $groups
> id: cannot find name for group ID 10001
> 10001
> ---
>
> Is there any trick how to show group name not gid on konsole.
>
>
> Thanks,
> Diwa
>

--
Ashley Chew - Systems Administrator
School of Computer Science and Software Engineering
University of Western Australia
Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089
Ashley[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ashley
"There is no such thing as Fate, Fate is what you make of it!"

From ashley at csse.uwa.edu.au Wed Jun 13 07:15:49 2007
From: ashley at csse.uwa.edu.au (ashley)
Date: Wed, 13 Jun 2007 15:15:49 +0800 (WST)
Subject: [Fedora-directory-users] Create Browsing Index disabled
In-Reply-To:
References:
Message-ID:

I imagine that I had an earlier build of 1.04 which "Create Browsing
Index" wasn't disabled.
But I believe it was a good idea to have it disabled, shouldn't
have a feature which may inadvertently cause ppl grief.

Regards Ashley

On Tue, 12 Jun 2007, Ville Silventoinen wrote:

> Thanks Ashley. Sounds like it could be related. I just find it weird that the
> "Create Browsing Index" stays disabled forever. I installed another Fedora DS
> 1.0.4 on Friday with exactly the same problem. I used the GUI yesterday and
> both choices are still disabled (Create and Delete).
>
> I don't use the Console that often, I just wanted to demo it to my boss. ;-)
>
> Best regards,
> Ville
>
> On Thu, 7 Jun 2007, ashley wrote:
>
>>
>> I thought I saw that bug somewhere but I found references to it.
>>
>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220127
>>
>> "And it turned out this bug is a duplicate of bug [171081] ldapsearch hung
>> at browsing index creation."
>>
>> Its bug 171081 but I'm not authorized to view it.
>>
>> Anyways when I've enabled create the browser index, basically my FDS server
>> is stalled. I had to reboot it and the ldap database was in read-only mode.
>> So you can't modify it ie change password etc.
>>
>> Painful exercise on a production LDAP server. But as you said it asks you
>> to do it when you have more than a 1000 entries when using the GUI. But I
>> rarely use the GUI. But its handy if people can't use the command line
>> tools.
>>
>> But yeah thats the short story.
>>
>> Regards Ashley
>>
>>
>> On Wed, 6 Jun 2007, Ville Silventoinen wrote:
>>
>>> Hi,
>>>
>>> I re-installed Fedora DS 1.0.4, created a new database and imported
>>> entries. When I use the Console to view the entries, it informs me that I
>>> need to create a Browsing Index because there are more than 1000 entries.
>>>
>>> However, when I right-click the parent object, both "Create Browsing
>>> Index" and "Delete Browsing Index" are disabled. Same thing with the
>>> Object menu. I'm logged in as "cn=Directory Manager".
>>> Nothing in the admin-serv/logs or slapd logs that would be useful. I vaguely remember
>>> this happening before but I cannot remember what the solution was. Any
>>> ideas?
>>>
>>> OS is CentOS 4.2, Linux 2.6.9-22.ELsmp. I'm using JDK 1.5.0_09. I searched
>>> bugzilla but I didn't find any similar bugs (at least with "index"
>>> keyword). "startconsole -D" output is below.
>>>
>>> Thanks,
>>> Ville
>>>
>>>
>>> ContentMenuController.populateMenuCategory() adding to Framework
>>> ContentMenuController.populateMenuCategory() adding FILE to Framework
>>> ContentMenuController.populateMenuCategory() adding EDIT to Framework
>>> ContentMenuController.populateMenuCategory() adding VIEW to Framework
>>> ResourceSet:getString():Unable to resolve menu-EditFindUG-description
>>> ContentMenuController.populateMenuCategory() adding CONTEXT to context menu
>>> ResourceSet:getString():Unable to resolve menu-EditFindUG-description
>>> ContentMenuController.populateMenuCategory() adding OBJECT to Framework
>>> ContentMenuController.populateMenuCategory() adding CONTEXTNEW to some menu
>>> ContentMenuController.createNewRootEntryMenuItems()
>>> ContentMenuController.createNewRootEntryMenuItems() the list is []
>>> ContentMenuController.populateMenuCategory() adding CONTEXTNEWROOTENTRY to some menu
>>> ContentMenuController.populateMenuCategory() adding context_setPWP to some menu
>>> ContentMenuController.populateMenuCategory() adding OBJECTNEW to Framework
>>> ContentMenuController.populateMenuCategory() adding OBJECTNEWROOTENTRY to Framework
>>> ContentMenuController.populateMenuCategory() adding object_setPWP to Framework
>>> ContentMenuController.populateMenuCategory() adding DISPLAY to Framework
>>> ResourceSet:getString():Unable to resolve menu-nodeleafview-description
>>> ResourceSet:getString():Unable to resolve menu-onlytreeview-description
>>> ResourceSet:getString():Unable to resolve menu-attributeview-description
>>> ContentMenuController.populateMenuCategory() adding LAYOUT to Framework
>>> ContentMenuController.createPartitionViewMenuItems()
>>> ContentMenuController.populateMenuCategory() adding PARTITIONVIEW to Framework
>>> CreateVLVIndex.indexStatus(): dc=ebi,dc=ac,dc=uk
>>> CreateVLVIndex.indexStatus(): ou=Aliases,dc=ebi,dc=ac,dc=uk
>>> ResourceSet:getString():Unable to resolve DisplayedChildrenLimitExceededDialog-checkbox-default
>>> ResourceSet:getString():Unable to resolve DisplayedChildrenLimitExceededDialog-checkbox-ttip
>>>

--
Ashley Chew - Systems Administrator
School of Computer Science and Software Engineering
University of Western Australia
Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089
Ashley[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ashley
"There is no such thing as Fate, Fate is what you make of it!"

From diwakoe at gmail.com Wed Jun 13 09:11:30 2007
From: diwakoe at gmail.com (Diwakoe)
Date: Wed, 13 Jun 2007 16:11:30 +0700
Subject: [Fedora-directory-users] Group name not gid
In-Reply-To:
References:
Message-ID:

Hi Ashley,

Thanks for your docs, but how about directory listing? when root log
in and doing command "ls -al" on home folder is showing user name,
group and folder. But only user name is show correctly but the group
is only gid.

----
drwxr-xr-x 4 JWilliam 10001 4096 Jun 4 14:56 JWilliam
---

Regards,
Diwa

On 6/13/07, ashley wrote:
>
> Normal users don't have the necessary permissions to do the lookup on
> LDAP.
>
> The authentication process is done usually by root then when you are logged
> in you can't do lookups.
>
> I've documented this here
>
> http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html
>
> In Section 3.3 Binding Linux/Unix Machines to LDAPs
>
> (way at the bottom)
>
> Short story is turn on NSCD, this service binds as root but caches the
> information for the local user. Usually information you should cache is
> passwd, group and aliases information which you have to edit
> /etc/nscd.conf
>
> You might want to check this out for NSCD
>
> http://www.csse.uwa.edu.au/~ashley/fedora-ds/Fedora%20Miscellaneous%20Problems-23082006.htm
>
> Regards Ashley
>

From srigler at marathonoil.com Wed Jun 13 15:23:48 2007
From: srigler at marathonoil.com (Steve Rigler)
Date: Wed, 13 Jun 2007 10:23:48 -0500
Subject: [Fedora-directory-users] Admin Server Port
Message-ID: <1181748228.30837.18.camel@houuc8>

Is it possible to configure the admin server to use the standard https
port? The documentation states that reserved ports can't be used, but
if the admin server runs as root is this really an issue?

Thanks,
Steve

From rmeggins at redhat.com Wed Jun 13 15:21:24 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 13 Jun 2007 09:21:24 -0600
Subject: [Fedora-directory-users] Admin Server Port
In-Reply-To: <1181748228.30837.18.camel@houuc8>
References: <1181748228.30837.18.camel@houuc8>
Message-ID: <46700B74.2090109@redhat.com>

Steve Rigler wrote:
> Is it possible to configure the admin server to use the standard https
> port? The documentation states that reserved ports can't be used, but
> if the admin server runs as root is this really an issue?
>
What version of Fedora DS? Note that the standard Apache used on most
linux platforms will not even allow you to run as root.
> Thanks,
> Steve
>

From srigler at marathonoil.com Wed Jun 13 15:57:16 2007
From: srigler at marathonoil.com (Steve Rigler)
Date: Wed, 13 Jun 2007 10:57:16 -0500
Subject: [Fedora-directory-users] Admin Server Port
In-Reply-To: <46700B74.2090109@redhat.com>
References: <1181748228.30837.18.camel@houuc8> <46700B74.2090109@redhat.com>
Message-ID: <1181750236.30837.31.camel@houuc8>

On Wed, 2007-06-13 at 09:21 -0600, Richard Megginson wrote:
> Steve Rigler wrote:
> > Is it possible to configure the admin server to use the standard https
> > port? The documentation states that reserved ports can't be used, but
> > if the admin server runs as root is this really an issue?
> >
> What version of Fedora DS? Note that the standard Apache used on most
> linux platforms will not even allow you to run as root.

This is 1.0.4 on RHEL 4. The issue is that when I try to configure the
admin server to use a reserved port I get a dialog stating "inadequate
permission. Port is protected."

Ideally we'd like to be able to use "Directory Server Express" to
provide users with the ability to reset their own passwords. Since this
should be secure it seems like it would make more sense to run the
service on port 443 rather than an unreserved port. I'm just stumbling
on actually getting this part to work.

Thanks,
Steve

From rmeggins at redhat.com Wed Jun 13 15:59:58 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 13 Jun 2007 09:59:58 -0600
Subject: [Fedora-directory-users] Admin Server Port
In-Reply-To: <1181750236.30837.31.camel@houuc8>
References: <1181748228.30837.18.camel@houuc8> <46700B74.2090109@redhat.com> <1181750236.30837.31.camel@houuc8>
Message-ID: <4670147E.80703@redhat.com>

Steve Rigler wrote:
> On Wed, 2007-06-13 at 09:21 -0600, Richard Megginson wrote:
>
>> Steve Rigler wrote:
>>
>>> Is it possible to configure the admin server to use the standard https
>>> port?
>>> The documentation states that reserved ports can't be used, but
>>> if the admin server runs as root is this really an issue?
>>>
>>>
>> What version of Fedora DS? Note that the standard Apache used on most
>> linux platforms will not even allow you to run as root.
>>
>
> This is 1.0.4 on RHEL 4. The issue is that when I try to configure the
> admin server to use a reserved port I get a dialog stating "inadequate
> permission. Port is protected."
>
Hmm. Not sure why that is. The standard model for most unix/linux
daemons now is to startup as root, open/bind the low port number, then
setuid to a non-privileged user.
> Ideally we'd like to be able to use "Directory Server Express" to
> provide users with the ability to reset their own passwords. Since this
> should be secure it seems like it would make more sense to run the
> service on port 443 rather than an unreserved port. I'm just stumbling
> on actually getting this part to work.
>
Why do you need to use 443? The Admin Server can serve https requests
without having to be on port 443.
> Thanks,
> Steve
>
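
The sequence discussed in the Admin Server Port replies (start as root, bind the low port, setuid to a non-privileged user, after which a reserved port can no longer be bound), as an added C example that is not part of the thread and not Fedora DS or Apache code. The function names and the uid/gid 65534 are assumptions.

```c
/* Added example (not Fedora DS or Apache code): bind a reserved port while
 * still root, then give up root for good. uid/gid 65534 ("nobody" on most
 * Linux systems) is an assumption; use the service's own account. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes setgroups() in <grp.h> on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Bind a TCP socket to `port` on all interfaces. Returns the descriptor, or
 * -1 with errno set: EACCES means the port is reserved (below 1024) and the
 * caller no longer has, or never had, the privilege to bind it. */
int bind_listener(uint16_t port)
{
    struct sockaddr_in addr;
    int on = 1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0)
        return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on);

    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Port the socket ended up on (differs from the request only for port 0).
 * Returns 0 on error. */
uint16_t listener_port(int fd)
{
    struct sockaddr_in addr;
    socklen_t len = sizeof addr;

    if (getsockname(fd, (struct sockaddr *)&addr, &len) < 0)
        return 0;
    return ntohs(addr.sin_port);
}

/* Permanently switch from root to uid/gid. Order matters: supplementary
 * groups first, then gid, then uid, because once the uid has changed the
 * process may no longer alter its groups. Returns 0 on success, -1 on error. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {            /* "dropping" to root is a bug */
        errno = EINVAL;
        return -1;
    }
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    /* Verify: every id must be the target and root must be unreachable. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid || setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    int fd = bind_listener(443);           /* needs root or CAP_NET_BIND_SERVICE */
    if (fd < 0) {
        perror("bind 443");
        return 1;
    }
    if (drop_privileges(65534, 65534) < 0) {
        perror("drop_privileges");
        return 1;                          /* never serve requests as root */
    }
    if (listen(fd, 16) < 0) {              /* socket bound earlier still works */
        perror("listen");
        return 1;
    }
    printf("listening on %u as uid %d\n",
           (unsigned)listener_port(fd), (int)getuid());

    /* A port change requested now is refused, as described in the thread. */
    if (bind_listener(80) < 0 && errno == EACCES)
        printf("rebinding a reserved port after the drop: EACCES\n");
    close(fd);
    return 0;
}
```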

From rcritten at redhat.com Wed Jun 13 17:03:42 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 13 Jun 2007 13:03:42 -0400
Subject: [Fedora-directory-users] Admin Server Port
In-Reply-To: <4670147E.80703@redhat.com>
References: <1181748228.30837.18.camel@houuc8> <46700B74.2090109@redhat.com> <1181750236.30837.31.camel@houuc8> <4670147E.80703@redhat.com>
Message-ID: <4670236E.8000906@redhat.com>

Richard Megginson wrote:
> Steve Rigler wrote:
>> On Wed, 2007-06-13 at 09:21 -0600, Richard Megginson wrote:
>>
>>> Steve Rigler wrote:
>>>
>>>> Is it possible to configure the admin server to use the standard https
>>>> port? The documentation states that reserved ports can't be used, but
>>>> if the admin server runs as root is this really an issue?
>>>>
>>> What version of Fedora DS? Note that the standard Apache used on
>>> most linux platforms will not even allow you to run as root.
>>>
>>
>> This is 1.0.4 on RHEL 4. The issue is that when I try to configure the
>> admin server to use a reserved port I get a dialog stating "inadequate
>> permission. Port is protected."
>>
> Hmm. Not sure why that is. The standard model for most unix/linux
> daemons now is to startup as root, open/bind the low port number, then
> setuid to a non-privileged user.

I think there is code that looks to see if the port is
available/bindable. Since admin server has already dropped privileges it
can't change the port.

>> Ideally we'd like to be able to use "Directory Server Express" to
>> provide users with the ability to reset their own passwords. Since this
>> should be secure it seems like it would make more sense to run the
>> service on port 443 rather than an unreserved port. I'm just stumbling
>> on actually getting this part to work.
>>
> Why do you need to use 443? The Admin Server can serve https requests
> without having to be on port 443.

You could try setting it manually in
/opt/fedora-ds/admin-serv/config/console.conf

I suspect he wants 443 because it is easier and users don't need to
remember to set a port.

rob

From srigler at marathonoil.com Wed Jun 13 17:47:14 2007
From: srigler at marathonoil.com (Steve Rigler)
Date: Wed, 13 Jun 2007 12:47:14 -0500
Subject: [Fedora-directory-users] Admin Server Port
In-Reply-To: <4670236E.8000906@redhat.com>
References: <1181748228.30837.18.camel@houuc8> <46700B74.2090109@redhat.com> <1181750236.30837.31.camel@houuc8> <4670147E.80703@redhat.com> <4670236E.8000906@redhat.com>
Message-ID: <1181756834.30837.48.camel@houuc8>

On Wed, 2007-06-13 at 13:03 -0400, Rob Crittenden wrote:
> > Why do you need to use 443? The Admin Server can serve https requests
> > without having to be on port 443.
>
>
> You could try setting it manually in
> /opt/fedora-ds/admin-serv/config/console.conf
>
> I suspect he wants 443 because it is easier and users don't need to
> remember to set a port.

Aside from the fact that it's a well known port, it's also a port that's
less likely to be restricted via firewall rules. The system is on an
internal network, but I need to be able to allow remote users (connected
through VPN) to use it and there are firewalls in place between them and
the rest of the network. By putting this on a well known port I'm
saving myself the grief of having to go through a risk-analysis down the
road because a firewall rule needs to be changed.

I believe I've found the way to configure it to use port 443 (aside from
specifying that at setup time). In addition to "console.conf" it looks
like "local.conf" and "adm.conf" need to be updated as well as the
"nsserverport" attribute in the configuration entry for the admin server
under "o=NetscapeRoot".
Curiously enough, I wasn't able to update
"nsserverport" from the GUI (pops up "unknown error with naming
attribute") but I could do it with "ldapmodify".

Anyways, it's working now.

Thanks,
Steve

From rmeggins at redhat.com Wed Jun 13 17:48:24 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 13 Jun 2007 11:48:24 -0600
Subject: [Fedora-directory-users] Admin Server Port
In-Reply-To: <1181756834.30837.48.camel@houuc8>
References: <1181748228.30837.18.camel@houuc8> <46700B74.2090109@redhat.com> <1181750236.30837.31.camel@houuc8> <4670147E.80703@redhat.com> <4670236E.8000906@redhat.com> <1181756834.30837.48.camel@houuc8>
Message-ID: <46702DE8.5050903@redhat.com>

Steve Rigler wrote:
> On Wed, 2007-06-13 at 13:03 -0400, Rob Crittenden wrote:
>
>
>>> Why do you need to use 443? The Admin Server can serve https requests
>>> without having to be on port 443.
>>>
>> You could try setting it manually in
>> /opt/fedora-ds/admin-serv/config/console.conf
>>
>> I suspect he wants 443 because it is easier and users don't need to
>> remember to set a port.
>>
>
> Aside from the fact that it's a well known port, it's also a port that's
> less likely to be restricted via firewall rules. The system is on an
> internal network, but I need to be able to allow remote users (connected
> through VPN) to use it and there are firewalls in place between them and
> the rest of the network. By putting this on a well known port I'm
> saving myself the grief of having to go through a risk-analysis down the
> road because a firewall rule needs to be changed.
>
Ok.
> I believe I've found the way to configure it to use port 443 (aside from
> specifying that at setup time). In addition to "console.conf" it looks
> like "local.conf"
local.conf is a read-only cache of the admin server config information
stored under o=NetscapeRoot in the configuration directory server.
> and "adm.conf"
I think the port is ignored in this file. It's there for historical
purposes.
> need to be updated as well as the
> "nsserverport" attribute in the configuration entry for the admin server
> under "o=NetscapeRoot".
I think this and console.conf are the two main (only?) places.
> Curiously enough, I wasn't able to update
> "nsserverport" from the GUI (pops up "unknown error with naming
> attribute")
On which screen?
> but I could do it with "ldapmodify".
>
> Anyways, it's working now.
>
> Thanks,
> Steve
>

From srigler at marathonoil.com Wed Jun 13 17:58:34 2007
From: srigler at marathonoil.com (Steve Rigler)
Date: Wed, 13 Jun 2007 12:58:34 -0500
Subject: [Fedora-directory-users] Admin Server Port
In-Reply-To: <46702DE8.5050903@redhat.com>
References: <1181748228.30837.18.camel@houuc8> <46700B74.2090109@redhat.com> <1181750236.30837.31.camel@houuc8> <4670147E.80703@redhat.com> <4670236E.8000906@redhat.com> <1181756834.30837.48.camel@houuc8> <46702DE8.5050903@redhat.com>
Message-ID: <1181757514.30837.53.camel@houuc8>

On Wed, 2007-06-13 at 11:48 -0600, Richard Megginson wrote:
> Steve Rigler wrote:
> > I believe I've found the way to configure it to use port 443 (aside from
> > specifying that at setup time). In addition to "console.conf" it looks
> > like "local.conf"
> local.conf is a read-only cache of the admin server config information
> stored under o=NetscapeRoot in the configuration directory server.
> > and "adm.conf"
> I think the port is ignored in this file. It's there for historical
> purposes.
> > need to be updated as well as the
> > "nsserverport" attribute in the configuration entry for the admin server
> > under "o=NetscapeRoot".
> I think this and console.conf are the two main (only?) places.
> > Curiously enough, I wasn't able to update
> > "nsserverport" from the GUI (pops up "unknown error with naming
> > attribute")
> On which screen?

This was when opening the console, opening the "Directory Server" window
on the configuration server and drilling down through "NetscapeRoot"
until I opened the properties on
cn=configuration,cn=admin-serv- servername,cn=fedora adminstration server...

-Steve

From mont.rothstein at gmail.com Wed Jun 13 17:58:56 2007
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Wed, 13 Jun 2007 10:58:56 -0700
Subject: [Fedora-directory-users] Going insane (can't logon from Windows)
In-Reply-To: <467a83630706121350n7827f255n54f973aff4000cb6@mail.gmail.com>
References: <467a83630706121230w20221edbj2509f855b946c832@mail.gmail.com> <40a14bc10706121248y656b05b9w2aca4e131e14d586@mail.gmail.com> <467a83630706121350n7827f255n54f973aff4000cb6@mail.gmail.com>
Message-ID: <467a83630706131058w6892e38yc1c28dbb284b1cb@mail.gmail.com>

A little more info on this.

Everything I can find says that Windows believes the computer password is
out of sync. It tries to use the password and fails. Adding and removing
the computer from the domain (including deleting the account in FDS) does
not help. Add the computer, reboot, try and login, no dice.

Does anyone have any idea what might be happening here?

Thanks,
-Mont

On 6/12/07, Mont Rothstein wrote:
>
> Well, I tried disabling those policies via gpedit.msc (it changes those
> registry settings) but it had no effect.
>
> -Mont
>
>
> On 6/12/07, Jérôme Fenal wrote:
> >
> > 2007/6/12, Mont Rothstein < mont.rothstein at gmail.com>:
> >
> > Hi Mont,
> >
> > > I have Fedora Directory Server (1.0.4) running on a Red Hat Linux (RHEL 4)
> > > with Samba (3.0.10-1.4E.12.2).
> > >
> > > I have a Windows XP box that I have successfully joined to the domain.
> > >
> > > When I go to login with a domain user I get the following error:
> > >
> > > "Windows cannot connect to the domain, either because the domain controller
> > > is down or otherwise unavailable, or because your computer account was not
> > > found."
> >
> > Did you add/change the following registry key on the XP machine :
> >
> >
> > REGEDIT4
> >
> >
> > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
> > "requiresignorseal"=dword:00000001
> > "signsecurechannel"=dword:00000001
> >
> >
> > Regards,
> >
> > J.
> > --
> > Jérôme Fenal - jfenal AT gmail.com - http://fenal.org/
> > Paris.pm - http://paris.mongueurs.net/
> >
>

From jfenal at gmail.com Wed Jun 13 19:36:45 2007
From: jfenal at gmail.com (=?UTF-8?Q?J=C3=A9r=C3=B4me_Fenal?=)
Date: Wed, 13 Jun 2007 21:36:45 +0200
Subject: [Fedora-directory-users] Going insane (can't logon from Windows)
In-Reply-To: <467a83630706131058w6892e38yc1c28dbb284b1cb@mail.gmail.com>
References: <467a83630706121230w20221edbj2509f855b946c832@mail.gmail.com> <40a14bc10706121248y656b05b9w2aca4e131e14d586@mail.gmail.com> <467a83630706121350n7827f255n54f973aff4000cb6@mail.gmail.com> <467a83630706131058w6892e38yc1c28dbb284b1cb@mail.gmail.com>
Message-ID: <40a14bc10706131236m5ac0f76eob3e3001e9796661c@mail.gmail.com>

2007/6/13, Mont Rothstein :
> A little more info on this.
>
> Everything I can find says that Windows believes the computer password is
> out of sync. It tries to use the password and fails. Adding and removing
> the computer from the domain (including deleting the account in FDS) does
> not help. Add the computer, reboot, try and login, no dice.
>
> Does anyone have any idea what might be happening here?

this does seem to be related directly to the directory server, but
more to Samba.
Maybe it will be more relevant to ask your question on samba at samba.org
https://lists.samba.org/mailman/listinfo/samba

Regards,

J.
--
Jérôme Fenal - jfenal AT gmail.com - http://fenal.org/
Paris.pm - http://paris.mongueurs.net/

From mont.rothstein at gmail.com Wed Jun 13 20:22:55 2007
From: mont.rothstein at gmail.com (Mont Rothstein)
Date: Wed, 13 Jun 2007 13:22:55 -0700
Subject: [Fedora-directory-users] Going insane (can't logon from Windows)
In-Reply-To: <40a14bc10706131236m5ac0f76eob3e3001e9796661c@mail.gmail.com>
References: <467a83630706121230w20221edbj2509f855b946c832@mail.gmail.com> <40a14bc10706121248y656b05b9w2aca4e131e14d586@mail.gmail.com> <467a83630706121350n7827f255n54f973aff4000cb6@mail.gmail.com> <467a83630706131058w6892e38yc1c28dbb284b1cb@mail.gmail.com> <40a14bc10706131236m5ac0f76eob3e3001e9796661c@mail.gmail.com>
Message-ID: <467a83630706131322h38d0f543o8ef47d326aed5419@mail.gmail.com>

I'll try there, thanks.

-Mont

On 6/13/07, Jérôme Fenal wrote:
>
> 2007/6/13, Mont Rothstein :
> > A little more info on this.
> >
> > Everything I can find says that Windows believes the computer password is
> > out of sync. It tries to use the password and fails. Adding and removing
> > the computer from the domain (including deleting the account in FDS) does
> > not help. Add the computer, reboot, try and login, no dice.
> >
> > Does anyone have any idea what might be happening here?
>
> this does seem to be related directly to the directory server, but
> more to Samba.
> Maybe it will be more relevant to ask your question on samba at samba.org
> https://lists.samba.org/mailman/listinfo/samba
>
> Regards,
>
> J.
> --
> Jérôme Fenal - jfenal AT gmail.com - http://fenal.org/
> Paris.pm - http://paris.mongueurs.net/
>

From ashley at csse.uwa.edu.au Thu Jun 14 01:58:57 2007
From: ashley at csse.uwa.edu.au (ashley)
Date: Thu, 14 Jun 2007 09:58:57 +0800 (WST)
Subject: [Fedora-directory-users] Group name not gid
In-Reply-To:
References:
Message-ID:

On your client, if its properly binded you should be able to see your
remote mappings ie do this

getent passwd
getent group

And see if the user and groupmember information for that user are there.

ashley at gp01:/etc:554> getent group |grep -i ashley
motorola:*:32705:ashley
acm:*:32071:ashley,luigi

Now that only shows that the ldap lookup / binding is working. If it isn't
then something wrong with your binding, if it is then try mapping the
group information directly. ie edit /etc/ldap.conf and edit the
nss_base_group.

The only other place I think of is that you didn't tell your linux system
to used the LDAP lookup information for groups which is specified in
/etc/nsswitch.conf

For unix there three main files / variables which are passwd, shadow and
group.

For nsswitch.conf I've got lookup local information followed by LDAP
information ie in

passwd: files ldap
shadow: files ldap
group: files ldap

Thats all I can think of at the moment.

Regards Ashley

On Wed, 13 Jun 2007, Diwakoe wrote:

> Dear all,
>
> I'm using FC6 with FDS authentication and running well but can not
> show groups name only GID when command 'groups' execute on console.
> Sometimes we get confuse when we saw some folder not show group name
> only gid.
>
> ---
> $groups
> id: cannot find name for group ID 10001
> 10001
> ---
>
> Is there any trick how to show group name not gid on konsole.
>
>
> Thanks,
> Diwa
>

--
Ashley Chew - Systems Administrator
School of Computer Science and Software Engineering
University of Western Australia
Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089
Ashley[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ashley
"There is no such thing as Fate, Fate is what you make of it!"

From patrick.morris at hp.com Thu Jun 14 16:40:27 2007
From: patrick.morris at hp.com (Morris, Patrick)
Date: Thu, 14 Jun 2007 12:40:27 -0400
Subject: [Fedora-directory-users] Group name not gid
In-Reply-To:
References:
Message-ID:

How did you set up LDAP auth? Fedora has a really simple configuration
utility (authconfig) that makes it very easy. You should be able to just
tell it to use LDAP, point it at your server and base DN (make sure it's
at a level below where both your users and groups are, if they're in
separate contexts), and you're good to go.

> Thanks for your docs, but how about directory listing? when
> root log in and doing command "ls -al" on home folder is
> showing user name, group and folder. But only user name is
> show correctly but the group is only gid.
>
> ----
> drwxr-xr-x 4 JWilliam 10001 4096 Jun 4 14:56 JWilliam
> ---
>
> Regards,
> Diwa

From sphenisciformes at hotmail.com Thu Jun 14 19:36:29 2007
From: sphenisciformes at hotmail.com (Sphenis cidae)
Date: Thu, 14 Jun 2007 19:36:29 +0000
Subject: [Fedora-directory-users] Need Help - FDS 1.0.4 - Admin Console - Details Inside - Thanks
Message-ID:

Hi,

Thanks for your attention, I'll be brief.

I have fedora directory server 1.0.4 running and I can access it from a
windows workstation using softerra ldap administrator, but when i try
using the fedora admin console from the server i get the following error:

"cannot logon because of an incorrect User ID, Incorrect password or Directory problem.
java.io.InterruptedIOException: HTTP response timeout"

In /opt/fedora-ds/admin-serv/logs/error i have:

child pid 2768 exit signal segmentation fault (11)
child pid 2769 exit signal segmentation fault (11)
...
child pid 3360 exit signal segmentation fault (11)

I'm asking for a big help here. I'm just a newbie trying very hard to learn.

Thanks, and I hope someday I'll be able to help you too.

From diwakoe at gmail.com Fri Jun 15 01:51:00 2007
From: diwakoe at gmail.com (Diwakoe)
Date: Fri, 15 Jun 2007 08:51:00 +0700
Subject: [Fedora-directory-users] Group name not gid
In-Reply-To:
References:
Message-ID:

Hi Patrick,

The problem is my user group created using management console doesn't
show GID field entry so the GID number entered on user properties is
not refer to group (thanks to ashley). I created new group using .ldif
file with gid entered same number on user properties imported using
management console and the problem is solved.

So now I'm looking for hint how to show GID number field on management
console when created new user group.

Thanks,
Diwa

On 6/14/07, Morris, Patrick wrote:
> How did you set up LDAP auth? Fedora has a really simple configuration
> utility (authconfig) that makes it very easy. You should be able to just
> tell it to use LDAP, point it at your server and base DN (make sure it's
> at a level below where both your users and groups are, if they're in
> separate contexts), and you're good to go.
>
> > Thanks for your docs, but how about directory listing? when
> > root log in and doing command "ls -al" on home folder is
> > showing user name, group and folder. But only user name is
> > show correctly but the group is only gid.
> > > > ---- > > drwxr-xr-x 4 JWilliam 10001 4096 Jun 4 14:56 JWilliam > > --- > > > > Regards, > > Diwa > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From etorres at dap.es Fri Jun 15 10:53:33 2007 From: etorres at dap.es (Esteban Torres Rodriguez) Date: Fri, 15 Jun 2007 12:53:33 +0200 Subject: [Fedora-directory-users] Problem with fds 1.0.4 on Red Hat 5 64 bits. In-Reply-To: References: Message-ID: <46728BCD0200001800104DFC@mail.dap.es> Excuse me for my english. When run start-admin for admin my console show me this error: httpd.worker: Syntax error on line 151 of /opt/fedora-ds/admin-serv/config/httpd.conf: Cannot load /opt/fedora-ds/bin/admin/lib/libmodrestartd.so into server: /opt/fedora-ds/bin/admin/lib/libmodrestartd.so: undefined symbol: apr_filename_of_pathname It s possible install fedora-ds-1.0.4-1.RHEL4.x86_64.opt.rpm on Red Hat 5 64 bits? I need help.. Esteban Torres Rodr?guez ?REA DE SOPORTE T?CNICO - Administraci?n de Servidores Subdirecci?n de Sistemas Inform?ticos Empresa P?blica Desarrollo Agrario y Pesquero, email: etorres at dap.es From rcritten at redhat.com Fri Jun 15 13:17:25 2007 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 15 Jun 2007 09:17:25 -0400 Subject: [Fedora-directory-users] Problem with fds 1.0.4 on Red Hat 5 64 bits. In-Reply-To: <46728BCD0200001800104DFC@mail.dap.es> References: <46728BCD0200001800104DFC@mail.dap.es> Message-ID: <46729165.9090107@redhat.com> Esteban Torres Rodriguez wrote: > Excuse me for my english. 
> > When run start-admin for admin my console show me this error: > > httpd.worker: Syntax error on line 151 of /opt/fedora-ds/admin-serv/config/httpd.conf: Cannot load /opt/fedora-ds/bin/admin/lib/libmodrestartd.so into server: /opt/fedora-ds/bin/admin/lib/libmodrestartd.so: undefined symbol: apr_filename_of_pathname > > It s possible install fedora-ds-1.0.4-1.RHEL4.x86_64.opt.rpm on Red Hat 5 64 bits? > > I need help.. Try the FC6 build instead. The problem is that RHEL4 uses Apache 2.0.52 and RHEL 5 uses Apache 2.2.3. Their API's are not completely compatible and modules need to be recompiled. rob > > > > Esteban Torres Rodr?guez > ?REA DE SOPORTE T?CNICO - Administraci?n de Servidores > Subdirecci?n de Sistemas Inform?ticos > Empresa P?blica Desarrollo Agrario y Pesquero, > email: etorres at dap.es > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From maurizio.marini at cost.it Fri Jun 15 10:45:03 2007 From: maurizio.marini at cost.it (Maurizio Marini) Date: Fri, 15 Jun 2007 12:45:03 +0200 Subject: [Fedora-directory-users] automatically add attributes for new People users Message-ID: <200706151245.03820.maurizio.marini@cost.it> Hi all, sorry for very newbie question? i want add shadow attribute to all users; i am creating users adding them to ou=People i add posix schema as in http://directory.fedoraproject.org/wiki/Howto:Posix now i add a new user; click on Add Value click on shadowAccount click on Add Attribute multiselection for shadowexpire...shadowwaring click on Ok now i can input values for these attributes. Question is: i can make this permanent for all next users i will add from now? 
can i setup that all new users added to ou=person will have shadowaccount value and all shadow attributes automatically? TIA Maurizio From jeff.applewhite at motricity.com Fri Jun 15 14:22:35 2007 From: jeff.applewhite at motricity.com (Jeff Applewhite) Date: Fri, 15 Jun 2007 10:22:35 -0400 Subject: [Fedora-directory-users] Group membership display issue Message-ID: Hi All, I think I have encountered a bug. When I look at group membership in the Java gui sometimes group members display and sometimes they don't (hourglass displays). If I go to the advanced view I can see members from there. Command line tools verify that group object looks correct. Has anyone seen this before? Is there a fix / workaround? I am running the latest release 1.0.4 on RHEL 4, the Java gui is running on a MAC OS X box (X server). Thanks in advance Jeff Applewhite NOTICE: This e-mail message is for the sole use of the intended recipient(s) and may contain confidential and privileged information of Motricity. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rnappert at juniper.net Fri Jun 15 18:47:59 2007 From: rnappert at juniper.net (Reinhard Nappert) Date: Fri, 15 Jun 2007 14:47:59 -0400 Subject: [Fedora-directory-users] Replication over SSL with simple authentication Message-ID: <3525C9833C09ED418C6FD6CD9514668C01C832C4@emailwf1.jnpr.net> Hi, I SSL-enabled two Directory Servers and I can access them over LDAPS using ldapsearch and other clients. I enabled both servers with the steps from the setupssl script. However, when I to set replication up, I get: [15/Jun/2007:13:32:56 -0400] conn=6057 op=-1 fd=69 closed - SSL peer cannot verify your certificate. 
I did import the CA cert (self-signed) to the other server, both ways, since I want to have multi-mastering. By the way, I checked the serial numbers of the certs and they are not identical. Does anyone have an idea why the replication fails. Thanks, -Reinhard -------------- next part -------------- An HTML attachment was scrubbed... URL: From iferreir at personal.com.py Sat Jun 16 00:03:10 2007 From: iferreir at personal.com.py (Ivan Ferreira) Date: Fri, 15 Jun 2007 20:03:10 -0400 Subject: [Fedora-directory-users] Winsync and "New Windows User Sync" and "New Windows Group Sync" Message-ID: Hello all. I sucessfully installed Fedora Directory Server 1.0.4-1.RHEL4 on RHEL4U5. Also PassSync-20060330.msi was installed and configured in the Windows 2003 Domain Controller. SSL connection is working. Password synchronization works if the user exists on both Directories, but new users and groups are not created. I have enabled the "New Windows User Sync" and "New Windows Group Sync" checkboxes, but nothing happens in the logs when I create a new user or group. Debug is enabled in DS and PassSync. 

PassSync log:

06/15/07 19:11:41: There are no entries that match: juancitoperez
06/15/07 19:11:41: Deferring password change for juancitoperez
06/15/07 19:11:41: Backing off for 2048000ms

Directory Server log:

This is when I create a new account in AD

And PassSync:

I don't see any attempt to create the accounts. What could be the problem?

From sphenisciformes at hotmail.com Sat Jun 16 18:17:32 2007
From: sphenisciformes at hotmail.com (Sphenis cidae)
Date: Sat, 16 Jun 2007 18:17:32 +0000
Subject: [Fedora-directory-users] Need Help - FDS 1.0.4 - Admin Console - Details Inside - Thanks

After some tests, I discovered that the problem occurs after I turned on ldap authentication. Maybe I have to populate the ldap before I turn on authentication. I'll go learn some more. The long path of a newbie...

> I have fedora directory server 1.0.4 running and I can access it from a windows workstation using softerra ldap
> administrator, but when I try using the fedora admin console from the server I get the following error:
> "cannot logon because of an incorrect User ID, Incorrect password or Directory problem.
> java.io.InterruptedIOException: HTTP response timeout"
> In /opt/fedora-ds/admin-serv/logs/error I have:
> child pid 2768 exit signal segmentation fault (11)
> child pid 2769 exit signal segmentation fault (11)
> ...
> child pid 3360 exit signal segmentation fault (11)
> I'm asking for a big help here. I'm just a newbie trying very hard to learn.
> Thanks, and I hope someday I'll be able to help you too.

From kekkou.a at cs.ucy.ac.cy Mon Jun 18 08:41:49 2007
From: kekkou.a at cs.ucy.ac.cy (Andreas Kekkou)
Date: Mon, 18 Jun 2007 11:41:49 +0300
Subject: [Fedora-directory-users] Installing using yum, admin server & automatic uid
Message-ID: <4676454D.4040105@cs.ucy.ac.cy>

Hi,

We are in the process of migrating our NIS to FDS. We've been experimenting with FDS 1.0.4 for some time now and we managed to sync it with AD and have our *nix clients authenticating using TLS. Last week I installed FDS on Fedora 7 using yum. We have the base server functioning but it seems too hard to maintain it without the admin server. Does anybody know if I can get the admin server using cvs?

And something else, how do we take advantage of automatic uid? I'm creating accounts using Softerra's LDAP Administrator. I've created a custom template and set uid to optional but when I'm trying to create an account I'm getting an error message.

Andreas

From maurizio.marini at cost.it Fri Jun 15 15:53:10 2007
From: maurizio.marini at cost.it (Maurizio Marini)
Date: Fri, 15 Jun 2007 17:53:10 +0200
Subject: [Fedora-directory-users] Centos5 does not install
Message-ID: <200706151753.10197.maurizio.marini@cost.it>

As stated clearly here:
http://www.mail-archive.com/fedora-directory-users at redhat.com/msg02579.html

linux distro should support apache 2.0 not 2.2

m.

From rcritten at redhat.com Mon Jun 18 12:33:17 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 18 Jun 2007 08:33:17 -0400
Subject: [Fedora-directory-users] Centos5 does not install
In-Reply-To: <200706151753.10197.maurizio.marini@cost.it>
References: <200706151753.10197.maurizio.marini@cost.it>
Message-ID: <46767B8D.4030709@redhat.com>

Maurizio Marini wrote:
> As stated clearly here:
> http://www.mail-archive.com/fedora-directory-users at redhat.com/msg02579.html
>
> linux distro should support apache 2.0 not 2.2
>
> m.

I'm not sure what you mean. The e-mail you are referring to discussed the change of Apache versions between Fedora Core 4 and 5. A similar thing happened between RHEL 4 and 5 (though the release numbers are just a coincidence).

The directory server uses the version of Apache that comes by default with the distribution. So in the case of RHEL 4 and Fedora Core 4 this was Apache 2.0.x. For Fedora Core 5+ and RHEL 5 this is Apache 2.2.x.

rob

From rmeggins at redhat.com Mon Jun 18 13:25:22 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 18 Jun 2007 07:25:22 -0600
Subject: [Fedora-directory-users] Installing using yum, admin server & automatic uid
In-Reply-To: <4676454D.4040105@cs.ucy.ac.cy>
References: <4676454D.4040105@cs.ucy.ac.cy>
Message-ID: <467687C2.5010900@redhat.com>

Andreas Kekkou wrote:
> Hi,
>
> We are in the process of migrating our NIS to FDS. We've been
> experimenting with FDS 1.0.4 for some time now and we managed to sync
> it with AD and have our *nix clients authenticating using TLS. Last
> week I installed FDS on Fedora 7 using yum. We have the base server
> functioning but it seems too hard to maintain it without the admin
> server. Does anybody know if I can get the admin server using cvs?

Not yet. We're working on it.

> And something else, how do we take advantage of automatic uid?

You mean the new distributed numeric assignment plugin in Fedora DS 1.1 (that is, the version of fedora-ds-base available via F7 yum)?

> I'm creating accounts using Softerra's LDAP Administrator. I've
> created a custom template and set uid to optional but when I'm trying
> to create an account I'm getting an error message.

What error message? What exactly are you trying to do?

>
> Andreas

From iferreir at personal.com.py Mon Jun 18 15:47:56 2007
From: iferreir at personal.com.py (Ivan Ferreira)
Date: Mon, 18 Jun 2007 11:47:56 -0400
Subject: [Fedora-directory-users] Winsync and "New Windows User Sync" and "New Windows Group Sync"

I found the problem. I was delegating the administration of the replicated OU in Windows 2003. This is not enough to enable "DirSync". The Windows replication Account must have "Replicating Directory Changes" permissions.

Directory Server documentation
========================

During normal operation, all the updates made to entries in the Directory Server that need to be sent to the Windows Server are generated via the changelog. However, when the server is initially configured or after major changes to its content, it is necessary to initiate a re-synchronization process. For re-synchronization, the entire contents of synchronized subtree in the Directory Server is examined and, if necessary, sent to the Windows Server. This is done without using the changelog.

Inbound changes, that is changes to entries in the Windows Server, are found by using Active Directory's `Dirsync' search feature. Because there is no changelog to use, it is necessary to issue the Dirsync search periodically. The default interval is five minutes.

Microsoft documentation
==================

Although the DirSync control is powerful and efficient, it has two limitations. The first limitation is that the control must run by using a user account that has the Replicating Directory Changes permission on the domain naming context. By default, the Administrator user account has this permission. However, we do not recommend that you use the Administrator account to run your DirSync control program. Instead, we recommend that the Replicating Directory Changes permission be granted to a typical user account or group. Therefore, you can configure permissions that are specific and limited to the DirSync control program.

http://support.microsoft.com/?scid=kb%3Ben-us%3B891995&x=16&y=16
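
The symptom reported in this thread before the missing "Replicating Directory Changes" permission was found (PassSync deferring password changes for accounts that Directory Server had never received) can be confirmed by correlating the PassSync log with the Directory Server access log. The following is an added example, not part of the original messages or of Fedora DS; the function names are hypothetical and the sample log lines are constructed in the formats used by the two logs in the report.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the PassSync log format (not taken from a real system).
PASSSYNC_LOG = """\
06/15/07 10:00:00: Password list has 1 entries
06/15/07 10:00:00: Attempting to sync password for newuser
06/15/07 10:00:00: Searching for (ntuserdomainid=newuser)
06/15/07 10:00:00: There are no entries that match: newuser
06/15/07 10:00:00: Deferring password change for newuser
06/15/07 10:00:00: Backing off for 4000ms
06/15/07 10:00:04: Backoff time expired. Attempting sync
06/15/07 10:00:04: Attempting to sync password for newuser
06/15/07 10:00:04: Searching for (ntuserdomainid=newuser)
06/15/07 10:00:04: There are no entries that match: newuser
06/15/07 10:00:04: Deferring password change for newuser
06/15/07 10:00:04: Backing off for 8000ms
"""

# Constructed sample in the Directory Server access log format.
ACCESS_LOG = """\
[15/Jun/2007:10:00:00 -0400] conn=29 fd=73 slot=73 SSL connection from 192.0.2.10 to 192.0.2.1
[15/Jun/2007:10:00:00 -0400] conn=29 op=0 BIND dn="cn=sync manager,cn=config" method=128 version=2
[15/Jun/2007:10:00:00 -0400] conn=29 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=sync manager,cn=config"
[15/Jun/2007:10:00:00 -0400] conn=29 op=1 SRCH base="ou=sso,dc=example,dc=com" scope=2 filter="(ntUserDomainId=newuser)" attrs=ALL
[15/Jun/2007:10:00:00 -0400] conn=29 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[15/Jun/2007:10:00:00 -0400] conn=29 op=2 UNBIND
[15/Jun/2007:10:00:04 -0400] conn=30 op=1 SRCH base="ou=sso,dc=example,dc=com" scope=2 filter="(ntUserDomainId=newuser)" attrs=ALL
[15/Jun/2007:10:00:04 -0400] conn=30 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[15/Jun/2007:10:00:05 -0400] conn=31 op=1 SRCH base="ou=sso,dc=example,dc=com" scope=2 filter="(ntUserDomainId=olduser)" attrs=ALL
[15/Jun/2007:10:00:05 -0400] conn=31 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

NO_MATCH = re.compile(r"There are no entries that match: (\S+)")
BACKOFF = re.compile(r"Backing off for (\d+)ms")
SRCH = re.compile(
    r'conn=(\d+) op=(\d+) SRCH base="([^"]*)".*filter="\(ntUserDomainId=([^)]+)\)"',
    re.IGNORECASE,
)
RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+) .*nentries=(\d+)")


def deferred_users(passsync_text):
    """Return ({user: failed lookups}, largest backoff in ms) from a PassSync log."""
    misses = Counter()
    max_backoff = 0
    for line in passsync_text.splitlines():
        m = NO_MATCH.search(line)
        if m:
            misses[m.group(1).lower()] += 1
            continue
        m = BACKOFF.search(line)
        if m:
            max_backoff = max(max_backoff, int(m.group(1)))
    return dict(misses), max_backoff


def sync_lookups(access_text):
    """Pair each ntUserDomainId SRCH with its RESULT through the (conn, op) key."""
    pending = {}
    lookups = defaultdict(list)
    for line in access_text.splitlines():
        m = SRCH.search(line)
        if m:
            conn, op, base, user = m.groups()
            pending[(conn, op)] = (user.lower(), base)
            continue
        m = RESULT.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            user, base = pending.pop((m.group(1), m.group(2)))
            lookups[user].append((base, int(m.group(3)), int(m.group(4))))
    return dict(lookups)


def missing_in_directory(passsync_text, access_text):
    """Users PassSync keeps deferring and the directory never found under the search base."""
    misses, _ = deferred_users(passsync_text)
    lookups = sync_lookups(access_text)
    report = []
    for user in sorted(misses):
        results = lookups.get(user, [])
        # err=0 with nentries=0: the search itself succeeded, the entry is simply absent.
        if results and all(err == 0 and n == 0 for _, err, n in results):
            report.append((user, misses[user], results[0][0]))
    return report


if __name__ == "__main__":
    for user, attempts, base in missing_in_directory(PASSSYNC_LOG, ACCESS_LOG):
        print(f"{user}: {attempts} deferred attempts, not present under {base}")
```

Accounts that appear in this report exist on the Windows side but were never created in the synchronized subtree, which points at the inbound DirSync search rather than at PassSync itself.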
From mjdshop at earthlink.net Mon Jun 18 18:44:38 2007
From: mjdshop at earthlink.net (MJD Shop Account)
Date: Mon, 18 Jun 2007 14:44:38 -0400 (GMT-04:00)
Subject: [Fedora-directory-users] root certificate for use with startconsole
Message-ID: <15058608.1182192278183.JavaMail.root@elwamui-milano.atl.sa.earthlink.net>

How can I import the root certificate into my keystore used for startconsole? I would like to put it into my ~/.fedora-console/*db files. I'm assuming if I do so, that I won't need to accept new certificates that were issued by that root authority (they'll be automatically trusted).

I would like to do this under both Linux and Windows. If I need to use the utilities under Linux, should I be able to copy the resulting *db files to my Windows machine for use with the java console there? Or would the format be wrong?

Thanks,
MJD

From rmeggins at redhat.com Mon Jun 18 18:54:28 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 18 Jun 2007 12:54:28 -0600
Subject: [Fedora-directory-users] root certificate for use with startconsole
In-Reply-To: <15058608.1182192278183.JavaMail.root@elwamui-milano.atl.sa.earthlink.net>
References: <15058608.1182192278183.JavaMail.root@elwamui-milano.atl.sa.earthlink.net>
Message-ID: <4676D4E4.9060807@redhat.com>

MJD Shop Account wrote:
> How can I import the root certificate into my keystore used for startconsole? I would like to put it into my ~/.fedora-console/*db files. I'm assuming if I do so, that I won't need to accept new certificates that were issued by that root authority (they'll be automatically trusted).
>
You should be able to use the certutil program, with a -d ~/.fedora-console argument, and no -P argument. See http://directory.fedoraproject.org/wiki/Howto:SSL#Import_the_CA_cert_into_another_Fedora_DS
> I would like to do this under both Linux and Windows. If I need to use the utilities under Linux, should I be able to copy the resulting *db files to my Windows machine for use with the java console there? Or would the format be wrong?
>
The format is supposed to be platform and architecture independent. So you should be able to just copy them to Windows. Make sure you set binmode on in your Windows file transfer utilities so it won't try to convert \n to \r\n when copying the files to Windows.
> Thanks,
> MJD

From mjdshop at earthlink.net Mon Jun 18 19:51:00 2007
From: mjdshop at earthlink.net (MJD Shop Account)
Date: Mon, 18 Jun 2007 15:51:00 -0400 (EDT)
Subject: [Fedora-directory-users] admin server ssl setup
Message-ID: <14058855.1182196260692.JavaMail.root@elwamui-milano.atl.sa.earthlink.net>

I'm trying to set up the admin console to be accessible w/ SSL (https). I have the right certificates set up and the main FDS is SSL enabled. I'm running FDS 1.0.4.

I usually get a problem when I open up the admin console, click on the Configuration tab, click on the Encryption tab in that window, then try to check the enable ssl box. It gives me some error and doesn't save it.

I had an idea which I tried and I think it worked (or it was just coincidence). Instead of clicking on the Configuration tab, I clicked the 'Configure Admin Server' task in the Task tab. This opened a separate configuration window which otherwise looks the same as before. But, this time I was successful in saving the change.

I still had a problem with the NSSNickname being set to 'blank' in the console.conf file (under /opt/fedora-ds/admin-serv/config); I edited that manually.
This seems to happen if you try and fail to save the SSL changes, after that the certificate list always comes up empty. And I also manually edit nss.conf to point to a file for the certificate-store PIN for automatic startup.

So, should the two methods of opening the configuration window have different effects?

Thanks,
MJD

From mjdshop at earthlink.net Mon Jun 18 22:10:50 2007
From: mjdshop at earthlink.net (MJD Shop Account)
Date: Mon, 18 Jun 2007 18:10:50 -0400 (EDT)
Subject: [Fedora-directory-users] problems w/ admin server, local.conf
Message-ID: <22851509.1182204650525.JavaMail.root@elwamui-milano.atl.sa.earthlink.net>

I've set up a few FDS 1.0.4 servers now and have problems every time getting certain things right with the admin server. I run into problems using either the console or just ldif file (which I prefer, for scripting). Here's the typical problem: when I try to set nsAdminAccessHosts, I use an ldif file. I can see the new value is set in the operational attributes, but it doesn't always make it into /opt/fedora-ds/admin-server/config/local.conf. The admin server logs indicate it is using the old values.

I looked at file permissions, on one server I had owner:group as ldap:root, another has root:root, a third had ldap:ldap. That one was not getting updated, I changed it to root:root and restarted things and that seemed to update local.conf.

Now I'm building a new server and it's not updating. I get this error in the admin server error log:
[warn] Unable to bind as LocalAdmin to populate LocalAdmin tasks into cache.

This was similar to the server I fixed, but I already have root:root permissions on that file.

I went and looked at the server that originally had root:root, and while it has been functioning OK, it too doesn't have the correctly updated values for nsAdminAccessHosts in local.conf and shows the same error in its logs from awhile back (March). So, I tried, for a test, setting the owner:group to ldap:root.
When I did this and restarted admin server, I got this error:
[error] server reached MaxClients setting, consider raising the MaxClients setting

This on a server that should not have anyone connected to the admin server...

So I set it back to root:root and had neither error on restarting (but the attribute value is still wrong). On all servers, there is an httpd process under ldap user id and two under root user id (one of the two root processes is the parent to the other root and to the ldap process).

Sometime ago I tried to find out what triggers the re-writing of local.conf, as Richard said it was best to use the console for updating these values, where some magic makes it do that. Richard suggested looking in the logs to see what was happening, but I found no clues there. If anyone has one...

Maybe the permissions need to match the method; would it be different running a root script at the command prompt vs. using the java console from a windows machine and connecting as the cn=dirmgr user?

Thanks,
MJD

From rmeggins at redhat.com Mon Jun 18 22:23:54 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 18 Jun 2007 16:23:54 -0600
Subject: [Fedora-directory-users] problems w/ admin server, local.conf
In-Reply-To: <22851509.1182204650525.JavaMail.root@elwamui-milano.atl.sa.earthlink.net>
References: <22851509.1182204650525.JavaMail.root@elwamui-milano.atl.sa.earthlink.net>
Message-ID: <467705FA.3040402@redhat.com>

MJD Shop Account wrote:
> I've set up a few FDS 1.0.4 servers now and have problems every time getting certain things right with the admin server. I run into problems using either the console or just ldif file (which I prefer, for scripting). Here's the typical problem: when I try to set nsAdminAccessHosts, I use an ldif file. I can see the new value is set in the operational attributes, but it doesn't always make it into /opt/fedora-ds/admin-server/config/local.conf. The admin server logs indicate it is using the old values.
>
If you modify settings yourself in the configuration DS via LDAP, you will have to tell Admin Server to refresh its configuration. The console does this when you change admin server parameters. It uses the special url path "/Commands/sync-task-sie-data". You must authenticate to http first because it uses those credentials to bind to the directory server to read the new configuration. This is how local.conf is updated with the information from the config ds.

http://directory.fedoraproject.org/wiki/AdminServer#Admin_Server_Config_Files gives an overview of the various Admin Server config files. One thing it doesn't say is what the ownership should be.

admin-serv/config - directory - should be owned by the admin server uid and should be mode 0700.
adm.conf - must be owned by the admin server uid (default nobody) and mode 0600
admpw - must be owned by the admin server uid (default nobody) and mode 0600
local.conf - must be owned by the admin server uid (default nobody) and mode 0600
console.conf - must be owned by the admin server uid (default nobody) and mode 0600
All other files can be owned by root and be read only.

From kekkou.a at cs.ucy.ac.cy Tue Jun 19 07:03:34 2007
From: kekkou.a at cs.ucy.ac.cy (Andreas Kekkou)
Date: Tue, 19 Jun 2007 10:03:34 +0300
Subject: [Fedora-directory-users] Installing using yum, admin server & automatic uid
In-Reply-To: <467687C2.5010900@redhat.com>
References: <4676454D.4040105@cs.ucy.ac.cy> <467687C2.5010900@redhat.com>
Message-ID: <46777FC6.5010601@cs.ucy.ac.cy>

What I'm trying to do is to create users (object class posixAccount) and not have to provide uid manually. I'm not sure how I can achieve this since uid is a mandatory attribute for posixAccount.
In FDS's website, under Recent News it is mentioned that Fedora DS gets posix/unix automatic uid generation (02/08/2007). If this is called distributed numeric assignment plugin, then this is the feature I want to use. As I've mentioned already I'm not running admin server so I don't know if this plugin is installed or configured.

Andreas

Richard Megginson wrote:
> Andreas Kekkou wrote:
>> Hi,
>>
>> We are in the process of migrating our NIS to FDS. We've been
>> experimenting with FDS 1.0.4 for some time now and we managed to sync
>> it with AD and have our *nix clients authenticating using TLS. Last
>> week I installed FDS on Fedora 7 using yum. We have the base server
>> functioning but it seems too hard to maintain it without the admin
>> server. Does anybody knows if I can get the admin server using cvs?
> Not yet. We're working on it.
>> And something else, how we take advantage of automatic uid?
> You mean the new distributed numeric assignment plugin in Fedora DS
> 1.1 (that is, the version of fedora-ds-base available via F7 yum)?
>> I'm creating accounts using Softerra's LDAP Administrator. I've
>> created a custom template and set uid to optional but when I'm trying
>> to create an account I getting an error message.
> What error message? What exactly are you trying to do?
>>
>> Andreas

-------------- next part --------------
A non-text attachment was scrubbed...
From ddemarco at seisint.com Wed Jun 20 14:48:52 2007
From: ddemarco at seisint.com (Dennis De Marco)
Date: Wed, 20 Jun 2007 10:48:52 -0400
Subject: [Fedora-directory-users] problems w/ admin server, local.conf
In-Reply-To: <22851509.1182204650525.JavaMail.root@elwamui-milano.atl.sa.earthlink.net>
References: <22851509.1182204650525.JavaMail.root@elwamui-milano.atl.sa.earthlink.net>
Message-ID: <1182350932.25029.15.camel@linux-2pdo.site>

I've had other issues with SSL and the admin server, these seem to stick me the most. These seem to happen with the ssl shell scripts, or by hand.

When clicking on 'Manage Certificates' under the task menu for Fedora Admin server you get an error that the cert8.db could not be found.

The fix is:

# cd /opt/fedora-ds/alias
# ../shared/bin/certutil -N -d . -P admin-serv-[LDAPINSTANCE]-

Also when installing a certificate, then going to configure and manage encryption. Selecting using SSL and RSA will give me a PSET error.

Then the certificate will not be listed in the drop down box. By clicking various checkboxes on and off it will stick with a blank certificate.

You need to make sure that the NSSNickName is set with your server-cert in /opt/fedora-ds/admin/admin-serv/config. If not the error log will say something with 'blank' certificate.

Also, double verify the nsSSLPersonalitySSL: attribute is not blank at

# RSA, encryption, config
dn: cn=RSA,cn=encryption,cn=config
nsSSLToken: internal (software)
nsSSLPersonalitySSL: server-cert
nsSSLActivation: on
objectClass: top
objectClass: nsEncryptionModule
cn: RSA

- Dennis

From ddemarco at seisint.com Wed Jun 20 17:04:36 2007
From: ddemarco at seisint.com (Dennis De Marco)
Date: Wed, 20 Jun 2007 13:04:36 -0400
Subject: [Fedora-directory-users] Replication over SSL with simpleauthentication
In-Reply-To: <3525C9833C09ED418C6FD6CD9514668C01C832C4@emailwf1.jnpr.net>
References: <3525C9833C09ED418C6FD6CD9514668C01C832C4@emailwf1.jnpr.net>
Message-ID: <1182359076.25029.19.camel@linux-2pdo.site>

I've had this issue using subjectAltName in my certificates to load balance behind a VIP. I turned off the checkbox 'verify hostname in SSL certificate on outgoing connections'

I am not sure why this is happening, but I do not have any other certificate problems with ldapsearch, nor authentication.

- Dennis

On Fri, 2007-06-15 at 14:47 -0400, Reinhard Nappert wrote:
> Hi,
>
> I SSL-enabled two Directory Servers and I can access them over LDAPS
> using ldapsearch and other clients. I enabled both servers with the
> steps from the setupssl script. However, when I to set replication up,
> I get:
>
> [15/Jun/2007:13:32:56 -0400] conn=6057 op=-1 fd=69 closed - SSL peer
> cannot verify your certificate.
>
> I did import the CA cert (self-signed) to the other server, both
> ways, since I want to have multi-mastering.
>
> By the way, I checked the serial numbers of the certs and they are not
> identical.
>
> Does anyone have an idea why the replication fails.
>
> Thanks,
> -Reinhard

From aaron.cline at gmail.com Wed Jun 20 17:20:43 2007
From: aaron.cline at gmail.com (Aaron Cline)
Date: Wed, 20 Jun 2007 13:20:43 -0400
Subject: [Fedora-directory-users] Constraint Violation at Logon
Message-ID: <2f8a29cb0706201020m13bc9fdmc530603b0b4b3767@mail.gmail.com>

Hello:

I've emailed this to the list before but I didn't get an answer so I'm bringing this up again with a little bit more information.

This problem seems to happen sporadically. I'm using Fedora DS 1.0.3 on the server. My client system in this case is a RHEL 3 WS box. When the user tries to login, the system will not accept his password. This doesn't happen all the time though and I haven't yet figured out how to "make" it happen.

Here are the log messages on the client:

Jun 20 17:12:57 low-tcw-104 sshd[14328]: pam_ldap: error trying to bind as user "uid=fallonma,ou=ISG,ou=Lowell,ou=People,dc=pii-dmz,dc=ext" (Constraint violation)

I found some messages on the server side in the "errors" file that coincide with this user but the login attempt happens about 12 minutes after the error messages.
The error messages on the server are:

[20/Jun/2007:17:00:07 +0000] NSMMReplicationPlugin - agmt="cn=PII-DMZ TechOps" (low-mgt-100:389): windows_replay_update: failed to fetch local entry for modify operation dn="uid=fallonma,ou=isg,ou=lowell,ou=people,dc=pii-dmz,dc=ext"
[20/Jun/2007:17:00:07 +0000] NSMMReplicationPlugin - agmt="cn=PII-DMZ IVRS" (low-mgt-100:389): windows_replay_update: failed to fetch local entry for modify operation dn="uid=fallonma,ou=isg,ou=lowell,ou=people,dc=pii-dmz,dc=ext"
[20/Jun/2007:17:00:13 +0000] NSMMReplicationPlugin - agmt="cn=PII-DMZ IVRS" (low-mgt-100:389): windows_replay_update: failed to fetch local entry for modify operation dn="uid=fallonma,ou=isg,ou=lowell,ou=people,dc=pii-dmz,dc=ext"
[20/Jun/2007:17:00:13 +0000] NSMMReplicationPlugin - agmt="cn=PII-DMZ TechOps" (low-mgt-100:389): windows_replay_update: failed to fetch local entry for modify operation dn="uid=fallonma,ou=isg,ou=lowell,ou=people,dc=pii-dmz,dc=ext"
[20/Jun/2007:17:00:22 +0000] NSMMReplicationPlugin - agmt="cn=PII-DMZ IVRS" (low-mgt-100:389): windows_replay_update: failed to fetch local entry for modify operation dn="uid=fallonma,ou=isg,ou=lowell,ou=people,dc=pii-dmz,dc=ext"
[20/Jun/2007:17:00:22 +0000] NSMMReplicationPlugin - agmt="cn=PII-DMZ TechOps" (low-mgt-100:389): windows_replay_update: failed to fetch local entry for modify operation dn="uid=fallonma,ou=isg,ou=lowell,ou=people,dc=pii-dmz,dc=ext"

Is access to this user's information somehow locked at this point? Is the replication doing something to the account?

Thanks for any info.

Aaron

From mjdshop at earthlink.net Wed Jun 20 18:15:06 2007
From: mjdshop at earthlink.net (MJD Shop Account)
Date: Wed, 20 Jun 2007 14:15:06 -0400 (GMT-04:00)
Subject: [Fedora-directory-users] root certificate for use with startconsole
Message-ID: <13155947.1182363306688.JavaMail.root@elwamui-cypress.atl.sa.earthlink.net>

This worked great, thanks.
I was able to copy and use the db files under Windows with no problem.

From mjdshop at earthlink.net Wed Jun 20 18:21:51 2007
From: mjdshop at earthlink.net (MJD Shop Account)
Date: Wed, 20 Jun 2007 14:21:51 -0400 (GMT-04:00)
Subject: [Fedora-directory-users] problems w/ admin server, local.conf
Message-ID: <16509192.1182363711505.JavaMail.root@elwamui-cypress.atl.sa.earthlink.net>

I've seen the same issues, except I don't think I've gotten the error about using the cert8.db; but generally I'm using the same *db files as for the DS itself, so I copy and rename them.

The PSET error I see all the time. It's one reason I'm hoping to script this setup. Even when it seems to be working (as it is now), I notice things like the config operational attribute for the cert nsSSLPersonalitySSL says 'blank', while the http config files have the right value.
From rnappert at juniper.net Thu Jun 21 15:24:21 2007
From: rnappert at juniper.net (Reinhard Nappert)
Date: Thu, 21 Jun 2007 11:24:21 -0400
Subject: [Fedora-directory-users] Replication over SSL withsimpleauthentication
In-Reply-To: <1182359076.25029.19.camel@linux-2pdo.site>
References: <3525C9833C09ED418C6FD6CD9514668C01C832C4@emailwf1.jnpr.net> <1182359076.25029.19.camel@linux-2pdo.site>
Message-ID: <3525C9833C09ED418C6FD6CD9514668C01D2B417@emailwf1.jnpr.net>

I actually set "nsslapd-ssl-check-hostname" to "off" in the cn=config object!

-Reinhard

From myacc at roundbox.com Thu Jun 21 21:00:49 2007
From: myacc at roundbox.com (FDS User)
Date: Thu, 21 Jun 2007 17:00:49 -0400
Subject: [Fedora-directory-users] FreeRadius schema for Fedora Directory Server
Message-ID: <467AE701.6020709@roundbox.com>

Is there some schema files that comes with fedora directory server to integrate with FreeRadius?
If not can someone point me to the schema files that can used?

Thanks in advance.

From koippa at gmail.com Fri Jun 22 08:10:17 2007
From: koippa at gmail.com (Kimmo Koivisto)
Date: Fri, 22 Jun 2007 11:10:17 +0300
Subject: [Fedora-directory-users] FreeRadius schema for Fedora Directory Server
In-Reply-To: <467AE701.6020709@roundbox.com>
References: <467AE701.6020709@roundbox.com>
Message-ID: <200706221110.17757.koippa@gmail.com>

FDS User wrote:
> Is there some schema files that comes with fedora directory server to
> integrate with FreeRadius?
> If not can someone point me to the schema files that can used?

Maybe this helps:
http://www.redhat.com/archives/fedora-directory-users/2005-December/msg00431.html

Regards,
Kimmo Koivisto

From sean.everson at netronome.com Fri Jun 22 21:30:29 2007
From: sean.everson at netronome.com (Sean Everson)
Date: Fri, 22 Jun 2007 17:30:29 -0400
Subject: [Fedora-directory-users] PassSync and PAM Question
Message-ID: <002701c7b514$917e10c0$7b03a8c0@severson>

All,

I have successfully set up FDS1.04 on Centos4.4, with passSync-20060330.msi on Windows 2003 Server by following the directions in the docs + howtos. All traffic is running successfully over SSL in both directions.

I am able to change my password on windows and login on Linux successfully. I am able to change my password on Linux via ldappasswd or via the Directory Console successfully. However, when I try to change my password via the standard passwd command on a linux client the update causes an endless loop of replication attempts. It would appear that the passwd command is using crypt to store the password in the directory.

My questions are:

1) Is my understanding correct, that in order for passSync to work the password encryption policy on the subtree used in the sync agreement has to be set to "No encryption - CLEAR" Are there any other settings that would work?

2) I have experimented with "pam_password exo" and "pam_password clear" in /etc/ldap.conf, but crypt seems to be used regardless of the settings in this file for hashing the password locally before sending it to the directory server. This causes an endless replication loop. Does anyone have an example of an ldap.conf file that works with passSync and allows the standard passwd command to work for password changes?

Thanks!

--Sean

Sean Everson
IT Manager
Netronome Systems, Inc.
sean.everson at netronome.com From sphenisciformes at hotmail.com Fri Jun 22 23:47:48 2007 From: sphenisciformes at hotmail.com (Sphenis cidae) Date: Fri, 22 Jun 2007 23:47:48 +0000 Subject: [Fedora-directory-users] Need Help - FDS 1.0.4 - Admin Console - Details Inside - Thanks Message-ID: I really need some help here. Fedora directory server works. The ldap directory is working, I can even authenticate the users at login using ldap authentication. I've imported groups and users and created new users. Everything seems nice. When I turn LDAP authentication and support on (tried in fedora7) the admin console stops working. "cannot logon because of an incorrect User ID, Incorrect password or Directory problem. java.io.InterruptedIOException: HTTP response timeout" In /opt/fedora-ds/admin-serv/logs/error i have: child pid 2768 exit signal segmentation fault (11) child pid 2769 exit signal segmentation fault (11) ... child pid 3360 exit signal segmentation fault (11) I know everyone has their own problems, and I seem to implore for some help, but hey, prove that you deserve to receive a guru title, at least from me :) just kidding. I know you're not Gandhi, so i just appeal to your community spirit. Thanks. >I have fedora directory server 1.0.4 running and I can access it from a windows workstation using softerra ldap >administrator, but when i try using the fedora admin console from the server i get the following error: >"cannot logon because of an incorrect User ID, Incorrect password or Directory problem. >java.io.InterruptedIOException: HTTP response timeout" >In /opt/fedora-ds/admin-serv/logs/error i have: >child pid 2768 exit signal segmentation fault (11) >child pid 2769 exit signal segmentation fault (11) >... >child pid 3360 exit signal segmentation fault (11) >I'm asking for a big help here. I'm just a newbie trying very hard to learn. >Thanks, and I hope someday I'll be able to help you too.
-------------- next part -------------- An HTML attachment was scrubbed... URL: From tfar at smc.co.nz Sun Jun 24 04:32:09 2007 From: tfar at smc.co.nz (Anthony M. Farrell) Date: Sun, 24 Jun 2007 16:32:09 +1200 Subject: [Fedora-directory-users] [crit] host_ip_init(): PSET failure: Failed to create PSET handle (pset error = ) Message-ID: <200706241632.10046.tfar@smc.co.nz> fedora core 6 - 2.6.20-1.2933.fc6 fedora-ds-1.0.4-1.FC6 httpd-2.2.4-2.fc6 I installed the directory server as a typical install with owner and group set to root. Directory server starts OK Admin server will not start. Output of 'admin-serv/logs/error ' shows above subject error. Output of /tmp file3SRK6D: Syntax error on line 35 of /opt/fedora-ds/admin-serv/config/console.conf: Error:\tApache has not been designed to serve pages while\n\trunning as root. There are known race conditions that\n\twill allow any local user to read any file on the system.\n\tIf you still desire to serve pages as root then\n\tadd -DBIG_SECURITY_HOLE to the CFLAGS env variable\n\tand then rebuild the server.\n\tIt is strongly suggested that you instead modify the User\n\tdirective in your httpd.conf file to list a non-root\n\tuser.\n Changing the console.conf user and group to apache does not make any difference.
Output of ls -l admin-serv/config: -rw------- 1 root root 337 Jun 24 13:17 adm.conf -rw------- 1 root root 39 Jun 24 13:17 admpw -rw------- 1 root root 4588 Jun 24 13:17 admserv.conf -rw------- 1 root root 1324 Jun 24 13:17 admserv.conf.rej -rw------- 1 root root 3726 Jun 24 15:54 console.conf -rw------- 1 root root 30468 Jun 24 15:38 httpd.conf -rw------- 1 root root 2048 Jun 24 13:17 httpd.conf.rej -rw-r--r-- 1 root root 19707 Jun 24 13:17 local.conf -rw------- 1 root root 4573 Jun 24 13:17 nss.conf I have installed on two separate servers with latest fc6 and have the same problem on both boxes. I would appreciate any ideas from list members as to how to resolve this problem. From rmeggins at redhat.com Mon Jun 25 12:28:31 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 25 Jun 2007 06:28:31 -0600 Subject: [Fedora-directory-users] [crit] host_ip_init(): PSET failure: Failed to create PSET handle (pset error = ) In-Reply-To: <200706241632.10046.tfar@smc.co.nz> References: <200706241632.10046.tfar@smc.co.nz> Message-ID: <467FB4EF.8000301@redhat.com> Anthony M. Farrell wrote: > fedora core 6 - 2.6.20-1.2933.fc6 > fedora-ds-1.0.4-1.FC6 > httpd-2.2.4-2.fc6 > > I installed the directory server as a typical install with owner and group set > to root. > > Directory server starts OK > > Admin server will not start. > > Output of 'admin-serv/logs/error ' shows above subject error. > > Output of /tmp file3SRK6D: > Syntax error on line 35 of /opt/fedora-ds/admin-serv/config/console.conf: > Error:\tApache has not been designed to serve pages while\n\trunning as root. 
> There are known race conditions that\n\twill allow any local user to read any > file on the system.\n\tIf you still desire to serve pages as root > then\n\tadd -DBIG_SECURITY_HOLE to the CFLAGS env variable\n\tand then > rebuild the server.\n\tIt is strongly suggested that you instead modify the > User\n\tdirective in your httpd.conf file to list a non-root\n\tuser.\n > This error message is telling you that Apache will not run as root. You must change your User in admin-serv/config/console.conf to a non-root user, preferably the same user as you run your directory server as (if that is also root, I strongly encourage you to use a non-root user). If you're not very far along, I suggest starting over from scratch, and re-installing using a non-root user for both the Directory and Admin servers. > Changing the console.conf user and group to apache does not make any > difference. > > Output of ls -l admin-serv/config: > -rw------- 1 root root 337 Jun 24 13:17 adm.conf > -rw------- 1 root root 39 Jun 24 13:17 admpw > -rw------- 1 root root 4588 Jun 24 13:17 admserv.conf > -rw------- 1 root root 1324 Jun 24 13:17 admserv.conf.rej > -rw------- 1 root root 3726 Jun 24 15:54 console.conf > -rw------- 1 root root 30468 Jun 24 15:38 httpd.conf > -rw------- 1 root root 2048 Jun 24 13:17 httpd.conf.rej > -rw-r--r-- 1 root root 19707 Jun 24 13:17 local.conf > -rw------- 1 root root 4573 Jun 24 13:17 nss.conf > > I have installed on two separate servers with latest fc6 and have the same > problem on both boxes. > > I would appreciate any ideas from list members as to how to resolve this > problem. > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
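Richard Megginson's reply above says to set User in admin-serv/config/console.conf to a non-root account. The following is an added example, not code from the thread or from the Fedora DS project: it reads the effective User directive of Apache-style config files and flags uid 0. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: report which account an Apache-style
# config (e.g. admin-serv/config/console.conf) tells the server to run as.

# effective_directive FILE NAME
# Print the argument of the last uncommented NAME directive in FILE.
# Directive names are matched case-insensitively; surrounding quotes are dropped.
effective_directive() {
    awk -v want="$2" '
        /^[[:space:]]*#/ { next }                    # whole-line comment
        tolower($1) == tolower(want) { val = $2 }    # later lines override earlier
        END { gsub(/"/, "", val); if (val != "") print val }
    ' "$1"
}

# resolve_uid VALUE
# Apache accepts an account name or "#<number>". Print the numeric uid, or
# print nothing and fail when the name does not exist on this host.
resolve_uid() {
    case "$1" in
        '#'*) printf '%s\n' "${1#?}" ;;
        *)    id -u "$1" 2>/dev/null ;;
    esac
}

# audit_run_as FILE
# Exit status: 0 = non-root account, 1 = root (uid 0),
#              2 = no User directive, or the account cannot be resolved.
audit_run_as() {
    user=$(effective_directive "$1" User) || user=""
    if [ -z "$user" ]; then
        echo "$1: no User directive found"
        return 2
    fi
    uid=$(resolve_uid "$user") || uid=""
    case "$uid" in
        ''|*[!0-9]*)
            echo "$1: User $user does not resolve to a uid on this host"
            return 2 ;;
    esac
    if [ "$uid" -eq 0 ]; then
        echo "$1: User $user is uid 0; set a dedicated non-root account"
        return 1
    fi
    echo "$1: User $user (uid $uid) is non-root"
    return 0
}

# audit_config_dir DIR
# Audit every *.conf in DIR that carries a User directive and return the
# worst status seen (1 beats 2 beats 0), so one root-run file fails the lot.
audit_config_dir() {
    worst=0
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        [ -n "$(effective_directive "$f" User)" ] || continue
        rc=0
        audit_run_as "$f" || rc=$?
        case "$rc" in
            1) worst=1 ;;
            2) [ "$worst" -eq 1 ] || worst=2 ;;
        esac
    done
    return "$worst"
}

# Constructed sample: a commented-out safe value followed by an active uid 0.
demo=$(mktemp -d)
printf '%s\n' '# User nobody' 'User #0' 'Group #0' > "$demo/console.conf"
audit_config_dir "$demo" || echo "audit status: $?"
rm -rf "$demo"
```

Run `audit_config_dir` against the real config directory after editing the User directive, and again after any reinstall.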
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Mon Jun 25 12:37:52 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 25 Jun 2007 06:37:52 -0600 Subject: [Fedora-directory-users] Need Help - FDS 1.0.4 - Admin Console - Details Inside - Thanks In-Reply-To: References: Message-ID: <467FB720.6010106@redhat.com> Sphenis cidae wrote: > I really need some help here. > > Fedora directory server works. The ldap directory is working, I can > even authenticate the users at login using ldap authentication. I've > imported groups and users and created new users. Everything seems nice. > > When I turn LDAP authentication and support on (tried in fedora7) the > admin console stops working. > > "cannot logon because of an incorrect User ID, Incorrect password or > Directory problem. java.io.InterruptedIOException: HTTP response timeout" > > In /opt/fedora-ds/admin-serv/logs/error i have: > child pid 2768 exit signal segmentation fault (11) > child pid 2769 exit signal segmentation fault (11) > ... > child pid 3360 exit signal segmentation fault (11) > > I know everyone have their own problems, and I seem to implore for > some help, but hey, prove that you deserve to receive a guru title, at > least from me :) just kidding. I know you're not ghandi, so i just > appeal to your comunity spirit. Thanks. I think this is being caused by a conflict between the Mozilla LDAP libraries used by the Admin Server and the OpenLDAP libraries used by the OS for nss_ldap/pam_ldap. These two libraries both implement the client side of LDAP, but they are not binary compatible. When the Admin Server starts, we force it to load mozldap first, because the Admin Server must use mozldap in order for the console and other admin server features to work. This causes those symbols like ldap_get_option(), ldap_sasl_bind(), etc. to be defined in the process. 
However, if using LDAP in the OS, if Apache needs to call nss_ldap, the nss_ldap libs will have been compiled against OpenLDAP, and will call those functions, but it will be using the mozldap version of those functions, and will fail in strange ways, usually by seg. fault. I don't know of an easy way to resolve this problem, unless it is possible on a per-process basis to disable nss_ldap. > > >I have fedora directory server 1.0.4 running and I can access > it from a windows workstation using softerra ldap > >administrator, but when i try using the fedora admi console > from the server i get the following error: > > >"cannot logon because of an incorrect User ID, Incorrect > password or Directory problem. > >java.io.InterruptedIOException: HTTP response timeout" > > >In /opt/fedora-ds/admin-serv/logs/error i have: > >child pid 2768 exit signal segmentation fault (11) > >child pid 2769 exit signal segmentation fault (11) > >... > >child pid 3360 exit signal segmentation fault (11) > > >I'm asking for a big help here. I'm just a newbie trying very > hard to learn. > >Thanks, and I hope someday I'll be able to help you too. > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed...
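Richard Megginson's explanation above attributes the segfaults to the Mozilla LDAP and OpenLDAP client libraries ending up in the same Apache process. The following is an added example, not code from the thread or from the project: it checks a /proc/<pid>/maps listing for that precondition. The mozldap names (libldap60.so, libprldap60.so, libssldap60.so) appear in this archive; the OpenLDAP and nss_ldap file names and the sample map are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: look for both LDAP client libraries
# in one process's memory map (/proc/<pid>/maps format).

# classify_ldap_libs MAPSFILE
# Print "<family> <library>" once per mapped LDAP-related shared object.
# Field 6 of a maps line is the backing file; anonymous mappings have none.
classify_ldap_libs() {
    awk '
        NF >= 6 {
            n = split($6, part, "/"); base = part[n]
            if (base ~ /^lib(pr|ss)?ldap60\.so/)   fam = "mozldap"
            else if (base ~ /^libldap(_r)?[-.]/)   fam = "openldap"
            else if (base ~ /^libnss_ldap/)        fam = "nss_ldap"
            else next
            if (!seen[base]++) print fam, base     # one line per library
        }
    ' "$1"
}

# has_ldap_conflict MAPSFILE
# Succeeds (status 0) when Mozilla LDAP and OpenLDAP client libraries are
# both mapped, which is the precondition for the symbol clash described in
# the message above. It does not prove that a crash came from the clash.
has_ldap_conflict() {
    classify_ldap_libs "$1" | awk '
        $1 == "mozldap"  { moz = 1 }
        $1 == "openldap" { ol = 1 }
        END { exit !(moz && ol) }
    '
}

# Constructed sample map: addresses, inode numbers and the OpenLDAP and
# nss_ldap paths are made up; a real check reads /proc/<pid>/maps of a
# running admin server child instead.
sample=$(mktemp)
cat > "$sample" <<'EOF'
00400000-00452000 r-xp 00000000 08:01 1001 /usr/sbin/httpd
2aaaab000000-2aaaab040000 r-xp 00000000 08:01 2001 /opt/fedora-ds/shared/lib/libldap60.so
2aaaab040000-2aaaab045000 rw-p 00040000 08:01 2001 /opt/fedora-ds/shared/lib/libldap60.so
2aaaac000000-2aaaac030000 r-xp 00000000 08:01 3001 /usr/lib64/libldap-2.3.so.0
2aaaad000000-2aaaad010000 r-xp 00000000 08:01 4001 /lib64/libnss_ldap.so.2
7fff00000000-7fff00021000 rw-p 00000000 00:00 0 [stack]
EOF

if has_ldap_conflict "$sample"; then
    echo "mozldap and OpenLDAP are both mapped in this process:"
    classify_ldap_libs "$sample"
fi
rm -f "$sample"
```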
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From mont.rothstein at gmail.com Mon Jun 25 15:21:40 2007 From: mont.rothstein at gmail.com (Mont Rothstein) Date: Mon, 25 Jun 2007 08:21:40 -0700 Subject: [Fedora-directory-users] Going insane (can't logon from Windows) In-Reply-To: <467a83630706131322h38d0f543o8ef47d326aed5419@mail.gmail.com> References: <467a83630706121230w20221edbj2509f855b946c832@mail.gmail.com> <40a14bc10706121248y656b05b9w2aca4e131e14d586@mail.gmail.com> <467a83630706121350n7827f255n54f973aff4000cb6@mail.gmail.com> <467a83630706131058w6892e38yc1c28dbb284b1cb@mail.gmail.com> <40a14bc10706131236m5ac0f76eob3e3001e9796661c@mail.gmail.com> <467a83630706131322h38d0f543o8ef47d326aed5419@mail.gmail.com> Message-ID: <467a83630706250821o6f74d508pcad7933ecffb7bf@mail.gmail.com> I found the problem. I had "restrict anonymous = 2" in my smb.conf. This causes WinXP logins to fail. I don't know if this is because I am using Fedora Directory Server or just a Samba problem. -Mont On 6/13/07, Mont Rothstein wrote: > > I'll try there, thanks. > > -Mont > > > On 6/13/07, Jérôme Fenal wrote: > > > > 2007/6/13, Mont Rothstein : > > > A little more info on this. > > > > > > Everything I can find says that Windows believes the computer password > > is > > > out of sync. It tries to use the password and fails. Adding and > > removing > > > the computer from the domain (including deleting the account in FDS) > > does > > > not help. Add the computer, reboot, try and login, no dice. > > > > > > Does anyone have any idea what might be happening here? > > > > this does seem to be related directly to the directory server, but > > more to Samba. > > Maybe it will be more relevant to ask your question on samba at samba.org > > https://lists.samba.org/mailman/listinfo/samba > > > > Regards, > > > > J.
> > -- > > Jérôme Fenal - jfenal AT gmail.com - http://fenal.org/ > > Paris.pm - http://paris.mongueurs.net/ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From gene.poole at macys.com Mon Jun 25 16:53:32 2007 From: gene.poole at macys.com (Gene Poole) Date: Mon, 25 Jun 2007 12:53:32 -0400 Subject: [Fedora-directory-users] How Do I? Message-ID: I've just completed a clean install of Fedora 7. How/What should I use to get FDS installed on this new system? Thanks, Gene Poole gene.poole at macys.com From racerx at makeworld.com Mon Jun 25 17:31:53 2007 From: racerx at makeworld.com (Chris) Date: Mon, 25 Jun 2007 12:31:53 -0500 Subject: [Fedora-directory-users] How Do I? In-Reply-To: References: Message-ID: <20070625123153.2939f200@thudpucker.heritageofcare.local> On Mon, 25 Jun 2007 12:53:32 -0400 Gene Poole wrote: > > > I've just completed a clean install of Fedora 7. How/What should I > use to get FDS installed on this new system? > > Thanks, > Gene Poole > gene.poole at macys.com In addition - how to setup a one-way sync from Active Directory to FDS? -- Best regards, Chris -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From patrick.morris at hp.com Mon Jun 25 18:09:18 2007 From: patrick.morris at hp.com (Patrick Morris) Date: Mon, 25 Jun 2007 11:09:18 -0700 Subject: [Fedora-directory-users] How Do I? In-Reply-To: References: Message-ID: <20070625180918.GO2907@pmorris.usa.hp.com> http://directory.fedoraproject.org/wiki/FAQ On Mon, 25 Jun 2007, Gene Poole wrote: > > > I've just completed a clean install of Fedora 7. How/What should I use to > get FDS installed on this new system?
> > Thanks, > Gene Poole > gene.poole at macys.com > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From tour9 at ece.lsu.edu Mon Jun 25 19:46:17 2007 From: tour9 at ece.lsu.edu (Saied W. Andalib) Date: Mon, 25 Jun 2007 14:46:17 -0500 Subject: [Fedora-directory-users] NSS initialization failed... Message-ID: <20070625144617.18521324@control.ece.lsu.edu> I'm trying to install the FDS-1.0.4 on RHEL-5. The setup fails with the following error: [slapd-dirs]: [25/Jun/2007:14:37:25 -0500] - SSL alert: Security Initialization: NSS initialization failed (Netscape Portable Runtime error -8174 - security library: bad database.): path: /opt/fedora-ds/alias/, certdb prefix: slapd-dirs-, keydb prefix: slapd-dirs-. [slapd-dirs]: [25/Jun/2007:14:37:25 -0500] - ERROR: NSS Initialization Failed. error:[25/Jun/2007:14:37:25 -0500] - ERROR: NSS Initialization\nFailed. system_errno:2 After which it hangs. Even when I wipe out the entire fedora-ds directory and re-install the whole thing, the above setup error reappears again! It used to work fine before, but, once it got stuck and I had to kill it, I'm getting that error message ever since. I'm wondering if some files somewhere outside the fedora-ds directory tree has changed... Help would be appreciated! Thanks. From rmeggins at redhat.com Mon Jun 25 20:46:59 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 25 Jun 2007 14:46:59 -0600 Subject: [Fedora-directory-users] NSS initialization failed... In-Reply-To: <20070625144617.18521324@control.ece.lsu.edu> References: <20070625144617.18521324@control.ece.lsu.edu> Message-ID: <468029C3.4090706@redhat.com> Saied W. Andalib wrote: > I'm trying to install the FDS-1.0.4 on RHEL-5. 
The setup fails with > the following error: > > > > > [slapd-dirs]: [25/Jun/2007:14:37:25 -0500] - SSL alert: Security > Initialization: NSS initialization failed (Netscape Portable Runtime > error -8174 - security library: bad database.): > path: /opt/fedora-ds/alias/, certdb prefix: slapd-dirs-, keydb prefix: > slapd-dirs-. [slapd-dirs]: [25/Jun/2007:14:37:25 -0500] - ERROR: NSS > Initialization Failed. error:[25/Jun/2007:14:37:25 -0500] - ERROR: NSS > Initialization\nFailed. system_errno:2 > > ls -al /opt/fedora-ds/alias > > > After which it hangs. Even when I wipe out the entire fedora-ds > directory and re-install the whole thing, the above setup error > reappears again! It used to work fine before, but, once it got stuck > and I had to kill it, I'm getting that error message ever since. I'm > wondering if some files somewhere outside the fedora-ds directory tree > has changed... > > Help would be appreciated! > > Thanks. > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From sphenisciformes at hotmail.com Mon Jun 25 21:01:38 2007 From: sphenisciformes at hotmail.com (Sphenis cidae) Date: Mon, 25 Jun 2007 21:01:38 +0000 Subject: [Fedora-directory-users] Need Help - FDS 1.0.4 - Admin Console - Details Inside - Thanks Message-ID: Thanks Richard for your help and atention. ------- The possible solution ------- My problem is solved. I tried everything but I think the solution was removing carefully everything that has to do with openldap from the system and change the LDAP Settings in AUTHENTICATION CONFIGURATION: from: LDAP Server: 192.168.10.1 to: LDAP Server: 192.168.10.1|ldap://192.168.10.1 Thanks all for your inputs. 
I want to thank also a really cool guy from #fedora-ds, uffe, that tried to help. ------- The Problem ------- > When I turn LDAP authentication and support on (tried in fedora7) the > admin console stops working.> > "cannot logon because of an incorrect User ID, Incorrect password or > Directory problem. java.io.InterruptedIOException: HTTP response timeout">> In /opt/fedora-ds/admin-serv/logs/error i have:> child pid 2768 exit signal segmentation fault (11)> child pid 2769 exit signal segmentation fault (11)> ...> child pid 3360 exit signal segmentation fault (11) -------------- next part -------------- An HTML attachment was scrubbed... URL: From daryle at micralyne.com Tue Jun 26 02:40:07 2007 From: daryle at micralyne.com (Daryle A. Tilroe) Date: Mon, 25 Jun 2007 20:40:07 -0600 Subject: [Fedora-directory-users] Problem with fds 1.0.4 on Red Hat 5 64 bits. Message-ID: <46807C87.3060808@micralyne.com> Rob Crittenden wrote: > Try the FC6 build instead. The problem is that RHEL4 uses Apache > 2.0.52 and RHEL 5 uses Apache 2.2.3. Their API's are not completely > compatible and modules need to be recompiled. Just a quick followup on this. I am going to try it myself soon. Is the FC6 build actually the correct one or will there be a "proper" FDS 1.0.4 rpm for RHEL5 64bit at any point in the near future? -- Daryle A. Tilroe From tfar at smc.co.nz Tue Jun 26 06:38:39 2007 From: tfar at smc.co.nz (Anthony M.
Farrell) Date: Tue, 26 Jun 2007 18:38:39 +1200 Subject: [Fedora-directory-users] [crit] host_ip_init(): PSET failure: Failed to create PSET handle (pset error = ) In-Reply-To: <467FB4EF.8000301@redhat.com> References: <200706241632.10046.tfar@smc.co.nz> <467FB4EF.8000301@redhat.com> Message-ID: <200706261838.39940.tfar@smc.co.nz> On Tue, 26 Jun 2007 00:28:31 Richard Megginson wrote: > This error message is telling you that Apache will not run as root. You > must change your User in admin-serv/config/console.conf to a non-root > user, preferably the same user as you run your directory server as (if > that is also root, I strongly encourage you to use a non-root user). Thanks Richard - I created a fedora-ds user and that solved the problem. My interpretation of the installation instructions was that the default port 389 must run as root. However that is obviously not the case. With your help all is now well. Thanks for the effort you make to assist users on this list. I am sure it is much appreciated. Tony From rmeggins at redhat.com Tue Jun 26 12:58:32 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 26 Jun 2007 06:58:32 -0600 Subject: [Fedora-directory-users] Problem with fds 1.0.4 on Red Hat 5 64 bits. In-Reply-To: <46807C87.3060808@micralyne.com> References: <46807C87.3060808@micralyne.com> Message-ID: <46810D78.3010007@redhat.com> Daryle A. Tilroe wrote: > Rob Crittenden wrote: > >> Try the FC6 build instead. The problem is that RHEL4 uses Apache >> 2.0.52 and RHEL 5 uses Apache 2.2.3. Their API's are not completely >> compatible and modules need to be recompiled. > > Just a quick followup on this. I am going to try it myself soon. > Is the FC6 build actually the correct one Yes. > or will there be a > "proper" FDS 1.0.4 rpm for RHEL5 64bit at any point in the near > future? > Probably only if there is some problem with the FC6 binary on RHEL5. -------------- next part -------------- A non-text attachment was scrubbed...
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Tue Jun 26 13:01:26 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 26 Jun 2007 07:01:26 -0600 Subject: [Fedora-directory-users] [crit] host_ip_init(): PSET failure: Failed to create PSET handle (pset error = ) In-Reply-To: <200706261838.39940.tfar@smc.co.nz> References: <200706241632.10046.tfar@smc.co.nz> <467FB4EF.8000301@redhat.com> <200706261838.39940.tfar@smc.co.nz> Message-ID: <46810E26.3060404@redhat.com> Anthony M. Farrell wrote: > On Tue, 26 Jun 2007 00:28:31 Richard Megginson wrote: > >> This error message is telling you that Apache will not run as root. You >> must change your User in admin-serv/config/console.conf to a non-root >> user, preferably the same user as you run your directory server as (if >> that is also root, I strongly encourage you to use a non-root user). >> > > Thanks Richard - I created a fedora-ds user and that solved the problem. My > interpretation of the installation instructions was that the default port 389 > must run as root. However that is obviously not the case. You must start the server as the root user (or from init). Once the server binds to port 389, it does a setuid to the non-privileged user. > With your help all > is now well. > > Thanks for the effort you make to assist users on this list. I am sure it is > much appreciated. > > Tony > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From tour9 at ece.lsu.edu Tue Jun 26 14:15:00 2007 From: tour9 at ece.lsu.edu (Saied W. 
Andalib) Date: Tue, 26 Jun 2007 09:15:00 -0500 Subject: [Fedora-directory-users] Re: Recurring NSS initialization failure... In-Reply-To: <468029C3.4090706@redhat.com> References: <20070625144617.18521324@control.ece.lsu.edu> <468029C3.4090706@redhat.com> Message-ID: <20070626091500.1f087210@control.ece.lsu.edu> After the clean re-installation, I tried to do the setup, but, it fails with the same error: [slapd-dirs]: [26/Jun/2007:09:03:00 -0500] - SSL alert: Security Initialization: NSS initialization failed (Netscape Portable Runtime error -8174 - security library: bad database.): path: /opt/fedora-ds/alias/, certdb prefix: slapd-dirs-, keydb prefix: slapd-dirs-. [slapd-dirs]: [26/Jun/2007:09:03:00 -0500] - ERROR: NSS Initialization Failed. error:[26/Jun/2007:09:03:00 -0500] - ERROR: NSS Initialization\nFailed. system_errno:2 Where it hangs. The alias directory has only one entry: [root at dirs fedora-ds]# ls -al alias/ total 268 drwxr-xr-x 2 fedora-ds fedora-ds 4096 Jun 13 12:01 . drwxr-xr-x 15 root root 4096 Jun 26 09:03 .. -rwxr-xr-x 1 root root 247376 Nov 8 2006 libnssckbi.so It didn't create the other cert and key files under alias directory. Also, the admin-serv/config directory is empty! That NSS Initialization failure (-8174) with "bad database" error prevents the setup from doing anything. Since, this is a fresh installation, I think the bad database error is probably somewhere outside the /opt/fedora-ds tree...! I'm only guessing at this point;-) Any ideas as to where to look for any clues?!!!! SWA From daryle at micralyne.com Tue Jun 26 14:30:10 2007 From: daryle at micralyne.com (Daryle A. Tilroe) Date: Tue, 26 Jun 2007 08:30:10 -0600 Subject: [Fedora-directory-users] Problem with fds 1.0.4 on Red Hat 5 64 bits. In-Reply-To: <46810D78.3010007@redhat.com> References: <46807C87.3060808@micralyne.com> <46810D78.3010007@redhat.com> Message-ID: <468122F2.3080402@micralyne.com> Richard Megginson wrote: > Daryle A. 
Tilroe wrote: > >> Rob Crittenden wrote: >> >>> Try the FC6 build instead. The problem is that RHEL4 uses Apache >>> 2.0.52 and RHEL 5 uses Apache 2.2.3. Their API's are not completely >>> compatible and modules need to be recompiled. >> >> Just a quick followup on this. I am going to try it myself soon. >> Is the FC6 build actually the correct one > > Yes. > >> or will there be a >> "proper" FDS 1.0.4 rpm for RHEL5 64bit at any point in the near >> future? >> > Probably only if there is some problem with the FC6 binary on RHEL5. Thanks for the clarification! I'll be sure to give the community a shout if I find any issues. -- Daryle A. Tilroe From rmeggins at redhat.com Tue Jun 26 14:30:07 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 26 Jun 2007 08:30:07 -0600 Subject: [Fedora-directory-users] Re: Recurring NSS initialization failure... In-Reply-To: <20070626091500.1f087210@control.ece.lsu.edu> References: <20070625144617.18521324@control.ece.lsu.edu> <468029C3.4090706@redhat.com> <20070626091500.1f087210@control.ece.lsu.edu> Message-ID: <468122EF.5070604@redhat.com> Saied W. Andalib wrote: > After the clean re-installation, I tried to do the setup, but, it fails > with the same error: > > > > [slapd-dirs]: [26/Jun/2007:09:03:00 -0500] - SSL alert: Security > Initialization: NSS initialization failed (Netscape Portable Runtime > error -8174 - security library: bad database.): > path: /opt/fedora-ds/alias/, certdb prefix: slapd-dirs-, keydb prefix: > slapd-dirs-. [slapd-dirs]: [26/Jun/2007:09:03:00 -0500] - ERROR: NSS > Initialization Failed. error:[26/Jun/2007:09:03:00 -0500] - ERROR: NSS > Initialization\nFailed. system_errno:2 > Try this as root: cd /opt/fedora-ds/alias ; su fedora-ds -c "../shared/bin/certutil -N -d . -P slapd-dirs-" > > > Where it hangs. The alias directory has only one entry: > > > > [root at dirs fedora-ds]# ls -al alias/ > total 268 > drwxr-xr-x 2 fedora-ds fedora-ds 4096 Jun 13 12:01 . 
> drwxr-xr-x 15 root root 4096 Jun 26 09:03 .. > -rwxr-xr-x 1 root root 247376 Nov 8 2006 libnssckbi.so > > > > It didn't create the other cert and key files under alias directory. > Also, the admin-serv/config directory is empty! > Admin server depends on directory server to complete setup. > That NSS Initialization failure (-8174) with "bad database" error > prevents the setup from doing anything. Since, this is a fresh > installation, I think the bad database error is probably somewhere > outside the /opt/fedora-ds tree...! No, it's not. There is something really weird going on. The system error above is 2, which is #define ENOENT 2 /* No such file or directory */ I'm not sure what file or directory it is complaining about. The directory server is supposed to create the key/cert db if they do not exist. The directory names and permissions all look correct. > I'm only guessing at this point;-) > Any ideas as to where to look for any clues?!!!! > > SWA > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From tour9 at ece.lsu.edu Tue Jun 26 15:31:40 2007 From: tour9 at ece.lsu.edu (Saied W. Andalib) Date: Tue, 26 Jun 2007 10:31:40 -0500 Subject: [Fedora-directory-users] Re: Recurring NSS initialization failure... In-Reply-To: <468122EF.5070604@redhat.com> References: <20070625144617.18521324@control.ece.lsu.edu> <468029C3.4090706@redhat.com> <20070626091500.1f087210@control.ece.lsu.edu> <468122EF.5070604@redhat.com> Message-ID: <20070626103140.0c4921e5@control.ece.lsu.edu> Richard, Thanks for responding. I did the su fedora-ds, and got the following: [root at dirs alias]# ls libnssckbi.so [root at dirs alias]# su fedora-ds -c "../shared/bin/certutil -N -d . 
-P slapd-dirs-" ../shared/bin/certutil: line 50: cd: ../shared/bin/../lib: Not a directory ../shared/bin/certutil: line 57: cd: /opt/fedora-ds/alias: Not a directory Error opening input terminal for read [root at dirs alias]# [root at dirs alias]# ls ../shared/bin/../lib libfreebl3.chk libicudata.so.34 libicuuc.so.34 libnspr4.so libplc4.so libprldap60.so libsoftokn3.chk libssl3.so libfreebl3.so libicui18n.so.34 libldap60.so libnss3.so libplds4.so libsmime3.so libsoftokn3.so libssldap60.so The ../shared/bin/../lib directory seems fine! SWA From rmeggins at redhat.com Tue Jun 26 15:41:18 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 26 Jun 2007 09:41:18 -0600 Subject: [Fedora-directory-users] Re: Recurring NSS initialization failure... In-Reply-To: <20070626103140.0c4921e5@control.ece.lsu.edu> References: <20070625144617.18521324@control.ece.lsu.edu> <468029C3.4090706@redhat.com> <20070626091500.1f087210@control.ece.lsu.edu> <468122EF.5070604@redhat.com> <20070626103140.0c4921e5@control.ece.lsu.edu> Message-ID: <4681339E.1070101@redhat.com> Saied W. Andalib wrote: > Richard, > > Thanks for responding. I did the su fedora-ds, and got the following: > > > > > [root at dirs alias]# ls > libnssckbi.so > > [root at dirs alias]# su fedora-ds -c "../shared/bin/certutil -N -d . -P > slapd-dirs-" > > ../shared/bin/certutil: line 50: cd: ../shared/bin/../lib: > Not a directory ../shared/bin/certutil: line 57: > cd: /opt/fedora-ds/alias: Not a directory Error opening input terminal > for read > It's looking for a password - create a file with a dummy password e.g. /tmp/pwd.txt then pass that to certutil: su fedora-ds -c "../shared/bin/certutil -N -d . 
-P slapd-dirs- -f /tmp/pwd.txt" Make sure fedora-ds can read /tmp/pwd.txt > [root at dirs alias]# > [root at dirs alias]# ls ../shared/bin/../lib > libfreebl3.chk libicudata.so.34 libicuuc.so.34 libnspr4.so > libplc4.so libprldap60.so libsoftokn3.chk libssl3.so > libfreebl3.so libicui18n.so.34 libldap60.so libnss3.so > libplds4.so libsmime3.so libsoftokn3.so libssldap60.so > > > > > The ../shared/bin/../lib directory seems fine! > > > SWA > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From gene.poole at macys.com Tue Jun 26 15:55:11 2007 From: gene.poole at macys.com (Gene Poole) Date: Tue, 26 Jun 2007 11:55:11 -0400 Subject: [Fedora-directory-users] Re: How Do I? In-Reply-To: <20070626143529.4B58073CC9@hormel.redhat.com> Message-ID: On Mon, 25 Jun 2007, Patrick Morris wrote: > http://directory.fedoraproject.org/wiki/FAQ Based upon what's written in that document, concerning supported releases, I'll have to wait until the next release of Fedora DS. Thanks, Gene Poole gene.poole at macys.com From tour9 at ece.lsu.edu Tue Jun 26 16:02:30 2007 From: tour9 at ece.lsu.edu (Saied W. Andalib) Date: Tue, 26 Jun 2007 11:02:30 -0500 Subject: [Fedora-directory-users] Re: Recurring NSS initialization failure... In-Reply-To: <4681339E.1070101@redhat.com> References: <20070625144617.18521324@control.ece.lsu.edu> <468029C3.4090706@redhat.com> <20070626091500.1f087210@control.ece.lsu.edu> <468122EF.5070604@redhat.com> <20070626103140.0c4921e5@control.ece.lsu.edu> <4681339E.1070101@redhat.com> Message-ID: <20070626110230.2eff64da@control.ece.lsu.edu> The "su fedora-ds" with the "/tmp/pwd.txt" gave the same errors: [root at dirs alias]# su fedora-ds -c "../shared/bin/certutil -N -d . 
-P slapd-dirs- -f /tmp/pwd.txt" ../shared/bin/certutil: line 50: cd: ../shared/bin/../lib: Not a directory ../shared/bin/certutil: line 57: cd: /opt/fedora-ds/alias: Not a directory [root at dirs alias]#ll /tmp/pwd.txt -rw-r--r-- 1 root root 52 Jun 26 10:55 /tmp/pwd.txt [root at dirs alias]# ll total 364 -rwxr-xr-x 1 root root 247376 Nov 8 2006 libnssckbi.so -rw------- 1 fedora-ds fedora-ds 16384 Jun 26 10:56 secmod.db -rw------- 1 fedora-ds fedora-ds 65536 Jun 26 10:56 slapd-dirs-cert8.db -rw------- 1 fedora-ds fedora-ds 16384 Jun 26 10:56 slapd-dirs-key3.db Something very unusual going on....! SWA From rmeggins at redhat.com Tue Jun 26 16:14:23 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 26 Jun 2007 10:14:23 -0600 Subject: [Fedora-directory-users] Re: Recurring NSS initialization failure... In-Reply-To: <20070626110230.2eff64da@control.ece.lsu.edu> References: <20070625144617.18521324@control.ece.lsu.edu> <468029C3.4090706@redhat.com> <20070626091500.1f087210@control.ece.lsu.edu> <468122EF.5070604@redhat.com> <20070626103140.0c4921e5@control.ece.lsu.edu> <4681339E.1070101@redhat.com> <20070626110230.2eff64da@control.ece.lsu.edu> Message-ID: <46813B5F.4020607@redhat.com> Saied W. Andalib wrote: > The "su fedora-ds" with the "/tmp/pwd.txt" gave the same errors: > > > > [root at dirs alias]# su fedora-ds -c "../shared/bin/certutil -N -d . 
-P > slapd-dirs- -f /tmp/pwd.txt" > > ../shared/bin/certutil: line 50: cd: ../shared/bin/../lib: Not a > directory > ../shared/bin/certutil: line 57: cd: /opt/fedora-ds/alias: Not a > directory > > > [root at dirs alias]#ll /tmp/pwd.txt -rw-r--r-- 1 root root 52 Jun 26 > 10:55 /tmp/pwd.txt > > [root at dirs alias]# ll > total 364 > -rwxr-xr-x 1 root root 247376 Nov 8 2006 libnssckbi.so > -rw------- 1 fedora-ds fedora-ds 16384 Jun 26 10:56 secmod.db > -rw------- 1 fedora-ds fedora-ds 65536 Jun 26 10:56 slapd-dirs-cert8.db > -rw------- 1 fedora-ds fedora-ds 16384 Jun 26 10:56 slapd-dirs-key3.db > > > > Something very unusual going on....! > Can you start the directory server now? > SWA > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From tour9 at ece.lsu.edu Tue Jun 26 16:25:57 2007 From: tour9 at ece.lsu.edu (Saied W. Andalib) Date: Tue, 26 Jun 2007 11:25:57 -0500 Subject: [Fedora-directory-users] Re: Recurring NSS initialization failure... 
In-Reply-To: <46813B5F.4020607@redhat.com> References: <20070625144617.18521324@control.ece.lsu.edu> <468029C3.4090706@redhat.com> <20070626091500.1f087210@control.ece.lsu.edu> <468122EF.5070604@redhat.com> <20070626103140.0c4921e5@control.ece.lsu.edu> <4681339E.1070101@redhat.com> <20070626110230.2eff64da@control.ece.lsu.edu> <46813B5F.4020607@redhat.com> Message-ID: <20070626112557.03dab4ac@control.ece.lsu.edu> The directory server gives the same NSS error: [root at dirs fedora-ds]# ./slapd-dirs/start-slapd [26/Jun/2007:11:24:45 -0500] - SSL alert: Security Initialization: NSS initialization failed (Netscape Portable Runtime error -8174 - security library: bad database.): path: /opt/fedora-ds/alias/, certdb prefix: slapd-dirs-, keydb prefix: slapd-dirs-. [26/Jun/2007:11:24:45 -0500] - ERROR: NSS Initialization Failed. SWA From rmeggins at redhat.com Tue Jun 26 22:15:40 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 26 Jun 2007 16:15:40 -0600 Subject: [Fedora-directory-users] Re: Recurring NSS initialization failure... In-Reply-To: <20070626112557.03dab4ac@control.ece.lsu.edu> References: <20070625144617.18521324@control.ece.lsu.edu> <468029C3.4090706@redhat.com> <20070626091500.1f087210@control.ece.lsu.edu> <468122EF.5070604@redhat.com> <20070626103140.0c4921e5@control.ece.lsu.edu> <4681339E.1070101@redhat.com> <20070626110230.2eff64da@control.ece.lsu.edu> <46813B5F.4020607@redhat.com> <20070626112557.03dab4ac@control.ece.lsu.edu> Message-ID: <4681900C.4030800@redhat.com> Saied W. Andalib wrote: > The directory server gives the same NSS error: > > > [root at dirs fedora-ds]# ./slapd-dirs/start-slapd > [26/Jun/2007:11:24:45 -0500] - SSL alert: Security Initialization: NSS > initialization failed (Netscape Portable Runtime error -8174 - security > library: bad database.): path: /opt/fedora-ds/alias/, certdb prefix: > slapd-dirs-, keydb prefix: slapd-dirs-. [26/Jun/2007:11:24:45 -0500] - > ERROR: NSS Initialization Failed. 
> At this point I'm completely baffled. My suggestion would be to start the server using strace - edit the start-slapd shell script (make a copy of it first) and use strace -o /tmp/trace.out ns-slapd ..... I don't know why this is still failing, even after you have created the key and cert dbs. > > > SWA > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From Alan.Hagge at warnerbros.com Tue Jun 26 19:36:50 2007 From: Alan.Hagge at warnerbros.com (Alan Hagge) Date: Tue, 26 Jun 2007 12:36:50 -0700 Subject: [Fedora-directory-users] FDS equivalent of OpenLDAP's password-crypt-salt-format? Message-ID: <46816AD2.9030807@warnerbros.com> Does anyone know if FDS has the equivalent of OpenLDAP's password-crypt-salt-format option? It's used to specify the format of the salt used in crypt encryption. Specifically, I need a way to have md5crypt passwords generated by an "ldap password modify" extended operation. I'm trying to support Irix, Linux and Windows (using samba) hosts, and unfortunately, Irix only supports crypt-format passwords, but WILL use the md5 salted variant, which (as I understand it) is much more secure than the standard DES version. It looks like Sun's enterprise directory server supports this through an optional parameter passed to its crypt password storage scheme plugin (see http://docs.sun.com/app/docs/doc/820-0376/6nc4cgnh4?a=view , topic 6557410), but in looking over the FDS source for this plugin, I don't see where this has been implemented. Thanks for any hints, tips, etc. 
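Added example, not part of the thread and not FDS or OpenLDAP code: a Python model of how OpenLDAP's password-crypt-salt-format (a sprintf-style string with a single %s, e.g. "$1$%.8s") shapes the salt handed to crypt(3), plus an audit of an LDIF export that reports which crypt variant each {CRYPT} userPassword uses. Function names, sample entries and hash strings are constructed for illustration; the hashes are placeholders with the right shape, not real digests.

```python
import base64
import re

SALT_CHARS = r"[./0-9A-Za-z]"                      # crypt(3) salt/hash alphabet
CONVERSION = re.compile(r"%(?:\.(\d+))?s")         # %s or %.Ns
SCHEME = re.compile(r"^\{([A-Za-z0-9_-]+)\}(.*)$", re.S)
DES_HASH = re.compile(rf"^{SALT_CHARS}{{13}}$")    # 2 salt + 11 hash chars
MD5_HASH = re.compile(rf"^\$1\${SALT_CHARS}{{1,8}}\${SALT_CHARS}{{22}}$")


def expand_salt_format(fmt, random_chars):
    """Model the salt format: substitute the single %s / %.Ns conversion."""
    convs = list(CONVERSION.finditer(fmt))
    if len(convs) > 1:
        raise ValueError("only one %s conversion is allowed")
    if not convs:
        return fmt
    m = convs[0]
    chunk = random_chars if m.group(1) is None else random_chars[: int(m.group(1))]
    return fmt[: m.start()] + chunk + fmt[m.end():]


def crypt_variant(setting):
    """Which algorithm a crypt(3) salt or stored hash selects, by prefix."""
    if setting.startswith("$1$"):
        return "md5crypt"
    if setting.startswith("$"):
        return "other-modular"
    return "des"  # traditional crypt: only the first two characters are salt


def classify_user_password(value):
    """Return (storage scheme, crypt variant or None) for one userPassword."""
    m = SCHEME.match(value)
    if not m:
        return ("cleartext", None)
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return (scheme, None)
    variant = crypt_variant(rest)
    if variant == "des" and not DES_HASH.match(rest):
        variant = "malformed"
    if variant == "md5crypt" and not MD5_HASH.match(rest):
        variant = "malformed"
    return ("CRYPT", variant)


def _attr_value(line):
    """Split an LDIF line into (lowercased name, value); '::' means base64."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name.lower(), base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    return name.lower(), rest.strip()


def audit_ldif(text):
    """List (dn, scheme, variant) for every userPassword in an LDIF export."""
    unfolded = re.sub(r"\r?\n ", "", text)  # join folded continuation lines
    results, dn = [], None
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        name, value = _attr_value(line)
        if name == "dn":
            dn = value
        elif name == "userpassword":
            results.append((dn, *classify_user_password(value)))
    return results


# Constructed sample export; the DES entry is base64-encoded as LDIF allows.
_B64_DES = base64.b64encode(b"{CRYPT}ab1Xy9Qw3ZkLm").decode()
SAMPLE_LDIF = f"""\
dn: uid=irixuser,ou=People,dc=example,dc=com
userPassword: {{CRYPT}}$1$Ab3dEf9h$0123456789abcdefghijkl

dn: uid=olduser,ou=People,dc=example,dc=com
userPassword:: {_B64_DES}

dn: uid=linuxuser,ou=People,dc=example,dc=com
userPassword: {{SSHA}}constructedPlaceholder==
"""

if __name__ == "__main__":
    for row in audit_ldif(SAMPLE_LDIF):
        print(row)
```

Entries reported as ("CRYPT", "des") are the ones a salt format of "$1$%.8s" would have stored as md5crypt instead.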
From rmeggins at redhat.com Wed Jun 27 14:17:54 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 27 Jun 2007 08:17:54 -0600 Subject: [Fedora-directory-users] FDS equivalent of OpenLDAP's password-crypt-salt-format? In-Reply-To: <46816AD2.9030807@warnerbros.com> References: <46816AD2.9030807@warnerbros.com> Message-ID: <46827192.4010605@redhat.com> Alan Hagge wrote: > Does anyone know if FDS has the equivalent of OpenLDAP's > password-crypt-salt-format option? It's used to specify the format of > the salt used in crypt encryption. Specifically, I need a way to have > md5crypt passwords generated by an "ldap password modify" extended > operation. I'm trying to support Irix, Linux and Windows (using samba) > hosts, and unfortunately, Irix only supports crypt-format passwords, but > WILL use the md5 salted variant, which (as I understand it) is much more > secure than the standard DES version. > > It looks like Sun's enterprise directory server supports this through an > optional parameter passed to its crypt password storage scheme plugin > (see http://docs.sun.com/app/docs/doc/820-0376/6nc4cgnh4?a=view , topic > 6557410), but in looking over the FDS source for this plugin, I don't > see where this has been implemented. > FDS does not support this. Please file an enhancement request at http://bugzilla.redhat.com for Fedora Directory Server. Or, if you are a C coder, http://directory.fedoraproject.org/wiki/Contributing > Thanks for any hints, tips, etc. > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From srigler at marathonoil.com Wed Jun 27 14:30:48 2007 From: srigler at marathonoil.com (Steve Rigler) Date: Wed, 27 Jun 2007 09:30:48 -0500 Subject: [Fedora-directory-users] FDS equivalent of OpenLDAP's password-crypt-salt-format? In-Reply-To: <46816AD2.9030807@warnerbros.com> References: <46816AD2.9030807@warnerbros.com> Message-ID: <1182954648.2872.3.camel@houuc8> On Tue, 2007-06-26 at 12:36 -0700, Alan Hagge wrote: > Does anyone know if FDS has the equivalent of OpenLDAP's > password-crypt-salt-format option? It's used to specify the format of > the salt used in crypt encryption. Specifically, I need a way to have > md5crypt passwords generated by an "ldap password modify" extended > operation. I'm trying to support Irix, Linux and Windows (using samba) > hosts, and unfortunately, Irix only supports crypt-format passwords, but > WILL use the md5 salted variant, which (as I understand it) is much more > secure than the standard DES version. > > It looks like Sun's enterprise directory server supports this through an > optional parameter passed to its crypt password storage scheme plugin > (see http://docs.sun.com/app/docs/doc/820-0376/6nc4cgnh4?a=view , topic > 6557410), but in looking over the FDS source for this plugin, I don't > see where this has been implemented. > > Thanks for any hints, tips, etc. Alan, What version of Irix are you running? AFAIK, 6.5.22 and later has PAM, so you can bind to the directory without exposing userPassword. There is also an openldap module for NSD (I believe it's available in 6.5.26 and later) that introduces some better filtering for NSD. 
-Steve From kingttx at tomslinux.homelinux.org Wed Jun 27 19:08:47 2007 From: kingttx at tomslinux.homelinux.org (Thomas King) Date: Wed, 27 Jun 2007 14:08:47 -0500 (CDT) Subject: [Fedora-directory-users] Newbie question Message-ID: <7287.143.166.255.41.1182971327.squirrel@tomslinux.homelinux.org> I am trying to sort out a couple of things in my mind, so please forgive the plebeian topic. Some of the articles I saw online concerning using FDS for authentication state to use the 'Users and Groups' tab from the management console. However, when I try to create a user, group, or OU, it ends up being forced into the NetscapeRoot branch instead of the directory. I see no way offhand on how to change this. Re-reading the manuals several times for making entries suggests that tab is not to be used for "normal" user/group/OU entries for authentication and/or user information queries. Instead, I should have opened the directory server itself from the Management Console, clicked on the Directory tab, expanded the appropriate branch, selected the appropriate OU, and added a user there instead. Am I correct? Is there actually a way to change the target from the 'Users and Groups' tab within the Management Console so that I can use that tab instead to make quick additions or changes? Thank you, Tom From rmeggins at redhat.com Thu Jun 28 15:13:25 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 28 Jun 2007 09:13:25 -0600 Subject: [Fedora-directory-users] Newbie question In-Reply-To: <7287.143.166.255.41.1182971327.squirrel@tomslinux.homelinux.org> References: <7287.143.166.255.41.1182971327.squirrel@tomslinux.homelinux.org> Message-ID: <4683D015.3080500@redhat.com> Thomas King wrote: > I am trying to sort out a couple of things in my mind, so please forgive the > plebeian topic. > > Some of the articles I saw online concerning using FDS for authentication state > to use the 'Users and Groups' tab from the management console. 
However, when I > try to create a user, group, or OU, it ends up being forced into the > NetscapeRoot branch instead of the directory. I see no way offhand on how to > change this. > When you select the Users and Groups tab, go to the User menu, select Change Directory..., fill in the correct information, and press Ok. > Re-reading the manuals several times for making entries suggests that tab is not > to be used for "normal" user/group/OU entries for authentication and/or user > information queries. Instead, I should have opened the directory server itself > from the Management Console, clicked on the Directory tab, expanded the > appropriate branch, selected the appropriate OU, and added a user there instead. > > Am I correct? Is there actually a way to change the target from the 'Users and > Groups' tab within the Management Console so that I can use that tab instead to > make quick additions or changes? > > Thank you, > Tom From kingttx at tomslinux.homelinux.org Thu Jun 28 15:32:05 2007 From: kingttx at tomslinux.homelinux.org (Thomas King) Date: Thu, 28 Jun 2007 10:32:05 -0500 (CDT) Subject: [Fedora-directory-users] Newbie question In-Reply-To: <4683D015.3080500@redhat.com> References: <7287.143.166.255.41.1182971327.squirrel@tomslinux.homelinux.org> <4683D015.3080500@redhat.com> Message-ID: <44198.143.166.255.40.1183044725.squirrel@tomslinux.homelinux.org> > When you select the Users and Groups tab, go to the User menu, select > Change Directory..., fill in the correct information, and press Ok. -slaps head- Excellent!! Thank you for the answer! I need to put this on the LUG mailing list as well. Thanks again! 
Tom From jo.de.troy at gmail.com Thu Jun 28 15:36:47 2007 From: jo.de.troy at gmail.com (Jo De Troy) Date: Thu, 28 Jun 2007 17:36:47 +0200 Subject: [Fedora-directory-users] ldapdelete error 1 Message-ID: Hello, I'm running FedoraDS 1.0.4 on RHEL4. When I try to delete an entry I get as result: Delete Result: Operations error (1) I've tried it from within Directory Server console and from cli via ldapdelete. Any ideas what might be the problem? I'm using Views don't know if that has anything to do with it or not. Thanks for helping, Jo From tour9 at ece.lsu.edu Thu Jun 28 16:11:11 2007 From: tour9 at ece.lsu.edu (Saied W. Andalib) Date: Thu, 28 Jun 2007 11:11:11 -0500 Subject: [Fedora-directory-users] Recurring NSS initialization failure... In-Reply-To: <4681900C.4030800@redhat.com> References: <20070625144617.18521324@control.ece.lsu.edu> <468029C3.4090706@redhat.com> <20070626091500.1f087210@control.ece.lsu.edu> <468122EF.5070604@redhat.com> <20070626103140.0c4921e5@control.ece.lsu.edu> <4681339E.1070101@redhat.com> <20070626110230.2eff64da@control.ece.lsu.edu> <46813B5F.4020607@redhat.com> <20070626112557.03dab4ac@control.ece.lsu.edu> <4681900C.4030800@redhat.com> Message-ID: <20070628111111.3156d0fa@control.ece.lsu.edu> Thanks Richard for replying. I actually did the strace on slapd a while ago and it went through with a lot of info and at the end it put out the same NSS error message! One thing I noticed was that when I did a clean re-installation followed by the setup, when I picked the user and group root instead of fedora-ds, the start-slapd started as root without any problem! However, the httpd wouldn't start. If however, during the setup, I pick any other non-root user, say, fedora-ds for the directory server, the setup would fail with NSS error, at that point it would hang! If I do the setup as fedora-ds user, it goes through fine. Everything works ok. 
So, after that, I did a clean re-installation as root, and did the setup as recommended by the documentation -- the directory server runs as user/group fedora-ds as it is supposed to. So, now, the directory server runs fine. The admin-server, however gives the PSET failure error. On the other hand, if I start the admin server as fedora-ds user: (e.g., su fedora-ds ./start-admin), then, it starts without any problem! This is one of those weird cases that has been baffling! So, at this point I'm not sure the cause of the PSET error. On a side note, I had similar question asked by Thomas King on how to create users outside the NetscapeRoot branch via the "User and Group" tab in the management Console. I noticed you mentioned selecting "Change Directory" after going to the user menu. I tried that, but, I don't seem to have the "Change Directory" option anywhere on the menu. I'm running FDS-1.0.4 on RHEL5. Thanks, SWA SWA From abliss at brockport.edu Thu Jun 28 16:26:16 2007 From: abliss at brockport.edu (abliss at brockport.edu) Date: Thu, 28 Jun 2007 16:26:16 +0000 (GMT) Subject: [Fedora-directory-users] quick question on database backups Message-ID: Hi everyone, I'm sure this is a super easy question, however I didn't see it documented on the fds website...can someone tell me how to dump the fds database to an ldif file? 
I'm just looking to make a quick backup routine while the database is online (not from the console). Thanks for your help. > Two ways, local and remote (via LDAP) local - /opt/fedora-ds/slapd-instance/db2ldif remote - /opt/fedora-ds/slapd-instance/db2ldif.pl > Aaron > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Thu Jun 28 16:23:57 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 28 Jun 2007 10:23:57 -0600 Subject: [Fedora-directory-users] Recurring NSS initialization failure... In-Reply-To: <20070628111111.3156d0fa@control.ece.lsu.edu> References: <20070625144617.18521324@control.ece.lsu.edu> <468029C3.4090706@redhat.com> <20070626091500.1f087210@control.ece.lsu.edu> <468122EF.5070604@redhat.com> <20070626103140.0c4921e5@control.ece.lsu.edu> <4681339E.1070101@redhat.com> <20070626110230.2eff64da@control.ece.lsu.edu> <46813B5F.4020607@redhat.com> <20070626112557.03dab4ac@control.ece.lsu.edu> <4681900C.4030800@redhat.com> <20070628111111.3156d0fa@control.ece.lsu.edu> Message-ID: <4683E09D.2010807@redhat.com> Saied W. Andalib wrote: > Thanks Richard for replying. > I actually did the strace on slapd a while ago and it went through with > a lot of info and at the end it put out the same NSS error message! There might be a clue buried in the strace output that would shed some light on this problem. > One > thing I noticed was that when I did a clean re-installation followed by > the setup, When you say "clean re-installation" do you mean rm -rf /opt/fedora-ds? > when I picked the user and group root instead of fedora-ds, > the start-slapd started as root without any problem! However, the httpd > wouldn't start. 
If however, during the setup, I pick any other non-root > user, say, fedora-ds for the directory server, the setup would fail > with NSS error, at that point it would hang! > > If I do the setup as fedora-ds user, it goes through fine. Everything > works ok. So, after that, I did a clean re-installation as root, and did > the setup as recommended by the documentation -- the directory server > runs as user/group fedora-ds as it is supposed to. So, now, the directory > server runs fine. The admin-server, however gives the PSET failure > error. On the other hand, if I start the admin server as fedora-ds user: > (e.g., su fedora-ds ./start-admin), then, it starts without any problem! > This is one of those weird cases that has been baffling! > So, at this point I'm not sure the cause of the PSET error. > Probably a permissions problem in admin-serv/config - local.conf, adm.conf, admpw, and console.conf must be owned by the admin server user and must be writable. The directory admin-serv/config must be owned by the admin server user and be writable. > On a side note, I had similar question asked by Thomas King on how to > create users outside the NetscapeRoot branch via the "User and Group" > tab in the management Console. I noticed you mentioned selecting > "Change Directory" after going to the user menu. I tried that, but, I > don't seem to have the "Change Directory" option anywhere on the menu. > I'm running FDS-1.0.4 on RHEL5. > ? > Thanks, > > SWA > > > SWA > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From abliss at brockport.edu Thu Jun 28 17:37:44 2007 From: abliss at brockport.edu (abliss at brockport.edu) Date: Thu, 28 Jun 2007 17:37:44 +0000 (GMT) Subject: [Fedora-directory-users] quick question on database backups In-Reply-To: <4683DFE3.5050209@redhat.com> References: <4683DFE3.5050209@redhat.com> Message-ID: Works great, thanks. Aaron ----- Original Message ----- From: Richard Megginson Date: Thursday, June 28, 2007 12:31 pm Subject: Re: [Fedora-directory-users] quick question on database backups To: "General discussion list for the Fedora Directory server project." > abliss at brockport.edu wrote: > > Hi everyone, > > I'm sure this is a super easy question, however I didn't see it > documented on the fds website...can someone tell me how to dump the > fds database to an ldif file? I'm just looking to make a quick > backup routine while the database is online (not from the console). > Thanks for your help. > > > Two ways, local and remote (via LDAP) > > local - /opt/fedora-ds/slapd-instance/db2ldif > > remote - /opt/fedora-ds/slapd-instance/db2ldif.pl > > Aaron > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > From abliss at brockport.edu Thu Jun 28 19:01:20 2007 From: abliss at brockport.edu (abliss at brockport.edu) Date: Thu, 28 Jun 2007 19:01:20 +0000 (GMT) Subject: [Fedora-directory-users] the relationship between sun's directory server and fds Message-ID: Hi everyone, I've used fedora directory server now since version 7.1 (of which I'm a huge fan) and just started using Sun's directory server 5.2 (since taking a new job a few days ago)...I installed sun's directory server onto centos 3, and couldn't help noticing that the look, feel and even process names are the same as in fds...does anyone know the history between the two? 
Are they both based on netscape's directory server? Thanks. Aaron From rmeggins at redhat.com Thu Jun 28 18:58:40 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 28 Jun 2007 12:58:40 -0600 Subject: [Fedora-directory-users] the relationship between sun's directory server and fds In-Reply-To: References: Message-ID: <468404E0.9060906@redhat.com> abliss at brockport.edu wrote: > Hi everyone, > I've used fedora directory server now since version 7.1 (of which I'm a huge fan) and just started using Sun's directory server 5.2 (since taking a new job a few days ago)...I installed sun's directory server onto centos 3, and couldn't help noticing that the look, feel and even process names are the same as in fds...does anyone know the history between the two? Are they both based on netscape's directory server? Thanks. > http://directory.fedoraproject.org/wiki/Roadmap#History > Aaron > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From slackamp at gmail.com Thu Jun 28 19:52:16 2007 From: slackamp at gmail.com (slamp slamp) Date: Thu, 28 Jun 2007 15:52:16 -0400 Subject: [Fedora-directory-users] blank login window Message-ID: <78926d250706281252s68ebcbd4mb53bd40a65729d5@mail.gmail.com> my fedora admin is showing a blank login. I cannot login because of it. please see attached screenshot. fedora-ds-1.0.4-1.RHEL4 CentOS release 4.5 (Final) java version "1.5.0_12" Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_12-b04) Java HotSpot(TM) Client VM (build 1.5.0_12-b04, mixed mode, sharing) -------------- next part -------------- A non-text attachment was scrubbed... 
Name: fds_admin.png Type: image/png Size: 23245 bytes Desc: not available URL: From slackamp at gmail.com Thu Jun 28 20:00:05 2007 From: slackamp at gmail.com (slamp slamp) Date: Thu, 28 Jun 2007 16:00:05 -0400 Subject: [Fedora-directory-users] blank login window In-Reply-To: <78926d250706281252s68ebcbd4mb53bd40a65729d5@mail.gmail.com> References: <78926d250706281252s68ebcbd4mb53bd40a65729d5@mail.gmail.com> Message-ID: <78926d250706281300m58042379ibdd8f03f2c98cc65@mail.gmail.com> sorry. i fixed it. i did an rpmbuild on java on my own and forgot to install the fonts. On 6/28/07, slamp slamp wrote: > my fedora admin is showing a blank login. I cannot login because of > it. please see attached screenshot. > > fedora-ds-1.0.4-1.RHEL4 > > CentOS release 4.5 (Final) > > java version "1.5.0_12" > Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_12-b04) > Java HotSpot(TM) Client VM (build 1.5.0_12-b04, mixed mode, sharing) > > From tour9 at ece.lsu.edu Thu Jun 28 20:32:35 2007 From: tour9 at ece.lsu.edu (Saied W. Andalib) Date: Thu, 28 Jun 2007 15:32:35 -0500 Subject: [Fedora-directory-users] Creating new unix/posix user accounts In-Reply-To: <4683E09D.2010807@redhat.com> References: <20070625144617.18521324@control.ece.lsu.edu> <468029C3.4090706@redhat.com> <20070626091500.1f087210@control.ece.lsu.edu> <468122EF.5070604@redhat.com> <20070626103140.0c4921e5@control.ece.lsu.edu> <4681339E.1070101@redhat.com> <20070626110230.2eff64da@control.ece.lsu.edu> <46813B5F.4020607@redhat.com> <20070626112557.03dab4ac@control.ece.lsu.edu> <4681900C.4030800@redhat.com> <20070628111111.3156d0fa@control.ece.lsu.edu> <4683E09D.2010807@redhat.com> Message-ID: <20070628153235.4e998220@control.ece.lsu.edu> I wonder if it's possible to create new unix/posix user accounts on the management Console via the "Users and Groups" Tab. 
It seems in order to create a new user account from the drop down menu at the bottom of the Console, the only allowable "dn:" entries are under the o=NetscapeRoot branch. Even when new root suffixes are created, they never seem to show up in the "Users and Groups"->"Create User" menu options. SWA From jimh at u.washington.edu Fri Jun 29 02:32:51 2007 From: jimh at u.washington.edu (Jim Hogan) Date: Thu, 28 Jun 2007 19:32:51 -0700 (PDT) Subject: [Fedora-directory-users] Samba 4 support/integration? Message-ID: Sorry if this has been raised already.... We are presently running an NT4-style Samba 3 domain with FDS back end. Good. I was looking at the README for the most recent Samba 4 Technology Preview. There's a section in there that says: "The Samba 4 architecture is based around an LDAP-like database that can use a range of modular backends. One of the backends supports standards compliant LDAP servers (including OpenLDAP), and we are working on modules to map between AD-like behaviours and this back-end. We are aiming for Samba 4 to be powerful front-end to large directories." The fact that FDS isn't mentioned doesn't necessarily mean anything to me, but I wonder if Richard or anyone involved in core FDS development could offer any observations on Samba 4 and the potential for use of FDS as a Samba 4 back end. I will say that making Samba 3 run with FDS back end involved a fair amount of knitting (tho' the same could be said for making Samba 3 run with OpenLDAP back end). I have only gotten so far as to untar the latest Samba 4 TP. Has anyone on list gone so far as to configure Samba 4 with FDS? Thanks, Jim From jimh at u.washington.edu Fri Jun 29 03:38:14 2007 From: jimh at u.washington.edu (Jim Hogan) Date: Thu, 28 Jun 2007 20:38:14 -0700 (PDT) Subject: [Fedora-directory-users] Samba 4 support/integration? In-Reply-To: References: Message-ID: Responding to myself.... Ever have one of those moments where you wished you waited 30 minutes before you posted??? 
Well, sure enough I found a fairly interesting page on the Samba Wiki that treats the issue of Samba 4 and supported LDAP servers: http://wiki.samba.org/index.php/Samba4/LDAP_Backend ..and I also, belatedly,found a "devel" mail list thread with discussion between Richard and Andrew Bartlett: http://lists.samba.org/archive/samba-technical/2007-January/050932.html So it looks like the Samba4-FDS discussion is active and those links give me a place to start. Now if anyone wants to offer observations related to my original post, great. In the meantime, let me make my excuses... Thanks. Jim On Thu, 28 Jun 2007, Jim Hogan wrote: > Sorry if this has been raised already.... > > We are presently running an NT4-style Samba 3 domain with FDS back end. Good. > I was looking at the README for the most recent Samba 4 Technology Preview. > There's a section in there that says: > > "The Samba 4 architecture is based around an LDAP-like database that > can use a range of modular backends. One of the backends supports > standards compliant LDAP servers (including OpenLDAP), and we are > working on modules to map between AD-like behaviours and this back-end. > We are aiming for Samba 4 to be powerful front-end to large > directories." > > The fact that FDS isn't mentioned doesn't necessarily mean anything to me, > but I wonder if Richard or anyone involved in core FDS development could > offer any observations on Samba 4 and the potential for use of FDS as a Samba > 4 back end. I will say that making Samba 3 run with FDS back end involved a > fair amount of knitting (tho' the same could be said for making Samba 3 run > with OpenLDAP back end). > > I have only gotten so far as to untar the latest Samba 4 TP. Has anyone on > list gone so far as to configure Samba 4 with FDS? 
> > Thanks, > > Jim From maumar at cost.it Fri Jun 29 15:33:28 2007 From: maumar at cost.it (Maurizio Marini) Date: Fri, 29 Jun 2007 17:33:28 +0200 Subject: [Fedora-directory-users] newbie question regarding replica setup Message-ID: <200706291733.28984.maumar@cost.it> As suggested in replicat.html#1108815 "For example, you could create an entry cn=Replication Manager,cn=config under the cn=config tree on the consumer server. This would be the supplier bind DN that all supplier servers would use to bind to the consumer to perform replication operations." i created an entry cn=Replication Manager,cn=config under the cn=config tree. Now, during Replica setup, it is asked in Replica Setting/Update Setting/Current supplier DNs: to input it, should i use: cn=Replication Manager or: cn=Replication Manager,cn=config ? the same doubt arose during Agreement setup Any help will be very appreciated Maurizio From patrick.morris at hp.com Fri Jun 29 15:37:50 2007 From: patrick.morris at hp.com (Morris, Patrick) Date: Fri, 29 Jun 2007 11:37:50 -0400 Subject: [Fedora-directory-users] newbie question regarding replica setup In-Reply-To: <200706291733.28984.maumar@cost.it> References: <200706291733.28984.maumar@cost.it> Message-ID: > As suggested in > replicat.html#1108815 > "For example, you could create an entry cn=Replication > Manager,cn=config under > the cn=config tree on the consumer server. This would be the supplier > bind DN > that all supplier servers would use to bind to the consumer to perform > replication operations." > i created an entry cn=Replication Manager,cn=config under the cn=config > tree. > Now, during Replica setup, it is asked in > Replica Setting/Update Setting/Current supplier DNs: > to input it, should i use: > cn=Replication Manager > or: > cn=Replication Manager,cn=config > ? 
>
> The same doubt arose during Agreement setup.
> Any help will be very appreciated.

As mentioned in the part you quoted, you need to use the DN of the entry you
created, so in this case that would be "cn=Replication Manager,cn=config".

If you're ever unsure of the DN for an entry, it will be listed in its
properties.

From vampired at gmail.com Fri Jun 29 19:21:40 2007
From: vampired at gmail.com (Vampire D)
Date: Fri, 29 Jun 2007 15:21:40 -0400
Subject: [Fedora-directory-users] Looking for training
Message-ID: <4ca8a4870706291221g5fd0eec5x373179cbbcef7dd5@mail.gmail.com>

I am looking for someone who has extensive experience with FDS to spend a
couple hours on the phone and WebEX (we will provide) to give us a walk
through the installation and configuration of FDS and multiple master
configuration. Coverage of common troubleshooting steps and common problems
would be expected as well. Assistance with phpldapadmin and schema
configuration would be a big plus.

I am looking to do this as soon as possible to give us a little boost on how
FDS works and how we can integrate it into our environment. You may contact
me directly in response to this, and I can work with most timezones. We can
provide two CentOS installations to do the install over.

If there is a good CBT or Online Class that you are familiar with, I would be
interested in hearing about it. But I suspect we only need a 2-4 hour
kickstart to put us in good shape.

--
"Do the actors on Unsolved Mysteries ever get arrested because they look just
like the criminal they are playing?"
Christopher

From slackamp at gmail.com Fri Jun 29 20:10:12 2007
From: slackamp at gmail.com (slamp slamp)
Date: Fri, 29 Jun 2007 16:10:12 -0400
Subject: [Fedora-directory-users] how to reset admin password?
Message-ID: <78926d250706291310v6c51f68eu8206130a2cd2accb@mail.gmail.com>

i changed the admin password using the admin console and now i cannot
log back in with the new or the old password. i saw a way to change
the directory manager password but i do not know if it's the same for
the admin password. please help.

From rmeggins at redhat.com Fri Jun 29 20:09:48 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 29 Jun 2007 14:09:48 -0600
Subject: [Fedora-directory-users] how to reset admin password?
In-Reply-To: <78926d250706291310v6c51f68eu8206130a2cd2accb@mail.gmail.com>
References: <78926d250706291310v6c51f68eu8206130a2cd2accb@mail.gmail.com>
Message-ID: <4685670C.3010400@redhat.com>

slamp slamp wrote:
> i changed the admin password using the admin console and now i cannot
> log back in with the new or the old password. i saw a way to change
> the directory manager password but i do not know if it's the same for
> the admin password. please help.
Did you restart the admin server afterwards? How did you change the
password?

From slackamp at gmail.com Fri Jun 29 20:25:56 2007
From: slackamp at gmail.com (slamp slamp)
Date: Fri, 29 Jun 2007 16:25:56 -0400
Subject: [Fedora-directory-users] how to reset admin password?
In-Reply-To: <4685670C.3010400@redhat.com>
References: <78926d250706291310v6c51f68eu8206130a2cd2accb@mail.gmail.com> <4685670C.3010400@redhat.com>
Message-ID: <78926d250706291325l11041d68ice420cefb0f947c4@mail.gmail.com>

yes i did. i changed the password using the admin console.

./startconsole
Logged in
Double clicked on Administration Server under Server Group
Under Configuration there is Access tab and that's where I changed it.

On 6/29/07, Richard Megginson wrote:
> slamp slamp wrote:
> > i changed the admin password using the admin console and now i cannot
> > log back in with the new or the old password. i saw a way to change
> > the directory manager password but i do not know if it's the same for
> > the admin password. please help.
> Did you restart the admin server afterwards? How did you change the
> password?

From rmeggins at redhat.com Fri Jun 29 20:54:42 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 29 Jun 2007 14:54:42 -0600
Subject: [Fedora-directory-users] how to reset admin password?
In-Reply-To: <78926d250706291325l11041d68ice420cefb0f947c4@mail.gmail.com>
References: <78926d250706291310v6c51f68eu8206130a2cd2accb@mail.gmail.com> <4685670C.3010400@redhat.com> <78926d250706291325l11041d68ice420cefb0f947c4@mail.gmail.com>
Message-ID: <46857192.40705@redhat.com>

slamp slamp wrote:
> yes i did. i changed the password using the admin console.
>
> ./startconsole
> Logged in
> Double clicked on Administration Server under Server Group
> Under Configuration there is Access tab and that's where I changed it.
What does the configuration directory server access log show for BIND
attempts?
>
> On 6/29/07, Richard Megginson wrote:
>> slamp slamp wrote:
>> > i changed the admin password using the admin console and now i cannot
>> > log back in with the new or the old password. i saw a way to change
>> > the directory manager password but i do not know if it's the same for
>> > the admin password. please help.
>> Did you restart the admin server afterwards? How did you change the
>> password?

From slackamp at gmail.com Sat Jun 30 00:36:06 2007
From: slackamp at gmail.com (slamp slamp)
Date: Fri, 29 Jun 2007 20:36:06 -0400
Subject: [Fedora-directory-users] how to reset admin password?
In-Reply-To: <46857192.40705@redhat.com>
References: <78926d250706291310v6c51f68eu8206130a2cd2accb@mail.gmail.com> <4685670C.3010400@redhat.com> <78926d250706291325l11041d68ice420cefb0f947c4@mail.gmail.com> <46857192.40705@redhat.com>
Message-ID: <78926d250706291736g5635529bu23c1e98766e08b0@mail.gmail.com>

[Fri Jun 29 16:12:21 2007] [error] [client xx.xx.xxx.xx] user admin: authentication failure for "/admin-serv/authenticate": Password Mismatch
[Fri Jun 29 16:12:25 2007] [error] [client xx.xx.xxx.xx] user admin: authentication failure for "/admin-serv/authenticate": Password Mismatch

On 6/29/07, Richard Megginson wrote:
> slamp slamp wrote:
> > yes i did. i changed the password using the admin console.
> >
> > ./startconsole
> > Logged in
> > Double clicked on Administration Server under Server Group
> > Under Configuration there is Access tab and that's where I changed it.
> What does the configuration directory server access log show for BIND
> attempts?
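
An added example (not part of the thread and not Fedora DS code): a small
Python script that parses Admin Server error-log lines in the format posted
in the last message above and reports client/user pairs with repeated
authentication failures. The sample log, its IP addresses, the threshold of 3
and the 5-minute window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line format of the "authentication failure" entries quoted in the thread.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] '
    r'user (?P<user>[^:]+): authentication failure for '
    r'"(?P<uri>[^"]+)": (?P<reason>.+)$'
)

# Constructed sample input (documentation-range addresses, not real data).
SAMPLE_LOG = """\
[Fri Jun 29 16:12:21 2007] [error] [client 192.0.2.10] user admin: authentication failure for "/admin-serv/authenticate": Password Mismatch
[Fri Jun 29 16:12:25 2007] [error] [client 192.0.2.10] user admin: authentication failure for "/admin-serv/authenticate": Password Mismatch
[Fri Jun 29 16:12:40 2007] [notice] unrelated line that must be skipped
[Fri Jun 29 16:13:02 2007] [error] [client 192.0.2.10] user admin: authentication failure for "/admin-serv/authenticate": Password Mismatch
[Fri Jun 29 17:40:00 2007] [error] [client 198.51.100.7] user admin: authentication failure for "/admin-serv/authenticate": Password Mismatch
"""

def parse_failures(text):
    """Yield (timestamp, client, user, reason) for each auth-failure line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # any other kind of log line is ignored
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        yield ts, m["client"], m["user"], m["reason"]

def find_bursts(text, threshold=3, window=timedelta(minutes=5)):
    """Return {(client, user): n} where n >= threshold failures fit in window."""
    by_key = defaultdict(list)
    for ts, client, user, _ in parse_failures(text):
        by_key[(client, user)].append(ts)
    bursts = {}
    for key, stamps in by_key.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1  # slide the window start forward
            if end - start + 1 >= threshold:
                bursts[key] = max(bursts.get(key, 0), end - start + 1)
    return bursts

if __name__ == "__main__":
    for (client, user), n in find_bursts(SAMPLE_LOG).items():
        print(f"{client} user={user}: {n} failures within 5 minutes")
```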