From paolo.barbato at igi.cnr.it Mon Oct 1 06:28:12 2007
From: paolo.barbato at igi.cnr.it (Paolo Barbato)
Date: Mon, 1 Oct 2007 08:28:12 +0200
Subject: [Fedora-directory-users] fds vs passsync vs AD
Message-ID:

Dear list,

I repost my original question on my troubles.... Does anybody have any idea why I'm facing such a problem?

Regards,
Paolo.

> Thanks for the reply, but I suspect I'm facing a different problem.
>
> Talking about SSL.
>
> As far as I understand, SSL is used both for passsync (AD -> FDS) and
> the replication agreement (AD <-> FDS). Note: two different tasks.
>
> In the first case the cert8.db certificates do the work. I've installed on both AD
> and FDS my CA certificate and the FDS server certificate. Passsync works
> without a hitch. When I change the password from Windows it is set exactly
> on FDS.
>
> The replication agreement is based on cert8.db on FDS and the MS
> architecture on AD; I mean that I make use of mmc to install the CA and
> AD server signed certificate.
>
> Replication also seems to work, since I see that AD and FDS users are
> "merged" in one (almost) identical list. So users that were in AD
> are created on FDS and vice versa, with (almost) all parameters
> set.
>
> My problem arises when, from a Linux machine authenticated on FDS, I
> issue passwd and change the password. Really all seems to go right, since
> FDS registers the new password, and AD also tells me that the change has
> been committed:
>
> first event
> User Account Changed:
>    Target Account Name: barbato
>    Target Domain: TEST
>    Target Account ID: TEST\barbato
>    Caller User Name: sync manager
>    Caller Domain: TEST
>    Caller Logon ID: (0x0,0x318F76)
>    Privileges: -
>    Changed Attributes:
>    Sam Account Name: -
>    Display Name: -
>    User Principal Name: -
>    Home Directory: -
> and after a while a second security event:
>
> User Account password set:
>    Target Account Name: barbato
>    Target Domain: TEST
>    Target Account ID: TEST\barbato
>    Caller User Name: sync manager
>    Caller Domain: TEST
>    Caller Logon ID: (0x0,0x318F76)
>
>
> But when I try to log on AD with this new password, AD tells me that
> I'm using the wrong one. Note that the previous one also doesn't work,
> and this confirms that it has really been changed.
>
> Has anybody faced this? Some other things to look into?
>
> Regards,
> Paolo.

--
------------------------------------------------------------------------------------------------
Paolo Barbato                email:    mailto:paolo.barbato at igi.cnr.it
Network Administrator        phone:    (39-049)-829-5097
                                       (39-049)-829-5000
Corso Stati Uniti,4          www:      http://www.igi.cnr.it
35127 Camin-Padova           PGP:      http://www.igi.cnr.it/wwwpgp/rfx_paolo_barbato.pgp
ITALY                        JabberID: rfx_paolo_barbato at messenger.efda.org
------------------------------------------------------------------------------------------------

From glenn at mail.txwes.edu Mon Oct 1 13:34:59 2007
From: glenn at mail.txwes.edu (Glenn)
Date: Mon, 1 Oct 2007 08:34:59 -0500
Subject: [Fedora-directory-users] fds vs passsync vs AD
In-Reply-To:
References:
Message-ID: <20071001133410.M57534@mail.txwes.edu>

Paolo - Have you compared password complexity rules between AD and FD? They should be the same.

-Glenn.

---------- Original Message -----------
From: Paolo Barbato
To: "General discussion list for the Fedora Directory server project."
Sent: Mon, 1 Oct 2007 08:28:12 +0200
Subject: Re: [Fedora-directory-users] fds vs passsync vs AD

> Dear list,
>
> I repost original question on my troubles....anybody has any idea on
> why I'm facing such a problem ?
>
> Regards,
> Paolo.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
------- End of Original Message -------

From peters at psinergybbs.com Mon Oct 1 10:56:51 2007
From: peters at psinergybbs.com (Peter Santiago)
Date: Mon, 01 Oct 2007 18:56:51 +0800
Subject: [Fedora-directory-users] fds vs passsync vs AD
In-Reply-To:
References:
Message-ID: <20071001185651.5vi0uuciok0gsowk@webmail.psinergybbs.com>

Hi,

I ran into a concrete wall...

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2836267

To create a synchronization agreement:

* In the Directory Server Console, select the Configuration tab.
* In the left-hand navigation tree, right-click on the suffix to sync, and select New Synchronization Agreement. You can also highlight the suffix, and select Menu>Object>New Synchronization Agreement.

I followed the above steps in Fedora Directory Server... There is no option for New Synchronization Agreement... Perhaps it was removed or renamed???

--
Peter Santiago
peters at psinergybbs.com
My website: www.psinergybbs.com
My spamtrap address: r34987y at psinergybbs.com

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

From peters at psinergybbs.com Tue Oct 2 17:37:05 2007
From: peters at psinergybbs.com (Peter Santiago)
Date: Wed, 03 Oct 2007 01:37:05 +0800
Subject: [Fedora-directory-users] fds vs passsync vs AD
In-Reply-To:
References:
Message-ID: <470281C1.4090803@psinergybbs.com>

Hi,

I ran into a concrete wall...

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2836267

To create a synchronization agreement:

1. In the Directory Server Console, select the Configuration tab.
2. In the left-hand navigation tree, right-click on the suffix to sync, and select New Synchronization Agreement. You can also highlight the suffix, and select Menu>Object>New Synchronization Agreement.

I followed the above steps in Fedora Directory Server... There is no option for New Synchronization Agreement... Perhaps it was removed or renamed???

--
Peter Santiago
peters at psinergybbs.com
My website: www.psinergybbs.com
My spamtrap address: r34987y at psinergybbs.com

From edlinuxguru at gmail.com Tue Oct 2 18:44:34 2007
From: edlinuxguru at gmail.com (Eddie C)
Date: Tue, 2 Oct 2007 14:44:34 -0400
Subject: [Fedora-directory-users] How can you monitor replication?
In-Reply-To:
References: <46FBCE13.60405@redhat.com>
Message-ID:

All this code is EXACTLY what I was looking for. I took this code and built it to work with nagios. It works great.
#!/usr/bin/perl
use strict;
use warnings;
# Edward Capriolo 2007
# Based on code by
# Ivan Ferreira - Enero 2007
#
# usage: perl check_ldap_replication ldapsomething.something.com "cn=Directory Manager" "mypassword" "cn=replica,cn=o\=something.com,cn=mapping tree,cn=config"
#
# Nagios command definition:
#define command {
#  command_name check_ldap_replication
#  command_line $USER1$/check_ldap_replication $HOSTADDRESS$ "$ARG1$" "$ARG2$" "$ARG3$"
#}

die "usage: $0 host binddn password replicadn\n" unless @ARGV == 4;

my $host = $ARGV[0]; # ldapsomething.something.com
my $cn   = $ARGV[1]; # cn=Directory Manager
my $pass = $ARGV[2]; # mypassword (-w puts it in the process list; ldapsearch -y passwordfile avoids that)
my $base = $ARGV[3]; # cn=replica,cn=o\=something.com,cn=mapping tree,cn=config

# Read the status and start time of the last update of every replication
# agreement stored under the replica entry.
my $r_cmd = "/usr/bin/ldapsearch -h $host -x -D \"$cn\" -b \"$base\" -w $pass "
          . "objectClass=nsDS5ReplicationAgreement "
          . "nsds5replicaLastUpdateStatus nsds5replicaLastUpdateStart";
#print "$r_cmd\n";
my @list = split(/\n/, `$r_cmd`);

my $res  = -1;   # numeric code leading the status value; 0 means the last update succeeded
my $line = "";
# Note: with several agreements under the replica only the last status line is kept.
foreach my $l (@list) {
    # print "$l\n";
    if ($l =~ /^nsds5replicaLastUpdateStatus/) {
        $line = $l;
        my @tok = split(/\s/, $l);
        $res = $tok[1] if defined $tok[1];
    }
}

if ($res == 0) {
    print("Replication OK: $line\n");
    exit 0;
}
print("Replication FAILED: $line\n");
exit 2;

On 9/27/07, Ian Meyer wrote:
> Thank you Richard and Ivan.. your replies are very helpful. :)
>
> - Ian
>
> On 9/27/07, Richard Megginson wrote:
> > Ian Meyer wrote:
> > > Hello,
> > >
> > > We have a decent sized env. (1 master, 16 slaves in different
> > > datacenters across the world) and we're trying to find a way to
> > > effectively monitor the status of replication. When was the last
> > > update? How many changes were made? How long did it take from start to
> > > finish? I know you can get most of this information from the gui, but
> > > we need to tie it in to our monitoring application. Is this
> > > information stored in a db anywhere? In ldap itself? Any insight would
> > > be appreciated.
> >
> > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/replicat.html#1106144
> >
> > > Thanks in advance!
> > > - Ian

From tag at netfoo.org Tue Oct 2 21:11:50 2007
From: tag at netfoo.org (Travis)
Date: Tue, 02 Oct 2007 17:11:50 -0400
Subject: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
Message-ID: <1191359510.30058.18.camel@ny2-noc-01>

Hi,

We're preparing to upgrade from the initial DS release to 1.0.4-1 on our RHEL4 servers. In testing, we've hit a brick wall while trying to set up SSL. We can install the server just fine, but when clicking on "Manage Certificates" in the console we get the following:

could not open file slapd-$hostname-cert8.db

We get the same type of error when trying to manage the admin server certs.

This is a completely fresh install, and we've double checked file ownership, so permissions are not an issue. After working on this for a while, I tried installing the FC6 rpm on my FC6 desktop with the same settings and JVM, which worked just fine... so it's something specific about the RHEL4 version or its dependencies.

I found one other post about this kind of issue (from Nov 2006 by Graham Leggett), but I never saw a solution. I have even tried initializing the DBs by hand with certutil, but this does not appear to make a difference.

Any advice?
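Editor-added example, not code from Eddie C's post above or from the Fedora DS project: the same nsds5replicaLastUpdateStatus check as the check_ldap_replication script in the "How can you monitor replication?" thread, but parsing ldapsearch's LDIF output properly (folded continuation lines, base64 values, records without a dn), grading every agreement rather than only the last one, and treating a zero status whose nsds5replicaLastUpdateStart is older than an hour as WARNING instead of OK. The sample LDIF, the agreement names and the replica dn are constructed assumptions.

```python
import base64
import re
from datetime import datetime, timedelta, timezone
# Constructed ldapsearch output for the replica entry: comment lines, a trailing
# "search result" record without a dn, and values folded at 76 columns the way
# OpenLDAP's ldapsearch wraps LDIF (a fold truncates the line the Perl script prints).
SAMPLE_LDIF = r"""# extended LDIF
# filter: objectClass=nsDS5ReplicationAgreement

dn: cn=ny2,cn=replica,cn=o\=something.com,cn=mapping tree,cn=config
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upda
 te succeeded
nsds5replicaLastUpdateStart: 20071002184300Z

dn: cn=lon1,cn=replica,cn=o\=something.com,cn=mapping tree,cn=config
nsds5replicaLastUpdateStatus: -1 Unable to acquire replica: error: can't contac
 t LDAP server
nsds5replicaLastUpdateStart: 20071002120000Z

# search result
search: 2
result: 0 Success
"""
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3                 # Nagios exit codes
SEVERITY = {OK: 0, WARNING: 1, UNKNOWN: 2, CRITICAL: 3}     # precedence when combining agreements
STATUS_RE = re.compile(r"^\s*(?:Error\s*\()?(-?\d+)\)?")   # "0 Replica ..." or newer "Error (0) Replica ..."

def unfold_ldif(text):
    """Split LDIF into records of logical lines, joining ' '-continuations and dropping comments."""
    records, current, in_comment = [], [], False
    for raw in text.splitlines():
        if raw.startswith(" "):            # continuation of the previous physical line
            if current and not in_comment:
                current[-1] += raw[1:]
            continue
        in_comment = raw.startswith("#")
        if in_comment:
            continue
        if not raw.strip():                # a blank line ends the record
            if current:
                records.append(current)
            current = []
        else:
            current.append(raw)
    return records + ([current] if current else [])

def parse_entries(text):
    """LDIF records -> dicts of lower-cased attribute name -> list of values."""
    entries = []
    for record in unfold_ldif(text):
        entry = {}
        for line in record:
            name, _, rest = line.partition(":")
            if rest.startswith(":"):       # "attr:: <base64>" form
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            entry.setdefault(name.strip().lower(), []).append(value)
        entries.append(entry)
    return entries

def parse_update_time(value):
    """GeneralizedTime such as 20071002184300Z -> aware datetime; None if absent or never run (1970)."""
    try:
        when = datetime.strptime(value.strip(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return None if when.year == 1970 else when

def grade_agreement(entry, now, max_age):
    """One agreement -> (level, message): non-zero status is CRITICAL, a stale OK only a WARNING."""
    name = entry["dn"][0].split(",", 1)[0]
    status = entry.get("nsds5replicalastupdatestatus", [""])[0]
    match = STATUS_RE.match(status)
    started = parse_update_time(entry.get("nsds5replicalastupdatestart", [""])[0])
    if not match:
        return UNKNOWN, f"{name}: unparseable status '{status}'"
    if int(match.group(1)) != 0:
        return CRITICAL, f"{name}: {status}"
    if started is None:
        return WARNING, f"{name}: status OK but no last update time"
    if now - started > max_age:
        return WARNING, f"{name}: status OK but last update {int((now - started).total_seconds() // 60)} min ago"
    return OK, f"{name}: {status}"

def check_replication(ldif_text, now, max_age=timedelta(hours=1)):
    """All agreements -> one Nagios (exit_code, message) pair."""
    agreements = [e for e in parse_entries(ldif_text) if "dn" in e]
    if not agreements:
        return UNKNOWN, "Replication UNKNOWN: no nsDS5ReplicationAgreement entries returned"
    results = [grade_agreement(e, now, max_age) for e in agreements]
    worst = max((level for level, _ in results), key=SEVERITY.get)
    label = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}[worst]
    return worst, f"Replication {label}: " + "; ".join(msg for _, msg in results)

if __name__ == "__main__":
    exit_code, message = check_replication(SAMPLE_LDIF, datetime(2007, 10, 2, 18, 44, 34, tzinfo=timezone.utc))
    print(message)
    raise SystemExit(exit_code)
```

In production, feed check_replication the output of `ldapsearch -x -H ldap://host -D "cn=Directory Manager" -y /path/to/pwfile -b "<replica dn>" objectClass=nsDS5ReplicationAgreement nsds5replicaLastUpdateStatus nsds5replicaLastUpdateStart`; -y reads the bind password from a file instead of exposing it on the command line the way -w does.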
Thanks,

Travis

From rcritten at redhat.com Tue Oct 2 21:30:52 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 02 Oct 2007 17:30:52 -0400
Subject: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
In-Reply-To: <1191359510.30058.18.camel@ny2-noc-01>
References: <1191359510.30058.18.camel@ny2-noc-01>
Message-ID: <4702B88C.2090201@redhat.com>

Permissions perhaps?

rob

From tag at netfoo.org Tue Oct 2 22:25:50 2007
From: tag at netfoo.org (Travis)
Date: Tue, 02 Oct 2007 18:25:50 -0400
Subject: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
In-Reply-To: <4702B88C.2090201@redhat.com>
References: <1191359510.30058.18.camel@ny2-noc-01> <4702B88C.2090201@redhat.com>
Message-ID: <1191363950.30058.27.camel@ny2-noc-01>

Hi,

No, as noted it is a completely new install, and I've already double checked permissions.

Regardless - I've also tried chowning the entire tree to ldap (yes, this is the user that privs are being dropped to), as well as setting a+rw on the entire /opt/fedora-ds tree.

Thanks,

Travis

On Tue, 2007-10-02 at 17:30 -0400, Rob Crittenden wrote:
> Permissions perhaps?
>
> rob

From tag at netfoo.org Tue Oct 2 22:49:00 2007
From: tag at netfoo.org (Travis)
Date: Tue, 02 Oct 2007 18:49:00 -0400
Subject: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
In-Reply-To: <1191363950.30058.27.camel@ny2-noc-01>
References: <1191359510.30058.18.camel@ny2-noc-01> <4702B88C.2090201@redhat.com> <1191363950.30058.27.camel@ny2-noc-01>
Message-ID: <1191365340.30058.33.camel@ny2-noc-01>

I agree with Graham's original idea - it's almost as if the server is not looking in the proper location for the database. Does anyone know where this is set?

Thanks,

Travis

From richard at powerset.com Tue Oct 2 23:02:57 2007
From: richard at powerset.com (Richard Hesse)
Date: Tue, 2 Oct 2007 16:02:57 -0700
Subject: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
In-Reply-To: <4702B88C.2090201@redhat.com>
References: <1191359510.30058.18.camel@ny2-noc-01> <4702B88C.2090201@redhat.com>
Message-ID: <84E2AE771361E9419DD0EFBD31F09C4D4894671775@EXVMBX015-1.exch015.msoutlookonline.net>

> could not open file slapd-$hostname-cert8.db

Does $hostname match the slapd instance name? For example, is the path to your slapd directory /opt/fedora-ds/slapd-$hostname? Or is it slapd-$somethingelse?

-richard

From rmeggins at redhat.com Tue Oct 2 23:04:33 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 02 Oct 2007 17:04:33 -0600
Subject: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
In-Reply-To: <1191365340.30058.33.camel@ny2-noc-01>
References: <1191359510.30058.18.camel@ny2-noc-01> <4702B88C.2090201@redhat.com> <1191363950.30058.27.camel@ny2-noc-01> <1191365340.30058.33.camel@ny2-noc-01>
Message-ID: <4702CE81.5010901@redhat.com>

Travis wrote:
> I agree with Graham's original idea - it's almost as if the server is not
> looking in the proper location for the database. Does anyone know where
> this is set?

It looks for /opt/fedora-ds/alias/slapd-instancename-cert8.db - also

grep -i nscert /opt/fedora-ds/slapd-instancename/config/dse.ldif

From peters at psinergybbs.com Wed Oct 3 04:57:31 2007
From: peters at psinergybbs.com (Peter Santiago)
Date: Wed, 03 Oct 2007 12:57:31 +0800
Subject: [Fedora-directory-users] need for Winsync clarification
In-Reply-To:
References:
Message-ID: <4703213B.6000701@psinergybbs.com>

Hi,

I ran into a concrete wall...

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2836267

To create a synchronization agreement:

1. In the Directory Server Console, select the Configuration tab.
2. In the left-hand navigation tree, right-click on the suffix to sync, and select New Synchronization Agreement. You can also highlight the suffix, and select Menu>Object>New Synchronization Agreement.

I followed the above steps in Fedora Directory Server... There is no option for New Synchronization Agreement... Perhaps it was removed or renamed???

--
Peter Santiago
peters at psinergybbs.com
My website: www.psinergybbs.com
My spamtrap address: r34987y at psinergybbs.com

From david_list at boreham.org Wed Oct 3 05:12:27 2007
From: david_list at boreham.org (David Boreham)
Date: Tue, 02 Oct 2007 23:12:27 -0600
Subject: [Fedora-directory-users] need for Winsync clarification
In-Reply-To: <4703213B.6000701@psinergybbs.com>
References: <4703213B.6000701@psinergybbs.com>
Message-ID: <470324BB.8030606@boreham.org>

Peter Santiago wrote:
> I followed the above steps in Fedora Directory Server... There is no
> option for New Synchronization Agreement... Perhaps it was removed or
> renamed???

I think the menu item is disabled until the changelog is configured. Strangely, the winsync docs appear to fail to mention this step. This is the best documentation I could find on enabling the changelog:

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/replicat.html#1100336

From tag at netfoo.org Wed Oct 3 13:23:33 2007
From: tag at netfoo.org (Travis)
Date: Wed, 03 Oct 2007 09:23:33 -0400
Subject: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
In-Reply-To: <4702CE81.5010901@redhat.com> References: <1191359510.30058.18.camel@ny2-noc-01> <4702B88C.2090201@redhat.com> <1191363950.30058.27.camel@ny2-noc-01> <1191365340.30058.33.camel@ny2-noc-01> <4702CE81.5010901@redhat.com> Message-ID: <1191417813.30058.40.camel@ny2-noc-01> Thanks Richard and Richard - Tried to post last night by my home mail server is blocked as a spammer for some reason (a bad spammer *is* on my subnet somewhere...) I had a long think about what was different between the working installs and non-working installs and realized the one that wasn't working had a "." in the name due to our naming convention. I tried substituting a "-" for the "." and it worked like a charm. :-) Thanks for the help folks. I'll file a bug report - the installer should at least prevent you from using periods in instance names. Travis On Tue, 2007-10-02 at 17:04 -0600, Richard Megginson wrote: > Travis wrote: > > I agree with Graham's original idea - its almost as if the server is not > > looking in the proper location for the database. Does anyone know where > > this is set? > > > It looks for /opt/fedora-ds/alias/slapd-instancename-cert8.db - also > grep -i nscert /opt/fedora-ds/slapd-instancename/config/dse.ldif > > Thanks, > > > > Travis > > > > On Tue, 2007-10-02 at 18:25 -0400, Travis wrote: > > > >> Hi, > >> > >> No, as noted it is a completely new install, and I've already ddouble > >> checked permissions. > >> > >> Regardless - I've also tried chowning the entire tree to ldap (yes, this > >> is the user privs are being dropped to), as well as setting a+rw on the > >> entire /opt/fedora-ds tree. > >> > >> Thanks, > >> > >> Travis > >> > >> > >> On Tue, 2007-10-02 at 17:30 -0400, Rob Crittenden wrote: > >> > >>> Travis wrote: > >>> > >>>> Hi, > >>>> > >>>> We're preparing to upgrade from the initial DS release to 1.0.4-1 on our > >>>> RHEL4 servers. In testing, we've hit a brick wall while trying to set > >>>> up SSL. 
We can install the server just fine, but when clicking on > >>>> "Manage Certificates" in the console we get the following: > >>>> > >>>> could not open file slapd-$hostname-cert8.db > >>>> > >>>> We get the same type of error when trying to manage the admin server > >>>> certs. > >>>> > >>>> This is a completely fresh install, and we've double checked file > >>>> ownership, so permissions are not an issue. After working on this for a > >>>> while, I tried installing the FC6 rpm on my FC6 desktop with the same > >>>> settings and JVM, which worked just fine...so its something specific > >>>> about the RHEL4 version or its dependencies. > >>>> > >>>> I found one other post about this kind of issue (From Nov 2006 by Graham > >>>> Leggett), but I never saw a solution. I have even tried initializing > >>>> the DBs by hand with certutil, but this does not appear to make a > >>>> difference. > >>>> > >>>> Any advice? > >>>> > >>>> > >>> Permissions perhaps? > >>> > >>> rob > >>> > >>> > >> -- > >> Fedora-directory-users mailing list > >> Fedora-directory-users at redhat.com > >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > >> > >> > >> !DSPAM:10001,4702c57f55891133320659! > >> > >> > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > !DSPAM:10001,4702cfc155891054640233! From glenn at mail.txwes.edu Wed Oct 3 13:48:16 2007 From: glenn at mail.txwes.edu (Glenn) Date: Wed, 3 Oct 2007 08:48:16 -0500 Subject: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable? In-Reply-To: <4702CE81.5010901@redhat.com> References: <1191359510.30058.18.camel@ny2-noc-01> <4702B88C.2090201@redhat.com> <1191363950.30058.27.camel@ny2-noc-01> <1191365340.30058.33.camel@ny2-noc-01> <4702CE81.5010901@redhat.com> Message-ID: <20071003134451.M14961@mail.txwes.edu> Travis - I had this problem with new installations and clean re- installations. 
The installation of Fedora Directory did not create the certificate database. I solved it by creating the appropriately-named certificate database in the correct location using certutil. -Glenn. ---------- Original Message ----------- From: Richard Megginson To: tag at netfoo.org, "General discussion list for the Fedora Directory server project." Sent: Tue, 02 Oct 2007 17:04:33 -0600 Subject: Re: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable? > Travis wrote: > > I agree with Graham's original idea - its almost as if the server is not > > looking in the proper location for the database. Does anyone know where > > this is set? > > > It looks for /opt/fedora-ds/alias/slapd-instancename-cert8.db - also > grep -i nscert /opt/fedora-ds/slapd-instancename/config/dse.ldif From jemcdon at gmail.com Wed Oct 3 13:51:37 2007 From: jemcdon at gmail.com (Jeffrey McDonald) Date: Wed, 3 Oct 2007 09:51:37 -0400 Subject: [Fedora-directory-users] problems with post/fedora-ds Message-ID: <34c467030710030651g7630730frd9d93127f18af769@mail.gmail.com> Hi, I'm having some problems with fedora-ds and postfix in a high-rate environment. First, let me say that we are migrating from openldap-1.2.2 to Fedora-DS. The configuration with postfix+openldap has to be migrated to fedora-ds and the postfix+openldap works great in the high-rate environment. I have a relay_recipient_maps and a alias list which both use ldap. However, ldaps connections (and ldap) connections to fedora-DS seem to time out in a high-rate environment. In slow-rate environment were there are a few 10s of emails an hour, things work fine. In the high-rate where you receive 1-5 of emails per second, I am seeing lots of temporary lookup failures. My configuration looks exactly like the POSTFIX Wiki configuration on the directory.fedoraproject.org/wiki page. 
We did some debugging to take a look at postfix, which attempts to open a connection to the ldap server and does; then it wants to perform multiple lookups per connection, but this doesn't work -- it seems for some reason that postfix is unable to do more than one lookup per connection. The fedora-DS ends up with many connections from postfix which eventually time out.

Any ideas as to what could be wrong?

Thanks,
Jeff

From rmeggins at redhat.com Wed Oct 3 14:02:15 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 03 Oct 2007 08:02:15 -0600
Subject: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
In-Reply-To: <20071003134451.M14961@mail.txwes.edu>
References: <1191359510.30058.18.camel@ny2-noc-01> <4702B88C.2090201@redhat.com> <1191363950.30058.27.camel@ny2-noc-01> <1191365340.30058.33.camel@ny2-noc-01> <4702CE81.5010901@redhat.com> <20071003134451.M14961@mail.txwes.edu>
Message-ID: <4703A0E7.4070105@redhat.com>

Glenn wrote:
> Travis - I had this problem with new installations and clean
> re-installations. The installation of Fedora Directory did not create the
> certificate database. I solved it by creating the appropriately-named
> certificate database in the correct location using certutil. -Glenn.
>
Is there any sort of pattern to when it does or does not create the key/cert databases? When the server starts up, it is supposed to create them if they are not there. This means that /opt/fedora-ds/alias must be writable by the server user id (default nobody). When you uninstall the server, it does not remove the key and cert databases, because this could be potentially devastating if you had not backed them up first.

> ---------- Original Message -----------
> From: Richard Megginson
> To: tag at netfoo.org, "General discussion list for the Fedora Directory server project."
> Sent: Tue, 02 Oct 2007 17:04:33 -0600
> Subject: Re: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
>
> [snip]

From tag at netfoo.org Wed Oct 3 14:20:09 2007
From: tag at netfoo.org (Travis)
Date: Wed, 03 Oct 2007 10:20:09 -0400
Subject: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
In-Reply-To: <20071003134451.M14961@mail.txwes.edu>
References: <1191359510.30058.18.camel@ny2-noc-01> <4702B88C.2090201@redhat.com> <1191363950.30058.27.camel@ny2-noc-01> <1191365340.30058.33.camel@ny2-noc-01> <4702CE81.5010901@redhat.com> <20071003134451.M14961@mail.txwes.edu>
Message-ID: <1191421209.30058.47.camel@ny2-noc-01>

Hi Glen,

That was not the problem - the DB was there after install (though not the admin server DB), it just couldn't parse the "." in the instance name.

Travis

On Wed, 2007-10-03 at 08:48 -0500, Glenn wrote:
> Travis - I had this problem with new installations and clean
> re-installations. The installation of Fedora Directory did not create the
> certificate database. I solved it by creating the appropriately-named
> certificate database in the correct location using certutil. -Glenn.
>
> ---------- Original Message -----------
> From: Richard Megginson
> To: tag at netfoo.org, "General discussion list for the Fedora Directory server project."
> Sent: Tue, 02 Oct 2007 17:04:33 -0600
> Subject: Re: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
>
> [snip]

From listas.vhs at gmail.com Wed Oct 3 15:20:07 2007
From: listas.vhs at gmail.com (Victor Hugo dos Santos)
Date: Wed, 3 Oct 2007 11:20:07 -0400
Subject: [Fedora-directory-users] problem with SSL and load balance
Message-ID: <5dce4940710030820s29c9c96amd1faf59f4ebf4204@mail.gmail.com>

Hello List,

I have the same problem that Alex Aka had in Apr 2006:
http://www.redhat.com/archives/fedora-directory-users/2006-April/msg00022.html

I have two FDS (fds1 and fds2) in MMR.

In the DNS I created these machines:

fds1 IN A 10.0.0.11
fds2 IN A 10.0.0.12
fds  IN A 10.0.0.11
fds  IN A 10.0.0.12

In the clients, I configure ldap.conf with these parameters:

BASE dc=mydomain,dc=com
URI ldap://fds.mydomain.com

This configuration works very, very fine!!!! There is replication between the servers and fault tolerance in the clients.. but when I enable SSL in the server and in the clients (ldap.conf):

BASE dc=mydomain,dc=com
URI ldaps://fds.mydomain.com
TLS_CACERT /etc/ssl/certs/cacert.org.pem
TLS_REQCERT allow

it does "not" work!!! :-( I receive this error:

ldap_bind: Can't contact LDAP server (-1)
additional info: TLS: hostname does not match CN in peer certificate

This problem derives from the fact that I configured the servers with one certificate each and a distinct CN for each independent server (fds1 and fds2)...
If I configure the same certificate with the same CN (fds) for both nodes (fds1 and fds2).. it works fine in the clients, but the replication doesn't work!!! :-(

obs.: my certificates are signed by http://cacert.org

Any idea or suggestion???

thanks

--
--
Victor Hugo dos Santos
Linux Counter #224399

From iferreir at personal.com.py Wed Oct 3 15:27:15 2007
From: iferreir at personal.com.py (Ivan Ferreira)
Date: Wed, 3 Oct 2007 11:27:15 -0400
Subject: [Fedora-directory-users] problem with SSL and load balance
In-Reply-To: <5dce4940710030820s29c9c96amd1faf59f4ebf4204@mail.gmail.com>
Message-ID:

You must have one certificate for each server; the problem here is the DNS RR.

I don't like DNS load balancing because it cannot detect service failures. For example, you have in your client configuration files:

URI ldap://fds.mydomain.com

This works fine if both servers are up, but if one server goes down, some clients randomly won't be able to contact the LDAP server.

It would be better to configure both ldap servers in the client configuration files, placed in a different order on each client, or to configure an LVS.

Cheers.

"Victor Hugo dos Santos"
fedora-directory-users-bounces at redhat.com
03/10/2007 11:20 a.m.
To: "General discussion list for the Fedora Directory server project."
cc:
Subject: [Fedora-directory-users] problem with SSL and load balance
Classification: Internal Use
Please reply to "General discussion list for the Fedora Directory server project."

[snip]
========================================================================================
LEGAL NOTICE: This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited.
This communication is for information purposes only and shall not be regarded as a proposal, acceptance or a statement of will or official statement from NUCLEO S.A. Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice.

From peters at psinergybbs.com Wed Oct 3 15:44:20 2007
From: peters at psinergybbs.com (Peter Santiago)
Date: Wed, 03 Oct 2007 23:44:20 +0800
Subject: [Fedora-directory-users] nss_ldap cannot authenticate vs FDS
Message-ID: <20071003234420.tc4memcrtw4w848s@webmail.psinergybbs.com>

Hi,

I was able to finally configure FDS to sync with ADS with Winsync. Thanks a lot to the members here.

Now I ran into another peculiar problem. NSS_LDAP seems not to be able to authenticate or do a successful query against FDS.

I used ldapsearch to double check; I was able to do a successful query against FDS.

Attached are two files from doing id and ldapsearch. I have enabled debugging.

Could someone help explain why ldapsearch can successfully query FDS whereas NSS_LDAP cannot? Maybe there is a need to patch NSS_LDAP? I'm using nss_ldap 253 from the fedora 6 package.

--
Peter Santiago peters at psinergybbs.com
My website: www.psinergybbs.com
My spamtrap address: r34987y at psinergybbs.com

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
From david_list at boreham.org Wed Oct 3 15:54:36 2007
From: david_list at boreham.org (David Boreham)
Date: Wed, 03 Oct 2007 09:54:36 -0600
Subject: [Fedora-directory-users] nss_ldap cannot authenticate vs FDS
In-Reply-To: <20071003234420.tc4memcrtw4w848s@webmail.psinergybbs.com>
References: <20071003234420.tc4memcrtw4w848s@webmail.psinergybbs.com>
Message-ID: <4703BB3C.9010908@boreham.org>

Looking at the debug logs you provided, the entry is correctly returned by the server in both cases. So presumably NSS_LDAP doesn't like the look of it. Is it expecting some specific object class that's missing perhaps?

Peter Santiago wrote:
> Hi,
>
> I was able to finally configure FDS to sync with ADS with Winsync.
> Thanks a lot to the members here.
>
> Now I ran into another peculiar problem. NSS_LDAP seems not to be able
> to authenticate or do a successful query against FDS.
>
> I used ldapsearch to double check, I was able to do a successful query
> against FDS.
>
> Attached are two files from doing id and ldapsearch. I have enabled
> debugging.
>
> Could someone help explain why ldapsearch can successfully query FDS
> whereas NSS_LDAP cannot? Maybe there is a need to patch NSS_LDAP? I'm
> using nss_ldap 253 from fedora 6 package.
>
> --
> Peter Santiago peters at psinergybbs.com

From srigler at marathonoil.com Wed Oct 3 15:55:00 2007
From: srigler at marathonoil.com (Steve Rigler)
Date: Wed, 03 Oct 2007 10:55:00 -0500
Subject: [Fedora-directory-users] nss_ldap cannot authenticate vs FDS
In-Reply-To: <20071003234420.tc4memcrtw4w848s@webmail.psinergybbs.com>
References: <20071003234420.tc4memcrtw4w848s@webmail.psinergybbs.com>
Message-ID: <1191426900.16845.19.camel@houuc8>

On Wed, 2007-10-03 at 23:44 +0800, Peter Santiago wrote:
> [snip]
>
> Could someone help explain why ldapsearch can successfully query FDS
> whereas NSS_LDAP cannot? Maybe there is a need to patch NSS_LDAP? I'm
> using nss_ldap 253 from fedora 6 package.
>

Is "ftest" a posixAccount?
-Steve

From peters at psinergybbs.com Wed Oct 3 16:08:05 2007
From: peters at psinergybbs.com (Peter Santiago)
Date: Thu, 04 Oct 2007 00:08:05 +0800
Subject: [Fedora-directory-users] nss_ldap cannot authenticate vs FDS
In-Reply-To: <1191426900.16845.19.camel@houuc8>
References: <20071003234420.tc4memcrtw4w848s@webmail.psinergybbs.com> <1191426900.16845.19.camel@houuc8>
Message-ID: <20071004000805.w0m9bmxk6cws4sk0@webmail.psinergybbs.com>

Quoting Steve Rigler :

[snip]
>
> Is "ftest" a posixAccount?
>
> -Steve
>

By George, you hit the nail on the head. My bad..... Thanks a lot. I have enabled posixUsers attributes and it worked.

Now one more question. Since I'm syncing users from ADS to FDS, is there any way to enable the posix Users attribute for the imported users? Or do I have to manually enable it for each synced user?

--
Peter Santiago peters at psinergybbs.com
My website: www.psinergybbs.com
My spamtrap address: r34987y at psinergybbs.com

From Enrico.M.V.Fasanelli at le.infn.it Wed Oct 3 17:49:56 2007
From: Enrico.M.V.Fasanelli at le.infn.it (Enrico M. V. Fasanelli)
Date: Wed, 03 Oct 2007 19:49:56 +0200
Subject: [Fedora-directory-users] problem with SSL and load balance
In-Reply-To: <5dce4940710030820s29c9c96amd1faf59f4ebf4204@mail.gmail.com>
References: <5dce4940710030820s29c9c96amd1faf59f4ebf4204@mail.gmail.com>
Message-ID: <4703D644.9020608@le.infn.it>

Hi Victor,

have you tried with a certificate that contains the alternate name of the server?
Something like

X509v3 Subject Alternative Name:
    DNS:fds.mydomain.com, DNS:fds1.mydomain.com

Ciao,
Enrico

Victor Hugo dos Santos wrote:
> [snip]
>
> this problem, is derivate that i configured the servers with one
> certificate and distinct CN for independent serves (fds1 and fds2)...
>
> if I config one same certificate with same CN (fds) for both nodes
> (fds1 and fds2).. work fine in the clients, but the replication dont
> work !!! :-(
>
> [snip]

--
Few know what Einstein really discovered: when we eat spaghetti, we are in fact chewing a concentrate of Space-Time. (Antonino Zichichi)
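Enrico's suggestion carried through as an added example (this is not code from the thread): each replica keeps its own key and certificate, but every certificate's Subject Alternative Name lists both the replica's own name and the shared round-robin name, so the same certificate passes the client's hostname check for fds.mydomain.com and the replication peer's check for fds1/fds2.mydomain.com. The throw-away CA, the `$WORK` directory and the one-day validity are constructed here; the hostnames follow the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Requires openssl 1.1.0 or newer
# (for -verify_hostname). Files are left in $WORK for inspection.
set -e

WORK="${WORK:-$(mktemp -d)}"
DOMAIN="mydomain.com"
SHARED="fds"            # the DNS round-robin name the clients use

# Throw-away test CA standing in for the external CA used in the thread.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=test-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Issue a certificate for one replica (e.g. fds1): its own key, its own CN,
# and a SAN covering both its own name and the shared name.
issue_replica_cert() {
    host="$1"
    printf 'subjectAltName=DNS:%s.%s,DNS:%s.%s\n' \
        "$host" "$DOMAIN" "$SHARED" "$DOMAIN" > "$WORK/$host.ext"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$host.$DOMAIN" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$host.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$host.ext" -out "$WORK/$host.pem" >/dev/null 2>&1
}

# Exit status 0 when the certificate chains to the CA and is valid for the
# given hostname, i.e. the check an LDAP client performs before reporting
# "hostname does not match CN in peer certificate".
cert_matches_host() {
    cert="$1"; name="$2"
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$name" "$cert" \
        >/dev/null 2>&1
}

make_ca
issue_replica_cert fds1
issue_replica_cert fds2
```

Because the SAN is present, the client and the replication peer both match against the SAN list and the CN no longer matters, which is why a single shared CN=fds certificate is not needed.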
From lance.raymond at gmail.com Wed Oct 3 18:31:58 2007
From: lance.raymond at gmail.com (lance raymond)
Date: Wed, 3 Oct 2007 14:31:58 -0400
Subject: [Fedora-directory-users] linux authentication though ds
Message-ID: <5d1656000710031131y6cc0c663jb6a930299f76bfbb@mail.gmail.com>

Afternoon, I have been reading a lot on this and wish to see if I am on the right track. I wish to have all employees' login information stored in DS, and authenticate through it. I subscribed to the list a few days ago and the questions are pretty high level, so it does seem that people are using Fedora's version, so I guess for starters, is this possible?

I already have Fedora DS running, added a few people, but I didn't see too much on authenticating through DS.

Thanks ...
lr

From richard at powerset.com Wed Oct 3 19:17:50 2007
From: richard at powerset.com (Richard Hesse)
Date: Wed, 3 Oct 2007 12:17:50 -0700
Subject: [Fedora-directory-users] problem with SSL and load balance
In-Reply-To: <5dce4940710030820s29c9c96amd1faf59f4ebf4204@mail.gmail.com>
References: <5dce4940710030820s29c9c96amd1faf59f4ebf4204@mail.gmail.com>
Message-ID: <84E2AE771361E9419DD0EFBD31F09C4D4894671AAA@EXVMBX015-1.exch015.msoutlookonline.net>

Do wildcard certs work with Fedora Directory Server? If they do, that will easily solve your problem. That or setting checkpeer to off.

-richard

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Victor Hugo dos Santos
Sent: Wednesday, October 03, 2007 8:20 AM
To: General discussion list for the Fedora Directory server project.
Subject: [Fedora-directory-users] problem with SSL and load balance

[...]
thanks

--
Victor Hugo dos Santos
Linux Counter #224399

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

From jazcek at scs.fsu.edu Wed Oct 3 19:31:20 2007
From: jazcek at scs.fsu.edu (Jazcek Braden)
Date: Wed, 03 Oct 2007 15:31:20 -0400
Subject: [Fedora-directory-users] problem with SSL and load balance
In-Reply-To: <84E2AE771361E9419DD0EFBD31F09C4D4894671AAA@EXVMBX015-1.exch015.msoutlookonline.net>
References: <5dce4940710030820s29c9c96amd1faf59f4ebf4204@mail.gmail.com> <84E2AE771361E9419DD0EFBD31F09C4D4894671AAA@EXVMBX015-1.exch015.msoutlookonline.net>
Message-ID: <4703EE08.4020003@scs.fsu.edu>

Wildcard certs definitely work; that is the way that I have my load-balanced installation set up. However, if you are trying to use self-signed certificates I think you have to make sure to set up the trust chain, but I am not sure.

--
Jazcek Braden

Richard Hesse wrote:
> Do wildcard certs work with Fedora Directory Server? If they do, that will easily solve your problem. That or setting checkpeer to off.
>
> -richard
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Victor Hugo dos Santos
> Sent: Wednesday, October 03, 2007 8:20 AM
> To: General discussion list for the Fedora Directory server project.
> Subject: [Fedora-directory-users] problem with SSL and load balance
>
> [...]

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
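The whole SSL-and-load-balance sub-thread (Enrico's Subject Alternative Name suggestion, Richard's wildcard question, Jazcek's answer, and Victor's later certutil -R ... -8 request) turns on one check: the client compares the name it connected to (fds.mydomain.com for clients, fds1/fds2 for the replication agreements) against the names the server certificate asserts. The block below is an added example, not code from the list or from Fedora DS: a Python implementation of that matching in the dict shape that Python's ssl.getpeercert() returns, with three constructed sample identities built from the names in Victor's post (they are not real certificates). It shows why a CN-only per-node cert fails for the load-balanced name, why a SAN cert must also repeat the node's own name (once a SAN dNSName is present the CN is ignored), and how a wildcard matches exactly one leftmost label. One caveat a practitioner would add to Richard's alternative: turning the peer check off (nss_ldap tls_checkpeer, or a looser TLS_REQCERT) makes the error disappear by accepting any certificate, which gives up the protection against an impostor LDAP server; the certificate with the right names is the fix.

```python
"""Added example (not from the list thread or Fedora DS): hostname matching
against a server certificate's identities, the check behind the error
"TLS: hostname does not match CN in peer certificate".

Certificates are represented in the dict shape Python's
ssl.SSLSocket.getpeercert() returns. The three below are constructed
samples using the names from the thread, not real certificates."""

# Per-node certificate as first deployed: CN only, no subjectAltName.
CN_ONLY_FDS1 = {
    "subject": ((("commonName", "fds1.mydomain.com"),),),
}

# Certificate with the SAN Enrico suggested: the load-balanced name plus
# this node's own name, so both clients (fds) and replication (fds1) match.
SAN_FDS1 = {
    "subject": ((("commonName", "fds1.mydomain.com"),),),
    "subjectAltName": (("DNS", "fds.mydomain.com"), ("DNS", "fds1.mydomain.com")),
}

# Wildcard certificate of the kind Jazcek uses for a load-balanced setup.
# One key covers every host in the domain, so a compromise of any node
# that holds it lets that node impersonate all the others.
WILDCARD = {
    "subject": ((("commonName", "*.mydomain.com"),),),
    "subjectAltName": (("DNS", "*.mydomain.com"),),
}


def dnsname_matches(pattern, hostname):
    """Match one dNSName pattern against a hostname, RFC 6125 style:
    case-insensitive, trailing dot ignored, and '*' is honoured only as
    the entire leftmost label and matches exactly one label
    ('*.com', 'f*.x.com' and '*.*.x.com' never match anything)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or any("*" in l for l in plabels[1:]):
        return False
    return (len(hlabels) == len(plabels)
            and hlabels[0] != ""
            and hlabels[1:] == plabels[1:])


def identities(cert):
    """Names the certificate asserts. If any SAN dNSName is present the
    CN is ignored, which is why a SAN cert must repeat the node's own name."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def match_hostname(cert, hostname):
    """True if the name the client connected to is covered by the cert."""
    return any(dnsname_matches(p, hostname) for p in identities(cert))


def coverage(cert, hostnames):
    """Which of the names a deployment uses (the client alias and each
    replica's own name) the certificate satisfies; the False entries are
    the connections that fail with 'hostname does not match'."""
    return {h: match_hostname(cert, h) for h in hostnames}


if __name__ == "__main__":
    names = ["fds.mydomain.com", "fds1.mydomain.com", "fds2.mydomain.com"]
    for label, cert in [("CN only", CN_ONLY_FDS1), ("SAN", SAN_FDS1), ("wildcard", WILDCARD)]:
        print(label, coverage(cert, names))
```

Run stand-alone it prints the coverage table for the three sample identities; the CN-only row reproduces Victor's failure for fds.mydomain.com, the SAN row passes for fds and fds1 but not fds2 (each replica needs its own cert listing its own name plus the shared alias, which is exactly what Victor's later certutil -8 list does), and the wildcard row passes for all three.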
From msauton at redhat.com Wed Oct 3 20:31:35 2007
From: msauton at redhat.com (Marc Sauton)
Date: Wed, 03 Oct 2007 13:31:35 -0700
Subject: [Fedora-directory-users] linux authentication though ds
In-Reply-To: <5d1656000710031131y6cc0c663jb6a930299f76bfbb@mail.gmail.com>
References: <5d1656000710031131y6cc0c663jb6a930299f76bfbb@mail.gmail.com>
Message-ID: <4703FC27.6030900@redhat.com>

It depends what you want to do; there is some info in the howto section at:
http://directory.fedoraproject.org/wiki/Documentation#Howtos

Under "A series of articles about how to get the Directory Server working with other tools", you will find some links to articles, for example about pam, MTAs, file systems, apache.

M.

lance raymond wrote:
> Afternoon, I have been reading a lot on this and wish to see if I am
> on the right track. I wish to have all employees' login information
> stored in DS, and authenticate through it. [...]
>
> I already have Fedora DS running, added a few people, but I didn't see
> too much on authenticating through DS.
>
> Thanks ...
> lr

From msauton at redhat.com Wed Oct 3 20:36:26 2007
From: msauton at redhat.com (Marc Sauton)
Date: Wed, 03 Oct 2007 13:36:26 -0700
Subject: [Fedora-directory-users] problem with SSL and load balance
In-Reply-To: <4703D644.9020608@le.infn.it>
References: <5dce4940710030820s29c9c96amd1faf59f4ebf4204@mail.gmail.com> <4703D644.9020608@le.infn.it>
Message-ID: <4703FD4A.70907@redhat.com>

Just for info, there was a good contribution in
http://directory.fedoraproject.org/wiki/Howto:SSL#Using_Subject_Alt_Name

M.

Enrico M. V. Fasanelli wrote:
> Hi Victor,
>
> have you tried with a certificate that contains the alternate name of
> the server?
>
> Something like
> X509v3 Subject Alternative Name: DNS:fds.mydomain.com,
> DNS:fds1.mydomain.com
>
> Ciao,
> Enrico
>
> Victor Hugo dos Santos wrote:
>> [...]

From msauton at redhat.com Wed Oct 3 20:37:34 2007
From: msauton at redhat.com (Marc Sauton)
Date: Wed, 03 Oct 2007 13:37:34 -0700
Subject: [Fedora-directory-users] problem with SSL and load balance
In-Reply-To: <4703EE08.4020003@scs.fsu.edu>
References: <5dce4940710030820s29c9c96amd1faf59f4ebf4204@mail.gmail.com> <84E2AE771361E9419DD0EFBD31F09C4D4894671AAA@EXVMBX015-1.exch015.msoutlookonline.net> <4703EE08.4020003@scs.fsu.edu>
Message-ID: <4703FD8E.4080108@redhat.com>

See
http://directory.fedoraproject.org/wiki/Howto:SSL#Import_the_CA_cert_into_another_Fedora_DS

M.

Jazcek Braden wrote:
> Wildcard certs definitely work; that is the way that I have my load-
> balanced installation set up. However, if you are trying to use
> self-signed certificates I think you have to make sure to set up the
> trust chain, but I am not sure.

From Clementous.Clement at fox.com Wed Oct 3 16:26:58 2007
From: Clementous.Clement at fox.com (Clementous Clement)
Date: Wed, 3 Oct 2007 09:26:58 -0700
Subject: [Fedora-directory-users] Fedora-DS/netgroup configuration
Message-ID: <12C2BCDB3FA74D4E8E482325998611190277EF48@fegplmsexmb05.ffe.foxeg.com>

Hello Everyone,

I'm a newbie to configuring/deploying Fedora-DS. I've been lucky enough to complete the installation for Fedora-DS. I need a little guidance on setting up and configuring netgroups. I've located the link below and researched it, but still can't get the feature to work. Any advice?

http://directory.fedoraproject.org/wiki/Howto:Netgroups

Thanks In Advance,

Clementous Clement
System Administrator
cclementous at gmail.com
From srigler at MarathonOil.com Thu Oct 4 13:22:10 2007
From: srigler at MarathonOil.com (Steve Rigler)
Date: Thu, 04 Oct 2007 08:22:10 -0500
Subject: [Fedora-directory-users] Fedora-DS/netgroup configuration
In-Reply-To: <12C2BCDB3FA74D4E8E482325998611190277EF48@fegplmsexmb05.ffe.foxeg.com>
References: <12C2BCDB3FA74D4E8E482325998611190277EF48@fegplmsexmb05.ffe.foxeg.com>
Message-ID: <1191504130.4298.8.camel@houuc8>

On Wed, 2007-10-03 at 09:26 -0700, Clementous Clement wrote:
> Hello Everyone,
>
> I'm a newbie to configuring/deploying Fedora-DS. I've been lucky
> enough to complete the installation for Fedora-DS. I need a little
> guidance on setting up and configuring netgroups. I've located the
> link below and researched it, but still can't get the
> feature to work. Any advice?
>
> http://directory.fedoraproject.org/wiki/Howto:Netgroups
>
> Thanks In Advance,
>
> Clementous Clement
> System Administrator
> cclementous at gmail.com
>

What are you trying to accomplish with netgroups that isn't working?

-Steve

From glenn at mail.txwes.edu Thu Oct 4 14:25:33 2007
From: glenn at mail.txwes.edu (Glenn)
Date: Thu, 4 Oct 2007 09:25:33 -0500
Subject: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
In-Reply-To: <4703A0E7.4070105@redhat.com>
References: <1191359510.30058.18.camel@ny2-noc-01> <4702B88C.2090201@redhat.com> <1191363950.30058.27.camel@ny2-noc-01> <1191365340.30058.33.camel@ny2-noc-01> <4702CE81.5010901@redhat.com> <20071003134451.M14961@mail.txwes.edu> <4703A0E7.4070105@redhat.com>
Message-ID: <20071004141907.M49775@mail.txwes.edu>

Richard - It has been months since I did this, and I don't remember each detail of the installation. I did not use the default server user ID; I changed it when given the opportunity during installation. Maybe this caused a permissions problem? -Glenn.
---------- Original Message -----------
From: Richard Megginson
To: "General discussion list for the Fedora Directory server project."
Sent: Wed, 03 Oct 2007 08:02:15 -0600
Subject: Re: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?

> Glenn wrote:
> > Travis - I had this problem with new installations and clean
> > re-installations. The installation of Fedora Directory did not create the
> > certificate database. I solved it by creating the appropriately-named
> > certificate database in the correct location using certutil. -Glenn.
> >
> Is there any sort of pattern to when it does or does not create the
> key/cert databases? When the server starts up, it is supposed to
> create them if they are not there. This means that
> /opt/fedora-ds/alias must be writable by the server user id (default nobody).

From tu2bgone at gmail.com Fri Oct 5 04:59:06 2007
From: tu2bgone at gmail.com (denmat)
Date: Fri, 5 Oct 2007 14:59:06 +1000
Subject: [Fedora-directory-users] Roles, Groups and Samba
Message-ID: <750b22c10710042159r69b48fa3v8ec7ff5dde33cc4d@mail.gmail.com>

Hi List,

I am in the process of testing Fedora DS with a Samba installation on Fedora Core 7 (fedora-ds-1.0.4-1, samba-3.0.26a-0).

As a general question, what has been the experience people have had with their installations of it? How have people dealt with Groups and Roles in relation to Samba? Especially in relation to Samba domain group mappings (Domain Admins, users, etc). Also has anyone used CoS to share directories (both in Samba and NFS automounts) as attributes in user DNs? Any handy doco people can point me to?
Regards,
Denmat

From alan.orlic at zd-lj.si Fri Oct 5 11:56:48 2007
From: alan.orlic at zd-lj.si (Alan Orlič Belšak)
Date: Fri, 05 Oct 2007 13:56:48 +0200
Subject: [Fedora-directory-users] Samba - Fedora DS password update
Message-ID: <47062680.1080508@zd-lj.si>

Hello,

one question, is there a way to update both Samba and LDAP passwords at the same time? I don't know what I'm doing wrong, but whatever I do I'm able to update only the Samba password. Because Samba and LDAP are both on the same server I really don't like to install extra SSL/TLS. Here is the Samba config. Also, why do I never get the password chat window as is defined in Samba?

Alan

Samba config:

[global]
    workgroup = ZDL
    security = user
    netbios name = pdc
    passdb backend = ldapsam:ldap://pdc.zd-lj.lan
    ldap admin dn = "cn=Directory Manager"
    ldap suffix = dc=zd-lj,dc=lan
    ldap user suffix = ou=People
    ldap machine suffix = ou=Computers
    ldap group suffix = ou=Groups
    log file = /var/log/samba/%m.log
    log level = 2
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    os level = 66
    domain logons = yes
    domain master = yes
    local master = yes
    preferred master = yes
    wins support = yes
    idmap uid = 15000-20000
    idmap gid = 15000-20000
    passwd program = /opt/IDEALX/sbin/smbldap-passwd %u
    passwd chat = *old*password* %o\n *new*password* %n\n *new*password* %n\n *changed*
    #passwd chat timeout = 2
    ldap passwd sync = no
    password server = PDC
    unix password sync = yes
    passwd chat debug = yes
    encrypt passwords = yes
    ...

From LACY_S at Mercer.edu Fri Oct 5 15:03:25 2007
From: LACY_S at Mercer.edu (Scott Lacy)
Date: Fri, 05 Oct 2007 11:03:25 -0400
Subject: [Fedora-directory-users] ldapmodify and Fedora DS migration
Message-ID: <4706523D.3070005@mercer.edu>

All,

I am migrating an LDAP server off of Netscape iPlanet to Fedora Directory Server 1.0.4. I am having some issues with ldapmodify in that the command that worked in iPlanet 5.0 to do adds, modifies, and deletes from the same run doesn't seem to work in Fedora DS.
With iPlanet:

ldapmodify -a -c -D "cn=Directory Manager" -w xxxxx -f updates.ldif

would take updates.ldif and do the adds, modifies, and deletions that were in the LDIF all in one run.

However, to do the same thing in Fedora DS, I find that I am having to do:

ldapmodify -c -x -D "cn=Directory Manager" -w xxxxx -f updates.ldif

and then

ldapmodify -a -c -x -D "cn=Directory Manager" -w xxxxx -f updates.ldif

So I guess I'm wondering if there is a way to get one iteration of ldapmodify to handle changes, adds, and deletes as the iPlanet version did.

Thanks!

From david_list at boreham.org Fri Oct 5 15:17:32 2007
From: david_list at boreham.org (David Boreham)
Date: Fri, 05 Oct 2007 09:17:32 -0600
Subject: [Fedora-directory-users] ldapmodify and Fedora DS migration
In-Reply-To: <4706523D.3070005@mercer.edu>
References: <4706523D.3070005@mercer.edu>
Message-ID: <4706558C.2010101@boreham.org>

Are you sure you are running a Netscape/Mozilla/FedoraDS ldapmodify and not an OpenLDAP ldapmodify?

Scott Lacy wrote:
> All,
>
> I am migrating an LDAP server off of Netscape iPlanet to Fedora
> Directory Server 1.0.4. I am having some issues with ldapmodify in
> that the command that worked in iPlanet 5.0 to do adds, modifies,
> and deletes from the same run doesn't seem to work in Fedora DS.
>
> [...]
>
> Thanks!

From rmeggins at redhat.com Fri Oct 5 15:21:04 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 05 Oct 2007 09:21:04 -0600
Subject: [Fedora-directory-users] ldapmodify and Fedora DS migration
In-Reply-To: <4706523D.3070005@mercer.edu>
References: <4706523D.3070005@mercer.edu>
Message-ID: <47065660.70406@redhat.com>

Scott Lacy wrote:
> All,
>
> I am migrating an LDAP server off of Netscape iPlanet to Fedora
> Directory Server 1.0.4. I am having some issues with ldapmodify in
> that the command that worked in iPlanet 5.0 to do adds, modifies,
> and deletes from the same run doesn't seem to work in Fedora DS.
>
> With iPlanet:
>
> ldapmodify -a -c -D "cn=Directory Manager" -w xxxxx -f updates.ldif
>
> would take updates.ldif and do the adds, modifies, and deletions that
> were in the LDIF all in one run.
>
> However, to do the same thing in Fedora DS, I find that I am having to
> do:
>
> ldapmodify -c -x -D "cn=Directory Manager" -w xxxxx -f updates.ldif
>
> and then
>
> ldapmodify -a -c -x -D "cn=Directory Manager" -w xxxxx -f updates.ldif
>
> So I guess I'm wondering if there is a way to get one iteration of
> ldapmodify to handle changes, adds, and deletes as the iPlanet
> version did.

I'm not sure. In the former case, you're probably using either the Solaris-supplied ldapmodify or the mozldap 5.x ldapmodify. In the latter case, you're using OpenLDAP ldapmodify (because of the -x argument, I'm assuming). It's possible that the different ldapmodify clients have different behaviors. You might try /opt/fedora-ds/shared/bin/ldapmodify which is the mozldap 6.x one.

> Thanks!
From listas.vhs at gmail.com Fri Oct 5 16:56:44 2007
From: listas.vhs at gmail.com (Victor Hugo dos Santos)
Date: Fri, 5 Oct 2007 12:56:44 -0400
Subject: [Fedora-directory-users] problem with SSL and load balance
In-Reply-To: <4703D644.9020608@le.infn.it>
References: <5dce4940710030820s29c9c96amd1faf59f4ebf4204@mail.gmail.com> <4703D644.9020608@le.infn.it>
Message-ID: <5dce4940710050956p25cad3aeg8f814a2f4daae17b@mail.gmail.com>

2007/10/3, Enrico M. V. Fasanelli :
> Hi Victor,
>
> have you tried with a certificate that contains the alternate name of
> the server?
>
> Something like
> X509v3 Subject Alternative Name: DNS:fds.mydomain.com,
> DNS:fds1.mydomain.com

yes .... apparently the Subject Alternative Name (SubjectAltName) is the best solution for this problem !!!!

but, I have one other problem !!! :-)

my certificates (all) are signed by cacert.org .. and in the Certificate Wizard in the DS Console, I don't see a field for SubjectAltName.. and in the ShowDN option I write:

CN="fds.multi.com",SubjectAltName=""DNS:fds.multi.com"",SubjectAltName=""DNS:fds2.multi.com""
/CN="fds.multi.com"/SubjectAltName=""DNS:fds.multi.com""/SubjectAltName=""DNS:fds2.multi.com""/

and others, but in step 4/4 I receive this error:

-------------------------------------------------------
Unable to convert DN to certificate name.
-----BEGIN NEW CERTIFICATE REQUEST-----
-------------------------------------------------------

on the internet I read various howtos, manuals and others that show how to use certutil to create certificates with SubjectAltName, but that alone works with/for self-signed certificates !!!

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1085091
http://directory.fedoraproject.org/wiki/Howto:SSL#Using_Subject_Alt_Name

and I run this command:

openssl genrsa -out slapd-fds2-key3.db 2048
openssl req -new -key slapd-fds2-key3.db -out vhs.csr -subj 'CN=fds.multi.com/subjectAltName=DNS:fds.multi.com/subjectAltName=DNS:fds2.multi.com'

and it works fine... I get a certificate request with all fields and send it to my CA (cacert.org) and I receive the certificate signed with all fields, but I don't know how to install it from the CLI !!! from the wizard I receive another error "this key not found - this certificate is generate in the server ???"

any solution ???

--
Victor Hugo dos Santos
Linux Counter #224399

From listas.vhs at gmail.com Fri Oct 5 19:58:48 2007
From: listas.vhs at gmail.com (Victor Hugo dos Santos)
Date: Fri, 5 Oct 2007 15:58:48 -0400
Subject: [Fedora-directory-users] problem with SSL and load balance
In-Reply-To: <5dce4940710050956p25cad3aeg8f814a2f4daae17b@mail.gmail.com>
References: <5dce4940710030820s29c9c96amd1faf59f4ebf4204@mail.gmail.com> <4703D644.9020608@le.infn.it> <5dce4940710050956p25cad3aeg8f814a2f4daae17b@mail.gmail.com>
Message-ID: <5dce4940710051258m7c9299j6439ef5c043bbe86@mail.gmail.com>

2007/10/5, Victor Hugo dos Santos :
> 2007/10/3, Enrico M. V. Fasanelli :
> > Hi Victor,
[...]
> openssl genrsa -out slapd-fds2-key3.db 2048
> openssl req -new -key slapd-fds2-key3.db -out vhs.csr -subj
> 'CN=fds.multi.com/subjectAltName=DNS:fds.multi.com/subjectAltName=DNS:fds2.multi.com'
>
> and it works fine... I get a certificate request with all fields and
> send it to my CA (cacert.org) and I receive the certificate signed with
> all fields, but I don't know how to install it from the CLI !!! from the wizard I
> receive another error "this key not found - this certificate is
> generate in the server ???"
>
> any solution ???

ok.. ok.. two coffees and one minute of relaxation...

I re-read the manual of certutil
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

and run this command:

certutil -R -d . -P slapd-fds2- -s CN=fds2.multi.com -o cert.req -a -8 fds.multi.com,fds2.multi.com,ldap.multi.com

I sent the cert.req file to cacert.org and I received the signed certificate, and it works fine !!! :-)

my problem(s) were:

- I didn't know the function of option "-P", where "slapd-fds2-" is the name of the instance
- the option "-8".. I thought that the other names (fds.multi.com, fds2.multi.com, ldap.multi.com) went in the subject (option -s).. but no !!! these parameters go separately.. and that was the principal problem (for me).

bye

--
Victor Hugo dos Santos
Linux Counter #224399

From richard at powerset.com Sat Oct 6 00:27:57 2007
From: richard at powerset.com (Richard Hesse)
Date: Fri, 5 Oct 2007 17:27:57 -0700
Subject: [Fedora-directory-users] slapi search internal errors popping up in error log
Message-ID: <84E2AE771361E9419DD0EFBD31F09C4D4956B6BF24@EXVMBX015-1.exch015.msoutlookonline.net>

[06/Oct/2007:00:24:51 +0000] - slapi_search_internal ("CN=fds1.sv.powerset.com, OU=Domain Control Validated, O=fds1.sv.powerset.com", subtree, objectclass=*) err 32

I'm guessing that this is cert related, but the TLS/SSL operations are working fine. However, I noticed that I can no longer view the encryption tab for this server in the console.

Any ideas what this error means or how to fix it?

Thanks.

-richard
From rmeggins at redhat.com Sat Oct 6 20:46:05 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Sat, 06 Oct 2007 14:46:05 -0600
Subject: [Fedora-directory-users] slapi search internal errors popping up in error log
In-Reply-To: <84E2AE771361E9419DD0EFBD31F09C4D4956B6BF24@EXVMBX015-1.exch015.msoutlookonline.net>
References: <84E2AE771361E9419DD0EFBD31F09C4D4956B6BF24@EXVMBX015-1.exch015.msoutlookonline.net>
Message-ID: <4707F40D.1080207@redhat.com>

Richard Hesse wrote:
>
> [06/Oct/2007:00:24:51 +0000] - slapi_search_internal
> ("CN=fds1.sv.powerset.com, OU=Domain Control Validated,
> O=fds1.sv.powerset.com", subtree, objectclass=*) err 32
>
> I'm guessing that this is cert related, but the TLS/SSL operations are
> working fine.
>
Are you using client cert based authentication?

cat /opt/fedora-ds/slapd-instance/config/certmap.conf /opt/fedora-ds/shared/config/certmap.conf

> However, I noticed that I can no longer view the encryption tab for
> this server in the console.
>
What error do you get when you try to view the encryption tab?

ls -al /opt/fedora-ds/alias

> Any ideas what this error means or how to fix it?
>
> Thanks.
>
> -richard
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From Clementous.Clement at fox.com Sat Oct 6 16:00:04 2007 From: Clementous.Clement at fox.com (Clementous Clement) Date: Sat, 6 Oct 2007 09:00:04 -0700 Subject: [Fedora-directory-users] RE: Fedora-directory-users Digest, Vol 29, Issue 5 In-Reply-To: <20071004160005.29EC773723@hormel.redhat.com> References: <20071004160005.29EC773723@hormel.redhat.com> Message-ID: <12C2BCDB3FA74D4E8E482325998611190277EF62@fegplmsexmb05.ffe.foxeg.com> Richard, I'm trying to use Netgroups to employ control access to groups of hosts to groups of users just as with NIS. I've searched the web for decent example to create the netgroup containter within FDS, but haven't discovered any. =-Clem -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of fedora-directory-users-request at redhat.com Sent: Thursday, October 04, 2007 9:00 AM To: fedora-directory-users at redhat.com Subject: Fedora-directory-users Digest, Vol 29, Issue 5 Send Fedora-directory-users mailing list submissions to fedora-directory-users at redhat.com To subscribe or unsubscribe via the World Wide Web, visit https://www.redhat.com/mailman/listinfo/fedora-directory-users or, via email, send a message with subject or body 'help' to fedora-directory-users-request at redhat.com You can reach the person managing the list at fedora-directory-users-owner at redhat.com When replying, please edit your Subject line so it is more specific than "Re: Contents of Fedora-directory-users digest..." Today's Topics: 1. Re: nss_ldap cannot authenticate vs FDS (Peter Santiago) 2. Re: problem with SSL and load balance (Enrico M. V. Fasanelli) 3. linux authentication though ds (lance raymond) 4. RE: problem with SSL and load balance (Richard Hesse) 5. Re: problem with SSL and load balance (Jazcek Braden) 6. 
Re: linux authentication though ds (Marc Sauton) 7. Re: problem with SSL and load balance (Marc Sauton) 8. Re: problem with SSL and load balance (Marc Sauton) 9. Fedora-DS/netgroup configuration (Clementous Clement) 10. Re: Fedora-DS/netgroup configuration (Steve Rigler) 11. Re: RedHat 4/Fedora-DS - SSL Cert DB not readable? (Glenn) ---------------------------------------------------------------------- Message: 1 Date: Thu, 04 Oct 2007 00:08:05 +0800 From: Peter Santiago Subject: Re: [Fedora-directory-users] nss_ldap cannot authenticate vs FDS To: "General discussion list for the Fedora Directory server project." , Steve Rigler Message-ID: <20071004000805.w0m9bmxk6cws4sk0 at webmail.psinergybbs.com> Content-Type: text/plain; charset="iso-8859-1" Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3051 bytes Desc: S/MIME Cryptographic Signature Url : https://www.redhat.com/archives/fedora-directory-users/attachments/20071 004/cd9c6979/smime.bin ------------------------------ Message: 2 Date: Wed, 03 Oct 2007 19:49:56 +0200 From: "Enrico M. V. Fasanelli" Subject: Re: [Fedora-directory-users] problem with SSL and load balance To: "General discussion list for the Fedora Directory server project." Message-ID: <4703D644.9020608 at le.infn.it> Content-Type: text/plain; charset="iso-8859-1" Hi Victor, have you tried with a certificate that contains the alternate name of the server? 
Something like X509v3 Subject Alternative Name: DNS:fds.mydomain.com, DNS:fds1.mydomain.com Ciao, Enrico Victor Hugo dos Santos wrote: > Hello List, > > I have the same problem that Alex Aka in Apr 2006 > http://www.redhat.com/archives/fedora-directory-users/2006-April/msg0002 2.html > > I have two FDS (fds1 and fds2) in MMR > > in the DNS I create this machines > > fds1 IN A 10.0.0.11 > fds2 IN A 10.0.0.12 > fds IN A 10.0.0.11 > fds IN A 10.0.0.12 > > in the clients, I configure the ldap.conf with this parameters: > > BASE dc=mydomain,dc=com > URI ldap://fds.mydomain.com > > this configuration work very,very fine !!!! exist replication between > servers and fault tolerance in the clients.. but i enable SSL in > server and in the clients (ldap.conf) > > > BASE dc=mydomain,dc=com > URI ldaps://fds.mydomain.com > TLS_CACERT /etc/ssl/certs/cacert.org.pem > TLS_REQCERT allow > > and "no" work !!! :-( i receive this error: > > ldap_bind: Can't contact LDAP server (-1) > > additional info: TLS: hostname does not match CN in peer certificate > > this problem, is derivate that i configured the servers with one > certificate and distinct CN for independent serves (fds1 and fds2)... > > if I config one same certificate with same CN (fds) for both nodes > (fds1 and fds2).. work fine in the clients, but the replication dont > work !!! :-( > > obs.: my certificates is sign in http://cacert.org > > any idea or suggestion ??? > > thanks > > -- Pochi conoscono cio' che ha veramente scoperto Einstein: quando mangiamo spaghetti, in effetti stiamo masticando un concentrato di Spazio-Tempo. (Antonino Zichichi) -------------- next part -------------- A non-text attachment was scrubbed... 
------------------------------

Message: 3
Date: Wed, 3 Oct 2007 14:31:58 -0400
From: "lance raymond"
Subject: [Fedora-directory-users] linux authentication though ds
To: fedora-directory-users at redhat.com
Message-ID: <5d1656000710031131y6cc0c663jb6a930299f76bfbb at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Afternoon, I have been reading a lot on this and wish to see if I am on the right track. I wish to have all employees' login information be stored in DS, and authenticate through it. I have subscribed to the list a few days ago and the questions are pretty high level, so it does seem that people are using fedora's version, so I guess for starters, is this possible.

I already have fedora ds running, added a few people, but I didn't see too much on authenticating through DS.

Thanks ...
lr

------------------------------

Message: 4
Date: Wed, 3 Oct 2007 12:17:50 -0700
From: Richard Hesse
Subject: RE: [Fedora-directory-users] problem with SSL and load balance
To: "General discussion list for the Fedora Directory server project."
Message-ID: <84E2AE771361E9419DD0EFBD31F09C4D4894671AAA at EXVMBX015-1.exch015.msoutlookonline.net>
Content-Type: text/plain; charset="us-ascii"

Do wildcard certs work with Fedora Directory Server? If they do, that will easily solve your problem. That or setting checkpeer to off.
-richard

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Victor Hugo dos Santos
Sent: Wednesday, October 03, 2007 8:20 AM
To: General discussion list for the Fedora Directory server project.
Subject: [Fedora-directory-users] problem with SSL and load balance

------------------------------

Message: 5
Date: Wed, 03 Oct 2007 15:31:20 -0400
From: Jazcek Braden
Subject: Re: [Fedora-directory-users] problem with SSL and load balance
To: "General discussion list for the Fedora Directory server project."
Message-ID: <4703EE08.4020003 at scs.fsu.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Wildcard certs definitely work, that is the way that I have my load balanced installation setup. However if you are trying to use self-signed certificates I think you have to make sure to setup the trust chain, but I am not sure.

--
Jazcek Braden

Richard Hesse wrote:
> Do wildcard certs work with Fedora Directory Server? If they do, that will easily solve your problem. That or setting checkpeer to off.
>
> -richard
------------------------------

Message: 6
Date: Wed, 03 Oct 2007 13:31:35 -0700
From: Marc Sauton
Subject: Re: [Fedora-directory-users] linux authentication though ds
To: "General discussion list for the Fedora Directory server project."
Message-ID: <4703FC27.6030900 at redhat.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

It depends what you want to do, there is some info in the howto section at:
http://directory.fedoraproject.org/wiki/Documentation#Howtos

Under "A series of articles about how to get the Directory Server working with other tools", you will find some links to articles, for example about pam, mta's, file system, apache.

M.
------------------------------

Message: 7
Date: Wed, 03 Oct 2007 13:36:26 -0700
From: Marc Sauton
Subject: Re: [Fedora-directory-users] problem with SSL and load balance
To: "General discussion list for the Fedora Directory server project."
Message-ID: <4703FD4A.70907 at redhat.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Just for info, there was a good contribution in
http://directory.fedoraproject.org/wiki/Howto:SSL#Using_Subject_Alt_Name

M.

Enrico M. V. Fasanelli wrote:
> Hi Victor,
>
> have you tried with a certificate that contains the alternate name of
> the server?
>
> Something like
> X509v3 Subject Alternative Name: DNS:fds.mydomain.com,
> DNS:fds1.mydomain.com
>
> Ciao,
> Enrico

------------------------------

Message: 8
Date: Wed, 03 Oct 2007 13:37:34 -0700
From: Marc Sauton
Subject: Re: [Fedora-directory-users] problem with SSL and load balance
To: "General discussion list for the Fedora Directory server project."
Message-ID: <4703FD8E.4080108 at redhat.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

See
http://directory.fedoraproject.org/wiki/Howto:SSL#Import_the_CA_cert_into_another_Fedora_DS

M.

Jazcek Braden wrote:
> Wildcard certs definitely work, that is the way that I have my load
> balanced installation setup. However if you are trying to use
> self-signed certificates I think you have to make sure to setup the
> trust chain, but I am not sure.

------------------------------

Message: 9
Date: Wed, 3 Oct 2007 09:26:58 -0700
From: "Clementous Clement"
Subject: [Fedora-directory-users] Fedora-DS/netgroup configuration
To:
Message-ID: <12C2BCDB3FA74D4E8E482325998611190277EF48 at fegplmsexmb05.ffe.foxeg.com>
Content-Type: text/plain; charset="us-ascii"

Hello Everyone,

I'm a newbie to configuring/deploying Fedora-DS. I've been lucky enough to complete the installation for Fedora-DS. I need a little guidance on setting up and configuring netgroups. I've located the link below and researched it, but still can't get the feature to work. Any advice?

http://directory.fedoraproject.org/wiki/Howto:Netgroups

Thanks In Advance,

Clementous Clement
System Administrator
cclementous at gmail.com

------------------------------

Message: 10
Date: Thu, 04 Oct 2007 08:22:10 -0500
From: Steve Rigler
Subject: Re: [Fedora-directory-users] Fedora-DS/netgroup configuration
To: "General discussion list for the Fedora Directory server project."
Message-ID: <1191504130.4298.8.camel at houuc8>
Content-Type: text/plain

On Wed, 2007-10-03 at 09:26 -0700, Clementous Clement wrote:
> Hello Everyone,
>
> I'm a newbie to configuring/deploying Fedora-DS. I've been lucky
> enough to complete the installation for Fedora-DS. I need a little
> guidance on setting up and configuring netgroups. I've located the
> link below and researched it, but still can't get the
> feature to work. Any advice?
>
> http://directory.fedoraproject.org/wiki/Howto:Netgroups
>
> Thanks In Advance,
>
> Clementous Clement
> System Administrator
> cclementous at gmail.com

What are you trying to accomplish with netgroups that isn't working?

-Steve

------------------------------

Message: 11
Date: Thu, 4 Oct 2007 09:25:33 -0500
From: "Glenn"
Subject: Re: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?
To: "General discussion list for the Fedora Directory server project."
Message-ID: <20071004141907.M49775 at mail.txwes.edu>
Content-Type: text/plain; charset=iso-8859-1

Richard - It has been months since I did this, and I don't remember each detail of the installation. I did not use the default server user ID; I changed it when given the opportunity during installation. Maybe this caused a permissions problem? -Glenn.

---------- Original Message -----------
From: Richard Megginson
To: "General discussion list for the Fedora Directory server project."
Sent: Wed, 03 Oct 2007 08:02:15 -0600
Subject: Re: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not readable?

> Glenn wrote:
> > Travis - I had this problem with new installations and clean
> > re-installations. The installation of Fedora Directory did not create the
> > certificate database. I solved it by creating the appropriately-named
> > certificate database in the correct location using certutil. -Glenn.
>
> Is there any sort of pattern to when it does or does not create the
> key/cert databases? When the server starts up, it is supposed to
> create them if they are not there. This means that
> /opt/fedora-ds/alias must be writable by the server user id (default nobody).
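Richard Megginson's point above is that the server creates the key/cert databases itself at startup, which only works if the alias directory is writable by the server user, and Glenn's non-default server user is exactly the kind of thing that breaks it. The following check is an added example, not code from the thread or from Fedora DS: it evaluates that requirement for a given user and also flags database and pin files that are not owned by that user or are readable by others. The path and user name are parameters defaulting to the thread's /opt/fedora-ds/alias and nobody; the demo() directory is constructed in a temporary location.

```python
"""Check that a Fedora DS alias directory is usable by the server user.

Added example, not from the thread or from Fedora DS. It implements the rule
Richard Megginson states above: the server creates its key/cert databases at
startup, so the alias directory must be writable by the server user; it also
flags database and pin files that are not owned by that user or are readable
by others. Defaults follow the thread (/opt/fedora-ds/alias, user nobody);
the demo() directory is constructed in a temporary location.
"""
import grp
import os
import pwd
import stat
import tempfile

# File names the thread's listing shows in the alias directory and which hold
# key material or the PIN that unlocks it.
SENSITIVE_SUFFIXES = ("-key3.db", "-cert8.db", "-pin.txt", "secmod.db")


def identity_of(user):
    """(uid, set of gids) for a user name, including supplementary groups."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, gids


def can_write(st, uid, gids):
    """Apply the owner/group/other write bits of a stat result to one identity."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def check_alias_dir(path="/opt/fedora-ds/alias", server_user="nobody", identity=None):
    """Return a list of problems; an empty list means the directory looks fine.
    `identity` may supply (uid, gids) directly instead of resolving server_user."""
    problems = []
    try:
        uid, gids = identity if identity is not None else identity_of(server_user)
    except KeyError:
        return [f"server user {server_user!r} does not exist"]
    try:
        dst = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    if not stat.S_ISDIR(dst.st_mode):
        return [f"{path} is not a directory"]
    if not can_write(dst, uid, gids):
        problems.append(f"{path} is not writable by {server_user}: the server "
                        "cannot create its key/cert databases at startup")
    for name in sorted(os.listdir(path)):
        if not name.endswith(SENSITIVE_SUFFIXES):
            continue
        fst = os.stat(os.path.join(path, name))
        perms = stat.S_IMODE(fst.st_mode)
        if fst.st_uid != uid:
            problems.append(f"{name} is owned by uid {fst.st_uid}, not by {server_user}")
        if perms & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{name} is accessible to group/other (mode {perms:04o}); "
                            "expected 0600 or 0400")
    return problems


def demo():
    """Run the check on a constructed alias directory in three states and return
    the number of problems found in each: healthy, leaky key file, read-only directory."""
    me = (os.getuid(), set(os.getgroups()) | {os.getgid()})
    with tempfile.TemporaryDirectory() as alias:
        key = os.path.join(alias, "slapd-fds-key3.db")
        with open(key, "wb") as fh:
            fh.write(b"constructed placeholder, not a real NSS database\n")
        os.chmod(key, 0o600)
        healthy = check_alias_dir(alias, "me", identity=me)
        os.chmod(key, 0o644)                  # key database readable by everyone
        leaky = check_alias_dir(alias, "me", identity=me)
        os.chmod(key, 0o600)
        os.chmod(alias, 0o555)                # server could not create databases here
        readonly = check_alias_dir(alias, "me", identity=me)
        os.chmod(alias, 0o755)                # let TemporaryDirectory clean up
    return len(healthy), len(leaky), len(readonly)


if __name__ == "__main__":
    print(demo())                             # (0, 1, 1)
    for problem in check_alias_dir():
        print(problem)
```

Run against the listing Richard Hesse posts later in this thread (files 0600/0400 and owned by nobody, directory owned by nobody) the check reports nothing; a root-owned or 0644 key3.db would be flagged.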
------------------------------

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

End of Fedora-directory-users Digest, Vol 29, Issue 5
*****************************************************

From rmeggins at redhat.com Mon Oct 8 14:18:06 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 08 Oct 2007 08:18:06 -0600
Subject: [Fedora-directory-users] Re: Setting up Netgroups with Fedora DS
In-Reply-To: <12C2BCDB3FA74D4E8E482325998611190277EF62@fegplmsexmb05.ffe.foxeg.com>
References: <20071004160005.29EC773723@hormel.redhat.com> <12C2BCDB3FA74D4E8E482325998611190277EF62@fegplmsexmb05.ffe.foxeg.com>
Message-ID: <470A3C1E.1020900@redhat.com>

Clementous Clement wrote:
> Richard,
>
> I'm trying to use Netgroups to employ control access to groups of hosts
> to groups of users just as with NIS. I've searched the web for a decent
> example to create the netgroup container within FDS, but haven't
> discovered any.
> http://directory.fedoraproject.org/wiki/Howto:Netgroups
> =-Clem
>
> -----Original Message-----

From richard at powerset.com Mon Oct 8 17:53:09 2007
From: richard at powerset.com (Richard Hesse)
Date: Mon, 8 Oct 2007 10:53:09 -0700
Subject: [Fedora-directory-users] slapi search internal errors popping up in error log
In-Reply-To: <4707F40D.1080207@redhat.com>
References: <84E2AE771361E9419DD0EFBD31F09C4D4956B6BF24@EXVMBX015-1.exch015.msoutlookonline.net> <4707F40D.1080207@redhat.com>
Message-ID: <84E2AE771361E9419DD0EFBD31F09C4D4956B6C0CD@EXVMBX015-1.exch015.msoutlookonline.net>

No, we're not using client certs but that doesn't preclude someone using their own certs.

No certmap.conf in the instance directory and it looks like the shared one is stock:

cat certmap.conf | grep -v "#"
certmap default default

The error from the configuration tab is just a generic 500. No additional text in the dialog nor in the logs.

Alias directory:
drwxr-xr-x  2 nobody nobody   4096 Oct  8 17:42 .
drwxr-xr-x 15 root   root     4096 Oct  8 17:42 ..
-rwxr-xr-x  1 root   nobody 347368 Oct  6 00:22 libnssckbi.so
-rw-------  1 nobody nobody  16384 Oct  6 00:24 secmod.db
-rw-------  1 nobody nobody  65536 Oct  6 00:22 slapd-fds-cert8.db
-rw-------  1 nobody nobody  16384 Oct  6 00:22 slapd-fds-key3.db
-r--------  1 nobody nobody     41 Oct  6 00:22 slapd-fds-pin.txt

Thanks in advance.

-richard

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
Sent: Saturday, October 06, 2007 1:46 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] slapi search internal errors popping up in error log

Richard Hesse wrote:
>
> [06/Oct/2007:00:24:51 +0000] - slapi_search_internal
> ("CN=fds1.sv.powerset.com, OU=Domain Control Validated,
> O=fds1.sv.powerset.com", subtree, objectclass=*) err 32
>
> I'm guessing that this is cert related, but the TLS/SSL operations are
> working fine.
>
Are you using client cert based authentication?

cat /opt/fedora-ds/slapd-instance/config/certmap.conf /opt/fedora-ds/shared/config/certmap.conf

> However, I noticed that I can no longer view the encryption tab for
> this server in the console.
>
What error do you get when you try to view the encryption tab?

ls -al /opt/fedora-ds/alias

> Any ideas what this error means or how to fix it?
>
> Thanks.
> -richard

From rmeggins at redhat.com Mon Oct 8 18:08:41 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 08 Oct 2007 12:08:41 -0600
Subject: [Fedora-directory-users] slapi search internal errors popping up in error log
In-Reply-To: <84E2AE771361E9419DD0EFBD31F09C4D4956B6C0CD@EXVMBX015-1.exch015.msoutlookonline.net>
References: <84E2AE771361E9419DD0EFBD31F09C4D4956B6BF24@EXVMBX015-1.exch015.msoutlookonline.net> <4707F40D.1080207@redhat.com> <84E2AE771361E9419DD0EFBD31F09C4D4956B6C0CD@EXVMBX015-1.exch015.msoutlookonline.net>
Message-ID: <470A7229.5090005@redhat.com>

Richard Hesse wrote:
> No, we're not using client certs but that doesn't preclude someone using their own certs.
>
> No certmap.conf in the instance directory and it looks like the shared one is stock:
> cat certmap.conf | grep -v "#"
> certmap default default
>
> The error from the configuration tab is just a generic 500. No additional text in the dialog nor in the logs.
>
Check the admin server access and error log - /opt/fedora-ds/admin-serv/logs
From richard at powerset.com Mon Oct 8 19:22:50 2007
From: richard at powerset.com (Richard Hesse)
Date: Mon, 8 Oct 2007 12:22:50 -0700
Subject: [Fedora-directory-users] slapi search internal errors popping up in error log
In-Reply-To: <470A7229.5090005@redhat.com>
References: <84E2AE771361E9419DD0EFBD31F09C4D4956B6BF24@EXVMBX015-1.exch015.msoutlookonline.net> <4707F40D.1080207@redhat.com> <84E2AE771361E9419DD0EFBD31F09C4D4956B6C0CD@EXVMBX015-1.exch015.msoutlookonline.net> <470A7229.5090005@redhat.com>
Message-ID: <84E2AE771361E9419DD0EFBD31F09C4D4956B6C10E@EXVMBX015-1.exch015.msoutlookonline.net>

Nothing really informative in the admin server logs. Just the 500's being recorded:

10.69.66.9 - cn=directory manager [08/Oct/2007:17:51:56 +0000] "POST /admin-serv/tasks/configuration/SecurityOp HTTP/1.0" 500 620

-richard
From rmeggins at redhat.com Mon Oct 8 21:16:00 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 08 Oct 2007 15:16:00 -0600
Subject: [Fedora-directory-users] slapi search internal errors popping up in error log
In-Reply-To: <84E2AE771361E9419DD0EFBD31F09C4D4956B6C10E@EXVMBX015-1.exch015.msoutlookonline.net>
References: <84E2AE771361E9419DD0EFBD31F09C4D4956B6BF24@EXVMBX015-1.exch015.msoutlookonline.net> <4707F40D.1080207@redhat.com> <84E2AE771361E9419DD0EFBD31F09C4D4956B6C0CD@EXVMBX015-1.exch015.msoutlookonline.net> <470A7229.5090005@redhat.com> <84E2AE771361E9419DD0EFBD31F09C4D4956B6C10E@EXVMBX015-1.exch015.msoutlookonline.net>
Message-ID: <470A9E10.5040806@redhat.com>

Richard Hesse wrote:
> Nothing really informative in the admin server logs. Just the 500's being recorded:
>
> 10.69.66.9 - cn=directory manager [08/Oct/2007:17:51:56 +0000] "POST /admin-serv/tasks/configuration/SecurityOp HTTP/1.0" 500 620
>
ps -ef|grep httpd
ls -al /opt/fedora-ds/admin-serv/logs /opt/fedora-ds/admin-serv/config
# do the following only after obscuring any sensitive data
cat /opt/fedora-ds/shared/config/dbswitch.conf
cat /opt/fedora-ds/admin-serv/config/adm.conf
From richard at powerset.com Mon Oct 8 22:09:03 2007
From: richard at powerset.com (Richard Hesse)
Date: Mon, 8 Oct 2007 15:09:03 -0700
Subject: [Fedora-directory-users] slapi search internal errors popping up in error log
In-Reply-To: <470A9E10.5040806@redhat.com>
References: <84E2AE771361E9419DD0EFBD31F09C4D4956B6BF24@EXVMBX015-1.exch015.msoutlookonline.net> <4707F40D.1080207@redhat.com> <84E2AE771361E9419DD0EFBD31F09C4D4956B6C0CD@EXVMBX015-1.exch015.msoutlookonline.net> <470A7229.5090005@redhat.com> <84E2AE771361E9419DD0EFBD31F09C4D4956B6C10E@EXVMBX015-1.exch015.msoutlookonline.net> <470A9E10.5040806@redhat.com>
Message-ID: <84E2AE771361E9419DD0EFBD31F09C4D4956B6C16B@EXVMBX015-1.exch015.msoutlookonline.net>

ps -ef | grep httpd
root      2231     1  0 19:12 ?        00:00:00 /usr/sbin//httpd.worker -k start -d /opt/fedora-ds/admin-serv -f /opt/fedora-ds/admin-serv/config/httpd.conf
root      2317  2231  0 19:12 ?        00:00:00 /usr/sbin//httpd.worker -k start -d /opt/fedora-ds/admin-serv -f /opt/fedora-ds/admin-serv/config/httpd.conf
nobody    2320  2231  0 19:12 ?        00:00:00 /usr/sbin//httpd.worker -k start -d /opt/fedora-ds/admin-serv -f /opt/fedora-ds/admin-serv/config/httpd.conf
root      4830  2425  0 21:58 pts/0    00:00:00 grep httpd

# ls -al /opt/fedora-ds/admin-serv/logs /opt/fedora-ds/admin-serv/config
/opt/fedora-ds/admin-serv/config:
total 84
drwxr-xr-x 2 nobody nobody  4096 Oct  5 18:31 .
drwxr-xr-x 6 root   root    4096 Sep 27 03:24 ..
-rw-r--r-- 1 root   root       0 Oct  5 18:31 Admin
-rw------- 1 nobody nobody   350 Sep 27 03:24 adm.conf
-rw------- 1 nobody nobody    54 Sep 27 03:24 admpw
-rw------- 1 root   root    4598 Sep 27 03:24 admserv.conf
-rw------- 1 nobody nobody  3733 Sep 27 03:24 console.conf
-rw------- 1 root   root   26784 Sep 27 03:24 httpd.conf
-rw-r--r-- 1 root   root   16632 Oct  5 05:07 local.conf
-rw------- 1 nobody nobody  4573 Sep 27 03:24 nss.conf

/opt/fedora-ds/admin-serv/logs:
total 1652
drwxr-xr-x 2 root   root    4096 Oct  8 21:59 .
drwxr-xr-x 6 root   root    4096 Sep 27 03:24 ..
-rw-r--r-- 1 root   root  500844 Oct  5 04:59 access
srwx------ 1 nobody root       0 Oct  8 19:12 cgisock.2231
-rw-r--r-- 1 root   root 1164192 Oct  8 19:12 error
-rw-r--r-- 1 root   root       5 Oct  8 19:12 pid

cat /opt/fedora-ds/shared/config/dbswitch.conf
directory default ldap://localhost:22000/o%3DNetscapeRoot

cat /opt/fedora-ds/admin-serv/config/adm.conf
ldapHost: localhost
ldapPort: 22000
sie: cn=admin-serv-$host, cn=Fedora Administration Server, cn=Server Group,$host,ou=$domain,o=NetscapeRoot
userdn: cn=directory manager
isie: cn=Fedora Administration Server, cn=Server Group,cn=$host,ou=$domain,o=NetscapeRoot
port: 22628

Upon later inspection of the admin-serv error logs, I noticed this:

[Mon Oct 08 19:12:40 2007] [warn] Unable to bind as LocalAdmin to populate LocalAdmin tasks into cache.
-richard

From rmeggins at redhat.com Mon Oct 8 22:47:33 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 08 Oct 2007 16:47:33 -0600
Subject: [Fedora-directory-users] slapi search internal errors popping up in error log
In-Reply-To: <84E2AE771361E9419DD0EFBD31F09C4D4956B6C16B@EXVMBX015-1.exch015.msoutlookonline.net>
References: <84E2AE771361E9419DD0EFBD31F09C4D4956B6BF24@EXVMBX015-1.exch015.msoutlookonline.net> <4707F40D.1080207@redhat.com> <84E2AE771361E9419DD0EFBD31F09C4D4956B6C0CD@EXVMBX015-1.exch015.msoutlookonline.net> <470A7229.5090005@redhat.com> <84E2AE771361E9419DD0EFBD31F09C4D4956B6C10E@EXVMBX015-1.exch015.msoutlookonline.net> <470A9E10.5040806@redhat.com> <84E2AE771361E9419DD0EFBD31F09C4D4956B6C16B@EXVMBX015-1.exch015.msoutlookonline.net>
Message-ID: <470AB385.6030804@redhat.com>

Richard Hesse wrote:
> # ls -al /opt/fedora-ds/admin-serv/logs /opt/fedora-ds/admin-serv/config
> /opt/fedora-ds/admin-serv/config:
> total 84
> drwxr-xr-x 2 nobody nobody  4096 Oct  5 18:31 .
> drwxr-xr-x 6 root   root    4096 Sep 27 03:24 ..
> -rw-r--r-- 1 root   root       0 Oct  5 18:31 Admin
> -rw------- 1 nobody nobody   350 Sep 27 03:24 adm.conf
> -rw------- 1 nobody nobody    54 Sep 27 03:24 admpw
> -rw------- 1 root   root    4598 Sep 27 03:24 admserv.conf
> -rw------- 1 nobody nobody  3733 Sep 27 03:24 console.conf
> -rw------- 1 root   root   26784 Sep 27 03:24 httpd.conf
> -rw-r--r-- 1 root   root   16632 Oct  5 05:07 local.conf
> -rw------- 1 nobody nobody  4573 Sep 27 03:24 nss.conf
>
> Upon later inspection of the admin-serv error logs, I noticed this:
>
> [Mon Oct 08 19:12:40 2007] [warn] Unable to bind as LocalAdmin to populate LocalAdmin tasks into cache.
>
Looks like there are some permissions problems. local.conf should be owned by nobody. What is the setting for User in console.conf? Have you changed any settings or admin user names or passwords?
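The ownership check Richard describes, as an added example that is not code from the thread or from Fedora DS: it reads the User and Group directives from a console.conf-style file, parses an ls -al listing, and reports which config files that user cannot read or write under plain mode bits (ACLs ignored). The listing is constructed from Richard Hesse's output above; the console.conf excerpt is a constructed stand-in, and the user name nobody comes from the thread.

```python
"""Ownership and access audit for the admin-serv config directory.

Added example for this thread; not Richard Megginson's code and not part
of Fedora DS. SAMPLE_LISTING is constructed from the
`ls -al /opt/fedora-ds/admin-serv/config` output posted in the thread;
SAMPLE_CONSOLE_CONF is a constructed excerpt (the real file has many more
directives).
"""
import re
from typing import Dict, List, Tuple

SAMPLE_LISTING = """\
total 84
drwxr-xr-x 2 nobody nobody 4096 Oct 5 18:31 .
drwxr-xr-x 6 root root 4096 Sep 27 03:24 ..
-rw-r--r-- 1 root root 0 Oct 5 18:31 Admin
-rw------- 1 nobody nobody 350 Sep 27 03:24 adm.conf
-rw------- 1 nobody nobody 54 Sep 27 03:24 admpw
-rw------- 1 root root 4598 Sep 27 03:24 admserv.conf
-rw------- 1 nobody nobody 3733 Sep 27 03:24 console.conf
-rw------- 1 root root 26784 Sep 27 03:24 httpd.conf
-rw-r--r-- 1 root root 16632 Oct 5 05:07 local.conf
-rw------- 1 nobody nobody 4573 Sep 27 03:24 nss.conf
"""

SAMPLE_CONSOLE_CONF = """\
# constructed console.conf excerpt: only the directives this script reads
User nobody
Group nobody
"""

# One `ls -al` row: mode, link count, owner, group, size, month, day, time-or-year, name.
LS_ROW = re.compile(
    r"^(?P<mode>[-dlscbp][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+[\d:]+\s+(?P<name>.+)$"
)

Entry = Tuple[str, str, str, str]  # (name, mode, owner, group)


def httpd_directive(conf_text: str, name: str) -> str:
    """Value of an Apache-style directive such as `User`; first match wins, comments skipped."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            return parts[1].strip()
    raise ValueError(f"no {name} directive found")


def parse_listing(text: str) -> List[Entry]:
    """Parse `ls -al` output into (name, mode, owner, group) tuples; the 'total' line is skipped."""
    rows = []
    for line in text.splitlines():
        m = LS_ROW.match(line)
        if m:
            rows.append((m["name"], m["mode"], m["owner"], m["group"]))
    return rows


def can_access(mode: str, owner: str, group: str, user: str, user_groups) -> Tuple[bool, bool]:
    """(readable, writable) for `user` under classic mode bits. POSIX ACLs are not considered."""
    if owner == user:
        bits = mode[1:4]
    elif group in user_groups:
        bits = mode[4:7]
    else:
        bits = mode[7:10]
    return ("r" in bits, "w" in bits)


def audit(conf_text: str, listing: str) -> Dict[str, Tuple[str, bool, bool]]:
    """Map each regular file to (owner, readable by the server user, writable by the server user)."""
    user = httpd_directive(conf_text, "User")
    groups = {httpd_directive(conf_text, "Group")}
    report: Dict[str, Tuple[str, bool, bool]] = {}
    for name, mode, owner, grp in parse_listing(listing):
        if mode[0] != "-":  # directories and sockets are out of scope here
            continue
        readable, writable = can_access(mode, owner, grp, user, groups)
        report[name] = (owner, readable, writable)
    return report


def not_writable_by_server(conf_text: str, listing: str) -> List[str]:
    """Files the admin server user cannot update; local.conf appearing here matches the thread."""
    return [n for n, (_, _, w) in audit(conf_text, listing).items() if not w]


if __name__ == "__main__":
    report = audit(SAMPLE_CONSOLE_CONF, SAMPLE_LISTING)
    for name in not_writable_by_server(SAMPLE_CONSOLE_CONF, SAMPLE_LISTING):
        print(f"{name}: owned by {report[name][0]}, not writable by the admin server user")
```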
From roman.rathler at lsr-noe.gv.at Tue Oct 9 12:57:09 2007
From: roman.rathler at lsr-noe.gv.at (Roman RATHLER)
Date: Tue, 9 Oct 2007 14:57:09 +0200
Subject: [Fedora-directory-users] Error Logging Performance
Message-ID:

Hi,

If I activate error logging for ACL Control Summary or similar, the machine totally goes into IO-Wait. It just writes maybe 100K/second but is totally unusable any more... From normal 1% CPU load (on a 2-way Xeon) it moves to 200% CPU utilization. Debugging ACLs therefore is nearly impossible on a productive system...

We run Fedora-DS 1.0.4 (fedora-ds-1.0.4-1.RHEL4) on an up2date CentOS system... Is there any performance tuning option like the log buffering for the access log? I can't see why logging kills the machine!

cheers.roman
From david_list at boreham.org Tue Oct 9 13:52:52 2007
From: david_list at boreham.org (David Boreham)
Date: Tue, 09 Oct 2007 07:52:52 -0600
Subject: [Fedora-directory-users] Error Logging Performance
In-Reply-To:
References:
Message-ID: <470B87B4.40208@boreham.org>

Roman RATHLER wrote:
> If I activate error logging for ACL Control Summary or similar, the
> machine totally goes into IO-Wait. It just writes maybe 100K/second but
> is totally unusable any more... From normal 1% CPU load (on a 2-way
> Xeon) it moves to 200% CPU utilization.
> Debugging ACLs therefore is nearly impossible on a productive system...
>
> We run Fedora-DS 1.0.4 (fedora-ds-1.0.4-1.RHEL4) on an up2date
> CentOS system... Is there any performance tuning option like the
> log buffering for the access log? I can't see why logging kills the machine!

Errors often occur before a crash, and therefore the error log is flushed to persistent store often in order to improve the chances that any message emitted before a crash will be retained.

I seem to remember that buffering can be enabled on the error log but I can't remember the details. Probably in the documentation somewhere though. I think the underlying code is the same for the error log vs. the access log (which is optimized for performance by default), so it should be possible to configure the error log to buffer.

Alternatively you could put the error log file on a ramdisk.

From fedoracore.lists at gmail.com Tue Oct 9 14:01:21 2007
From: fedoracore.lists at gmail.com (jhon choptieso)
Date: Tue, 9 Oct 2007 10:01:21 -0400
Subject: [Fedora-directory-users] error loading startconsole
Message-ID: <9bc2adb00710090701p694d2f36y642f376cec87ed36@mail.gmail.com>

Greetings.

After installation and configuration of fedora-ds, I have errors loading the console; here is the log:

[root at ds1 fedora-ds]# ./startconsole -u admin http://ds1.foo.com:9999/
Exception in thread "main" java.lang.UnsupportedClassVersionError: com/netscape/management/client/console/Console (Unsupported major.minor version 49.0)
        at java.lang.ClassLoader.defineClass0(Native Method)
        at java.lang.ClassLoader.defineClass(Unknown Source)
        at java.security.SecureClassLoader.defineClass(Unknown Source)
        at java.net.URLClassLoader.defineClass(Unknown Source)
        at java.net.URLClassLoader.access$100(Unknown Source)
        at java.net.URLClassLoader$1.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(Unknown Source)
        at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(Unknown Source)
        at java.lang.ClassLoader.loadClassInternal(Unknown Source)

I have the latest Sun JRE.

--
jhon choptieso

From martin.eckel at infopunkte.de Tue Oct 9 14:24:19 2007
From: martin.eckel at infopunkte.de (Martin Eckel)
Date: Tue, 9 Oct 2007 15:24:19 +0100 (IST)
Subject: [Fedora-directory-users] Missing tasks directory
Message-ID: <14548925.1191939859544.OPEN-XCHANGE.WebMail.wwwrun@p15179592>

An HTML attachment was scrubbed...

From rmeggins at redhat.com Tue Oct 9 15:43:18 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 09 Oct 2007 09:43:18 -0600
Subject: [Fedora-directory-users] Error Logging Performance
In-Reply-To: <470B87B4.40208@boreham.org>
References: <470B87B4.40208@boreham.org>
Message-ID: <470BA196.5030802@redhat.com>

David Boreham wrote:
> Roman RATHLER wrote:
>> If I activate error logging for ACL Control Summary or similar, the
>> machine totally goes into IO-Wait. It just writes maybe 100K/second
>> but is totally unusable any more...
>>
>> Is there any performance tuning option like the
>> log buffering for the access log? I can't see why logging kills the
>> machine!
> I seem to remember that buffering can be enabled on the error log
> but I can't remember the details. Probably in the documentation
> somewhere though.
> I think the underlying code is the same for the error log vs. the
> access log (which is optimized for performance by default), so it should be
> possible to configure the error log to buffer.

I don't think this is possible. It looks like only the access log has this switch.

> Alternatively you could put the error log file on a ramdisk.

Another option is to replace the error log file with a named pipe. The other end of the pipe is connected to a python script that keeps a circular log buffer in memory. The script below allows you to configure the size of that buffer, and if you want to use a fifo for the access and audit logs.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: logmon.py
Type: text/x-python
Size: 5959 bytes
Desc: not available
URL:
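The named-pipe approach Richard outlines, as an added example (not the scrubbed logmon.py attachment and not Fedora DS code): a reader that keeps the newest N lines of a log written to a FIFO in a ring buffer, reopens the pipe whenever the server closes it, and dumps the buffer on SIGUSR1. The instance paths in the docstring and the sample error-log lines are constructed; the reader must be running before slapd opens the FIFO, or the server blocks on open.

```python
"""Circular in-memory buffer for a Fedora DS log delivered through a named pipe.

Added example written for this thread; it is NOT the logmon.py Richard
Megginson attached (scrubbed from the archive), only a small stand-alone
script of the same shape. Assumed usage (instance path is an assumption):

    mv /opt/fedora-ds/slapd-myinst/logs/errors /opt/fedora-ds/slapd-myinst/logs/errors.old
    mkfifo -m 600 /opt/fedora-ds/slapd-myinst/logs/errors
    python3 logmon_ring.py /opt/fedora-ds/slapd-myinst/logs/errors 5000 &
    # start or restart slapd only after the reader is up: a writer opening a
    # FIFO with no reader blocks.  Later:  kill -USR1 <reader pid>  dumps the ring.

Everything that leaves the ring is gone, so this is a debugging aid, not a
replacement for a persistent error log.
"""
import collections
import io
import signal
import sys
from typing import Iterable, List, Optional


class RingLog:
    """Keeps only the newest `capacity` lines; older lines are evicted, not written anywhere."""

    def __init__(self, capacity: int, keep: Optional[str] = None) -> None:
        self.lines = collections.deque(maxlen=capacity)
        self.keep = keep       # optional substring filter, e.g. only ACL summary lines
        self.seen = 0          # every line offered, kept or not
        self.dropped = 0       # lines evicted because the ring was full

    def feed(self, line: str) -> bool:
        """Offer one line; returns True if it was stored."""
        self.seen += 1
        line = line.rstrip("\n")
        if self.keep is not None and self.keep not in line:
            return False
        if len(self.lines) == self.lines.maxlen:
            self.dropped += 1
        self.lines.append(line)
        return True

    def consume(self, stream: Iterable[str]) -> int:
        """Feed every line from an open text stream until EOF; returns lines read."""
        n = 0
        for line in stream:
            self.feed(line)
            n += 1
        return n

    def snapshot(self) -> List[str]:
        return list(self.lines)

    def dump(self, out=sys.stderr) -> None:
        out.write(f"--- {len(self.lines)} of {self.seen} lines kept, {self.dropped} evicted ---\n")
        for line in self.lines:
            out.write(line + "\n")


def monitor_fifo(path: str, ring: RingLog) -> None:
    """Read the FIFO forever, reopening it after each writer close.

    slapd closes and reopens its log on restart and rotation; each close gives the
    reader EOF, so open() is retried. open() blocks until a writer appears, which
    is the behaviour we want here.
    """
    while True:
        with open(path, "r", errors="replace") as fifo:
            ring.consume(fifo)


# Constructed sample lines in the error-log layout (not real server output).
SAMPLE_ERRORS = (
    "[09/Oct/2007:14:57:09 +0200] - Fedora-Directory/1.0.4 (constructed build id) starting up\n"
    "[09/Oct/2007:14:57:10 +0200] - slapd started.  Listening on all interfaces port 389 for LDAP requests\n"
    "[09/Oct/2007:14:58:01 +0200] acl summary - conn=12 op=3 (constructed)\n"
    "[09/Oct/2007:14:58:02 +0200] acl summary - conn=12 op=4 (constructed)\n"
)


def demo(capacity: int = 3) -> RingLog:
    """Run the constructed sample through a 3-line ring; the 'starting up' line gets evicted."""
    ring = RingLog(capacity)
    ring.consume(io.StringIO(SAMPLE_ERRORS))
    return ring


if __name__ == "__main__":
    if len(sys.argv) != 3:
        demo().dump()
        sys.exit(0)
    fifo_path, size = sys.argv[1], int(sys.argv[2])
    live = RingLog(size)
    signal.signal(signal.SIGUSR1, lambda *_: live.dump())
    monitor_fifo(fifo_path, live)
```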
From rmeggins at redhat.com Tue Oct 9 15:47:24 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 09 Oct 2007 09:47:24 -0600
Subject: [Fedora-directory-users] Missing tasks directory
In-Reply-To: <14548925.1191939859544.OPEN-XCHANGE.WebMail.wwwrun@p15179592>
References: <14548925.1191939859544.OPEN-XCHANGE.WebMail.wwwrun@p15179592>
Message-ID: <470BA28C.8000605@redhat.com>

Martin Eckel wrote:
> Hi,
>
> I have installed fedora-ds-1.0.4-1 on a FC6 Linux. I am able to run
> the startconsole, but when I open the Admin Server window and select
> any item, then an error message appears that it tries to access
> /admin-serv/tasks/Configuration/ServerSetup. But the tasks directory
> doesn't exist. I would expect that it was created by the rpm-package
> during installation, but it isn't.
> I started the rpm-installation with the --nodeps argument (which I
> would like to avoid; I assume that could be the reason) because it
> says that no httpd is available, but an apache is already installed as
> source-package on this system. I have created a symbolic link before
> to the httpd-file in /usr/sbin but that doesn't help.
> Anyone knows why no tasks directory and its subfolders were created
> after the installation ?

That URL path is not the actual path in the file system. The way the admin server works is that it maps that URL to a LDAP entry somewhere under o=NetscapeRoot in the configuration directory server. It does this so it can apply fine grained access control to each task based on Fedora DS ACIs, rather than on httpd access control.

It's going to be tricky to install properly without an httpd.worker package available for setup.

> Excuse me for my bad English and many thanks in advance
> Martin

From palo at akinosoft.org Wed Oct 10 11:00:39 2007
From: palo at akinosoft.org (PaLo)
Date: Wed, 10 Oct 2007 13:00:39 +0200 (CEST)
Subject: [Fedora-directory-users] howto delete ldbm database ?
Message-ID: <32714.194.179.46.116.1192014039.squirrel@correo.akinosoft.org>

I'm using fedora-ds-1.0.4-1.RHEL4. I have created an LDBM database for a new tree in LDAP and now I'm trying to delete it. I have recursively deleted the entries:

cn=mydatabase, cn=ldbm database, cn=plugins, cn=config

cn=mybasedn_of_mydatabase, cn=mapping tree, cn=config

This operation has removed the tree in LDAP, but I need to delete the DB files located in /opt/fedora-ds/slapd-myinstance/db/mydatabase

How can I safely remove these files?

THANKS

From satish at suburbia.org.au Wed Oct 10 13:35:39 2007
From: satish at suburbia.org.au (Satish Chetty)
Date: Wed, 10 Oct 2007 06:35:39 -0700
Subject: [Fedora-directory-users] howto delete ldbm database ?
In-Reply-To: <32714.194.179.46.116.1192014039.squirrel@correo.akinosoft.org>
References: <32714.194.179.46.116.1192014039.squirrel@correo.akinosoft.org>
Message-ID: <470CD52B.8040209@suburbia.org.au>

Palo,

PaLo wrote:
> I'm using fedora-ds-1.0.4-1.RHEL4. I have created an LDBM database for a new
> tree in LDAP and now I'm trying to delete it. I have recursively deleted
> the entries:

The easier way is to use the console: click on the configuration tab, select the suffix, right click it and select the delete option.

-Satish.
From palo at akinosoft.org Wed Oct 10 13:54:08 2007
From: palo at akinosoft.org (PaLo)
Date: Wed, 10 Oct 2007 15:54:08 +0200 (CEST)
Subject: [Fedora-directory-users] howto delete ldbm database ?
In-Reply-To: <470CD52B.8040209@suburbia.org.au>
References: <32714.194.179.46.116.1192014039.squirrel@correo.akinosoft.org> <470CD52B.8040209@suburbia.org.au>
Message-ID: <55898.194.179.46.116.1192024448.squirrel@correo.akinosoft.org>

Sorry, I can't use the console. I have a problem starting the Administration Server:

Cannot load /opt/fedora-ds/bin/admin/lib/libmodadmserv.so into server: libstdc++.so.6: cannot handle TLS data

I'm also trying to solve this problem but, at the moment, it is secondary for me.

Thanks ;)

> Palo,
>
> PaLo wrote:
>> I'm using fedora-ds-1.0.4-1.RHEL4. I have created an LDBM database for a
>> new tree in LDAP and now I'm trying to delete it. I have recursively deleted
>> the entries:
> The easier way is to use the console: click on the configuration tab,
> select the suffix, right click it and select the delete option.
>
> -Satish.

From martin.eckel at infopunkte.de Wed Oct 10 14:47:08 2007
From: martin.eckel at infopunkte.de (Martin Eckel)
Date: Wed, 10 Oct 2007 15:47:08 +0100 (IST)
Subject: [Fedora-directory-users] Missing tasks directory
In-Reply-To: <470BA28C.8000605@redhat.com>
References: <14548925.1191939859544.OPEN-XCHANGE.WebMail.wwwrun@p15179592> <470BA28C.8000605@redhat.com>
Message-ID: <19555646.1192027628990.OPEN-XCHANGE.WebMail.wwwrun@p15179592>

An HTML attachment was scrubbed...

From LACY_S at Mercer.edu Wed Oct 10 18:39:02 2007
From: LACY_S at Mercer.edu (Scott Lacy)
Date: Wed, 10 Oct 2007 14:39:02 -0400
Subject: [Fedora-directory-users] ldapmodify and Fedora DS migration - SOLVED
In-Reply-To: <4706523D.3070005@mercer.edu>
References: <4706523D.3070005@mercer.edu>
Message-ID: <470D1C46.20202@mercer.edu>

Using /opt/fedora-ds/shared/bin/ldapmodify works a lot better than /usr/bin/ldapmodify. ;P

Thanks all!

Scott

Scott Lacy wrote:
> All,
>
> I am migrating an LDAP server off of Netscape I-Planet to Fedora
> Directory Server 1.0.4. I am having some issues with ldapmodify in
> that the command that worked in I-Planet 5.0 to do adds, modifies,
> and deletes from the same run doesn't seem to work in Fedora DS.
>
> With I-Planet:
>
> ldapmodify -a -c -D "cn=Directory Manager" -w xxxxx -f updates.ldif
>
> would take updates.ldif and do the adds, modifies, and deletions that
> were in the ldif all in one run.
>
> However, to do the same thing in Fedora DS, I find that I am having to
> do:
>
> ldapmodify -c -x -D "cn=Directory Manager" -w xxxxx -f updates.ldif
>
> and then
>
> ldapmodify -a -c -x -D "cn=Directory Manager" -w xxxxx -f updates.ldif
>
> So I guess I'm wondering if there is a way to get one iteration of
> ldapmodify to handle changes, adds, and deletes as the I-Planet
> version did.
>
> Thanks!

From LACY_S at Mercer.edu Wed Oct 10 18:50:36 2007
From: LACY_S at Mercer.edu (Scott Lacy)
Date: Wed, 10 Oct 2007 14:50:36 -0400
Subject: [Fedora-directory-users] Error 12 on sorted queries
Message-ID: <470D1EFC.1020003@mercer.edu>

I'm still a little new at this, so hopefully this isn't a FAQ question, but I am having issues with sorted queries. Single-user queries, and queries without sorts, seem to go fine, but I get error 12 (unavailable critical extension) trying to do sorted queries, and it returns zero results when it should return five.

Log is below. Any idea? This is probably something I have to set up somewhere, but I can't find anything in Google...

[10/Oct/2007:14:16:12 -0400] conn=49 fd=86 slot=86 connection from a.b.c.d to e.f.g.h
[10/Oct/2007:14:16:12 -0400] conn=49 op=0 BIND dn="" method=128 version=3
[10/Oct/2007:14:16:12 -0400] conn=49 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[10/Oct/2007:14:16:12 -0400] conn=49 op=1 SRCH base="o=Mercer University" scope=2 filter="(&(departmentNumber=Art)(school=College of Liberal Arts))" attrs="a bunch of attributes here...."
[10/Oct/2007:14:16:12 -0400] conn=49 op=1 SORT sn givenName (*)
[10/Oct/2007:14:16:12 -0400] conn=49 op=1 RESULT err=12 tag=101 nentries=0 etime=0 notes=U

Thanks,

Scott

From rmeggins at redhat.com Wed Oct 10 19:01:43 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 10 Oct 2007 13:01:43 -0600
Subject: [Fedora-directory-users] Error 12 on sorted queries
In-Reply-To: <470D1EFC.1020003@mercer.edu>
References: <470D1EFC.1020003@mercer.edu>
Message-ID: <470D2197.8080806@redhat.com>

Scott Lacy wrote:
> I'm still a little new at this, so hopefully this isn't a FAQ
> question, but I am having issues with sorted queries. Single-user
> queries, and queries without sorts, seem to go fine, but I get error 12
> (unavailable critical extension) trying to do sorted queries, and it
> returns zero results when it should return five.
>
> Log is below. Any idea? This is probably something I have to set up
> somewhere, but I can't find anything in Google...

You need to have an equality index for each attribute you want to sort on. In this case, you need to have an equality index for sn and givenName.

> [10/Oct/2007:14:16:12 -0400] conn=49 op=1 SORT sn givenName (*)
> [10/Oct/2007:14:16:12 -0400] conn=49 op=1 RESULT err=12 tag=101
> nentries=0 etime=0 notes=U
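Richard's diagnosis as an added example (not Fedora DS code and not his reply): the script correlates SORT and RESULT lines per conn/op in the access log, collects the sort attributes of operations that ended in err=12 with notes=U, and emits LDIF for an equality index on each. The sample log is the one Scott posted; the backend name userRoot and the reindex step are assumptions noted in the code.

```python
"""Find sorted searches that failed for lack of an equality index; emit the index LDIF.

Added example for this thread; not Fedora DS code and not part of any reply.
SAMPLE_ACCESS_LOG is Scott's posted log. The backend name userRoot is an
assumption: look under cn=ldbm database,cn=plugins,cn=config for yours.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_ACCESS_LOG = """\
[10/Oct/2007:14:16:12 -0400] conn=49 fd=86 slot=86 connection from a.b.c.d to e.f.g.h
[10/Oct/2007:14:16:12 -0400] conn=49 op=0 BIND dn="" method=128 version=3
[10/Oct/2007:14:16:12 -0400] conn=49 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[10/Oct/2007:14:16:12 -0400] conn=49 op=1 SRCH base="o=Mercer University" scope=2 filter="(&(departmentNumber=Art)(school=College of Liberal Arts))" attrs="a bunch of attributes here...."
[10/Oct/2007:14:16:12 -0400] conn=49 op=1 SORT sn givenName (*)
[10/Oct/2007:14:16:12 -0400] conn=49 op=1 RESULT err=12 tag=101 nentries=0 etime=0 notes=U
"""

# Lines that carry an operation: "[timestamp] conn=N op=M KIND rest".
OP_LINE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+) ?(?P<rest>.*)$")


def sort_attrs(rest: str) -> List[str]:
    """'sn givenName (*)' -> ['sn', 'givenName']; the parenthesised token is not an attribute."""
    return [tok for tok in rest.split() if not tok.startswith("(")]


def unindexed_sort_attrs(log_text: str) -> List[str]:
    """Sort attributes of operations that returned err=12 or notes=U, in first-seen order."""
    pending: Dict[Tuple[str, str], List[str]] = {}  # (conn, op) -> attrs of its SORT control
    needed: List[str] = []
    for line in log_text.splitlines():
        m = OP_LINE.match(line)
        if not m:
            continue
        key = (m["conn"], m["op"])
        if m["kind"] == "SORT":
            pending[key] = sort_attrs(m["rest"])
        elif m["kind"] == "RESULT" and key in pending:
            tokens = m["rest"].split()
            if "err=12" in tokens or "notes=U" in tokens:
                for attr in pending[key]:
                    if attr not in needed:
                        needed.append(attr)
            del pending[key]
    return needed


def index_ldif(attrs: List[str], backend: str = "userRoot", types=("eq",)) -> str:
    """LDIF that adds one nsIndex entry per attribute.

    If an entry for the attribute already exists (several do by default), modify it
    to add `nsIndexType: eq` instead of adding a new one. Either way the index holds
    nothing for existing entries until the backend is reindexed (assumption: the
    db2index.pl script in the instance directory on the 1.0.x release in this thread).
    """
    blocks = []
    for attr in attrs:
        lines = [
            f"dn: cn={attr},cn=index,cn={backend},cn=ldbm database,cn=plugins,cn=config",
            "changetype: add",
            "objectClass: top",
            "objectClass: nsIndex",
            f"cn: {attr}",
            "nsSystemIndex: false",
        ] + [f"nsIndexType: {t}" for t in types]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    missing = unindexed_sort_attrs(SAMPLE_ACCESS_LOG)
    print("# sort attributes needing an equality index:", ", ".join(missing))
    print(index_ldif(missing))
```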
From aGiggins at wcg.net.au Thu Oct 11 03:44:19 2007
From: aGiggins at wcg.net.au (Anthony Giggins)
Date: Thu, 11 Oct 2007 13:44:19 +1000
Subject: [Fedora-directory-users] Howto issue Fedora-ds with an Microsoft Active Directory Enterprise Certificate
Message-ID:

Can anyone tell me how I issue my Fedora-ds with a Microsoft Active Directory Enterprise Certificate Authority? As suggested in http://directory.fedoraproject.org/wiki/Howto:WindowsSync#Enabling_SSL_With_Fedora_Directory_Server

Note: It's always better to use the same Certificate Authority to issue certificates to both Fedora Directory Server and Active Directory to minimize any trust issues that might occur.

I already have my Microsoft Enterprise Certificate Authority imported into CA Certs in the Fedora Management Console, but how can I create a server certificate for my Fedora Directory Server from my Microsoft Enterprise Certificate Authority so both Active Directory SSL LDAP & FDS SSL LDAP are using the same Certificate Authority?

Regards,

Anthony Giggins

From etorres at dap.es Thu Oct 11 12:56:40 2007
From: etorres at dap.es (Esteban Torres Rodriguez)
Date: Thu, 11 Oct 2007 14:56:40 +0200
Subject: [Fedora-directory-users] AD with FDS with Dovecot
Message-ID: <470E39A5.655F.0018.0@dap.es>

I have installed my synchronous AD with FDS without any problem. The users I create are all in AD. I want to install Postfix+Dovecot authenticating against FDS, but when I create a user in AD and it synchronizes with FDS, it does not set the attributes maildir, posixAccount, mailRecipient, etc. for me... How can I solve this? If I synchronize from FDS to AD, do they appear for me? How can I modify the AD schema? I need help on this.

Excuse my English.

Esteban Torres Rodríguez
ÁREA DE SOPORTE TÉCNICO - Administración de Servidores
Subdirección de Sistemas Informáticos
Empresa Pública Desarrollo Agrario y Pesquero,
email: etorres at dap.es

From rmeggins at redhat.com Thu Oct 11 13:57:59 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 11 Oct 2007 07:57:59 -0600
Subject: [Fedora-directory-users] AD with FDS with Dovecot
In-Reply-To: <470E39A5.655F.0018.0@dap.es>
References: <470E39A5.655F.0018.0@dap.es>
Message-ID: <470E2BE7.8020308@redhat.com>

Esteban Torres Rodriguez wrote:
> I have installed my synchronous AD with FDS without any problem. The users I create are all in AD. I want to install Postfix+Dovecot authenticating against FDS, but when I create a user in AD and it synchronizes with FDS, it does not set the attributes maildir, posixAccount, mailRecipient, etc. for me... How can I solve this? If I synchronize from FDS to AD, do they appear for me? How can I modify the AD schema? I need help on this.

Fedora DS cannot currently sync any attributes from AD other than a subset of the basic inetOrgPerson schema for users.

From GCopeland at efjohnson.com Thu Oct 11 14:04:08 2007
From: GCopeland at efjohnson.com (Greg Copeland)
Date: Thu, 11 Oct 2007 09:04:08 -0500
Subject: [Fedora-directory-users] DB Recovery Help?
Message-ID: <273A72C669F45B4996896A031B88CCEFA9CBDC@EFJDFWMX01.EFJDFW.local>

I have two LDAP servers operating in a replication mode.
This morning I found the replicated server is no longer running. I tried to restart it and I get this in the logs/errors file. How do I recover my database?

Fedora-Directory/1.0.2 B2006.060.1928
eng2.efjdfw.local:389 (/opt/fedora-ds/slapd-engldap2)

[11/Oct/2007:08:56:29 -0500] - Fedora-Directory/1.0.2 B2006.060.1928 starting up
[11/Oct/2007:08:56:29 -0500] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[11/Oct/2007:08:56:29 -0500] - libdb: Ignoring log file: /opt/fedora-ds/slapd-engldap2/db/log.0000000137: magic number 0, not 40988
[11/Oct/2007:08:56:30 -0500] - libdb: Invalid log file: log.0000000137: Invalid argument
[11/Oct/2007:08:56:30 -0500] - libdb: First log record not found
[11/Oct/2007:08:56:30 -0500] - libdb: PANIC: Invalid argument
[11/Oct/2007:08:56:30 -0500] - Database Recovery Process FAILED. The database is not recoverable. err=-30978: DB_RUNRECOVERY: Fatal error, run database recovery
[11/Oct/2007:08:56:30 -0500] - Please make sure there is enough disk space for dbcache (10485760 bytes) and db region files
[11/Oct/2007:08:56:30 -0500] - start: Failed to init database, err=-30978 DB_RUNRECOVERY: Fatal error, run database recovery
[11/Oct/2007:08:56:30 -0500] - Failed to start database plugin ldbm database
[11/Oct/2007:08:56:30 -0500] - WARNING: ldbm instance userRoot already exists
[11/Oct/2007:08:56:30 -0500] binder-based resource limits - nsLookThroughLimit: parameter error (slapi_reslimit_register() already registered)
[11/Oct/2007:08:56:30 -0500] - start: Resource limit registration failed
[11/Oct/2007:08:56:30 -0500] - Failed to start database plugin ldbm database
[11/Oct/2007:08:56:30 -0500] - Error: Failed to resolve plugin dependencies
[11/Oct/2007:08:56:30 -0500] - Error: preoperation plugin 7-bit check is not started
[11/Oct/2007:08:56:30 -0500] - Error: accesscontrol plugin ACL Plugin is not started
[11/Oct/2007:08:56:30 -0500] - Error: preoperation plugin ACL preoperation is not started
[11/Oct/2007:08:56:30 -0500] - Error: postoperation plugin Class of Service is not started
[11/Oct/2007:08:56:30 -0500] - Error: preoperation plugin HTTP Client is not started
[11/Oct/2007:08:56:30 -0500] - Error: database plugin ldbm database is not started
[11/Oct/2007:08:56:30 -0500] - Error: object plugin Legacy Replication Plugin is not started
[11/Oct/2007:08:56:30 -0500] - Error: object plugin Multimaster Replication Plugin is not started
[11/Oct/2007:08:56:30 -0500] - Error: preoperation plugin Pass Through Authentication is not started
[11/Oct/2007:08:56:30 -0500] - Error: postoperation plugin referential integrity postoperation is not started
[11/Oct/2007:08:56:30 -0500] - Error: postoperation plugin Roles Plugin is not started
[11/Oct/2007:08:56:30 -0500] - Error: object plugin Views is not started

Best Regards,
Greg Copeland

From rmeggins at redhat.com Thu Oct 11 20:15:36 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 11 Oct 2007 14:15:36 -0600
Subject: [Fedora-directory-users] Missing tasks directory
In-Reply-To: <19555646.1192027628990.OPEN-XCHANGE.WebMail.wwwrun@p15179592>
References: <14548925.1191939859544.OPEN-XCHANGE.WebMail.wwwrun@p15179592> <470BA28C.8000605@redhat.com> <19555646.1192027628990.OPEN-XCHANGE.WebMail.wwwrun@p15179592>
Message-ID: <470E8468.2050301@redhat.com>

Martin Eckel wrote:
> On Tue 09.10.2007 17:47 Richard Megginson wrote:
>
> > Martin Eckel wrote:
> > > Hi,
> > >
> > > I have installed fedora-ds-1.0.4-1 on a FC6 Linux. I am able to run
> > > the startconsole, but when I open the Admin Server window and select
> > > any item then an error message appears that it tries to access
> > > /admin-serv/tasks/Configuration/ServerSetup. But the tasks directory
> > > doesn't exist. I would expect that it was created by the rpm-package
> > > during installation but it isn't.
> > > I started the rpm-installation with the --nodeps argument (which I
> > > would like to avoid; I assume that could be the reason) because it
> > > says that no httpd is available, but an apache is already installed as
> > > source-package on this system. I have created a symbolic link before
> > > to the httpd-file in /usr/sbin but that doesn't help.
> > > Does anyone know why no tasks directory and its subfolders were created
> > > after the installation?
> > That URL path is not the actual path in the file system. The way the
> > admin server works is that it maps that URL to a LDAP entry somewhere
> > under o=NetscapeRoot in the configuration directory server. It does
> > this so it can apply fine grained access control to each task based on
> > Fedora DS ACIs, rather than on httpd access control.
> >
> > It's going to be tricky to install properly without an httpd.worker
> > package available for setup.
>
> My Apache is compiled as worker version.
>
> > >
> > > Excuse me for my bad English and many Thanks in advance
> > > Martin
> > >
> > > ------------------------------------------------------------------------
> > >
> > > --
> > > Fedora-directory-users mailing list
> > > Fedora-directory-users at redhat.com
> > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > >
>
> Thank you for your answer, Richard. I am still working on the same
> problem. I have checked my ldap structure in the Directory Server
> startconsole. There exists an "admin-serv-ldap" element in the
> NetscapeRoot Directory. I called my servername "ldap" during the
> installation setup, so it should be correct. But if I click on any
> button in the Admin Server console window, the error-message shows
> that it tries to access the "admin-serv" directory.
Check the admin server access and error logs /opt/fedora-ds/admin-serv/logs
> Also a mysterious thing is that if I click on a button in the
> Directory Server window, i.e. "Manage Certificates", then only an empty
> box is appearing.
Check the admin server access and error logs?
> Is there any configuration file where this access path is defined ?
Not exactly. It's really very simple - the admin server converts the path /admin-serv/Tasks/Name into an ldap entry - it first looks for the admin server entry cn=admin-serv-ldap, then looks for cn=Name,cn=Tasks under that entry.
>
> Regards,
> Martin
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From afreitas at sei.ba.gov.br Thu Oct 11 20:11:27 2007
From: afreitas at sei.ba.gov.br (Agnaldo Freitas)
Date: Thu, 11 Oct 2007 17:11:27 -0300
Subject: [Fedora-directory-users] samba password change error
Message-ID: <000e01c80c42$e81f0120$2e01a8c0@netuno.intranet>

Hi everybody!

After several tips in relation to the correct way of configuring samba with Fedora-DS, everything was going well. But a few days ago, I was trying to configure CUPS, and as it did not start I tried to remove it, reinstall it, and update it with the commands "yum remove cups*", "yum install cups" and "yum update cups*". Since then, I observed that the "password change" (synchronism) stopped functioning with an old error message (you don't have permission to change the password). Here, the password synchronization between samba and Fedora-DS only worked with "pam password":

Can someone help me? This is the configuration that functioned normally until I reinstalled CUPS (because it is the only different thing that "I remember" I can have done).
/etc/samba/smb.conf

    ## Samba password sync with Linux via Windows
    # ldap passwd sync = yes
    # here fails, I think it was because FDS doesn't have plugin for "pam_password exop" option.
    pam password change = yes
    unix password sync = Yes
    passwd chat = *New*password* %n *Retype*new*password* %n *passwd:*all*authentication*tokens*updated*successfully*
    passwd program = /usr/sbin/smbldap-passwd -u %u
    obey pam restrictions = no

/etc/ldap.conf

    base dc=sei,dc=intranet
    host 192.168.2.3
    rootbinddn cn=Directory Manager
    # It was my only problem in the past, I forgot this line!
    timelimit 120
    pam_lookup_policy yes
    ssl no
    pam_password crypt

/etc/nsswitch.conf

    passwd:     files ldap
    shadow:     files ldap
    group:      files ldap
    hosts:      files dns
    bootparams: nisplus [NOTFOUND=return] files
    ethers:     files
    netmasks:   files
    networks:   files
    protocols:  files ldap
    rpc:        files
    services:   files ldap
    netgroup:   files ldap
    publickey:  nisplus
    automount:  files ldap
    aliases:    files nisplus

/etc/openldap/ldap.conf

    URI ldap://127.0.0.1/
    BASE dc=sei,dc=intranet

/etc/pam.d/system-auth

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so likeauth nullok
    auth        sufficient    pam_ldap.so use_first_pass
    auth        required      pam_deny.so

    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_succeed_if.so uid < 100 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so retry=3
    password    sufficient    pam_unix.so md5 shadow nullok use_authtok
    password    sufficient    pam_ldap.so use_authtok
    password    required      pam_deny.so

    session     required      pam_limits.so
    session     required      pam_unix.so
    session     optional      pam_ldap.so

Grateful for your attention,
Agnaldo
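A configuration check a directory administrator might run against an /etc/ldap.conf like the one above. This is an added example, not code from the thread or from Fedora DS: it parses the nss_ldap-style file, flags the settings that weaken authentication security (an unencrypted connection combined with a privileged rootbinddn, the unrestricted Directory Manager as the client's bind DN, and client-side password hashing), and shows a hardened variant beside the posted one. The host name ldap.sei.intranet, the CA file path and the cn=nss-proxy bind DN in the hardened variant are constructed placeholders.

```python
"""Audit an nss_ldap / pam_ldap style /etc/ldap.conf for settings that weaken
authentication.  Added example, not from the thread or from Fedora DS."""

# The /etc/ldap.conf from the post, comments removed (constructed copy).
POSTED_LDAP_CONF = """\
base dc=sei,dc=intranet
host 192.168.2.3
rootbinddn cn=Directory Manager
timelimit 120
pam_lookup_policy yes
ssl no
pam_password crypt
"""

# A hardened variant.  Host name, CA path and the cn=nss-proxy DN are placeholders
# to replace with your own; nss-proxy stands for a dedicated account that may only
# read the attributes NSS needs, instead of the all-powerful Directory Manager.
HARDENED_LDAP_CONF = """\
base dc=sei,dc=intranet
uri ldap://ldap.sei.intranet/
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/ca.pem
tls_checkpeer yes
rootbinddn cn=nss-proxy,ou=Special Users,dc=sei,dc=intranet
timelimit 120
pam_lookup_policy yes
pam_password crypt
"""


def parse_ldap_conf(text):
    """Return {option: value}; comments and blank lines are skipped and option
    names lower-cased, as nss_ldap treats them case-insensitively."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(conf):
    """Return [(severity, finding), ...] for the weaknesses this check knows about."""
    findings = []
    ssl = conf.get("ssl", "no").lower()
    encrypted = (ssl in ("yes", "on", "start_tls")
                 or conf.get("uri", "").lower().startswith("ldaps://"))
    rootbinddn = conf.get("rootbinddn", "")
    if not encrypted:
        if rootbinddn:
            findings.append(("high", "rootbinddn %s binds over an unencrypted connection; "
                             "the password kept in /etc/ldap.secret crosses the network in clear"
                             % rootbinddn))
        findings.append(("medium", "no 'ssl start_tls' or ldaps:// URI: user passwords are "
                         "sent in clear during PAM authentication"))
    if rootbinddn.lower() == "cn=directory manager":
        findings.append(("high", "rootbinddn is Directory Manager, which bypasses all ACIs; "
                         "use a dedicated least-privileged bind DN"))
    scheme = conf.get("pam_password", "").lower()
    if scheme in ("crypt", "md5"):
        findings.append(("low", "pam_password %s: the client hashes the new password and "
                         "writes userPassword itself, so the server's password storage "
                         "scheme is not applied" % scheme))
    return findings


def report(text):
    """Audit one config text, print the findings for a human, and return them."""
    findings = audit_ldap_conf(parse_ldap_conf(text))
    for severity, msg in findings:
        print("[%s] %s" % (severity.upper(), msg))
    return findings


if __name__ == "__main__":
    print("posted configuration:")
    report(POSTED_LDAP_CONF)
    print("\nhardened configuration:")
    report(HARDENED_LDAP_CONF)
```

Run it as a script to see the posted file produce two high, one medium and one low finding, while the hardened file keeps only the low one about pam_password; whether that last setting should change depends on which password-change mechanism the server side supports, which is exactly the question the thread leaves open.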
From martin.eckel at infopunkte.de Fri Oct 12 13:01:10 2007
From: martin.eckel at infopunkte.de (Martin Eckel)
Date: Fri, 12 Oct 2007 14:01:10 +0100 (IST)
Subject: [Fedora-directory-users] Missing tasks directory
In-Reply-To: <470E8468.2050301@redhat.com>
References: <14548925.1191939859544.OPEN-XCHANGE.WebMail.wwwrun@p15179592> <470BA28C.8000605@redhat.com> <19555646.1192027628990.OPEN-XCHANGE.WebMail.wwwrun@p15179592> <470E8468.2050301@redhat.com>
Message-ID: <8427651.1192194070165.OPEN-XCHANGE.WebMail.wwwrun@p15179592>

An HTML attachment was scrubbed...

From rmeggins at redhat.com Fri Oct 12 13:43:59 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 12 Oct 2007 07:43:59 -0600
Subject: [Fedora-directory-users] Missing tasks directory
In-Reply-To: <8427651.1192194070165.OPEN-XCHANGE.WebMail.wwwrun@p15179592>
References: <14548925.1191939859544.OPEN-XCHANGE.WebMail.wwwrun@p15179592> <470BA28C.8000605@redhat.com> <19555646.1192027628990.OPEN-XCHANGE.WebMail.wwwrun@p15179592> <470E8468.2050301@redhat.com> <8427651.1192194070165.OPEN-XCHANGE.WebMail.wwwrun@p15179592>
Message-ID: <470F7A1F.9080603@redhat.com>

Martin Eckel wrote:
> On Thu 11.10.2007 22:15 Richard Megginson wrote:
>
> > Martin Eckel wrote:
> > > On Tue 09.10.2007 17:47 Richard Megginson wrote:
> > >
> > > > Martin Eckel wrote:
> > > > > Hi,
> > > > >
> > > > > I have installed fedora-ds-1.0.4-1 on a FC6 Linux. I am able to run
> > > > > the startconsole, but when I open the Admin Server window and select
> > > > > any item then an error message appears that it tries to access
> > > > > /admin-serv/tasks/Configuration/ServerSetup. But the tasks directory
> > > > > doesn't exist. I would expect that it was created by the rpm-package
> > > > > during installation but it isn't.
> > > > > I started the rpm-installation with the --nodeps argument (which I
> > > > > would like to avoid; I assume that could be the reason) because it
> > > > > says that no httpd is available, but an apache is already installed as
> > > > > source-package on this system. I have created a symbolic link before
> > > > > to the httpd-file in /usr/sbin but that doesn't help.
> > > > > Does anyone know why no tasks directory and its subfolders were created
> > > > > after the installation?
> > > > That URL path is not the actual path in the file system. The way the
> > > > admin server works is that it maps that URL to a LDAP entry somewhere
> > > > under o=NetscapeRoot in the configuration directory server. It does
> > > > this so it can apply fine grained access control to each task based on
> > > > Fedora DS ACIs, rather than on httpd access control.
> > > >
> > > > It's going to be tricky to install properly without an httpd.worker
> > > > package available for setup.
> > >
> > > My Apache is compiled as worker version.
> > >
> > > > >
> > > > > Excuse me for my bad English and many Thanks in advance
> > > > > Martin
> > > > >
> > > > > ------------------------------------------------------------------------
> > > > >
> > > > > --
> > > > > Fedora-directory-users mailing list
> > > > > Fedora-directory-users at redhat.com
> > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > > > >
> > >
> > > Thank you for your answer, Richard. I am still working on the same
> > > problem. I have checked my ldap structure in the Directory Server
> > > startconsole. There exists an "admin-serv-ldap" element in the
> > > NetscapeRoot Directory. I called my servername "ldap" during the
> > > installation setup, so it should be correct. But if I click on any
> > > button in the Admin Server console window, the error-message shows
> > > that it tries to access the "admin-serv" directory.
> > Check the admin server access and error logs /opt/fedora-ds/admin-serv/logs
> > > Also a mysterious thing is that if I click on a button in the
> > > Directory Server window, i.e. "Manage Certificates", then only an empty
> > > box is appearing.
> > Check the admin server access and error logs?
> > > Is there any configuration file where this access path is defined ?
> > Not exactly. It's really very simple - the admin server converts the
> > path /admin-serv/Tasks/Name into an ldap entry - it first looks for the
> > admin server entry cn=admin-serv-ldap, then looks for cn=Name,cn=Tasks
> > under that entry.
> > >
> > > Regards,
> > > Martin
> > >
> > > ------------------------------------------------------------------------
> > >
> > > --
> > > Fedora-directory-users mailing list
> > > Fedora-directory-users at redhat.com
> > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > >
>
> This is a part of the admin-serv/logs/error file:
> [Fri Oct 12 14:37:02 2007] [notice] [client 217.24.204.116] admserv_host_ip_check: ap_get_remote_host could not resolve 217.24.204.116
> [Fri Oct 12 14:37:02 2007] [warn] [client 217.24.204.116] admserv_host_ip_check: failed to get host by ip addr [217.24.204.116] - check your host and DNS configuration
> [Fri Oct 12 14:37:10 2007] [notice] [client 217.24.204.116] admserv_host_ip_check: ap_get_remote_host could not resolve 217.24.204.116
> [Fri Oct 12 14:37:10 2007] [warn] [client 217.24.204.116] admserv_host_ip_check: failed to get host by ip addr [217.24.204.116] - check your host and DNS configuration
> [Fri Oct 12 14:37:10 2007] [error] [client 217.24.204.116] (104)Connection reset by peer: ap_content_length_filter: apr_bucket_read() failed
>
> And this is always repeated in the access file if I do something in the Admin Server:
> 217.24.204.110 - admin [12/Oct/2007:14:36:54 +0200] "GET /admin-serv/authenticate HTTP/1.0" 200 369
> 217.24.204.116 - uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot [12/Oct/2007:14:37:00 +0200] "GET /admin-serv/tasks/operation/StatusPing HTTP/1.0" 200 19
> 217.24.204.116 - uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot [12/Oct/2007:14:37:02 +0200] "GET /admin-serv/tasks/operation/StatusPing HTTP/1.0" 200 19
> 217.24.204.116 - uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot [12/Oct/2007:14:37:10 +0200] "POST /admin-serv/tasks/Configuration/ServerSetup HTTP/1.0" 200 58
>
> Could it be that reverse DNS mapping is required for correct functionality of the Admin Server?
It is if you want to restrict access by host name. But you can disable this and just restrict access by IP address. See http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt - please read the whole page then especially the section "How to set the hosts/IP addresses allowed to access the Admin Server"
> The URL of my ldap server has a valid entry in a DNS server and I can
> do a ping on it. In the error log there is nothing else than the DNS errors.
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From oeufdure at gmail.com Sun Oct 14 18:20:18 2007
From: oeufdure at gmail.com (Fabrice Durand)
Date: Sun, 14 Oct 2007 20:20:18 +0200
Subject: [Fedora-directory-users] Virtual Views problem
Message-ID: <146df21c0710141120w6865cce1n2e002ac365013195@mail.gmail.com>

Hi,
I try to understand what's wrong with my virtual views.
I've got an 'ou' where all my users are (ou=People,dc=test,dc=fr).
So I created virtual views with different ou with objectclass: nsview and with nsViewFilter: (something), like this:

dn: ou=entreprise,ou=annuaire,dc=test,dc=fr
modifytimestamp: 20071005102053Z
modifiersname: cn=directory manager
ou: Cap l'Orient
objectClass: organizationalUnit
objectClass: top
objectClass: nsview
creatorsname: cn=directory manager
createtimestamp: 20060130145928Z
nsuniqueid: fad66382-1dd111b2-8076e5f7-b3860000
parentid: 323
entryid: 324
entrydn: ou=entreprise,ou=annuaire,dc=test,dc=fr
numsubordinates: 8
subschemasubentry: cn=schema
hassubordinates: TRUE

dn: ou=Services Fonctionnels,ou=entreprise,ou=annuaire,dc=test,dc=fr
modifytimestamp: 20071008122956Z
modifiersname: cn=directory manager
nsViewFilter: (departmentnumber=DGSF*)
objectClass: organizationalUnit
objectClass: top
objectClass: nsview
ou: DG Services Fonctionnels
creatorsname: cn=directory manager
createtimestamp: 20060130145928Z
nsuniqueid: fad66383-1dd111b2-8076e5f7-b3860000
parentid: 324
entryid: 325
entrydn: ou=services fonctionnels,ou=entreprise,ou=annuaire,dc=test,dc=fr
numsubordinates: 3
subschemasubentry: cn=schema
hassubordinates: TRUE

dn: ou=Ressources Humaines,ou=Services Fonctionnels,ou=entreprise,ou=annuaire,dc=test,dc=fr
modifytimestamp: 20071005102032Z
modifiersname: cn=directory manager
nsViewFilter: (departmentnumber=DGSF-RH)
objectClass: organizationalUnit
objectClass: top
objectClass: nsview
ou: Ressources humaines
creatorsname: cn=directory manager
createtimestamp: 20060130145928Z
nsuniqueid: fad66384-1dd111b2-8076e5f7-b3860000
parentid: 325
entryid: 326
entrydn: ou=ressources humaines,ou=services fonctionnels,ou=entreprise,ou=annuaire,dc=test,dc=fr
numsubordinates: 0
subschemasubentry: cn=schema
hassubordinates: FALSE
....

The problem is when I try to get all the hierarchy with a perl script or with php under ou=entreprise,ou=annuaire,dc=test,dc=fr, FDS doesn't return all the ou.
(with phpldapadmin I can see the hierarchy)

The perl script I use to get all the hierarchy:

    use strict;
    use warnings;
    use Net::LDAP;

    my $ldap = Net::LDAP->new('127.0.0.1') or die "$@";
    my $mesg = $ldap->bind;     # an anonymous bind
    $mesg = $ldap->search(      # perform a search
        base   => "ou=entreprise,ou=annuaire,dc=caplorient,dc=com",
        scope  => 'sub',
        filter => "(objectClass=nsview)",
    );
    $mesg->code && die $mesg->error;

    foreach my $entry ($mesg->entries) {
        my $dn = $entry->dn();
        foreach my $attr ($entry->attributes) {
            # attribute names are case-insensitive in LDAP, and 'ou' must be
            # a quoted string (the bareword comparison never matched)
            if (lc($attr) eq 'ou') {
                my $ou = $entry->get_value($attr);
                print $dn . "\n";
                print $ou . "\n";
            }
        }
    }

    $mesg = $ldap->unbind;      # take down session

If anyone has had the same type of problem, thank you in advance for the answer.

Fabrice

From etorres at dap.es Mon Oct 15 07:42:01 2007
From: etorres at dap.es (Esteban Torres Rodriguez)
Date: Mon, 15 Oct 2007 09:42:01 +0200
Subject: [Fedora-directory-users] AD with FDS with Dovecot
In-Reply-To: <470E2BE7.8020308@redhat.com>
References: <470E39A5.655F.0018.0@dap.es> <470E2BE7.8020308@redhat.com>
Message-ID: <471335E9.655F.0018.0@dap.es>

Has anyone another idea how to solve my problem?

Esteban Torres Rodríguez
ÁREA DE SOPORTE TÉCNICO - Administración de Servidores
Subdirección de Sistemas Informáticos
Empresa Pública Desarrollo Agrario y Pesquero,
email: etorres at dap.es

>>> Richard Megginson 10/11/07 3:57 P.M. >>>
Esteban Torres Rodriguez wrote:
> I have installed my synchronous AD with FDS without any problem. I create all the users in AD. I want to install Postfix+Dovecot authenticating against FDS, but when I create a user in AD and it synchronizes to FDS, it does not set the attributes maildir, posixAccount, mailRecipient, etc. for me. How can I solve this? If I synchronize from FDS to AD, will they appear? How can I modify the AD schema? I need help with this.
>
Fedora DS cannot currently sync any attributes from AD other than a subset of the basic inetOrgPerson schema for users.
> Excuse for my english.
>
> Esteban Torres Rodríguez
> ÁREA DE SOPORTE TÉCNICO - Administración de Servidores
> Subdirección de Sistemas Informáticos
> Empresa Pública Desarrollo Agrario y Pesquero,
> email: etorres at dap.es
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From fmunoz at hispafuentes.com Mon Oct 15 11:42:27 2007
From: fmunoz at hispafuentes.com (Fernando Muñoz)
Date: Mon, 15 Oct 2007 13:42:27 +0200
Subject: [Fedora-directory-users] Automatically Full Re-syncronization Windows Synchronization agreement
Message-ID: <1192448547.6225.15.camel@hispafuentes>

Hi,

I have installed FDS-1.0.4 with a Windows Synchronization agreement against a Windows 2003 Domain Controller.

If the directory is shut down (stop or fallback), when I start it I have initiated a Full Re-synchronization manually from the console, because this error appears in the log:

[11/Oct/2007:14:02:08 +0200] NSMMReplicationPlugin - agmt="cn=GRS_ppal-GRS_DA" (10:636): Replica has no update vector. It has never been initialized.

Is it possible to initialize this agreement automatically, with a special attribute in the Synchronization agreement ldap entry? Or in the init script? How?

I reviewed the "CLI" and I don't find the attribute to initialize this agreement automatically.

thanks,

From prowley at redhat.com Mon Oct 15 20:27:45 2007
From: prowley at redhat.com (Pete Rowley)
Date: Mon, 15 Oct 2007 13:27:45 -0700
Subject: [Fedora-directory-users] Virtual Views problem
In-Reply-To: <146df21c0710141120w6865cce1n2e002ac365013195@mail.gmail.com>
References: <146df21c0710141120w6865cce1n2e002ac365013195@mail.gmail.com>
Message-ID: <4713CD41.7080706@redhat.com>

Fabrice Durand wrote:
> Hi,
> I try to understand what's wrong with my virtual views.
>
You are searching for views inside the view hierarchy since ou=entreprise,ou=annuaire,dc=test,dc=fr is a view without a filter. So your search is being rewritten to be from scope ou=annuaire,dc=test,dc=fr, made a subtree search if it is not already, and then the filter is rewritten to realize the view. Part of the filter rewriting is to ignore views entries unless they match the original filter and are in the original search scope - it is quite possible that there is some odd interaction in this case. Do you see the views if you use (ou=*)?
> I've got an 'ou' where all my users are (ou=People,dc=test,dc=fr)
> So I created virtual views with different ou with objectclass :
> nsview and with nsViewFilter: (something) like this:
>
> dn: ou=entreprise,ou=annuaire,dc=test,dc=fr
> modifytimestamp: 20071005102053Z
> modifiersname: cn=directory manager
> ou: Cap l'Orient
> objectClass: organizationalUnit
> objectClass: top
> objectClass: nsview
> creatorsname: cn=directory manager
> createtimestamp: 20060130145928Z
> nsuniqueid: fad66382-1dd111b2-8076e5f7-b3860000
> parentid: 323
> entryid: 324
> entrydn: ou=entreprise,ou=annuaire,dc=test,dc=fr
> numsubordinates: 8
> subschemasubentry: cn=schema
> hassubordinates: TRUE
>
> dn: ou=Services Fonctionnels,ou=entreprise,ou=annuaire,dc=test,dc=fr
> modifytimestamp: 20071008122956Z
> modifiersname: cn=directory manager
> nsViewFilter: (departmentnumber=DGSF*)
> objectClass: organizationalUnit
> objectClass: top
> objectClass: nsview
> ou: DG Services Fonctionnels
> creatorsname: cn=directory manager
> createtimestamp: 20060130145928Z
> nsuniqueid: fad66383-1dd111b2-8076e5f7-b3860000
> parentid: 324
> entryid: 325
> entrydn: ou=services fonctionnels,ou=entreprise,ou=annuaire,dc=test,dc=fr
> numsubordinates: 3
> subschemasubentry: cn=schema
> hassubordinates: TRUE
>
> dn: ou=Ressources Humaines,ou=Services
> Fonctionnels,ou=entreprise,ou=annuaire,dc=test,dc=fr
> modifytimestamp: 20071005102032Z
> modifiersname: cn=directory manager
> nsViewFilter: (departmentnumber=DGSF-RH)
> objectClass: organizationalUnit
> objectClass: top
> objectClass: nsview
> ou: Ressources humaines
> creatorsname: cn=directory manager
> createtimestamp: 20060130145928Z
> nsuniqueid: fad66384-1dd111b2-8076e5f7-b3860000
> parentid: 325
> entryid: 326
> entrydn: ou=ressources humaines,ou=services
> fonctionnels,ou=entreprise,ou=annuaire,dc=test,dc=fr
> numsubordinates: 0
> subschemasubentry: cn=schema
> hassubordinates: FALSE
> ....
>
> The problem is when I try to get all the hierarchy with a perl script
> or with php under ou=entreprise,ou=annuaire,dc=test,dc=fr , FDS
> doesn't return all the ou. (with phpldapadmin I can see the hierarchy)
>
> The perl script I use to get all the hierarchy:
>
> use Net::LDAP;
> use Switch;
>
> $ldup = Net::LDAP->new( '127.0.0.1 ' ) or die "$@";
> $masg = $ldup->bind ; # an anonymous bind
> $masg = $ldup->search( # perform a search
> base =>
> "ou=entreprise,ou=annuaire,dc=caplorient,dc=com",
> scope => 'sub',
> filter => "(objectClass=nsview)"
> );
>
> $masg->code && die $masg->error;
> foreach $entry ($masg->entries)
> {
> $uid=$cn=$givenname=$mail=$sn="NULL";
> $dn=$entry->dn();
>
> foreach $attr ($entry->attributes)
> {
> if($attr eq ou)
> {
> $uid=$entry->get_value($attr);
> print $dn."\n";
> print $uid."\n";
> }
> }
>
> }
>
> $mesg = $ldup->unbind; # take down session
>
> If anyone has had the same type of problem, thank you in advance for
> the answer
>
> Fabrice
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

--
Pete
From glenn at mail.txwes.edu Tue Oct 16 16:49:15 2007
From: glenn at mail.txwes.edu (Glenn)
Date: Tue, 16 Oct 2007 11:49:15 -0500
Subject: [Fedora-directory-users] Windows Sync and displayname Attribute
Message-ID: <20071016163832.M13888@mail.txwes.edu>

We are trying to populate Active Directory using Fedora Directory and Windows Sync. It works great if we make sure the FD data is in a format that AD will accept. There is one hitch -- we need to fill the displayname attribute in AD, since this will be used by our new Exchange address book. I tried adding the "displayname" attribute to an FD user record, but it doesn't replicate to AD, even after a full resync. Can anyone suggest how this could be done?

Thanks.

-Glenn.

From carlopmart at gmail.com Wed Oct 17 07:39:31 2007
From: carlopmart at gmail.com (carlopmart)
Date: Wed, 17 Oct 2007 09:39:31 +0200
Subject: [Fedora-directory-users] Testing FDS 1.1
Message-ID: <4715BC33.7090406@gmail.com>

Hi all,

As the fedora web says: "The code has been completed for the new features in Fedora DS 1.1. Our focus now is on whittling down the bug list, testing, and updating the documentation". From where can I download a test release??

Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com

From oeufdure at gmail.com Wed Oct 17 09:36:51 2007
From: oeufdure at gmail.com (Fabrice Durand)
Date: Wed, 17 Oct 2007 11:36:51 +0200
Subject: [Fedora-directory-users] Re: Virtual Views problem
In-Reply-To: <146df21c0710141120w6865cce1n2e002ac365013195@mail.gmail.com>
References: <146df21c0710141120w6865cce1n2e002ac365013195@mail.gmail.com>
Message-ID: <146df21c0710170236h220e4710p7147c706634e61e7@mail.gmail.com>

Hi, thank you for the reply.

You are right, it's because my "ou" ou=entreprise,ou=annuaire,dc=test,dc=fr and ou=annuaire,dc=test,dc=fr contain objectclass=nsview, but do not contain nsviewfilter=something..
Thanks,
Fabrice

> Hi,
> I try to understand what's wrong with my virtual views.
>
> You are searching for views inside the view hierarchy since ou=entreprise,ou=annuaire,dc=test,dc=fr is a view without a filter. So your search is being rewritten to be from scope ou=annuaire,dc=test,dc=fr, made a subtree search if it is not already, and then the filter is rewritten to realize the view. Part of the filter rewriting is to ignore views entries unless they match the original filter and are in the original search scope - it is quite possible that there is some odd interaction in this case. Do you see the views if you use (ou=*)?
> I've got an 'ou' where all my users are (ou=People,dc=test,dc=fr)
> So I created virtual views with different ou with objectclass :
> nsview and with nsViewFilter: (something) like this:
>
> dn: ou=entreprise,ou=annuaire,dc=test,dc=fr
> modifytimestamp: 20071005102053Z
> modifiersname: cn=directory manager
> ou: Cap l'Orient
> objectClass: organizationalUnit
> objectClass: top
> objectClass: nsview
> creatorsname: cn=directory manager
> createtimestamp: 20060130145928Z
> nsuniqueid: fad66382-1dd111b2-8076e5f7-b3860000
> parentid: 323
> entryid: 324
> entrydn: ou=entreprise,ou=annuaire,dc=test,dc=fr
> numsubordinates: 8
> subschemasubentry: cn=schema
> hassubordinates: TRUE
>
> dn: ou=Services Fonctionnels,ou=entreprise,ou=annuaire,dc=test,dc=fr
> modifytimestamp: 20071008122956Z
> modifiersname: cn=directory manager
> nsViewFilter: (departmentnumber=DGSF*)
> objectClass: organizationalUnit
> objectClass: top
> objectClass: nsview
> ou: DG Services Fonctionnels
> creatorsname: cn=directory manager
> createtimestamp: 20060130145928Z
> nsuniqueid: fad66383-1dd111b2-8076e5f7-b3860000
> parentid: 324
> entryid: 325
> entrydn: ou=services fonctionnels,ou=entreprise,ou=annuaire,dc=test,dc=fr
> numsubordinates: 3
> subschemasubentry: cn=schema
> hassubordinates: TRUE
>
> dn: ou=Ressources Humaines,ou=Services
> Fonctionnels,ou=entreprise,ou=annuaire,dc=test,dc=fr
> modifytimestamp: 20071005102032Z
> modifiersname: cn=directory manager
> nsViewFilter: (departmentnumber=DGSF-RH)
> objectClass: organizationalUnit
> objectClass: top
> objectClass: nsview
> ou: Ressources humaines
> creatorsname: cn=directory manager
> createtimestamp: 20060130145928Z
> nsuniqueid: fad66384-1dd111b2-8076e5f7-b3860000
> parentid: 325
> entryid: 326
> entrydn: ou=ressources humaines,ou=services
> fonctionnels,ou=entreprise,ou=annuaire,dc=test,dc=fr
> numsubordinates: 0
> subschemasubentry: cn=schema
> hassubordinates: FALSE
> ....
>
> The problem is when I try to get all the hierarchy with a perl script
> or with php under ou=entreprise,ou=annuaire,dc=test,dc=fr , FDS
> doesn't return all the ou. (with phpldapadmin I can see the hierarchy)
>
> The perl script I use to get all the hierarchy:
>
> use Net::LDAP;
> use Switch;
>
> $ldup = Net::LDAP->new( '127.0.0.1 ' ) or die "$@";
> $masg = $ldup->bind ; # an anonymous bind
> $masg = $ldup->search( # perform a search
> base =>
> "ou=entreprise,ou=annuaire,dc=caplorient,dc=com",
> scope => 'sub',
> filter => "(objectClass=nsview)"
> );
>
> $masg->code && die $masg->error;
> foreach $entry ($masg->entries)
> {
> $uid=$cn=$givenname=$mail=$sn="NULL";
> $dn=$entry->dn();
>
> foreach $attr ($entry->attributes)
> {
> if($attr eq ou)
> {
> $uid=$entry->get_value($attr);
> print $dn."\n";
> print $uid."\n";
> }
> }
>
> }
>
> $mesg = $ldup->unbind; # take down session
>
> If anyone has had the same type of problem, thank you in advance for
> the answer
>
> Fabrice
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> --
> Pete
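To make the filter side of Pete's explanation concrete, here is an added example (not part of the thread and not the views plugin's own code) that takes the three view entries Fabrice posted, trimmed to the attributes that matter, plus a few constructed users, and computes which users each view presents. It assumes the rule that a view's effective filter is the AND of its own nsViewFilter and those of its ancestor views, and that a view with no filter anywhere in its chain (ou=entreprise here) imposes no restriction; both are assumptions about plugin behaviour, not statements from the thread. The filter evaluator handles only equality and trailing-wildcard assertions combined with &, | and !.

```python
"""Which users does a Fedora DS virtual view present?  Added example, not part
of the thread; ASSUMES the effective filter of a view is the AND of its own
nsViewFilter and those of its ancestor views."""
import re

# View entries from the post, trimmed to dn, ou, objectClass and nsViewFilter.
VIEWS_LDIF = """\
dn: ou=entreprise,ou=annuaire,dc=test,dc=fr
ou: Cap l'Orient
objectClass: organizationalUnit
objectClass: nsview

dn: ou=Services Fonctionnels,ou=entreprise,ou=annuaire,dc=test,dc=fr
nsViewFilter: (departmentnumber=DGSF*)
objectClass: organizationalUnit
objectClass: nsview
ou: DG Services Fonctionnels

dn: ou=Ressources Humaines,ou=Services Fonctionnels,ou=entreprise,ou=annuaire,dc=test,dc=fr
nsViewFilter: (departmentnumber=DGSF-RH)
objectClass: organizationalUnit
objectClass: nsview
ou: Ressources humaines
"""

# Constructed users under ou=People (the post shows none).
USERS = [
    {"dn": "uid=alice,ou=People,dc=test,dc=fr", "departmentnumber": "DGSF-RH"},
    {"dn": "uid=bob,ou=People,dc=test,dc=fr", "departmentnumber": "DGSF-FIN"},
    {"dn": "uid=carol,ou=People,dc=test,dc=fr", "departmentnumber": "DGST-IT"},
]


def parse_ldif(text):
    """Minimal LDIF reader: blank line separates entries, 'attr: value' per line
    (no base64 values, no continuation lines).  Attribute names are lower-cased."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parent_dn(dn):
    """Drop the leftmost RDN (these DNs contain no escaped commas)."""
    return dn.split(",", 1)[1] if "," in dn else ""


def effective_filter(views, view_dn):
    """AND of the nsViewFilter values from view_dn up through its ancestor views.
    None means no view in the chain carries a filter."""
    by_dn = {v["dn"][0].lower(): v for v in views}
    parts, cur = [], view_dn.lower()
    while cur in by_dn:
        parts = by_dn[cur].get("nsviewfilter", []) + parts   # ancestors first
        cur = parent_dn(cur)
    if not parts:
        return None
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"


def split_top_level(s):
    """Split '(a)(b)(c)' into its top-level parenthesised components."""
    subs, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                subs.append(s[start:i + 1])
    return subs


def matches(filt, entry):
    """Evaluate an LDAP filter limited to (attr=value), (attr=prefix*) and &, |, !."""
    filt = filt.strip()
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("unsupported filter: %r" % filt)
    body = filt[1:-1]
    if body[0] in "&|!":
        results = [matches(sub, entry) for sub in split_top_level(body[1:])]
        if body[0] == "&":
            return all(results)
        if body[0] == "|":
            return any(results)
        return not results[0]
    attr, _, pattern = body.partition("=")
    value = entry.get(attr.strip().lower())
    if value is None:
        return False
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def view_members(views, users, view_dn):
    """DNs of the users the view at view_dn presents (assumption: a view whose
    chain carries no filter at all presents every user)."""
    filt = effective_filter(views, view_dn)
    return [u["dn"] for u in users if filt is None or matches(filt, u)]


if __name__ == "__main__":
    views = parse_ldif(VIEWS_LDIF)
    for v in views:
        dn = v["dn"][0]
        print(dn, "->", effective_filter(views, dn), view_members(views, USERS, dn))
```

Run as a script it shows ou=Ressources Humaines resolving to (&(departmentnumber=DGSF*)(departmentnumber=DGSF-RH)) and presenting only alice, ou=Services Fonctionnels presenting alice and bob, and the filterless ou=entreprise presenting everyone. It models filters only; the scope rewriting and the special handling of view entries that Pete describes are not simulated here.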
From sysadmin.linux at gmail.com Thu Oct 18 18:44:28 2007
From: sysadmin.linux at gmail.com (Linux Admin)
Date: Thu, 18 Oct 2007 13:44:28 -0500
Subject: [Fedora-directory-users] backup/dump--restore/import
Message-ID: <696934990710181144i67fc7b52xc3aba7edd0957bb0@mail.gmail.com>

Please forgive the newbie question here.
What is the best way to backup/dump--restore/import a fedora ldap server (without downtime)?
TIA

From rmeggins at redhat.com Thu Oct 18 19:32:19 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 18 Oct 2007 13:32:19 -0600
Subject: [Fedora-directory-users] backup/dump--restore/import
In-Reply-To: <696934990710181144i67fc7b52xc3aba7edd0957bb0@mail.gmail.com>
References: <696934990710181144i67fc7b52xc3aba7edd0957bb0@mail.gmail.com>
Message-ID: <4717B4C3.1070202@redhat.com>

Linux Admin wrote:
> Please forgive the newbie question here.
> What is the best way to backup/dump--restore/import a fedora ldap server
> (without downtime)
Look at the scripts db2ldif.pl, ldif2db.pl, db2bak.pl, and bak2db.pl
> TIA

From iferreir at personal.com.py Thu Oct 18 19:51:13 2007
From: iferreir at personal.com.py (Ivan Ferreira)
Date: Thu, 18 Oct 2007 15:51:13 -0400
Subject: [Fedora-directory-users] backup/dump--restore/import
In-Reply-To: <4717B4C3.1070202@redhat.com>
Message-ID:

I use both, db2ldif and db2bak to backup our directory database.
Very, very simple usage:

LOGFILE=/var/log/DSBackup.log
/opt/fedora-ds/slapd-infra1/db2ldif -n netscaperoot > $LOGFILE 2>&1
/opt/fedora-ds/slapd-infra1/db2ldif -n userRoot >> $LOGFILE 2>&1
/opt/fedora-ds/slapd-infra1/db2bak >> $LOGFILE 2>&1

Richard Megginson (via fedora-directory-users-bounces at redhat.com), 18/10/2007 03:32 p.m.
To: "General discussion list for the Fedora Directory server project."
Subject: Re: [Fedora-directory-users] backup/dump--restore/import
Classification: Internal use
Please reply to: "General discussion list for the Fedora Directory server project."

Linux Admin wrote:
> Please forgive the newbie question here.
> What is the best way to backup/dump--restore/import a fedora ldap server
> (without downtime)
Look at the scripts db2ldif.pl, ldif2db.pl, db2bak.pl, and bak2db.pl
> TIA
(See attached file: smime.p7s)

========================================================================================
LEGAL NOTICE: This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded as a proposal, acceptance, statement of will or official statement from NUCLEO S.A. Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice.

From mwallnoefer at yahoo.de Sat Oct 20 10:50:45 2007
From: mwallnoefer at yahoo.de (Matthias Dieter Wallnöfer)
Date: Sat, 20 Oct 2007 12:50:45 +0200
Subject: [Fedora-directory-users] Samba schema
Message-ID: <4719DD85.6050004@yahoo.de>

Hi!

I asked myself many times why the Fedora Directory Server isn't bundled with a schema for Samba 3. I think this is nearly as important as the RFC and Java schema, because many people use this software in combination with Samba. So, is there a special reason why this wasn't done yet? Maybe a second step would be to write a Samba plugin for the management console.

Matthias

From gnulinux9 at googlemail.com Mon Oct 22 21:19:35 2007
From: gnulinux9 at googlemail.com (John gray)
Date: Mon, 22 Oct 2007 17:19:35 -0400
Subject: [Fedora-directory-users] mandated TLS connections
In-Reply-To:
References:
Message-ID:

---------- Forwarded message ----------
From: John gray
Date: Oct 22, 2007 5:16 PM
Subject: mandated TLS connections
To: fedora-directory-users at redhat.com

Hi all,

I migrated from openldap to redhat directory server.
In openldap I mandated TLS connections, ie:

[root at bjoshi ~]# ldapsearch -x -h 10.1.1.8 uid=bjoshi
ldap_bind: Confidentiality required (13)
        additional info: TLS confidentiality required

[root at bjoshi ~]# ldapsearch -x -LL -ZZ -h 10.1.1.8 uid=bjoshi mail
version: 1

dn: uid=bjoshi,ou=people,dc=example,dc=com
mail: bjoshi at example.com

Below option in /etc/openldap/slapd.conf for enforcing.

security ssf=128 update_ssf=128 simple_bind=128 update_tls=128 tls=128

On the rhds machines tls works, but it also allows plain text searches.
Can anyone suggest configuration in rhds to force tls search only?

Also note, following the below documentation
http://directory.fedoraproject.org/wiki/Howto:SSL#Configure_LDAP_clients
and enabling
nsServerSecurity: on
does not solve the problem.

Only SSL is not an option.

Regards,
Bhargav

From rmeggins at redhat.com Mon Oct 22 21:21:58 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 22 Oct 2007 15:21:58 -0600
Subject: [Fedora-directory-users] mandated TLS connections
In-Reply-To:
References:
Message-ID: <471D1476.5050302@redhat.com>

John gray wrote:
>
> ---------- Forwarded message ----------
> From: *John gray*
> Date: Oct 22, 2007 5:16 PM
> Subject: mandated TLS connections
> To: fedora-directory-users at redhat.com
>
> Hi all,
>
> I migrated from openldap to redhat directory server.
>
> In openldap I mandated TLS connections, ie:
>
> [root at bjoshi ~]# ldapsearch -x -h 10.1.1.8 uid=bjoshi
> ldap_bind: Confidentiality required (13)
>         additional info: TLS confidentiality required
>
> [root at bjoshi ~]# ldapsearch -x -LL -ZZ -h 10.1.1.8 uid=bjoshi mail
> version: 1
>
> dn: uid=bjoshi,ou=people,dc=example,dc=com
> mail: bjoshi at example.com
>
> Below option in /etc/openldap/slapd.conf for enforcing.
>
> security ssf=128 update_ssf=128 simple_bind=128 update_tls=128 tls=128
>
> On the rhds machines tls works, but it also allows plain text searches.
>
> Can anyone suggest configuration in rhds to force tls search only?
>
> Also note, following the below documentation
> http://directory.fedoraproject.org/wiki/Howto:SSL#Configure_LDAP_clients
> and enabling
> nsServerSecurity: on
> does not solve the problem.
>
> Only SSL is not an option.
There is currently no way to do this in Fedora DS.
>
> Regards,
> Bhargav

From sysadmin.linux at gmail.com Wed Oct 24 18:17:00 2007
From: sysadmin.linux at gmail.com (Linux Admin)
Date: Wed, 24 Oct 2007 13:17:00 -0500
Subject: [Fedora-directory-users] Re: backup/dump--restore/import
In-Reply-To: <696934990710181144i67fc7b52xc3aba7edd0957bb0@mail.gmail.com>
References: <696934990710181144i67fc7b52xc3aba7edd0957bb0@mail.gmail.com>
Message-ID: <696934990710241117j405a5b68h623863a7342c5ddf@mail.gmail.com>

If I want to do it through the GUI: which option do I use: Backup/Restore or Import/Export?
When I used Backup....I tried to restore into vanilla LDAP specifying the top level directory which contains NetscapeRoot and userRoot subdirs, I get error 53 (failed to read the backup file set)

On 10/18/07, Linux Admin wrote:
>
> Please forgive the newbie question here.
> What is the best way to backup/dump--restore/import a fedora ldap server
> (without downtime)
> TIA
>
URL: From rmeggins at redhat.com Wed Oct 24 18:25:58 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 24 Oct 2007 12:25:58 -0600 Subject: [Fedora-directory-users] Re: backup/dump--restore/import In-Reply-To: <696934990710241117j405a5b68h623863a7342c5ddf@mail.gmail.com> References: <696934990710181144i67fc7b52xc3aba7edd0957bb0@mail.gmail.com> <696934990710241117j405a5b68h623863a7342c5ddf@mail.gmail.com> Message-ID: <471F8E36.2060306@redhat.com> Linux Admin wrote: > If I want to do through GUI: which option do I use: Backup/Restore or > Import/Export Backup creates a binary backup of your entire database. Export creates an LDIF (ASCII) dump of the database you specify (userRoot or NetscapeRoot). > When I sued Backup....I tried to restore into vanilla LDAP specifying > the top level directory which contains NetascapeRoot and userRoot > subdirs, I get error 53 (failed to read the backup file set) Can you provide more information about what directory you put your backup in, what directory you told it to restore from, etc. > > > On 10/18/07, *Linux Admin* > wrote: > > Please forgive the newbee question here. > What is the best way to backup/dump--restore/import a fedora ldap > server > (without downtime) > TIA > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From gholbert at broadcom.com Wed Oct 24 18:26:48 2007 From: gholbert at broadcom.com (George Holbert) Date: Wed, 24 Oct 2007 11:26:48 -0700 Subject: [Fedora-directory-users] Re: backup/dump--restore/import In-Reply-To: <696934990710241117j405a5b68h623863a7342c5ddf@mail.gmail.com> References: <696934990710181144i67fc7b52xc3aba7edd0957bb0@mail.gmail.com> <696934990710241117j405a5b68h623863a7342c5ddf@mail.gmail.com> Message-ID: <471F8E68.1000806@broadcom.com> Backup/Restore: Creates / restores from a copy of the server's binary database files. Export/Import: Creates / imports from ASCII text LDIF files representing the data in the directory server. It's actually a good idea to do both (if possible), as this will give you the most flexibility when you're in the heat of a restore. http://www.redhat.com/docs/manuals/dir-server/ag/7.1/dbmanage.html#1055147 > I get error 53 (failed to read the backup file set) Is the backup file set still there? Linux Admin wrote: > If I want to do through GUI: which option do I use: Backup/Restore or > Import/Export > When I sued Backup....I tried to restore into vanilla LDAP specifying > the top level directory which contains NetascapeRoot and userRoot > subdirs, I get error 53 (failed to read the backup file set) > > > On 10/18/07, *Linux Admin* > wrote: > > Please forgive the newbee question here. 
> What is the best way to backup/dump--restore/import a fedora ldap > server > (without downtime) > TIA > > > ------------------------------------------------------------------------ From sysadmin.linux at gmail.com Wed Oct 24 18:33:58 2007 From: sysadmin.linux at gmail.com (Linux Admin) Date: Wed, 24 Oct 2007 13:33:58 -0500 Subject: [Fedora-directory-users] Re: backup/dump--restore/import In-Reply-To: <471F8E36.2060306@redhat.com> References: <696934990710181144i67fc7b52xc3aba7edd0957bb0@mail.gmail.com> <696934990710241117j405a5b68h623863a7342c5ddf@mail.gmail.com> <471F8E36.2060306@redhat.com> Message-ID: <696934990710241133k87bc9bg144dbe92a926c643@mail.gmail.com> Thanks Richard and George, Here is what I have tired: I tried restoring from both: 1. Export/Import from ldif file: backup all the subtrees and get a lot of rejects on this restore 2. Backup/Restore: Backup creates a directory of my choosing with 2 ldif files and 3 subderectories: userRoot NetscapeRoot and one more subdir for my app all 3 subdirs have db4 files Restoring: if I specify the top leve back directory (same as I use during backup process) I get error 53 (cannot read dir) Restore will take 3 subdirectires (netacpre root or userRoot) and will run OK. but then it stops working, you can not log in or on restart admin server would not start. On 10/24/07, Richard Megginson wrote: > > Linux Admin wrote: > > If I want to do through GUI: which option do I use: Backup/Restore or > > Import/Export > Backup creates a binary backup of your entire database. > Export creates an LDIF (ASCII) dump of the database you specify > (userRoot or NetscapeRoot). > > When I sued Backup....I tried to restore into vanilla LDAP specifying > > the top level directory which contains NetascapeRoot and userRoot > > subdirs, I get error 53 (failed to read the backup file set) > Can you provide more information about what directory you put your > backup in, what directory you told it to restore from, etc. 
> > > > > > On 10/18/07, *Linux Admin* > > wrote: > > > > Please forgive the newbee question here. > > What is the best way to backup/dump--restore/import a fedora ldap > > server > > (without downtime) > > TIA > > > > > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Wed Oct 24 18:38:04 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 24 Oct 2007 12:38:04 -0600 Subject: [Fedora-directory-users] Re: backup/dump--restore/import In-Reply-To: <696934990710241133k87bc9bg144dbe92a926c643@mail.gmail.com> References: <696934990710181144i67fc7b52xc3aba7edd0957bb0@mail.gmail.com> <696934990710241117j405a5b68h623863a7342c5ddf@mail.gmail.com> <471F8E36.2060306@redhat.com> <696934990710241133k87bc9bg144dbe92a926c643@mail.gmail.com> Message-ID: <471F910C.50909@redhat.com> Linux Admin wrote: > Thanks Richard and George, > Here is what I have tired: > I tried restoring from both: > 1. Export/Import from ldif file: > backup all the subtrees and get a lot of rejects on this restore How did you do the import? > 2. Backup/Restore: > Backup creates a directory of my choosing with 2 ldif > files and 3 subderectories: > userRoot NetscapeRoot and one more subdir for my app > all 3 subdirs have db4 files Can you post an ls -lR of the backup directory? > Restoring: if I specify the top leve back directory (same as I use > during backup process) I get error 53 (cannot read dir) Check the server error log. > Restore will take 3 subdirectires (netacpre root or userRoot) and will > run OK. 
but then it stops working, you can not log in or on restart > admin server would not start. > > > On 10/24/07, *Richard Megginson* > wrote: > > Linux Admin wrote: > > If I want to do through GUI: which option do I use: > Backup/Restore or > > Import/Export > Backup creates a binary backup of your entire database. > Export creates an LDIF (ASCII) dump of the database you specify > (userRoot or NetscapeRoot). > > When I sued Backup....I tried to restore into vanilla LDAP > specifying > > the top level directory which contains NetascapeRoot and userRoot > > subdirs, I get error 53 (failed to read the backup file set) > Can you provide more information about what directory you put your > backup in, what directory you told it to restore from, etc. > > > > > > On 10/18/07, *Linux Admin* < sysadmin.linux at gmail.com > > > >> wrote: > > > > Please forgive the newbee question here. > > What is the best way to backup/dump--restore/import a fedora > ldap > > server > > (without downtime) > > TIA > > > > > > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
From sysadmin.linux at gmail.com Wed Oct 24 18:49:55 2007
From: sysadmin.linux at gmail.com (Linux Admin)
Date: Wed, 24 Oct 2007 13:49:55 -0500
Subject: [Fedora-directory-users] Re: backup/dump--restore/import
In-Reply-To: <471F910C.50909@redhat.com>
References: <696934990710181144i67fc7b52xc3aba7edd0957bb0@mail.gmail.com> <696934990710241117j405a5b68h623863a7342c5ddf@mail.gmail.com> <471F8E36.2060306@redhat.com> <696934990710241133k87bc9bg144dbe92a926c643@mail.gmail.com> <471F910C.50909@redhat.com>
Message-ID: <696934990710241149s58e7cddetbc0cd58aea101b15@mail.gmail.com>

This is beyond bad:
Here is what I did now:
I copied my backup dir into: serverRoot/slapd-serverID/bak/backup_name
So when you click the restore button it actually finds the name of the backup and directory and yet it will produce error 53 (failed to read the backup file set from....)

Here is ls -al from /tmp/2007_backup
-rwxrwxrwx 1 ldapds ldapds      18 Oct 18 14:17 DBVERSION
-rwxrwxrwx 1 ldapds ldapds   50218 Oct 18 14:17 dse_index.ldif
-rwxrwxrwx 1 ldapds ldapds    1211 Oct 18 14:17 dse_instance.ldif
-rwxrwxrwx 1 ldapds ldapds 4070917 Oct 18 14:17 log.0000000749
drwxrwxrwx 2 ldapds ldapds    4096 Oct 18 14:17 NetscapeRoot
drwxrwxrwx 2 ldapds ldapds    4096 Oct 18 14:17 PolicySvr4
drwxrwxrwx 2 ldapds ldapds    4096 Oct 18 14:17 userRoot

If you specify /tmp/2007_bak as restore dir you get error 53
You can specify /tmp/2007_bak/NetscapeRoot....etc all 3 subdirs and it will work
Yet!!! here is what you get in error log
[24/Oct/2007:13:34:45 -0500] - Warning: config backup file dse_instance.ldif not found in backup
[24/Oct/2007:13:34:45 -0500] - Warning: config backup file dse_index.ldif not found in back
No kidding, they are in the top level dir.
I wonder if this ever worked?
On 10/24/07, Richard Megginson wrote: > > Linux Admin wrote: > > Thanks Richard and George, > > Here is what I have tired: > > I tried restoring from both: > > 1. Export/Import from ldif file: > > backup all the subtrees and get a lot of rejects on this restore > How did you do the import? > > 2. Backup/Restore: > > Backup creates a directory of my choosing with 2 ldif > > files and 3 subderectories: > > userRoot NetscapeRoot and one more subdir for my app > > all 3 subdirs have db4 files > Can you post an ls -lR of the backup directory? > > Restoring: if I specify the top leve back directory (same as I use > > during backup process) I get error 53 (cannot read dir) > Check the server error log. > > Restore will take 3 subdirectires (netacpre root or userRoot) and will > > run OK. but then it stops working, you can not log in or on restart > > admin server would not start. > > > > > > On 10/24/07, *Richard Megginson* > > wrote: > > > > Linux Admin wrote: > > > If I want to do through GUI: which option do I use: > > Backup/Restore or > > > Import/Export > > Backup creates a binary backup of your entire database. > > Export creates an LDIF (ASCII) dump of the database you specify > > (userRoot or NetscapeRoot). > > > When I sued Backup....I tried to restore into vanilla LDAP > > specifying > > > the top level directory which contains NetascapeRoot and userRoot > > > subdirs, I get error 53 (failed to read the backup file set) > > Can you provide more information about what directory you put your > > backup in, what directory you told it to restore from, etc. > > > > > > > > > On 10/18/07, *Linux Admin* < sysadmin.linux at gmail.com > > > > > > >> wrote: > > > > > > Please forgive the newbee question here. 
> > > What is the best way to backup/dump--restore/import a fedora > > ldap > > > server > > > (without downtime) > > > TIA > > > > > > > > > > > > ------------------------------------------------------------------------ > > > > > > -- > > > Fedora-directory-users mailing list > > > Fedora-directory-users at redhat.com > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From sysadmin.linux at gmail.com Wed Oct 24 18:54:35 2007 From: sysadmin.linux at gmail.com (Linux Admin) Date: Wed, 24 Oct 2007 13:54:35 -0500 Subject: [Fedora-directory-users] Re: backup/dump--restore/import In-Reply-To: <471F8E68.1000806@broadcom.com> References: <696934990710181144i67fc7b52xc3aba7edd0957bb0@mail.gmail.com> <696934990710241117j405a5b68h623863a7342c5ddf@mail.gmail.com> <471F8E68.1000806@broadcom.com> Message-ID: <696934990710241154p45bb11a4lb0cf2f4dc7bdb8f4@mail.gmail.com> Using the refernace for redhat site even command line does work error 43: Failed to read backup file set On 10/24/07, George Holbert wrote: > > Backup/Restore: Creates / restores from a copy of the server's binary > database files. > Export/Import: Creates / imports from ASCII text LDIF files > representing the data in the directory server. 
>
> It's actually a good idea to do both (if possible), as this will give
> you the most flexibility when you're in the heat of a restore.
>
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/dbmanage.html#1055147
>
> > I get error 53 (failed to read the backup file set)
>
> Is the backup file set still there?
>
> Linux Admin wrote:
> > If I want to do it through the GUI: which option do I use: Backup/Restore or
> > Import/Export
> > When I used Backup....I tried to restore into vanilla LDAP specifying
> > the top level directory which contains NetscapeRoot and userRoot
> > subdirs, I get error 53 (failed to read the backup file set)
> >
> > On 10/18/07, *Linux Admin* wrote:
> >
> >     Please forgive the newbie question here.
> >     What is the best way to backup/dump--restore/import a fedora ldap
> >     server (without downtime)
> >     TIA
> >
> > ------------------------------------------------------------------------
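The restore failures in this thread (error 53 from the top-level directory, success from a backend subdirectory, then "config backup file ... not found in backup" warnings) are the kind of thing a pre-restore check of the backup set catches. The POSIX shell function below is an added example, not from the thread or from the Directory Server scripts; it assumes only the db2bak layout shown in the ls listing posted earlier (DBVERSION, dse_instance.ldif, dse_index.ldif, a log.* transaction log and one subdirectory per backend) and that the restore runs as the server's own account.

```shell
#!/bin/sh
# Added example (not part of the thread): sanity-check a db2bak backup set
# before pointing bak2db or the console Restore button at it.
# Layout assumed from the ls listing posted in the thread:
#   DBVERSION, dse_instance.ldif, dse_index.ldif, log.NNNNNNNNNN,
#   plus one subdirectory per backend (userRoot, NetscapeRoot, ...).

# check_backup_set DIR
# Prints one line per problem found; returns 0 only when the set looks restorable.
check_backup_set() {
    dir=$1
    rc=0

    # 1. The restore path must be the top-level backup directory. A backend
    #    subdirectory holds the db4 files but none of the config files, which
    #    is what the "config backup file ... not found in backup" warning means.
    for f in DBVERSION dse_instance.ldif dse_index.ldif; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing $dir/$f: restore from the top-level backup dir, not a backend subdir"
            rc=1
        fi
    done

    # 2. Without a transaction log the database cannot be recovered consistently.
    if ! ls "$dir"/log.* >/dev/null 2>&1; then
        echo "no log.* transaction log in $dir"
        rc=1
    fi

    # 3. Every backend directory must actually contain database files.
    n=0
    for d in "$dir"/*/; do
        [ -d "$d" ] || continue
        n=$((n + 1))
        if [ -z "$(ls -A "$d")" ]; then
            echo "backend dir $d is empty"
            rc=1
        fi
    done
    if [ "$n" -eq 0 ]; then
        echo "no backend subdirectories in $dir"
        rc=1
    fi

    # 4. The restore runs as the ns-slapd user, so files that account cannot
    #    read are as good as missing. Run this check as that user (the
    #    'ldapds' owner in the listing) to see what the server will see.
    for f in "$dir"/* "$dir"/*/*; do
        [ -e "$f" ] || continue
        if [ ! -r "$f" ]; then
            echo "$f is not readable by $(id -un)"
            rc=1
        fi
    done

    return $rc
}
```

This only catches layout and permission problems; George's point still stands that a db2bak set is tied to the architecture, hostname and cn=config of the server that produced it, so for DR onto different hardware keep the db2ldif export as well.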
URL: From sysadmin.linux at gmail.com Wed Oct 24 19:02:52 2007 From: sysadmin.linux at gmail.com (Linux Admin) Date: Wed, 24 Oct 2007 14:02:52 -0500 Subject: [Fedora-directory-users] Re: backup/dump--restore/import In-Reply-To: <696934990710241154p45bb11a4lb0cf2f4dc7bdb8f4@mail.gmail.com> References: <696934990710181144i67fc7b52xc3aba7edd0957bb0@mail.gmail.com> <696934990710241117j405a5b68h623863a7342c5ddf@mail.gmail.com> <471F8E68.1000806@broadcom.com> <696934990710241154p45bb11a4lb0cf2f4dc7bdb8f4@mail.gmail.com> Message-ID: <696934990710241202j7e0e6047p86f2ab87a81673f8@mail.gmail.com> It get really bad: on new clean server: Backup from CLI: db2bak Restore CLI: works OK then I bring the dir produce by db2bak from the server I am trying to restore to new box and teh same restore commad fails On 10/24/07, Linux Admin wrote: > > Using the refernace for redhat site even command line does work > error 43: Failed to read backup file set > > > On 10/24/07, George Holbert < gholbert at broadcom.com> wrote: > > > > Backup/Restore: Creates / restores from a copy of the server's binary > > database files. > > Export/Import: Creates / imports from ASCII text LDIF files > > representing the data in the directory server. > > > > It's actually a good idea to do both (if possible), as this will give > > you the most flexibility when you're in the heat of a restore. > > > > > > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/dbmanage.html#1055147 > > > > > I get error 53 (failed to read the backup file set) > > > > Is the backup file set still there? 
> > Linux Admin wrote:
> > > If I want to do it through the GUI: which option do I use: Backup/Restore or
> > > Import/Export
> > > When I used Backup....I tried to restore into vanilla LDAP specifying
> > > the top level directory which contains NetscapeRoot and userRoot
> > > subdirs, I get error 53 (failed to read the backup file set)
> > >
> > > On 10/18/07, *Linux Admin* < sysadmin.linux at gmail.com > wrote:
> > >
> > >     Please forgive the newbie question here.
> > >     What is the best way to backup/dump--restore/import a fedora ldap
> > >     server (without downtime)
> > >     TIA
> > >
> > > ------------------------------------------------------------------------

From gholbert at broadcom.com Wed Oct 24 19:09:31 2007
From: gholbert at broadcom.com (George Holbert)
Date: Wed, 24 Oct 2007 12:09:31 -0700
Subject: [Fedora-directory-users] Re: backup/dump--restore/import
In-Reply-To: <696934990710241202j7e0e6047p86f2ab87a81673f8@mail.gmail.com>
References: <696934990710181144i67fc7b52xc3aba7edd0957bb0@mail.gmail.com> <696934990710241117j405a5b68h623863a7342c5ddf@mail.gmail.com> <471F8E68.1000806@broadcom.com> <696934990710241154p45bb11a4lb0cf2f4dc7bdb8f4@mail.gmail.com> <696934990710241202j7e0e6047p86f2ab87a81673f8@mail.gmail.com>
Message-ID: <471F986B.5080005@broadcom.com>

db2bak (binary backup) is pretty specific to the machine on which it was created.
At least a few dependencies:
- architecture of the machine (e.g., sparc to intel, or 32 to 64 bit).
- hostname is sprinkled throughout o=NetscapeRoot.
- index and other configuration in the server's cn=config.
Unless you're restoring on an identical machine with identical directory server configuration, I would expect quirks when attempting what you've described.

On the bright side, since it does work on the new server, it sounds like you've isolated the problem to something with the original server.

What happens when you create a fresh new directory server instance on the original, and try to backup and restore that instance?

Linux Admin wrote:
> It gets really bad:
> on new clean server:
> Backup from CLI: db2bak
> Restore CLI: works OK
> then I bring the dir produced by db2bak from the server I am trying to
> restore to new box and the same restore command fails
>
> On 10/24/07, Linux Admin wrote:
> > Using the reference from the redhat site, even command line does work
> > error 43: Failed to read backup file set
> >
> > On 10/24/07, George Holbert <gholbert at broadcom.com> wrote:
> > > Backup/Restore: Creates / restores from a copy of the server's binary
> > > database files.
> > > Export/Import: Creates / imports from ASCII text LDIF files
> > > representing the data in the directory server.
> > >
> > > It's actually a good idea to do both (if possible), as this will give
> > > you the most flexibility when you're in the heat of a restore.
> > >
> > > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/dbmanage.html#1055147
> > >
> > > > I get error 53 (failed to read the backup file set)
> > >
> > > Is the backup file set still there?
> > >
> > > Linux Admin wrote:
> > > > If I want to do it through the GUI, which option do I use: Backup/Restore or
> > > > Import/Export?
> > > > When I used Backup....I tried to restore into vanilla LDAP, specifying
> > > > the top level directory which contains NetscapeRoot and userRoot
> > > > subdirs, I get error 53 (failed to read the backup file set)
> > > >
> > > > On 10/18/07, Linux Admin <sysadmin.linux at gmail.com> wrote:
> > > > > Please forgive the newbie question here.
> > > > > What is the best way to backup/dump--restore/import a fedora ldap
> > > > > server (without downtime)?
> > > > > TIA

From sysadmin.linux at gmail.com Wed Oct 24 19:12:01 2007
From: sysadmin.linux at gmail.com (Linux Admin)
Date: Wed, 24 Oct 2007 14:12:01 -0500
Subject: [Fedora-directory-users] Re: backup/dump--restore/import
In-Reply-To: <471F986B.5080005@broadcom.com>
References: <696934990710181144i67fc7b52xc3aba7edd0957bb0@mail.gmail.com> <696934990710241117j405a5b68h623863a7342c5ddf@mail.gmail.com> <471F8E68.1000806@broadcom.com> <696934990710241154p45bb11a4lb0cf2f4dc7bdb8f4@mail.gmail.com> <696934990710241202j7e0e6047p86f2ab87a81673f8@mail.gmail.com> <471F986B.5080005@broadcom.com>
Message-ID: <696934990710241212r6257aa98y65d8db8905083ae@mail.gmail.com>

I can not really create a new dir on the original. I am doing DR.
So if that does not work, what are my options in building the DR?

On 10/24/07, George Holbert wrote:
> db2bak (binary backup) is pretty specific to the machine on which it was
> created.
> At least a few dependencies:
> - architecture of the machine (e.g., sparc to intel, or 32 to 64 bit).
> - hostname is sprinkled throughout o=NetscapeRoot.
> - index and other configuration in the server's cn=config.
>
> Unless you're restoring on an identical machine with identical directory
> server configuration, I would expect quirks when attempting what you've
> described.
> On the bright side, since it does work on the new server, it sounds like
> you've isolated the problem to something with the original server.
> What happens when you create a fresh new directory server instance on
> the original, and try to backup and restore that instance?

From rmeggins at redhat.com Wed Oct 24 19:17:03 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 24 Oct 2007 13:17:03 -0600
Subject: [Fedora-directory-users] Re: backup/dump--restore/import
In-Reply-To: <696934990710241202j7e0e6047p86f2ab87a81673f8@mail.gmail.com>
References: <696934990710181144i67fc7b52xc3aba7edd0957bb0@mail.gmail.com> <696934990710241117j405a5b68h623863a7342c5ddf@mail.gmail.com> <471F8E68.1000806@broadcom.com> <696934990710241154p45bb11a4lb0cf2f4dc7bdb8f4@mail.gmail.com> <696934990710241202j7e0e6047p86f2ab87a81673f8@mail.gmail.com>
Message-ID: <471F9A2F.2010801@redhat.com>

Linux Admin wrote:
> It gets really bad:
> on new clean server:
> Backup from CLI: db2bak
> Restore CLI: works OK
> then I bring the dir produced by db2bak from the server I am trying to
> restore to new box and the same restore command fails
Then there must be something going wrong with the copy. Because backup/restore from cli works ok.

From rmeggins at redhat.com Wed Oct 24 19:17:33 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 24 Oct 2007 13:17:33 -0600
Subject: [Fedora-directory-users] Re: backup/dump--restore/import
In-Reply-To: <696934990710241212r6257aa98y65d8db8905083ae@mail.gmail.com>
References: <696934990710181144i67fc7b52xc3aba7edd0957bb0@mail.gmail.com> <696934990710241117j405a5b68h623863a7342c5ddf@mail.gmail.com> <471F8E68.1000806@broadcom.com> <696934990710241154p45bb11a4lb0cf2f4dc7bdb8f4@mail.gmail.com> <696934990710241202j7e0e6047p86f2ab87a81673f8@mail.gmail.com> <471F986B.5080005@broadcom.com> <696934990710241212r6257aa98y65d8db8905083ae@mail.gmail.com>
Message-ID: <471F9A4D.5000107@redhat.com>

Linux Admin wrote:
> I can not really create a new dir on the original. I am doing DR.
> So if that does not work, what are my options in building the DR?
What's "DR"?

From gholbert at broadcom.com Wed Oct 24 19:16:46 2007
From: gholbert at broadcom.com (George Holbert)
Date: Wed, 24 Oct 2007 12:16:46 -0700
Subject: [Fedora-directory-users] Re: backup/dump--restore/import
In-Reply-To: <696934990710241212r6257aa98y65d8db8905083ae@mail.gmail.com>
References: <696934990710181144i67fc7b52xc3aba7edd0957bb0@mail.gmail.com> <696934990710241117j405a5b68h623863a7342c5ddf@mail.gmail.com> <471F8E68.1000806@broadcom.com> <696934990710241154p45bb11a4lb0cf2f4dc7bdb8f4@mail.gmail.com> <696934990710241202j7e0e6047p86f2ab87a81673f8@mail.gmail.com> <471F986B.5080005@broadcom.com> <696934990710241212r6257aa98y65d8db8905083ae@mail.gmail.com>
Message-ID: <471F9A1E.8080304@broadcom.com>

Hmm... If you mean your production server can't be restored from any of your backups, it might be worth it to give RedHat a call and book some professional services to assist in the recovery.

Linux Admin wrote:
> I can not really create a new dir on the original. I am doing DR.
> So if that does not work, what are my options in building the DR?

From sysadmin.linux at gmail.com Wed Oct 24 19:20:28 2007
From: sysadmin.linux at gmail.com (Linux Admin)
Date: Wed, 24 Oct 2007 14:20:28 -0500
Subject: [Fedora-directory-users] Re: backup/dump--restore/import
In-Reply-To: <471F9A2F.2010801@redhat.com>
References: <696934990710181144i67fc7b52xc3aba7edd0957bb0@mail.gmail.com> <696934990710241117j405a5b68h623863a7342c5ddf@mail.gmail.com> <471F8E68.1000806@broadcom.com> <696934990710241154p45bb11a4lb0cf2f4dc7bdb8f4@mail.gmail.com> <696934990710241202j7e0e6047p86f2ab87a81673f8@mail.gmail.com> <471F9A2F.2010801@redhat.com>
Message-ID: <696934990710241220u2b34c2bdof55be74b50e687cb@mail.gmail.com>

DR is disaster recovery.
Copy is OK...I tar the file and sftp to the server.
backup/restore works ok from CLI for me too, but only if backup is done of the original server and restore is done on the same server.
Trying taking backup of server A and restoring it to vanilla server B does not. Will that work for anyone?

On 10/24/07, Richard Megginson wrote:
> Linux Admin wrote:
> > It gets really bad:
> > on new clean server:
> > Backup from CLI: db2bak
> > Restore CLI: works OK
> > then I bring the dir produced by db2bak from the server I am trying to
> > restore to new box and the same restore command fails
> Then there must be something going wrong with the copy. Because
> backup/restore from cli works ok.

From rmeggins at redhat.com Wed Oct 24 19:24:28 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 24 Oct 2007 13:24:28 -0600
Subject: [Fedora-directory-users] Re: backup/dump--restore/import
In-Reply-To: <696934990710241220u2b34c2bdof55be74b50e687cb@mail.gmail.com>
References: <696934990710181144i67fc7b52xc3aba7edd0957bb0@mail.gmail.com> <696934990710241117j405a5b68h623863a7342c5ddf@mail.gmail.com> <471F8E68.1000806@broadcom.com> <696934990710241154p45bb11a4lb0cf2f4dc7bdb8f4@mail.gmail.com> <696934990710241202j7e0e6047p86f2ab87a81673f8@mail.gmail.com> <471F9A2F.2010801@redhat.com> <696934990710241220u2b34c2bdof55be74b50e687cb@mail.gmail.com>
Message-ID: <471F9BEC.40604@redhat.com>

Linux Admin wrote:
> DR is disaster recovery.
> Copy is OK...I tar the file and sftp to the server.
> backup/restore works ok from CLI for me too, but only if backup is done
> of the original server and restore is done on the same server.
> Trying taking backup of server A and restoring it to vanilla server B
> does not. Will that work for anyone?
It should work, assuming the same suffix/database/index configuration on both servers, and assuming the architecture of both machines is the same.
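One way to check the dependencies George and Richard describe before running bak2db, as an added example that is not from the thread or from the Fedora Directory Server project: a POSIX shell script that writes a small manifest beside the db2bak output on the source host and compares it on the target, including a file count to catch a truncated tar/sftp copy. Assumed: backend subdirectories (userRoot, NetscapeRoot) directly under the backup directory holding index files named <attr>.db4, and hypothetical manifest and function names.

```shell
#!/bin/sh
# Added example, not code from the thread or the Fedora Directory Server
# project. Records the host properties a db2bak set depends on (CPU
# architecture, hostname stored inside o=NetscapeRoot, backend layout) and
# a file count, then checks them on the target before a restore.
# Assumptions: backend subdirectories (userRoot, NetscapeRoot) sit directly
# under the backup directory and hold index files named <attr>.db4; the
# manifest name and all function names are hypothetical.

MANIFEST=restore-manifest.txt

# Sorted, space-separated list of backend subdirectories in DIR.
list_backends() {
    for d in "$1"/*/; do [ -d "$d" ] && basename "$d"; done | sort | tr '\n' ' '
}

# Number of regular files in DIR, ignoring the manifest itself.
count_files() {
    find "$1" -type f ! -name "$MANIFEST" | wc -l | tr -d ' '
}

# write_manifest BACKUPDIR [HOSTNAME] [ARCH]
# Run on the source host right after db2bak. HOSTNAME/ARCH default to the
# current machine; the overrides exist so the checks can be exercised offline.
write_manifest() {
    dir=$1; host=${2:-$(uname -n)}; arch=${3:-$(uname -m)}
    [ -d "$dir" ] || { echo "no such backup directory: $dir" >&2; return 2; }
    backends=$(list_backends "$dir")
    files=$(count_files "$dir")
    printf 'arch=%s\nhostname=%s\nbackends=%s\nfiles=%s\n' \
        "$arch" "$host" "$backends" "$files" > "$dir/$MANIFEST"
}

# check_manifest BACKUPDIR [HOSTNAME] [ARCH]
# Run on the target host before bak2db. Prints every mismatch and returns 1
# if any is found, 0 if the set looks restorable here, 2 if no manifest.
check_manifest() {
    dir=$1; host=${2:-$(uname -n)}; arch=${3:-$(uname -m)}
    m="$dir/$MANIFEST"; rc=0
    [ -f "$m" ] || { echo "no $MANIFEST in $dir (set not produced with write_manifest?)" >&2; return 2; }
    want_arch=$(sed -n 's/^arch=//p' "$m")
    want_host=$(sed -n 's/^hostname=//p' "$m")
    want_backends=$(sed -n 's/^backends=//p' "$m")
    want_files=$(sed -n 's/^files=//p' "$m")
    have_backends=$(list_backends "$dir")
    have_files=$(count_files "$dir")
    if [ "$want_arch" != "$arch" ]; then
        echo "architecture mismatch: backup=$want_arch target=$arch (binary db files are not portable)"; rc=1
    fi
    if [ "$want_host" != "$host" ]; then
        echo "hostname mismatch: backup=$want_host target=$host (o=NetscapeRoot and the admin server reference it)"; rc=1
    fi
    if [ "$want_backends" != "$have_backends" ]; then
        echo "backend directories changed: manifest='$want_backends' on disk='$have_backends'"; rc=1
    fi
    if [ "$want_files" != "$have_files" ]; then
        echo "file count changed: manifest=$want_files on disk=$have_files (incomplete copy?)"; rc=1
    fi
    return $rc
}

# compare_indexes BACKUPDIR TARGETDBDIR
# The target's cn=config decides which index files exist in its db directory,
# so comparing the per-backend file names is a cheap proxy for "same index
# configuration". Returns 1 on any difference.
compare_indexes() {
    bak=$1; tgt=$2; rc=0
    for bdir in "$bak"/*/; do
        [ -d "$bdir" ] || continue
        b=$(basename "$bdir")
        if [ ! -d "$tgt/$b" ]; then
            echo "backend $b is in the backup but not in the target instance"; rc=1; continue
        fi
        bl=$(cd "$bdir" && ls *.db* 2>/dev/null | sort | tr '\n' ' ')
        tl=$(cd "$tgt/$b" && ls *.db* 2>/dev/null | sort | tr '\n' ' ')
        if [ "$bl" != "$tl" ]; then
            echo "index files differ for $b: backup='$bl' target='$tl'"; rc=1
        fi
    done
    return $rc
}
```

Run write_manifest on the source right after db2bak and ship the whole directory; on the target, a non-zero exit from check_manifest or compare_indexes means the set is the kind bak2db would reject or restore with quirks.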
From sysadmin.linux at gmail.com Wed Oct 24 20:49:37 2007
From: sysadmin.linux at gmail.com (Linux Admin)
Date: Wed, 24 Oct 2007 15:49:37 -0500
Subject: [Fedora-directory-users] Re: backup/dump--restore/import
In-Reply-To: <471F9BEC.40604@redhat.com>
References: <696934990710181144i67fc7b52xc3aba7edd0957bb0@mail.gmail.com> <696934990710241117j405a5b68h623863a7342c5ddf@mail.gmail.com> <471F8E68.1000806@broadcom.com> <696934990710241154p45bb11a4lb0cf2f4dc7bdb8f4@mail.gmail.com> <696934990710241202j7e0e6047p86f2ab87a81673f8@mail.gmail.com> <471F9A2F.2010801@redhat.com> <696934990710241220u2b34c2bdof55be74b50e687cb@mail.gmail.com> <471F9BEC.40604@redhat.com>
Message-ID: <696934990710241349h46d5acebt6a7f602410bce161@mail.gmail.com>

Thanks Richard, George, Ivan for all your help.
I will do some more testing; so far I did manage to get it to work on a new server with the same identifier.

On 10/24/07, Richard Megginson wrote:
> Linux Admin wrote:
> > DR is disaster recovery.
> > Copy is OK...I tar the file and sftp to the server.
> > backup/restore works ok from CLI for me too, but only if backup is done
> > of the original server and restore is done on the same server.
> > Trying taking backup of server A and restoring it to vanilla server B
> > does not. Will that work for anyone?
> It should work, assuming the same suffix/database/index configuration on
> both servers, and assuming the architecture of both machines is the same.

From sysadmin.linux at gmail.com Wed Oct 24 21:21:24 2007
From: sysadmin.linux at gmail.com (Linux Admin)
Date: Wed, 24 Oct 2007 16:21:24 -0500
Subject: [Fedora-directory-users] Re: backup/dump--restore/import
In-Reply-To: <696934990710241349h46d5acebt6a7f602410bce161@mail.gmail.com>
References: <696934990710181144i67fc7b52xc3aba7edd0957bb0@mail.gmail.com> <696934990710241117j405a5b68h623863a7342c5ddf@mail.gmail.com> <471F8E68.1000806@broadcom.com> <696934990710241154p45bb11a4lb0cf2f4dc7bdb8f4@mail.gmail.com> <696934990710241202j7e0e6047p86f2ab87a81673f8@mail.gmail.com> <471F9A2F.2010801@redhat.com> <696934990710241220u2b34c2bdof55be74b50e687cb@mail.gmail.com> <471F9BEC.40604@redhat.com> <696934990710241349h46d5acebt6a7f602410bce161@mail.gmail.com>
Message-ID: <696934990710241421r5028460fr37a99d66474bbe7@mail.gmail.com>

The restore worked, yet it killed the admin server. Had to manually fix it by copying over the adm.conf and admpw files.
Great mail list! Thank you!!!

On 10/24/07, Linux Admin wrote:
> Thanks Richard, George, Ivan for all your help.
> I will do some more testing; so far I did manage to get it to work on a new
> server with the same identifier.

From Kirill.Petrov at farheap.com Wed Oct 24 23:46:29 2007
From: Kirill.Petrov at farheap.com (Kirill Petrov)
Date: Wed, 24 Oct 2007 16:46:29 -0700
Subject: [Fedora-directory-users] gentoo and web console
Message-ID: <471FD955.8070108@farheap.com>

Hello everybody,

I installed FDS on Gentoo 2007.0 using the instructions provided at this url:

http://gentoo-wiki.com/HOWTO_Install_Fedora_Directory_Server

I did everything according to the manual except that I installed apache 2.2.6 and had to modify httpd.conf to load the cgid module instead of the cgi module.

In general everything seems to work, but when I tried to use the web console Fedora Administration Express it gave me a blank screen with a message:

NMC_Status: 1 NMC_ErrType: NMC_ErrInfo: NMC_ErrDetail:

The organization charts functionality does not work either; it gives me:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, [no address given] and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

The logs have the following records:

Can't load '/opt/fedora-ds/lib/perl/arch/auto/Mozilla/LDAP/API/API.so' for module Mozilla::LDAP::API: libssl3.so: cannot open shared object file: No such file or directory at /usr/lib/perl5/5.8.8/i686-linux/DynaLoader.pm line 230.
 at /opt/fedora-ds/lib/perl/Mozilla/LDAP/Utils.pm line 32
Compilation failed in require at /opt/fedora-ds/lib/perl/Mozilla/LDAP/Utils.pm line 32.
BEGIN failed--compilation aborted at /opt/fedora-ds/lib/perl/Mozilla/LDAP/Utils.pm line 32.
Compilation failed in require at /opt/fedora-ds/lib/perl/Mozilla/LDAP/Conn.pm line 36.
BEGIN failed--compilation aborted at /opt/fedora-ds/lib/perl/Mozilla/LDAP/Conn.pm line 36.
Compilation failed in require at /opt/fedora-ds/clients/orgchart/bin/org line 79.
BEGIN failed--compilation aborted at /opt/fedora-ds/clients/orgchart/bin/org line 79.
[Wed Oct 24 08:15:01 2007] [error] [client 192.168.11.10] Premature end of script headers: org, referer: http://ld:46406/clients/orgchart/html/topframe.html

Does anybody know how to install Fedora Directory Server properly on Gentoo?

thanks,

Kirill

From rmeggins at redhat.com Wed Oct 24 23:55:13 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 24 Oct 2007 17:55:13 -0600
Subject: [Fedora-directory-users] gentoo and web console
In-Reply-To: <471FD955.8070108@farheap.com>
References: <471FD955.8070108@farheap.com>
Message-ID: <471FDB61.7030107@redhat.com>

Kirill Petrov wrote:
> Hello everybody,
>
> I installed FDS on Gentoo 2007.0 using the instructions provided at this url:
>
> http://gentoo-wiki.com/HOWTO_Install_Fedora_Directory_Server
>
> I did everything according to the manual except that I installed apache 2.2.6
> and had to modify httpd.conf to load the cgid module instead of the cgi module.
>
> In general everything seems to work, but when I tried to use the web console
> Fedora Administration Express it gave me a blank screen with a message:
> NMC_Status: 1 NMC_ErrType: NMC_ErrInfo: NMC_ErrDetail:
>
> The organization charts functionality does not work either; it gives me:
>
> Internal Server Error
>
> The server encountered an internal error or misconfiguration and was unable
> to complete your request.
>
> More information about this error may be available in the server error log.
>
> The logs have the following records:
Yeah, orgchart is broken. Does Gentoo have an ldconfig command? You'll have to add the directory /opt/fedora-ds/shared/lib to ldconfig. But this doesn't address why the other web console doesn't work. What else is in your /opt/fedora-ds/admin-serv/logs/error file?
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From Kirill.Petrov at farheap.com Thu Oct 25 00:58:39 2007 From: Kirill.Petrov at farheap.com (Kirill Petrov) Date: Wed, 24 Oct 2007 17:58:39 -0700 Subject: [Fedora-directory-users] gentoo and web console In-Reply-To: <471FDB61.7030107@redhat.com> References: <471FD955.8070108@farheap.com> <471FDB61.7030107@redhat.com> Message-ID: <471FEA3F.5030908@farheap.com> Richard Megginson wrote: >> I installed FDS on Gentoo 2007.0 using the instructions provided at >> this url: >> >> http://gentoo-wiki.com/HOWTO_Install_Fedora_Directory_Server >> >> I did everything according to the manual except that I installed >> apache 2.2.6 and had to modify httpd.conf to load cgid module instead >> of cgi module. >> >> In general everything seems to work but when I tried to use the web >> console Fedora Administration Express >> >> >> it gave me a blank screen with a message: >> NMC_Status: 1 NMC_ErrType: NMC_ErrInfo: NMC_ErrDetail: >> >> The organization charts functionality does not work either, it gives me: >> >> >> Internal Server Error >> >> The server encountered an internal error or misconfiguration and was >> unable to complete your request. >> >> Please contact the server administrator, [no address given] and >> inform them of the time the error occurred, and anything you might >> have done that may have caused the error. >> >> More information about this error may be available in the server >> error log. >> >> >> >> The logs have the following records: > Yeah, orgchart is broken. Does Gentoo have an ldconfig command? > You'll have to add the directory /opt/fedora-ds/shared/lib to ldconfig. > > But this doesn't address why the other web console doesn't work. What > else is in your /opt/fedora-ds/admin-serv/logs/error file? ldconfig solved the problem with the charts but the Administration Console still does not work. 
The only thing I found in the error log was this which does not seem to be a problem: [Wed Oct 24 09:01:57 2007] [warn] [client 192.168.11.10] admserv_host_ip_check: failed to get host by ip addr [192.168.11.10] - check your host and DNS configuratio\ n, referer: http://ld.farheap.com:46406/dist/download [Wed Oct 24 09:02:00 2007] [notice] [client 192.168.11.10] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.11.10, referer: http://ld.farheap.com\ :46406/dist/download [Wed Oct 24 09:02:00 2007] [warn] [client 192.168.11.10] admserv_host_ip_check: failed to get host by ip addr [192.168.11.10] - check your host and DNS configuratio\ n, referer: http://ld.farheap.com:46406/dist/download Where would I go now? I have a VMWare image of the installation, if somebody wants to help me :-) Kirill From rmeggins at redhat.com Thu Oct 25 03:04:47 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 24 Oct 2007 21:04:47 -0600 Subject: [Fedora-directory-users] gentoo and web console In-Reply-To: <471FEA3F.5030908@farheap.com> References: <471FD955.8070108@farheap.com> <471FDB61.7030107@redhat.com> <471FEA3F.5030908@farheap.com> Message-ID: <472007CF.5000403@redhat.com> Kirill Petrov wrote: > Richard Megginson wrote: >>> I installed FDS on Gentoo 2007.0 using the instructions provided at >>> this url: >>> >>> http://gentoo-wiki.com/HOWTO_Install_Fedora_Directory_Server >>> >>> I did everything according to the manual except that I installed >>> apache 2.2.6 and had to modify httpd.conf to load cgid module >>> instead of cgi module. 
>>> >>> In general everything seems to work but when I tried to use the web >>> console Fedora Administration Express >>> >>> >>> it gave me a blank screen with a message: >>> NMC_Status: 1 NMC_ErrType: NMC_ErrInfo: NMC_ErrDetail: >>> >>> The organization charts functionality does not work either, it gives >>> me: >>> >>> >>> Internal Server Error >>> >>> The server encountered an internal error or misconfiguration and was >>> unable to complete your request. >>> >>> Please contact the server administrator, [no address given] and >>> inform them of the time the error occurred, and anything you might >>> have done that may have caused the error. >>> >>> More information about this error may be available in the server >>> error log. >>> >>> >>> >>> The logs have the following records: >> Yeah, orgchart is broken. Does Gentoo have an ldconfig command? >> You'll have to add the directory /opt/fedora-ds/shared/lib to ldconfig. >> >> But this doesn't address why the other web console doesn't work. >> What else is in your /opt/fedora-ds/admin-serv/logs/error file? > > ldconfig solved the problem with the charts but the Administration > Console still does not work. > The only thing I found in the error log was this which does not seem > to be a problem: > > [Wed Oct 24 09:01:57 2007] [warn] [client 192.168.11.10] > admserv_host_ip_check: failed to get host by ip addr [192.168.11.10] - > check your host and DNS configuratio\ > n, referer: http://ld.farheap.com:46406/dist/download > [Wed Oct 24 09:02:00 2007] [notice] [client 192.168.11.10] > admserv_host_ip_check: ap_get_remote_host could not resolve > 192.168.11.10, referer: http://ld.farheap.com\ > :46406/dist/download > [Wed Oct 24 09:02:00 2007] [warn] [client 192.168.11.10] > admserv_host_ip_check: failed to get host by ip addr [192.168.11.10] - > check your host and DNS configuratio\ > n, referer: http://ld.farheap.com:46406/dist/download It doesn't look like you are using "real" hostnames, just NAT'd DHCP addresses. 
You should disable access checking by hostname. See http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt#How_to_set_the_hosts.2FIP_addresses_allowed_to_access_the_Admin_Server > > > Where would I go now? > > I have a VMWare image of the installation, if somebody wants to help > me :-) > > Kirill > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From Kirill.Petrov at farheap.com Thu Oct 25 03:43:18 2007 From: Kirill.Petrov at farheap.com (Kirill Petrov) Date: Wed, 24 Oct 2007 20:43:18 -0700 Subject: [Fedora-directory-users] gentoo and web console In-Reply-To: <472007CF.5000403@redhat.com> References: <471FD955.8070108@farheap.com> <471FDB61.7030107@redhat.com> <471FEA3F.5030908@farheap.com> <472007CF.5000403@redhat.com> Message-ID: <472010D6.4080101@farheap.com> Richard Megginson wrote: > Kirill Petrov wrote: >> Richard Megginson wrote: >>>> I installed FDS on Gentoo 2007.0 using the instructions provided at >>>> this url: >>>> >>>> http://gentoo-wiki.com/HOWTO_Install_Fedora_Directory_Server >>>> >>>> I did everything according to the manual except that I installed >>>> apache 2.2.6 and had to modify httpd.conf to load cgid module >>>> instead of cgi module. >>>> >>>> In general everything seems to work but when I tried to use the >>>> web console Fedora Administration Express >>>> >>>> >>>> it gave me a blank screen with a message: >>>> NMC_Status: 1 NMC_ErrType: NMC_ErrInfo: NMC_ErrDetail: >>>> >>>> The organization charts functionality does not work either, it >>>> gives me: >>>> >>>> >>>> Internal Server Error >>>> >>>> The server encountered an internal error or misconfiguration and >>>> was unable to complete your request. 
>>>> >>>> Please contact the server administrator, [no address given] and >>>> inform them of the time the error occurred, and anything you might >>>> have done that may have caused the error. >>>> >>>> More information about this error may be available in the server >>>> error log. >>>> >>>> >>>> >>>> The logs have the following records: >>> Yeah, orgchart is broken. Does Gentoo have an ldconfig command? >>> You'll have to add the directory /opt/fedora-ds/shared/lib to ldconfig. >>> >>> But this doesn't address why the other web console doesn't work. >>> What else is in your /opt/fedora-ds/admin-serv/logs/error file? >> >> ldconfig solved the problem with the charts but the Administration >> Console still does not work. >> The only thing I found in the error log was this which does not seem >> to be a problem: >> >> [Wed Oct 24 09:01:57 2007] [warn] [client 192.168.11.10] >> admserv_host_ip_check: failed to get host by ip addr [192.168.11.10] >> - check your host and DNS configuratio\ >> n, referer: http://ld.farheap.com:46406/dist/download >> [Wed Oct 24 09:02:00 2007] [notice] [client 192.168.11.10] >> admserv_host_ip_check: ap_get_remote_host could not resolve >> 192.168.11.10, referer: http://ld.farheap.com\ >> :46406/dist/download >> [Wed Oct 24 09:02:00 2007] [warn] [client 192.168.11.10] >> admserv_host_ip_check: failed to get host by ip addr [192.168.11.10] >> - check your host and DNS configuratio\ >> n, referer: http://ld.farheap.com:46406/dist/download > It doesn't look like you are using "real" hostnames, just NAT'd DHCP > addresses. You should disable access checking by hostname. See > http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt#How_to_set_the_hosts.2FIP_addresses_allowed_to_access_the_Admin_Server > Modified nsAdminAccessAddresses and nsAdminAccessHosts, so, now I don't have any errors related to reverse DNS entries. 
The only errors I have left now are the following, when I access the administration console, no new errors show up in the logs. [Wed Oct 24 10:34:27 2007] [notice] Access Address filter is: * [Wed Oct 24 10:34:28 2007] [error] (98)Address already in use: Couldn't bind unix domain socket /var/run/cgisock.6367 [Wed Oct 24 10:34:28 2007] [notice] Access Address filter is: * [Wed Oct 24 10:34:28 2007] [notice] Apache/2.2.6 (Unix) mod_nss/2.2.6 NSS/3.11.3 configured -- resuming normal operations [Wed Oct 24 10:34:28 2007] [error] restartd daemon process died, restarting Kirill From rmeggins at redhat.com Thu Oct 25 13:40:52 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 25 Oct 2007 07:40:52 -0600 Subject: [Fedora-directory-users] gentoo and web console In-Reply-To: <472010D6.4080101@farheap.com> References: <471FD955.8070108@farheap.com> <471FDB61.7030107@redhat.com> <471FEA3F.5030908@farheap.com> <472007CF.5000403@redhat.com> <472010D6.4080101@farheap.com> Message-ID: <47209CE4.3060206@redhat.com> Kirill Petrov wrote: > Richard Megginson wrote: >> Kirill Petrov wrote: >>> Richard Megginson wrote: >>>>> I installed FDS on Gentoo 2007.0 using the instructions provided >>>>> at this url: >>>>> >>>>> http://gentoo-wiki.com/HOWTO_Install_Fedora_Directory_Server >>>>> >>>>> I did everything according to the manual except that I installed >>>>> apache 2.2.6 and had to modify httpd.conf to load cgid module >>>>> instead of cgi module. >>>>> >>>>> In general everything seems to work but when I tried to use the >>>>> web console Fedora Administration Express >>>>> >>>>> >>>>> it gave me a blank screen with a message: >>>>> NMC_Status: 1 NMC_ErrType: NMC_ErrInfo: NMC_ErrDetail: >>>>> >>>>> The organization charts functionality does not work either, it >>>>> gives me: >>>>> >>>>> >>>>> Internal Server Error >>>>> >>>>> The server encountered an internal error or misconfiguration and >>>>> was unable to complete your request. 
>>>>> >>>>> Please contact the server administrator, [no address given] and >>>>> inform them of the time the error occurred, and anything you might >>>>> have done that may have caused the error. >>>>> >>>>> More information about this error may be available in the server >>>>> error log. >>>>> >>>>> >>>>> >>>>> The logs have the following records: >>>> Yeah, orgchart is broken. Does Gentoo have an ldconfig command? >>>> You'll have to add the directory /opt/fedora-ds/shared/lib to >>>> ldconfig. >>>> >>>> But this doesn't address why the other web console doesn't work. >>>> What else is in your /opt/fedora-ds/admin-serv/logs/error file? >>> >>> ldconfig solved the problem with the charts but the Administration >>> Console still does not work. >>> The only thing I found in the error log was this which does not seem >>> to be a problem: >>> >>> [Wed Oct 24 09:01:57 2007] [warn] [client 192.168.11.10] >>> admserv_host_ip_check: failed to get host by ip addr [192.168.11.10] >>> - check your host and DNS configuratio\ >>> n, referer: http://ld.farheap.com:46406/dist/download >>> [Wed Oct 24 09:02:00 2007] [notice] [client 192.168.11.10] >>> admserv_host_ip_check: ap_get_remote_host could not resolve >>> 192.168.11.10, referer: http://ld.farheap.com\ >>> :46406/dist/download >>> [Wed Oct 24 09:02:00 2007] [warn] [client 192.168.11.10] >>> admserv_host_ip_check: failed to get host by ip addr [192.168.11.10] >>> - check your host and DNS configuratio\ >>> n, referer: http://ld.farheap.com:46406/dist/download >> It doesn't look like you are using "real" hostnames, just NAT'd DHCP >> addresses. You should disable access checking by hostname. See >> http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt#How_to_set_the_hosts.2FIP_addresses_allowed_to_access_the_Admin_Server >> > Modified nsAdminAccessAddresses and nsAdminAccessHosts, so, now I > don't have any errors related to reverse DNS entries. 
The only errors > I have left now are the following, when I access the administration > console, no new errors show up in the logs. > > [Wed Oct 24 10:34:27 2007] [notice] Access Address filter is: * > [Wed Oct 24 10:34:28 2007] [error] (98)Address already in use: > Couldn't bind unix domain socket /var/run/cgisock.6367 This is very odd. mod_cgi or mod_cgid creates/opens this socket. Try shutting down the admin server, then removing /var/run/cgisock.* > [Wed Oct 24 10:34:28 2007] [notice] Access Address filter is: * > [Wed Oct 24 10:34:28 2007] [notice] Apache/2.2.6 (Unix) mod_nss/2.2.6 > NSS/3.11.3 configured -- resuming normal operations > [Wed Oct 24 10:34:28 2007] [error] restartd daemon process died, > restarting Also try start-admin -e debug, or edit httpd.conf and set LogLevel to debug > > > Kirill > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From glenn at mail.txwes.edu Thu Oct 25 14:19:47 2007 From: glenn at mail.txwes.edu (Glenn) Date: Thu, 25 Oct 2007 09:19:47 -0500 Subject: [Fedora-directory-users] Windows Sync only works one way Message-ID: <20071025135722.M24872@mail.txwes.edu> I set up a Windows Sync agreement between Fedora Directory and Windows NT, but it only works one way. If I change the "description" attribute in FD and click "Send and Receive Updates", nothing happens. If I click "Send and Receive Updates" again, the description in FD is overwritten by the older description in NT. If I change the description in NT, it is immediately changed in FD. The same thing happens if I do a full resync. What possible causes could result in this one-way sync behavior? The one-way problem seems limited to our production NT server. 
I set up replication on a test system, and it works correctly. Thanks for any suggestions. -Glenn. From kekkou.a at cs.ucy.ac.cy Thu Oct 25 16:03:53 2007 From: kekkou.a at cs.ucy.ac.cy (Andreas Kekkou) Date: Thu, 25 Oct 2007 19:03:53 +0300 Subject: [Fedora-directory-users] Problem with AES Message-ID: <4720BE69.5010809@cs.ucy.ac.cy> Hi all, I'm running FDS in multi-master mode with two servers. Both servers are configured with TLS support. One of the servers logs the following error: [25/Oct/2007:08:50:55 +0300] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES [25/Oct/2007:08:50:55 +0300] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init [25/Oct/2007:08:50:55 +0300] - Failed to initialize cipher AES in attrcrypt_init [25/Oct/2007:08:50:55 +0300] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES [25/Oct/2007:08:50:55 +0300] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init [25/Oct/2007:08:50:55 +0300] - Failed to initialize cipher AES in attrcrypt_init [25/Oct/2007:08:50:57 +0300] - slapd started. Listening on All Interfaces port 389 for LDAP requests [25/Oct/2007:08:50:57 +0300] - Listening on All Interfaces port 636 for LDAPS requests Both servers seems to work just fine. Any ideas how this can be resolved? Thanks, Andreas -------------- next part -------------- A non-text attachment was scrubbed... Name: kekkou.a.vcf Type: text/x-vcard Size: 303 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3525 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Thu Oct 25 16:29:28 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 25 Oct 2007 10:29:28 -0600 Subject: [Fedora-directory-users] Problem with AES In-Reply-To: <4720BE69.5010809@cs.ucy.ac.cy> References: <4720BE69.5010809@cs.ucy.ac.cy> Message-ID: <4720C468.5060705@redhat.com> Andreas Kekkou wrote: > Hi all, > > I'm running FDS in multi-master mode with two servers. Both servers > are configured with TLS support. One of the servers logs the following > error: > > [25/Oct/2007:08:50:55 +0300] - attrcrypt_unwrap_key: failed to unwrap > key for cipher AES > [25/Oct/2007:08:50:55 +0300] - Failed to retrieve key for cipher AES > in attrcrypt_cipher_init > [25/Oct/2007:08:50:55 +0300] - Failed to initialize cipher AES in > attrcrypt_init > [25/Oct/2007:08:50:55 +0300] - attrcrypt_unwrap_key: failed to unwrap > key for cipher AES > [25/Oct/2007:08:50:55 +0300] - Failed to retrieve key for cipher AES > in attrcrypt_cipher_init > [25/Oct/2007:08:50:55 +0300] - Failed to initialize cipher AES in > attrcrypt_init > [25/Oct/2007:08:50:57 +0300] - slapd started. Listening on All > Interfaces port 389 for LDAP requests > [25/Oct/2007:08:50:57 +0300] - Listening on All Interfaces port 636 > for LDAPS requests > > Both servers seems to work just fine. Any ideas how this can be resolved? Has your SSL/TLS configuration changed at all? Have you acquired a new cert or renewed an existing cert? cd /opt/fedora-ds/alias ../shared/bin/certutil -L -P slapd-instance- -d . > > Thanks, > > Andreas > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From timothy.hunt at intraisp.com Thu Oct 25 17:33:02 2007
From: timothy.hunt at intraisp.com (Timothy Hunt)
Date: Thu, 25 Oct 2007 12:33:02 -0500
Subject: [Fedora-directory-users] Problem with getting FDS and AD to sync
Message-ID: <367697F2-2D36-423A-B151-C3081F5106EB@intraisp.com>

I've taken over control of an FDS and an AD server which had been set up before I got to it. I'm still fairly new to LDAP and related things. I come from a unix background rather than windows.

At some point, users put into FDS were replicated on the AD server correctly. Subsequently, the flat "structure" of the users in FDS was improved to be more hierarchical. However, new users added into FDS are not being added into AD. I'm also not familiar enough with AD to know where to see the OU structure that is present in FDS in AD. I'm not even sure if AD would have that structure. I'm at a bit of a loss as to how to start diagnosing where the problem is, let alone fixing it.

I've looked at http://directory.fedoraproject.org/wiki/Howto:WindowsSync but as that is focussed on setting it up initially, I'm not sure how much of it applies.

Help on how to start solving this welcomed.

Timothy

From rmeggins at redhat.com Thu Oct 25 17:50:51 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 25 Oct 2007 11:50:51 -0600
Subject: [Fedora-directory-users] Problem with getting FDS and AD to sync
In-Reply-To: <367697F2-2D36-423A-B151-C3081F5106EB@intraisp.com>
References: <367697F2-2D36-423A-B151-C3081F5106EB@intraisp.com>
Message-ID: <4720D77B.4080205@redhat.com>

Timothy Hunt wrote:
> I've taken over control of an FDS and an AD server which had been set
> up before I got to it. I'm still fairly new to LDAP and related
> things. I come from a unix background rather than windows.
>
> At some point, users put into FDS were replicated on the AD server
> correctly.
Subsequently, the flat "structure" of the users in FDS was > improved to be more hierarchical. However, new users added into FDS > are not being added into AD. I'm also not familiar enough with AD to > know where to see the OU structure that is present in FDS in AD. I'm > not even sure if AD would have that structure. I'm at a bit of a loss > as to how to start diagnosing where the problem is, let alone fixing it. > > I've looked at > http://directory.fedoraproject.org/wiki/Howto:WindowsSync but as that > is focussed on setting it up initially, I'm not sure how much of it > applies. http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2836267 > > Help on how to start solving this welcomed. > > Timothy > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From kekkou.a at cs.ucy.ac.cy Fri Oct 26 06:03:02 2007 From: kekkou.a at cs.ucy.ac.cy (Andreas Kekkou) Date: Fri, 26 Oct 2007 09:03:02 +0300 Subject: [Fedora-directory-users] Problem with AES In-Reply-To: <4720C468.5060705@redhat.com> References: <4720BE69.5010809@cs.ucy.ac.cy> <4720C468.5060705@redhat.com> Message-ID: <47218316.7020400@cs.ucy.ac.cy> Hi Richard, Nothing has changed. Executing the command you have suggested on both servers I get the same output: [root at serverA alias]# ../shared/bin/certutil -L -P slapd-serverA- -d . serverA-cert u,u,u Computer Science Department CA CT,, [root at serverB alias]# ../shared/bin/certutil -L -P slapd-serverB- -d . serverB-cert u,u,u Computer Science Department CA CT,, Is there anything else I have to check? Cheers. Andreas Richard Megginson wrote: > Andreas Kekkou wrote: >> Hi all, >> >> I'm running FDS in multi-master mode with two servers. 
Both servers >> are configured with TLS support. One of the servers logs the >> following error: >> >> [25/Oct/2007:08:50:55 +0300] - attrcrypt_unwrap_key: failed to unwrap >> key for cipher AES >> [25/Oct/2007:08:50:55 +0300] - Failed to retrieve key for cipher AES >> in attrcrypt_cipher_init >> [25/Oct/2007:08:50:55 +0300] - Failed to initialize cipher AES in >> attrcrypt_init >> [25/Oct/2007:08:50:55 +0300] - attrcrypt_unwrap_key: failed to unwrap >> key for cipher AES >> [25/Oct/2007:08:50:55 +0300] - Failed to retrieve key for cipher AES >> in attrcrypt_cipher_init >> [25/Oct/2007:08:50:55 +0300] - Failed to initialize cipher AES in >> attrcrypt_init >> [25/Oct/2007:08:50:57 +0300] - slapd started. Listening on All >> Interfaces port 389 for LDAP requests >> [25/Oct/2007:08:50:57 +0300] - Listening on All Interfaces port 636 >> for LDAPS requests >> >> Both servers seems to work just fine. Any ideas how this can be >> resolved? > Has your SSL/TLS configuration changed at all? Have you acquired a > new cert or renewed an existing cert? > cd /opt/fedora-ds/alias > ../shared/bin/certutil -L -P slapd-instance- -d . >> >> Thanks, >> >> Andreas >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: kekkou.a.vcf Type: text/x-vcard Size: 303 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3525 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Fri Oct 26 15:12:46 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 26 Oct 2007 09:12:46 -0600 Subject: [Fedora-directory-users] Problem with AES In-Reply-To: <47218316.7020400@cs.ucy.ac.cy> References: <4720BE69.5010809@cs.ucy.ac.cy> <4720C468.5060705@redhat.com> <47218316.7020400@cs.ucy.ac.cy> Message-ID: <472203EE.8090609@redhat.com> Andreas Kekkou wrote: > Hi Richard, > > Nothing has changed. Executing the command you have suggested on both > servers I get the same output: > > [root at serverA alias]# ../shared/bin/certutil -L -P slapd-serverA- -d . > serverA-cert u,u,u > Computer Science Department CA CT,, > > [root at serverB alias]# ../shared/bin/certutil -L -P slapd-serverB- -d . > serverB-cert u,u,u > Computer Science Department CA CT,, > > Is there anything else I have to check? grep -i personality /opt/fedora-ds/slapd-instancename/config/dse.ldif The personality name should match with the server cert name in your certdb. > > Cheers. > > Andreas > > Richard Megginson wrote: >> Andreas Kekkou wrote: >>> Hi all, >>> >>> I'm running FDS in multi-master mode with two servers. Both servers >>> are configured with TLS support. One of the servers logs the >>> following error: >>> >>> [25/Oct/2007:08:50:55 +0300] - attrcrypt_unwrap_key: failed to >>> unwrap key for cipher AES >>> [25/Oct/2007:08:50:55 +0300] - Failed to retrieve key for cipher AES >>> in attrcrypt_cipher_init >>> [25/Oct/2007:08:50:55 +0300] - Failed to initialize cipher AES in >>> attrcrypt_init >>> [25/Oct/2007:08:50:55 +0300] - attrcrypt_unwrap_key: failed to >>> unwrap key for cipher AES >>> [25/Oct/2007:08:50:55 +0300] - Failed to retrieve key for cipher AES >>> in attrcrypt_cipher_init >>> [25/Oct/2007:08:50:55 +0300] - Failed to initialize cipher AES in >>> attrcrypt_init >>> [25/Oct/2007:08:50:57 +0300] - slapd started. 
Listening on All >>> Interfaces port 389 for LDAP requests >>> [25/Oct/2007:08:50:57 +0300] - Listening on All Interfaces port 636 >>> for LDAPS requests >>> >>> Both servers seems to work just fine. Any ideas how this can be >>> resolved? >> Has your SSL/TLS configuration changed at all? Have you acquired a >> new cert or renewed an existing cert? >> cd /opt/fedora-ds/alias >> ../shared/bin/certutil -L -P slapd-instance- -d . >>> >>> Thanks, >>> >>> Andreas >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >> >> ------------------------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From Dael.Maselli at lnf.infn.it Fri Oct 26 15:19:04 2007 From: Dael.Maselli at lnf.infn.it (Dael Maselli) Date: Fri, 26 Oct 2007 17:19:04 +0200 Subject: [Fedora-directory-users] Can't locate CSN in Multi-Master replica Message-ID: <47220568.50607@lnf.infn.it> Hi all, I have a multiple master configured with SSL Authentication, it seemed to work correctly, but since a moment (I don't know when) it gave me errors and it doesn't work anymore. When I try to do an update from A to B it works, but from B to A I get this in the B log: [26/Oct/2007:16:53:08 +0200] agmt="cn=B-A" (A:636) - Can't locate CSN 47220f50000000020000 in the changelog (DB rc=-30990). The consumer may need to be reinitialized. 
The A log is:

[26/Oct/2007:16:47:09 +0200] conn=17 SSL 256-bit AES; client CN=B,L=Lecce,OU=Host,O=INFN,C=IT; issuer CN=INFN CA,O=INFN,C=IT
[26/Oct/2007:16:47:09 +0200] conn=17 SSL client bound as cn=B,cn=config
[26/Oct/2007:16:47:09 +0200] conn=17 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[26/Oct/2007:16:47:09 +0200] conn=17 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=B,cn=config"
[26/Oct/2007:16:47:09 +0200] conn=17 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[26/Oct/2007:16:47:09 +0200] conn=17 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[26/Oct/2007:16:47:09 +0200] conn=17 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[26/Oct/2007:16:47:09 +0200] conn=17 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[26/Oct/2007:16:47:09 +0200] conn=17 op=3 EXT oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
[26/Oct/2007:16:47:09 +0200] conn=17 op=3 RESULT err=0 tag=120 nentries=0 etime=0
[26/Oct/2007:16:47:10 +0200] conn=17 op=4 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[26/Oct/2007:16:47:10 +0200] conn=17 op=4 RESULT err=0 tag=120 nentries=0 etime=0

as you can see there isn't a MOD line

If I try to reinitialize A I get this error on B:

NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for replica dc=infn,dc=it does not match the data in the changelog. Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized.

the parts exchange and I can do updates from B to A and not from A to B.

I tried to delete changelog as I read on the manual, also tried to delete and recreate all the replica and agreements but no way to get it work!

Thank you!

Dael.
--
___________________________________________________________________
Dael Maselli --- INFN-LNF Computing Service -- +39.06.9403.2214
___________________________________________________________________
Democracy is two wolves and a lamb voting on what to have for lunch
___________________________________________________________________

From rmeggins at redhat.com Fri Oct 26 17:11:42 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 26 Oct 2007 11:11:42 -0600
Subject: [Fedora-directory-users] Can't locate CSN in Multi-Master replica
In-Reply-To: <47220568.50607@lnf.infn.it>
References: <47220568.50607@lnf.infn.it>
Message-ID: <47221FCE.8050508@redhat.com>

Dael Maselli wrote:
> Hi all,
>
> I have a multiple master configured with SSL Authentication, it seemed
> to work correctly, but since a moment (I don't know when) it gave me
> errors and it doesn't work anymore.
>
> When I try to do an update from A to B it works, but from B to A I get
> this in the B log:
>
> [26/Oct/2007:16:53:08 +0200] agmt="cn=B-A" (A:636) - Can't locate CSN
> 47220f50000000020000 in the changelog (DB rc=-30990). The consumer may
> need to be reinitialized.
Do you have a changelog configured on B? Is B configured as a multiple master? Is the replica ID for B different than A?
>
> The A log is:
>
> [26/Oct/2007:16:47:09 +0200] conn=17 SSL 256-bit AES; client
> CN=B,L=Lecce,OU=Host,O=INFN,C=IT; issuer CN=INFN CA,O=INFN,C=IT
> [26/Oct/2007:16:47:09 +0200] conn=17 SSL client bound as cn=B,cn=config
> [26/Oct/2007:16:47:09 +0200] conn=17 op=0 BIND dn="" method=sasl
> version=3 mech=EXTERNAL
> [26/Oct/2007:16:47:09 +0200] conn=17 op=0 RESULT err=0 tag=97
> nentries=0 etime=0 dn="cn=B,cn=config"
> [26/Oct/2007:16:47:09 +0200] conn=17 op=1 SRCH base="" scope=0
> filter="(objectClass=*)" attrs="supportedControl supportedExtension"
> [26/Oct/2007:16:47:09 +0200] conn=17 op=1 RESULT err=0 tag=101
> nentries=1 etime=0
> [26/Oct/2007:16:47:09 +0200] conn=17 op=2 SRCH base="" scope=0
> filter="(objectClass=*)" attrs="supportedControl supportedExtension"
> [26/Oct/2007:16:47:09 +0200] conn=17 op=2 RESULT err=0 tag=101
> nentries=1 etime=0
> [26/Oct/2007:16:47:09 +0200] conn=17 op=3 EXT
> oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
> [26/Oct/2007:16:47:09 +0200] conn=17 op=3 RESULT err=0 tag=120
> nentries=0 etime=0
> [26/Oct/2007:16:47:10 +0200] conn=17 op=4 EXT
> oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> [26/Oct/2007:16:47:10 +0200] conn=17 op=4 RESULT err=0 tag=120
> nentries=0 etime=0
>
> as you can see there isn't the MOD line
>
> If I try to reinitialize A I get this error on B:
>
> NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for
> replica dc=infn,dc=it does not match the data in the changelog.
> Recreating the changelog file. This could affect replication with
> replica's consumers in which case the consumers should be reinitialized.
>
> the parts exchange and I can do updates from B to A and not from A to B.
>
> I tried to delete changelog as I read on the manual, also tried to
> delete and recreate all the replica and agreements but no way to get
> it work!
>
> Thank you!
>
> Dael.
>
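Richard's questions all turn on the replica id, and that id is carried inside the CSN itself. The following is an added example (not code from the thread or from the Directory Server project) that decodes the "Can't locate CSN" line quoted above into its fields; the replica ids A=1 and B=2 are the ones Dael gives later in the thread, and the sample log line is constructed from the one he posted.

```python
"""Decode 389/Fedora Directory Server CSNs from replication log lines.

A CSN is 20 hex digits laid out as four fixed-width fields:
    8 hex  seconds since the Unix epoch (when the change was generated)
    4 hex  sequence number within that second
    4 hex  replica id of the master that generated the change
    4 hex  sub-sequence number
So in 47220f50000000020000 the replica id is 0002: the fifth digit from the right.
"""
import re
from datetime import datetime, timezone

CSN_HEX = re.compile(r"[0-9a-fA-F]{20}")
# Timestamp as Directory Server writes it in its logs: [26/Oct/2007:16:53:08 +0200]
LOG_TS = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
CANT_LOCATE = re.compile(r'agmt="([^"]+)".*Can\'t locate CSN ([0-9a-fA-F]{20})')


def parse_csn(csn):
    """Split a CSN into its fields; raise ValueError for anything that is not 20 hex digits."""
    if not CSN_HEX.fullmatch(csn):
        raise ValueError("not a CSN: %r" % (csn,))
    ts = int(csn[0:8], 16)
    return {
        "timestamp": ts,
        "utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "seqnum": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),
        "subseqnum": int(csn[16:20], 16),
    }


def explain_cant_locate(log_line):
    """Interpret a "Can't locate CSN" error line; return None for unrelated lines.

    Besides the decoded CSN, report how far the CSN's generation time is ahead of
    (or behind) the log timestamp. The CSN generator keeps CSN time monotonic
    across all masters, so it may legitimately run somewhat ahead of the local
    clock; a gap of many minutes that keeps growing is a hint that the masters'
    clocks are not synchronised.
    """
    m = CANT_LOCATE.search(log_line)
    if m is None:
        return None
    agmt, csn = m.group(1), m.group(2)
    fields = parse_csn(csn)
    result = {"agreement": agmt, "csn": csn, "csn_minus_log_seconds": None}
    result.update(fields)
    t = LOG_TS.search(log_line)
    if t is not None:
        logged = datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S %z")
        result["csn_minus_log_seconds"] = fields["timestamp"] - int(logged.timestamp())
    return result


def changelog_owner(csn, replica_ids):
    """Name the master that generated `csn`, given a {name: replica id} mapping.

    The replica id identifies the originator of the change. In a multi-master
    setup every master also records the changes it receives from the others in
    its own changelog, so the originator is where the change started, not the
    only changelog that may hold it.
    """
    rid = parse_csn(csn)["replica_id"]
    for name, candidate in replica_ids.items():
        if candidate == rid:
            return name
    return None


# Constructed sample: the B-side error line quoted in the thread, plus the replica
# ids A=1 and B=2 that Dael states later (assumption for this example).
SAMPLE_LINE = ('[26/Oct/2007:16:53:08 +0200] agmt="cn=B-A" (A:636) - Can\'t locate CSN '
               '47220f50000000020000 in the changelog (DB rc=-30990). '
               'The consumer may need to be reinitialized.')
REPLICA_IDS = {"A": 1, "B": 2}

if __name__ == "__main__":
    info = explain_cant_locate(SAMPLE_LINE)
    print("agreement %s: CSN %s generated %s UTC by replica id %d (%s), "
          "%d s relative to the log timestamp" % (
              info["agreement"], info["csn"], info["utc"], info["replica_id"],
              changelog_owner(info["csn"], REPLICA_IDS), info["csn_minus_log_seconds"]))
```

Run against the thread's line, it shows the missing CSN was generated by replica id 2 (B, the supplier in agreement cn=B-A), which is why deleting or recreating B's changelog is exactly what makes the CSN unlocatable.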
From timothy.hunt at intraisp.com Fri Oct 26 19:24:13 2007
From: timothy.hunt at intraisp.com (Timothy Hunt)
Date: Fri, 26 Oct 2007 14:24:13 -0500
Subject: [Fedora-directory-users] Problem with getting FDS and AD to sync
In-Reply-To: <4720D77B.4080205@redhat.com>
References: <367697F2-2D36-423A-B151-C3081F5106EB@intraisp.com> <4720D77B.4080205@redhat.com>
Message-ID:

On Oct 25, 2007, at 12:50 PM, Richard Megginson wrote:
> Timothy Hunt wrote:
>> I've taken over control of an FDS and an AD server which had been
>> set up before I got to it. I'm still fairly new to LDAP and
>> related things. I come from a unix background rather than windows.
>>
>> At some point, users put into FDS were replicated on the AD server
>> correctly. Subsequently, the flat "structure" of the users in FDS
>> was improved to be more hierarchical. However, new users added
>> into FDS are not being added into AD. I'm also not familiar
>> enough with AD to know where to see the OU structure that is
>> present in FDS in AD. I'm not even sure if AD would have that
>> structure. I'm at a bit of a loss as to how to start diagnosing
>> where the problem is, let alone fixing it.
>>
>> I've looked at http://directory.fedoraproject.org/wiki/
>> Howto:WindowsSync but as that is focussed on setting it up
>> initially, I'm not sure how much of it applies.
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2836267
>>

Thanks, Richard,

As our AD server isn't yet being used, I decided to break the existing sync agreement, wipe the users on the AD server, and start a new sync agreement.
I've got "replication" logging set and I'm getting this in the FDS log files

[26/Oct/2007:14:15:38 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): Replication session backing off for 191 seconds
[26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): State: backoff -> backoff
[26/Oct/2007:14:18:50 -0500] - acquire_replica, supplier RUV:
[26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - supplier: {replicageneration} 4693ce97000000010000
[26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - supplier: {replica 1 ldap://ds1.intraisp.com:389} 469ee73e000000010000 47223b23000000010000 47223b23
[26/Oct/2007:14:18:50 -0500] - acquire_replica, consumer RUV:
[26/Oct/2007:14:18:50 -0500] - acquire_replica, consumer RUV = null
[26/Oct/2007:14:18:50 -0500] - acquire_replica, supplier RUV is newer
[26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): Trying secure slapi_ldap_init
[26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): binddn = CN=Administrator,CN=Users,DC=directory,DC=intraisp,DC=com, passwd = {DES}cwngvvY1zCw=
[26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): Disconnected from the consumer
[26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): Beginning linger on the connection
[26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): No linger on the closed conn
[26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2" (fs2:636): Replication session backing off for 299 seconds

The "summary" tab of the AD sync agreement on FDS says
Last update message: - LDAP error: Can't contact LDAP server: Error Code: 81

But I can connect to port 636 on the AD server from the RDS box without a problem.

Any suggestions?
Timothy

From rmeggins at redhat.com Fri Oct 26 19:50:53 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 26 Oct 2007 13:50:53 -0600
Subject: [Fedora-directory-users] Problem with getting FDS and AD to sync
In-Reply-To:
References: <367697F2-2D36-423A-B151-C3081F5106EB@intraisp.com> <4720D77B.4080205@redhat.com>
Message-ID: <4722451D.4010302@redhat.com>

Timothy Hunt wrote:
>
> On Oct 25, 2007, at 12:50 PM, Richard Megginson wrote:
>
>> Timothy Hunt wrote:
>>> I've taken over control of an FDS and an AD server which had been
>>> set up before I got to it. I'm still fairly new to LDAP and related
>>> things. I come from a unix background rather than windows.
>>>
>>> At some point, users put into FDS were replicated on the AD server
>>> correctly. Subsequently, the flat "structure" of the users in FDS
>>> was improved to be more hierarchical. However, new users added into
>>> FDS are not being added into AD. I'm also not familiar enough with
>>> AD to know where to see the OU structure that is present in FDS in
>>> AD. I'm not even sure if AD would have that structure. I'm at a
>>> bit of a loss as to how to start diagnosing where the problem is,
>>> let alone fixing it.
>>>
>>> I've looked at
>>> http://directory.fedoraproject.org/wiki/Howto:WindowsSync but as
>>> that is focussed on setting it up initially, I'm not sure how much
>>> of it applies.
>> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2836267
>>>
>>>
>
> Thanks, Richard,
>
> As our AD server isn't yet being used, I decided to break the existing
> sync agreement, wipe the users on the AD server, and start a new sync
> agreement.
>
> I've got "replication" logging set and I'm getting this in the FDS log
> files
>
> [26/Oct/2007:14:15:38 -0500] NSMMReplicationPlugin - agmt="cn=fs2"
> (fs2:636): Replication session backing off for 191 seconds
> [26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2"
> (fs2:636): State: backoff -> backoff
> [26/Oct/2007:14:18:50 -0500] - acquire_replica, supplier RUV:
> [26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - supplier:
> {replicageneration} 4693ce97000000010000
> [26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - supplier:
> {replica 1 ldap://ds1.intraisp.com:389} 469ee73e000000010000
> 47223b23000000010000 47223b23
> [26/Oct/2007:14:18:50 -0500] - acquire_replica, consumer RUV:
> [26/Oct/2007:14:18:50 -0500] - acquire_replica, consumer RUV = null
> [26/Oct/2007:14:18:50 -0500] - acquire_replica, supplier RUV is newer
> [26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2"
> (fs2:636): Trying secure slapi_ldap_init
> [26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2"
> (fs2:636): binddn =
> CN=Administrator,CN=Users,DC=directory,DC=intraisp,DC=com, passwd =
> {DES}cwngvvY1zCw=
> [26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2"
> (fs2:636): Disconnected from the consumer
> [26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2"
> (fs2:636): Beginning linger on the connection
> [26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2"
> (fs2:636): No linger on the closed conn
> [26/Oct/2007:14:18:50 -0500] NSMMReplicationPlugin - agmt="cn=fs2"
> (fs2:636): Replication session backing off for 299 seconds
>
> the "summary" tab of the AD sync agreement on FDS says
> Last update message: - LDAP error: Can't contact LDAP server: Error
> Code: 81
>
> But I can connect to port 636 on the AD server from the RDS box
> without a problem.
Can you connect to port 389 on the AD server? Is it possible you have configured it to use port 636 but not to use SSL (or vice versa)?
>
> Any suggestions?
>
> Timothy
>

From timothy.hunt at intraisp.com Fri Oct 26 20:38:45 2007
From: timothy.hunt at intraisp.com (Timothy Hunt)
Date: Fri, 26 Oct 2007 15:38:45 -0500
Subject: [Fedora-directory-users] Problem with getting FDS and AD to sync
In-Reply-To: <4722451D.4010302@redhat.com>
References: <367697F2-2D36-423A-B151-C3081F5106EB@intraisp.com> <4720D77B.4080205@redhat.com> <4722451D.4010302@redhat.com>
Message-ID:

>>
>> But I can connect to port 636 on the AD server from the RDS box
>> without a problem.
> Can you connect to port 389 on the AD server? Is it possible you
> have configured it to use port 636 but not to use SSL (or vice versa)?
>>

Yes I can, but I also know for sure that 636 is using SSL.

Timothy

From rmeggins at redhat.com Fri Oct 26 20:59:28 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 26 Oct 2007 14:59:28 -0600
Subject: [Fedora-directory-users] Problem with getting FDS and AD to sync
In-Reply-To:
References: <367697F2-2D36-423A-B151-C3081F5106EB@intraisp.com> <4720D77B.4080205@redhat.com> <4722451D.4010302@redhat.com>
Message-ID: <47225530.8040705@redhat.com>

Timothy Hunt wrote:
>>>
>>> But I can connect to port 636 on the AD server from the RDS box
>>> without a problem.
>> Can you connect to port 389 on the AD server? Is it possible you
>> have configured it to use port 636 but not to use SSL (or vice versa)?
>>>
>
> Yes I can, but I also know for sure that 636 is using SSL.
Did you configure the sync agreement to use SSL and to use port 636?
>
> Timothy
>

From timothy.hunt at intraisp.com Fri Oct 26 21:04:32 2007
From: timothy.hunt at intraisp.com (Timothy Hunt)
Date: Fri, 26 Oct 2007 16:04:32 -0500
Subject: [Fedora-directory-users] Problem with getting FDS and AD to sync
In-Reply-To: <47225530.8040705@redhat.com>
References: <367697F2-2D36-423A-B151-C3081F5106EB@intraisp.com> <4720D77B.4080205@redhat.com> <4722451D.4010302@redhat.com> <47225530.8040705@redhat.com>
Message-ID: <5AD059E9-FDC7-420F-BB7F-06D67D6E15B6@intraisp.com>

>>
>> Yes I can, but I also know for sure that 636 is using SSL.
> Did you configure the sync agreement to use SSL and to use port 636?
>>
>>

Yes.

Timothy

From rmeggins at redhat.com Fri Oct 26 21:12:24 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 26 Oct 2007 15:12:24 -0600
Subject: [Fedora-directory-users] Problem with getting FDS and AD to sync
In-Reply-To: <5AD059E9-FDC7-420F-BB7F-06D67D6E15B6@intraisp.com>
References: <367697F2-2D36-423A-B151-C3081F5106EB@intraisp.com> <4720D77B.4080205@redhat.com> <4722451D.4010302@redhat.com> <47225530.8040705@redhat.com> <5AD059E9-FDC7-420F-BB7F-06D67D6E15B6@intraisp.com>
Message-ID: <47225838.6070306@redhat.com>

Timothy Hunt wrote:
>>>
>>> Yes I can, but I also know for sure that 636 is using SSL.
>> Did you configure the sync agreement to use SSL and to use port 636?
>>>
>>>
>
> Yes.
Can you use ldapsearch from the command line? e.g.
cd /opt/fedora-ds/shared/bin
./ldapsearch -h adhostname -p 636 -D "cn=administrator,cn=Users,dc=your,dc=domain,dc=com" -w adpassword -Z -P /opt/fedora-ds/alias/slapd-instance-cert8.db -s base -b "" "objectclass=*"
>
> Timothy
>

From Dael.Maselli at lnf.infn.it Sat Oct 27 10:31:35 2007
From: Dael.Maselli at lnf.infn.it (Dael Maselli)
Date: Sat, 27 Oct 2007 12:31:35 +0200
Subject: [Fedora-directory-users] Can't locate CSN in Multi-Master replica
Message-ID: <47231387.1090707@lnf.infn.it>

> Do you have a changelog configured on B? Is B configured as a multiple master? Is the replica ID for B different than A?

Yes to all.

I hope it's an error of mine, we are planning a big reorganization of our Authentication and Authorization Infrastructure, FDS seems to be great for our needs.

I think it is a misconfiguration and maybe it works if I reinstall FDS, but I need to understand what's happening.

Thank you.
From Dael.Maselli at lnf.infn.it Mon Oct 29 14:15:33 2007
From: Dael.Maselli at lnf.infn.it (Dael Maselli)
Date: Mon, 29 Oct 2007 15:15:33 +0100
Subject: [Fedora-directory-users] Can't locate CSN in Multi-Master replica
In-Reply-To: <47231387.1090707@lnf.infn.it>
References: <47231387.1090707@lnf.infn.it>
Message-ID: <4725EB05.1070505@lnf.infn.it>

I can't understand very well what fds does during replication.

My node A has replica id 1 and node B has 2, in the changelog of A I see records like 4725e604000000010000 or 4725e80f000000010000 and in B records like 472224f2000000020000, so I conclude that the 5th digit from the right is the replica id. Am I wrong???

When I get the log "Can't locate CSN 47222163000000020000" in A, is A looking in its own changelog? Or in B's one? Because, if what I said before is true, A is looking for id 1 and B for id 2... Right?

By the way, I'm using bin/slapd/server/dbscan -f to look in the changelog, and when fds gives the error "Can't locate CSN", I can't see the csn id in the changelog of A nor B.

Thank you.

Dael Maselli wrote:
>> Do you have a changelog configured on B? Is B configured as a multiple
>> master? Is the replica ID for B different than A?
>
> Yes to all.
>
> I hope it's an error of mine, we are planning a big reorganization of
> our Authentication and Authorization Infrastructure, FDS seems to be
> great for our needs.
>
> I think it is a misconfiguration and maybe it work if I reinstall FDS,
> but i need to understand what's happening.
>
> Thank you.
>
>

From rmeggins at redhat.com Mon Oct 29 15:25:39 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 29 Oct 2007 09:25:39 -0600
Subject: [Fedora-directory-users] Can't locate CSN in Multi-Master replica
In-Reply-To: <4725EB05.1070505@lnf.infn.it>
References: <47231387.1090707@lnf.infn.it> <4725EB05.1070505@lnf.infn.it>
Message-ID: <4725FB73.1030100@redhat.com>

Dael Maselli wrote:
> I can't understand very well what fds do during replica.
>
> My node A has replica id 1 and node B has 2, in the changelog of A I see
> records like 4725e604000000010000 or 4725e80f000000010000 and in B
> records
> like 472224f2000000020000, so I conclude that 5th digit from right is the
> replica id. Am I wrong???
Right.
>
> When I get the logs "Can't locate CSN 47222163000000020000" in A, is A
> looking
> in its own changelog? or in B one? Because, if is true what i said
> before,
> A is looking for id 1 and B for id 2... Right?
Yes.
>
> By the way, i'm using bin/slapd/server/dbscan -f to look in the
> changelog,
> when fds gives the error "Can't locate CSN", I can't see the csn id in
> the
> changelog of A nor B.
I don't think dbscan can look at changelogs.

Can you describe the exact steps you took e.g.
configured and created changelogs on A and B
created replication manager user on A and B
configured A to be a multi master replica
configured B to be a multi master replica
created replication agreement from A to B
created replication agreement from B to A
Did replica init from A to B

Note that you should not do a replica init from B to A if you already did one from A to B
>
> Thank you.
>
>
>
> Dael Maselli wrote:
>>> Do you have a changelog configured on B? Is B configured as a
>>> multiple master? Is the replica ID for B different than A?
>>
>> Yes to all.
>>
>> I hope it's an error of mine, we are planning a big reorganization of
>> our Authentication and Authorization Infrastructure, FDS seems to be
>> great for our needs.
>>
>> I think it is a misconfiguration and maybe it work if I reinstall FDS,
>> but i need to understand what's happening.
>>
>> Thank you.
>>
>>
>
>

From Dael.Maselli at lnf.infn.it Mon Oct 29 17:11:27 2007
From: Dael.Maselli at lnf.infn.it (Dael Maselli)
Date: Mon, 29 Oct 2007 18:11:27 +0100
Subject: [Fedora-directory-users] Can't locate CSN in Multi-Master replica
In-Reply-To: <4725FB73.1030100@redhat.com>
References: <47231387.1090707@lnf.infn.it> <4725EB05.1070505@lnf.infn.it> <4725FB73.1030100@redhat.com>
Message-ID: <4726143F.8060407@lnf.infn.it>

I'm working with the java management console.
I created replication manager users as:

dn: cn=A.infn.it,cn=config
cn: A.infn.it
description: CN=A.infn.it,L=Lecce,OU=Host,O=INFN,C=IT
objectClass: top
objectClass: nshost

dn: cn=B.infn.it,cn=config
cn: B.infn.it
description: CN=B.infn.it,L=Lecce,OU=Host,O=INFN,C=IT
objectClass: top
objectClass: nshost

In my shared/config/certmap.conf I have:

certmap default default
default:CmapLdapAttr description

I tried SSL auth and it works as I can see in the logs:

[29/Oct/2007:14:53:40 +0100] conn=2 SSL 256-bit AES; client CN=A.infn.it,L=Lecce,OU=Host,O=INFN,C=IT; issuer CN=INFN CA,O=INFN,C=IT
[29/Oct/2007:14:53:40 +0100] conn=2 SSL client bound as cn=A.infn.it,cn=config

The changelogs are created with the management console, enabling the checkbox in the Replication node of the configuration tab, selecting the default location.

Then, under database in the replication node I checked enable replica, and Multiple Master, replication id 1 for A and 2 for B, and in the supplier DN I wrote cn=A.infn.it,cn=config in B and cn=B.infn.it,cn=config in A.

Then, right click on database name under Replication, "New Replication Agreement", selecting B node on A with port 636 and checked "Using Encrypted SSL connection" and "SSL Client Authentication". Here I had a problem! There was a pop-up that told me it can't connect to the other fds server, but I thought it was a bug, because I checked with tcpdump and saw no packet sent (I can see it with simple auth). So I clicked to continue and all seems to work well, even the initialization done from A to B. I didn't do it when I created the Agreement from B to A in the same way.

I followed the manual at http://www.redhat.com/docs/manuals/dir-server/ag/replicat.htm#66943

I hope I was clear, sorry for my macaronic English ;-)

Thank you so much.

Richard Megginson wrote:
>
> Can you describe the exact steps you took e.g.
> configured and created changelogs on A and B
> created replication manager user on A and B
> configured A to be a multi master replica
> configured B to be a multi master replica
> created replication agreement from A to B
> created replication agreement from B to A
> Did replica init from A to B
>
> Note that you should not do a replica init from B to A if you already
> did one from A to B

From kekkou.a at cs.ucy.ac.cy Tue Oct 30 07:06:35 2007
From: kekkou.a at cs.ucy.ac.cy (Andreas Kekkou)
Date: Tue, 30 Oct 2007 09:06:35 +0200
Subject: [Fedora-directory-users] Problem with AES
In-Reply-To: <472203EE.8090609@redhat.com>
References: <4720BE69.5010809@cs.ucy.ac.cy> <4720C468.5060705@redhat.com> <47218316.7020400@cs.ucy.ac.cy> <472203EE.8090609@redhat.com>
Message-ID: <4726D7FB.2070704@cs.ucy.ac.cy>

Both names are exactly the same.

Richard Megginson wrote:
> Andreas Kekkou wrote:
>> Hi Richard,
>>
>> Nothing has changed. Executing the command you have suggested on both
>> servers I get the same output:
>>
>> [root at serverA alias]# ../shared/bin/certutil -L -P slapd-serverA- -d .
>> serverA-cert u,u,u
>> Computer Science Department CA CT,,
>>
>> [root at serverB alias]# ../shared/bin/certutil -L -P slapd-serverB- -d .
>> serverB-cert u,u,u
>> Computer Science Department CA CT,,
>>
>> Is there anything else I have to check?
> grep -i personality /opt/fedora-ds/slapd-instancename/config/dse.ldif
>
> The personality name should match with the server cert name in your
> certdb.
>>
>> Cheers.
>>
>> Andreas
>>
>> Richard Megginson wrote:
>>> Andreas Kekkou wrote:
>>>> Hi all,
>>>>
>>>> I'm running FDS in multi-master mode with two servers. Both servers
>>>> are configured with TLS support. One of the servers logs the
>>>> following error:
>>>>
>>>> [25/Oct/2007:08:50:55 +0300] - attrcrypt_unwrap_key: failed to
>>>> unwrap key for cipher AES
>>>> [25/Oct/2007:08:50:55 +0300] - Failed to retrieve key for cipher
>>>> AES in attrcrypt_cipher_init
>>>> [25/Oct/2007:08:50:55 +0300] - Failed to initialize cipher AES in
>>>> attrcrypt_init
>>>> [25/Oct/2007:08:50:55 +0300] - attrcrypt_unwrap_key: failed to
>>>> unwrap key for cipher AES
>>>> [25/Oct/2007:08:50:55 +0300] - Failed to retrieve key for cipher
>>>> AES in attrcrypt_cipher_init
>>>> [25/Oct/2007:08:50:55 +0300] - Failed to initialize cipher AES in
>>>> attrcrypt_init
>>>> [25/Oct/2007:08:50:57 +0300] - slapd started. Listening on All
>>>> Interfaces port 389 for LDAP requests
>>>> [25/Oct/2007:08:50:57 +0300] - Listening on All Interfaces port 636
>>>> for LDAPS requests
>>>>
>>>> Both servers seem to work just fine. Any ideas how this can be
>>>> resolved?
>>> Has your SSL/TLS configuration changed at all? Have you acquired a
>>> new cert or renewed an existing cert?
>>> cd /opt/fedora-ds/alias
>>> ../shared/bin/certutil -L -P slapd-instance- -d .
>>>>
>>>> Thanks,
>>>>
>>>> Andreas
>>>>
>>>
>>>
>>
>
>

From puestadelsol83 at libero.it Tue Oct 30 08:32:26 2007
From: puestadelsol83 at libero.it (puestadelsol83)
Date: Tue, 30 Oct 2007 09:32:26 +0100
Subject: [Fedora-directory-users] problem with certificate
Message-ID:

Hi!

I have some problem with certificate. I'm using Fc6 and here I install FDS. I follow the guide "Obtaining and Installing Server Certificates" and "Enabling SSL in the Directory Server, Admin Server, and Console" with console. Everything seems correct but when I restart the Admin Server and Directory Server from the command-line an error message appears and it is impossible for me to restart server and console.

What is the problem? Can you help me?

Thanks!
From zahra_bahar at ec.iut.ac.ir Tue Oct 30 09:35:47 2007
From: zahra_bahar at ec.iut.ac.ir (Zahra Bahar)
Date: Tue, 30 Oct 2007 13:05:47 +0330 (IRST)
Subject: [Fedora-directory-users] netscape error
Message-ID: <28376999.204631193736947768.JavaMail.root@mta.iut.ac.ir>

Hi all,

I installed fedora-ds-1.0.4-1 and j2re-1.4.2_16-fcs, but now when I want to connect to the console there is this error:

can not connect to the directory server:
netscape.ldap.LDAPException:error result(34);invalid DN; invalid DN syntax

What is wrong? What should I do?

Thanks

From rmeggins at redhat.com Tue Oct 30 14:04:52 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 30 Oct 2007 08:04:52 -0600
Subject: [Fedora-directory-users] netscape error
In-Reply-To: <28376999.204631193736947768.JavaMail.root@mta.iut.ac.ir>
References: <28376999.204631193736947768.JavaMail.root@mta.iut.ac.ir>
Message-ID: <47273A04.6020702@redhat.com>

Zahra Bahar wrote:
> Hi all,
> I installed fedora-ds-1.0.4-1 and j2re-1.4.2_16-fcs. but now when I want to connect to the console there is this error:
>
> can not connect to the directory server:
> netscape.ldap.LDAPException:error result(34);invalid DN; invalid DN syntax
>
What did you type in as your admin username?
> what is wrong?what should I do?
> thanks
>

From rmeggins at redhat.com Tue Oct 30 14:05:28 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 30 Oct 2007 08:05:28 -0600
Subject: [Fedora-directory-users] problem with certificate
In-Reply-To:
References:
Message-ID: <47273A28.6020301@redhat.com>

puestadelsol83 wrote:
> Hi!
> I have some problem with certificate.
> I'm using Fc6 and here I install FDS. I follow the guide " Obtaining and Installing Server Certificates " and "Enabling SSL in the Directory Server, Admin
> Server, and Console" with console. Everything seems correct but when I estart the Admin Server and Directory Server from the command-line an error message appear and is impossible for me to restart server end console.
>
What is the error message? Can you post excerpts from your error logs?
> What is the problem? Can You help me?
> Thanks!
>

From puestadelsol83 at libero.it Tue Oct 30 15:21:49 2007
From: puestadelsol83 at libero.it (puestadelsol83)
Date: Tue, 30 Oct 2007 16:21:49 +0100
Subject: [Fedora-directory-users] problem with certificate
Message-ID:

Sorry, but I worked with the certificate last month and I don't remember the error. I didn't solve the problem, but now it is necessary to work with the cert.

I follow the guide and everything in the cert installation seems correct, but when I restart everything the message is something like Ldap_sasl error.

Can you help me?

From rmeggins at redhat.com Tue Oct 30 15:34:58 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 30 Oct 2007 09:34:58 -0600
Subject: [Fedora-directory-users] problem with certificate
In-Reply-To:
References:
Message-ID: <47274F22.2080408@redhat.com>

puestadelsol83 wrote:
> Sorry but I work with certificate last month an I don't remember the error. I don't solve problem but now is necessary to work with cert.
> I follow the guide and everything in cert installation seems correct but when I restart everything the messages is something like Ldap_sasl error.
>
> Can you help me?
>
We can't help you unless you provide more details, like exact error message output, excerpts from the server error logs, etc.
>
> ---------- Initial Header -----------
>

From rmeggins at redhat.com Tue Oct 30 18:45:23 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 30 Oct 2007 12:45:23 -0600
Subject: [Fedora-directory-users] Problem with AES
In-Reply-To: <4726D7FB.2070704@cs.ucy.ac.cy>
References: <4720BE69.5010809@cs.ucy.ac.cy> <4720C468.5060705@redhat.com> <47218316.7020400@cs.ucy.ac.cy> <472203EE.8090609@redhat.com> <4726D7FB.2070704@cs.ucy.ac.cy>
Message-ID: <47277BC3.3090707@redhat.com>

Andreas Kekkou wrote:
> Both names are exactly the same.
>
> Richard Megginson wrote:
>> Andreas Kekkou wrote:
>>> Hi Richard,
>>>
>>> Nothing has changed. Executing the command you have suggested on both servers I get the same output:
>>>
>>> [root at serverA alias]# ../shared/bin/certutil -L -P slapd-serverA- -d .
>>> serverA-cert u,u,u
>>> Computer Science Department CA CT,,
>>>
>>> [root at serverB alias]# ../shared/bin/certutil -L -P slapd-serverB- -d .
>>> serverB-cert u,u,u
>>> Computer Science Department CA CT,,
>>>
>>> Is there anything else I have to check?
>> grep -i personality /opt/fedora-ds/slapd-instancename/config/dse.ldif
>>
>> The personality name should match with the server cert name in your certdb.
>>>
>>> Cheers.
>>>
>>> Andreas
>>>
>>> Richard Megginson wrote:
>>>> Andreas Kekkou wrote:
>>>>> Hi all,
>>>>>
>>>>> I'm running FDS in multi-master mode with two servers. Both servers are configured with TLS support.
>>>>> One of the servers logs the following error:
>>>>>
>>>>> [25/Oct/2007:08:50:55 +0300] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
>>>>> [25/Oct/2007:08:50:55 +0300] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
>>>>> [25/Oct/2007:08:50:55 +0300] - Failed to initialize cipher AES in attrcrypt_init
>>>>> [25/Oct/2007:08:50:55 +0300] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
>>>>> [25/Oct/2007:08:50:55 +0300] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
>>>>> [25/Oct/2007:08:50:55 +0300] - Failed to initialize cipher AES in attrcrypt_init
>>>>> [25/Oct/2007:08:50:57 +0300] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>>>> [25/Oct/2007:08:50:57 +0300] - Listening on All Interfaces port 636 for LDAPS requests
>>>>>
>>>>> Both servers seem to work just fine. Any ideas how this can be resolved?
>>>> Has your SSL/TLS configuration changed at all? Have you acquired a new cert or renewed an existing cert?
>>>> cd /opt/fedora-ds/alias
>>>> ../shared/bin/certutil -L -P slapd-instance- -d .
I'm not sure.
If you are not using attribute encryption, and do not have any encrypted attribute values, you can simply remove the offending attributes:

shutdown the server
edit dse.ldif - remove the entry
cn=AES, cn=encrypted attribute keys, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
and
cn=AES, cn=encrypted attribute keys, cn=NetscapeRoot, cn=ldbm database, cn=plugins, cn=config
then restart the server
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Andreas

From puestadelsol83 at libero.it Wed Oct 31 08:38:14 2007
From: puestadelsol83 at libero.it (puestadelsol83)
Date: Wed, 31 Oct 2007 09:38:14 +0100
Subject: [Fedora-directory-users] show user's hash password
Message-ID:

Hi!
I want to see the user password.
When I use the console to create a new user in my ldap tree I can set the user's password.
FDS encrypts the password automatically with the hash function that I choose (in particular SSHA). When I use
ldapsearch -x "uid=SCarter"
I see all SCarter attributes but not his password.
For me it is important to see the hash of the password: how can I do it?

I have another question: what is the function of the attribute "nsuniqueid"?

Thanks!

From Maria.Tsiolakki at cs.ucy.ac.cy Wed Oct 31 08:15:31 2007
From: Maria.Tsiolakki at cs.ucy.ac.cy (Maria Tsiolakki)
Date: Wed, 31 Oct 2007 10:15:31 +0200
Subject: [Fedora-directory-users] setting up AIX clients with fds
Message-ID: <472839A3.5030609@cs.ucy.ac.cy>

Has anyone set up an IBM AIX ver5.2 client to work with fds?

regards

Maria

From balaji7 at gmail.com Wed Oct 31 13:57:27 2007
From: balaji7 at gmail.com (Balaji Ganesan)
Date: Wed, 31 Oct 2007 19:27:27 +0530
Subject: [Fedora-directory-users] Question about caseIgnoreIA5Match
Message-ID: <775ce1550710310657q559f6609h241f9cb6087e5844@mail.gmail.com>

I have the following entry in my schema:

attributeTypes: ( someOID NAME ( 'mailAddress' ) DESC 'mailAddress' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

This attribute is indexed, using the information below.

dn: cn=mailAddress,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass:top
objectClass:nsIndex
cn:mailCurrentAddress
nsSystemIndex:false
nsIndexType:eq

In our sample db, we have mailAddress set to foo at bar.com. When I run ldapsearch with mailAddress=foo at bar.com, it returns 1 record. When I search with mailAddres=Foo at bar.com I get 0 entries back. What do I need to change for FDS to perform a case-insensitive search? I tried changing my attribute type to directory string and equality to caseIgnoreMatch and got the same results.

Thanks in advance.
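The "Problem with AES" thread above ends with the advice to stop the server and delete the two cn=AES entries from dse.ldif. The following is an added example, not code from the list or from Fedora Directory Server: a small LDIF record splitter that unfolds continuation lines, drops exactly those two entries (matched on a normalised DN, so spacing and case differences in the file do not matter) and leaves everything else untouched. The dse.ldif fragment embedded in it is constructed for the demonstration; the `nsSymmetricKey` attribute and its value are placeholders, not taken from a real server.

```python
"""Remove the cn=AES attribute-encryption key entries from a dse.ldif.

Added example for the "Problem with AES" thread; not part of FDS.
Only meaningful if attribute encryption is NOT in use: the entries hold the
wrapped symmetric keys, so deleting them with encrypted values present would
make those values unreadable.  Run it with the server stopped.
"""
import shutil

# DNs named in the thread, normalised (lower case, no space after commas).
AES_KEY_DNS = {
    "cn=aes,cn=encrypted attribute keys,cn=userroot,cn=ldbm database,cn=plugins,cn=config",
    "cn=aes,cn=encrypted attribute keys,cn=netscaperoot,cn=ldbm database,cn=plugins,cn=config",
}


def normalize_dn(dn):
    """Crude normalisation, adequate for these plain config DNs."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def split_ldif(text):
    """Split LDIF into records (lists of lines); a line starting with one
    space continues the previous line, '#' lines are comments, blank lines
    separate records."""
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]
        elif raw.strip() == "":
            if current:
                records.append(current)
                current = []
        elif raw.startswith("#"):
            continue
        else:
            current.append(raw)
    if current:
        records.append(current)
    return records


def record_dn(record):
    for line in record:
        if line.lower().startswith("dn:"):
            return line[3:].strip()
    return None


def strip_aes_key_entries(text):
    """Return (ldif_without_the_aes_entries, list_of_removed_dns)."""
    kept, removed = [], []
    for rec in split_ldif(text):
        dn = record_dn(rec)
        if dn is not None and normalize_dn(dn) in AES_KEY_DNS:
            removed.append(dn)
        else:
            kept.append("\n".join(rec))
    return "\n\n".join(kept) + "\n", removed


def rewrite_dse_ldif(path):
    """Rewrite the file in place, keeping a .bak copy; returns removed DNs."""
    with open(path, "r", encoding="utf-8") as fh:
        original = fh.read()
    new_text, removed = strip_aes_key_entries(original)
    if removed:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return removed


# Constructed sample: the second DN is folded across two lines as LDIF allows.
SAMPLE_DSE_LDIF = """\
dn: cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: encrypted attribute keys

dn: cn=AES,cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,
 cn=config
objectClass: top
objectClass: extensibleObject
cn: AES
nsSymmetricKey: QUJDREVGR0hJSktMTU5PUA==

dn: cn=encrypted attribute keys,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: encrypted attribute keys

dn: cn=AES,cn=encrypted attribute keys,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: AES
nsSymmetricKey: QUJDREVGR0hJSktMTU5PUA==
"""

if __name__ == "__main__":
    text, gone = strip_aes_key_entries(SAMPLE_DSE_LDIF)
    print("removed:", gone)
    print(text)
```

The parent `cn=encrypted attribute keys` containers are deliberately kept, since the post only names the `cn=AES` children. Keep the `.bak` copy until the server has restarted cleanly and the error log no longer shows the `attrcrypt_unwrap_key` lines.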
From rmeggins at redhat.com Wed Oct 31 14:11:52 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 31 Oct 2007 08:11:52 -0600
Subject: [Fedora-directory-users] show user's hash password
In-Reply-To:
References:
Message-ID: <47288D28.6050201@redhat.com>

puestadelsol83 wrote:
> Hi!
> I want to see the user password.
> When I use the console to create a new user in my ldap tree I can set the user's password. FDS encrypts the password automatically with the hash function that I choose (in particular SSHA)
> when I use
> ldapsearch -x "uid=SCarter"
> I see all SCarter attributes but not his password.
> For me it is important to see the hash of the password: how can I do it?
>
There is a default aci that disallows search access to the userPassword. You have to either edit that aci or use a privileged account e.g.
ldapsearch -x -D "cn=directory manager" -w password
> I have another question: what is the function of the attribute "nsuniqueid"?
>
This attribute is a unique identifier for this entry. The value is guaranteed to be unique even in a multi master replication environment.
> Thanks!
>
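To make concrete what the privileged search above returns and why the default aci hides it, here is an added example (not from the list or from FDS) that parses a `userPassword` value out of ldapsearch output, in either the plain `attr: value` or the base64 `attr:: value` form that ldapsearch uses for this attribute, unpacks the `{SSHA}` scheme into its SHA-1 digest and salt, and verifies a candidate password with a constant-time comparison. The entry text and the hash are constructed here from the password "correct horse" and a fixed 4-byte salt; the DN and uid are assumed.

```python
"""Inspect and verify an {SSHA} userPassword value.

Added example for the "show user's hash password" thread; not FDS code.
{SSHA} is base64( sha1(password || salt) || salt ): one unsalted-iteration
SHA-1, which is cheap to attack offline -- the reason the default aci keeps
the value from ordinary searchers.
"""
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Produce a {SSHA} value; a random 4-byte salt is used when none is given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(value):
    """Split a {SSHA} value into (digest, salt); raise ValueError otherwise."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) < 20:
        raise ValueError("too short to hold a SHA-1 digest")
    return raw[:20], raw[20:]


def ssha_verify(password, value):
    """True if password matches the {SSHA} value (constant-time compare)."""
    digest, salt = parse_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def password_from_ldif(entry_text):
    """Return the userPassword value from ldapsearch/LDIF output, handling
    both 'userPassword: {SSHA}...' and base64 'userPassword:: e1NT...'."""
    for line in entry_text.splitlines():
        lower = line.lower()
        if lower.startswith("userpassword::"):
            return base64.b64decode(line.split("::", 1)[1].strip()).decode("ascii")
        if lower.startswith("userpassword:"):
            return line.split(":", 1)[1].strip()
    return None


# Constructed sample entry, as a privileged ldapsearch would print it.
SAMPLE_HASH = ssha_hash("correct horse", b"\x01\x02\x03\x04")
SAMPLE_ENTRY = (
    "dn: uid=SCarter,ou=People,dc=example,dc=com\n"
    "uid: SCarter\n"
    "cn: Sam Carter\n"
    "userPassword:: "
    + base64.b64encode(SAMPLE_HASH.encode("ascii")).decode("ascii")
    + "\n"
)

if __name__ == "__main__":
    stored = password_from_ldif(SAMPLE_ENTRY)
    digest, salt = parse_ssha(stored)
    print("stored value:", stored)
    print("salt bytes:  ", salt.hex(), " digest:", digest.hex())
    print("verify 'correct horse':", ssha_verify("correct horse", stored))
    print("verify 'wrong':        ", ssha_verify("wrong", stored))
```

Because the salt travels inside the value, anyone who can read `userPassword` can run offline guessing against it; the privileged bind Richard shows should be used from a trusted host, and the aci left in place for everyone else.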
From rmeggins at redhat.com Wed Oct 31 15:28:23 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 31 Oct 2007 09:28:23 -0600
Subject: [Fedora-directory-users] Question about caseIgnoreIA5Match
In-Reply-To: <775ce1550710310657q559f6609h241f9cb6087e5844@mail.gmail.com>
References: <775ce1550710310657q559f6609h241f9cb6087e5844@mail.gmail.com>
Message-ID: <47289F17.7070300@redhat.com>

Balaji Ganesan wrote:
> I have the following entry in my schema:
>
> attributeTypes: ( someOID NAME ( 'mailAddress' ) DESC 'mailAddress'
> EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
> SINGLE-VALUE )
>
> This attribute is indexed, using the information below.
>
> dn: cn=mailAddress,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> objectClass:top
> objectClass:nsIndex
> cn:mailCurrentAddress
> nsSystemIndex:false
> nsIndexType:eq
>
> In our sample db, we have mailAddress set to foo at bar.com. When I run ldapsearch with mailAddress=foo at bar.com, it returns 1 record. When I search with mailAddres=Foo at bar.com I get 0 entries back. What do I need to change for FDS to perform a case-insensitive search? I tried changing my attribute type to directory string and equality to caseIgnoreMatch and got the same results.
Did you re-index the attribute after making that change?
>
> Thanks in advance.
>
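Richard's question points at how an equality index works: each stored value is reduced to a key by the attribute's matching rule at index-build time, and a search reduces its filter value with whatever rule the schema declares now. Change the rule without rebuilding and the two normalisations disagree. The following added example (not from the list or from FDS) models that with a dict-backed index over a constructed two-entry database; FDS's on-disk index format is not reproduced, only the key normalisation that decides hits and misses.

```python
"""Equality-index keys versus the matching rule the schema declares.

Added example for the caseIgnoreIA5Match thread; not FDS code.
"""

# Normalisers for the two IA5 equality rules discussed in the thread.
MATCHING_RULES = {
    "caseExactIA5Match": lambda v: v,
    "caseIgnoreIA5Match": lambda v: v.lower(),
}


class EqualityIndex:
    """Maps normalised attribute value -> set of entry ids.  The rule used
    when build() ran is remembered, because that is what shaped the keys."""

    def __init__(self, rule):
        self.rule = rule
        self.keys = {}

    def build(self, entries, attr):
        self.keys.clear()
        norm = MATCHING_RULES[self.rule]
        for eid, entry in entries.items():
            for value in entry.get(attr, []):
                self.keys.setdefault(norm(value), set()).add(eid)

    def lookup(self, schema_rule, value):
        """Search-side normalisation uses the rule the schema declares *now*."""
        return self.keys.get(MATCHING_RULES[schema_rule](value), set())


def unindexed_scan(entries, attr, schema_rule, value):
    """What the server would do without an index: compare every entry."""
    norm = MATCHING_RULES[schema_rule]
    return sorted(eid for eid, e in entries.items()
                  if any(norm(v) == norm(value) for v in e.get(attr, [])))


# Constructed sample database (values are plain examples, not real addresses).
ENTRIES = {
    1: {"mailAddress": ["foo@bar.com"]},
    2: {"mailAddress": ["Alice@Example.org"]},
}


def search(index_rule, schema_rule, value):
    """Entry ids an indexed equality search returns when the index was built
    under index_rule but the schema now says schema_rule."""
    idx = EqualityIndex(index_rule)
    idx.build(ENTRIES, "mailAddress")
    return sorted(idx.lookup(schema_rule, value))


if __name__ == "__main__":
    # Stale index: keys built case-exact, schema since switched to case-ignore.
    print(search("caseExactIA5Match", "caseIgnoreIA5Match", "alice@example.org"))  # []
    # Same query after re-indexing under the current rule.
    print(search("caseIgnoreIA5Match", "caseIgnoreIA5Match", "alice@example.org"))  # [2]
    # The unindexed comparison agrees with the re-indexed result.
    print(unindexed_scan(ENTRIES, "mailAddress", "caseIgnoreIA5Match", "alice@example.org"))
```

The fix is whatever rebuilds the index under the current rule; FDS ships `db2index.pl` in the instance directory for that (rerun it for the backend and attribute, with the server stopped or via its task entry, per the release's documentation). A stale index is worth remembering in incident work too: a search that "finds nothing" can mean a mis-normalised key rather than an absent entry.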
From satish at suburbia.org.au Wed Oct 31 16:14:31 2007
From: satish at suburbia.org.au (Satish Chetty)
Date: Wed, 31 Oct 2007 09:14:31 -0700
Subject: [Fedora-directory-users] setting up AIX clients with fds
In-Reply-To: <472839A3.5030609@cs.ucy.ac.cy>
References: <472839A3.5030609@cs.ucy.ac.cy>
Message-ID: <4728A9E7.8030107@suburbia.org.au>

Maria,

I have set up AIX 5.2 as a client with Red Hat Directory Server. It should not be very different with FDS, I presume.

-Satish.

Maria Tsiolakki wrote:
> Has anyone set up an IBM AIX ver5.2 client to work with fds?
>
>
> regards
>
> Maria
>

From rmeggins at redhat.com Wed Oct 31 16:43:02 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 31 Oct 2007 10:43:02 -0600
Subject: [Fedora-directory-users] Can't locate CSN in Multi-Master replica
In-Reply-To: <4726143F.8060407@lnf.infn.it>
References: <47231387.1090707@lnf.infn.it> <4725EB05.1070505@lnf.infn.it> <4725FB73.1030100@redhat.com> <4726143F.8060407@lnf.infn.it>
Message-ID: <4728B096.8060504@redhat.com>

Dael Maselli wrote:
> I'm working with the java management console.
>
> I created replication manager users as:
> dn: cn=A.infn.it,cn=config
> cn: A.infn.it
> description: CN=A.infn.it,L=Lecce,OU=Host,O=INFN,C=IT
> objectClass: top
> objectClass: nshost
>
> dn: cn=B.infn.it,cn=config
> cn: B.infn.it
> description: CN=B.infn.it,L=Lecce,OU=Host,O=INFN,C=IT
> objectClass: top
> objectClass: nshost
>
> in my shared/config/certmap.conf I have:
> certmap default default
> default:CmapLdapAttr description
>
> I tried SSL auth and it works, as I can see in the logs:
> [29/Oct/2007:14:53:40 +0100] conn=2 SSL 256-bit AES; client CN=A.infn.it,L=Lecce,OU=Host,O=INFN,C=IT; issuer CN=INFN CA,O=INFN,C=IT
> [29/Oct/2007:14:53:40 +0100] conn=2 SSL client bound as cn=A.infn.it,cn=config
>
> The changelogs are created with the management console, enabling the checkbox in the Replication node of the configuration tab, selecting the default location.
>
> Then, under database in the replication node I checked enable replica, and Multiple Master, replication id 1 for A and 2 for B, and in the supplier DN I wrote cn=A.infn.it,cn=config in B and cn=B.infn.it,cn=config in A.
>
> Then, right click on the database name under Replication, "New Replication Agreement", selecting the B node on A with port 636 and checked "Using Encrypted SSL connection" and "SSL Client Authentication". Here I had a problem! There was a pop-up that told me it can't connect to the other fds server, but I thought it was a bug, because I checked with tcpdump and saw no packet sent (I can see it with simple auth). So I clicked to continue and all seems to work well, even the initialization done from A to B; I didn't do it when I created the Agreement from B to A in the same way.
You don't need to initialize from B to A if you already did the initialize from A to B.

When you did the tcpdump, did you look at traffic on port 389 too, or just 636?
>
> I followed the manual at
> http://www.redhat.com/docs/manuals/dir-server/ag/replicat.htm#66943
>
> I hope I was clear, sorry for my macaronic English ;-)
>
> Thank you so much.
>
>
> Richard Megginson wrote:
>>
>> Can you describe the exact steps you took e.g.
>> configured and created changelogs on A and B
>> created replication manager user on A and B
>> configured A to be a multi master replica
>> configured B to be a multi master replica
>> created replication agreement from A to B
>> created replication agreement from B to A
>> Did replica init from A to B
>>
>> Note that you should not do a replica init from B to A if you already did one from A to B
>

From Dael.Maselli at lnf.infn.it Wed Oct 31 17:59:57 2007
From: Dael.Maselli at lnf.infn.it (Dael Maselli)
Date: Wed, 31 Oct 2007 18:59:57 +0100
Subject: [Fedora-directory-users] Can't locate CSN in Multi-Master replica
In-Reply-To: <4728B096.8060504@redhat.com>
References: <47231387.1090707@lnf.infn.it> <4725EB05.1070505@lnf.infn.it> <4725FB73.1030100@redhat.com> <4726143F.8060407@lnf.infn.it> <4728B096.8060504@redhat.com>
Message-ID: <4728C29D.4030708@lnf.infn.it>

Richard Megginson, on 31/10/2007 17.43, wrote:
> Dael Maselli wrote:
[...]
>> "SSL Client Authentication". Here I had a problem! There was a pop-up that told me
>> it can't connect to the other fds server, but I thought it was a bug, because I checked
>> with tcpdump and saw no packet sent (I can see it with simple auth).
>> So I clicked to
>> continue and all seems to work well, even the initialization done from A to B; I didn't
>> do it when I created the Agreement from B to A in the same way.
> You don't need to initialize from B to A if you already did the
> initialize from A to B.

Yes, I never did it. I only did A->B.

>
> When you did the tcpdump, did you look at traffic on port 389 too, or
> just 636?

I looked at 389 when I used simple auth with an UNencrypted connection, and I saw packets. When I do SSL Auth I specify port 636 for the destination of the agreement, so I didn't look at 389. At 636 no packets.

I tried with SSL and 389 hoping for TLS but it didn't work.

By the way, in the production environment I need to do the 4-way MMR; in the manual I read to do it with the A agreement to B and D, B to A and C, and so on, in a circular manner. I don't like this way due to its split-brain danger and no tolerance to more than 1 server fault, so I first tried connecting all to all; is it wrong? May it be the cause of the CSN disaster?

Note that after this 4-way test I deleted all agreements, replicas and changelogs; maybe there is some "dirty" configuration?

Thanks.

> ------------------------------------------------------------------------
>

--
___________________________________________________________________
Dael Maselli --- INFN-LNF Computing Service -- +39.06.9403.2214
___________________________________________________________________
Democracy is two wolves and a lamb voting on what to have for lunch
___________________________________________________________________
From rmeggins at redhat.com Wed Oct 31 19:20:45 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 31 Oct 2007 13:20:45 -0600
Subject: [Fedora-directory-users] Can't locate CSN in Multi-Master replica
In-Reply-To: <4728C29D.4030708@lnf.infn.it>
References: <47231387.1090707@lnf.infn.it> <4725EB05.1070505@lnf.infn.it> <4725FB73.1030100@redhat.com> <4726143F.8060407@lnf.infn.it> <4728B096.8060504@redhat.com> <4728C29D.4030708@lnf.infn.it>
Message-ID: <4728D58D.2050807@redhat.com>

Dael Maselli wrote:
>
> Richard Megginson, on 31/10/2007 17.43, wrote:
>> Dael Maselli wrote:
> [...]
>>> "SSL Client Authentication". Here I had a problem! There was a pop-up that told me
>>> it can't connect to the other fds server, but I thought it was a bug, because I checked
>>> with tcpdump and saw no packet sent (I can see it with simple auth). So I clicked to
>>> continue and all seems to work well, even the initialization done from A to B; I didn't
>>> do it when I created the Agreement from B to A in the same way.
>> You don't need to initialize from B to A if you already did the
>> initialize from A to B.
>
> Yes, I never did it. I only did A->B.
>
>>
>> When you did the tcpdump, did you look at traffic on port 389 too, or
>> just 636?
>
> I looked at 389 when I used simple auth with an UNencrypted connection,
> and I saw packets. When I do SSL Auth I specify port 636 for the destination
> of the agreement, so I didn't look at 389. At 636 no packets.
>
> I tried with SSL and 389 hoping for TLS but it didn't work.
I suggest turning up the error log level to the replication log, then attempt to initialize B from A.
You may have to enable replication logging on both A and B - see http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>
> By the way, in the production environment I need to do the 4-way MMR; in the
> manual I read to do it with the A agreement to B and D, B to A and C, and so
> on, in a circular manner. I don't like this way due to its split-brain danger
> and no tolerance to more than 1 server fault, so I first tried connecting all
> to all; is it wrong?
No.
> May it be the cause of the CSN disaster?
I don't think so.
>
> Note that after this 4-way test I deleted all agreements, replicas and
> changelogs; maybe there is some "dirty" configuration?
Ah, yes, that could be. Can you start over again from scratch?
>
> Thanks.
>

From phanoko at gmail.com Wed Oct 31 21:24:09 2007
From: phanoko at gmail.com (matt wells)
Date: Wed, 31 Oct 2007 14:24:09 -0700
Subject: [Fedora-directory-users] Admin Server with multiple Directory servers
Message-ID:

I have 4 directory servers.
I would really like to just run the admin-serv on one and let that interface control the others.
How do I do that?
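Dael's objection to the ring topology in the thread above (agreements A to B and D, B to A and C, and so on) is that it tolerates only one failed server, while all-to-all agreements, which Richard confirms are fine, tolerate more. The following added example (not from the list or from FDS) makes that concrete: it represents each replication agreement as a directed edge and, for every set of failed servers, checks whether the survivors can still reach each other through the remaining agreements. Server names A to D are assumed; the agreement sets are constructed from the description in the thread.

```python
"""Fault tolerance of ring versus full-mesh replication agreements.

Added example for the 4-way MMR discussion; not FDS code.  An agreement
(supplier -> consumer) is a directed edge.  Survivors of a failure still
converge only if the agreement graph restricted to them is strongly
connected; otherwise each island keeps accepting writes and they diverge
until the failed server is back (the split-brain Dael worries about).
"""
from itertools import combinations

SERVERS = ["A", "B", "C", "D"]

# Ring as described in the thread: each server supplies its two neighbours.
RING = {
    ("A", "B"), ("A", "D"),
    ("B", "A"), ("B", "C"),
    ("C", "B"), ("C", "D"),
    ("D", "C"), ("D", "A"),
}

# Full mesh: every server has an agreement to every other server.
MESH = {(s, t) for s in SERVERS for t in SERVERS if s != t}


def strongly_connected(nodes, agreements):
    """True if every surviving node can reach every other through agreements
    whose both ends survive (a single survivor is trivially connected)."""
    nodes = set(nodes)
    if len(nodes) <= 1:
        return True
    edges = [(s, t) for s, t in agreements if s in nodes and t in nodes]

    def reachable(start, forward):
        seen, stack = {start}, [start]
        while stack:
            n = stack.pop()
            for s, t in edges:
                nxt = None
                if forward and s == n:
                    nxt = t
                elif not forward and t == n:
                    nxt = s
                if nxt is not None and nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        return seen

    start = next(iter(nodes))
    return reachable(start, True) == nodes and reachable(start, False) == nodes


def tolerated_failures(agreements, servers=SERVERS):
    """Largest k such that ANY k simultaneous server failures leave the
    survivors strongly connected."""
    k = 0
    while k < len(servers) - 1:
        if not all(strongly_connected(set(servers) - set(failed), agreements)
                   for failed in combinations(servers, k + 1)):
            break
        k += 1
    return k


def partitions_after(failed, agreements, servers=SERVERS):
    """Survivor sets that are left mutually unreachable after `failed` go down."""
    survivors = set(servers) - set(failed)
    islands, todo = [], set(survivors)
    while todo:
        n = next(iter(todo))
        group = {m for m in survivors
                 if strongly_connected({n, m}, agreements)} | {n}
        islands.append(frozenset(group))
        todo -= group
    return sorted(tuple(sorted(i)) for i in islands)


if __name__ == "__main__":
    print("ring tolerates", tolerated_failures(RING), "failure(s)")
    print("mesh tolerates", tolerated_failures(MESH), "failure(s)")
    print("ring with A and C down splits into", partitions_after(["A", "C"], RING))
```

The price of the mesh is n*(n-1) agreements to manage and a changelog on every server; the price of the ring is that two non-adjacent failures leave the other two suppliers writing independently, which is exactly the situation that produces replication state the servers can no longer reconcile. In `partitions_after` the two-node check is a deliberate shortcut: with all non-failed edges in play, mutual reachability between a pair is what the islands are built from, so the result matches the strong-connectivity test.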
From phanoko at gmail.com Wed Oct 31 21:24:51 2007
From: phanoko at gmail.com (matt wells)
Date: Wed, 31 Oct 2007 14:24:51 -0700
Subject: [Fedora-directory-users] RSA integration?
Message-ID:

Has anyone used directory server with the RSA keyfobs for two factor authentication? Do I need to extend the schema? What do you think?

From rmeggins at redhat.com Wed Oct 31 21:36:45 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 31 Oct 2007 15:36:45 -0600
Subject: [Fedora-directory-users] Admin Server with multiple Directory servers
In-Reply-To:
References:
Message-ID: <4728F56D.2050403@redhat.com>

matt wells wrote:
> I have 4 directory servers.
> I would really like to just run the admin-serv on one and let that interface control the others.
> How do I do that?
You need an external agent (the admin server) on each machine, in order to perform certain remote tasks via CGI, such as server start/restart, among others. The console is designed to contact the local admin server on each machine.

Or do you mean, you just want to be able to manage all 4 of your servers from a single console - that is, start the console and have all 4 of your directory servers in there?
>
From phanoko at gmail.com Wed Oct 31 21:45:48 2007
From: phanoko at gmail.com (matt wells)
Date: Wed, 31 Oct 2007 14:45:48 -0700
Subject: [Fedora-directory-users] Admin Server with multiple Directory servers
In-Reply-To: <4728F56D.2050403@redhat.com>
References: <4728F56D.2050403@redhat.com>
Message-ID:

Yes, the 4 consoles.
Since we use SSL we have to restart the servers from the shell anyway.

On 10/31/07, Richard Megginson wrote:
>
> matt wells wrote:
> > I have 4 directory servers.
> > I would really like to just run the admin-serv on one and let that
> > interface control the others.
> > How do I do that?
> You need an external agent (the admin server) on each machine, in order
> to perform certain remote tasks via CGI, such as server start/restart,
> among others. The console is designed to contact the local admin server
> on each machine.
>
> Or do you mean, you just want to be able to manage all 4 of your servers
> from a single console - that is, start the console and have all 4 of
> your directory servers in there?
>

From rmeggins at redhat.com Wed Oct 31 22:01:48 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 31 Oct 2007 16:01:48 -0600
Subject: [Fedora-directory-users] Admin Server with multiple Directory servers
In-Reply-To:
References: <4728F56D.2050403@redhat.com>
Message-ID: <4728FB4C.7050409@redhat.com>

matt wells wrote:
> Yes, the 4 consoles.
When you run setup, use Typical (not Express) mode, and tell it that you want to use an existing configuration DS. That will register your new server with the config DS, which is usually the first one you install.
> Since we use SSL we have to restart the servers from the shell anyway.
You can create a pin file for unattended server start. In the /opt/fedora-ds/alias directory, create a file named slapd-instancename-pin.txt
The format of this file should be the following:
Internal (Software) Token:thepassword
Make sure this file is mode 0400 and owned by the server user id.
>
> On 10/31/07, *Richard Megginson* < rmeggins at redhat.com > wrote:
>
> matt wells wrote:
> > I have 4 directory servers.
> > I would really like to just run the admin-serv on one and let that
> > interface control the others.
> > How do I do that?
> You need an external agent (the admin server) on each machine, in order
> to perform certain remote tasks via CGI, such as server start/restart,
> among others. The console is designed to contact the local admin server
> on each machine.
>
> Or do you mean, you just want to be able to manage all 4 of your servers
> from a single console - that is, start the console and have all 4 of
> your directory servers in there?
>
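The pin file Richard describes holds the NSS key-database password in clear text, so the two requirements he states, mode 0400 and ownership by the server user, are what keeps it from being read by anyone else on the host. Here is an added example (not from the list or from FDS) that creates such a file with the restrictive mode applied from the moment it exists (O_EXCL, so an existing file or symlink at that path is refused rather than overwritten) and audits an existing pin file against those requirements. The token name is the one in the post; the instance name, password and temporary directory in the demo are constructed, and the server uid is a parameter because it differs per installation.

```python
"""Create and audit an FDS/NSS pin file for unattended start.

Added example for the "Admin Server with multiple Directory servers"
thread; not FDS code.  The file is one line, "Internal (Software) Token:
<password>", and must be 0400 and owned by the server user.
"""
import os
import stat
import tempfile

TOKEN = "Internal (Software) Token"


def write_pin_file(path, password, owner_uid=None):
    """Create the pin file with mode 0400 from the outset.  O_EXCL makes the
    call fail instead of clobbering (or following a symlink at) `path`."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "w") as fh:
        fh.write("%s:%s\n" % (TOKEN, password))
    if owner_uid is not None:          # requires privilege; skipped in the demo
        os.chown(path, owner_uid, -1)
    return path


def audit_pin_file(path, server_uid):
    """Return a list of problems; an empty list means the file meets the
    requirements stated in the post."""
    problems = []
    st = os.lstat(path)                 # lstat: a symlink is itself a finding
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
        return problems
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o400:
        problems.append("mode is %04o, expected 0400" % mode)
    if st.st_uid != server_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, server_uid))
    with open(path) as fh:
        lines = fh.read().splitlines()
    if len(lines) != 1 or not lines[0].startswith(TOKEN + ":") \
            or lines[0] == TOKEN + ":":
        problems.append("expected exactly one line of the form '%s:<password>'" % TOKEN)
    return problems


def demo():
    """Self-contained run in a scratch directory.  Returns the audit result
    for a freshly written file and again after loosening its mode, which is
    the usual mistake when the file is created with an editor."""
    scratch = tempfile.mkdtemp()
    path = os.path.join(scratch, "slapd-example-pin.txt")   # instance name assumed
    write_pin_file(path, "constructed-example-password")
    fresh = audit_pin_file(path, os.getuid())
    os.chmod(path, 0o644)
    loose = audit_pin_file(path, os.getuid())
    os.remove(path)
    os.rmdir(scratch)
    return fresh, loose


if __name__ == "__main__":
    fresh, loose = demo()
    print("fresh file:", fresh or "OK")
    print("after chmod 644:", loose)
```

On a real installation run the audit as a periodic check with the server user's uid (for example the uid of the account that owns the slapd-instance directory): a pin file that has drifted to group- or world-readable is equivalent to handing out the server's private key.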