From rewdn at bellsouth.net Sat Sep 1 02:19:12 2007
From: rewdn at bellsouth.net (Bob Wooden)
Date: Fri, 31 Aug 2007 21:19:12 -0500
Subject: [Fedora-directory-users] error logging in first time
In-Reply-To: <46D83AA9.9060304@redhat.com>
References: <1188513887.4918.7.camel@bob-desktop> <46D83AA9.9060304@redhat.com>
Message-ID: <1188613152.5162.5.camel@bob-desktop>

Thanks for the reply. Please see below.

On Fri, 2007-08-31 at 09:58 -0600, Richard Megginson wrote:
> Bob Wooden wrote:
> > I am new to Fedora Directory Server, but a six or seven year Linux
> > user.
> >
> > I have built a Fedora Core 6, selected the "web server" option on build
> > and installed the FDS 1.0.4 version. Located java and adjusted the
> > symbolic link. Did my FDS setup/setup and set all the defaults. When I
> > perform the ./startconsole command (within the fedora-ds directory), I
> > get the following error message:
> >
> > Cannot connect to the Admin Server "http://******.***.***:43766"
> > The URL is not correct or the server is not running.
> >
> First, make sure both the DS and admin server are running:
> ps -ef|grep ns-slapd
> ps -ef|grep httpd.worker

These report that both are running.

> If one or the other is not running, make sure you start the DS first,
> then the admin server.
>
> Next, try connecting to the URL http://******.***.***:43766 using your
> web browser - does it work?

No, neither the browser on the server nor a browser on the LAN can
connect. I can ping the IP address of the FDS server. So, I tried
ipaddress:43766 and the browser reports "unable to connect . . . "

> I would suggest looking at /opt/fedora-ds/admin-serv/logs to see if
> there are any errors.
>
> > I have searched the mailing list archive and I am unable to locate any
> > reference to this error message.
> >
> > What do I do now?

And again, what do I do now?
From j at jamver.id.au Sat Sep 1 22:03:03 2007
From: j at jamver.id.au (James Lever)
Date: Sun, 2 Sep 2007 08:03:03 +1000
Subject: [Fedora-directory-users] error logging in first time
In-Reply-To: <1188613152.5162.5.camel@bob-desktop>
References: <1188513887.4918.7.camel@bob-desktop> <46D83AA9.9060304@redhat.com> <1188613152.5162.5.camel@bob-desktop>
Message-ID: <539E2389-D028-4A2C-8C73-CF9FA2BEB237@jamver.id.au>

For fear of asking the completely obvious, have you checked your local
firewall?

The default for Fedora is to block everything (assuming it's enabled).

cheers,
James

On 01/09/2007, at 12:19 PM, Bob Wooden wrote:
>>> Cannot connect to the Admin Server "http://******.***.***:43766"
>>> The URL is not correct or the server is not running.
>
> No, neither the browser on the server nor a browser on the LAN can
> connect. I can ping the IP address of the FDS server. So, I tried
> ipaddress:43766 and the browser reports "unable to connect . . . "

From rewdn at bellsouth.net Sun Sep 2 13:35:51 2007
From: rewdn at bellsouth.net (Bob Wooden)
Date: Sun, 02 Sep 2007 08:35:51 -0500
Subject: [Fedora-directory-users] error logging in first time
In-Reply-To: <539E2389-D028-4A2C-8C73-CF9FA2BEB237@jamver.id.au>
References: <1188513887.4918.7.camel@bob-desktop> <46D83AA9.9060304@redhat.com> <1188613152.5162.5.camel@bob-desktop> <539E2389-D028-4A2C-8C73-CF9FA2BEB237@jamver.id.au>
Message-ID: <1188740151.4953.4.camel@bob-desktop>

I am still testing and operating from the CLI. So, I do not think it is
the firewall.

This morning, I discovered that I had two Java versions loaded: the one
that came with FC6 and the Sun version. So, I removed the FC6 version.
Same result, so I am still stuck.

On Sun, 2007-09-02 at 08:03 +1000, James Lever wrote:
> For fear of asking the completely obvious, have you checked your local
> firewall?
>
> The default for Fedora is to block everything (assuming it's enabled).

From rmeggins at redhat.com Tue Sep 4 14:19:41 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 04 Sep 2007 08:19:41 -0600
Subject: [Fedora-directory-users] error logging in first time
In-Reply-To: <1188613152.5162.5.camel@bob-desktop>
References: <1188513887.4918.7.camel@bob-desktop> <46D83AA9.9060304@redhat.com> <1188613152.5162.5.camel@bob-desktop>
Message-ID: <46DD697D.9010204@redhat.com>

Bob Wooden wrote:
> Thanks for the reply. Please see below.
>
> On Fri, 2007-08-31 at 09:58 -0600, Richard Megginson wrote:
>> First, make sure both the DS and admin server are running:
>> ps -ef|grep ns-slapd
>> ps -ef|grep httpd.worker
>
> These report that both are running.
>
>> Next, try connecting to the URL http://******.***.***:43766 using your
>> web browser - does it work?
>
> No, neither the browser on the server nor a browser on the LAN can
> connect. I can ping the IP address of the FDS server. So, I tried
> ipaddress:43766 and the browser reports "unable to connect . . . "

netstat -an|grep 43766 - do you see a process listening to 43766?
telnet IPaddress 43766 - can you connect using telnet?

>> I would suggest looking at /opt/fedora-ds/admin-serv/logs to see if
>> there are any errors.
>
> And again, what do I do now?

I suggest looking at /opt/fedora-ds/admin-serv/logs to see if there are
any errors in the file "error" or "access". Are there any?
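The checks Richard asks for above (is anything listening on the admin server port, can a client actually reach it) as a small Python script, added here as an example; it is not code from the thread or from the Fedora Directory Server project. It reproduces what `netstat`/`telnet` tell you interactively but returns the outcome, so the three ways "unable to connect" can arise are told apart: a refused connection (no listener, or a firewall REJECT), a timeout (packets silently dropped, which ping does not rule out because ICMP is often allowed while TCP ports are not), and a port that accepts the connection but does not speak HTTP. The admin server host and port are arguments; the `FakeAdminServer` class is a constructed stand-in listener used only to exercise the checks offline.

```python
"""Added example: tell apart the failure modes behind "Cannot connect to
the Admin Server" with a TCP probe and a minimal HTTP request.  Not from
the mailing-list thread; host/port are caller-supplied, and the fake
listener below is a constructed test fixture, not the real admin server.
"""
import socket
import threading


def probe_tcp(host, port, timeout=3.0):
    """Return 'connected', 'refused', 'timeout' or 'unreachable' for host:port.

    refused     -> nothing listens there, or a firewall answers with REJECT
    timeout     -> packets are dropped (typical iptables DROP) or never routed
    unreachable -> the network layer refuses outright (no route / host down)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "connected"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def http_status_line(host, port, timeout=3.0):
    """Send a minimal HTTP/1.0 GET and return the status line, or None when
    the listener is not an HTTP server (wrong port, or some other daemon)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        data = b""
        while b"\r\n" not in data:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
    line = data.split(b"\r\n", 1)[0]
    return line.decode("latin-1") if line.startswith(b"HTTP/") else None


def diagnose(host, port):
    """Run both checks and attach the next step a sysadmin would take."""
    tcp = probe_tcp(host, port)
    if tcp != "connected":
        hint = {
            "refused": "no listener (check ps/netstat on the server) or firewall REJECT",
            "timeout": "silently dropped: check the host firewall (iptables) and routing",
            "unreachable": "no route to host: check addressing before anything else",
        }[tcp]
        return {"tcp": tcp, "http": None, "hint": hint}
    status = http_status_line(host, port)
    hint = "listener answers HTTP" if status else "port open but not speaking HTTP"
    return {"tcp": tcp, "http": status, "hint": hint}


class FakeAdminServer:
    """Constructed stand-in for the admin server listener (test fixture only):
    binds a free port on 127.0.0.1 and answers every connection with a bare
    HTTP/1.0 200 response until close() is called."""

    def __init__(self):
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.bind(("127.0.0.1", 0))
        self.srv.listen(5)
        self.srv.settimeout(0.2)          # lets the accept loop notice stop()
        self.port = self.srv.getsockname()[1]
        self.stop = threading.Event()
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        while not self.stop.is_set():
            try:
                conn, _ = self.srv.accept()
            except socket.timeout:
                continue
            try:
                conn.settimeout(2)
                conn.recv(1024)
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
            except OSError:
                pass                      # peer (e.g. probe_tcp) hung up early
            finally:
                conn.close()
        self.srv.close()

    def close(self):
        self.stop.set()
        self.thread.join()


if __name__ == "__main__":
    import sys
    print(diagnose(sys.argv[1], int(sys.argv[2])))   # e.g. 192.0.2.10 43766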
From rewdn at bellsouth.net Wed Sep 5 01:34:52 2007
From: rewdn at bellsouth.net (Bob Wooden)
Date: Tue, 04 Sep 2007 20:34:52 -0500
Subject: [Fedora-directory-users] error logging in first time
In-Reply-To: <46DD697D.9010204@redhat.com>
References: <1188513887.4918.7.camel@bob-desktop> <46D83AA9.9060304@redhat.com> <1188613152.5162.5.camel@bob-desktop> <46DD697D.9010204@redhat.com>
Message-ID: <1188956093.4946.6.camel@bob-desktop>

I figured it out! On re-installing, I answered the last setup question
with the user I wanted to run fedora-ds under (instead of accepting the
default, which I think was "administrator").

If you could tell me the install log file to review, I could better tell
everyone what my setup mistake was. I reran setup/setup and (now that
fedora-ds is running) I could not return to review all of the setup
questions. Where is the install log file, please?

On Tue, 2007-09-04 at 08:19 -0600, Richard Megginson wrote:
> netstat -an|grep 43766 - do you see a process listening to 43766?
> telnet IPaddress 43766 - can you connect using telnet?
>
> I suggest looking at /opt/fedora-ds/admin-serv/logs to see if there are
> any errors in the file "error" or "access". Are there any?

From rubin at xs4all.nl Wed Sep 5 09:35:04 2007
From: rubin at xs4all.nl (Rubin)
Date: Wed, 5 Sep 2007 11:35:04 +0200 (CEST)
Subject: [Fedora-directory-users] Directory size (/var/opt/netscape/server7)
Message-ID: <7861.145.7.182.188.1188984904.squirrel@webmail.xs4all.nl>

Hi All,

A question of curiosity: I've set up a small LDAP server (no slaves or
multimaster stuff) with about 50 users. I made a backup of the server7
directory (/var/opt/netscape/server7) before I changed anything and
started hacking away. Now, a couple of months later, everything is working
very well and I'm asked to migrate the server. I just made a new backup of
the server7 directory and to my amazement it is 10x as big. It started out
at 139m, and it is now 1.2g!

So the question is: What is taking up so much space when there are only 50
posixAccounts and 2 posixGroups?

For the record, I know this is not the way to back up a RHDS server, I'm
reading about how to do a backup or dump "the right way" as we speak ;-)

Grtz,

Rubin.
From abliss at brockport.edu Wed Sep 5 12:12:28 2007
From: abliss at brockport.edu (Aaron Bliss)
Date: Wed, 05 Sep 2007 08:12:28 -0400
Subject: [Fedora-directory-users] Directory size (/var/opt/netscape/server7)
In-Reply-To: <7861.145.7.182.188.1188984904.squirrel@webmail.xs4all.nl>
References: <7861.145.7.182.188.1188984904.squirrel@webmail.xs4all.nl>
Message-ID: <46DE9D2C.2050407@brockport.edu>

Rubin,
You may want to check for old error and access logs, as these tend to
grow pretty quickly. You can also run du -h to get an idea of what dirs
are taking up the space.

Aaron

Rubin wrote:
> I just made a new backup of the server7 directory and to my amazement
> it is 10x as big. It started out at 139m, and it is now 1.2g!
>
> So the question is: What is taking up so much space when there are only 50
> posixAccounts and 2 posixGroups?

--
Aaron Bliss
Systems Administrator
Suny Brockport
585-395-2417

From rubin at xs4all.nl Wed Sep 5 12:47:02 2007
From: rubin at xs4all.nl (Rubin)
Date: Wed, 5 Sep 2007 14:47:02 +0200 (CEST)
Subject: [Fedora-directory-users] Directory size (/var/opt/netscape/server7)
In-Reply-To: <46DE9D2C.2050407@brockport.edu>
References: <7861.145.7.182.188.1188984904.squirrel@webmail.xs4all.nl> <46DE9D2C.2050407@brockport.edu>
Message-ID: <18685.145.7.182.188.1188996422.squirrel@webmail.xs4all.nl>

Indeed, it's logs:

[root at foo ~]# du -sk /var/opt/netscape/server7/slapd-foo/logs
996296  /var/opt/netscape/server7/slapd-foo/logs

It keeps about 10 days of logs, each about 100m in size.

Thanks for the pointer (I should've looked a little closer ;-).

Greets,

Rubin

> Rubin,
> You may want to check for old error and access logs, as these tend to
> grow pretty quickly. You can also run du -h to get an idea of what dirs
> are taking up the space.
>
> Aaron

From sam.smith at ece.gatech.edu Wed Sep 5 13:04:27 2007
From: sam.smith at ece.gatech.edu (Sam Smith)
Date: Wed, 05 Sep 2007 09:04:27 -0400
Subject: [Fedora-directory-users] deletion problem - multi-master
In-Reply-To: <46D83F30.6030403@redhat.com>
References: <46CD9F77.1010900@ece.gatech.edu> <46D80974.7060102@ece.gatech.edu> <46D83F30.6030403@redhat.com>
Message-ID: <46DEA95B.30407@ece.gatech.edu>

I set nsslapd-errorlog-level to 1 (trace)
I attempted a delete, and got an ldap operations error
I set nsslapd-errorlog-level back to 0
I looked through the errors log, which did have a record of every
function called, but no indication of any errors. What should I be
looking for? Is there a different errorlog-level I should use that
will give me some indication of what is going wrong?

Once again, I can add and modify, but not delete. I am currently
running with a single master and four replicas. Replication is working
fine. I just can't delete.

Thanks,
Sam

Richard Megginson wrote:
> Sam Smith wrote:
>> I am still having this problem where I cannot delete.
>> I changed from multi-master replication to single master - didn't help.
>> I turned on trace level debug, and there are no error messages in the
>> errors file at all.
> ??? What exactly did you do?
> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>> It still gets an ldap operations error.
>>
>> Is there a different level of debug I should try? One that actually
>> logs an error message?
>> I can add and modify entries, just no delete. I have tried it as
>> directory manager and as a user with an acl that includes delete.
>> Still no luck.
>>
>> Thanks for any help,
>> Sam Smith
>>
>> Sam Smith wrote:
>>> I have two masters and three replicas.
>>>
>>> Master A works fine - I can add, modify, delete, and the changes
>>> replicate OK.
>>>
>>> Except that Master B cannot delete, either directly at the console,
>>> via the command line, or via replication from master A. It can add
>>> and modify just fine, and those changes replicate to the other
>>> master and the replicas. But it can't delete.
>>>
>>> The error message is simply LDAP OPERATIONS ERROR
>>>
>>> Thanks for any help.
>>>
>>> Sam Smith

From rmeggins at redhat.com Wed Sep 5 14:19:51 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 05 Sep 2007 08:19:51 -0600
Subject: [Fedora-directory-users] deletion problem - multi-master
In-Reply-To: <46DEA95B.30407@ece.gatech.edu>
References: <46CD9F77.1010900@ece.gatech.edu> <46D80974.7060102@ece.gatech.edu> <46D83F30.6030403@redhat.com> <46DEA95B.30407@ece.gatech.edu>
Message-ID: <46DEBB07.9010303@redhat.com>

Sam Smith wrote:
> I set nsslapd-errorlog-level to 1 (trace)
> I attempted a delete, and got an ldap operations error
> I set nsslapd-errorlog-level back to 0
> I looked through the errors log, which did have a record of every
> function called, but no indication of any errors. What should I be
> looking for? Is there a different errorlog-level I should use that
> will give me some indication of what is going wrong?

I suggest you post your error log to pastebin.com and post the link to
it to this mailing list. Please be sure to scrub any sensitive data
from the error log before posting it.

> Once again, I can add and modify, but not delete. I am currently
> running with a single master and four replicas. Replication is working
> fine. I just can't delete.
From rmeggins at redhat.com Wed Sep 5 14:20:50 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 05 Sep 2007 08:20:50 -0600
Subject: [Fedora-directory-users] error logging in first time
In-Reply-To: <1188956093.4946.6.camel@bob-desktop>
References: <1188513887.4918.7.camel@bob-desktop> <46D83AA9.9060304@redhat.com> <1188613152.5162.5.camel@bob-desktop> <46DD697D.9010204@redhat.com> <1188956093.4946.6.camel@bob-desktop>
Message-ID: <46DEBB42.4030006@redhat.com>

Bob Wooden wrote:
> I figured it out! On re-installing, I answered the last setup question
> with the user I wanted to run fedora-ds under (instead of accepting the
> default, which I think was "administrator").
>
> If you could tell me the install log file to review, I could better tell
> everyone what my setup mistake was. I reran setup/setup and (now that
> fedora-ds is running) I could not return to review all of the setup
> questions. Where is the install log file, please?

Look for logs under /opt/fedora-ds/setup

From rnappert at juniper.net Wed Sep 5 16:52:30 2007
From: rnappert at juniper.net (Reinhard Nappert)
Date: Wed, 5 Sep 2007 12:52:30 -0400
Subject: [Fedora-directory-users] MMR: Directory updates on same object
Message-ID: <3525C9833C09ED418C6FD6CD9514668C024C7C19@emailwf1.jnpr.net>

I have a working Multi-Master Replication setup with two masters (Fedora
Directory Server 1.0.4). The setup works fine as long as I do not update
the same object via both Masters. When the latter happens (application
driven), one of the Masters crashes. This server does not generate a core
dump, nor can I find anything unusual in the access and error log files. I
am pretty sure that it has something to do with the conflict resolution,
but I am stuck now.

Did anybody experience a similar behavior?
Thanks, -Reinhard -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Wed Sep 5 16:56:08 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 05 Sep 2007 10:56:08 -0600 Subject: [Fedora-directory-users] MMR: Directory updates on same object In-Reply-To: <3525C9833C09ED418C6FD6CD9514668C024C7C19@emailwf1.jnpr.net> References: <3525C9833C09ED418C6FD6CD9514668C024C7C19@emailwf1.jnpr.net> Message-ID: <46DEDFA8.7060307@redhat.com> Reinhard Nappert wrote: > > I have a working Multi-Master Replication setup with two masters > (Fedora Directory Server 1.0.4). The setup works fine as long as I do > not update the same object via both Masters. When the later happens > (application driven), one of the Master crashes. This server does not > generate a core dump, nor can I find any unusual in the access and > error log files. I am pretty sure that it has to do something with the > conflict resolution, but I am stuck now. > > Did anybody experience a similar behavior? > Can you reproduce the problem with the replication log level on? http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting What OS are you on? 32bit or 64bit? > > Thanks, > -Reinhard > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rnappert at juniper.net Wed Sep 5 17:06:17 2007 From: rnappert at juniper.net (Reinhard Nappert) Date: Wed, 5 Sep 2007 13:06:17 -0400 Subject: [Fedora-directory-users] MMR: Directory updates on same object In-Reply-To: <46DEDFA8.7060307@redhat.com> References: <3525C9833C09ED418C6FD6CD9514668C024C7C19@emailwf1.jnpr.net> <46DEDFA8.7060307@redhat.com> Message-ID: <3525C9833C09ED418C6FD6CD9514668C024C7C2D@emailwf1.jnpr.net> Actually, I did use log level 8192. I saw that at some point the access logs stopped generating entries for the updates, but errors still had about 150 operations logged. I do not have those logs anymore, but I can reproduce those in a while, when I am done with some other tests. I run those tests on a mixed environment (Solaris 9 and Linux) 32bit. This happens on both boxes. I also have seen it on a pure Linux environment. When I have the error logs, I will post them -Reinhard -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson Sent: Wednesday, September 05, 2007 12:56 PM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] MMR: Directory updates on same object Reinhard Nappert wrote: > > I have a working Multi-Master Replication setup with two masters > (Fedora Directory Server 1.0.4). The setup works fine as long as I do > not update the same object via both Masters. When the later happens > (application driven), one of the Master crashes. This server does not > generate a core dump, nor can I find any unusual in the access and > error log files. I am pretty sure that it has to do something with the > conflict resolution, but I am stuck now. > > Did anybody experience a similar behavior? > Can you reproduce the problem with the replication log level on? 
http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting What OS are you on? 32bit or 64bit? > > Thanks, > -Reinhard > > ---------------------------------------------------------------------- > -- > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From sam.smith at ece.gatech.edu Wed Sep 5 17:28:45 2007 From: sam.smith at ece.gatech.edu (Sam Smith) Date: Wed, 05 Sep 2007 13:28:45 -0400 Subject: [Fedora-directory-users] deletion problem - multi-master In-Reply-To: <46DEBB07.9010303@redhat.com> References: <46CD9F77.1010900@ece.gatech.edu> <46D80974.7060102@ece.gatech.edu> <46D83F30.6030403@redhat.com> <46DEA95B.30407@ece.gatech.edu> <46DEBB07.9010303@redhat.com> Message-ID: <46DEE74D.5000600@ece.gatech.edu> OK the link at pastebin.com is here: http://pastebin.com/m11cefaeb I think I removed everything that is sensitive. The user I bind as is uid=test The account I try to delete is uid=acctest There may be some extra trace info at the beginning and the end. Thanks, Sam Smith Richard Megginson wrote: > Sam Smith wrote: >> I set nsslapd-errorlog-level to 1 (trace) >> I attempted a delete, and got an ldap operations error >> I set nsslapd-errorlog-level back to 0 >> I looked through the errors log, which did have a record of every >> function called, but no indication of any errors. What should I be >> looking for? Is there a different errorlog-level I should use that >> will give me some indication of what is going wrong? > I suggest you post your error log to pastebin.com and post the link to > it to this mailing list. Please be sure to scrub any sensitive data > from the error log before posting it. >> >> Once again, I can add and modify, but not delete. I am currently >> running with a single master and four replicas. Replication is >> working fine. I just can't delete. 
>>
>> Thanks,
>> Sam
>>
>> Richard Megginson wrote:
>>> Sam Smith wrote:
>>>> I am still having this problem where I cannot delete.
>>>> I changed from multi-master replication to single master - didn't
>>>> help.
>>>> I turned on trace level debug, and there are no error messages in
>>>> the errors file at all.
>>> ??? What exactly did you do?
>>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>>>> It still gets an ldap operations error.
>>>>
>>>> Is there a different level of debug I should try? One that actually
>>>> logs an error message?
>>>> I can add and modify entries, just no delete. I have tried it as
>>>> directory manager and as a user with an acl that includes delete.
>>>> Still no luck.
>>>>
>>>> Thanks for any help,
>>>> Sam Smith
>>>>
>>>> Sam Smith wrote:
>>>>> I have two masters and three replicas.
>>>>>
>>>>> Master A works fine - I can add, modify, delete, and the changes
>>>>> replicate OK.
>>>>>
>>>>> Except that Master B cannot delete, either directly at the
>>>>> console, via the command line, or via replication from master A.
>>>>> It can add and modify just fine, and those changes replicate to
>>>>> the other master and the replicas. But it can't delete.
>>>>>
>>>>> The error message is simply LDAP OPERATIONS ERROR
>>>>>
>>>>> Thanks for any help.
>>>>>
>>>>> Sam Smith

From rmeggins at redhat.com Wed Sep 5 17:44:06 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 05 Sep 2007 11:44:06 -0600
Subject: [Fedora-directory-users] deletion problem - multi-master
In-Reply-To: <46DEE74D.5000600@ece.gatech.edu>
References: <46CD9F77.1010900@ece.gatech.edu> <46D80974.7060102@ece.gatech.edu> <46D83F30.6030403@redhat.com> <46DEA95B.30407@ece.gatech.edu> <46DEBB07.9010303@redhat.com> <46DEE74D.5000600@ece.gatech.edu>
Message-ID: <46DEEAE6.40802@redhat.com>

Sam Smith wrote:
> OK the link at pastebin.com is here:
> http://pastebin.com/m11cefaeb
>
> I think I removed everything that is sensitive.
> The user I bind as is uid=test
> The account I try to delete is uid=acctest
> There may be some extra trace info at the beginning and the end.
Thanks. This is really weird.
It looks like the deletion gets all the way through to almost the very end, when it tries to remove the entry from the console browsing index (VLV):

[31/Aug/2007:08:10:55 -0400] - <= index_addordel_values_ext_sv
[31/Aug/2007:08:10:55 -0400] - vlv_update_index: by MCC ou=People dc=ece dc=gatech dc=edu Delete acct test
[31/Aug/2007:08:10:55 -0400] - vlv_update_index: by MCC ou=People dc=ece dc=gatech dc=edu Delete acct test
[31/Aug/2007:08:10:55 -0400] - vlv_update_index: by MCC ou=People dc=ece dc=gatech dc=edu Delete acct test FAILED

I suggest removing the console browsing index, then recreating it.

>
> Thanks,
> Sam Smith
>
> Richard Megginson wrote:
>> Sam Smith wrote:
>>> I set nsslapd-errorlog-level to 1 (trace)
>>> I attempted a delete, and got an ldap operations error
>>> I set nsslapd-errorlog-level back to 0
>>> I looked through the errors log, which did have a record of every
>>> function called, but no indication of any errors. What should I be
>>> looking for? Is there a different errorlog-level I should use that
>>> will give me some indication of what is going wrong?
>> I suggest you post your error log to pastebin.com and post the link
>> to it to this mailing list. Please be sure to scrub any sensitive
>> data from the error log before posting it.
>>>
>>> Once again, I can add and modify, but not delete. I am currently
>>> running with a single master and four replicas. Replication is
>>> working fine. I just can't delete.
>>>
>>> Thanks,
>>> Sam
>>>
>>> Richard Megginson wrote:
>>>> Sam Smith wrote:
>>>>> I am still having this problem where I cannot delete.
>>>>> I changed from multi-master replication to single master - didn't
>>>>> help.
>>>>> I turned on trace level debug, and there are no error messages in
>>>>> the errors file at all.
>>>> ??? What exactly did you do?
>>>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>>>>> It still gets an ldap operations error.
>>>>>
>>>>> Is there a different level of debug I should try? One that
>>>>> actually logs an error message?
>>>>> I can add and modify entries, just no delete. I have tried it as
>>>>> directory manager and as a user with an acl that includes delete.
>>>>> Still no luck.
>>>>>
>>>>> Thanks for any help,
>>>>> Sam Smith
>>>>>
>>>>> Sam Smith wrote:
>>>>>> I have two masters and three replicas.
>>>>>>
>>>>>> Master A works fine - I can add, modify, delete, and the changes
>>>>>> replicate OK.
>>>>>>
>>>>>> Except that Master B cannot delete, either directly at the
>>>>>> console, via the command line, or via replication from master A.
>>>>>> It can add and modify just fine, and those changes replicate to
>>>>>> the other master and the replicas. But it can't delete.
>>>>>>
>>>>>> The error message is simply LDAP OPERATIONS ERROR
>>>>>>
>>>>>> Thanks for any help.
>>>>>>
>>>>>> Sam Smith
From rewdn at bellsouth.net Wed Sep 5 23:52:51 2007
From: rewdn at bellsouth.net (Bob Wooden)
Date: Wed, 05 Sep 2007 18:52:51 -0500
Subject: [Fedora-directory-users] error logging in first time
In-Reply-To: <46DEBB42.4030006@redhat.com>
References: <1188513887.4918.7.camel@bob-desktop> <46D83AA9.9060304@redhat.com> <1188613152.5162.5.camel@bob-desktop> <46DD697D.9010204@redhat.com> <1188956093.4946.6.camel@bob-desktop> <46DEBB42.4030006@redhat.com>
Message-ID: <1189036371.6582.1.camel@bob-desktop>

Thanks, I will check this out. I have moved the server to work and look at the logs there.

On Wed, 2007-09-05 at 08:20 -0600, Richard Megginson wrote:
> Bob Wooden wrote:
> > I figured it out! On re-installing, I answered the last setup question
> > with the user I wanted to run fedora-ds under (instead of accepting the
> > default, which I think was "administrator.")
> >
> > If you could tell me the install log file to review, I could better tell
> > everyone what my setup mistake was. I reran setup/setup and (now that
> > fedora-ds is running) I could not return to review all of the setup
> > questions. Where is the install log file, please?
> >
> Look for logs under /opt/fedora-ds/setup
>
> > On Tue, 2007-09-04 at 08:19 -0600, Richard Megginson wrote:
> >
> >> Bob Wooden wrote:
> >>
> >>> Thanks for the reply. Please see below.
> >>>
> >>> On Fri, 2007-08-31 at 09:58 -0600, Richard Megginson wrote:
> >>>
> >>>> Bob Wooden wrote:
> >>>>
> >>>>> I am new to Fedora Directory Server, but six or seven years linux
> >>>>> user.
> >>>>>
> >>>>> I have built a Fedora Core 6, selected the "web server" option on build
> >>>>> and installed the FDS 1.0.4 version. Located java and adjusted the
> >>>>> symbolic link. Did my FDS setup/setup and set all the defaults. When I
> >>>>> perform the ./startconsole command (within the fedora-ds directory), I
> >>>>> get the following error message:
> >>>>>
> >>>>> Cannot connect to the Admin Server "http://******.***.***:43766"
> >>>>> The URL is not correct or the server is not running.
> >>>>>
> >>>> First, make sure both the DS and admin server are running:
> >>>> ps -ef|grep ns-slapd
> >>>> ps -ef|grep httpd.worker
> >>>>
> >>> These report that both are running.
> >>>
> >>>> If one or the other is not running, make sure you start the DS first,
> >>>> then the admin server.
> >>>>
> >>>> Next, try connecting to the URL http://******.***.***:43766 using your
> >>>> web browser - does it work?
> >>>>
> >>> No, neither the browser on the server nor a browser on the lan can
> >>> connect. I can ping the IP address of the FDS server. So, I tried the
> >>> ipaddress:43766 and browser reports "unable to connect . . . "
> >>>
> >> netstat -an|grep 43766 - do you see a process listening to 43766?
> >> telnet IPaddress 43766 - can you connect using telnet?
> >>
> >>>> I would suggest looking at /opt/fedora-ds/admin-serv/logs to see if
> >>>> there are any errors.
> >>>>
> >>>>> I have searched the mailing list archive and I am unable to locate any
> >>>>> reference to this error message.
> >>>>>
> >>>>> What do I do now?
> >>>>>
> >>> And again, what do I do now?
> >>>
> >> I suggest looking at /opt/fedora-ds/admin-serv/logs to see if there are
> >> any errors in the file "error" or "access". Are there any?
From rnappert at juniper.net Wed Sep 5 17:52:00 2007
From: rnappert at juniper.net (Reinhard Nappert)
Date: Wed, 5 Sep 2007 13:52:00 -0400
Subject: [Fedora-directory-users] MMR: Directory updates on same object
In-Reply-To: <3525C9833C09ED418C6FD6CD9514668C024C7C2D@emailwf1.jnpr.net>
References: <3525C9833C09ED418C6FD6CD9514668C024C7C19@emailwf1.jnpr.net> <46DEDFA8.7060307@redhat.com> <3525C9833C09ED418C6FD6CD9514668C024C7C2D@emailwf1.jnpr.net>
Message-ID: <3525C9833C09ED418C6FD6CD9514668C024C7C7B@emailwf1.jnpr.net>

Richard,

I attached the entire access and error log file of one Master (MasterOne) and the error file of the other (MasterTwo). You see that the last update through the client was conn=50 op=424 on MasterOne. In errors, you see that it still processed the operation conn=50 op=650.

This time the crash happened on MasterOne.

Hope this helps,
-Reinhard

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Reinhard Nappert
Sent: Wednesday, September 05, 2007 1:06 PM
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] MMR: Directory updates on same object

Actually, I did use log level 8192. I saw that at some point the access logs stopped generating entries for the updates, but errors still had about 150 operations logged. I do not have those logs anymore, but I can reproduce those in a while, when I am done with some other tests.

I run those tests on a mixed environment (Solaris 9 and Linux) 32bit. This happens on both boxes. I also have seen it on a pure Linux environment.

When I have the error logs, I will post them.

-Reinhard

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
Sent: Wednesday, September 05, 2007 12:56 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] MMR: Directory updates on same object

Reinhard Nappert wrote:
>
> I have a working Multi-Master Replication setup with two masters
> (Fedora Directory Server 1.0.4). The setup works fine as long as I do
> not update the same object via both Masters. When the latter happens
> (application driven), one of the Masters crashes. This server does not
> generate a core dump, nor can I find anything unusual in the access and
> error log files. I am pretty sure that it has something to do with the
> conflict resolution, but I am stuck now.
>
> Did anybody experience a similar behavior?
>
Can you reproduce the problem with the replication log level on?
http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

What OS are you on? 32bit or 64bit?
>
> Thanks,
> -Reinhard
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: MMRlogs.zip
Type: application/x-zip-compressed
Size: 102170 bytes
Desc: MMRlogs.zip
URL: 

From rmeggins at redhat.com Thu Sep 6 14:20:55 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 06 Sep 2007 08:20:55 -0600
Subject: [Fedora-directory-users] MMR: Directory updates on same object
In-Reply-To: <3525C9833C09ED418C6FD6CD9514668C024C7C7B@emailwf1.jnpr.net>
References: <3525C9833C09ED418C6FD6CD9514668C024C7C19@emailwf1.jnpr.net> <46DEDFA8.7060307@redhat.com> <3525C9833C09ED418C6FD6CD9514668C024C7C2D@emailwf1.jnpr.net> <3525C9833C09ED418C6FD6CD9514668C024C7C7B@emailwf1.jnpr.net>
Message-ID: <46E00CC7.90005@redhat.com>

Reinhard Nappert wrote:
> Richard,
>
> I attached the entire access and error log file of one Master
> (MasterOne) and the error file of the other (MasterTwo). You see that
> the last update through the client was conn=50 op=424 on MasterOne. In
> errors, you see that it still processed the operation conn=50 op=650.
>
> This time the crash happened on MasterOne.
>
Thanks. This is a very interesting test. You are generating replication conflicts:

[05/Sep/2007:13:15:40 -0400] conn=51 op=29 csn=46dee55f000200030000 - Naming conflict ADD. Renamed existing entry to nsuniqueid=99277847-1dd111b2-80dfcd7f-b7bc0000+ou=repltest

It looks as though you are repeatedly adding and deleting the same entry from both servers at the same time, which should be fine. Could you post your script that you use to generate these entries?
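The "Naming conflict ADD" line Richard quotes is the record an administrator has to look for after a test like this: the server keeps both copies and renames the loser to an nsuniqueid=...+ RDN. As an added example (not part of this message, the thread, or the Fedora Directory Server code), here is a small Python parser for such error-log lines that lists the renamed entries, decodes the CSN (8 hex digits of time, then 4 each of sequence number, replica id and sub-sequence number) and reports the skew between the originating master's clock inside the CSN and the local log timestamp, which matters because conflict resolution orders updates by CSN. The first sample line is the one from the message; the other two are constructed.

```python
import re
from datetime import datetime

# Added example, not code from the thread. Three FDS error-log lines: the first is
# the one quoted in the message above, the other two are constructed (the last one
# is not a conflict and must be ignored by the parser).
SAMPLE_ERRORS = """\
[05/Sep/2007:13:15:40 -0400] conn=51 op=29 csn=46dee55f000200030000 - Naming conflict ADD. Renamed existing entry to nsuniqueid=99277847-1dd111b2-80dfcd7f-b7bc0000+ou=repltest
[05/Sep/2007:13:15:41 -0400] conn=51 op=30 csn=46dee560000100030000 - Naming conflict ADD. Renamed existing entry to nsuniqueid=0a0b0c0d-1dd111b2-80dfcd7f-b7bc0000+ou=repltest
[05/Sep/2007:13:15:42 -0400] conn=51 op=31 csn=46dee561000100030000 - some other replication message
"""

CONFLICT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) csn=(?P<csn>[0-9a-f]{20})"
    r" - Naming conflict (?P<optype>[A-Z]+)\. Renamed existing entry to (?P<dn>\S+)$"
)


def decode_csn(csn):
    """Split a CSN into its four fields: 8 hex digits of seconds since the epoch,
    4 of sequence number, 4 of replica id, 4 of sub-sequence number."""
    if len(csn) != 20:
        raise ValueError(f"CSN must be 20 hex digits: {csn!r}")
    return {"time": int(csn[0:8], 16), "seq": int(csn[8:12], 16),
            "rid": int(csn[12:16], 16), "subseq": int(csn[16:20], 16)}


def original_rdn(conflict_dn):
    """'nsuniqueid=<id>+ou=repltest' -> 'ou=repltest': the RDN the entry had before
    the server renamed it to keep both copies."""
    prefix, plus, rest = conflict_dn.partition("+")
    if not (prefix.startswith("nsuniqueid=") and plus):
        raise ValueError(f"not a conflict DN: {conflict_dn!r}")
    return rest


def parse_conflicts(log_text):
    """One record per naming-conflict line, with the CSN decoded and the skew
    between the originating master's clock (inside the CSN) and the local log
    timestamp; conflict resolution orders updates by CSN, so skew decides winners."""
    records = []
    for line in log_text.splitlines():
        m = CONFLICT_RE.match(line)
        if not m:
            continue  # not a naming-conflict line
        logged_at = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        csn = decode_csn(m["csn"])
        records.append({
            "logged_at": logged_at,
            "conn": int(m["conn"]),
            "op": int(m["op"]),
            "optype": m["optype"],
            "origin_rid": csn["rid"],
            "csn_time": csn["time"],
            "skew_seconds": csn["time"] - int(logged_at.timestamp()),
            "conflict_dn": m["dn"],
            "original_rdn": original_rdn(m["dn"]),
        })
    return records


def conflicts_by_replica(records):
    """Count conflict entries per originating replica id, to see whose writes lose."""
    counts = {}
    for rec in records:
        counts[rec["origin_rid"]] = counts.get(rec["origin_rid"], 0) + 1
    return counts


if __name__ == "__main__":
    for rec in parse_conflicts(SAMPLE_ERRORS):
        print(f"{rec['logged_at']:%d/%b/%Y %H:%M:%S} rid={rec['origin_rid']} "
              f"skew={rec['skew_seconds']:+d}s {rec['conflict_dn']} "
              f"(was {rec['original_rdn']})")
```

For the quoted line the CSN time is 291 seconds ahead of the log timestamp, so the two masters' clocks in this test were not in step.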
> Hope this helps,
> -Reinhard
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Reinhard
> Nappert
> Sent: Wednesday, September 05, 2007 1:06 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: RE: [Fedora-directory-users] MMR: Directory updates on same
> object
>
> Actually, I did use log level 8192. I saw that at some point the access
> logs stopped generating entries for the updates, but errors still had
> about 150 operations logged. I do not have those logs anymore, but I can
> reproduce those in a while, when I am done with some other tests.
>
> I run those tests on a mixed environment (Solaris 9 and Linux) 32bit.
> This happens on both boxes. I also have seen it on a pure Linux
> environment.
>
> When I have the error logs, I will post them.
>
> -Reinhard
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard
> Megginson
> Sent: Wednesday, September 05, 2007 12:56 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] MMR: Directory updates on same
> object
>
> Reinhard Nappert wrote:
>
>> I have a working Multi-Master Replication setup with two masters
>> (Fedora Directory Server 1.0.4). The setup works fine as long as I do
>> not update the same object via both Masters. When the latter happens
>> (application driven), one of the Masters crashes. This server does not
>> generate a core dump, nor can I find anything unusual in the access and
>> error log files. I am pretty sure that it has something to do with the
>> conflict resolution, but I am stuck now.
>>
>> Did anybody experience a similar behavior?
>>
> Can you reproduce the problem with the replication log level on?
> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>
> What OS are you on? 32bit or 64bit?
>
>> Thanks,
>> -Reinhard
>>

From kekkou.a at cs.ucy.ac.cy Thu Sep 6 15:10:40 2007
From: kekkou.a at cs.ucy.ac.cy (Andreas Kekkou)
Date: Thu, 06 Sep 2007 18:10:40 +0300
Subject: [Fedora-directory-users] FDS & NIS sync.
Message-ID: <46E01870.8020202@cs.ucy.ac.cy>

Hi all,

We are in the process of migrating our NIS domain to FDS and for some time we have to run both systems. Since the current version of FDS does not generate UIDs automatically, we are thinking of creating any new accounts in NIS and exporting all info every night in ldif format. What command/software do I have to use in order to import the ldif file into FDS? Please bear in mind that we want to update the existing user info and create any new users that might exist in the ldif file.

Regards,
Andreas
From rmeggins at redhat.com Thu Sep 6 15:48:22 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 06 Sep 2007 09:48:22 -0600
Subject: [Fedora-directory-users] FDS & NIS sync.
In-Reply-To: <46E01870.8020202@cs.ucy.ac.cy>
References: <46E01870.8020202@cs.ucy.ac.cy>
Message-ID: <46E02146.1090800@redhat.com>

Andreas Kekkou wrote:
> Hi all,
>
> We are in the process of migrating our NIS domain to FDS and for some
> time we have to run both systems. Since the current version of FDS
> does not generate UIDs automatically, we are thinking of creating any
> new accounts in NIS and exporting all info every night in ldif format.
> What command/software do I have to use in order to import the ldif file
> into FDS?
ldapmodify or ldif2db - but beware, ldif2db is destructive - it will completely wipe out any existing data in your database.
> Please bear in mind that we want to update the existing user info and
> create any new users that might exist in the ldif file.
>
> Regards,
> Andreas
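Richard's warning is the point to build on: ldif2db replaces the whole database, so a nightly NIS export has to become ldapmodify input, with changetype: add for accounts the directory does not have yet and changetype: modify (replace) for the ones it already has. The Python below is an added example, not from the thread or the project; it assumes a passwd(5)-style export of the kind ypcat passwd prints, a base DN of ou=People,dc=example,dc=com, and a set of uids already in the directory that would normally come from an ldapsearch. All sample data is constructed, and the password field is deliberately not carried over.

```python
import base64

# Added example, not code from the thread. Constructed passwd(5)-style lines of the
# kind a nightly "ypcat passwd" export produces.
SAMPLE_PASSWD = """\
alice:x:1001:100:Alice Example,Room 12:/home/alice:/bin/bash
bob:x:1002:100:Bob Builder:/home/bob:/bin/sh
"""
# Constructed: uids already present in the directory (in practice the result of an
# ldapsearch for "uid" under the People container) and the assumed container DN.
EXISTING_UIDS = {"alice"}
BASE_DN = "ou=People,dc=example,dc=com"


def dn_escape(value):
    """Escape an RDN attribute value per RFC 4514 so a login name cannot
    break out of the DN."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def ldif_line(attr, value):
    """One attribute line; values LDIF cannot carry verbatim (non-ASCII, leading
    space/colon/'<', trailing space, control characters) are base64-encoded."""
    unsafe = (not value.isascii()
              or value[:1] in (" ", ":", "<")
              or value.endswith(" ")
              or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def parse_passwd(text):
    """Yield one dict per passwd line. The password field is ignored on purpose:
    a NIS export carries 'x' or a crypt hash that should not be replayed as-is."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 colon-separated fields")
        name, _pw, uid, gid, gecos, home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            raise ValueError(f"line {lineno}: uid/gid must be numeric")
        yield {"uid": name, "uidNumber": uid, "gidNumber": gid,
               "gecos": gecos, "homeDirectory": home, "loginShell": shell}


def account_attributes(acct):
    """person/posixAccount attributes derived from one passwd record."""
    full_name = acct["gecos"].split(",")[0].strip() or acct["uid"]
    surname = full_name.split()[-1]
    return [("cn", full_name), ("sn", surname), ("gecos", acct["gecos"]),
            ("uidNumber", acct["uidNumber"]), ("gidNumber", acct["gidNumber"]),
            ("homeDirectory", acct["homeDirectory"]), ("loginShell", acct["loginShell"])]


def nis_to_ldif(passwd_text, existing_uids, base_dn):
    """Build ldapmodify input: 'add' records for accounts the directory lacks,
    'modify' records with replace operations for accounts it already has."""
    records = []
    for acct in parse_passwd(passwd_text):
        lines = [f"dn: uid={dn_escape(acct['uid'])},{base_dn}"]
        attrs = account_attributes(acct)
        if acct["uid"] in existing_uids:
            lines.append("changetype: modify")
            for attr, value in attrs:
                # a replace with no value removes the attribute (e.g. an emptied gecos)
                lines += [f"replace: {attr}"] + ([ldif_line(attr, value)] if value else []) + ["-"]
        else:
            lines.append("changetype: add")
            lines += ["objectClass: top", "objectClass: person", "objectClass: posixAccount",
                      ldif_line("uid", acct["uid"])]
            lines += [ldif_line(attr, value) for attr, value in attrs if value]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    print(nis_to_ldif(SAMPLE_PASSWD, EXISTING_UIDS, BASE_DN))
```

The output is what you feed to ldapmodify (with -a not needed, since every record carries its own changetype); nothing in it touches the database as a whole.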
From rnappert at juniper.net Thu Sep 6 16:34:57 2007
From: rnappert at juniper.net (Reinhard Nappert)
Date: Thu, 6 Sep 2007 12:34:57 -0400
Subject: [Fedora-directory-users] MMR: Directory updates on same object
In-Reply-To: <46E00CC7.90005@redhat.com>
References: <3525C9833C09ED418C6FD6CD9514668C024C7C19@emailwf1.jnpr.net> <46DEDFA8.7060307@redhat.com> <3525C9833C09ED418C6FD6CD9514668C024C7C2D@emailwf1.jnpr.net> <3525C9833C09ED418C6FD6CD9514668C024C7C7B@emailwf1.jnpr.net> <46E00CC7.90005@redhat.com>
Message-ID: <3525C9833C09ED418C6FD6CD9514668C024C7FD7@emailwf1.jnpr.net>

Richard,

this is a java class, using jndi. The relevant methods are:

    // Imports and fields the methods below rely on; the class extends Thread.
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NameAlreadyBoundException;
    import javax.naming.NameNotFoundException;
    import javax.naming.NamingException;
    import javax.naming.directory.Attribute;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.BasicAttribute;
    import javax.naming.directory.BasicAttributes;
    import javax.naming.directory.InitialDirContext;

    private InitialDirContext ctx;   // obtained from connect() before the thread runs
    private int start;               // first and last iteration of the add/delete loop
    private int stop;

    // destroy() was not posted; minimal version: close the context after a fatal
    // NamingException so the thread does not keep a broken connection open
    private void destroy() {
        try {
            if (ctx != null) ctx.close();
        } catch (NamingException e) {
            // ignore, already failing
        }
    }

1.

    public InitialDirContext connect(String host, int port) throws NamingException {
        Hashtable<String, String> environment = new Hashtable<String, String>();
        environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        environment.put("java.naming.ldap.version", "3");
        environment.put(Context.SECURITY_PRINCIPAL, "cn=Directory Manager");
        environment.put(Context.SECURITY_CREDENTIALS, "xxxxxx");
        environment.put(Context.SECURITY_AUTHENTICATION, "simple");
        // timeouts: the LDAP provider honours com.sun.jndi.ldap.connect.timeout (ms);
        // the com.sun.jndi.dns.* properties only apply to the DNS provider
        environment.put("com.sun.jndi.ldap.connect.timeout", "2000");
        environment.put(Context.PROVIDER_URL, "ldap://" + host + ":" + port + "/o=test");
        InitialDirContext context = new InitialDirContext(environment);
        System.out.println("Connected to " + host);
        return context;
    }

2.

    public void addEntry(InitialDirContext ctx) {
        // Create attributes to be associated with the new context
        Attributes attrs = new BasicAttributes(true); // case-ignore
        Attribute objclass = new BasicAttribute("objectclass");
        objclass.add("top");
        objclass.add("organizationalUnit");
        attrs.put(objclass);

        // Create the context
        Context result;
        try {
            result = ctx.createSubcontext("ou=test", attrs);
            result.close();
        } catch (NameAlreadyBoundException e) {
            // ignore, just log it .......
        } catch (NamingException e) {
            e.printStackTrace();
            this.destroy();
        }
    }

3.

    public void deleteEntry(InitialDirContext ctx) {
        try {
            ctx.destroySubcontext("ou=test");
            //ctx.close();
        } catch (NameNotFoundException e) {
            // ignore, just log it .......
        } catch (NamingException e) {
            e.printStackTrace();
            this.destroy();
        }
    }

4. Start of the thread:

    // the loop belongs in run(); overriding start() would run it in the caller's
    // thread instead of a new one
    public void run() {
        for (int i = start; i < stop; i++) {
            try {
                addEntry(ctx);
                //....some kind of logging
                Thread.sleep(100);
                deleteEntry(ctx);
                //....some kind of logging
                Thread.sleep(50);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        //close context;
        try {
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }

Then, I just call this thread for my two masters (MasterOne and MasterTwo). Of course, when I pause for a longer time between the add and delete, it takes longer until it happens.

Hope this helps.
-Reinhard

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
Sent: Thursday, September 06, 2007 10:21 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] MMR: Directory updates on same object

Reinhard Nappert wrote:
> Richard,
>
> I attached the entire access and error log file of one Master
> (MasterOne) and the error file of the other (MasterTwo).
> You see that
> the last update through the client was conn=50 op=424 on MasterOne. In
> errors, you see that it still processed the operation conn=50 op=650.
>
> This time the crash happened on MasterOne.
>
Thanks. This is a very interesting test. You are generating replication conflicts:

[05/Sep/2007:13:15:40 -0400] conn=51 op=29 csn=46dee55f000200030000 - Naming conflict ADD. Renamed existing entry to nsuniqueid=99277847-1dd111b2-80dfcd7f-b7bc0000+ou=repltest

It looks as though you are repeatedly adding and deleting the same entry from both servers at the same time, which should be fine. Could you post your script that you use to generate these entries?

> Hope this helps,
> -Reinhard
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of
> Reinhard Nappert
> Sent: Wednesday, September 05, 2007 1:06 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: RE: [Fedora-directory-users] MMR: Directory updates on same
> object
>
> Actually, I did use log level 8192. I saw that at some point the
> access logs stopped generating entries for the updates, but errors
> still had about 150 operations logged. I do not have those logs
> anymore, but I can reproduce those in a while, when I am done with some other tests.
>
> I run those tests on a mixed environment (Solaris 9 and Linux) 32bit.
> This happens on both boxes. I also have seen it on a pure Linux
> environment.
>
> When I have the error logs, I will post them.
>
> -Reinhard
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of
> Richard Megginson
> Sent: Wednesday, September 05, 2007 12:56 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] MMR: Directory updates on same
> object
>
> Reinhard Nappert wrote:
>
>> I have a working Multi-Master Replication setup with two masters
>> (Fedora Directory Server 1.0.4). The setup works fine as long as I do
>> not update the same object via both Masters. When the latter happens
>> (application driven), one of the Masters crashes. This server does not
>> generate a core dump, nor can I find anything unusual in the access and
>> error log files. I am pretty sure that it has something to do with
>> the conflict resolution, but I am stuck now.
>>
>> Did anybody experience a similar behavior?
>>
> Can you reproduce the problem with the replication log level on?
> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>
> What OS are you on? 32bit or 64bit?
>
>> Thanks,
>> -Reinhard
>>

From marco.strullato at gmail.com Fri Sep 7 08:10:58 2007
From: marco.strullato at gmail.com (Marco Strullato)
Date: Fri, 7 Sep 2007 10:10:58 +0200
Subject: [Fedora-directory-users] client problems with ssl and tls
Message-ID: 

Hi all!
I have a problem with ldap and ssl: I set up the fedora directory server with ssl following this link: http://directory.fedoraproject.org/wiki/Howto:SSL

The problem is client authentication: I mean, when I do an ldapsearch I get "SSL connection already established", but I don't have any other connection between client and server (checked with netstat). What do you suggest?

Thanks
Marco

logs from the FDS server are:

[07/Sep/2007:10:04:09 +0200] conn=10 fd=68 slot=68 SSL connection from to
[07/Sep/2007:10:04:09 +0200] conn=10 SSL 256-bit AES
[07/Sep/2007:10:04:09 +0200] conn=10 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[07/Sep/2007:10:04:09 +0200] conn=10 op=0 RESULT err=1 tag=120 nentries=0 etime=0
[07/Sep/2007:10:04:09 +0200] conn=10 op=-1 fd=68 closed - B1

from client:

ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldaps_vm02_admin:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying :636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=IT/O=<......>
TLS certificate verification: depth: 0, err: 0, subject: /C=IT/O=<......>
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
ldap_result ld 0x80bc048 msgid 1
ldap_chkResponseList ld 0x80bc048 msgid 1 all 1
ldap_chkResponseList returns ld 0x80bc048 NULL
wait4msg ld 0x80bc048 msgid 1 (infinite timeout)
wait4msg continue ld 0x80bc048 msgid 1 all 1
** ld 0x80bc048 Connections:
* host: ldaps_vm02_admin  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Fri Sep  7 10:05:20 2007
** ld 0x80bc048 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x80bc048 Response Queue:
   Empty
ldap_chkResponseList ld 0x80bc048 msgid 1 all 1
ldap_chkResponseList returns ld 0x80bc048 NULL
ldap_int_select
read1msg: ld 0x80bc048 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 71 contents:
read1msg: ld 0x80bc048 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x80bc048 0 new referrals
read1msg:  mark request completed, ld 0x80bc048 msgid 1
request done: ld 0x80bc048 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ber_scanf fmt (a) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_perror
ldap_start_tls: Operations error (1)
        additional info: SSL connection already established

From matteo.angelino at mfn.unipmn.it Fri Sep 7 10:06:53 2007
From: matteo.angelino at mfn.unipmn.it (Matteo Angelino)
Date: Fri, 7 Sep 2007 12:06:53 +0200
Subject: [Fedora-directory-users] FDS and OpenLDAP integration
Message-ID: <0A175DA6-C6A6-4439-B840-FA4B039914D9@mfn.unipmn.it>

Hello,

in my organization I have a master ldap server based on openLDAP. Now I have installed a new ldap server (slave) based on Fedora Directory Server. The openLDAP server has a replica directive in the configuration file to replicate the modifications to the FDS server.
Modifying an entry that exists on the master server works fine.
The problem is in the insert of a new user into the master server. When I try to insert a new user from the following ldif, I see an error in the insert.

testuser.ldif:

dn: uid=testuser, dc=studenti, dc=unipmn,dc=it
givenName: TEST
postalCode: 1920
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword:: e21kNX0rcmM3V2xoeE9QcnZLc0MvdlJtRlZnPT0=
mail: roberto.pinna at studenti.unipmn.it
uid: testuser
uidNumber: 6763578
cn: TEST USER
carLicense: PNNRRT73B26A182A
loginShell: /bin/bash
gidNumber: 100
homeDirectory: /home/test
sn: TEST

Error from FDS error log:

Entry "uid=testuser,dc=studenti,dc=unipmn,dc=it" -- attribute "structuralobjectclass" not allowed

Error from slurpd (on master openLDAP server):

Error: ldap_add_s failed adding DN "uid=testuser,dc=studenti,dc=unipmn,dc=it": attribute "structuralobjectclass" not allowed

Information from the reject file of slurpd:

ERROR:: T2JqZWN0IGNsYXNzIHZpb2xhdGlvbjogYXR0cmlidXRlICJzdHJ1Y3R1cmFsb2JqZWN0Y2
 xhc3MiIG5vdCBhbGxvd2VkCg==
replica: db.mfn.unipmn.it:389
time: 1189156318.0
dn: uid=testuser,dc=studenti,dc=unipmn,dc=it
changetype: add
givenName: TEST
postalCode: 1920
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword:: e21kNX0rcmM3V2xoeE9QcnZLc0MvdlJtRlZnPT0=
uid: testuser
mail: roberto.pinna at studenti.unipmn.it
uidNumber: 6763578
cn: TEST USER
carLicense: PNNRRT73B26A182A
loginShell: /bin/bash
gidNumber: 100
homeDirectory: /home/test
sn: TEST
structuralObjectClass: inetOrgPerson
entryUUID: 21363b50-f16e-102b-96d1-e14b33466425
creatorsName: cn=manager,dc=unipmn,dc=it
createTimestamp: 20070907091157Z
entryCSN: 20070907091157Z#000000#00#000000
modifiersName: cn=manager,dc=unipmn,dc=it
modifyTimestamp: 20070907091157Z

I have seen that structuralobjectclass is not defined in the attributes available in FDS.... how can I resolve the problem?

Thanks in advance

--------------------------------------------------------------
Matteo Angelino
Dipartimento di Informatica
Via Bellini 25\G
15100 Alessandria
ITALY
Tel: +39 0131 360375
Email: matteo.angelino at mfn.unipmn.it
--------------------------------------------------------------

From peter at md.kth.se Fri Sep 7 09:31:23 2007
From: peter at md.kth.se (Peter Reuterås)
Date: Fri, 07 Sep 2007 11:31:23 +0200
Subject: [Fedora-directory-users] FDS 1.0.4 and DNS host filter based ACIs
Message-ID: <46E11A6B.9070702@md.kth.se>

Peter Reuterås wrote:
> Hi
>
> I have a problem with ACIs on FDS 1.0.4. After upgrading a server from
> FDS 1.0.2 to 1.0.4 "DNS host filter" based ACIs stopped working. We can
> still use IP based ACIs for IPv4 access but not "DNS host filter". FDS is
> running on a Red Hat Enterprise Linux 4.0 server.
>
> Anybody else seen this problem?
>
> /Peter

If anyone else has had this problem, I found the bug in Bugzilla today:
https://bugzilla.redhat.com/show_bug.cgi?id=214682

/Peter

From satish at suburbia.org.au Fri Sep 7 12:34:31 2007
From: satish at suburbia.org.au (Satish Chetty)
Date: Fri, 07 Sep 2007 05:34:31 -0700
Subject: [Fedora-directory-users] client problems with ssl and tls
Message-ID: <46E14557.4000106@suburbia.org.au>

Marco,
Which ldapsearch are you using? OL's or the one that comes with FDS?

-Satish.

Marco Strullato wrote:
> Hi all!
> I have a problem with ldap and ssl:
> [...]

From marco.strullato at gmail.com Fri Sep 7 12:47:01 2007
From: marco.strullato at gmail.com (Marco Strullato)
Date: Fri, 7 Sep 2007 14:47:01 +0200
Subject: [Fedora-directory-users] client problems with ssl and tls
In-Reply-To: <46E14557.4000106@suburbia.org.au>
References: <46E14557.4000106@suburbia.org.au>

Hello, I'm using ldapsearch provided by openldap-clients-2.3.27-5.

Marco

2007/9/7, Satish Chetty :
> Marco,
> Which ldapsearch are you using? OL's or the one that comes with FDS?
>
> -Satish.
>
> Marco Strullato wrote:
> > Hi all!
> > I have a problem with ldap and ssl:
> > [...]

From rmeggins at redhat.com Fri Sep 7 14:30:13 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 07 Sep 2007 08:30:13 -0600
Subject: [Fedora-directory-users] client problems with ssl and tls
References: <46E14557.4000106@suburbia.org.au>
Message-ID: <46E16075.4030401@redhat.com>

Marco Strullato wrote:
> Hello, I'm using ldapsearch provided by openldap-clients-2.3.27-5.
>
> Marco
>
> 2007/9/7, Satish Chetty :
> > Marco,
> > Which ldapsearch are you using? OL's or the one that comes with FDS?
> >
> > -Satish.
> >
> > Marco Strullato wrote:
> > > Hi all!
> > > I have a problem with ldap and ssl:
> > > [...]
> > > logs from the FDS server are:
> > > [07/Sep/2007:10:04:09 +0200] conn=10 fd=68 slot=68 SSL connection from to
> > > [07/Sep/2007:10:04:09 +0200] conn=10 SSL 256-bit AES
> > > [07/Sep/2007:10:04:09 +0200] conn=10 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> > > [07/Sep/2007:10:04:09 +0200] conn=10 op=0 RESULT err=1 tag=120 nentries=0 etime=0
> > > [07/Sep/2007:10:04:09 +0200] conn=10 op=-1 fd=68 closed - B1

The problem is that you are attempting to use startTLS on a connection that you have already started TLS/SSL on. The original connection is already a SSL connection: "conn=10 fd=68 slot=68 SSL connection". Then there is an attempt to startTLS on this connection: "conn=10 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"". If you want to use startTLS, you must do so on a non-encrypted connection.

> > > from client:
> > > [...]
> > > ldap_start_tls: Operations error (1)
> > > additional info: SSL connection already established

From rmeggins at redhat.com Fri Sep 7 14:31:40 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 07 Sep 2007 08:31:40 -0600
Subject: [Fedora-directory-users] FDS and OpenLDAP integration
In-Reply-To: <0A175DA6-C6A6-4439-B840-FA4B039914D9@mfn.unipmn.it>
References: <0A175DA6-C6A6-4439-B840-FA4B039914D9@mfn.unipmn.it>
Message-ID: <46E160CC.8050401@redhat.com>

Matteo Angelino wrote:
> Hello,
> in my organization I have a master ldap server based on openLDAP. Now I have installed a new ldap server (slave) based on Fedora Directory Server.
> The openLDAP server has a replica directive in the configuration file to replicate the modifications to the FDS server. Modifying an entry that exists on the master server works fine.
> The problem is in the insert of a new user into the master server. When I try to insert a new user from the following ldif, I see an error in the insert.
> [...]
> I have seen that structuralobjectclass is not defined in the attributes available in FDS.... how can I resolve the problem?

I suggest adding an operational attribute called 'structuralObjectClass' to Fedora DS. Maybe you can just copy the definition of it from openldap.

From marco.strullato at gmail.com Fri Sep 7 14:37:34 2007
From: marco.strullato at gmail.com (Marco Strullato)
Date: Fri, 7 Sep 2007 16:37:34 +0200
Subject: [Fedora-directory-users] client problems with ssl and tls
In-Reply-To: <46E16075.4030401@redhat.com>
References: <46E14557.4000106@suburbia.org.au> <46E16075.4030401@redhat.com>

Thanks! Changing the uri from ldaps to ldap, it works!

Marco

2007/9/7, Richard Megginson :
> [...]
> The problem is that you are attempting to use startTLS on a connection that you have already started TLS/SSL on. The original connection is already a SSL connection: "conn=10 fd=68 slot=68 SSL connection". Then there is an attempt to startTLS on this connection: "conn=10 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"". If you want to use startTLS, you must do so on a non-encrypted connection.
> [...]

From ando at sys-net.it Fri Sep 7 15:32:09 2007
From: ando at sys-net.it (Pierangelo Masarati)
Date: Fri, 07 Sep 2007 17:32:09 +0200
Subject: [Fedora-directory-users] FDS and OpenLDAP integration
In-Reply-To: <46E160CC.8050401@redhat.com>
References: <0A175DA6-C6A6-4439-B840-FA4B039914D9@mfn.unipmn.it> <46E160CC.8050401@redhat.com>
Message-ID: <46E16EF9.1040907@sys-net.it>

Richard Megginson wrote:
>> I have seen that structuralobjectclass is not defined in the
>> attributes available in FDS.... how can I resolve the problem?
> I suggest adding an operational attribute called 'structuralObjectClass'
> to Fedora DS. Maybe you can just copy the definition of it from openldap.

Since the structuralObjectClass attribute is supposed to have a very special meaning for the DSA (RFC 4512), just adding it as a user attribute seems to me quite a broken approach. Provided you're running a decent version of OpenLDAP, you should be able to filter out undesired attributes from the replication process.
For example, in slapd.conf (from the slapd.conf(5) man page of OpenLDAP 2.3, but the feature has existed since OpenLDAP 2.1, I think)

    replica [...]
        attr!=structuralObjectClass

will prevent slurpd from replicating the negated attribute list.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati at sys-net.it
---------------------------------------

From ando at sys-net.it Fri Sep 7 16:20:20 2007
From: ando at sys-net.it (Pierangelo Masarati)
Date: Fri, 07 Sep 2007 18:20:20 +0200
Subject: [Fedora-directory-users] FDS and OpenLDAP integration
In-Reply-To: <46E16EF9.1040907@sys-net.it>
References: <0A175DA6-C6A6-4439-B840-FA4B039914D9@mfn.unipmn.it> <46E160CC.8050401@redhat.com> <46E16EF9.1040907@sys-net.it>
Message-ID: <46E17A44.8050708@sys-net.it>

Pierangelo Masarati wrote:
> Since the structuralObjectClass attribute is supposed to have a very
> special meaning for the DSA (RFC 4512), just adding it as a user
> attribute seems to me quite a broken approach. Provided you're running
> a decent version of OpenLDAP, you should be able to filter out undesired
> attributes from the replication process. For example, in slapd.conf
> (from the slapd.conf(5) man page of OpenLDAP 2.3, but the feature has existed
> since OpenLDAP 2.1, I think)
>
> replica [...]
>     attr!=structuralObjectClass
>
> will prevent slurpd from replicating the negated attribute list.

Just for the record: a custom patch in this sense was developed by SysNet back in the old times of OpenLDAP 2.0 exactly for the purpose of replicating an OpenLDAP server to a proprietary LDAP server that didn't like many operational attributes slurpd was willing to push in. It also provided partial subtree replication capabilities. A similar patch was prepared in the meanwhile by Symas and the two merged into OpenLDAP 2.1.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.

From rnappert at juniper.net Fri Sep 7 19:06:04 2007
From: rnappert at juniper.net (Reinhard Nappert)
Date: Fri, 7 Sep 2007 15:06:04 -0400
Subject: [Fedora-directory-users] MMR: Directory updates on same object
In-Reply-To: <3525C9833C09ED418C6FD6CD9514668C024C7FD7@emailwf1.jnpr.net>
References: <3525C9833C09ED418C6FD6CD9514668C024C7C19@emailwf1.jnpr.net> <46DEDFA8.7060307@redhat.com> <3525C9833C09ED418C6FD6CD9514668C024C7C2D@emailwf1.jnpr.net> <3525C9833C09ED418C6FD6CD9514668C024C7C7B@emailwf1.jnpr.net> <46E00CC7.90005@redhat.com> <3525C9833C09ED418C6FD6CD9514668C024C7FD7@emailwf1.jnpr.net>
Message-ID: <3525C9833C09ED418C6FD6CD9514668C024C8477@emailwf1.jnpr.net>

Richard,

Did you have a closer look at it and the test client? When you increase the pause between the adds/deletes it takes a much longer time to occur (even after days). It looks to me like some kind of memory leak. Should I open a bug for it? Let me know.

Thanks,
-Reinhard

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Reinhard Nappert
Sent: Thursday, September 06, 2007 12:35 PM
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] MMR: Directory updates on same object

Richard,

this is a java class, using jndi. The relevant methods are:

1.
    import java.util.Hashtable;

    import javax.naming.Context;
    import javax.naming.NameAlreadyBoundException;
    import javax.naming.NameNotFoundException;
    import javax.naming.NamingException;
    import javax.naming.directory.Attribute;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.BasicAttribute;
    import javax.naming.directory.BasicAttributes;
    import javax.naming.directory.InitialDirContext;

    // These methods live in a class that extends Thread and holds the fields
    // used below: ctx (the connected context) and start/stop (the loop bounds).

    public InitialDirContext connect(String host, int port) throws NamingException
    {
        InitialDirContext context = null;
        Hashtable environment = new Hashtable();
        environment.put( Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory" );
        environment.put( "java.naming.ldap.version", "3" );
        environment.put(Context.SECURITY_PRINCIPAL, "cn=Directory Manager");
        environment.put(Context.SECURITY_CREDENTIALS, "xxxxxx");
        environment.put(Context.SECURITY_AUTHENTICATION, "simple");

        // timeouts: the posted code set com.sun.jndi.dns.timeout.initial/retries,
        // which only the DNS provider reads; the LDAP provider's connect
        // timeout (milliseconds) is this property
        environment.put( "com.sun.jndi.ldap.connect.timeout", "2000" );

        environment.put( Context.PROVIDER_URL, "ldap://" + host + ":" + port+"/o=test" );

        context = new InitialDirContext( environment);
        System.out.println("Connected to " + host);

        return context;
    }

2.
    public void addEntry(InitialDirContext ctx) {

        // Create attributes to be associated with the new context
        Attributes attrs = new BasicAttributes(true); // case-ignore
        Attribute objclass = new BasicAttribute("objectclass");
        objclass.add("top");
        objclass.add("organizationalUnit");
        attrs.put(objclass);

        // Create the context
        Context result;
        try {
            result = ctx.createSubcontext("ou=test", attrs);
            result.close();
        } catch (NameAlreadyBoundException e) {
            // ignore
            // just log it .......
        } catch (NamingException e) {
            e.printStackTrace();
            this.destroy();
        }
    }

3.
    public void deleteEntry(InitialDirContext ctx) {

        // one try block with two handlers: the posted version had a stray
        // closing brace between the catches, which does not compile
        try {
            ctx.destroySubcontext("ou=test");
            //ctx.close();
        } catch (NameNotFoundException e) {
            // ignore
            // just log it .......
        } catch (NamingException e) {
            e.printStackTrace();
            // Thread.destroy() was never implemented by the JDK and throws
            // NoSuchMethodError, so this path ends the test abruptly
            this.destroy();
        }
    }

4. Start of the thread:
    // Note: this overrides Thread.start() rather than run(), so the loop
    // executes in the thread that calls start().
    public void start() {
        int counter = 0;

        for (int i = start; i < stop; i++) {
            try {
                addEntry(ctx);
                //....some kind of logging
                Thread.sleep(100);
                deleteEntry(ctx);
                //....some kind of logging
                Thread.sleep(50);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        //close context;
        try {
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }

Then, I just call this thread for my two masters (MasterOne and MasterTwo).

Of course, when I pause for a longer time between the add and delete, it takes longer until it happens.

Hope, this helps.
-Reinhard

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
Sent: Thursday, September 06, 2007 10:21 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] MMR: Directory updates on same object

Reinhard Nappert wrote:
> Richard,
>
> I attached the entire access and error log file of one Master
> (MasterOne) and the error file of the other (MasterTwo). You see that
> the last update through the client was conn=50 op=424 on MasterOne. In
> errors, you see that it still processed the operation conn=50 op=650.
>
> This time the crash happened on MasterOne.
>
Thanks. This is a very interesting test. You are generating replication conflicts:
[05/Sep/2007:13:15:40 -0400] conn=51 op=29 csn=46dee55f000200030000 - Naming conflict ADD. Renamed existing entry to nsuniqueid=99277847-1dd111b2-80dfcd7f-b7bc0000+ou=repltest

It looks as though you are repeatedly adding and deleting the same entry from both servers at the same time, which should be fine. Could you post your script that you use to generate these entries?
> Hope, this helps > -Reinhard > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of > Reinhard Nappert > Sent: Wednesday, September 05, 2007 1:06 PM > To: General discussion list for the Fedora Directory server project. > Subject: RE: [Fedora-directory-users] MMR: Directory updates on same > object > > Actually, I did use log level 8192. I saw that at some point the > access logs stopped generating entries for the updates, but errors > still had about 150 operations logged. I do not have those logs > anymore, but I can reproduce those in a while, when I am done with some other tests. > > I run those tests on a mixed environment (Solaris 9 and Linux) 32bit. > This happens on both boxes. I also have seen it on a pure Linux > environment. > > When I have the error logs, I will post them > > -Reinhard > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of > Richard Megginson > Sent: Wednesday, September 05, 2007 12:56 PM > To: General discussion list for the Fedora Directory server project. > Subject: Re: [Fedora-directory-users] MMR: Directory updates on same > object > > Reinhard Nappert wrote: > >> I have a working Multi-Master Replication setup with two masters >> (Fedora Directory Server 1.0.4). The setup works fine as long as I do >> not update the same object via both Masters. When the later happens >> (application driven), one of the Master crashes. This server does not >> generate a core dump, nor can I find any unusual in the access and >> error log files. I am pretty sure that it has to do something with >> the >> > > >> conflict resolution, but I am stuck now. >> >> Did anybody experience a similar behavior? >> >> > Can you reproduce the problem with the replication log level on? 
> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting > > What OS are you on? 32bit or 64bit? > >> Thanks, >> -Reinhard >> >> --------------------------------------------------------------------- >> - >> -- >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > ---------------------------------------------------------------------- > -- > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users From rmeggins at redhat.com Fri Sep 7 19:13:00 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 07 Sep 2007 13:13:00 -0600 Subject: [Fedora-directory-users] MMR: Directory updates on same object In-Reply-To: <3525C9833C09ED418C6FD6CD9514668C024C8477@emailwf1.jnpr.net> References: <3525C9833C09ED418C6FD6CD9514668C024C7C19@emailwf1.jnpr.net><46DEDFA8.7060307@redhat.com> <3525C9833C09ED418C6FD6CD9514668C024C7C2D@emailwf1.jnpr.net><3525C9833C09ED418C6FD6CD9514668C024C7C7B@emailwf1.jnpr.net><46E00CC7.90005@redhat.com> <3525C9833C09ED418C6FD6CD9514668C024C7FD7@emailwf1.jnpr.net> <3525C9833C09ED418C6FD6CD9514668C024C8477@emailwf1.jnpr.net> Message-ID: <46E1A2BC.8060703@redhat.com> Reinhard Nappert wrote: > Richard, > > Did you have a closer look at it and the test client. When you increases > the pause between the adds/deletes it takes a much longer time to occur > (even after days). It looks to me like some kind of memory leak. > > Should I open a bug for it? > Yes, please. > Let me know. 
> > Thanks, > -Reinhard > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Reinhard > Nappert > Sent: Thursday, September 06, 2007 12:35 PM > To: General discussion list for the Fedora Directory server project. > Subject: RE: [Fedora-directory-users] MMR: Directory updates on same > object > > Richard, this is a java class, using jndi. > > The relevant methods are: > 1. > public InitialDirContext connect(String host, int port) throws > NamingException > { > InitialDirContext context = null; > Hashtable environment = new Hashtable(); > environment.put( Context.INITIAL_CONTEXT_FACTORY, > "com.sun.jndi.ldap.LdapCtxFactory" ); > environment.put( "java.naming.ldap.version", "3" ); > environment.put(Context.SECURITY_PRINCIPAL, "cn=Directory > Manager"); > environment.put(Context.SECURITY_CREDENTIALS, "xxxxxx"); > environment.put(Context.SECURITY_AUTHENTICATION, "simple"); > > // timeouts > environment.put( "com.sun.jndi.dns.timeout.initial", "2000" ); > environment.put( "com.sun.jndi.dns.timeout.retries", "3" ); > > environment.put( Context.PROVIDER_URL, "ldap://" + host + ":" + > port+"/o=test" ); > > context = new InitialDirContext( environment); > System.out.println("Connected to " + host); > > return context; > > } > > 2. > public void addEntry(InitialDirContext ctx) { > > // Create attributes to be associated with the new context > Attributes attrs = new BasicAttributes(true); // case-ignore > Attribute objclass = new BasicAttribute("objectclass"); > objclass.add("top"); > objclass.add("organizationalUnit"); > attrs.put(objclass); > > // Create the context > Context result; > try { > result = ctx.createSubcontext("ou=test", attrs); > > result.close(); > } catch (NameAlreadyBoundException e) { > // ignore > // just logg it ....... > } catch (NamingException e) { > e.printStackTrace(); > this.destroy(); > } > } > > 3. 
> public void deleteEntry(InitialDirContext ctx) { > > try { > ctx.destroySubcontext("ou=test"); > //ctx.close(); > } catch (NameNotFoundException e) { > // ignore > // just logg it ....... > } > } catch (NamingException e) { > // TODO Auto-generated catch block > e.printStackTrace(); > this.destroy(); > } > } > > 4. Start of the thread: > public void start() { > int counter = 0; > > for (int i = start; i < stop; i++) { > try { > addEntry(ctx); > //....some kind of logging > this.sleep(100); > deleteEntry(ctx); > //....some kind of logging > this.sleep(50); > } catch (Exception e) { > e.printStackTrace(); > } > > } > //close context; > try { > ctx.close(); > } catch (NamingException e) { > e.printStackTrace(); > } > } > > Then, I just call this thread for my two masters (MasterOne and > MasterTwo). > > Of course, when I pause for a longer time between the add and delete, it > takes longer that it happens. > > Hope, this helps. > -Reinhard > > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard > Megginson > Sent: Thursday, September 06, 2007 10:21 AM > To: General discussion list for the Fedora Directory server project. > Subject: Re: [Fedora-directory-users] MMR: Directory updates on same > object > > Reinhard Nappert wrote: > >> Richard, >> >> I attached the entire access and error log file of one Master >> (MasterOne) and the error file of the other (MasterTwo). You see that >> the last update through the client was conn=50 op=424 on MasterOne. In >> > > >> errors, you see that it still processed the operation conn=50 op=650. >> >> This time the crash happened on MasterOne. >> >> > Thanks. This is a very interesting test. You are generating > replication conflicts: > [05/Sep/2007:13:15:40 -0400] conn=51 op=29 csn=46dee55f000200030000 - > Naming conflict ADD. 
Renamed existing entry to > nsuniqueid=99277847-1dd111b2-80dfcd7f-b7bc0000+ou=repltest > > It looks as though you are repeatedly adding and deleting the same entry > from both servers at the same time, which should be fine. Could you > post your script that you use to generate these entries? > > >> Hope, this helps >> -Reinhard >> >> -----Original Message----- >> From: fedora-directory-users-bounces at redhat.com >> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of >> Reinhard Nappert >> Sent: Wednesday, September 05, 2007 1:06 PM >> To: General discussion list for the Fedora Directory server project. >> Subject: RE: [Fedora-directory-users] MMR: Directory updates on same >> object >> >> Actually, I did use log level 8192. I saw that at some point the >> access logs stopped generating entries for the updates, but errors >> still had about 150 operations logged. I do not have those logs >> anymore, but I can reproduce those in a while, when I am done with >> > some other tests. > >> I run those tests on a mixed environment (Solaris 9 and Linux) 32bit. >> This happens on both boxes. I also have seen it on a pure Linux >> environment. >> >> When I have the error logs, I will post them >> >> -Reinhard >> >> -----Original Message----- >> From: fedora-directory-users-bounces at redhat.com >> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of >> Richard Megginson >> Sent: Wednesday, September 05, 2007 12:56 PM >> To: General discussion list for the Fedora Directory server project. >> Subject: Re: [Fedora-directory-users] MMR: Directory updates on same >> object >> >> Reinhard Nappert wrote: >> >> >>> I have a working Multi-Master Replication setup with two masters >>> (Fedora Directory Server 1.0.4). The setup works fine as long as I do >>> > > >>> not update the same object via both Masters. When the later happens >>> (application driven), one of the Master crashes. 
This server does not >>> > > >>> generate a core dump, nor can I find any unusual in the access and >>> error log files. I am pretty sure that it has to do something with >>> the >>> >>> >> >> >>> conflict resolution, but I am stuck now. >>> >>> Did anybody experience a similar behavior? >>> >>> >>> >> Can you reproduce the problem with the replication log level on? >> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting >> >> What OS are you on? 32bit or 64bit? >> >> >>> Thanks, >>> -Reinhard >>> >>> --------------------------------------------------------------------- >>> - >>> -- >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >>> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> ---------------------------------------------------------------------- >> -- >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From Steven.Jones at vuw.ac.nz Mon Sep 10 01:43:57 2007 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 10 Sep 2007 13:43:57 +1200 Subject: [Fedora-directory-users] ssh login fail Message-ID: Hi, I am trying to get a RHEL4 box to LDAP authenticate against FDS (also on RHEL4) and failing..... 
In the logs (messages) I have, Sep 10 13:30:52 vuwunicvfwall02 sshd(pam_unix)[2284]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vuwunicvadmin02.res.vuw.ac.nz user=jonesst1 Sep 10 13:30:52 vuwunicvfwall02 sshd[2284]: pam_ldap: ldap_simple_bind Can't contact LDAP server Sep 10 13:30:52 vuwunicvfwall02 sshd[2284]: pam_ldap: ldap_simple_bind Can't contact LDAP server Sep 10 13:31:05 vuwunicvfwall02 sshd(pam_unix)[2284]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=vuwunicvadmin02.res.vuw.ac.nz user=jonesst1 Any ideas why? And how to fix? Also is there a way to search the archive for this list? When I do a, ldapsearch -x -h 130.195.87.249 -b dc=vuw,dc=ac,dc=nz "(ou=Users)" The server replies so FDS appears to be running OK.... Also is there a way to search the archive for this list? I have tried Googling with no luck... regards Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272 -------------- next part -------------- An HTML attachment was scrubbed... URL: From Steven.Jones at vuw.ac.nz Mon Sep 10 02:51:09 2007 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 10 Sep 2007 14:51:09 +1200 Subject: [Fedora-directory-users] ssh login fail In-Reply-To: Message-ID: Oh and I get the same failure when trying to get Debian etch to connect, so I am assuming there is something on the FDS that is wrong, or not as yet setup, rather than a client side issue.... Firewall is off.... Hosts.allow is ALL:ALL Ldapsearch returns OK....so a pam issue in some form....maybe regards Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272 ________________________________ From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Steven Jones Sent: Monday, 10 September 2007 1:44 p.m. 
To: fedora-directory-users at redhat.com Subject: [Fedora-directory-users] ssh login fail Hi, I am trying to get a RHEL4 box to LDAP authenticate against FDS (also on RHEL4) and failing..... In the logs (messages) I have, Sep 10 13:30:52 vuwunicvfwall02 sshd(pam_unix)[2284]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vuwunicvadmin02.res.vuw.ac.nz user=jonesst1 Sep 10 13:30:52 vuwunicvfwall02 sshd[2284]: pam_ldap: ldap_simple_bind Can't contact LDAP server Sep 10 13:30:52 vuwunicvfwall02 sshd[2284]: pam_ldap: ldap_simple_bind Can't contact LDAP server Sep 10 13:31:05 vuwunicvfwall02 sshd(pam_unix)[2284]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=vuwunicvadmin02.res.vuw.ac.nz user=jonesst1 Any ideas why? And how to fix? Also is there a way to search the archive for this list? When I do a, ldapsearch -x -h 130.195.87.249 -b dc=vuw,dc=ac,dc=nz "(ou=Users)" The server replies so FDS appears to be running OK.... Also is there a way to search the archive for this list? I have tried Googling with no luck... regards Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272 -------------- next part -------------- An HTML attachment was scrubbed... 
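An added check, not part of Steven's message and not code from FDS or pam_ldap: on RHEL4, pam_ldap takes its server, base and TLS settings from the client's /etc/ldap.conf (the same file nss_ldap reads), so the first comparison to make is between what that file says and the hand-typed ldapsearch that succeeded. The script below parses such a file, builds the ldapsearch invocation that mirrors pam_ldap's settings, and lists the differences from a working `ldapsearch -x -h <ip>`. The configuration contents, the hostname ldap.example.test and the CA path are constructed for the example.

```python
"""Added example: compare what pam_ldap will do (per /etc/ldap.conf) with a
hand-typed ldapsearch that works.  The sample configuration is constructed."""
import shlex

# Constructed stand-in for the client's /etc/ldap.conf (the file pam_ldap and
# nss_ldap read on RHEL4).  Keyword names follow ldap.conf(5) of those libraries.
SAMPLE_LDAP_CONF = """\
# /etc/ldap.conf -- constructed for this example
host ldap.example.test
base dc=vuw,dc=ac,dc=nz
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca.crt
pam_password md5
"""


def parse_ldap_conf(text):
    """Return {keyword: value}; a later line overrides an earlier one, as pam_ldap does."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def equivalent_ldapsearch(settings):
    """Build the ldapsearch argv that connects the way pam_ldap would with these settings."""
    ssl = settings.get("ssl", "no").lower()
    argv = ["ldapsearch", "-x"]
    if "uri" in settings:
        argv += ["-H", settings["uri"].split()[0]]
    else:
        host = settings.get("host", "localhost").split()[0]   # first of a space-separated list
        scheme = "ldaps" if ssl in ("yes", "on") else "ldap"
        port = settings.get("port") or ("636" if scheme == "ldaps" else "389")
        argv += ["-H", "%s://%s:%s" % (scheme, host, port)]
    if ssl == "start_tls":
        argv.append("-ZZ")          # pam_ldap requires StartTLS to succeed, so does this test
    if settings.get("binddn"):
        argv += ["-D", settings["binddn"], "-w", settings.get("bindpw", "")]
    argv += ["-b", settings.get("base", ""), "-s", "base", "(objectclass=*)"]
    return argv


def diagnose(settings, working_host):
    """List reasons pam_ldap may report "Can't contact LDAP server" while a plain
    `ldapsearch -x -h working_host` from the same box succeeds."""
    findings = []
    ssl = settings.get("ssl", "no").lower()
    target = settings.get("uri") or settings.get("host", "localhost")
    if working_host not in target:
        findings.append("pam_ldap connects to %r but the working test used %r; "
                        "check that the name resolves on the client" % (target, working_host))
    if ssl in ("yes", "on", "start_tls"):
        findings.append("ssl=%s: the working test was plaintext; a failed TLS handshake "
                        "or CA check commonly surfaces from pam_ldap as "
                        "'Can't contact LDAP server'" % ssl)
        if settings.get("tls_checkpeer", "").lower() == "yes" and not (
                settings.get("tls_cacertfile") or settings.get("tls_cacertdir")):
            findings.append("tls_checkpeer yes but no tls_cacertfile/tls_cacertdir is set")
    if settings.get("port") and settings["port"] not in ("389", "636"):
        findings.append("non-default port %s; repeat ldapsearch with -p %s"
                        % (settings["port"], settings["port"]))
    return findings


if __name__ == "__main__":
    conf = parse_ldap_conf(SAMPLE_LDAP_CONF)
    print("pam_ldap-equivalent test: "
          + " ".join(shlex.quote(a) for a in equivalent_ldapsearch(conf)))
    for line in diagnose(conf, "130.195.87.249"):
        print("- " + line)
```

Run it against the real /etc/ldap.conf (read the file instead of SAMPLE_LDAP_CONF) and then execute the printed ldapsearch as the same user sshd runs as; if that command fails where the plain one worked, the difference it flags is the place to look.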
From matteo.angelino at mfn.unipmn.it Mon Sep 10 13:43:24 2007
From: matteo.angelino at mfn.unipmn.it (Matteo Angelino)
Date: Mon, 10 Sep 2007 15:43:24 +0200
Subject: [Fedora-directory-users] FDS and OpenLDAP integration
In-Reply-To: <46E17A44.8050708@sys-net.it>
References: <0A175DA6-C6A6-4439-B840-FA4B039914D9@mfn.unipmn.it> <46E160CC.8050401@redhat.com> <46E16EF9.1040907@sys-net.it> <46E17A44.8050708@sys-net.it>
Message-ID: <4332FDA6-AEDB-48E9-856E-232413A6312E@mfn.unipmn.it>

Thanks. I have used the first solution; I have added the following line in my slapd.conf

attr!=structuralObjectClass

I have added other two lines in my slapd.conf

attr!=entryUUID
attr!=entryCSN

With these 3 lines the replication works fine.

On Sep 7, 2007, at 6:20 PM, Pierangelo Masarati wrote:

> Pierangelo Masarati wrote:
>
>> Since the structuralObjectClass attribute is supposed to have a
>> very special meaning for the DSA (RFC 4512), just adding it as a
>> user attribute seems to me quite a broken approach. Provided
>> you're running a decent version of OpenLDAP, you should be able to
>> filter out undesired attributes from the replication process. For
>> example, in slapd.conf (from slapd.conf(5) man page of OpenLDAP
>> 2.3, but the feature exists since OpenLDAP 2.1, I think)
>> replica [...]
>> attr!=structuralObjectClass
>> will prevent slurpd from replicating the negated attribute list.
>
> Just for the records: a custom patch in this sense was developed by
> SysNet back in the old times of OpenLDAP 2.0 exactly for the
> purpose of replicating an OpenLDAP server to a proprietary LDAP
> server that didn't like many operational attributes slurpd was
> willing to push in. It also provided partial subtree replication
> capabilities.
>
> A similar patch was prepared in the meanwhile by Symas and the two
> merged into OpenLDAP 2.1.
>
> p.
>
>
>
> Ing. Pierangelo Masarati
> OpenLDAP Core Team
>
> SysNet s.r.l.
> via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> ---------------------------------------
> Office: +39 02 23998309
> Mobile: +39 333 4963172
> Email: pierangelo.masarati at sys-net.it
> ---------------------------------------
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--------------------------------------------------------------
Matteo Angelino
Dipartimento di Informatica
Via Bellini 25\G
15100 Alessandria
ITALY
Tel: +39 0131 360375
Email: matteo.angelino at mfn.unipmn.it
--------------------------------------------------------------

From peters at psinergybbs.com Mon Sep 10 13:31:38 2007
From: peters at psinergybbs.com (Peter Santiago)
Date: Mon, 10 Sep 2007 21:31:38 +0800
Subject: [Fedora-directory-users] Active directory users sync with Fedora DS
Message-ID: <20070910213138.l8gdn459ko0c0c44@webmail.psinergybbs.com>

Hi everyone,

Among the features of Fedora DS that interest me is the Active Directory user and group synchronization. However I still haven't found any documentation that could help in making use of this feature. Can someone point out how to implement this, especially syncing users from ADS to a newly installed FDS.

Thanks,

--
Peter Santiago         peters at psinergybbs.com
My website:            www.psinergybbs.com
My spamtrap address:   r34987y at psinergybbs.com

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3051 bytes
Desc: S/MIME Cryptographic Signature
URL:

From myacc at roundbox.com Mon Sep 10 14:55:56 2007
From: myacc at roundbox.com (FDS User)
Date: Mon, 10 Sep 2007 10:55:56 -0400
Subject: [Fedora-directory-users] Password Expiration Warning notification
Message-ID: <20070910145634.5070C7405E3@mailman.roundbox.com>

Is there an option in FDS for a password expiration warning message to go out via email?

We have a few applications that use FDS but none reports about the password expiration.

SSH displays the warning but there are users who don't use ssh.

Any help is highly appreciated.

Thanks much.

CONFIDENTIALITY NOTICE: This email message and any attachments contain proprietary and privileged information of Roundbox, Inc., which are provided for the sole and confidential use of the intended recipients. Any review, use, disclosure or distribution of this information is restricted and must comply with the nondisclosure agreement between Roundbox, Inc. and you (or your company). All other uses are prohibited. If you are not an intended recipient, please contact the sender by reply email and promptly delete and otherwise destroy all copies of the message and its attachments.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From srigler at marathonoil.com Mon Sep 10 15:08:16 2007
From: srigler at marathonoil.com (Steve Rigler)
Date: Mon, 10 Sep 2007 10:08:16 -0500
Subject: [Fedora-directory-users] Password Expiration Warning notification
In-Reply-To: <20070910145634.5070C7405E3@mailman.roundbox.com>
References: <20070910145634.5070C7405E3@mailman.roundbox.com>
Message-ID: <1189436896.22425.8.camel@houuc8>

On Mon, 2007-09-10 at 10:55 -0400, FDS User wrote:
> Is there an option in FDS for a password expiration warning message to
> go out via email?
>
> We have a few applications that use FDS but none reports about the
> password expiration.
>
> SSH displays the warning but there are users who don't use ssh.
>
> Any help is highly appreciated.
>
>
>
> Thanks much.

We run a script nightly via cron that handles this.

-Steve

From rmeggins at redhat.com Mon Sep 10 15:16:15 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 10 Sep 2007 09:16:15 -0600
Subject: [Fedora-directory-users] Password Expiration Warning notification
In-Reply-To: <20070910145634.5070C7405E3@mailman.roundbox.com>
References: <20070910145634.5070C7405E3@mailman.roundbox.com>
Message-ID: <46E55FBF.40503@redhat.com>

FDS User wrote:
>
> Is there an option in FDS for a password expiration warning message to
> go out via email?
>
No. Probably the easiest way to do it would be to write a cronjob that periodically searches the directory server for about-to-expire passwords and sends out email.
>
> We have a few applications that use FDS but none reports about the
> password expiration.
>
> SSH displays the warning but there are users who don't use ssh.
>
> Any help is highly appreciated.
>
> Thanks much.
>
>
> CONFIDENTIALITY NOTICE: This email message and any attachments contain
> proprietary and privileged information of Roundbox, Inc., which are
> provided for the sole and confidential use of the intended recipients.
> Any review, use, disclosure or distribution of this information is
> restricted and must comply with the nondisclosure agreement between
> Roundbox, Inc. and you (or your company). All other uses are
> prohibited. If you are not an intended recipient, please contact the
> sender by reply email and promptly delete and otherwise destroy all
> copies of the message and its attachments.
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
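The cron job Richard describes, written out as an added example that is not code from the thread or from Fedora DS: it reads the LDIF that ldapsearch prints for entries carrying passwordExpirationTime (the GeneralizedTime attribute FDS sets on an account when its password is changed), does the date comparison on the client so it does not depend on server-side ordering matches, and drafts one e-mail per account that expires inside the warning window. The LDIF, the addresses, the base DN and the reference time DEMO_NOW are constructed; the sentinel 20380119031407Z is the value FDS writes when a password never expires, which is why those entries are skipped. The bind password is read from a file with -y rather than passed on the command line, so it does not show up in ps.

```python
"""Added example (not from the thread or from Fedora DS): nightly cron job that
warns users whose directory password is about to expire.  Sample data constructed."""
import base64
import datetime
import smtplib
import subprocess
from email.message import EmailMessage

NEVER_EXPIRES = "20380119031407Z"   # value FDS writes when the policy has no expiry
DEMO_NOW = datetime.datetime(2007, 9, 10, 15, 0, 0, tzinfo=datetime.timezone.utc)

# Constructed stand-in for `ldapsearch -LLL` output; bob's mail is base64 ('::').
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=test
uid: alice
mail: alice@example.test
passwordExpirationTime: 20070913090000Z

dn: uid=bob,ou=People,dc=example,dc=test
uid: bob
mail:: Ym9iQGV4YW1wbGUudGVzdA==
passwordExpirationTime: 20071015090000Z

dn: uid=carol,ou=People,dc=example,dc=test
uid: carol
mail: carol@example.test
passwordExpirationTime: 20070901090000Z

dn: uid=svc-backup,ou=People,dc=example,dc=test
uid: svc-backup
passwordExpirationTime: 20380119031407Z
"""


def fetch_ldif(host, base, binddn, passfile):
    """Ask the server for exactly the attributes needed.  passwordExpirationTime is
    requested by name, and the bind identity must be allowed to read it."""
    cmd = ["ldapsearch", "-x", "-LLL", "-H", "ldap://%s" % host,
           "-D", binddn, "-y", passfile,           # -y keeps the password out of ps
           "-b", base, "(&(objectclass=person)(passwordExpirationTime=*))",
           "uid", "mail", "passwordExpirationTime"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64 values,
    lower-cases attribute names and keeps every value in a list."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:                   # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = {}
        current.setdefault(name.lower(), []).append(value)
    return entries


def parse_gentime(value):
    """FDS stores passwordExpirationTime as GeneralizedTime in UTC (YYYYmmddHHMMSSZ)."""
    return datetime.datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(
        tzinfo=datetime.timezone.utc)


def expiring_accounts(entries, now, warn_days):
    """Split accounts into (to_warn, already_expired, expiring_but_no_mail)."""
    to_warn, expired, no_mail = [], [], []
    for entry in entries:
        raw = entry.get("passwordexpirationtime", [""])[0]
        if not raw or raw >= NEVER_EXPIRES:     # fixed-width strings compare as dates
            continue
        days_left = (parse_gentime(raw) - now).total_seconds() / 86400
        uid = entry.get("uid", ["?"])[0]
        if days_left < 0:
            expired.append(uid)
        elif days_left <= warn_days:
            mail = entry.get("mail", [None])[0]
            if mail is None:
                no_mail.append(uid)
            else:
                to_warn.append((uid, mail, int(days_left)))
    return to_warn, expired, no_mail


def build_warning(uid, mail, days_left, sender="ldap-admin@example.test"):
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, mail
    msg["Subject"] = "Your directory password expires in %d day(s)" % days_left
    msg.set_content("Hello %s,\n\nyour directory password expires in %d day(s). "
                    "Please change it before then.\n" % (uid, days_left))
    return msg


def send_all(messages, smtp_host="localhost"):
    with smtplib.SMTP(smtp_host) as smtp:
        for msg in messages:
            smtp.send_message(msg)


if __name__ == "__main__":
    # In cron: text = fetch_ldif("ldap.example.test", "ou=People,dc=example,dc=test",
    #                            "cn=Directory Manager", "/etc/ldap-warn.pw")
    to_warn, expired, no_mail = expiring_accounts(parse_ldif(SAMPLE_LDIF), DEMO_NOW, 7)
    for msg in (build_warning(*w) for w in to_warn):
        print(msg)                              # replace with send_all([...]) in cron
    print("expired:", expired, "no mail attribute:", no_mail)
```

The warning window should match the server's passwordWarning setting so users get the same number of days from mail as they do from the SSH banner; accounts listed under no_mail are the ones the job cannot reach and are worth a separate report to the helpdesk.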
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Mon Sep 10 15:28:00 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 10 Sep 2007 09:28:00 -0600 Subject: [Fedora-directory-users] FDS and OpenLDAP integration In-Reply-To: <4332FDA6-AEDB-48E9-856E-232413A6312E@mfn.unipmn.it> References: <0A175DA6-C6A6-4439-B840-FA4B039914D9@mfn.unipmn.it> <46E160CC.8050401@redhat.com> <46E16EF9.1040907@sys-net.it> <46E17A44.8050708@sys-net.it> <4332FDA6-AEDB-48E9-856E-232413A6312E@mfn.unipmn.it> Message-ID: <46E56280.3000406@redhat.com> Matteo Angelino wrote: > Thank's > I have used the first solution, I hv added the followin line in my > slapd.conf > > attr!=structuralObjectClass > > I have added othe two line in my slapd.conf > > attr!=entryUUID > attr!=entryCSN > > with this 3 line the replication work fine. Great! I've added this information here - http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration > > On Sep 7, 2007, at 6:20 PM, Pierangelo Masarati wrote: > >> Pierangelo Masarati wrote: >> >>> Since the structuralObjectClass attribute is supposed to have a very >>> special meaning for the DSA (RFC 4512), just adding it as a user >>> attribute seems to me quite a broken approach. Provided you're >>> running a decent version of OpenLDAP, you should be able to filter >>> out undesired attributes from the replication process. For example, >>> in slapd.conf (from slapd.conf(5) man page of OpenLDAP 2.3, but the >>> feature exists since OpenLDAP 2.1, I think) >>> replica [...] >>> attr!=structuralObjectClass >>> will prevent slurpd from replicating the negated attribute list. >> >> Just for the records: a custom patch in this sense was developed by >> SysNet back in the old times of OpenLDAP 2.0 exactly for the purpose >> of replicating an OpenLDAP server to a proprietary LDAP server that >> didn't like many operational attributes slurpd was willing to push >> in. 
It also provided partial subtree replication capabilities. >> >> A similar patch was prepared in the meanwhile by Symas and the two >> merged into OpenLDAP 2.1. >> >> p. >> >> >> >> Ing. Pierangelo Masarati >> OpenLDAP Core Team >> >> SysNet s.r.l. >> via Dossi, 8 - 27100 Pavia - ITALIA >> http://www.sys-net.it >> --------------------------------------- >> Office: +39 02 23998309 >> Mobile: +39 333 4963172 >> Email: pierangelo.masarati at sys-net.it >> --------------------------------------- >> >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------------------------------------------------------- > Matteo Angelino > Dipartimento di Informatica > Via Bellini 25\G > 15100 Alessandria > ITALY > Tel: +39 0131 360375 > Email: matteo.angelino at mfn.unipmn.it > -------------------------------------------------------------- > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Mon Sep 10 15:29:08 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 10 Sep 2007 09:29:08 -0600 Subject: [Fedora-directory-users] Active directory users sync with Fedora DS In-Reply-To: <20070910213138.l8gdn459ko0c0c44@webmail.psinergybbs.com> References: <20070910213138.l8gdn459ko0c0c44@webmail.psinergybbs.com> Message-ID: <46E562C4.7070700@redhat.com> Peter Santiago wrote: > > Hi everyone, > > Among the features of Fedora DS that interest me is the Active > Directory user and group synchronization. > > However I still haven't found any documentation that could help in > making use of this feature. 
>
> Can someone point out how to implement this especially syncing users
> from ADS to a newly installed FDS.
>
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2836267
and
http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>
> Thanks,
>
> --
> Peter Santiago peters at psinergybbs.com
> My website: www.psinergybbs.com
> My spamtrap address: r34987y at psinergybbs.com
>
>
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rmeggins at redhat.com Mon Sep 10 15:31:15 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 10 Sep 2007 09:31:15 -0600
Subject: [Fedora-directory-users] ssh login fail
In-Reply-To:
References:
Message-ID: <46E56343.9000503@redhat.com>

Steven Jones wrote:
>
> Hi,
>
> I am trying to get a RHEL4 box to LDAP authenticate against FDS (also
> on RHEL4) and failing...
>
> In the logs (messages) I have,
>
> Sep 10 13:30:52 vuwunicvfwall02 sshd(pam_unix)[2284]: authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=vuwunicvadmin02.res.vuw.ac.nz user=jonesst1
>
> Sep 10 13:30:52 vuwunicvfwall02 sshd[2284]: pam_ldap: ldap_simple_bind
> Can't contact LDAP server
>
> Sep 10 13:30:52 vuwunicvfwall02 sshd[2284]: pam_ldap: ldap_simple_bind
> Can't contact LDAP server
>
> Sep 10 13:31:05 vuwunicvfwall02 sshd(pam_unix)[2284]: 2 more
> authentication failures; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=vuwunicvadmin02.res.vuw.ac.nz user=jonesst1
>
> Any ideas why? And how to fix? Also is there a way to search the
> archive for this list?
>
Have you seen this: http://directory.fedoraproject.org/wiki/Howto:PAM - search for ssh
>
> When I do a,
>
> ldapsearch -x -h 130.195.87.249 -b dc=vuw,dc=ac,dc=nz "(ou=Users)"
>
> The server replies so FDS appears to be running OK...
>
> Also is there a way to search the archive for this list? I have tried
> Googling with no luck...
>
> regards
>
> Steven Jones
> Senior Linux/Unix/San/Vmware System Administrator
> APG -Technology Integration Team
> Victoria University of Wellington
> Phone: +64 4 463 6272
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From ando at sys-net.it Mon Sep 10 15:33:25 2007
From: ando at sys-net.it (Pierangelo Masarati)
Date: Mon, 10 Sep 2007 17:33:25 +0200
Subject: [Fedora-directory-users] FDS and OpenLDAP integration
In-Reply-To: <46E56280.3000406@redhat.com>
References: <0A175DA6-C6A6-4439-B840-FA4B039914D9@mfn.unipmn.it> <46E160CC.8050401@redhat.com> <46E16EF9.1040907@sys-net.it> <46E17A44.8050708@sys-net.it> <4332FDA6-AEDB-48E9-856E-232413A6312E@mfn.unipmn.it> <46E56280.3000406@redhat.com>
Message-ID: <46E563C5.6040900@sys-net.it>

Richard Megginson wrote:
> Great! I've added this information here -
> http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration

Rich, I've cleaned up that entry, please check.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati at sys-net.it
---------------------------------------

From rmeggins at redhat.com  Mon Sep 10 16:20:36 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 10 Sep 2007 10:20:36 -0600
Subject: [Fedora-directory-users] FDS and OpenLDAP integration
In-Reply-To: <46E563C5.6040900@sys-net.it>
References: <0A175DA6-C6A6-4439-B840-FA4B039914D9@mfn.unipmn.it> <46E160CC.8050401@redhat.com> <46E16EF9.1040907@sys-net.it> <46E17A44.8050708@sys-net.it> <4332FDA6-AEDB-48E9-856E-232413A6312E@mfn.unipmn.it> <46E56280.3000406@redhat.com> <46E563C5.6040900@sys-net.it>
Message-ID: <46E56ED4.2030305@redhat.com>

Pierangelo Masarati wrote:
> Richard Megginson wrote:
>
>> Great! I've added this information here -
>> http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration
>
> Rich, I've cleaned up that entry, please check.
Excellent.  Thanks!
>
> p.
>
> Ing. Pierangelo Masarati
> OpenLDAP Core Team
>
> SysNet s.r.l.
> via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> ---------------------------------------
> Office:  +39 02 23998309
> Mobile:  +39 333 4963172
> Email:   pierangelo.masarati at sys-net.it
> ---------------------------------------

From Steven.Jones at vuw.ac.nz  Mon Sep 10 20:31:21 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 11 Sep 2007 08:31:21 +1200
Subject: [Fedora-directory-users] ssh login fail
In-Reply-To: <46E56343.9000503@redhat.com>
Message-ID:

Yes.

Thanks, I have this page bookmarked.
Content looks identical to what I have...I have spent days on this
googling with no joy.

Since a Debian LDAP client also does not work I suspect it is a server
side FDS mis-configuration and not client side, but I could be wrong.
Previously I had a Debian Openldap setup working and that was fine. So
it looks like something is missing/broken in FDS.

I find it interesting that yours is the only reply for what I assume is
a default type of problem....suggests a poor likelihood of the product
being supportable long term....

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
Sent: Tuesday, 11 September 2007 3:31 a.m.
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] ssh login fail

Steven Jones wrote:
>
> Hi,
>
> I am trying to get a RHEL4 box to LDAP authenticate against FDS (also
> on RHEL4) and failing.....
>
> In the logs (messages) I have,
>
> Sep 10 13:30:52 vuwunicvfwall02 sshd(pam_unix)[2284]: authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=vuwunicvadmin02.res.vuw.ac.nz user=jonesst1
>
> Sep 10 13:30:52 vuwunicvfwall02 sshd[2284]: pam_ldap: ldap_simple_bind
> Can't contact LDAP server
>
> Sep 10 13:30:52 vuwunicvfwall02 sshd[2284]: pam_ldap: ldap_simple_bind
> Can't contact LDAP server
>
> Sep 10 13:31:05 vuwunicvfwall02 sshd(pam_unix)[2284]: 2 more
> authentication failures; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=vuwunicvadmin02.res.vuw.ac.nz user=jonesst1
>
> Any ideas why? And how to fix? Also is there a way to search the
> archive for this list?
>
Have you seen this: http://directory.fedoraproject.org/wiki/Howto:PAM -
search for ssh
>
> When I do a,
>
> ldapsearch -x -h 130.195.87.249 -b dc=vuw,dc=ac,dc=nz "(ou=Users)"
>
> The server replies so FDS appears to be running OK....
>
> Also is there a way to search the archive for this list? I have tried
> Googling with no luck...
>
> regards
>
> Steven Jones
> Senior Linux/Unix/San/Vmware System Administrator
> APG -Technology Integration Team
> Victoria University of Wellington
> Phone: +64 4 463 6272
>
> ------------------------------------------------------------------------
>

From Steven.Jones at vuw.ac.nz  Mon Sep 10 20:35:44 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 11 Sep 2007 08:35:44 +1200
Subject: [Fedora-directory-users] Active directory users sync with FedoraDS
In-Reply-To: <46E562C4.7070700@redhat.com>
Message-ID:

Hi,

This would be one of my wants, but to be honest from what I can see
looking at an AD addon such as Centrify looks to be a better solution
than trying to use LDAP and get the data to copy/sync over.

I certainly would not bother with Sun's SDEE product unless you are on
Solaris and possibly Windows, as Linux support is non-existent.

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
Sent: Tuesday, 11 September 2007 3:29 a.m.
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Active directory users sync with FedoraDS

Peter Santiago wrote:
>
> Hi everyone,
>
> Among the features of Fedora DS that interest me is the Active
> Directory user and group synchronization.
>
> However I still haven't found any documentation that could help in
> making use of this feature.
>
> Can someone point out how to implement this especially syncing users
> from ADS to a newly installed FDS.
>
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2836267 and
http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>
> Thanks,
>
> --
> Peter Santiago peters at psinergybbs.com
> My website: www.psinergybbs.com
> My spamtrap address: r34987y at psinergybbs.com
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
> ------------------------------------------------------------------------
>

From scott.ding at autodesk.com  Mon Sep 10 20:38:11 2007
From: scott.ding at autodesk.com (Scott Ding)
Date: Mon, 10 Sep 2007 13:38:11 -0700
Subject: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris 10?
Message-ID:

Has anyone built Fedora DS 1.0.4 on Solaris 10 (SPARC 32bit)?

From Steven.Jones at vuw.ac.nz  Mon Sep 10 20:43:12 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 11 Sep 2007 08:43:12 +1200
Subject: [Fedora-directory-users] ssh login fail
In-Reply-To:
Message-ID:

Is this the correct rpm to use on RHAS4-32bit-U5?

fedora-ds-1.0.4-1.RHEL4.i386.opt.rpm

Are there any dependencies on the server and clients not installed by
default? I have everything installed that I can see documented but it's
possible I have missed something, or there is an un-documented change as
version upgrade.
How practical is it to rip out any RHAS4 ldap client modules software
and install Fedora ones?

Are there different password hash mechanisms between versions? If so how
do I check for these?

These might seem odd Q's but I'm kinda desperate as to why I cannot get
the system working....

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Steven Jones
Sent: Tuesday, 11 September 2007 8:31 a.m.
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] ssh login fail

Yes.

Thanks, I have this page bookmarked.

Content looks identical to what I have...I have spent days on this
googling with no joy.

Since a Debian LDAP client also does not work I suspect it is a server
side FDS mis-configuration and not client side, but I could be wrong.
Previously I had a Debian Openldap setup working and that was fine. So
it looks like something is missing/broken in FDS.

I find it interesting that yours is the only reply for what I assume is
a default type of problem....suggests a poor likelihood of the product
being supportable long term....

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
Sent: Tuesday, 11 September 2007 3:31 a.m.
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] ssh login fail

Steven Jones wrote:
>
> Hi,
>
> I am trying to get a RHEL4 box to LDAP authenticate against FDS (also
> on RHEL4) and failing.....
>
> In the logs (messages) I have,
>
> Sep 10 13:30:52 vuwunicvfwall02 sshd(pam_unix)[2284]: authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=vuwunicvadmin02.res.vuw.ac.nz user=jonesst1
>
> Sep 10 13:30:52 vuwunicvfwall02 sshd[2284]: pam_ldap: ldap_simple_bind
> Can't contact LDAP server
>
> Sep 10 13:30:52 vuwunicvfwall02 sshd[2284]: pam_ldap: ldap_simple_bind
> Can't contact LDAP server
>
> Sep 10 13:31:05 vuwunicvfwall02 sshd(pam_unix)[2284]: 2 more
> authentication failures; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=vuwunicvadmin02.res.vuw.ac.nz user=jonesst1
>
> Any ideas why? And how to fix? Also is there a way to search the
> archive for this list?
>
Have you seen this: http://directory.fedoraproject.org/wiki/Howto:PAM -
search for ssh
>
> When I do a,
>
> ldapsearch -x -h 130.195.87.249 -b dc=vuw,dc=ac,dc=nz "(ou=Users)"
>
> The server replies so FDS appears to be running OK....
>
> Also is there a way to search the archive for this list? I have tried
> Googling with no luck...
>
> regards
>
> Steven Jones
> Senior Linux/Unix/San/Vmware System Administrator
> APG -Technology Integration Team
> Victoria University of Wellington
> Phone: +64 4 463 6272
>
> ------------------------------------------------------------------------
>

From rmeggins at redhat.com  Mon Sep 10 20:43:46 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 10 Sep 2007 14:43:46 -0600
Subject: [Fedora-directory-users] ssh login fail
In-Reply-To:
References:
Message-ID: <46E5AC82.3050103@redhat.com>

Steven Jones wrote:
> Yes.
>
> Thanks, I have this page bookmarked.
>
> Content looks identical to what I have...I have spent days on this
> googling with no joy.
>
> Since a Debian LDAP client also does not work I suspect it is a server
> side FDS mis-configuration and not client side, but I could be wrong.
> Previously I had a Debian Openldap setup working and that was fine. So
> it looks like something is missing/broken in FDS.
>
> I find it interesting that yours is the only reply for what I assume is
> a default type of problem....suggests a poor likelihood of the product
> being supportable long term....
>
I'm assuming the lack of replies means that 1) people just got it to work
by following the directions and didn't run into the problems you are
seeing 2) just don't have the time to reply 3) have no experience with
setting up ssh.

I know other people on this list have been able to integrate ssh with
Fedora DS.  I'm sorry that you have not.  I'm not sure why you have not
been able to.

You could look at the Fedora DS access and error logs, the pam/ssh logs,
and even make Fedora DS logging more verbose -
http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

I would start with the Fedora DS access log.  See if ssh is making a
connection to Fedora DS, if so, see what types of operations are being
sent, and the responses to those operations.  For searches, see what the
base DN, filter, and attributes being requested are.
> regards
>
> Steven Jones
> Senior Linux/Unix/San/Vmware System Administrator
> APG -Technology Integration Team
> Victoria University of Wellington
> Phone: +64 4 463 6272
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard
> Megginson
> Sent: Tuesday, 11 September 2007 3:31 a.m.
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] ssh login fail
>
> Steven Jones wrote:
>
>> Hi,
>>
>> I am trying to get a RHEL4 box to LDAP authenticate against FDS (also
>> on RHEL4) and failing.....
>>
>> In the logs (messages) I have,
>>
>> Sep 10 13:30:52 vuwunicvfwall02 sshd(pam_unix)[2284]: authentication
>> failure; logname= uid=0 euid=0 tty=ssh ruser=
>> rhost=vuwunicvadmin02.res.vuw.ac.nz user=jonesst1
>>
>> Sep 10 13:30:52 vuwunicvfwall02 sshd[2284]: pam_ldap: ldap_simple_bind
>> Can't contact LDAP server
>>
>> Sep 10 13:30:52 vuwunicvfwall02 sshd[2284]: pam_ldap: ldap_simple_bind
>> Can't contact LDAP server
>>
>> Sep 10 13:31:05 vuwunicvfwall02 sshd(pam_unix)[2284]: 2 more
>> authentication failures; logname= uid=0 euid=0 tty=ssh ruser=
>> rhost=vuwunicvadmin02.res.vuw.ac.nz user=jonesst1
>>
>> Any ideas why? And how to fix? Also is there a way to search the
>> archive for this list?
>>
> Have you seen this: http://directory.fedoraproject.org/wiki/Howto:PAM -
> search for ssh
>
>> When I do a,
>>
>> ldapsearch -x -h 130.195.87.249 -b dc=vuw,dc=ac,dc=nz "(ou=Users)"
>>
>> The server replies so FDS appears to be running OK....
>>
>> Also is there a way to search the archive for this list? I have tried
>> Googling with no luck...
>>
>> regards
>>
>> Steven Jones
>> Senior Linux/Unix/San/Vmware System Administrator
>> APG -Technology Integration Team
>> Victoria University of Wellington
>> Phone: +64 4 463 6272
>>
> ------------------------------------------------------------------------
>
From rmeggins at redhat.com  Mon Sep 10 20:46:54 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 10 Sep 2007 14:46:54 -0600
Subject: [Fedora-directory-users] ssh login fail
In-Reply-To:
References:
Message-ID: <46E5AD3E.1010104@redhat.com>

Steven Jones wrote:
> Is this the correct rpm to use on RHAS4-32bit-U5?
>
> fedora-ds-1.0.4-1.RHEL4.i386.opt.rpm
>
Yes.
> Are there any dependencies on the server and clients not installed by
> default? I have everything installed that I can see documented but it's
> possible I have missed something, or there is an un-documented change as
> version upgrade.
>
rpm installation should tell you if you are missing some dependency of
the server.
> How practical is it to rip out any RHAS4 ldap client modules software
> and install Fedora ones?
>
I have no idea.
> Are there different password hash mechanisms between versions? If so how
> do I check for these?
>
Fedora DS versions?  If so, yes.  I believe Fedora DS 7.1 supported only
SHA, SSHA, and crypt.  Fedora DS 1.0.1 added MD5.  Fedora DS 1.0.4 added
support for SHA and SSHA 256, 384, and 512.
> These might seem odd Q's but I'm kinda desperate as to why I cannot get
> the system working....
>
> regards
>
> Steven Jones
> Senior Linux/Unix/San/Vmware System Administrator
> APG -Technology Integration Team
> Victoria University of Wellington
> Phone: +64 4 463 6272
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Steven
> Jones
> Sent: Tuesday, 11 September 2007 8:31 a.m.
> To: General discussion list for the Fedora Directory server project.
> Subject: RE: [Fedora-directory-users] ssh login fail
>
> Yes.
>
> Thanks, I have this page bookmarked.
>
> Content looks identical to what I have...I have spent days on this
> googling with no joy.
>
> Since a Debian LDAP client also does not work I suspect it is a server
> side FDS mis-configuration and not client side, but I could be wrong.
> Previously I had a Debian Openldap setup working and that was fine. So
> it looks like something is missing/broken in FDS.
>
> I find it interesting that yours is the only reply for what I assume is
> a default type of problem....suggests a poor likelihood of the product
> being supportable long term....
>
> regards
>
> Steven Jones
> Senior Linux/Unix/San/Vmware System Administrator
> APG -Technology Integration Team
> Victoria University of Wellington
> Phone: +64 4 463 6272
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard
> Megginson
> Sent: Tuesday, 11 September 2007 3:31 a.m.
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] ssh login fail
>
> Steven Jones wrote:
>
>> Hi,
>>
>> I am trying to get a RHEL4 box to LDAP authenticate against FDS (also
>> on RHEL4) and failing.....
>>
>> In the logs (messages) I have,
>>
>> Sep 10 13:30:52 vuwunicvfwall02 sshd(pam_unix)[2284]: authentication
>> failure; logname= uid=0 euid=0 tty=ssh ruser=
>> rhost=vuwunicvadmin02.res.vuw.ac.nz user=jonesst1
>>
>> Sep 10 13:30:52 vuwunicvfwall02 sshd[2284]: pam_ldap: ldap_simple_bind
>> Can't contact LDAP server
>>
>> Sep 10 13:30:52 vuwunicvfwall02 sshd[2284]: pam_ldap: ldap_simple_bind
>> Can't contact LDAP server
>>
>> Sep 10 13:31:05 vuwunicvfwall02 sshd(pam_unix)[2284]: 2 more
>> authentication failures; logname= uid=0 euid=0 tty=ssh ruser=
>> rhost=vuwunicvadmin02.res.vuw.ac.nz user=jonesst1
>>
>> Any ideas why? And how to fix? Also is there a way to search the
>> archive for this list?
>>
> Have you seen this: http://directory.fedoraproject.org/wiki/Howto:PAM -
> search for ssh
>
>> When I do a,
>>
>> ldapsearch -x -h 130.195.87.249 -b dc=vuw,dc=ac,dc=nz "(ou=Users)"
>>
>> The server replies so FDS appears to be running OK....
>>
>> Also is there a way to search the archive for this list? I have tried
>> Googling with no luck...
>>
>> regards
>>
>> Steven Jones
>> Senior Linux/Unix/San/Vmware System Administrator
>> APG -Technology Integration Team
>> Victoria University of Wellington
>> Phone: +64 4 463 6272
>>
> ------------------------------------------------------------------------
>

From patrick.morris at hp.com  Mon Sep 10 21:00:44 2007
From: patrick.morris at hp.com (Patrick Morris)
Date: Mon, 10 Sep 2007 14:00:44 -0700
Subject: [Fedora-directory-users] ssh login fail
In-Reply-To:
References:
Message-ID: <20070910210044.GG9208@pmorris.usa.hp.com>

Hi Steven!

On Mon, 10 Sep 2007, Steven Jones wrote:

> Is this the correct rpm to use on RHAS4-32bit-U5?
>
> fedora-ds-1.0.4-1.RHEL4.i386.opt.rpm
>
> Are there any dependencies on the server and clients not installed by
> default? I have everything installed that I can see documented but it's
> possible I have missed something, or there is an un-documented change as
> version upgrade.
>
> How practical is it to rip out any RHAS4 ldap client modules software
> and install Fedora ones?
>
> Are there different password hash mechanisms between versions? If so how
> do I check for these?
>
> These might seem odd Q's but I'm kinda desperate as to why I cannot get
> the system working....

Configuration of EL4 with FDS is normally dirt-simple, if you use
authconfig.  All I've ever had to do is give it the server address and
where to look, and off it went.

If you're getting an error that the server can't be contacted, it seems
that maybe auth isn't correctly configured (or you have more basic
network issues).

The most likely cause, off the top of my head, would be trying to use
something like ldaps://ldapserver.yourdomain.com without having
configured the server for SSL.

From Steven.Jones at vuw.ac.nz  Mon Sep 10 21:16:11 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 11 Sep 2007 09:16:11 +1200
Subject: [Fedora-directory-users] ssh login fail
In-Reply-To: <20070910210044.GG9208@pmorris.usa.hp.com>
Message-ID:

Hi,

See below.

Regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Patrick Morris
Sent: Tuesday, 11 September 2007 9:01 a.m.
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] ssh login fail

Hi Steven!

On Mon, 10 Sep 2007, Steven Jones wrote:

> Is this the correct rpm to use on RHAS4-32bit-U5?
>
> fedora-ds-1.0.4-1.RHEL4.i386.opt.rpm
>
> Are there any dependencies on the server and clients not installed by
> default? I have everything installed that I can see documented but it's
> possible I have missed something, or there is an un-documented change as
> version upgrade.
>
> How practical is it to rip out any RHAS4 ldap client modules software
> and install Fedora ones?
>
> Are there different password hash mechanisms between versions? If so how
> do I check for these?
>
> These might seem odd Q's but I'm kinda desperate as to why I cannot get
> the system working....

Configuration of EL4 with FDS is normally dirt-simple, if you use
authconfig.  All I've ever had to do is give it the server address and
where to look, and off it went.

Thanks, I started by hand and recently re-ran using the authconfig tool
and the gtk version...

I am pretty much convinced/agree that it should be very simple, I have
read so many docs all saying the same thing that I am assuming I have
misread or misunderstood some really easy setting that causes
this.....OpenLdap on Debian certainly was easy so it is likely I have
either missed something, hit a terminal bug or I am doing the wrong
thing.

If you're getting an error that the server can't be contacted, it seems
that maybe auth isn't correctly configured (or you have more basic
network issues).

I can do an ldapsearch at the command line on the client which returns
info. The problem is also in login, so I am pretty sure it is a pam
client issue....or encryption....
Eg.,

==============
[root at vuwunicvfwall02 pam.d]# ldapsearch -x -h 130.195.87.249 -b dc=vuw,dc=ac,dc=nz
# extended LDIF
#
# LDAPv3
# base with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# vuw.ac.nz
dn: dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: domain
dc: vuw

# Directory Administrators, vuw.ac.nz
dn: cn=Directory Administrators, dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators

# Groups, vuw.ac.nz
dn: ou=Groups, dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: organizationalunit
ou: Groups

# People, vuw.ac.nz
dn: ou=People, dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: organizationalunit
ou: People

# Special Users, vuw.ac.nz
dn: ou=Special Users,dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts

# Accounting Managers, groups, vuw.ac.nz
dn: cn=Accounting Managers,ou=groups,dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
description: People who can manage accounting entries

# HR Managers, groups, vuw.ac.nz
dn: cn=HR Managers,ou=groups,dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Managers
ou: groups
description: People who can manage HR entries

# QA Managers, groups, vuw.ac.nz
dn: cn=QA Managers,ou=groups,dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: groupOfUniqueNames
cn: QA Managers
ou: groups
description: People who can manage QA entries

# PD Managers, groups, vuw.ac.nz
dn: cn=PD Managers,ou=groups,dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9
==============

Thanks, I started by hand and recently re-ran using the authconfig tool...
The most likely cause, off the top of my head, would be trying to use
something like ldaps://ldapserver.yourdomain.com without having
configured the server for SSL.

As far as I know I am not running ssl but it is possible one end is and
the other is not, however FDS is not set to do so in the gui and the
client has no setting I can see beyond /etc/ldap.conf saying "ssl no".

Hmmm possibly I have my test user in the wrong place in LDAP and hence I
get a null return....can't see how to check for this though....

Regards

Steven

From Steven.Jones at vuw.ac.nz  Mon Sep 10 22:08:41 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 11 Sep 2007 10:08:41 +1200
Subject: [Fedora-directory-users] ssh login fail
In-Reply-To: <46E5AC82.3050103@redhat.com>
Message-ID:

8><----

I would start with the Fedora DS access log.  See if ssh is making a
connection to Fedora DS, if so, see what types of operations are being
sent, and the responses to those operations.  For searches, see what the
base DN, filter, and attributes being requested are.

This helped.....the ldapsearch was being logged but the pam search was
not so....
I blew away /etc/ldap.conf and symlinked it to /etc/openldap/ldap.conf,
then blindly added these lines to its somewhat short form,

=======
scope sub
suffix "dc=vuw,dc=ac,dc=nz"
#TLS_CACERTDIR /etc/openldap/cacerts
pam_password exop
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=Computers,dc=cognifide,dc=pl
nss_base_passwd ou=People,dc=cognifide,dc=pl
nss_base_shadow ou=People,dc=cognifide,dc=pl
nss_base_group ou=Group,dc=cognifide,dc=pl
nss_base_hosts ou=Hosts,dc=cognifide,dc=pl
===========

The log now shows,

8><-----
PosixAccount)(uid=root))" attrs=ALL
[11/Sep/2007:10:01:01 +1200] conn=200 op=2 RESULT err=32 tag=101 nentries=0 etime=0
[11/Sep/2007:10:01:01 +1200] conn=200 op=2 RESULT err=32 tag=101 nentries=0 etime=0
[11/Sep/2007:10:01:01 +1200] conn=200 op=3 SRCH base="ou=Group,dc=cognifide,dc=pl" scope=2 filter="(&(objectClass=posixGroup)(memberUid=root))" attrs="gidNumber"
[11/Sep/2007:10:01:01 +1200] conn=200 op=3 RESULT err=32 tag=101 nentries=0 etime=0
[11/Sep/2007:10:01:01 +1200] conn=200 op=3 RESULT err=32 tag=101 nentries=0 etime=0
[11/Sep/2007:10:01:01 +1200] conn=200 op=-1 fd=67 closed error 104 (Connection reset by peer) - TCP connection reset by peer.

So pam is now actually querying the LDAP server it seems, it is not
getting it right but it's a small step.

I would seem to need to do some config around this area,

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
HOST 130.195.87.249
BASE dc=vuw,dc=ac,dc=nz
ssl no
scope sub
suffix "dc=vuw,dc=ac,dc=nz"
#TLS_CACERTDIR /etc/openldap/cacerts
pam_password exop
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=Computers,dc=cognifide,dc=pl
nss_base_passwd ou=People,dc=cognifide,dc=pl
nss_base_shadow ou=People,dc=cognifide,dc=pl
nss_base_group ou=Group,dc=cognifide,dc=pl
nss_base_hosts ou=Hosts,dc=cognifide,dc=pl

As I still get no reply/successful login.

Regards

Steven

From rmeggins at redhat.com  Mon Sep 10 22:30:16 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 10 Sep 2007 16:30:16 -0600
Subject: [Fedora-directory-users] ssh login fail
In-Reply-To:
References:
Message-ID: <46E5C578.1040108@redhat.com>

Steven Jones wrote:
> 8><----
>
> I would start with the Fedora DS access log.  See if ssh is making a
> connection to Fedora DS, if so, see what types of operations are being
> sent, and the responses to those operations.  For searches, see what the
> base DN, filter, and attributes being requested are.
>
> This helped.....the ldapsearch was being logged but the pam search was
> not so....
>
> I blew away /etc/ldap.conf and symlinked it to /etc/openldap/ldap.conf,
> then blindly added these lines to its somewhat short form,
>
> =======
> scope sub
> suffix "dc=vuw,dc=ac,dc=nz"
> #TLS_CACERTDIR /etc/openldap/cacerts
> pam_password exop
> ldap_version 3
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> pam_member_attribute memberuid
> nss_base_passwd ou=Computers,dc=cognifide,dc=pl
> nss_base_passwd ou=People,dc=cognifide,dc=pl
> nss_base_shadow ou=People,dc=cognifide,dc=pl
> nss_base_group ou=Group,dc=cognifide,dc=pl
> nss_base_hosts ou=Hosts,dc=cognifide,dc=pl
> ===========
>
> The log now shows,
>
> 8><-----
> PosixAccount)(uid=root))" attrs=ALL
> [11/Sep/2007:10:01:01 +1200] conn=200 op=2 RESULT err=32 tag=101
> nentries=0 etime=0
> [11/Sep/2007:10:01:01 +1200] conn=200 op=2 RESULT err=32 tag=101
> nentries=0 etime=0
> [11/Sep/2007:10:01:01 +1200] conn=200 op=3 SRCH
> base="ou=Group,dc=cognifide,dc=pl" scope=2
> filter="(&(objectClass=posixGroup)(memberUid=root))" attrs="gidNumber"
> [11/Sep/2007:10:01:01 +1200] conn=200 op=3 RESULT err=32 tag=101
> nentries=0 etime=0
> [11/Sep/2007:10:01:01 +1200] conn=200 op=3 RESULT err=32 tag=101
> nentries=0 etime=0
> [11/Sep/2007:10:01:01 +1200] conn=200 op=-1 fd=67 closed error 104
> (Connection reset by peer) - TCP connection reset by peer.
>
> So pam is now actually querying the LDAP server it seems, it is not
> getting it right but it's a small step.
>
err=32 means no such object.  That is, ou=Group,dc=cognifide,dc=pl does
not exist.  In your file above, you have

suffix "dc=vuw,dc=ac,dc=nz"

Do you have ou=Groups,dc=vuw,dc=ac,dc=nz ?
> I would seem to need to do some config around this area,
>
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> #BASE dc=example, dc=com
> #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
>
> #SIZELIMIT 12
> #TIMELIMIT 15
> #DEREF never
> HOST 130.195.87.249
> BASE dc=vuw,dc=ac,dc=nz
> ssl no
> scope sub
> suffix "dc=vuw,dc=ac,dc=nz"
> #TLS_CACERTDIR /etc/openldap/cacerts
> pam_password exop
> ldap_version 3
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> pam_member_attribute memberuid
> nss_base_passwd ou=Computers,dc=cognifide,dc=pl
> nss_base_passwd ou=People,dc=cognifide,dc=pl
> nss_base_shadow ou=People,dc=cognifide,dc=pl
> nss_base_group ou=Group,dc=cognifide,dc=pl
> nss_base_hosts ou=Hosts,dc=cognifide,dc=pl
>
> As I still get no reply/successful login.
>
> Regards
>
> Steven
>

From Steven.Jones at vuw.ac.nz  Mon Sep 10 22:47:05 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 11 Sep 2007 10:47:05 +1200
Subject: [Fedora-directory-users] ssh login fail
In-Reply-To: <46E5C578.1040108@redhat.com>
Message-ID:

8><----
>
> The log now shows,
>
> 8><-----
> PosixAccount)(uid=root))" attrs=ALL
> [11/Sep/2007:10:01:01 +1200] conn=200 op=2 RESULT err=32 tag=101
> nentries=0 etime=0
> [11/Sep/2007:10:01:01 +1200] conn=200 op=2 RESULT err=32 tag=101
> nentries=0 etime=0
> [11/Sep/2007:10:01:01 +1200] conn=200 op=3 SRCH
> base="ou=Group,dc=cognifide,dc=pl" scope=2
> filter="(&(objectClass=posixGroup)(memberUid=root))" attrs="gidNumber"
> [11/Sep/2007:10:01:01 +1200] conn=200 op=3 RESULT err=32 tag=101
> nentries=0 etime=0
> [11/Sep/2007:10:01:01 +1200] conn=200 op=3 RESULT err=32 tag=101
> nentries=0 etime=0
> [11/Sep/2007:10:01:01 +1200] conn=200 op=-1 fd=67 closed error 104
> (Connection
reset by peer) - TCP connection reset by peer. > > So pam is now actually querying the LDAP server it seems, it is not > getting it right but it's a small step. > err=32 means no such object. That is, ou=Group,dc=cognifide,dc=pl does not exist. In your file above, you have suffix "dc=vuw,dc=ac,dc=nz" Do you have ou=Groups,dc=vuw,dc=ac,dc=nz ? I have no idea....I suspect not, need an English explanation on some of this stuff...Fedora has a nice gui but it hides things so trying to determine if the test user is in the right "place" for the external query would seem an issue... Is there a command line syntax to run to see if I get a positive password return? Regards Steven From rmeggins at redhat.com Mon Sep 10 22:54:10 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 10 Sep 2007 16:54:10 -0600 Subject: [Fedora-directory-users] ssh login fail In-Reply-To: References: Message-ID: <46E5CB12.30908@redhat.com> Steven Jones wrote: > 8><---- > > >> The log now shows, >> >> 8><----- >> PosixAccount)(uid=root))" attrs=ALL >> [11/Sep/2007:10:01:01 +1200] conn=200 op=2 RESULT err=32 tag=101 >> nentries=0 etime=0 >> [11/Sep/2007:10:01:01 +1200] conn=200 op=2 RESULT err=32 tag=101 >> nentries=0 etime=0 >> [11/Sep/2007:10:01:01 +1200] conn=200 op=3 SRCH >> base="ou=Group,dc=cognifide,dc=pl" scope=2 >> filter="(&(objectClass=posixGroup)(memberUid=root))" attrs="gidNumber" >> [11/Sep/2007:10:01:01 +1200] conn=200 op=3 RESULT err=32 tag=101 >> nentries=0 etime=0 >> [11/Sep/2007:10:01:01 +1200] conn=200 op=3 RESULT err=32 tag=101 >> nentries=0 etime=0 >> [11/Sep/2007:10:01:01 +1200] conn=200 op=-1 fd=67 closed error 104 >> (Connection reset by peer) - TCP connection reset by peer. >> >> So pam is now actually querying the LDAP server it seems, it is not >> getting it right but it's a small step. >> >> > err=32 means no such object. That is, ou=Group,dc=cognifide,dc=pl does > not exist. 
In your file above, you have > > suffix "dc=vuw,dc=ac,dc=nz" > > Do you have ou=Groups,dc=vuw,dc=ac,dc=nz ? > > I have no idea....I suspect not, need an English explanation on some of > this stuff...Fedora has a nice gui but it hides things so trying to > determine if the test user is in the right "place" for the external > query would seem an issue... > > Is there a command line syntax to run to see if I get a positive > password return? > ldapsearch -x -b dc=vuw,dc=ac,dc=nz Will see if dc=vuw,dc=ac,dc=nz exists and if there is any data there. I'm not sure what you mean by "positive password return". > Regards > > Steven > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From Steven.Jones at vuw.ac.nz Mon Sep 10 23:06:10 2007 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 11 Sep 2007 11:06:10 +1200 Subject: [Fedora-directory-users] ssh login fail In-Reply-To: <46E5CB12.30908@redhat.com> Message-ID: Yes I have run this before, vuw exists (see below), By password return I assume the client is querying LDAP to ask if the user jonesst1 exists and either sends the hash of the password I used to try and login or asks for the hash to do a comparison if it matches a login is allowed.... I assume pam.d on the client is doing the hash comparison, so if the hash method on the client is different to FDS its not going to get anywhere. Querying via the FDS gui shows the user so it is in the database somewhere.... So the possible errors are wrong hash or looking in the wrong place, or some other error. 
regards Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272 8><----- [root at vuwunicvfwall02 openldap]# more output # extended LDIF # # LDAPv3 # base with scope sub # filter: (objectclass=*) # requesting: ALL # # vuw.ac.nz dn: dc=vuw,dc=ac,dc=nz objectClass: top objectClass: domain dc: vuw # Directory Administrators, vuw.ac.nz dn: cn=Directory Administrators, dc=vuw,dc=ac,dc=nz objectClass: top objectClass: groupofuniquenames cn: Directory Administrators # Groups, vuw.ac.nz dn: ou=Groups, dc=vuw,dc=ac,dc=nz objectClass: top objectClass: organizationalunit ou: Groups # People, vuw.ac.nz dn: ou=People, dc=vuw,dc=ac,dc=nz objectClass: top objectClass: organizationalunit ou: People # Special Users, vuw.ac.nz dn: ou=Special Users,dc=vuw,dc=ac,dc=nz objectClass: top 8><------ # PD Managers, groups, vuw.ac.nz dn: cn=PD Managers,ou=groups,dc=vuw,dc=ac,dc=nz objectClass: top objectClass: groupOfUniqueNames cn: PD Managers ou: groups description: People who can manage engineer entries # search result search: 2 result: 0 Success # numResponses: 10 # numEntries: 9 ================== From rmeggins at redhat.com Mon Sep 10 23:59:21 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 10 Sep 2007 17:59:21 -0600 Subject: [Fedora-directory-users] ssh login fail In-Reply-To: References: Message-ID: <46E5DA59.8040002@redhat.com> Steven Jones wrote: > Yes I have run this before, vuw exists (see below), > > By password return I assume the client is querying LDAP to ask if the > user jonesst1 exists and either sends the hash of the password I used to > try and login or asks for the hash to do a comparison if it matches a > login is allowed.... > I hope not. It really should do an LDAP BIND operation, which means it sends the clear text password to the server in the BIND request (for simple username/password auth). 
So, try

ldapsearch -x -D "uid=someuser,ou=People,dc=vuw,dc=ac,dc=nz" -w thepasssword -s base -b ""

That will test to see if that user exists and that the password is
correct.

> I assume pam.d on the client is doing the hash comparison, so if the
> hash method on the client is different to FDS it's not going to get
> anywhere.
>
> Querying via the FDS gui shows the user so it is in the database
> somewhere....
>
> So the possible errors are wrong hash or looking in the wrong place, or
> some other error.
>
looking in the wrong place would be my guess, based on the err=32 in the
previous logs you posted.

> regards
>
> Steven Jones
> Senior Linux/Unix/San/Vmware System Administrator
> APG -Technology Integration Team
> Victoria University of Wellington
> Phone: +64 4 463 6272

From Steven.Jones at vuw.ac.nz  Tue Sep 11 00:40:33 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 11 Sep 2007 12:40:33 +1200
Subject: [Fedora-directory-users] ssh login fail
In-Reply-To: <46E5DA59.8040002@redhat.com>
Message-ID:

There you go,

Looks like it is not in the right place in FDS....or it is but LDAP is
looking in the wrong place...

[root at vuwunicvfwall02 openldap]# ldapsearch -x -D "uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" -w xxxxx -s base -b ""
ldap_bind: No such object (32)
        matched DN: ou=people,dc=vuw,dc=ac,dc=nz
[root at vuwunicvfwall02 openldap]# ldapsearch -x -D "uid=jonesst1,dc=vuw,dc=ac,dc=nz" -w xxxxx -s base -b ""
ldap_bind: No such object (32)
        matched DN: dc=vuw,dc=ac,dc=nz

ho hum....

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

From Steven.Jones at vuw.ac.nz  Tue Sep 11 02:01:52 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 11 Sep 2007 14:01:52 +1200
Subject: [Fedora-directory-users] ssh login fail
In-Reply-To:
Message-ID:

I am getting things like this, but I did not enter them, so these are
some sort of defaults?

8><--------
# PD Managers, groups, vuw.ac.nz
dn: cn=PD Managers,ou=groups,dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries
8><--------

Yet I cannot find them under the FDS gui....

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

From Steven.Jones at vuw.ac.nz  Tue Sep 11 02:44:29 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 11 Sep 2007 14:44:29 +1200
Subject: [Fedora-directory-users] ssh login fail
In-Reply-To: <46E5DA59.8040002@redhat.com>
Message-ID:

ldapsearch -x -b "dc=vuw,dc=ac,dc=nz" |more

shows,

# People, vuw.ac.nz
dn: ou=People, dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: organizationalunit
ou: People

8><------

# jonesst1, People, vuw.ac.nz
dn: uid=jonesst1,ou=People, dc=vuw,dc=ac,dc=nz
uid: jonesst1
givenName: steven
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: jones
cn: steven jones

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5

And this shows,

[root at vuwunicvfwall02 openldap]# ldapsearch -x -b "ou=People,dc=vuw,dc=ac,dc=nz"
# extended LDIF
#
# LDAPv3
# base  with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# People, vuw.ac.nz
dn: ou=People, dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: organizationalunit
ou: People

# jonesst1, People, vuw.ac.nz
dn: uid=jonesst1,ou=People, dc=vuw,dc=ac,dc=nz
uid: jonesst1
givenName: steven
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: jones
cn: steven jones

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
=====================

So let's try the password check,

[root at vuwunicvfwall02 openldap]# ldapsearch -x -D "uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" -w xxxxxx -s base -b ""
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
namingContexts: dc=vuw,dc=ac,dc=nz
namingContexts: o=NetscapeRoot
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.9
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 2.16.840.1.113730.3.4.20
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.13
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: ANONYMOUS
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Fedora Project
vendorVersion: Fedora-Directory/1.0.4 B2006.312.435
dataversion: 020070910011125020070910011125
netscapemdsuffix: cn=ldap://dc=vuwunicvfdsm001,dc=vuw,dc=ac,dc=nz:389

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root at vuwunicvfwall02 openldap]#
=======================================================

Is this the expected output from a successful password check?

However,

Still no ssh or login...

and,

Regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

From Steven.Jones at vuw.ac.nz  Tue Sep 11 04:26:07 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 11 Sep 2007 16:26:07 +1200
Subject: [Fedora-directory-users] ssh login fail
In-Reply-To: <46E5DA59.8040002@redhat.com>
Message-ID:

> looking in the wrong place would be my guess, based on the err=32 in the
> previous logs you posted.

I seem to have been able to stop the err=32 by reconfiguring ldap.conf a
bit and cleaning out FDS and I assume putting the user in the right
place but still no login.

[11/Sep/2007:16:21:47 +1200] conn=30 fd=78 slot=78 connection from 130.195.87.246 to 130.195.87.249
[11/Sep/2007:16:21:47 +1200] conn=30 op=0 BIND dn="" method=128 version=3
[11/Sep/2007:16:21:47 +1200] conn=30 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[11/Sep/2007:16:21:47 +1200] conn=30 op=1 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
[11/Sep/2007:16:21:47 +1200] conn=30 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[11/Sep/2007:16:21:47 +1200] conn=30 op=2 BIND dn="" method=128 version=3
[11/Sep/2007:16:21:47 +1200] conn=30 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[11/Sep/2007:16:21:47 +1200] conn=30 op=3 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
[11/Sep/2007:16:21:47 +1200] conn=30 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[11/Sep/2007:16:21:51 +1200] conn=30 op=4 BIND dn="" method=128 version=3
[11/Sep/2007:16:21:51 +1200] conn=30 op=4 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[11/Sep/2007:16:21:51 +1200] conn=30 op=5 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
[11/Sep/2007:16:21:51 +1200] conn=30 op=5 RESULT err=0 tag=101 nentries=0 etime=0
[11/Sep/2007:16:21:51 +1200] conn=30 op=6 BIND dn="" method=128 version=3
[11/Sep/2007:16:21:51 +1200] conn=30 op=6 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[11/Sep/2007:16:21:51 +1200] conn=30 op=7 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
[11/Sep/2007:16:21:51 +1200] conn=30 op=7 RESULT err=0 tag=101 nentries=0 etime=0
[11/Sep/2007:16:21:56 +1200] conn=30 op=8 BIND dn="" method=128 version=3
[11/Sep/2007:16:21:56 +1200] conn=30 op=8 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[11/Sep/2007:16:21:56 +1200] conn=30 op=9 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
[11/Sep/2007:16:21:56 +1200] conn=30 op=9 RESULT err=0 tag=101 nentries=0 etime=0
[11/Sep/2007:16:21:56 +1200] conn=30 op=10 BIND dn="" method=128 version=3
[11/Sep/2007:16:21:56 +1200] conn=30 op=10 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[11/Sep/2007:16:21:56 +1200] conn=30 op=11 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
[11/Sep/2007:16:21:56 +1200] conn=30 op=11 RESULT err=0 tag=101 nentries=0 etime=0
[11/Sep/2007:16:21:58 +1200] conn=30 op=13 UNBIND
[11/Sep/2007:16:21:58 +1200] conn=30 op=13 fd=78 closed - U1
[11/Sep/2007:16:22:46 +1200] conn=31 fd=78 slot=78 connection from 130.195.87.246 to 130.195.87.249
[11/Sep/2007:16:22:46 +1200] conn=31 op=0 BIND dn="uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" method=128 version=3
[11/Sep/2007:16:22:46 +1200] conn=31 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jonesst1,ou=people,dc=vuw,dc=ac,dc=nz"
[11/Sep/2007:16:22:46 +1200] conn=31 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[11/Sep/2007:16:22:46 +1200] conn=31 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[11/Sep/2007:16:22:46 +1200] conn=31 op=2 UNBIND
[11/Sep/2007:16:22:46 +1200] conn=31 op=2 fd=78 closed - U1
[11/Sep/2007:16:22:52 +1200] conn=32 fd=78 slot=78 connection from 130.195.87.246 to 130.195.87.249
[11/Sep/2007:16:22:52 +1200] conn=32 op=0 BIND dn="" method=128 version=3
[11/Sep/2007:16:22:52 +1200] conn=32 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[11/Sep/2007:16:22:52 +1200] conn=32 op=1 SRCH base="uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(objectClass=*)" attrs=ALL
[11/Sep/2007:16:22:52 +1200] conn=32 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[11/Sep/2007:16:22:52 +1200] conn=32 op=2 UNBIND
[11/Sep/2007:16:22:52 +1200] conn=32 op=2 fd=78 closed - U1

From del at babel.com.au  Tue Sep 11 07:49:00 2007
From: del at babel.com.au (Del)
Date: Tue, 11 Sep 2007 17:49:00 +1000
Subject: [Fedora-directory-users] FDS and OpenLDAP integration
In-Reply-To: <46E563C5.6040900@sys-net.it>
References: <0A175DA6-C6A6-4439-B840-FA4B039914D9@mfn.unipmn.it> <46E160CC.8050401@redhat.com> <46E16EF9.1040907@sys-net.it> <46E17A44.8050708@sys-net.it> <4332FDA6-AEDB-48E9-856E-232413A6312E@mfn.unipmn.it> <46E56280.3000406@redhat.com> <46E563C5.6040900@sys-net.it>
Message-ID: <46E6486C.1080207@babel.com.au>

Pierangelo Masarati wrote:
> Richard Megginson wrote:
>
>> Great!  I've added this information here -
>> http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration
>
> Rich, I've cleaned up that entry, please check.

That entry would make more sense if it began with:

    There are ways to sync data from OpenLDAP to Fedora DS. NOTE: sync is
    one way only.

instead of:

    There are ways to sync data between OpenLDAP and Fedora DS. NOTE: sync
    is one way only.

"between X and Y" implies two way, but then in the next sentence you say
that it is one way only -- which way is supported and which way is not,
is not specified.

... and I'm making the assumption that "slapd.conf" refers to the
OpenLDAP slapd.conf file, and that the sync is from OpenLDAP to FDS, but
like I said, that's not specified in the article.
--
Del
Babel Com Australia
http://www.babel.com.au/
ph: 02 9368 0728
fax: 02 9368 0758

From rmeggins at redhat.com  Tue Sep 11 13:19:34 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 11 Sep 2007 07:19:34 -0600
Subject: [Fedora-directory-users] ssh login fail
In-Reply-To:
References:
Message-ID: <46E695E6.9000206@redhat.com>

Steven Jones wrote:
> ldapsearch -x -b "dc=vuw,dc=ac,dc=nz" |more
>
> shows,
>
> 8><------
>
> # jonesst1, People, vuw.ac.nz
> dn: uid=jonesst1,ou=People, dc=vuw,dc=ac,dc=nz
> uid: jonesst1
> givenName: steven
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> sn: jones
> cn: steven jones
>
> =====================
> So let's try the password check,
>
> [root at vuwunicvfwall02 openldap]# ldapsearch -x -D
> "uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" -w xxxxxx -s base -b ""
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope base
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> #
> dn:
> objectClass: top
> namingContexts: dc=vuw,dc=ac,dc=nz
> namingContexts: o=NetscapeRoot
> vendorName: Fedora Project
> vendorVersion: Fedora-Directory/1.0.4 B2006.312.435
> dataversion: 020070910011125020070910011125
> netscapemdsuffix: cn=ldap://dc=vuwunicvfdsm001,dc=vuw,dc=ac,dc=nz:389
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> [root at vuwunicvfwall02 openldap]#
> =======================================================
>
> Is this the expected output from a successful password check?
>
Yes.  You can also use the ldapwhoami command.

> However,
>
> Still no ssh or login...
>
In your nss configuration, you were using a different suffix than
dc=vuw,dc=ac,dc=nz.  Did you change that?  I don't know much about pam or
nss configuration.  I am trying to verify that Fedora DS is behaving
correctly.

> and,
>
> Regards
>
> Steven Jones
> Senior Linux/Unix/San/Vmware System Administrator
> APG -Technology Integration Team
> Victoria University of Wellington
> Phone: +64 4 463 6272

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Tue Sep 11 13:22:08 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 11 Sep 2007 07:22:08 -0600 Subject: [Fedora-directory-users] ssh login fail In-Reply-To: References: Message-ID: <46E69680.60408@redhat.com> Steven Jones wrote: > I am getting things like this, but I did not enter them, so these are > some sort of defaults? > Yes. By default, Fedora DS setup will create some organizational entries for you. If you do not want to do this, you can run setup in Custom mode and tell it to not add these entries. > 8><-------- > # PD Managers, groups, vuw.ac.nz > dn: cn=PD Managers,ou=groups,dc=vuw,dc=ac,dc=nz > objectClass: top > objectClass: groupOfUniqueNames > cn: PD Managers > ou: groups > description: People who can manage engineer entries > 8><-------- > > Yet I cannot find then under the FDS gui.... > Try changing your identity in the console to cn=Directory Manager. Under the File menu, select the option to login as another user. Or use the Tasks tab - there is a button there to do the same thing. > regards > > Steven Jones > Senior Linux/Unix/San/Vmware System Administrator > APG -Technology Integration Team > Victoria University of Wellington > Phone: +64 4 463 6272 > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Steven > Jones > Sent: Tuesday, 11 September 2007 12:41 p.m. > To: General discussion list for the Fedora Directory server project. > Subject: RE: [Fedora-directory-users] ssh login fail > > There you go, > > Looks like it is not in the right place in FDS....or it is but LDAP is > looking in the wrong place... 
> > root at vuwunicvfwall02 openldap]# ldapsearch -x -D > "uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" -w xxxxx -s base -b "" > ldap_bind: No such object (32) > matched DN: ou=people,dc=vuw,dc=ac,dc=nz > [root at vuwunicvfwall02 openldap]# ldapsearch -x -D > "uid=jonesst1,dc=vuw,dc=ac,dc=nz" -w xxxxx -s base -b "" > ldap_bind: No such object (32) > matched DN: dc=vuw,dc=ac,dc=nz > > ho hum.... > > regards > > Steven Jones > Senior Linux/Unix/San/Vmware System Administrator > APG -Technology Integration Team > Victoria University of Wellington > Phone: +64 4 463 6272 > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard > Megginson > Sent: Tuesday, 11 September 2007 11:59 a.m. > To: General discussion list for the Fedora Directory server project. > Subject: Re: [Fedora-directory-users] ssh login fail > > Steven Jones wrote: > >> Yes I have run this before, vuw exists (see below), >> >> By password return I assume the client is querying LDAP to ask if the >> user jonesst1 exists and either sends the hash of the password I used >> > to > >> try and login or asks for the hash to do a comparison if it matches a >> login is allowed.... >> >> > I hope not. It really should do an LDAP BIND operation, which means it > sends the clear text password to the server in the BIND request (for > simple username/password auth). > > So, try > ldapsearch -x -D "uid=someuser,ou=People,dc=vuw,dc=ac,dc=nz" -w > thepasssword -s base -b "" > That will test to see if that user exists and that the password is > correct. > > >> I assume pam.d on the client is doing the hash comparison, so if the >> hash method on the client is different to FDS its not going to get >> anywhere. >> >> Querying via the FDS gui shows the user so it is in the database >> somewhere.... >> >> So the possible errors are wrong hash or looking in the wrong place, >> > or > >> some other error. 
>> >> > looking in the wrong place would be my guess, based on the err=32 in the > > previous logs you posted. > >> regards >> >> Steven Jones >> Senior Linux/Unix/San/Vmware System Administrator >> APG -Technology Integration Team >> Victoria University of Wellington >> Phone: +64 4 463 6272 >> >> 8><----- >> >> [root at vuwunicvfwall02 openldap]# more output >> # extended LDIF >> # >> # LDAPv3 >> # base with scope sub >> # filter: (objectclass=*) >> # requesting: ALL >> # >> >> # vuw.ac.nz >> dn: dc=vuw,dc=ac,dc=nz >> objectClass: top >> objectClass: domain >> dc: vuw >> >> # Directory Administrators, vuw.ac.nz >> dn: cn=Directory Administrators, dc=vuw,dc=ac,dc=nz >> objectClass: top >> objectClass: groupofuniquenames >> cn: Directory Administrators >> >> # Groups, vuw.ac.nz >> dn: ou=Groups, dc=vuw,dc=ac,dc=nz >> objectClass: top >> objectClass: organizationalunit >> ou: Groups >> >> # People, vuw.ac.nz >> dn: ou=People, dc=vuw,dc=ac,dc=nz >> objectClass: top >> objectClass: organizationalunit >> ou: People >> >> # Special Users, vuw.ac.nz >> dn: ou=Special Users,dc=vuw,dc=ac,dc=nz >> objectClass: top >> >> 8><------ >> >> # PD Managers, groups, vuw.ac.nz >> dn: cn=PD Managers,ou=groups,dc=vuw,dc=ac,dc=nz >> objectClass: top >> objectClass: groupOfUniqueNames >> cn: PD Managers >> ou: groups >> description: People who can manage engineer entries >> >> >> # search result >> search: 2 >> result: 0 Success >> >> # numResponses: 10 >> # numEntries: 9 >> >> ================== >> >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part 
From rmeggins at redhat.com Tue Sep 11 13:26:10 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 11 Sep 2007 07:26:10 -0600
Subject: [Fedora-directory-users] FDS and OpenLDAP integration
In-Reply-To: <46E6486C.1080207@babel.com.au>
References: <0A175DA6-C6A6-4439-B840-FA4B039914D9@mfn.unipmn.it> <46E160CC.8050401@redhat.com> <46E16EF9.1040907@sys-net.it> <46E17A44.8050708@sys-net.it> <4332FDA6-AEDB-48E9-856E-232413A6312E@mfn.unipmn.it> <46E56280.3000406@redhat.com> <46E563C5.6040900@sys-net.it> <46E6486C.1080207@babel.com.au>
Message-ID: <46E69772.3030401@redhat.com>

Del wrote:
> Pierangelo Masarati wrote:
>> Richard Megginson wrote:
>>
>>> Great! I've added this information here -
>>> http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration
>>
>> Rich, I've cleaned up that entry, please check.
>
> That entry would make more sense if it began with:
>
> There are ways to sync data from OpenLDAP to Fedora DS. NOTE: sync is one way only.
>
> instead of:
>
> There are ways to sync data between OpenLDAP and Fedora DS. NOTE: sync is one way only.
>
> "between X and Y" implies two way, but then in the next sentence you say that it is one way only -- which way is supported and which way is not, is not specified.

But there are ways to sync data from Fedora DS to OpenLDAP also. You just can't do both directions at the same time. How could I word that appropriately?

> ... and I'm making the assumption that "slapd.conf" refers to the OpenLDAP slapd.conf file,

Is there another one?

> and that the sync is from OpenLDAP to FDS, but like I said, that's not specified in the article.

The section heading is "Replication from OpenLDAP to Fedora DS" - how should this be specified?
From rmeggins at redhat.com Tue Sep 11 13:36:26 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 11 Sep 2007 07:36:26 -0600
Subject: [Fedora-directory-users] ssh login fail
In-Reply-To:
References:
Message-ID: <46E699DA.7080401@redhat.com>

Steven Jones wrote:
>>
>>
> looking in the wrong place would be my guess, based on the err=32 in the previous logs you posted.
>
> I seem to have been able to stop the err=32 by reconfiguring ldap.conf a bit and cleaning out FDS and I assume putting the user in the right place but still no login.
>
> [11/Sep/2007:16:21:47 +1200] conn=30 fd=78 slot=78 connection from 130.195.87.246 to 130.195.87.249
> [11/Sep/2007:16:21:47 +1200] conn=30 op=0 BIND dn="" method=128 version=3
> [11/Sep/2007:16:21:47 +1200] conn=30 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [11/Sep/2007:16:21:47 +1200] conn=30 op=1 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
> [11/Sep/2007:16:21:47 +1200] conn=30 op=1 RESULT err=0 tag=101 nentries=0 etime=0
>

The clue here is that err=0 but nentries=0. This to me indicates some sort of ACI problem. If you ran the setup program, and you specified dc=vuw,dc=ac,dc=nz as your suffix, setup should have added an ACI which would allow this search to return entries. This, coupled with the fact that you cannot view these entries using the console (assuming you meant while logged in as the admin user), suggests that you added this data after setup and that you did not specify dc=vuw,dc=ac,dc=nz as your suffix.

If you want to see what the suggested ACIs are, you should be able to view the ACIs that were added to the suffix that you did specify when you ran setup. The console will show you the ACIs. If you want to see what they are without using the console, you can use ldapsearch e.g.
ldapsearch -x -D "cn=directory manager" -w password -b "dc=vuw,dc=ac,dc=nz" "aci=*" aci

> [11/Sep/2007:16:21:47 +1200] conn=30 op=2 BIND dn="" method=128 version=3
> [11/Sep/2007:16:21:47 +1200] conn=30 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [11/Sep/2007:16:21:47 +1200] conn=30 op=3 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
> [11/Sep/2007:16:21:47 +1200] conn=30 op=3 RESULT err=0 tag=101 nentries=0 etime=0
> [11/Sep/2007:16:21:51 +1200] conn=30 op=4 BIND dn="" method=128 version=3
> [11/Sep/2007:16:21:51 +1200] conn=30 op=4 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [11/Sep/2007:16:21:51 +1200] conn=30 op=5 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
> [11/Sep/2007:16:21:51 +1200] conn=30 op=5 RESULT err=0 tag=101 nentries=0 etime=0
> [11/Sep/2007:16:21:51 +1200] conn=30 op=6 BIND dn="" method=128 version=3
> [11/Sep/2007:16:21:51 +1200] conn=30 op=6 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [11/Sep/2007:16:21:51 +1200] conn=30 op=7 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
> [11/Sep/2007:16:21:51 +1200] conn=30 op=7 RESULT err=0 tag=101 nentries=0 etime=0
> [11/Sep/2007:16:21:56 +1200] conn=30 op=8 BIND dn="" method=128 version=3
> [11/Sep/2007:16:21:56 +1200] conn=30 op=8 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [11/Sep/2007:16:21:56 +1200] conn=30 op=9 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
> [11/Sep/2007:16:21:56 +1200] conn=30 op=9 RESULT err=0 tag=101 nentries=0 etime=0
> [11/Sep/2007:16:21:56 +1200] conn=30 op=10 BIND dn="" method=128 version=3
> [11/Sep/2007:16:21:56 +1200] conn=30 op=10 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [11/Sep/2007:16:21:56 +1200] conn=30 op=11 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
> [11/Sep/2007:16:21:56 +1200] conn=30 op=11 RESULT err=0 tag=101 nentries=0 etime=0
> [11/Sep/2007:16:21:58 +1200] conn=30 op=13 UNBIND
> [11/Sep/2007:16:21:58 +1200] conn=30 op=13 fd=78 closed - U1
> [11/Sep/2007:16:22:46 +1200] conn=31 fd=78 slot=78 connection from 130.195.87.246 to 130.195.87.249
> [11/Sep/2007:16:22:46 +1200] conn=31 op=0 BIND dn="uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" method=128 version=3
> [11/Sep/2007:16:22:46 +1200] conn=31 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jonesst1,ou=people,dc=vuw,dc=ac,dc=nz"
> [11/Sep/2007:16:22:46 +1200] conn=31 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
> [11/Sep/2007:16:22:46 +1200] conn=31 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> [11/Sep/2007:16:22:46 +1200] conn=31 op=2 UNBIND
> [11/Sep/2007:16:22:46 +1200] conn=31 op=2 fd=78 closed - U1
> [11/Sep/2007:16:22:52 +1200] conn=32 fd=78 slot=78 connection from 130.195.87.246 to 130.195.87.249
> [11/Sep/2007:16:22:52 +1200] conn=32 op=0 BIND dn="" method=128 version=3
> [11/Sep/2007:16:22:52 +1200] conn=32 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [11/Sep/2007:16:22:52 +1200] conn=32 op=1 SRCH base="uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(objectClass=*)" attrs=ALL
> [11/Sep/2007:16:22:52 +1200] conn=32 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> [11/Sep/2007:16:22:52 +1200] conn=32 op=2 UNBIND
> [11/Sep/2007:16:22:52 +1200] conn=32 op=2 fd=78 closed - U1
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
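Richard's reading of the access log above (err=0 with nentries=0 as the tell-tale, err=32 as the wrong-base case) can be applied to the raw log mechanically. The following Python is an added example, not code from the thread or from Fedora DS; its conn=30 to conn=32 sample lines are copied from the log above, and the conn=33 lines are constructed to show the err=32 case.

```python
"""Triage Fedora DS access-log lines for searches that "succeed" with no entries.

Added example, not code from the thread or from Fedora DS. It pairs each SRCH
with its RESULT on the same conn/op, tracks the bound identity per connection,
and labels the cases discussed above: err=32 (search base does not exist) and
err=0 with nentries=0 (entry missing, objectClass in the filter not present,
or an ACI hiding it). Sample lines are from the thread; conn=33 is constructed.
"""
import re

# One op record: "[timestamp] conn=N op=M KIND key=value ...". Connection-open
# and "fd=78 closed" lines carry no KIND in capitals and are skipped.
RECORD_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$'
)
# key="quoted value" (may hold spaces, commas and '=') or key=bareword
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Return (ts, conn, op, kind, {key: value}) for an op record, else None."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    fields = {}
    for key, val in KV_RE.findall(m.group("rest")):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return m.group("ts"), int(m.group("conn")), int(m.group("op")), m.group("kind"), fields


def classify(err, nentries, srch, who):
    """Map a search RESULT to a (code, explanation) pair."""
    base, filt = srch.get("base", ""), srch.get("filter", "")
    if err == 32:
        return "NO_SUCH_OBJECT", f'base "{base}" does not exist on this server (wrong suffix or DN typo)'
    if err != 0:
        return "ERROR", f'err={err} while searching "{base}"'
    if nentries == 0:
        return "EMPTY", (f'{filt} under "{base}" as {who} matched nothing: entry missing, '
                         'an objectClass in the filter not set, or an ACI hides it from this identity')
    return "OK", f"{nentries} entry(ies) returned"


def triage(lines):
    """Return one (conn, op, who, (code, explanation)) per completed search."""
    bound_as = {}   # conn -> DN from the last BIND on that connection ("" = anonymous)
    pending = {}    # (conn, op) -> SRCH fields still waiting for their RESULT
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        _ts, conn, op, kind, f = rec
        if kind == "BIND":
            bound_as[conn] = f.get("dn", "")
        elif kind == "UNBIND":
            bound_as.pop(conn, None)
        elif kind == "SRCH":
            pending[(conn, op)] = f
        elif kind == "RESULT" and (conn, op) in pending:
            who = bound_as.get(conn, "") or "anonymous"
            verdict = classify(int(f.get("err", -1)), int(f.get("nentries", 0)),
                               pending.pop((conn, op)), who)
            findings.append((conn, op, who, verdict))
    return findings


# Lines copied from the thread (conn=30..32) plus a constructed conn=33 with err=32.
SAMPLE_LOG = """\
[11/Sep/2007:16:21:47 +1200] conn=30 fd=78 slot=78 connection from 130.195.87.246 to 130.195.87.249
[11/Sep/2007:16:21:47 +1200] conn=30 op=0 BIND dn="" method=128 version=3
[11/Sep/2007:16:21:47 +1200] conn=30 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[11/Sep/2007:16:21:47 +1200] conn=30 op=1 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
[11/Sep/2007:16:21:47 +1200] conn=30 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[11/Sep/2007:16:21:58 +1200] conn=30 op=13 UNBIND
[11/Sep/2007:16:22:46 +1200] conn=31 op=0 BIND dn="uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" method=128 version=3
[11/Sep/2007:16:22:46 +1200] conn=31 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jonesst1,ou=people,dc=vuw,dc=ac,dc=nz"
[11/Sep/2007:16:22:46 +1200] conn=31 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[11/Sep/2007:16:22:46 +1200] conn=31 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[11/Sep/2007:16:22:52 +1200] conn=32 op=0 BIND dn="" method=128 version=3
[11/Sep/2007:16:22:52 +1200] conn=32 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[11/Sep/2007:16:22:52 +1200] conn=32 op=1 SRCH base="uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(objectClass=*)" attrs=ALL
[11/Sep/2007:16:22:52 +1200] conn=32 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[11/Sep/2007:16:23:10 +1200] conn=33 op=0 BIND dn="" method=128 version=3
[11/Sep/2007:16:23:10 +1200] conn=33 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[11/Sep/2007:16:23:10 +1200] conn=33 op=1 SRCH base="ou=People,dc=example,dc=com" scope=2 filter="(uid=jonesst1)" attrs=ALL
[11/Sep/2007:16:23:10 +1200] conn=33 op=1 RESULT err=32 tag=101 nentries=0 etime=0
"""

if __name__ == "__main__":
    for conn, op, who, (code, why) in triage(SAMPLE_LOG.splitlines()):
        print(f"conn={conn} op={op} as {who}: {code} - {why}")
```

Note that conn=32 shows the anonymous identity reading the user's entry directly (nentries=1), so for this thread the empty posixAccount search on conn=30 points at the filter rather than at an ACI.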
From srigler at marathonoil.com Tue Sep 11 13:44:26 2007
From: srigler at marathonoil.com (Steve Rigler)
Date: Tue, 11 Sep 2007 08:44:26 -0500
Subject: [Fedora-directory-users] ssh login fail
In-Reply-To:
References:
Message-ID: <1189518266.11406.5.camel@houuc8>

On Tue, 2007-09-11 at 14:44 +1200, Steven Jones wrote:
> ldapsearch -x -b "dc=vuw,dc=ac,dc=nz" |more
>
> shows,
>
> # People, vuw.ac.nz
> dn: ou=People, dc=vuw,dc=ac,dc=nz
> objectClass: top
> objectClass: organizationalunit
> ou: People
>
> 8><------
>
> # jonesst1, People, vuw.ac.nz
> dn: uid=jonesst1,ou=People, dc=vuw,dc=ac,dc=nz
> uid: jonesst1
> givenName: steven
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> sn: jones
> cn: steven jones
>

Your account does not have any posixAccount attributes defined.

-Steve

From rcritten at redhat.com Tue Sep 11 14:24:58 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 Sep 2007 10:24:58 -0400
Subject: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris 10?
In-Reply-To:
References:
Message-ID: <46E6A53A.5080002@redhat.com>

Scott Ding wrote:
> Has anyone built Fedora DS 1.0.4 on Solaris 10 (SPARC 32bit)?
>

In theory this should work ok.

I spent a little time many months ago to try to build it on Solaris 10 x86 and nearly got there before running out of time and I never got back to it because I needed to reclaim the disk space :-(

I would recommend the manual build process defined at http://directory.fedoraproject.org/wiki/Building . I would avoid the "one-step build" because I suspect this is going to be very iterative and while the auto-fetching is nice developing in that environment just adds another layer of pain.

It is possible to build on Solaris with gcc, the trick is figuring out the magic to tell the various components to use it.
I think things like NSS, NSPR and FDS itself use the env variable NS_USE_GCC. Set that to 1 and give it a go. There may be other tweaks required. And note that the manual instructions just cover the server itself. For console, the plugins, etc there is more to do. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From scott.ding at autodesk.com Tue Sep 11 14:59:46 2007 From: scott.ding at autodesk.com (Scott Ding) Date: Tue, 11 Sep 2007 07:59:46 -0700 Subject: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris 10? References: <46E6A53A.5080002@redhat.com> Message-ID: Thanks for the tips! I will give it a try. -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rob Crittenden Sent: Tuesday, September 11, 2007 7:25 AM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris 10? Scott Ding wrote: > Has anyone built Fedora DS 1.0.4 on Solaris 10 (SPARC 32bit)? > In theory this should work ok. I spent a little time many months ago to try to build it on Solaris 10 x86 and nearly got there before running out of time and I never got back to it because I needed to reclaim the disk space :-( I would recommend the manual build process defined at http://directory.fedoraproject.org/wiki/Building . I would avoid the "one-step build" because I suspect this is going to be very iterative and while the auto-fetching is nice developing in that environment just adds another layer of pain. It is possible to build on Solaris with gcc, the trick is figuring out the magic to tell the various components to use it. I think things like NSS, NSPR and FDS itself use the env variable NS_USE_GCC. Set that to 1 and give it a go. There may be other tweaks required. 
And note that the manual instructions just cover the server itself. For console, the plugins, etc there is more to do. rob From Steven.Jones at vuw.ac.nz Tue Sep 11 21:04:34 2007 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Wed, 12 Sep 2007 09:04:34 +1200 Subject: [Fedora-directory-users] ssh login fail In-Reply-To: <46E69680.60408@redhat.com> Message-ID: Thanks, Comments as below.... Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272 -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson Sent: Wednesday, 12 September 2007 1:22 a.m. To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] ssh login fail Steven Jones wrote: > I am getting things like this, but I did not enter them, so these are > some sort of defaults? > Yes. By default, Fedora DS setup will create some organizational entries for you. If you do not want to do this, you can run setup in Custom mode and tell it to not add these entries. So, "typical" can actually be a bad setting to choose...possibly a simple explanation inside the setup script (unless its there and I missed it). Think I will spend the day writing up my own notes...the RDS and FDS manuals obviously don't come down to my level. ;] > 8><-------- > # PD Managers, groups, vuw.ac.nz > dn: cn=PD Managers,ou=groups,dc=vuw,dc=ac,dc=nz > objectClass: top > objectClass: groupOfUniqueNames > cn: PD Managers > ou: groups > description: People who can manage engineer entries > 8><-------- > > Yet I cannot find then under the FDS gui.... > Try changing your identity in the console to cn=Directory Manager. Under the File menu, select the option to login as another user. Or use the Tasks tab - there is a button there to do the same thing. 
Yes, I had the user in the wrong place because of this. When I deleted the user and re-created "people" with the "user" as a member and fixed the posix issue it worked. Thanks for your efforts....I was going to give up today and go back to open-ldap... > regards > > Steven Jones > Senior Linux/Unix/San/Vmware System Administrator > APG -Technology Integration Team > Victoria University of Wellington > Phone: +64 4 463 6272 > From rmeggins at redhat.com Tue Sep 11 21:37:26 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 11 Sep 2007 15:37:26 -0600 Subject: [Fedora-directory-users] ssh login fail In-Reply-To: References: Message-ID: <46E70A96.3080305@redhat.com> Steven Jones wrote: > Thanks, Comments as below.... > > Steven Jones > Senior Linux/Unix/San/Vmware System Administrator > APG -Technology Integration Team > Victoria University of Wellington > Phone: +64 4 463 6272 > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard > Megginson > Sent: Wednesday, 12 September 2007 1:22 a.m. > To: General discussion list for the Fedora Directory server project. > Subject: Re: [Fedora-directory-users] ssh login fail > > Steven Jones wrote: > >> I am getting things like this, but I did not enter them, so these are >> some sort of defaults? >> >> > Yes. By default, Fedora DS setup will create some organizational > entries for you. If you do not want to do this, you can run setup in > Custom mode and tell it to not add these entries. > > So, "typical" can actually be a bad setting to choose... Rarely, and only for advanced users. > possibly a > simple explanation inside the setup script (unless its there and I > missed it). > Typical is the default because it is the most useful, and most people usually want the default entries like ou=People. 
> Think I will spend the day writing up my own notes...the RDS and FDS > manuals obviously don't come down to my level. > Please consider contributing them to the Fedora DS wiki. > ;] > > >> 8><-------- >> # PD Managers, groups, vuw.ac.nz >> dn: cn=PD Managers,ou=groups,dc=vuw,dc=ac,dc=nz >> objectClass: top >> objectClass: groupOfUniqueNames >> cn: PD Managers >> ou: groups >> description: People who can manage engineer entries >> 8><-------- >> >> Yet I cannot find then under the FDS gui.... >> >> > Try changing your identity in the console to cn=Directory Manager. > Under the File menu, select the option to login as another user. Or use > > the Tasks tab - there is a button there to do the same thing. > > Yes, I had the user in the wrong place because of this. When I deleted > the user and re-created "people" with the "user" as a member and fixed > the posix issue it worked. > > Thanks for your efforts....I was going to give up today and go back to > open-ldap... > > >> regards >> >> Steven Jones >> Senior Linux/Unix/San/Vmware System Administrator >> APG -Technology Integration Team >> Victoria University of Wellington >> Phone: +64 4 463 6272 >> >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From scott.ding at autodesk.com Tue Sep 11 21:49:34 2007 From: scott.ding at autodesk.com (Scott Ding) Date: Tue, 11 Sep 2007 14:49:34 -0700 Subject: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris 10? References: <46E6A53A.5080002@redhat.com> Message-ID: Rob, We got the FDS compiled on Solaris 10 with NET-SNMP 5.4.1. 
The compiled result contains the following files: LICENSE.txt README.txt disktune slapd.tar.gz After I untar slapd.tar.gz, I got the following: alias manual shared bin - slapd - admin - server - install - property -lib lib plugins I checked the Installation Guide. The instructions are based on RedHat. Are there any installation instructions based on Solaris? Regards, Scott -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rob Crittenden Sent: Tuesday, September 11, 2007 7:25 AM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris 10? Scott Ding wrote: > Has anyone built Fedora DS 1.0.4 on Solaris 10 (SPARC 32bit)? > In theory this should work ok. I spent a little time many months ago to try to build it on Solaris 10 x86 and nearly got there before running out of time and I never got back to it because I needed to reclaim the disk space :-( I would recommend the manual build process defined at http://directory.fedoraproject.org/wiki/Building . I would avoid the "one-step build" because I suspect this is going to be very iterative and while the auto-fetching is nice developing in that environment just adds another layer of pain. It is possible to build on Solaris with gcc, the trick is figuring out the magic to tell the various components to use it. I think things like NSS, NSPR and FDS itself use the env variable NS_USE_GCC. Set that to 1 and give it a go. There may be other tweaks required. And note that the manual instructions just cover the server itself. For console, the plugins, etc there is more to do. rob From rmeggins at redhat.com Tue Sep 11 21:54:23 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 11 Sep 2007 15:54:23 -0600 Subject: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris 10? 
In-Reply-To: References: <46E6A53A.5080002@redhat.com> Message-ID: <46E70E8F.5050301@redhat.com> Scott Ding wrote: > Rob, > > We got the FDS compiled on Solaris 10 with NET-SNMP 5.4.1. The compiled > result contains the following files: > > LICENSE.txt > README.txt > disktune > slapd.tar.gz > > > After I untar slapd.tar.gz, I got the following: > > alias > manual > shared > bin > - slapd > - admin > - server > - install > - property > -lib > lib > plugins > > I checked the Installation Guide. The instructions are based on RedHat. > Are there any installation instructions based on Solaris? > Is there a setup command in there somewhere? > Regards, > Scott > > > > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rob > Crittenden > Sent: Tuesday, September 11, 2007 7:25 AM > To: General discussion list for the Fedora Directory server project. > Subject: Re: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris > 10? > > Scott Ding wrote: > >> Has anyone built Fedora DS 1.0.4 on Solaris 10 (SPARC 32bit)? >> >> > > In theory this should work ok. > > I spent a little time many months ago to try to build it on Solaris 10 > x86 and nearly got there before running out of time and I never got back > to it because I needed to reclaim the disk space :-( > > I would recommend the manual build process defined at > http://directory.fedoraproject.org/wiki/Building . I would avoid the > "one-step build" because I suspect this is going to be very iterative > and while the auto-fetching is nice developing in that environment just > adds another layer of pain. > > It is possible to build on Solaris with gcc, the trick is figuring out > the magic to tell the various components to use it. I think things like > NSS, NSPR and FDS itself use the env variable NS_USE_GCC. Set that to 1 > and give it a go. There may be other tweaks required. 
> > And note that the manual instructions just cover the server itself. For > console, the plugins, etc there is more to do. > > rob > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From Steven.Jones at vuw.ac.nz Tue Sep 11 22:07:20 2007 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Wed, 12 Sep 2007 10:07:20 +1200 Subject: [Fedora-directory-users] ssh login fail In-Reply-To: <46E70A96.3080305@redhat.com> Message-ID: RE: FDS Wiki ~ I write stuff on my web site so I can refer to my notes from anywhere...I have no issue on doing/posting a FDS wiki page....once I have a set of notes I am happy with, I will get back to you.... regards Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272 -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson Sent: Wednesday, 12 September 2007 9:37 a.m. To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] ssh login fail Steven Jones wrote: > Thanks, Comments as below.... > > Steven Jones > Senior Linux/Unix/San/Vmware System Administrator > APG -Technology Integration Team > Victoria University of Wellington > Phone: +64 4 463 6272 > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard > Megginson > Sent: Wednesday, 12 September 2007 1:22 a.m. > To: General discussion list for the Fedora Directory server project. 
> Subject: Re: [Fedora-directory-users] ssh login fail > > Steven Jones wrote: > >> I am getting things like this, but I did not enter them, so these are >> some sort of defaults? >> >> > Yes. By default, Fedora DS setup will create some organizational > entries for you. If you do not want to do this, you can run setup in > Custom mode and tell it to not add these entries. > > So, "typical" can actually be a bad setting to choose... Rarely, and only for advanced users. > possibly a > simple explanation inside the setup script (unless its there and I > missed it). > Typical is the default because it is the most useful, and most people usually want the default entries like ou=People. > Think I will spend the day writing up my own notes...the RDS and FDS > manuals obviously don't come down to my level. > Please consider contributing them to the Fedora DS wiki. > ;] > > >> 8><-------- >> # PD Managers, groups, vuw.ac.nz >> dn: cn=PD Managers,ou=groups,dc=vuw,dc=ac,dc=nz >> objectClass: top >> objectClass: groupOfUniqueNames >> cn: PD Managers >> ou: groups >> description: People who can manage engineer entries >> 8><-------- >> >> Yet I cannot find then under the FDS gui.... >> >> > Try changing your identity in the console to cn=Directory Manager. > Under the File menu, select the option to login as another user. Or use > > the Tasks tab - there is a button there to do the same thing. > > Yes, I had the user in the wrong place because of this. When I deleted > the user and re-created "people" with the "user" as a member and fixed > the posix issue it worked. > > Thanks for your efforts....I was going to give up today and go back to > open-ldap... 
>
>
>> regards
>>
>> Steven Jones
>> Senior Linux/Unix/San/Vmware System Administrator
>> APG -Technology Integration Team
>> Victoria University of Wellington
>> Phone: +64 4 463 6272
>>
>>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From Steven.Jones at vuw.ac.nz Tue Sep 11 22:07:59 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 12 Sep 2007 10:07:59 +1200
Subject: [Fedora-directory-users] ssh login fail
In-Reply-To: <1189518266.11406.5.camel@houuc8>
Message-ID:

B*gger me....

# jonesst1, People, vuw.ac.nz
dn: uid=jonesst1, ou=People, dc=vuw,dc=ac,dc=nz
uid: jonesst1
givenName: steven
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
sn: jones
cn: steven jones
uidNumber: 500
gidNumber: 500
homeDirectory: /home/jonesst1
loginShell: /bin/bash

I must have had multiple issues and initially I created accounts with a posix user, but later, as I had re-done it fully sooo many times, I stopped bothering....not realising it could have been an issue. So I just set up the posix account settings (as shown above) and ssh login now works....

****slaps self repeatedly*****

So under the ssh howtos there needs to be at least some prerequisites, i.e. full posix setup....

Thanks....

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Steve Rigler
Sent: Wednesday, 12 September 2007 1:44 a.m.
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] ssh login fail

On Tue, 2007-09-11 at 14:44 +1200, Steven Jones wrote:
> ldapsearch -x -b "dc=vuw,dc=ac,dc=nz" |more
>
> shows,
>
> # People, vuw.ac.nz
> dn: ou=People, dc=vuw,dc=ac,dc=nz
> objectClass: top
> objectClass: organizationalunit
> ou: People
>
> 8><------
>
> # jonesst1, People, vuw.ac.nz
> dn: uid=jonesst1,ou=People, dc=vuw,dc=ac,dc=nz
> uid: jonesst1
> givenName: steven
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> sn: jones
> cn: steven jones
>

Your account does not have any posixAccount attributes defined.

-Steve

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

From davea at support.kcm.org Tue Sep 11 22:10:46 2007
From: davea at support.kcm.org (Dave Augustus)
Date: Tue, 11 Sep 2007 17:10:46 -0500
Subject: [Fedora-directory-users] FDS crash - happened after adding views
Message-ID: <1189548647.31875.10.camel@kcm40202.kcmhq.org>

Hello all,

On Centos 5 x86_64, we have fedora-ds-1.0.4-1.FC6.x86_64 installed.

We are in the painful process of migrating from OpenLDAP to FDS. After adding around 40 views, the server crashed and won't restart.

Running slapd-server -d 1 provides no clues until the last statement:

[11/Sep/2007:16:42:33 -0500] views-plugin - <-- views_cache_build_view_list
./start-slapd: line 33: 14540 Segmentation fault ./ns-slapd -D /opt/fedora-ds/slapd-ldap1-server1 -i /opt/fedora-ds/slapd-ldap1-server1/logs/pid -w $STARTPIDFILE "$@"

Is there a limit to views? The changelog shows that it has been around for a while.

How do I recover? I have an ldif export but if I import the data with these views will I run into the same problems?
Thanks,
Dave

From davea at support.kcm.org Tue Sep 11 22:46:46 2007
From: davea at support.kcm.org (Dave Augustus)
Date: Tue, 11 Sep 2007 17:46:46 -0500
Subject: [Fedora-directory-users] FDS crash - happened after adding views
In-Reply-To: <1189548647.31875.10.camel@kcm40202.kcmhq.org>
References: <1189548647.31875.10.camel@kcm40202.kcmhq.org>
Message-ID: <1189550806.31875.13.camel@kcm40202.kcmhq.org>

On Tue, 2007-09-11 at 17:10 -0500, Dave Augustus wrote:
> Hello all,
>
> On Centos 5 x86_64, we have fedora-ds-1.0.4-1.FC6.x86_64 installed.
>
> We are in the painful process of migrating from OpenLDAP to FDS. After
> adding around 40 views, the server crashed and won't restart.
>
> Running slapd-server -d 1 provides no clues until the last statement:
>
> [11/Sep/2007:16:42:33 -0500] views-plugin - <-- views_cache_build_view_list
> ./start-slapd: line 33: 14540 Segmentation fault ./ns-slapd -D /opt/fedora-ds/slapd-ldap1-server1 -i /opt/fedora-ds/slapd-ldap1-server1/logs/pid -w $STARTPIDFILE "$@"
>
> Is there a limit to views? The changelog shows that it has been around
> for a while.
>
> How do I recover? I have an ldif export but if I import the data with
> these views will I run into the same problems?
>
> Thanks,
> Dave
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

Also, when this occurred, the "Maximum Number of Files Open" via "fs.file-max" was not set. It is now set to 8192.

Could this have caused my problem?

From scott.ding at autodesk.com Tue Sep 11 23:17:04 2007
From: scott.ding at autodesk.com (Scott Ding)
Date: Tue, 11 Sep 2007 16:17:04 -0700
Subject: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris 10?
References: <46E6A53A.5080002@redhat.com>
Message-ID:

I got the FDS installed on Solaris 10 by calling ds_newinst.pl with an inf file. However, when I tried to start the FDS, I got the following error.
It looks like I did not set up SSL correctly. Can anyone help?

[11/Sep/2007:16:05:13 -0700] - SSL alert: Security Initialization: NSS initialization failed (Netscape Portable Runtime error -8174 - security library: bad database.): path: /home/dings/fds/alias/, certdb prefix: slapd-lsctsol06-, keydb prefix: slapd-lsctsol06-.
[11/Sep/2007:16:05:13 -0700] - ERROR: NSS Initialization Failed.

-----Original Message-----
From: Scott Ding
Sent: Tuesday, September 11, 2007 2:50 PM
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris 10?

Rob,

We got the FDS compiled on Solaris 10 with NET-SNMP 5.4.1. The compiled result contains the following files:

LICENSE.txt
README.txt
disktune
slapd.tar.gz

After I untar slapd.tar.gz, I got the following:

alias
manual
shared
bin
- slapd
- admin
- server
- install
- property
- lib
lib
plugins

I checked the Installation Guide. The instructions are based on RedHat. Are there any installation instructions based on Solaris?

Regards,
Scott

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rob Crittenden
Sent: Tuesday, September 11, 2007 7:25 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris 10?

Scott Ding wrote:
> Has anyone built Fedora DS 1.0.4 on Solaris 10 (SPARC 32bit)?
>

In theory this should work ok.

I spent a little time many months ago to try to build it on Solaris 10 x86 and nearly got there before running out of time and I never got back to it because I needed to reclaim the disk space :-(

I would recommend the manual build process defined at http://directory.fedoraproject.org/wiki/Building .
I would avoid the "one-step build" because I suspect this is going to be very iterative and while the auto-fetching is nice developing in that environment just adds another layer of pain.

It is possible to build on Solaris with gcc, the trick is figuring out the magic to tell the various components to use it. I think things like NSS, NSPR and FDS itself use the env variable NS_USE_GCC. Set that to 1 and give it a go. There may be other tweaks required.

And note that the manual instructions just cover the server itself. For console, the plugins, etc there is more to do.

rob

From markwu05 at gmail.com Tue Sep 11 23:54:51 2007
From: markwu05 at gmail.com (Hai Wu)
Date: Tue, 11 Sep 2007 16:54:51 -0700
Subject: [Fedora-directory-users] failover works but very slow.
Message-ID: <41fdffa10709111654m144ceb5ctf357ddb3a01de064@mail.gmail.com>

Hi,

We are using fedora 1.0.4. When the first ldap server dies and does not ping, the clients can still bind to the second server, but it is very slow to do anything on the clients; opening a terminal or listing a dir takes a few seconds. I find that when the ldap service is down on the first server but the server is still up and pingable, there is no delay on the clients at all, so I have the workaround to set up an eth0:0 on the second ldap server (or any other machine) to assume the IP of the first ldap server when the first ldap server does not ping.

Please see our /etc/ldap.conf and /etc/openldap/ldap.conf; we have only RHEL 3 and 4 clients. Any idea how to fix this?
Thanks
Mark

/etc/ldap.conf
host 1.1.1.1 2.2.2.2
port 636
ldap_version 3
base o=unix,dc=company,dc=com
scope sub
timelimit 5
bind_timelimit 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_password crypt
idle_timelimit 3600

/etc/openldap/ldap.conf
BASE o=unix,dc=company,dc=com
HOST 1.1.1.1 2.2.2.2
PORT 636

SIZELIMIT 0
TIMELIMIT 0

From gholbert at broadcom.com Wed Sep 12 00:03:08 2007
From: gholbert at broadcom.com (George Holbert)
Date: Tue, 11 Sep 2007 17:03:08 -0700
Subject: [Fedora-directory-users] failover works but very slow.
In-Reply-To: <41fdffa10709111654m144ceb5ctf357ddb3a01de064@mail.gmail.com>
References: <41fdffa10709111654m144ceb5ctf357ddb3a01de064@mail.gmail.com>
Message-ID: <46E72CBC.5000002@broadcom.com>

This is just the way it is with pam/nss_ldap as bundled in RHEL3 and RHEL4. There is no easy fix.
If you like, you can reduce bind_timelimit to something very small. But this still isn't much of a solution, since clients will definitely notice when the primary is down.
It's possible that newer versions of pam/nss_ldap handle failover more elegantly (I've seen notes to this effect in their Changelog). I haven't tested this myself yet.
Another possibility is to put some kind of load balancer in front of your LDAP servers, which hides from clients the failure of any individual LDAP server.

Hai Wu wrote:
> Hi,
>
> We are using fedora 1.0.4, When the first ldap server dies and does not ping,
> the clients can still bind to second server but it is very slow to do
> anything on clients, opening a terminal or listing a dir takes a few
> seconds. I find when ldap service is down on the first server but
> server it still up and pingable, there is no delay on clients at all,
> so I have the workaround to set up a eth0:0 on second ldap server(or
> any other machine) to assume the IP of the first ldap server when
> first ldap server does not ping.
> > Please see our /etc/ldap.conf and /etc/openldap/ldap.conf , we have > only Rhel 3 and 4 clients. Any idea how to fix this? > > Thanks > Mark > > /etc/ldap.conf > host 1.1.1.1 2.2.2.2 > port 636 > ldap_version 3 > base o=unix,dc=company,dc=com > scope sub > timelimit 5 > bind_timelimit 3 > pam_filter objectclass=posixAccount > pam_login_attribute uid > pam_member_attribute memberUid > pam_password crypt > idle_timelimit 3600 > > /etc/openldap/ldap.conf > BASE o=unix,dc=company,dc=com > HOST 1.1.1.1 2.2.2.2 > PORT 636 > > SIZELIMIT 0 > TIMELIMIT 0 > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > From markwu05 at gmail.com Wed Sep 12 00:30:52 2007 From: markwu05 at gmail.com (Hai Wu) Date: Tue, 11 Sep 2007 17:30:52 -0700 Subject: [Fedora-directory-users] failover works but very slow. In-Reply-To: <46E72CBC.5000002@broadcom.com> References: <41fdffa10709111654m144ceb5ctf357ddb3a01de064@mail.gmail.com> <46E72CBC.5000002@broadcom.com> Message-ID: <41fdffa10709111730s42bbe114xa799197d4c31700@mail.gmail.com> Thanks for your quick reply, it is hard to believe Redhat's Fedora DS has such problem on their OS. I tried to reduce bind_timelimit from 3 to 1 and it almost reduced the delay to an acceptable(but still noticeable) level, I think we will do this if there is no side effect to have such a small bind_timelimit. In the meaning time, I will stick to my taking-primary-IP workaround which reduces the delay to zero. On 9/11/07, George Holbert wrote: > This is just the way it is with pam/nss_ldap as bundled in RHEL3 and > RHEL4. There is no easy fix. > If you like, you can reduce bind_timelimit to something very small. But > this still isn't much of a solution, since clients will definitely > notice when the primary is down. > It's possible that newer versions of pam/nss_ldap handle failover more > elegantly (I've seen notes to this effect in their Changelog). 
I > haven't tested this myself yet. > Another possibility is to put some kind of load balancer in front of > your LDAP servers, which hides from clients the failure of any > individual LDAP server. > > > Hai Wu wrote: > > Hi, > > > > We are using fedora 1.0.4, When the first ldap server dies and does not ping, > > the clients can still bind to second server but it is very slow to do > > anything on clients, opening a terminal or listing a dir takes a few > > seconds. I find when ldap service is down on the first server but > > server it still up and pingable, there is no delay on clients at all, > > so I have the workaround to set up a eth0:0 on second ldap server(or > > any other machine) to assume the IP of the first ldap server when > > first ldap server does not ping. > > > > Please see our /etc/ldap.conf and /etc/openldap/ldap.conf , we have > > only Rhel 3 and 4 clients. Any idea how to fix this? > > > > Thanks > > Mark > > > > /etc/ldap.conf > > host 1.1.1.1 2.2.2.2 > > port 636 > > ldap_version 3 > > base o=unix,dc=company,dc=com > > scope sub > > timelimit 5 > > bind_timelimit 3 > > pam_filter objectclass=posixAccount > > pam_login_attribute uid > > pam_member_attribute memberUid > > pam_password crypt > > idle_timelimit 3600 > > > > /etc/openldap/ldap.conf > > BASE o=unix,dc=company,dc=com > > HOST 1.1.1.1 2.2.2.2 > > PORT 636 > > > > SIZELIMIT 0 > > TIMELIMIT 0 > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From gholbert at broadcom.com Wed Sep 12 00:43:46 2007 From: gholbert at broadcom.com (George Holbert) Date: Tue, 11 Sep 2007 17:43:46 -0700 Subject: [Fedora-directory-users] failover works but very slow. 
In-Reply-To: <41fdffa10709111730s42bbe114xa799197d4c31700@mail.gmail.com> References: <41fdffa10709111654m144ceb5ctf357ddb3a01de064@mail.gmail.com> <46E72CBC.5000002@broadcom.com> <41fdffa10709111730s42bbe114xa799197d4c31700@mail.gmail.com> Message-ID: <46E73642.9090408@broadcom.com> > > Thanks for your quick reply, it is hard to believe Redhat's Fedora DS > has such problem on their OS. Actually this is more related to the pam and nss_ldap libraries from PADL, which RedHat (and pretty much everyone else) bundles with their Linux. It's unlikely that recent improvements to PADL's software will show up in RHEL3 or RHEL4, but sometimes certain bugfixes are backported by RedHat. Hai Wu wrote: > Thanks for your quick reply, it is hard to believe Redhat's Fedora DS > has such problem on their OS. > I tried to reduce bind_timelimit from 3 to 1 and it almost reduced the > delay to an acceptable(but still noticeable) level, I think we will > do this if there is no side effect to have such a small > bind_timelimit. In the meaning time, I will stick to my > taking-primary-IP workaround which reduces the delay to zero. > > On 9/11/07, George Holbert wrote: > >> This is just the way it is with pam/nss_ldap as bundled in RHEL3 and >> RHEL4. There is no easy fix. >> If you like, you can reduce bind_timelimit to something very small. But >> this still isn't much of a solution, since clients will definitely >> notice when the primary is down. >> It's possible that newer versions of pam/nss_ldap handle failover more >> elegantly (I've seen notes to this effect in their Changelog). I >> haven't tested this myself yet. >> Another possibility is to put some kind of load balancer in front of >> your LDAP servers, which hides from clients the failure of any >> individual LDAP server. 
>> >> >> Hai Wu wrote: >> >>> Hi, >>> >>> We are using fedora 1.0.4, When the first ldap server dies and does not ping, >>> the clients can still bind to second server but it is very slow to do >>> anything on clients, opening a terminal or listing a dir takes a few >>> seconds. I find when ldap service is down on the first server but >>> server it still up and pingable, there is no delay on clients at all, >>> so I have the workaround to set up a eth0:0 on second ldap server(or >>> any other machine) to assume the IP of the first ldap server when >>> first ldap server does not ping. >>> >>> Please see our /etc/ldap.conf and /etc/openldap/ldap.conf , we have >>> only Rhel 3 and 4 clients. Any idea how to fix this? >>> >>> Thanks >>> Mark >>> >>> /etc/ldap.conf >>> host 1.1.1.1 2.2.2.2 >>> port 636 >>> ldap_version 3 >>> base o=unix,dc=company,dc=com >>> scope sub >>> timelimit 5 >>> bind_timelimit 3 >>> pam_filter objectclass=posixAccount >>> pam_login_attribute uid >>> pam_member_attribute memberUid >>> pam_password crypt >>> idle_timelimit 3600 >>> >>> /etc/openldap/ldap.conf >>> BASE o=unix,dc=company,dc=com >>> HOST 1.1.1.1 2.2.2.2 >>> PORT 636 >>> >>> SIZELIMIT 0 >>> TIMELIMIT 0 >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >>> >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > From rmeggins at redhat.com Wed Sep 12 00:55:30 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 11 Sep 2007 18:55:30 -0600 Subject: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris 10? 
In-Reply-To: References: <46E6A53A.5080002@redhat.com> Message-ID: <46E73902.3080301@redhat.com> Scott Ding wrote: > I got the FDS installed on Solaris 10 by calling ds_newinst.pl with a > inf file. However, when I tried to start the FDS, I got the following > error. It looks like I did not set up SSL correctly. Can anyone help? > > [11/Sep/2007:16:05:13 -0700] - SSL alert: Security Initialization: NSS > initialization failed (Netscape Portable Runtime error -8174 - security > library: bad database.): path: /home/dings/fds/alias/, certdb prefix: > slapd-lsctsol06-, keydb prefix: slapd-lsctsol06-. > Does the directory /home/dings/fds/alias exist? Is it owned by the server user? Is it writable by the server user? > [11/Sep/2007:16:05:13 -0700] - ERROR: NSS Initialization Failed. > > -----Original Message----- > From: Scott Ding > Sent: Tuesday, September 11, 2007 2:50 PM > To: General discussion list for the Fedora Directory server project. > Subject: RE: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris > 10? > > Rob, > > We got the FDS compiled on Solaris 10 with NET-SNMP 5.4.1. The compiled > result contains the following files: > > LICENSE.txt > README.txt > disktune > slapd.tar.gz > > > After I untar slapd.tar.gz, I got the following: > > alias > manual > shared > bin > - slapd > - admin > - server > - install > - property > -lib > lib > plugins > > I checked the Installation Guide. The instructions are based on RedHat. > Are there any installation instructions based on Solaris? > > Regards, > Scott > > > > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rob > Crittenden > Sent: Tuesday, September 11, 2007 7:25 AM > To: General discussion list for the Fedora Directory server project. > Subject: Re: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris > 10? > > Scott Ding wrote: > >> Has anyone built Fedora DS 1.0.4 on Solaris 10 (SPARC 32bit)? 
>> >> > > In theory this should work ok. > > I spent a little time many months ago to try to build it on Solaris 10 > x86 and nearly got there before running out of time and I never got back > to it because I needed to reclaim the disk space :-( > > I would recommend the manual build process defined at > http://directory.fedoraproject.org/wiki/Building . I would avoid the > "one-step build" because I suspect this is going to be very iterative > and while the auto-fetching is nice developing in that environment just > adds another layer of pain. > > It is possible to build on Solaris with gcc, the trick is figuring out > the magic to tell the various components to use it. I think things like > NSS, NSPR and FDS itself use the env variable NS_USE_GCC. Set that to 1 > and give it a go. There may be other tweaks required. > > And note that the manual instructions just cover the server itself. For > console, the plugins, etc there is more to do. > > rob > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Wed Sep 12 00:56:35 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 11 Sep 2007 18:56:35 -0600 Subject: [Fedora-directory-users] FDS crash - happened after adding views In-Reply-To: <1189550806.31875.13.camel@kcm40202.kcmhq.org> References: <1189548647.31875.10.camel@kcm40202.kcmhq.org> <1189550806.31875.13.camel@kcm40202.kcmhq.org> Message-ID: <46E73943.6070605@redhat.com> Dave Augustus wrote: > On Tue, 2007-09-11 at 17:10 -0500, Dave Augustus wrote: > >> Hello all, >> >> On Centos 5 x86_64, we have fedora-ds-1.0.4-1.FC6.x86_64 installed. >> >> We are in the painful process of migrating from OpenLDAP to FDS. After >> adding around 40 views. 
The server crashed and won't restart.
>>
>> Running slapd-server -d 1 provides no clues until the last statement:
>>
>> [11/Sep/2007:16:42:33 -0500] views-plugin - <-- views_cache_build_view_list
>> ./start-slapd: line 33: 14540 Segmentation fault ./ns-slapd -D /opt/fedora-ds/slapd-ldap1-server1 -i /opt/fedora-ds/slapd-ldap1-server1/logs/pid -w $STARTPIDFILE "$@"
>>
>> Is there a limit to views? The changelog shows that it has been around
>> for awhile.
>>
>> How do I recover? I have an ldif export but if I import the data with
>> these views will I run into the same problems?
>>
>> Thanks,
>> Dave
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>
>
> Also, when this occurred, the "Maximum Number of Files Open" via
> "fs.file-max" was not set. It is now set to 8192.
>
> Could this have caused my problem?
>
Possibly, but I doubt it. This looks like it could be a bug. Please file a bug in bugzilla.redhat.com.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From scott.ding at autodesk.com Wed Sep 12 02:56:36 2007
From: scott.ding at autodesk.com (Scott Ding)
Date: Tue, 11 Sep 2007 19:56:36 -0700
Subject: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris 10?
References: <46E6A53A.5080002@redhat.com> <46E73902.3080301@redhat.com>
Message-ID:

/home/dings/fds/alias does exist. I am starting FDS by using start-slapd as root user. /home/dings/fds/alias is writable by the server. It looks like start-slapd is looking for some certificate under /home/dings/fds/alias. I checked the content under /home/dings/alias. It contains only one file: libnssckbi.so.
-----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson Sent: Tuesday, September 11, 2007 5:56 PM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris 10? Scott Ding wrote: > I got the FDS installed on Solaris 10 by calling ds_newinst.pl with a > inf file. However, when I tried to start the FDS, I got the following > error. It looks like I did not set up SSL correctly. Can anyone help? > > [11/Sep/2007:16:05:13 -0700] - SSL alert: Security Initialization: NSS > initialization failed (Netscape Portable Runtime error -8174 - > security > library: bad database.): path: /home/dings/fds/alias/, certdb prefix: > slapd-lsctsol06-, keydb prefix: slapd-lsctsol06-. > Does the directory /home/dings/fds/alias exist? Is it owned by the server user? Is it writable by the server user? > [11/Sep/2007:16:05:13 -0700] - ERROR: NSS Initialization Failed. > > -----Original Message----- > From: Scott Ding > Sent: Tuesday, September 11, 2007 2:50 PM > To: General discussion list for the Fedora Directory server project. > Subject: RE: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris > 10? > > Rob, > > We got the FDS compiled on Solaris 10 with NET-SNMP 5.4.1. The > compiled result contains the following files: > > LICENSE.txt > README.txt > disktune > slapd.tar.gz > > > After I untar slapd.tar.gz, I got the following: > > alias > manual > shared > bin > - slapd > - admin > - server > - install > - property > -lib > lib > plugins > > I checked the Installation Guide. The instructions are based on RedHat. > Are there any installation instructions based on Solaris? 
> > Regards, > Scott > > > > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rob > Crittenden > Sent: Tuesday, September 11, 2007 7:25 AM > To: General discussion list for the Fedora Directory server project. > Subject: Re: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris > 10? > > Scott Ding wrote: > >> Has anyone built Fedora DS 1.0.4 on Solaris 10 (SPARC 32bit)? >> >> > > In theory this should work ok. > > I spent a little time many months ago to try to build it on Solaris 10 > x86 and nearly got there before running out of time and I never got > back to it because I needed to reclaim the disk space :-( > > I would recommend the manual build process defined at > http://directory.fedoraproject.org/wiki/Building . I would avoid the > "one-step build" because I suspect this is going to be very iterative > and while the auto-fetching is nice developing in that environment > just adds another layer of pain. > > It is possible to build on Solaris with gcc, the trick is figuring out > the magic to tell the various components to use it. I think things > like NSS, NSPR and FDS itself use the env variable NS_USE_GCC. Set > that to 1 and give it a go. There may be other tweaks required. > > And note that the manual instructions just cover the server itself. > For console, the plugins, etc there is more to do. > > rob > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From markwu05 at gmail.com Wed Sep 12 03:07:27 2007 From: markwu05 at gmail.com (Hai Wu) Date: Tue, 11 Sep 2007 20:07:27 -0700 Subject: [Fedora-directory-users] failover works but very slow. 
In-Reply-To: <46E73642.9090408@broadcom.com> References: <41fdffa10709111654m144ceb5ctf357ddb3a01de064@mail.gmail.com> <46E72CBC.5000002@broadcom.com> <41fdffa10709111730s42bbe114xa799197d4c31700@mail.gmail.com> <46E73642.9090408@broadcom.com> Message-ID: <41fdffa10709112007u57c2d4f7g1d5481b8388236e2@mail.gmail.com> I just want to add that our SUSE 10 clients do not have this problem at all. On 9/11/07, George Holbert wrote: > > > > Thanks for your quick reply, it is hard to believe Redhat's Fedora DS > > has such problem on their OS. > > Actually this is more related to the pam and nss_ldap libraries from > PADL, which RedHat (and pretty much everyone else) bundles with their Linux. > It's unlikely that recent improvements to PADL's software will show up > in RHEL3 or RHEL4, but sometimes certain bugfixes are backported by RedHat. > > > Hai Wu wrote: > > Thanks for your quick reply, it is hard to believe Redhat's Fedora DS > > has such problem on their OS. > > I tried to reduce bind_timelimit from 3 to 1 and it almost reduced the > > delay to an acceptable(but still noticeable) level, I think we will > > do this if there is no side effect to have such a small > > bind_timelimit. In the meaning time, I will stick to my > > taking-primary-IP workaround which reduces the delay to zero. > > > > On 9/11/07, George Holbert wrote: > > > >> This is just the way it is with pam/nss_ldap as bundled in RHEL3 and > >> RHEL4. There is no easy fix. > >> If you like, you can reduce bind_timelimit to something very small. But > >> this still isn't much of a solution, since clients will definitely > >> notice when the primary is down. > >> It's possible that newer versions of pam/nss_ldap handle failover more > >> elegantly (I've seen notes to this effect in their Changelog). I > >> haven't tested this myself yet. > >> Another possibility is to put some kind of load balancer in front of > >> your LDAP servers, which hides from clients the failure of any > >> individual LDAP server. 
> >> > >> > >> Hai Wu wrote: > >> > >>> Hi, > >>> > >>> We are using fedora 1.0.4, When the first ldap server dies and does not ping, > >>> the clients can still bind to second server but it is very slow to do > >>> anything on clients, opening a terminal or listing a dir takes a few > >>> seconds. I find when ldap service is down on the first server but > >>> server it still up and pingable, there is no delay on clients at all, > >>> so I have the workaround to set up a eth0:0 on second ldap server(or > >>> any other machine) to assume the IP of the first ldap server when > >>> first ldap server does not ping. > >>> > >>> Please see our /etc/ldap.conf and /etc/openldap/ldap.conf , we have > >>> only Rhel 3 and 4 clients. Any idea how to fix this? > >>> > >>> Thanks > >>> Mark > >>> > >>> /etc/ldap.conf > >>> host 1.1.1.1 2.2.2.2 > >>> port 636 > >>> ldap_version 3 > >>> base o=unix,dc=company,dc=com > >>> scope sub > >>> timelimit 5 > >>> bind_timelimit 3 > >>> pam_filter objectclass=posixAccount > >>> pam_login_attribute uid > >>> pam_member_attribute memberUid > >>> pam_password crypt > >>> idle_timelimit 3600 > >>> > >>> /etc/openldap/ldap.conf > >>> BASE o=unix,dc=company,dc=com > >>> HOST 1.1.1.1 2.2.2.2 > >>> PORT 636 > >>> > >>> SIZELIMIT 0 > >>> TIMELIMIT 0 > >>> > >>> -- > >>> Fedora-directory-users mailing list > >>> Fedora-directory-users at redhat.com > >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users > >>> > >>> > >>> > >> > >> -- > >> Fedora-directory-users mailing list > >> Fedora-directory-users at redhat.com > >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > >> > >> > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From davea at support.kcm.org 
Wed Sep 12 11:49:13 2007
From: davea at support.kcm.org (Dave Augustus)
Date: Wed, 12 Sep 2007 06:49:13 -0500
Subject: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris 10?
References: <46E6A53A.5080002@redhat.com> <46E73902.3080301@redhat.com>
Message-ID: <1189597753.7534.14.camel@springer>

On Tue, 2007-09-11 at 19:56 -0700, Scott Ding wrote:
> /home/dings/fds/alias does exist. I am starting FDS by using start-slapd
> as root user. /home/dings/fds/alias is writable by the server. It looks
> like start-slapd is looking for some certificate under
> /home/dings/fds/alias. I checked the content under /home/dings/alias. It
> contains only one file: libnssckbi.so.
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard
> Megginson
> Sent: Tuesday, September 11, 2007 5:56 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris
> 10?
>
> Scott Ding wrote:
> > I got the FDS installed on Solaris 10 by calling ds_newinst.pl with an
> > inf file. However, when I tried to start the FDS, I got the following
> > error. It looks like I did not set up SSL correctly. Can anyone help?
> >
> > [11/Sep/2007:16:05:13 -0700] - SSL alert: Security Initialization: NSS
> > initialization failed (Netscape Portable Runtime error -8174 - security
> > library: bad database.): path: /home/dings/fds/alias/, certdb prefix:
> > slapd-lsctsol06-, keydb prefix: slapd-lsctsol06-.
>
> Does the directory /home/dings/fds/alias exist? Is it owned by the
> server user? Is it writable by the server user?
>
> > [11/Sep/2007:16:05:13 -0700] - ERROR: NSS Initialization Failed.
> >
> > -----Original Message-----
> > From: Scott Ding
> > Sent: Tuesday, September 11, 2007 2:50 PM
> > To: General discussion list for the Fedora Directory server project.
> > Subject: RE: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris
> > 10?
> >
> > Rob,
> >
> > We got the FDS compiled on Solaris 10 with NET-SNMP 5.4.1. The
> > compiled result contains the following files:
> >
> > LICENSE.txt
> > README.txt
> > disktune
> > slapd.tar.gz
> >
> > After I untar slapd.tar.gz, I got the following:
> >
> > alias
> > manual
> > shared
> > bin
> > - slapd
> > - admin
> > - server
> > - install
> > - property
> > - lib
> > lib
> > plugins
> >
> > I checked the Installation Guide. The instructions are based on
> > RedHat.
> > Are there any installation instructions based on Solaris?
> >
> > Regards,
> > Scott
> >
> > -----Original Message-----
> > From: fedora-directory-users-bounces at redhat.com
> > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rob
> > Crittenden
> > Sent: Tuesday, September 11, 2007 7:25 AM
> > To: General discussion list for the Fedora Directory server project.
> > Subject: Re: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris
> > 10?
> >
> > Scott Ding wrote:
> >> Has anyone built Fedora DS 1.0.4 on Solaris 10 (SPARC 32bit)?
> >
> > In theory this should work ok.
> >
> > I spent a little time many months ago to try to build it on Solaris 10
> > x86 and nearly got there before running out of time and I never got
> > back to it because I needed to reclaim the disk space :-(
> >
> > I would recommend the manual build process defined at
> > http://directory.fedoraproject.org/wiki/Building . I would avoid the
> > "one-step build" because I suspect this is going to be very iterative
> > and while the auto-fetching is nice developing in that environment
> > just adds another layer of pain.
> >
> > It is possible to build on Solaris with gcc, the trick is figuring out
> > the magic to tell the various components to use it. I think things
> > like NSS, NSPR and FDS itself use the env variable NS_USE_GCC. Set
> > that to 1 and give it a go.
> > There may be other tweaks required.
> >
> > And note that the manual instructions just cover the server itself.
> > For console, the plugins, etc there is more to do.
> >
> > rob

My guess is that you just need to create the cert files. Look for the
certutil-bin binary in /opt/fedora-ds/shared/bin (no clue where on
Solaris). Do certutil-bin -h . The cert db files will need to be named
appropriately and located in alias. Something like:

slapd-lsctsol06-key3.db
slapd-lsctsol06-cert8.db

Also, I think that secmod.db is needed but I don't know what it contains.

Dave

From srigler at marathonoil.com Wed Sep 12 12:16:44 2007
From: srigler at marathonoil.com (Steve Rigler)
Date: Wed, 12 Sep 2007 07:16:44 -0500
Subject: [Fedora-directory-users] ssh login fail
Message-ID: <1189599404.2965.6.camel@houuc8>

On Wed, 2007-09-12 at 10:07 +1200, Steven Jones wrote:
> I must have had multiple issues and initially I created accounts with a
> posix user but later as I had re-done fully it sooo many times, I
> stopped bothering....not realising it could have been an issue.
>
> SO I just setup the posix account settings (as shown above) and ssh
> login now works....
>
> ****slaps self repeatedly*****
>
> So under the ssh howtos there needs to be at least some pre-requisites ie
> full posix setup....

I wouldn't consider this a "ssh setup" issue. You'd probably find plenty
of helpful info googling for LDAP NIS replacement. This would translate
into a setup that would work for ssh.
-Steve

From srigler at marathonoil.com Wed Sep 12 12:43:34 2007
From: srigler at marathonoil.com (Steve Rigler)
Date: Wed, 12 Sep 2007 07:43:34 -0500
Subject: [Fedora-directory-users] failover works but very slow.
In-Reply-To: <41fdffa10709111654m144ceb5ctf357ddb3a01de064@mail.gmail.com>
References: <41fdffa10709111654m144ceb5ctf357ddb3a01de064@mail.gmail.com>
Message-ID: <1189601014.2965.27.camel@houuc8>

On Tue, 2007-09-11 at 16:54 -0700, Hai Wu wrote:
> Hi,
>
> We are using fedora 1.0.4, When the first ldap server dies and does not ping,
> the clients can still bind to second server but it is very slow to do
> anything on clients, opening a terminal or listing a dir takes a few
> seconds. I find when ldap service is down on the first server but
> server is still up and pingable, there is no delay on clients at all,
> so I have the workaround to set up a eth0:0 on second ldap server(or
> any other machine) to assume the IP of the first ldap server when
> first ldap server does not ping.

We put our FDS servers behind a Piranha load-balancer and pointed the
clients at the VIP. Works like a dream; loads are evenly distributed and
if a server goes down the clients don't even notice it.

-Steve

From rcritten at redhat.com Wed Sep 12 13:08:47 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Sep 2007 09:08:47 -0400
Subject: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris 10?
In-Reply-To: <1189597753.7534.14.camel@springer>
References: <46E6A53A.5080002@redhat.com> <46E73902.3080301@redhat.com> <1189597753.7534.14.camel@springer>
Message-ID: <46E7E4DF.70808@redhat.com>

Dave Augustus wrote:
>
> On Tue, 2007-09-11 at 19:56 -0700, Scott Ding wrote:
>> /home/dings/fds/alias does exist. I am starting FDS by using start-slapd
>> as root user. /home/dings/fds/alias is writable by the server. It looks
>> like start-slapd is looking for some certificate under
>> /home/dings/fds/alias. I checked the content under /home/dings/alias.
>> It contains only one file: libnssckbi.so.
>>
>> -----Original Message-----
>> From: fedora-directory-users-bounces at redhat.com
>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard
>> Megginson
>> Sent: Tuesday, September 11, 2007 5:56 PM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: Re: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris
>> 10?
>>
>> Scott Ding wrote:
>> > I got the FDS installed on Solaris 10 by calling ds_newinst.pl with an
>> > inf file. However, when I tried to start the FDS, I got the following
>> > error. It looks like I did not set up SSL correctly. Can anyone help?
>> >
>> > [11/Sep/2007:16:05:13 -0700] - SSL alert: Security Initialization: NSS
>> > initialization failed (Netscape Portable Runtime error -8174 - security
>> > library: bad database.): path: /home/dings/fds/alias/, certdb prefix:
>> > slapd-lsctsol06-, keydb prefix: slapd-lsctsol06-.
>>
>> Does the directory /home/dings/fds/alias exist? Is it owned by the
>> server user? Is it writable by the server user?
>>
>> > [11/Sep/2007:16:05:13 -0700] - ERROR: NSS Initialization Failed.
>> >
>> > -----Original Message-----
>> > From: Scott Ding
>> > Sent: Tuesday, September 11, 2007 2:50 PM
>> > To: General discussion list for the Fedora Directory server project.
>> > Subject: RE: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris
>> > 10?
>> >
>> > Rob,
>> >
>> > We got the FDS compiled on Solaris 10 with NET-SNMP 5.4.1. The
>> > compiled result contains the following files:
>> >
>> > LICENSE.txt
>> > README.txt
>> > disktune
>> > slapd.tar.gz
>> >
>> > After I untar slapd.tar.gz, I got the following:
>> >
>> > alias
>> > manual
>> > shared
>> > bin
>> > - slapd
>> > - admin
>> > - server
>> > - install
>> > - property
>> > - lib
>> > lib
>> > plugins
>> >
>> > I checked the Installation Guide. The instructions are based on
>> > RedHat.
>> > Are there any installation instructions based on Solaris?
>> >
>> > Regards,
>> > Scott
>> >
>> > -----Original Message-----
>> > From: fedora-directory-users-bounces at redhat.com
>> > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rob
>> > Crittenden
>> > Sent: Tuesday, September 11, 2007 7:25 AM
>> > To: General discussion list for the Fedora Directory server project.
>> > Subject: Re: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris
>> > 10?
>> >
>> > Scott Ding wrote:
>> >> Has anyone built Fedora DS 1.0.4 on Solaris 10 (SPARC 32bit)?
>> >
>> > In theory this should work ok.
>> >
>> > I spent a little time many months ago to try to build it on Solaris 10
>> > x86 and nearly got there before running out of time and I never got
>> > back to it because I needed to reclaim the disk space :-(
>> >
>> > I would recommend the manual build process defined at
>> > http://directory.fedoraproject.org/wiki/Building . I would avoid the
>> > "one-step build" because I suspect this is going to be very iterative
>> > and while the auto-fetching is nice developing in that environment
>> > just adds another layer of pain.
>> >
>> > It is possible to build on Solaris with gcc, the trick is figuring out
>> > the magic to tell the various components to use it. I think things
>> > like NSS, NSPR and FDS itself use the env variable NS_USE_GCC. Set
>> > that to 1 and give it a go. There may be other tweaks required.
>> >
>> > And note that the manual instructions just cover the server itself.
>> > For console, the plugins, etc there is more to do.
>> >
>> > rob
>
> My guess is that you just need to create the cert files. Look for the
> certutil-bin binary in /opt/fedora-ds/shared/bin (no clue where on
> Solaris). Do certutil-bin -h . The cert db files will need to be named
> appropriately and located in alias. Something like:
> slapd-lsctsol06-key3.db
> slapd-lsctsol06-cert8.db
> Also, I think that secmod.db is needed but I don't know what it contains.

Solaris should already have certutil. You need to run something like:

# certutil -N -d /home/dings/fds/alias -P slapd-lsctsol06-

Note that there is a trailing dash. This is important.

You'll be prompted to set a security password. Enter one or just press
ENTER twice to not set one.

That should do the trick.

rob

From mwallnoefer at yahoo.de Tue Sep 11 17:59:55 2007
From: mwallnoefer at yahoo.de (Matthias Dieter Wallnöfer)
Date: Tue, 11 Sep 2007 19:59:55 +0200
Subject: [Fedora-directory-users] FDS schema
Message-ID: <46E6D79B.4010306@yahoo.de>

Hi all!

On a FDS installation I notice many installed schema files that are used
by the old Netscape or SUN enterprise services (50ns-*). I think they
aren't necessary for many environments and shouldn't be installed by
default anymore. For the next release I would propose an advanced option
for this issue. Would this be possible or is there a special reason for
keeping them?
Matthias

From rmeggins at redhat.com Wed Sep 12 14:39:22 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 12 Sep 2007 08:39:22 -0600
Subject: [Fedora-directory-users] FDS schema
In-Reply-To: <46E6D79B.4010306@yahoo.de>
References: <46E6D79B.4010306@yahoo.de>
Message-ID: <46E7FA1A.2000108@redhat.com>

Matthias Dieter Wallnöfer wrote:
> Hi all!
>
> On a FDS installation I notice many installed schema files that are
> used by the old Netscape or SUN enterprise services (50ns-*). I think
> they aren't necessary for many environments and shouldn't be installed
> by default anymore. For the next release I would propose an advanced
> option for this issue. Would this be possible or is there a special
> reason for keeping them?

No. The obsolete schema will be gone with the next release. It's already
been removed from CVS HEAD.

> Matthias

From davea at support.kcm.org Wed Sep 12 15:54:14 2007
From: davea at support.kcm.org (Dave Augustus)
Date: Wed, 12 Sep 2007 10:54:14 -0500
Subject: [Fedora-directory-users] FDS crash - happened after adding views
In-Reply-To: <46E73943.6070605@redhat.com>
References: <1189548647.31875.10.camel@kcm40202.kcmhq.org> <1189550806.31875.13.camel@kcm40202.kcmhq.org> <46E73943.6070605@redhat.com>
Message-ID: <1189612454.5923.1.camel@kcm40202.kcmhq.org>

On Tue, 2007-09-11 at 18:56 -0600, Richard Megginson wrote:
> Dave Augustus wrote:
> > On Tue, 2007-09-11 at 17:10 -0500, Dave Augustus wrote:
> >
> >> Hello all,
> >>
> >> On Centos 5 x86_64, we have fedora-ds-1.0.4-1.FC6.x86_64 installed.
> >>
> >> We are in the painful process of migrating from OpenLDAP to FDS. After
> >> adding around 40 views.
> >> The server crashed and won't restart.
> >>
> >> Running slapd-server -d 1 provides no clues until the last statement:
> >>
> >> [11/Sep/2007:16:42:33 -0500] views-plugin - <--
> >> views_cache_build_view_list
> >> ./start-slapd: line 33: 14540 Segmentation fault ./ns-slapd -
> >> D /opt/fedora-ds/slapd-ldap1-server1 -i /opt/fedora-ds/slapd-ldap1-
> >> server1/logs/pid -w $STARTPIDFILE "$@"
> >>
> >> Is there a limit to views? The changelog shows that it has been around
> >> for awhile.
> >>
> >> How do I recover? I have an ldif export but if I import the data with
> >> these views will I run into the same problems?
> >>
> >> Thanks,
> >> Dave
> >
> > Also, when this occurred, the "Maximum Number of Files Open" via
> > "fs.file-max" was not set. It is now set to 8192.
> >
> > Could this have caused my problem?
>
> Possibly, but I doubt it. This looks like it could be a bug. Please
> file a bug in bugzilla.redhat.com.

OK, will do. I was kind of surprised with the problem as it seems that
views have been around awhile.

Would using a different rpm perhaps help?
From rmeggins at redhat.com Wed Sep 12 15:56:42 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 12 Sep 2007 09:56:42 -0600
Subject: [Fedora-directory-users] FDS crash - happened after adding views
In-Reply-To: <1189612454.5923.1.camel@kcm40202.kcmhq.org>
References: <1189548647.31875.10.camel@kcm40202.kcmhq.org> <1189550806.31875.13.camel@kcm40202.kcmhq.org> <46E73943.6070605@redhat.com> <1189612454.5923.1.camel@kcm40202.kcmhq.org>
Message-ID: <46E80C3A.3090406@redhat.com>

Dave Augustus wrote:
> On Tue, 2007-09-11 at 18:56 -0600, Richard Megginson wrote:
>> Dave Augustus wrote:
>>> On Tue, 2007-09-11 at 17:10 -0500, Dave Augustus wrote:
>>>
>>>> Hello all,
>>>>
>>>> On Centos 5 x86_64, we have fedora-ds-1.0.4-1.FC6.x86_64 installed.
>>>>
>>>> We are in the painful process of migrating from OpenLDAP to FDS. After
>>>> adding around 40 views. The server crashed and won't restart.
>>>>
>>>> Running slapd-server -d 1 provides no clues until the last statement:
>>>>
>>>> [11/Sep/2007:16:42:33 -0500] views-plugin - <--
>>>> views_cache_build_view_list
>>>> ./start-slapd: line 33: 14540 Segmentation fault ./ns-slapd -
>>>> D /opt/fedora-ds/slapd-ldap1-server1 -i /opt/fedora-ds/slapd-ldap1-
>>>> server1/logs/pid -w $STARTPIDFILE "$@"
>>>>
>>>> Is there a limit to views? The changelog shows that it has been around
>>>> for awhile.
>>>>
>>>> How do I recover? I have an ldif export but if I import the data with
>>>> these views will I run into the same problems?
>>>>
>>>> Thanks,
>>>> Dave
>>>
>>> Also, when this occurred, the "Maximum Number of Files Open" via
>>> "fs.file-max" was not set. It is now set to 8192.
>>>
>>> Could this have caused my problem?
>>
>> Possibly, but I doubt it. This looks like it could be a bug. Please
>> file a bug in bugzilla.redhat.com.
>
> OK, will do. I was kind of surprised with the problem as it seems that
> views have been around awhile.
>
> Would using a different rpm perhaps help?

Perhaps, but I doubt it. CentOS 5 is very, very close to FC6, so that
should be the most appropriate binary to use.

Could you narrow the problem down? You say it crashes when using 40
views - does it work if you use fewer views?

From scott.ding at autodesk.com Wed Sep 12 17:46:28 2007
From: scott.ding at autodesk.com (Scott Ding)
Date: Wed, 12 Sep 2007 10:46:28 -0700
Subject: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris 10?
References: <46E6A53A.5080002@redhat.com> <46E73902.3080301@redhat.com> <1189597753.7534.14.camel@springer> <46E7E4DF.70808@redhat.com>

Using the certutil-bin instructions given by Rob, I was able to generate
slapd-lsctsol06-key3.db, slapd-lsctsol06-cert8.db, and secmod.db
successfully under /home/dings/fds/alias. However, when I call start-slapd
as root, I still get the same errors. Attached is the errors log file
under logs.

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rob Crittenden
Sent: Wednesday, September 12, 2007 6:09 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris 10?

Dave Augustus wrote:
>
> On Tue, 2007-09-11 at 19:56 -0700, Scott Ding wrote:
>> /home/dings/fds/alias does exist. I am starting FDS by using
>> start-slapd as root user. /home/dings/fds/alias is writable by the
>> server. It looks like start-slapd is looking for some certificate
>> under /home/dings/fds/alias. I checked the content under
>> /home/dings/alias. It contains only one file: libnssckbi.so.
>>
>> -----Original Message-----
>> From: fedora-directory-users-bounces at redhat.com
>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of
>> Richard Megginson
>> Sent: Tuesday, September 11, 2007 5:56 PM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: Re: [Fedora-directory-users] Fedora DS 1.0.4 build on
>> Solaris 10?
>>
>> Scott Ding wrote:
>> > I got the FDS installed on Solaris 10 by calling ds_newinst.pl with
>> > an inf file. However, when I tried to start the FDS, I got the
>> > following error. It looks like I did not set up SSL correctly. Can anyone help?
>> >
>> > [11/Sep/2007:16:05:13 -0700] - SSL alert: Security Initialization:
>> > NSS initialization failed (Netscape Portable Runtime error -8174 -
>> > security library: bad database.): path: /home/dings/fds/alias/, certdb prefix:
>> > slapd-lsctsol06-, keydb prefix: slapd-lsctsol06-.
>>
>> Does the directory /home/dings/fds/alias exist? Is it owned by the
>> server user? Is it writable by the server user?
>>
>> > [11/Sep/2007:16:05:13 -0700] - ERROR: NSS Initialization Failed.
>> >
>> > -----Original Message-----
>> > From: Scott Ding
>> > Sent: Tuesday, September 11, 2007 2:50 PM
>> > To: General discussion list for the Fedora Directory server project.
>> > Subject: RE: [Fedora-directory-users] Fedora DS 1.0.4 build on
>> > Solaris 10?
>> >
>> > Rob,
>> >
>> > We got the FDS compiled on Solaris 10 with NET-SNMP 5.4.1. The
>> > compiled result contains the following files:
>> >
>> > LICENSE.txt
>> > README.txt
>> > disktune
>> > slapd.tar.gz
>> >
>> > After I untar slapd.tar.gz, I got the following:
>> >
>> > alias
>> > manual
>> > shared
>> > bin
>> > - slapd
>> > - admin
>> > - server
>> > - install
>> > - property
>> > - lib
>> > lib
>> > plugins
>> >
>> > I checked the Installation Guide. The instructions are based on
>> > RedHat.
>> > Are there any installation instructions based on Solaris?
>> >
>> > Regards,
>> > Scott
>> >
>> > -----Original Message-----
>> > From: fedora-directory-users-bounces at redhat.com
>> > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of
>> > Rob Crittenden
>> > Sent: Tuesday, September 11, 2007 7:25 AM
>> > To: General discussion list for the Fedora Directory server project.
>> > Subject: Re: [Fedora-directory-users] Fedora DS 1.0.4 build on
>> > Solaris 10?
>> >
>> > Scott Ding wrote:
>> >> Has anyone built Fedora DS 1.0.4 on Solaris 10 (SPARC 32bit)?
>> >
>> > In theory this should work ok.
>> >
>> > I spent a little time many months ago to try to build it on Solaris
>> > 10 x86 and nearly got there before running out of time and I never got
>> > back to it because I needed to reclaim the disk space :-(
>> >
>> > I would recommend the manual build process defined at
>> > http://directory.fedoraproject.org/wiki/Building . I would avoid
>> > the "one-step build" because I suspect this is going to be very
>> > iterative and while the auto-fetching is nice developing in that
>> > environment just adds another layer of pain.
>> >
>> > It is possible to build on Solaris with gcc, the trick is figuring
>> > out the magic to tell the various components to use it. I think things
>> > like NSS, NSPR and FDS itself use the env variable NS_USE_GCC. Set
>> > that to 1 and give it a go. There may be other tweaks required.
>> >
>> > And note that the manual instructions just cover the server itself.
>> > For console, the plugins, etc there is more to do.
>> >
>> > rob
>
> My guess is that you just need to create the cert files. Look for the
> certutil-bin binary in /opt/fedora-ds/shared/bin (no clue where on
> Solaris). Do certutil-bin -h . The cert db files will need to be named
> appropriately and located in alias. Something like:
> slapd-lsctsol06-key3.db
> slapd-lsctsol06-cert8.db
> Also, I think that secmod.db is needed but I don't know what it contains.

Solaris should already have certutil. You need to run something like:

# certutil -N -d /home/dings/fds/alias -P slapd-lsctsol06-

Note that there is a trailing dash. This is important.

You'll be prompted to set a security password.
Enter one or just press ENTER twice to not set one.

That should do the trick.

rob

From gholbert at broadcom.com Wed Sep 12 17:59:54 2007
From: gholbert at broadcom.com (George Holbert)
Date: Wed, 12 Sep 2007 10:59:54 -0700
Subject: [Fedora-directory-users] failover works but very slow.
In-Reply-To: <41fdffa10709112007u57c2d4f7g1d5481b8388236e2@mail.gmail.com>
References: <41fdffa10709111654m144ceb5ctf357ddb3a01de064@mail.gmail.com> <46E72CBC.5000002@broadcom.com> <41fdffa10709111730s42bbe114xa799197d4c31700@mail.gmail.com> <46E73642.9090408@broadcom.com> <41fdffa10709112007u57c2d4f7g1d5481b8388236e2@mail.gmail.com>
Message-ID: <46E8291A.3030801@broadcom.com>

> I just want to add that our SUSE 10 clients do not have this problem at all.

Interesting! Do you know what versions of pam_ldap and nss_ldap are used
on those clients?

Hai Wu wrote:
> I just want to add that our SUSE 10 clients do not have this problem at all.
>
> On 9/11/07, George Holbert wrote:
>>> Thanks for your quick reply, it is hard to believe Redhat's Fedora DS
>>> has such problem on their OS.
>>
>> Actually this is more related to the pam and nss_ldap libraries from
>> PADL, which RedHat (and pretty much everyone else) bundles with their Linux.
>> It's unlikely that recent improvements to PADL's software will show up
>> in RHEL3 or RHEL4, but sometimes certain bugfixes are backported by RedHat.
>>
>> Hai Wu wrote:
>>> Thanks for your quick reply, it is hard to believe Redhat's Fedora DS
>>> has such problem on their OS.
>>> I tried to reduce bind_timelimit from 3 to 1 and it almost reduced the
>>> delay to an acceptable(but still noticeable) level, I think we will
>>> do this if there is no side effect to have such a small
>>> bind_timelimit.
>>> In the meantime, I will stick to my
>>> taking-primary-IP workaround which reduces the delay to zero.
>>>
>>> On 9/11/07, George Holbert wrote:
>>>> This is just the way it is with pam/nss_ldap as bundled in RHEL3 and
>>>> RHEL4. There is no easy fix.
>>>> If you like, you can reduce bind_timelimit to something very small. But
>>>> this still isn't much of a solution, since clients will definitely
>>>> notice when the primary is down.
>>>> It's possible that newer versions of pam/nss_ldap handle failover more
>>>> elegantly (I've seen notes to this effect in their Changelog). I
>>>> haven't tested this myself yet.
>>>> Another possibility is to put some kind of load balancer in front of
>>>> your LDAP servers, which hides from clients the failure of any
>>>> individual LDAP server.
>>>>
>>>> Hai Wu wrote:
>>>>> Hi,
>>>>>
>>>>> We are using fedora 1.0.4, When the first ldap server dies and does not ping,
>>>>> the clients can still bind to second server but it is very slow to do
>>>>> anything on clients, opening a terminal or listing a dir takes a few
>>>>> seconds. I find when ldap service is down on the first server but
>>>>> server is still up and pingable, there is no delay on clients at all,
>>>>> so I have the workaround to set up a eth0:0 on second ldap server(or
>>>>> any other machine) to assume the IP of the first ldap server when
>>>>> first ldap server does not ping.
>>>>>
>>>>> Please see our /etc/ldap.conf and /etc/openldap/ldap.conf , we have
>>>>> only Rhel 3 and 4 clients. Any idea how to fix this?
>>>>>
>>>>> Thanks
>>>>> Mark
>>>>>
>>>>> /etc/ldap.conf
>>>>> host 1.1.1.1 2.2.2.2
>>>>> port 636
>>>>> ldap_version 3
>>>>> base o=unix,dc=company,dc=com
>>>>> scope sub
>>>>> timelimit 5
>>>>> bind_timelimit 3
>>>>> pam_filter objectclass=posixAccount
>>>>> pam_login_attribute uid
>>>>> pam_member_attribute memberUid
>>>>> pam_password crypt
>>>>> idle_timelimit 3600
>>>>>
>>>>> /etc/openldap/ldap.conf
>>>>> BASE o=unix,dc=company,dc=com
>>>>> HOST 1.1.1.1 2.2.2.2
>>>>> PORT 636
>>>>>
>>>>> SIZELIMIT 0
>>>>> TIMELIMIT 0

From rcritten at redhat.com Wed Sep 12 18:06:04 2007
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 12 Sep 2007 14:06:04 -0400
Subject: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris 10?
References: <46E6A53A.5080002@redhat.com> <46E73902.3080301@redhat.com> <1189597753.7534.14.camel@springer> <46E7E4DF.70808@redhat.com>
Message-ID: <46E82A8C.5090501@redhat.com>

Scott Ding wrote:
> Using the certutil-bin instructions given by Rob, I was able to generate
> slapd-lsctsol06-key3.db, slapd-lsctsol06-cert8.db, and secmod.db
> successfully under /home/dings/fds/alias. However, when I call start-slapd
> as root, I still get the same errors. Attached is the errors log file
> under logs.

Are the files readable by the user the server runs as? You can find out
what that is configured by looking for nsslapd-localuser in
config/dse.ldif.

I'm a glutton for punishment so I might run truss on the start script and
look for where the NSS database is being opened and see if any errors are
thrown (EPERM, etc). You'll need a flag to follow forks, I think it is -f.

rob

> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rob Crittenden
> Sent: Wednesday, September 12, 2007 6:09 AM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris 10?
>
> Dave Augustus wrote:
>>
>> On Tue, 2007-09-11 at 19:56 -0700, Scott Ding wrote:
>>> /home/dings/fds/alias does exist. I am starting FDS by using
>>> start-slapd as root user. /home/dings/fds/alias is writable by the
>>> server. It looks like start-slapd is looking for some certificate
>>> under /home/dings/fds/alias. I checked the content under
>>> /home/dings/alias. It contains only one file: libnssckbi.so.
>>>
>>> -----Original Message-----
>>> From: fedora-directory-users-bounces at redhat.com
>>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of
>>> Richard Megginson
>>> Sent: Tuesday, September 11, 2007 5:56 PM
>>> To: General discussion list for the Fedora Directory server project.
>>> Subject: Re: [Fedora-directory-users] Fedora DS 1.0.4 build on
>>> Solaris 10?
>>>
>>> Scott Ding wrote:
>>>> I got the FDS installed on Solaris 10 by calling ds_newinst.pl with
>>>> an inf file. However, when I tried to start the FDS, I got the
>>>> following error. It looks like I did not set up SSL correctly. Can anyone help?
>>>>
>>>> [11/Sep/2007:16:05:13 -0700] - SSL alert: Security Initialization:
>>>> NSS initialization failed (Netscape Portable Runtime error -8174 -
>>>> security library: bad database.): path: /home/dings/fds/alias/, certdb prefix:
>>>> slapd-lsctsol06-, keydb prefix: slapd-lsctsol06-.
>>>
>>> Does the directory /home/dings/fds/alias exist? Is it owned by the
>>> server user? Is it writable by the server user?
>>>
>>>> [11/Sep/2007:16:05:13 -0700] - ERROR: NSS Initialization Failed.
>>>>
>>>> -----Original Message-----
>>>> From: Scott Ding
>>>> Sent: Tuesday, September 11, 2007 2:50 PM
>>>> To: General discussion list for the Fedora Directory server project.
>>>> Subject: RE: [Fedora-directory-users] Fedora DS 1.0.4 build on
>>>> Solaris 10?
>>>>
>>>> Rob,
>>>>
>>>> We got the FDS compiled on Solaris 10 with NET-SNMP 5.4.1.
The >>>> compiled result contains the following files: >>>> >>>> LICENSE.txt >>>> README.txt >>>> disktune >>>> slapd.tar.gz >>>> >>>> >>>> After I untar slapd.tar.gz, I got the following: >>>> >>>> alias >>>> manual >>>> shared >>>> bin >>>> - slapd >>>> - admin >>>> - server >>>> - install >>>> - property >>>> -lib >>>> lib >>>> plugins >>>> >>>> I checked the Installation Guide. The instructions are based on >>> RedHat. >>>> Are there any installation instructions based on Solaris? >>>> >>>> Regards, >>>> Scott >>>> >>>> >>>> >>>> >>>> -----Original Message----- >>>> From: fedora-directory-users-bounces at redhat.com >>>> >>>> [mailto:fedora-directory-users-bounces at redhat.com >>>> ] On Behalf Of >>>> Rob Crittenden >>>> Sent: Tuesday, September 11, 2007 7:25 AM >>>> To: General discussion list for the Fedora Directory server project. >>>> Subject: Re: [Fedora-directory-users] Fedora DS 1.0.4 build on >>>> Solaris >>>> 10? >>>> >>>> Scott Ding wrote: >>>> >>>>> Has anyone built Fedora DS 1.0.4 on Solaris 10 (SPARC 32bit)? >>>>> >>>>> >>>> In theory this should work ok. >>>> >>>> I spent a little time many months ago to try to build it on Solaris >>>> 10 >>>> x86 and nearly got there before running out of time and I never got >>>> back to it because I needed to reclaim the disk space :-( >>>> >>>> I would recommend the manual build process defined at >>>> http://directory.fedoraproject.org/wiki/Building . I would avoid >>>> the "one-step build" because I suspect this is going to be very >>>> iterative and while the auto-fetching is nice developing in that >>>> environment just adds another layer of pain. >>>> >>>> It is possible to build on Solaris with gcc, the trick is figuring >>>> out >>>> the magic to tell the various components to use it. I think things >>>> like NSS, NSPR and FDS itself use the env variable NS_USE_GCC. Set >>>> that to 1 and give it a go. There may be other tweaks required. 
>>>> >>>> And note that the manual instructions just cover the server itself. >>>> For console, the plugins, etc there is more to do. >>>> >>>> rob >>>> >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> My guess is that you just need to create the cert files. Look for the >> certutil-bin binary in /opt/fedora-ds/shared/bin (no clue where on >> Solaris). Do certutil-bin -h . The cert db files will need to be named >> appropriately and located in alias. Something like: >> slapd-lsctsol06-key3.db >> slapd-lsctsol06-cert8.db >> Also, I think that secmod.db is needed but I don't know what it contains. > > Solaris should already have certutil. You need to run something like: > > # certutil -N -d /home/dings/fds/alias -P slapd-lsctsol06- > > Note that there is a trailing dash. This is important. > > You'll be prompted to set a security password. Enter one or just press ENTER twice to not set one. > > That should do the trick. > > rob > > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From scott.ding at autodesk.com Wed Sep 12 19:57:12 2007 From: scott.ding at autodesk.com (Scott Ding) Date: Wed, 12 Sep 2007 12:57:12 -0700 Subject: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris 10? 
References: <46E6A53A.5080002@redhat.com> <46E73902.3080301@redhat.com> <1189597753.7534.14.camel@springer> <46E7E4DF.70808@redhat.com> <46E82A8C.5090501@redhat.com>
Message-ID:

The three certificate db files need to be read/write. After I changed them, the NSS initialization errors are gone. However, I now get a "server failed to start" prompt on the console. The logs/errors file does not show any specific errors. I used truss on start-slapd. It seems to be complaining that it could not find logs/startpid. Attached is the errors log file. The tail of the truss output is below.

----
4431: getrlimit(RLIMIT_STACK, 0xFFBFF740) = 0
4431: getpid() = 4431 [4388]
4431: setustack(0xFF3A2088)
4431: brk(0x000222F8) = 0
4431: brk(0x000242F8) = 0
4431: stat("/platform/SUNW,Sun-Fire-480R/lib/libc_psr.so.1", 0xFFBFECF8) = 0
4431: resolvepath("/platform/SUNW,Sun-Fire-480R/lib/libc_psr.so.1", "/platform/sun4u-us3/lib/libc_psr.so.1", 1023) = 37
4431: open("/platform/SUNW,Sun-Fire-480R/lib/libc_psr.so.1", O_RDONLY) = 3
4431: mmap(0x00010000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_ALIGN, 3, 0) = 0xFF390000
4431: mmap(0x00000000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFF380000
4431: close(3) = 0
4431: stat("/usr/lib/locale/en_US/en_US.so.3", 0xFFBFEE80) Err#2 ENOENT
4431: open("/usr/lib/locale/en_US/LC_MESSAGES/SUNW_OST_SGS.mo", O_RDONLY) Err#2 ENOENT
4431: open("/usr/lib/locale/en_US/LC_MESSAGES/SUNW_OST_OSLIB.mo", O_RDONLY) Err#2 ENOENT
4431: sigaction(SIGALRM, 0xFFBFFAF0, 0xFFBFFB90) = 0
4388: waitid(P_PID, 4431, 0xFFBFF808, WEXITED|WTRAPPED|WNOWAIT) (sleeping...)
4431: nanosleep(0xFFBFFBC8, 0xFFBFFBC0) = 0
4431: _exit(0)
4388: waitid(P_PID, 4431, 0xFFBFF808, WEXITED|WTRAPPED|WNOWAIT) = 0
4388: ioctl(0, TIOCGPGRP, 0xFFBFF824) = 0
4388: ioctl(0, TCGETS, 0x00039178) = 0
4388: waitid(P_PID, 4431, 0xFFBFF808, WEXITED|WTRAPPED) = 0
4388: brk(0x0003AB20) = 0
4388: read(19, " t e s t !   - f   $".., 128) = 128
4388: stat64("/home/dings/fds/slapd-lsctsol06/logs/startpid", 0xFFBFF7C0) Err#2 ENOENT
Server failed to start !!! Please check errors log for problems
4388: write(1, " S e r v e r   f a i l e".., 64) = 64
4388: _exit(1)

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rob Crittenden
Sent: Wednesday, September 12, 2007 11:06 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris 10?

Are the files readable by the user the server runs as? You can find out what that is configured by looking for nsslapd-localuser in config/dse.ldif.

I'm a glutton for punishment so I might run truss on the start script and look for where the NSS database is being opened and see if any errors are thrown (EPERM, etc). You'll need a flag to follow forks, I think it is -f.

rob

From Steven.Jones at vuw.ac.nz Wed Sep 12 20:19:31 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 13 Sep 2007 08:19:31 +1200
Subject: [Fedora-directory-users] ssh login fail
In-Reply-To: <1189599404.2965.6.camel@houuc8>
Message-ID:

Thanks, like a dictionary, google only returns useful stuff if you know what to look for... a bit catch 22.

Some of the docs I did read only covered ssh, and while yes it is probably a wider issue, leaving this point out of an ssh setup page is an issue...
regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Steve Rigler
Sent: Thursday, 13 September 2007 12:17 a.m.
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] ssh login fail

On Wed, 2007-09-12 at 10:07 +1200, Steven Jones wrote:
>
> I must have had multiple issues and initially I created accounts with a posix user but later, as I had re-done it fully sooo many times, I stopped bothering... not realising it could have been an issue.
>
> SO I just setup the posix account settings (as shown above) and ssh login now works....
>
> ****slaps self repeatedly*****
>
> So under the ssh howtos there needs to be at least some pre-requisites, ie full posix setup....
>

I wouldn't consider this an "ssh setup" issue. You'd probably find plenty of helpful info googling for LDAP NIS replacement. This would translate into a setup that would work for ssh.

-Steve

From scott.ding at autodesk.com Wed Sep 12 20:45:56 2007
From: scott.ding at autodesk.com (Scott Ding)
Date: Wed, 12 Sep 2007 13:45:56 -0700
Subject: [Fedora-directory-users] Fedora DS 1.0.4 build on Solaris 10?
References: <46E6A53A.5080002@redhat.com> <46E73902.3080301@redhat.com> <1189597753.7534.14.camel@springer> <46E7E4DF.70808@redhat.com> <46E82A8C.5090501@redhat.com>
Message-ID:

I got it working. The logs directory needs executable permission. Thank you all for helping me out!

From Steven.Jones at vuw.ac.nz Wed Sep 12 21:33:30 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 13 Sep 2007 09:33:30 +1200
Subject: [Fedora-directory-users] ssh login fail ~ a gotcha on RHAS4
In-Reply-To:
Message-ID:

While setting up a second AS4 client I ran authconfig-gtk and started to compare the before and after ldap.conf files, only to find I could not see any differences; doing a diff proved it. I even > ldap.conf the file to zero it and authconfig-gtk did not write a thing....

So I ran authconfig instead and this correctly edited the ldap.conf and ssh worked straight off (after an sshd re-start)....

So anyone out there trying to setup a client using authconfig-gtk should probably try/stick to authconfig instead.
regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

From Steven.Jones at vuw.ac.nz Wed Sep 12 23:25:08 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 13 Sep 2007 11:25:08 +1200
Subject: [Fedora-directory-users] Debian and MAC OSX (10.4) clients to FDS
In-Reply-To:
Message-ID:

Anybody got some good URLs or docs?

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

From Steven.Jones at vuw.ac.nz Thu Sep 13 03:01:23 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 13 Sep 2007 15:01:23 +1200
Subject: [Fedora-directory-users] Setting a self ssl certificate
In-Reply-To:
Message-ID:

While following the RDS manual to make a self cert, the last command is to convert the certification database,

8><-----

9. Run pk12util to convert the certificate database to pkcs12 format, so it is accessible by the Directory Server:

   /serverRoot/shared/bin/pk12util -d . -o cert.pk12 -n Server-Cert

It then asks me for,

"Enter Password or Pin for "NSS Certificate DB":"

Which I have no idea about.... the password I have been using does not work so I have no idea what this password is!

So where would I find it/set it, or am I using the wrong manual and if so what is the correct one?

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

From Steven.Jones at vuw.ac.nz Thu Sep 13 03:40:21 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 13 Sep 2007 15:40:21 +1200
Subject: [Fedora-directory-users] Setting a self ssl certificate
In-Reply-To:
Message-ID:

Since it appears the LDAP server was stuffed, I re-installed it and again followed the instructions, now I find that in attempting to re-start the server it will not.... so I have had to re-install again.

So this particular set of instructions,

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1085091

breaks the setup....

So is there a set of instructions to setup a self certified SSL server?

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

From peters at psinergybbs.com Thu Sep 13 03:55:31 2007
From: peters at psinergybbs.com (Peter Santiago)
Date: Thu, 13 Sep 2007 11:55:31 +0800
Subject: [Fedora-directory-users] Setting a self ssl certificate
In-Reply-To:
References:
Message-ID: <46E8B4B3.6060603@psinergybbs.com>

Steven Jones wrote:
> Since it appears the LDAP server was stuffed, I re-installed it and again followed the instructions, now I find that in attempting to re-start the server it will not.... so I have had to re-install again.
>
> So this particular set of instructions,
>
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1085091
>
> breaks the setup....
>
> So is there a set of instructions to setup a self certified SSL server?

Try using TinyCA2 or Webmin Certificate module to generate SSL certs...

--
Peter Santiago
peters at psinergybbs.com
My website: www.psinergybbs.com
My spamtrap address: r34987y at psinergybbs.com

From mwallnoefer at yahoo.de Wed Sep 12 19:19:41 2007
From: mwallnoefer at yahoo.de (Matthias Dieter Wallnöfer)
Date: Wed, 12 Sep 2007 21:19:41 +0200
Subject: [Fedora-directory-users] FDS schema
Message-ID: <46E83BCD.1090300@yahoo.de>

> No. The obsolete schema will be gone with the next release. It's already been removed from CVS HEAD.

But if I look in the HEAD branch (http://cvs.fedora.redhat.com/viewcvs/?root=dirsec&only_with_tag=HEAD ) and change to ldapserver/ldap/schema (http://cvs.fedora.redhat.com/viewcvs/ldapserver/ldap/schema/?root=dirsec&only_with_tag=HEAD ) I see them again. Is this alright?
Matthias From rmeggins at redhat.com Thu Sep 13 13:07:47 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 13 Sep 2007 07:07:47 -0600 Subject: [Fedora-directory-users] Setting a self ssl certificate In-Reply-To: References: Message-ID: <46E93623.5010804@redhat.com> Steven Jones wrote: > Since it appears the LDAP server was stuffed, How so? > I re-installed it and > again followed the instructions, now I find that in attempting to > re-start the server it will not.... Any errors? > so I have had to re-install again. > > So this particular set of instructions, > > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1085091 > > breaks the setup.... > How so? Did you see this - http://directory.fedoraproject.org/wiki/Howto:SSL The ssl.html above should mostly work, except for the NOTE under the link to ssl.html at http://directory.fedoraproject.org/wiki/Howto:SSL#Basic_Steps > So is there a set of instructions to setup a self certified SSL server? > If http://directory.fedoraproject.org/wiki/Howto:SSL doesn't work for you, try http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html which is also listed on the Howto:SSL page. > regards > > Steven Jones > Senior Linux/Unix/San/Vmware System Administrator > APG -Technology Integration Team > Victoria University of Wellington > Phone: +64 4 463 6272 > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Steven > Jones > Sent: Thursday, 13 September 2007 3:01 p.m. > To: General discussion list for the Fedora Directory server project. > Subject: [Fedora-directory-users] Setting a self ssl certificate > > > While following the RDS manual to make a self cert, the last command is > to convert the certification database, > > 8><----- > > 9. Run pk12util to convert the certificate database to pkcs12 format, > so it is accessible by the Directory Server: > > /serverRoot/shared/bin/pk12util -d . 
-o cert.pk12 -n Server-Cert > > It then asks me for, > > "Enter Password or Pin for "NSS Certificate DB":" > > Which I have no idea about....the password I have been using does not > work so I have no idea what this password is! > > So where would I find it/set it, or am I using the wrong manual and if > so what is the correct one? > > regards > > Steven Jones > Senior Linux/Unix/San/Vmware System Administrator > APG -Technology Integration Team > Victoria University of Wellington > Phone: +64 4 463 6272 > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Thu Sep 13 13:10:47 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 13 Sep 2007 07:10:47 -0600 Subject: [Fedora-directory-users] Setting a self ssl certificate In-Reply-To: References: Message-ID: <46E936D7.9010305@redhat.com> Steven Jones wrote: > While following the RDS manual to make a self cert, the last command is > to convert the certification database, > > 8><----- > > 9. Run pk12util to convert the certificate database to pkcs12 format, > so it is accessible by the Directory Server: > > /serverRoot/shared/bin/pk12util -d . -o cert.pk12 -n Server-Cert > > It then asks me for, > > "Enter Password or Pin for "NSS Certificate DB":" > > Which I have no idea about....the password I have been using does not > work so I have no idea what this password is! > Did you create a pin.txt file? Note that this is the same pin/password you will have to provide in order to start the directory server in SSL mode. You can skip this step. 
This step is just to allow you to backup your private key material in a
portable format.

> So where would I find it/set it, or am I using the wrong manual and if
> so what is the correct one?
>
> regards
>
> Steven Jones
> Senior Linux/Unix/San/Vmware System Administrator
> APG -Technology Integration Team
> Victoria University of Wellington
> Phone: +64 4 463 6272

From rmeggins at redhat.com Thu Sep 13 13:15:53 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 13 Sep 2007 07:15:53 -0600
Subject: [Fedora-directory-users] FDS schema
In-Reply-To: <46E83BCD.1090300@yahoo.de>
References: <46E83BCD.1090300@yahoo.de>
Message-ID: <46E93809.2090904@redhat.com>

Matthias Dieter Wallnöfer wrote:
>> No. The obsolete schema will be gone with the next release. It's
>> already been removed from CVS HEAD.
> But if I look in the HEAD branch
> (http://cvs.fedora.redhat.com/viewcvs/?root=dirsec&only_with_tag=HEAD)
> and change to ldapserver/ldap/schema
> (http://cvs.fedora.redhat.com/viewcvs/ldapserver/ldap/schema/?root=dirsec&only_with_tag=HEAD)
> I see them again. Is this alright?
Sorry, you are correct. It seems this has not yet been removed. It is
scheduled to be removed soon.
>
> Matthias

From Steven.Jones at vuw.ac.nz Thu Sep 13 20:24:41 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 14 Sep 2007 08:24:41 +1200
Subject: [Fedora-directory-users] Setting a self ssl certificate
In-Reply-To: <46E93623.5010804@redhat.com>

Steven Jones wrote:
> Since it appears the LDAP server was stuffed,

How so?

Won't start, cannot access.

> I re-installed it and
> again followed the instructions, now I find that in attempting to
> re-start the server it will not....

Any errors?

I never looked for logs, simply re-installed FDS, I'm getting good at it.

> so I have had to re-install again.
>
> So this particular set of instructions,
>
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1085091
>
> breaks the setup....
>

How so?

Following the RH page seemed to trash the setup so a start/restart failed.
Also trying to login to the admin server failed...I suspect replacing the two
keys under alias/ broke "something".

Did you see this - http://directory.fedoraproject.org/wiki/Howto:SSL

I found it last night while googl'ing from home after work, will work through
it this morning.

The ssl.html above should mostly work, except for the NOTE under the link to
ssl.html at http://directory.fedoraproject.org/wiki/Howto:SSL#Basic_Steps

> So is there a set of instructions to setup a self certified SSL server?
>

If http://directory.fedoraproject.org/wiki/Howto:SSL doesn't work for you, try
http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html
which is also listed on the Howto:SSL page.

Ditto, I found that as well.
Regards

Steven

From Steven.Jones at vuw.ac.nz Thu Sep 13 20:45:01 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 14 Sep 2007 08:45:01 +1200
Subject: [Fedora-directory-users] Debian client to FDS howto

I have written the below, if it is helpful/correct by all means place it on
the FDS wiki.

Debian client setup

Important notes

There would seem to be at least 2 places (if not three) containing
information for ldap. In order to make Debian 4 work I have deleted 2 and
sym linked. It is possible on patching Debian that these files may be
restored and LDAP authentication will no longer work. There may well be an
official method to setup Debian but I have not been able to locate one via
Google.

Ldap client setup (command line method)

Move to the ldap directory and backup the ldap.conf file.

cd /etc/ldap/ ; cp ldap.conf orig-ldap.conf

add/edit /etc/ldap/ldap.conf,

===========
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

host xxxx.195.87.249
base dc=xxxx,dc=ac,dc=nz
ssl no
TLS_CACERTDIR /etc/openldap/cacerts
pam_password exop
#pam_password md5

HOST xxx.195.87.249
BASE dc=xxxx,dc=ac,dc=nz
===========

cd /etc/ and back up pam_ldap.conf

cp /etc/pam_ldap.conf /etc/orig-pam_ldap.conf

and delete this file and link it to /etc/ldap/ldap.conf

ln -s /etc/ldap/ldap.conf /etc/pam_ldap.conf

cd /usr/share/libpam-ldap/ ; mv ldap.conf orig-ldap.conf
ln -s /etc/ldap/ldap.conf /usr/share/libpam-ldap/ldap.conf

At this point the ldapsearch tool and pam should be querying the LDAP server
and this will show up in the access log.

ssh

We will start with using ssh via LDAP,

cd /etc/ssh and more sshd_config and make sure,

"UsePAM yes"

is present, if not add it (should be there by default).

cd /etc/pam.d/ to set up the ssh file for pam.

Add in these lines at the beginning of the file,

#allow ldap
auth sufficient pam_ldap.so
account sufficient pam_ldap.so
session sufficient pam_ldap.so
password sufficient pam_ldap.so

restart ssh with

/etc/init.d/ssh restart

ssh logins should now work OK.

regards

Steven

From Steven.Jones at vuw.ac.nz Thu Sep 13 21:56:13 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 14 Sep 2007 09:56:13 +1200
Subject: [Fedora-directory-users] Setting a self ssl certificate
In-Reply-To: <46E93623.5010804@redhat.com>

Errors while following,

http://directory.fedoraproject.org/wiki/Howto:SSL

# ../shared/bin/certutil -S -n "CA certificate" -s \
> "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f \
> pwdfile.txt

Generating key.  This may take a few moments...

certutil-bin: could not obtain certificate from file: DER-encoded message
contained extra unused data.

Does this mean anything?

Followed by this error,

[root at vuwunicvfdsm001 alias]# ../shared/bin/certutil -S -n "Server-Cert" -s \
> "cn=vuw.ac.nz" -c "CA certificate" -t "u,u,u" -m 1001 -v \
> 120 -d . -z noise.txt -f pwdfile.txt

Generating key.  This may take a few moments...

certutil-bin: could not find certificate named "CA certificate": security
library: bad database.
certutil-bin: unable to create cert (security library: bad database.)
[root at vuwunicvfdsm001 alias]#

Does this mean anything?
The contents of alias/ are,

[root at vuwunicvfdsm001 alias]# ls -l
total 608
-rw------- 1 nobody nobody  65536 Sep 14 09:27 admin-serv-vuwunicvfdsm001-cert8.db
-rw------- 1 nobody nobody  16384 Sep 14 09:27 admin-serv-vuwunicvfdsm001-key3.db
-rw------- 1 root   root    65536 Sep 14 09:46 cert8.db
-rw------- 1 root   root    16384 Sep 14 09:46 key3.db
-rwxr-xr-x 1 nobody nobody 239744 Nov  8  2006 libnssckbi.so
-rw-r--r-- 1 nobody nobody     62 Sep 14 09:44 noise.txt
-rw------- 1 nobody nobody  65536 Sep 13 15:43 orig-slapd-vuwunicvfdsm001-cert8.db
-rw------- 1 nobody nobody  16384 Sep 13 15:43 orig-slapd-vuwunicvfdsm001-key3.db
-rw-r--r-- 1 nobody nobody      9 Sep 13 15:43 pwdfile.txt
-rw------- 1 nobody nobody  16384 Sep 13 15:33 secmod.db
-rw------- 1 nobody nobody  65536 Sep 13 15:33 slapd-vuwunicvfdsm001-cert8.db
-rw------- 1 nobody nobody  16384 Sep 14 09:29 slapd-vuwunicvfdsm001-key3.db
-rw-r----- 1 nobody nobody    416 Sep 14 09:27 tempcert
-rw-r----- 1 nobody nobody    345 Sep 14 09:27 tempcertreq

It is possible that since I generated some keys earlier there is some
"residue" that needs removing?

Secmod.db?
Tempcert?
Tempcertreq?

Regards

Steven

From Steven.Jones at vuw.ac.nz Thu Sep 13 22:21:33 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 14 Sep 2007 10:21:33 +1200
Subject: [Fedora-directory-users] Setting a self ssl certificate

The Fedora ssl document talks about replacing instruction 7. with its own, OK

But, do I then carry on following the RDS document? ie do 8. and 9. and if
so is the syntax for 9. correct? Eg,

".....9. Run pk12util to convert the certificate database to pkcs12 format,
so it is accessible by the Directory Server:

/serverRoot/shared/bin/pk12util -d . -o cert.pk12 -n Server-Cert

......."

Or is this bit missing from the RDS howto command as well?

"-P slapd-serverID-"

Then do I follow on with the fedora doc?

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

From Steven.Jones at vuw.ac.nz Thu Sep 13 22:28:17 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 14 Sep 2007 10:28:17 +1200
Subject: [Fedora-directory-users] Setting a self ssl certificate

Attempting to run steps 9 and 10 I get failures,

[root at vuwunicvfdsm001 alias]# ../shared/bin/pk12util -d . -P slapd-serverID- -o cacert.pfx -n "CA certificate"
Enter Password or Pin for "NSS Certificate DB":
pk12util-bin: find user certs from nickname failed: security library: bad database.
[root at vuwunicvfdsm001 alias]# ../shared/bin/pk12util -d . -P slapd-serverID- -o servercert.pfx -n Server-Cert
Enter Password or Pin for "NSS Certificate DB":
pk12util-bin: find user certs from nickname failed: security library: bad database.
[root at vuwunicvfdsm001 alias]#

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

From Steven.Jones at vuw.ac.nz Thu Sep 13 22:33:17 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 14 Sep 2007 10:33:17 +1200
Subject: [Fedora-directory-users] Setting a self ssl certificate

Attempting to carry on I seem to have a terminal failure,

[root at vuwunicvfdsm001 alias]# ../shared/bin/certutil -L -d . -P slapd-serverID- -n "CA certificate" -a > cacert.asc
certutil-bin: Could not find: CA certificate
: security library: bad database.
[root at vuwunicvfdsm001 alias]#

So what went wrong and how is it fixed?
regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

From scott.ding at autodesk.com Fri Sep 14 00:13:48 2007
From: scott.ding at autodesk.com (Scott Ding)
Date: Thu, 13 Sep 2007 17:13:48 -0700
Subject: [Fedora-directory-users] syntax in inf file
References: <46E6A53A.5080002@redhat.com>

Below is an inf file I created. Can someone tell me if it is correct
syntactically? I am not sure about Suffix, RootDN. In the installation guide,
there are spaces in front of the actual values like this.

Suffix= dc=example,dc=com
RootDN= cn=Directory Manager

Are those spaces required? In my inf, I did not have the spaces. Using LDAP
browser, I couldn't find any objects below dc=example.

------

[General]
FullMachineName=lsctsol06.autodesk.com
SuiteSpotUserID=nobody
ServerRoot=/opt/fds
ConfigDirectoryAdminID=admin
ConfigDirectoryAdminPwd=test1234
ConfigDirectoryLdapURL=ldap://lsctsol06.autodesk.tld:389/o=NetscapeRoot
AdminDomain=lsctsol06.autodesk.com
UserDirectoryLdapURL=ldap://lsctsol06.autodesk.tld:389/dc=example,dc=com

[slapd]
ServerPort=389
ServerIdentifier=lsctsol06
Suffix=dc=example,dc=com
RootDN=cn=Directory Manager
RootDNPwd=test1234
InstallLdifFile=/opt/fds/bin/slapd/install/ldif/Example.ldif

From Steven.Jones at vuw.ac.nz Fri Sep 14 00:58:10 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 14 Sep 2007 12:58:10 +1200
Subject: [Fedora-directory-users] Setting a self ssl certificate

[root at vuwunicvfdsm001 slapd-vuwunicvfdsm001]# ./start-slapd
Enter PIN for Internal (Software) Token:

After installing a ssl certificate I now need to enter a password every time
I start it, how to negate this need?

[root at vuwunicvfdsm001 slapd-vuwunicvfdsm001]# ./start-slapd
Enter PIN for Internal (Software) Token:
[root at vuwunicvfdsm001 slapd-vuwunicvfdsm001]# cd ../

[root at vuwunicvfdsm001 fedora-ds]# ./startconsole -u admin -a http://vuwunicvfdsm001.vuw.ac.nz:54200/ &
[1] 3244
[root at vuwunicvfdsm001 fedora-ds]#

Regards

Steven

From rmeggins at redhat.com Fri Sep 14 01:05:17 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 13 Sep 2007 19:05:17 -0600
Subject: [Fedora-directory-users] Setting a self ssl certificate
Message-ID: <46E9DE4D.5070405@redhat.com>

Steven Jones wrote:
> Steven Jones wrote:
>
>> Since it appears the LDAP server was stuffed,
>>
> How so?
>
> Won't start, cannot access.
>
No errors? Just nothing?
>
>> I re-installed it and
>> again followed the instructions, now I find that in attempting to
>> re-start the server it will not....
>>
> Any errors?
>
> I never looked for logs, simply re-installed FDS, I'm getting good at
> it.
>
It should almost never be necessary to reinstall from scratch. However,
that may be the most expeditious route for you.
>
>> so I have had to re-install again.
>>
>> So this particular set of instructions,
>>
>> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1085091
>>
>> breaks the setup....
>>
> How so?
>
> Following the RH page seemed to trash the setup so a start/restart
> failed.
If the server fails to start, it will almost always print something to the
errors log file, and that will usually give a pretty good clue about why the
server failed to start. Posting those log messages to this forum can be very
helpful to diagnose problems. If the log excerpts are too long, paste them
to pastebin.com and paste the link here.
> Also trying to login to the admin server failed...I suspect
> replacing the two keys under alias/ broke "something".
>
> Did you see this -
>
> http://directory.fedoraproject.org/wiki/Howto:SSL
>
> I found it last night while googl'ing from home after work, will work
> through it this morning.
>
> The ssl.html above should mostly work, except for the NOTE under the
> link to ssl.html at
> http://directory.fedoraproject.org/wiki/Howto:SSL#Basic_Steps
>
>> So is there a set of instructions to setup a self certified SSL
>> server?
>>
> If http://directory.fedoraproject.org/wiki/Howto:SSL doesn't work for
> you, try
> http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html
> which is also listed on the Howto:SSL page.
>
> Ditto, I found that as well.
>
> Regards
>
> Steven

From rmeggins at redhat.com Fri Sep 14 01:14:28 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 13 Sep 2007 19:14:28 -0600
Subject: [Fedora-directory-users] Setting a self ssl certificate
Message-ID: <46E9E074.4000206@redhat.com>

Steven Jones wrote:
> Errors while following,
>
> http://directory.fedoraproject.org/wiki/Howto:SSL
>
> # ../shared/bin/certutil -S -n "CA certificate" -s \
>> "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f \
>> pwdfile.txt
>
> Generating key.  This may take a few moments...
>
> certutil-bin: could not obtain certificate from file: DER-encoded
> message contained extra unused data.
>
I've never seen this error message before. I'm not sure what it means. Do
you have a cert8.db and a key3.db in this directory? They should have been
created by a previous step.
> Does this mean anything?
>
> Followed by this error,
>
> [root at vuwunicvfdsm001 alias]# ../shared/bin/certutil -S -n "Server-Cert" -s \
>> "cn=vuw.ac.nz" -c "CA certificate" -t "u,u,u" -m 1001 -v \
>> 120 -d . -z noise.txt -f pwdfile.txt
>
> Generating key.  This may take a few moments...
>
> certutil-bin: could not find certificate named "CA certificate":
> security library: bad database.
> certutil-bin: unable to create cert (security library: bad database.)
> [root at vuwunicvfdsm001 alias]#
>
> Does this mean anything?
>
It means the previous step failed, and you cannot continue until it is
resolved.
> The contents of alias/ are,
>
> [root at vuwunicvfdsm001 alias]# ls -l
> total 608
> -rw------- 1 nobody nobody  65536 Sep 14 09:27 admin-serv-vuwunicvfdsm001-cert8.db
> -rw------- 1 nobody nobody  16384 Sep 14 09:27 admin-serv-vuwunicvfdsm001-key3.db
> -rw------- 1 root   root    65536 Sep 14 09:46 cert8.db
> -rw------- 1 root   root    16384 Sep 14 09:46 key3.db
> -rwxr-xr-x 1 nobody nobody 239744 Nov  8  2006 libnssckbi.so
> -rw-r--r-- 1 nobody nobody     62 Sep 14 09:44 noise.txt
> -rw------- 1 nobody nobody  65536 Sep 13 15:43 orig-slapd-vuwunicvfdsm001-cert8.db
> -rw------- 1 nobody nobody  16384 Sep 13 15:43 orig-slapd-vuwunicvfdsm001-key3.db
> -rw-r--r-- 1 nobody nobody      9 Sep 13 15:43 pwdfile.txt
> -rw------- 1 nobody nobody  16384 Sep 13 15:33 secmod.db
> -rw------- 1 nobody nobody  65536 Sep 13 15:33 slapd-vuwunicvfdsm001-cert8.db
> -rw------- 1 nobody nobody  16384 Sep 14 09:29 slapd-vuwunicvfdsm001-key3.db
> -rw-r----- 1 nobody nobody    416 Sep 14 09:27 tempcert
> -rw-r----- 1 nobody nobody    345 Sep 14 09:27 tempcertreq
>
> It is possible that since I generated some keys earlier there is some
> "residue" that needs removing?
>
That's possible. Did you already have a CA certificate?
> Secmod.db?
>
Generated automatically by NSS if it doesn't exist.
> Tempcert?
> Tempcertreq?
>
Not sure what these are.
> Regards
>
> Steven

From Steven.Jones at vuw.ac.nz Fri Sep 14 01:17:17 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 14 Sep 2007 13:17:17 +1200
Subject: [Fedora-directory-users] Setting a self ssl certificate
In-Reply-To: <46E9E074.4000206@redhat.com>

I deleted the previous files and re-started, looks like the previous
attempts had indeed left files to cause issues.

8><----

That's possible. Did you already have a CA certificate?
> Secmod.db?
>
Generated automatically by NSS if it doesn't exist.
> Tempcert?
> Tempcertreq?
>

Regards

Steven

From rmeggins at redhat.com Fri Sep 14 01:22:23 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 13 Sep 2007 19:22:23 -0600
Subject: [Fedora-directory-users] Setting a self ssl certificate
Message-ID: <46E9E24F.9040401@redhat.com>

Steven Jones wrote:
> The Fedora ssl document talks about replacing instruction 7.
>
> with its own, OK
>
> But, do I then carry on following the RDS document? ie do 8. and 9. and
> if so is the syntax for 9. correct? Eg,
>
> ".....9. Run pk12util to convert the certificate database to pkcs12
> format, so it is accessible by the Directory Server:
>
> /serverRoot/shared/bin/pk12util -d . -o cert.pk12 -n Server-Cert
>
> ......."
>
Yes. This is correct. However, this step is not really necessary, it's only
used in order to backup your newly generated private key material in a
portable format. This step is not needed in order to activate SSL in the
server.
The setupssl.sh script http://directory.fedoraproject.org/wiki/Howto:SSL#Script
does this:

pk12util -d $secdir $prefixarg -o $secdir/adminserver.p12 -n server-cert -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt

There are two passwords. -w is the password used to encrypt the key material
in the pk12 file. -k is the password for your key database, from where the
private key is extracted. So you could do something like this (assuming you
created a file pwdfile.txt with your password):

pk12util -d . -o cert.pk12 -n Server-Cert -w pwdfile.txt -k pwdfile.txt

This also assumes you use the same password for your key database as to
encrypt your pk12 file.

> Or is this bit missing from the RDS howto command as well?
>
> "-P slapd-serverID-"
>
> Then do I follow on with the fedora doc?
>
You can use or omit the -P slapd-serverID-

step 8 does this:

mv key3.db slapd-server-key3.db
mv cert8.db slapd-server-cert8.db
ln -s slapd-server-key3.db key3.db
ln -s slapd-server-cert8.db cert8.db

So you have both cert8.db and slapd-server-cert8.db which refer to the same
file. So you can specify -P or omit it, it should not matter.

> regards
>
> Steven Jones
> Senior Linux/Unix/San/Vmware System Administrator
> APG -Technology Integration Team
> Victoria University of Wellington
> Phone: +64 4 463 6272
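Both pwdfile.txt (read by certutil -f and by pk12util -k and -w as discussed above) and the slapd-serverID-pin.txt file mentioned earlier in this thread hold the key database password in clear text, so how the file is created and who can read it is the whole control. The following is an added example, not code from the thread or from setupssl.sh: it creates such a file with mode 0400 from the instant it exists, refuses to overwrite one left behind by an earlier attempt, and audits an existing file; the paths, owner and password are constructed placeholders, and the pin-file line format is the "Internal (Software) Token:" form used by the server's PIN prompt.

```python
import os
import pwd
import stat
import tempfile

# Line format for slapd-serverID-pin.txt; a bare pwdfile.txt (used with
# certutil -f and pk12util -k / -w) holds just the password on one line.
TOKEN_PREFIX = "Internal (Software) Token:"


def write_secret_file(path, password, pin_format=False, owner=None):
    """Create a pwdfile.txt or pin.txt that is mode 0400 from the start.

    O_EXCL refuses to clobber an existing file, so residue from an earlier
    attempt (like the leftovers in alias/ discussed in this thread) is never
    silently replaced, and the mode is applied at creation rather than by a
    later chmod, so there is no window where the default umask applies."""
    body = f"{TOKEN_PREFIX}{password}\n" if pin_format else f"{password}\n"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "w") as f:
        f.write(body)
    if owner is not None:             # e.g. "nobody", the server user; chown
        pw = pwd.getpwnam(owner)      # needs root, so it is optional here
        os.chown(path, pw.pw_uid, pw.pw_gid)


def audit_secret_file(path, expected_uid, pin_format=False):
    """Return a list of findings; an empty list means the file is acceptable."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("is a symlink, not a regular file")
        return findings
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} grants group/other access")
    elif mode != 0o400:
        findings.append(f"mode {mode:04o} is not 0400")
    if st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    with open(path) as f:
        lines = [ln.rstrip("\n") for ln in f if ln.strip()]
    if pin_format:
        if not any(ln.startswith(TOKEN_PREFIX) and len(ln) > len(TOKEN_PREFIX)
                   for ln in lines):
            findings.append(f'no "{TOKEN_PREFIX}<password>" line')
    elif len(lines) != 1:
        findings.append("password file should contain exactly one line")
    return findings


def demo():
    """Run the scenario in a scratch directory and return what each check found."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        pin = os.path.join(d, "slapd-serverID-pin.txt")  # serverID: placeholder
        pwdfile = os.path.join(d, "pwdfile.txt")
        write_secret_file(pin, "constructed-password", pin_format=True)
        write_secret_file(pwdfile, "constructed-password")
        me = os.getuid()
        out["pin_ok"] = audit_secret_file(pin, me, pin_format=True)
        out["pwdfile_ok"] = audit_secret_file(pwdfile, me)
        os.chmod(pin, 0o644)                             # the mistake to catch
        out["pin_world_readable"] = audit_secret_file(pin, me, pin_format=True)
        try:
            write_secret_file(pin, "another", pin_format=True)
            out["overwrite_refused"] = False
        except FileExistsError:
            out["overwrite_refused"] = True
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```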
From Steven.Jones at vuw.ac.nz Fri Sep 14 01:22:52 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 14 Sep 2007 13:22:52 +1200
Subject: [Fedora-directory-users] Setting up a client for ssl
In-Reply-To: <46E9E074.4000206@redhat.com>

While testing a RHAS4 client the logs seem to indicate ssl is working as I
get startTLS in the access log. When I do a ssh connection though I do not
see startTLS in the access log, so is this actually working correctly?

ldapsearch -x -ZZ '(uid=jonesst1)'

Output on the client will typically be,

================
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (uid=jonesst1)
# requesting: ALL
#

# jonesst1, People, vuw.ac.nz
dn: uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz
givenName: Steven
sn: Jones
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: jonesst1
cn: Steven Jones
homeDirectory: /home/jonesst1

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
==========

Cannot see startTLS in this part though when ssh'ing in,

==========
[14/Sep/2007:13:10:26 +1200] conn=44 fd=67 slot=67 connection from 130.195.87.250 to 130.195.87.249
[14/Sep/2007:13:10:26 +1200] conn=44 op=0 BIND dn="" method=128 version=3
[14/Sep/2007:13:10:26 +1200] conn=44 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[14/Sep/2007:13:10:26 +1200] conn=44 op=1 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(uid=jonesst1)" attrs=ALL
[14/Sep/2007:13:10:26 +1200] conn=44 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[14/Sep/2007:13:10:26 +1200] conn=44 op=2 BIND dn="" method=128 version=3
[14/Sep/2007:13:10:26 +1200] conn=44 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[14/Sep/2007:13:10:26 +1200] conn=44 op=3 BIND dn="uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" method=128 version=3
[14/Sep/2007:13:10:26 +1200] conn=44 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jonesst1,ou=people,dc=vuw,dc=ac,dc=nz"
[14/Sep/2007:13:10:26 +1200] conn=44 op=4 BIND dn="" method=128 version=3
[14/Sep/2007:13:10:26 +1200] conn=44 op=4 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[14/Sep/2007:13:10:26 +1200] conn=45 fd=68 slot=68 connection from 130.195.87.250 to 130.195.87.249
[14/Sep/2007:13:10:26 +1200] conn=45 op=0 BIND dn="" method=128 version=3
[14/Sep/2007:13:10:26 +1200] conn=45 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[14/Sep/2007:13:10:26 +1200] conn=45 op=1 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
[14/Sep/2007:13:10:26 +1200] conn=45 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[14/Sep/2007:13:10:26 +1200] conn=45 op=2 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixGroup)(|(memberUid=jonesst1)(uniqueMember=uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz)))" attrs="gidNumber"
[14/Sep/2007:13:10:26 +1200] conn=45 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[14/Sep/2007:13:10:26 +1200] conn=44 op=5 UNBIND
[14/Sep/2007:13:10:26 +1200] conn=44 op=5 fd=67 closed - U1
==========

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

From rmeggins at redhat.com Fri Sep 14 01:25:35 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 13 Sep 2007 19:25:35 -0600
Subject: [Fedora-directory-users] Setting a self ssl certificate
Message-ID: <46E9E30F.70902@redhat.com>

Steven Jones wrote:
> Attempting to carry on I seem to have a terminal failure,
>
> [root at vuwunicvfdsm001 alias]# ../shared/bin/certutil -L -d . -P slapd-serverID- -n "CA certificate" -a > cacert.asc
> certutil-bin: Could not find: CA certificate
> : security library: bad database.
> [root at vuwunicvfdsm001 alias]#
>
> So what went wrong and how is it fixed?
>
It looks like step 6 failed, so you have no CA certificate.
> regards
>
> Steven Jones
> Senior Linux/Unix/San/Vmware System Administrator
> APG -Technology Integration Team
> Victoria University of Wellington
> Phone: +64 4 463 6272

From Steven.Jones at vuw.ac.nz Fri Sep 14 01:26:02 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 14 Sep 2007 13:26:02 +1200
Subject: [Fedora-directory-users] Setting up a Debian client for ssl

Is this correct/expected?

vuwunicvdebian1:/etc/ldap# ldapsearch -x -ZZ '(uid=jonesst1)'
ldap_start_tls: Connect error (-11)
        additional info: Start TLS request accepted.Server willing to negotiate SSL.
vuwunicvdebian1:/etc/ldap#

On the server I check the access log for "startTLS" and see it,

[14/Sep/2007:13:08:08 +1200] conn=39 fd=67 slot=67 connection from 130.195.87.235 to 130.195.87.249
[14/Sep/2007:13:08:08 +1200] conn=39 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[14/Sep/2007:13:08:08 +1200] conn=39 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[14/Sep/2007:13:08:08 +1200] conn=39 op=-1 fd=67 closed - Encountered end of file.

But the "Connect error (-11)" concerns me.
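The question raised two messages up (no startTLS in the access log when the ssh/PAM client binds) is one the access log itself can answer: a successful startTLS shows up as an EXT op with the OID above followed by RESULT err=0, and a simple BIND (method=128) with a non-empty dn on a connection that never got there carried the password in clear. The following is an added example, not code from the thread or from the Directory Server project: it parses lines in the access-log format quoted in this thread and reports such binds. The sample log is constructed from the quoted lines plus two invented protected connections (46 and 47); the "SSL connection from" form is what the server writes for connections on the LDAPS port and is assumed here, since the thread shows no such line.

```python
import re
from collections import defaultdict

# Constructed sample in the access-log format quoted in this thread:
# conn=39 (startTLS then nothing) and conn=44 (pam_ldap, clear-text bind)
# are from the thread; conn=46 (startTLS then bind) and conn=47 (LDAPS port,
# assumed "SSL connection from" form) are invented protected cases.
SAMPLE_LOG = """\
[14/Sep/2007:13:08:08 +1200] conn=39 fd=67 slot=67 connection from 130.195.87.235 to 130.195.87.249
[14/Sep/2007:13:08:08 +1200] conn=39 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[14/Sep/2007:13:08:08 +1200] conn=39 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[14/Sep/2007:13:08:08 +1200] conn=39 op=-1 fd=67 closed - Encountered end of file.
[14/Sep/2007:13:10:26 +1200] conn=44 fd=67 slot=67 connection from 130.195.87.250 to 130.195.87.249
[14/Sep/2007:13:10:26 +1200] conn=44 op=0 BIND dn="" method=128 version=3
[14/Sep/2007:13:10:26 +1200] conn=44 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[14/Sep/2007:13:10:26 +1200] conn=44 op=3 BIND dn="uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" method=128 version=3
[14/Sep/2007:13:10:26 +1200] conn=44 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jonesst1,ou=people,dc=vuw,dc=ac,dc=nz"
[14/Sep/2007:13:10:26 +1200] conn=44 op=5 UNBIND
[14/Sep/2007:13:12:00 +1200] conn=46 fd=68 slot=68 connection from 130.195.87.235 to 130.195.87.249
[14/Sep/2007:13:12:00 +1200] conn=46 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[14/Sep/2007:13:12:00 +1200] conn=46 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[14/Sep/2007:13:12:00 +1200] conn=46 op=1 BIND dn="uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" method=128 version=3
[14/Sep/2007:13:12:00 +1200] conn=46 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jonesst1,ou=people,dc=vuw,dc=ac,dc=nz"
[14/Sep/2007:13:12:30 +1200] conn=47 fd=69 slot=69 SSL connection from 130.195.87.235 to 130.195.87.249
[14/Sep/2007:13:12:30 +1200] conn=47 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[14/Sep/2007:13:12:30 +1200] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
OP_RE = re.compile(r'^op=(?P<op>-?\d+) (?P<kind>[A-Z]+)(?P<args>.*)$')
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'err=(?P<err>\d+)')


def find_cleartext_binds(log_text):
    """Return (conn, op, dn, client_ip) for every simple BIND with a non-empty
    DN that was sent before TLS protected the connection.

    Anonymous binds (dn="") carry no credential and are ignored. A startTLS
    only counts once its RESULT line reports err=0; a failed one leaves the
    connection in the clear."""
    client = {}                    # conn -> client IP from the "connection from" line
    secured = defaultdict(bool)    # conn -> is the connection under TLS yet?
    pending_tls = {}               # conn -> op number of an unanswered startTLS
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = m.group('conn'), m.group('rest')
        if 'connection from ' in rest:
            client[conn] = rest.split('connection from ')[1].split()[0]
            # LDAPS-port connections are encrypted from the first byte
            secured[conn] = 'SSL connection from' in rest
            continue
        o = OP_RE.match(rest)
        if not o:                  # "closed" lines and similar carry no op kind
            continue
        op, kind, args = o.group('op'), o.group('kind'), o.group('args')
        if kind == 'EXT' and 'name="startTLS"' in args:
            pending_tls[conn] = op
        elif kind == 'RESULT' and pending_tls.get(conn) == op:
            e = ERR_RE.search(args)
            if e and e.group('err') == '0':
                secured[conn] = True
            del pending_tls[conn]
        elif kind == 'BIND' and 'method=128' in args:   # 128 = simple bind
            d = DN_RE.search(args)
            dn = d.group('dn') if d else ''
            if dn and not secured[conn]:
                findings.append((conn, op, dn, client.get(conn, '?')))
    return findings


if __name__ == "__main__":
    for conn, op, dn, ip in find_cleartext_binds(SAMPLE_LOG):
        print(f"conn={conn} op={op}: clear-text simple bind as {dn} from {ip}")
```

On a real server, feed it the contents of the access log; every hit is a client that sent a directory password without TLS, which is what the ssh/PAM connection in the quoted log (conn=44) did.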
Regards

Steven

From rmeggins at redhat.com Fri Sep 14 01:30:17 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 13 Sep 2007 19:30:17 -0600
Subject: [Fedora-directory-users] Setting a self ssl certificate
Message-ID: <46E9E429.5050808@redhat.com>

Steven Jones wrote:
> [root at vuwunicvfdsm001 slapd-vuwunicvfdsm001]# ./start-slapd
> Enter PIN for Internal (Software) Token:
>
> After installing a ssl certificate I now need to enter a password every
> time I start it, how to negate this need?
>
1) You can use modutil to remove the password for your key/cert database:

modutil -dbdir . -dbprefix slapd-serverID- -changepw 'NSS Certificate DB'

Then just hit Enter for the new password.

2) You can create a pin.txt file

cat > slapd-serverID-pin.txt
Internal (Software) Token:thepasswordforyourkeydb
^D

make sure the pin.txt file is owned by your server user (e.g. chown
nobody:nobody) and is mode 0400

> [root at vuwunicvfdsm001 slapd-vuwunicvfdsm001]# ./start-slapd
> Enter PIN for Internal (Software) Token:
> [root at vuwunicvfdsm001 slapd-vuwunicvfdsm001]# cd ../
>
> [root at vuwunicvfdsm001 fedora-ds]# ./startconsole -u admin -a http://vuwunicvfdsm001.vuw.ac.nz:54200/ &
> [1] 3244
> [root at vuwunicvfdsm001 fedora-ds]#
>
> Regards
>
> Steven

From rmeggins at redhat.com Fri Sep 14 01:35:26 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 13 Sep 2007 19:35:26 -0600
Subject: [Fedora-directory-users] Setting up a Debian client for ssl
Message-ID: <46E9E55E.4050805@redhat.com>

Steven Jones wrote:
> Is this correct/expected?
>
> vuwunicvdebian1:/etc/ldap# ldapsearch -x -ZZ '(uid=jonesst1)'
> ldap_start_tls: Connect error (-11)
>         additional info: Start TLS request accepted.Server willing to
> negotiate SSL.
> vuwunicvdebian1:/etc/ldap#
>
> On the server I check the access log for "startTLS" and see it,
>
> [14/Sep/2007:13:08:08 +1200] conn=39 fd=67 slot=67 connection from 130.195.87.235 to 130.195.87.249
> [14/Sep/2007:13:08:08 +1200] conn=39 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [14/Sep/2007:13:08:08 +1200] conn=39 op=0 RESULT err=0 tag=120 nentries=0 etime=0
> [14/Sep/2007:13:08:08 +1200] conn=39 op=-1 fd=67 closed - Encountered end of file.
>
> But the "Connect error (-11)" concerns me.
>
I think this can happen if the server cert does not have a subject DN that
starts with cn=foo.example.com, where foo.example.com is the FQDN of the
directory server machine. Or, the server cert has a subject DN like this:
cn=foo.example.com,.... and the client either cannot resolve (via DNS or
/etc/hosts or whatever it says in the /etc/nsswitch.conf file)
foo.example.com, or the reverse DNS lookup on the server's IP address does
not resolve to foo.example.com
> Regards
>
> Steven

From rmeggins at redhat.com Fri Sep 14 01:42:15 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 13 Sep 2007 19:42:15 -0600
Subject: [Fedora-directory-users] syntax in inf file
References: <46E6A53A.5080002@redhat.com>
Message-ID: <46E9E6F7.6050703@redhat.com>

Scott Ding wrote:
> Below is an inf file I created. Can someone tell me if it is correct
> syntactically? I am not sure about Suffix, RootDN.
> In the installation
> guide, there are spaces in front of the actual values like this.
>
> Suffix= dc=example,dc=com
> RootDN= cn=Directory Manager
>
> Are those spaces required?
No.
> In my inf, I did not have the spaces. Using
> LDAP browser, I couldn't find any objects below dc=example.
>
I'm not sure if InstallLdifFile works. Try using ldif2db after ds_newinst
> ------
>
> [General]
> FullMachineName=lsctsol06.autodesk.com
> SuiteSpotU serID=nobody
> ServerRoot=/opt/fds
> ConfigDirectoryAdminID=admin
> ConfigDirectoryAdminPwd=test1234
> ConfigDirectoryLdapURL=ldap://lsctsol06.autodesk.tld:389/o=NetscapeRoot
> AdminDomain=lsctsol06.autodesk.com
> UserDirectoryLdapURL=ldap://lsctsol06.autodesk.tld:389/dc=example,dc=com
> [slapd]
> ServerPort=389
> ServerIdentifier=lsctsol06
> Suffix=dc=example,dc=com
> RootDN=cn=Directory Manager
> RootDNPwd=test1234
> InstallLdifFile=/opt/fds/bin/slapd/install/ldif/Example.ldif

From Steven.Jones at vuw.ac.nz Fri Sep 14 02:00:29 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 14 Sep 2007 14:00:29 +1200
Subject: [Fedora-directory-users] Setting up a Debian client for ssl
In-Reply-To: <46E9E55E.4050805@redhat.com>

I checked DNS and it was indeed broken, but I am connecting to the IP,

Fixing DNS still sees the same error on Debian.

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
Sent: Friday, 14 September 2007 1:35 p.m.
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Setting up a Debian client for ssl

Steven Jones wrote:
> Is this correct/expected?
>
> vuwunicvdebian1:/etc/ldap# ldapsearch -x -ZZ '(uid=jonesst1)'
> ldap_start_tls: Connect error (-11)
>         additional info: Start TLS request accepted.Server willing to
> negotiate SSL.
> vuwunicvdebian1:/etc/ldap#
>
> On the server I check the access log for "startTLS" and see it,
>
> [14/Sep/2007:13:08:08 +1200] conn=39 fd=67 slot=67 connection from 130.195.87.235 to 130.195.87.249
> [14/Sep/2007:13:08:08 +1200] conn=39 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [14/Sep/2007:13:08:08 +1200] conn=39 op=0 RESULT err=0 tag=120 nentries=0 etime=0
> [14/Sep/2007:13:08:08 +1200] conn=39 op=-1 fd=67 closed - Encountered end of file.
>
> But the "Connect error (-11)" concerns me.
>
I think this can happen if the server cert does not have a subject DN that
starts with cn=foo.example.com, where foo.example.com is the FQDN of the
directory server machine. Or, the server cert has a subject DN like this:
cn=foo.example.com,.... and the client either cannot resolve (via DNS or
/etc/hosts or whatever it says in the /etc/nsswitch.conf file)
foo.example.com, or the reverse DNS lookup on the server's IP address does
not resolve to foo.example.com
> Regards
>
> Steven

From rmeggins at redhat.com Fri Sep 14 02:29:24 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 13 Sep 2007 20:29:24 -0600
Subject: [Fedora-directory-users] Setting up a Debian client for ssl
Message-ID: <46E9F204.2040106@redhat.com>

Steven Jones wrote:
> I checked DNS and it was indeed broken, but I am connecting to the IP,
>
> Fixing DNS still sees the same error on Debian.
>
Try -d 1 or -v arguments to ldapsearch
> regards
>
> Steven Jones
> Senior Linux/Unix/San/Vmware System Administrator
> APG -Technology Integration Team
> Victoria University of Wellington
> Phone: +64 4 463 6272
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard
> Megginson
> Sent: Friday, 14 September 2007 1:35 p.m.
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Setting up a Debian client for ssl
>
> Steven Jones wrote:
>
>> Is this correct/expected?
>>
>> vuwunicvdebian1:/etc/ldap# ldapsearch -x -ZZ '(uid=jonesst1)'
>> ldap_start_tls: Connect error (-11)
>>         additional info: Start TLS request accepted.Server willing to
>> negotiate SSL.
>> vuwunicvdebian1:/etc/ldap# >> >> On the server I check check the access log for "startTLS" and see it, >> >> [14/Sep/2007:13:08:08 +1200] conn=39 fd=67 slot=67 connection from >> 130.195.87.235 to 130.195.87.249 >> [14/Sep/2007:13:08:08 +1200] conn=39 op=0 EXT >> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >> [14/Sep/2007:13:08:08 +1200] conn=39 op=0 RESULT err=0 tag=120 >> nentries=0 etime=0 >> [14/Sep/2007:13:08:08 +1200] conn=39 op=-1 fd=67 closed - Encountered >> end of file. >> >> But the "Connect error (-11)" concerns me. >> >> > I think this can happen if the server cert does not have a subject DN > that starts with cn=foo.example.com, where foo.example.com is the FQDN > of the directory server machine. Or, the server cert has a subject DN > like this: > cn=foo.example.com,.... > and the client either cannot resolve (via DNS or /etc/hosts or whatever > it says in the /etc/nsswitch.conf file) foo.example.com, or the reverse > DNS lookup on the server's IP address does not resolve to > foo.example.com > >> Regards >> >> Steven >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From Steven.Jones at vuw.ac.nz Fri Sep 14 02:41:19 2007 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Fri, 14 Sep 2007 14:41:19 +1200 Subject: [Fedora-directory-users] Setting up a Debian client for ssl In-Reply-To: <46E9F204.2040106@redhat.com> Message-ID: This looks broken?, 8><------ TLS: could not load client CA list (file:`',dir:`/etc/openldap/cacerts/'). 
TLS: error:0200A002:system library:opendir:No such file or directory ssl_cert.c:816 TLS: error:140D7002:SSL routines:SSL_add_dir_cert_subjects_to_stack:system lib ssl_cert.c:818 8><------ I tried cp'ing the file on the fds server, cp /opt/fedora-ds/alias/cacert.asc cacert.asc and changing the debian's client ldap.conf to, #TLS_CACERTDIR /etc/openldap/cacerts/ TLS_CACERT /etc/openldap/cacerts/cacert.asc But no joy.... ======================== vuwunicvdebian1:/etc/ldap# ldapsearch -d 1 -x -ZZ '(uid=jonesst1)' ldap_create ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP 130.195.87.249:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 130.195.87.249:389 ldap_connect_timeout: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({) ber: ber_flush: 31 bytes to sd 3 ldap_result ld 0x8057e30 msgid 1 ldap_chkResponseList ld 0x8057e30 msgid 1 all 1 ldap_chkResponseList returns ld 0x8057e30 NULL wait4msg ld 0x8057e30 msgid 1 (infinite timeout) wait4msg continue ld 0x8057e30 msgid 1 all 1 ** ld 0x8057e30 Connections: * host: 130.195.87.249 port: 389 (default) refcnt: 2 status: Connected last used: Fri Sep 14 14:32:25 2007 ** ld 0x8057e30 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** ld 0x8057e30 Response Queue: Empty ldap_chkResponseList ld 0x8057e30 msgid 1 all 1 ldap_chkResponseList returns ld 0x8057e30 NULL ldap_int_select read1msg: ld 0x8057e30 msgid 1 all 1 ber_get_next ber_get_next: tag 0x30 len 95 contents: read1msg: ld 0x8057e30 msgid 1 message type extended-result ber_scanf fmt ({eaa) ber: read1msg: ld 0x8057e30 0 new referrals read1msg: mark request completed, ld 0x8057e30 msgid 1 request done: ld 0x8057e30 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection 0 1 
ldap_free_connection: refcnt 1 ldap_parse_extended_result ber_scanf fmt ({eaa) ber: ber_scanf fmt (a) ber: ldap_parse_result ber_scanf fmt ({iaa) ber: ber_scanf fmt (x) ber: ber_scanf fmt (}) ber: ldap_msgfree TLS: could not load client CA list (file:`',dir:`/etc/openldap/cacerts/'). TLS: error:0200A002:system library:opendir:No such file or directory ssl_cert.c:816 TLS: error:140D7002:SSL routines:SSL_add_dir_cert_subjects_to_stack:system lib ssl_cert.c:818 ldap_perror ldap_start_tls: Connect error (-11) additional info: Start TLS request accepted.Server willing to negotiate SSL. Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272 -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson Sent: Friday, 14 September 2007 2:29 p.m. To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] Setting up a Debian client for ssl Steven Jones wrote: > I checked DNS and it was indeed broken, but I am connecting to the IP, > > Fixing DNS still sees the same error on Debian. > Try -d 1 or -v arguments to ldapsearch > regards > > Steven Jones > Senior Linux/Unix/San/Vmware System Administrator > APG -Technology Integration Team > Victoria University of Wellington > Phone: +64 4 463 6272 > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard > Megginson > Sent: Friday, 14 September 2007 1:35 p.m. > To: General discussion list for the Fedora Directory server project. > Subject: Re: [Fedora-directory-users] Setting up a Debian client for ssl > > Steven Jones wrote: > >> Is this correct/expected? 
>> >> vuwunicvdebian1:/etc/ldap# ldapsearch -x -ZZ '(uid=jonesst1)' >> ldap_start_tls: Connect error (-11) >> additional info: Start TLS request accepted.Server willing to >> negotiate SSL. >> vuwunicvdebian1:/etc/ldap# >> >> On the server I check check the access log for "startTLS" and see it, >> >> [14/Sep/2007:13:08:08 +1200] conn=39 fd=67 slot=67 connection from >> 130.195.87.235 to 130.195.87.249 >> [14/Sep/2007:13:08:08 +1200] conn=39 op=0 EXT >> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >> [14/Sep/2007:13:08:08 +1200] conn=39 op=0 RESULT err=0 tag=120 >> nentries=0 etime=0 >> [14/Sep/2007:13:08:08 +1200] conn=39 op=-1 fd=67 closed - Encountered >> end of file. >> >> But the "Connect error (-11)" concerns me. >> >> > I think this can happen if the server cert does not have a subject DN > that starts with cn=foo.example.com, where foo.example.com is the FQDN > of the directory server machine. Or, the server cert has a subject DN > like this: > cn=foo.example.com,.... > and the client either cannot resolve (via DNS or /etc/hosts or whatever > it says in the /etc/nsswitch.conf file) foo.example.com, or the reverse > DNS lookup on the server's IP address does not resolve to > foo.example.com > >> Regards >> >> Steven >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From Steven.Jones at vuw.ac.nz Fri Sep 14 02:44:03 2007 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Fri, 14 Sep 2007 14:44:03 +1200 Subject: [Fedora-directory-users] Setting up clients for ssl only? In-Reply-To: Message-ID: Is there a way to force clients to only connect via ssl? 
regards Steven From rmeggins at redhat.com Fri Sep 14 02:51:43 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 13 Sep 2007 20:51:43 -0600 Subject: [Fedora-directory-users] Setting up a Debian client for ssl In-Reply-To: References: Message-ID: <46E9F73F.20006@redhat.com> Steven Jones wrote: > This looks broken?, > > 8><------ > > TLS: could not load client CA list > (file:`',dir:`/etc/openldap/cacerts/'). > TLS: error:0200A002:system library:opendir:No such file or directory > ssl_cert.c:816 > TLS: error:140D7002:SSL > routines:SSL_add_dir_cert_subjects_to_stack:system lib ssl_cert.c:818 > > 8><------ > > I tried cp'ing the file on the fds server, > > cp /opt/fedora-ds/alias/cacert.asc cacert.asc > > and changing the debian's client ldap.conf to, > > #TLS_CACERTDIR /etc/openldap/cacerts/ > TLS_CACERT /etc/openldap/cacerts/cacert.asc > > But no joy.... > > ======================== > > vuwunicvdebian1:/etc/ldap# ldapsearch -d 1 -x -ZZ '(uid=jonesst1)' > ldap_create > ldap_extended_operation_s > ldap_extended_operation > ldap_send_initial_request > ldap_new_connection 1 1 0 > ldap_int_open_connection > ldap_connect_to_host: TCP 130.195.87.249:389 > ldap_new_socket: 3 > ldap_prepare_socket: 3 > ldap_connect_to_host: Trying 130.195.87.249:389 > ldap_connect_timeout: fd: 3 tm: -1 async: 0 > ldap_open_defconn: successful > ldap_send_server_request > ber_scanf fmt ({it) ber: > ber_scanf fmt ({) ber: > ber_flush: 31 bytes to sd 3 > ldap_result ld 0x8057e30 msgid 1 > ldap_chkResponseList ld 0x8057e30 msgid 1 all 1 > ldap_chkResponseList returns ld 0x8057e30 NULL > wait4msg ld 0x8057e30 msgid 1 (infinite timeout) > wait4msg continue ld 0x8057e30 msgid 1 all 1 > ** ld 0x8057e30 Connections: > * host: 130.195.87.249 port: 389 (default) > refcnt: 2 status: Connected > last used: Fri Sep 14 14:32:25 2007 > > ** ld 0x8057e30 Outstanding Requests: > * msgid 1, origid 1, status InProgress > outstanding referrals 0, parent count 0 > ** ld 0x8057e30 Response Queue: > 
Empty > ldap_chkResponseList ld 0x8057e30 msgid 1 all 1 > ldap_chkResponseList returns ld 0x8057e30 NULL > ldap_int_select > read1msg: ld 0x8057e30 msgid 1 all 1 > ber_get_next > ber_get_next: tag 0x30 len 95 contents: > read1msg: ld 0x8057e30 msgid 1 message type extended-result > ber_scanf fmt ({eaa) ber: > read1msg: ld 0x8057e30 0 new referrals > read1msg: mark request completed, ld 0x8057e30 msgid 1 > request done: ld 0x8057e30 msgid 1 > res_errno: 0, res_error: <>, res_matched: <> > ldap_free_request (origid 1, msgid 1) > ldap_free_connection 0 1 > ldap_free_connection: refcnt 1 > ldap_parse_extended_result > ber_scanf fmt ({eaa) ber: > ber_scanf fmt (a) ber: > ldap_parse_result > ber_scanf fmt ({iaa) ber: > ber_scanf fmt (x) ber: > ber_scanf fmt (}) ber: > ldap_msgfree > TLS: could not load client CA list > (file:`',dir:`/etc/openldap/cacerts/'). > TLS: error:0200A002:system library:opendir:No such file or directory > ssl_cert.c:816 > TLS: error:140D7002:SSL > routines:SSL_add_dir_cert_subjects_to_stack:system lib ssl_cert.c:818 > ldap_perror > ldap_start_tls: Connect error (-11) > additional info: Start TLS request accepted.Server willing to > negotiate SSL. > I'm not sure. It says "No such file or directory" - permissions? http://directory.fedoraproject.org/wiki/Howto:SSL#Configure_LDAP_clients > > > Steven Jones > Senior Linux/Unix/San/Vmware System Administrator > APG -Technology Integration Team > Victoria University of Wellington > Phone: +64 4 463 6272 > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard > Megginson > Sent: Friday, 14 September 2007 2:29 p.m. > To: General discussion list for the Fedora Directory server project. 
> Subject: Re: [Fedora-directory-users] Setting up a Debian client for ssl > > Steven Jones wrote: > >> I checked DNS and it was indeed broken, but I am connecting to the IP, >> >> Fixing DNS still sees the same error on Debian. >> >> > Try -d 1 or -v arguments to ldapsearch > >> regards >> >> Steven Jones >> Senior Linux/Unix/San/Vmware System Administrator >> APG -Technology Integration Team >> Victoria University of Wellington >> Phone: +64 4 463 6272 >> >> -----Original Message----- >> From: fedora-directory-users-bounces at redhat.com >> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of >> > Richard > >> Megginson >> Sent: Friday, 14 September 2007 1:35 p.m. >> To: General discussion list for the Fedora Directory server project. >> Subject: Re: [Fedora-directory-users] Setting up a Debian client for >> > ssl > >> Steven Jones wrote: >> >> >>> Is this correct/expected? >>> >>> vuwunicvdebian1:/etc/ldap# ldapsearch -x -ZZ '(uid=jonesst1)' >>> ldap_start_tls: Connect error (-11) >>> additional info: Start TLS request accepted.Server willing to >>> negotiate SSL. >>> vuwunicvdebian1:/etc/ldap# >>> >>> On the server I check check the access log for "startTLS" and see it, >>> >>> [14/Sep/2007:13:08:08 +1200] conn=39 fd=67 slot=67 connection from >>> 130.195.87.235 to 130.195.87.249 >>> [14/Sep/2007:13:08:08 +1200] conn=39 op=0 EXT >>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>> [14/Sep/2007:13:08:08 +1200] conn=39 op=0 RESULT err=0 tag=120 >>> nentries=0 etime=0 >>> [14/Sep/2007:13:08:08 +1200] conn=39 op=-1 fd=67 closed - Encountered >>> end of file. >>> >>> But the "Connect error (-11)" concerns me. >>> >>> >>> >> I think this can happen if the server cert does not have a subject DN >> that starts with cn=foo.example.com, where foo.example.com is the FQDN >> > > >> of the directory server machine. Or, the server cert has a subject DN >> > > >> like this: >> cn=foo.example.com,.... 
>> and the client either cannot resolve (via DNS or /etc/hosts or whatever it says in the /etc/nsswitch.conf file) foo.example.com, or the reverse DNS lookup on the server's IP address does not resolve to foo.example.com
>>
>>> Regards
>>>
>>> Steven

From rmeggins at redhat.com Fri Sep 14 02:52:18 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 13 Sep 2007 20:52:18 -0600
Subject: [Fedora-directory-users] Setting up clients for ssl only?
In-Reply-To:
References:
Message-ID: <46E9F762.30402@redhat.com>

Steven Jones wrote:
> Is there a way to force clients to only connect via ssl?

You can set the nsslapd-port attribute in cn=config in dse.ldif to 0.

> regards
>
> Steven
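Richard's explanation earlier in this thread (the server cert's subject must start with cn=<FQDN of the directory server>, the client must be able to resolve that FQDN, and the reverse lookup of the server's address must give that name back) describes the identity check a client performs before it trusts a StartTLS session, and it is why connecting to the server by IP address, as Steven did, cannot succeed against a certificate issued to a hostname. The following Python is an added example, not code from the list or from Fedora DS: diagnose() is a hypothetical helper that applies those rules to a certificate in the dict shape ssl.SSLSocket.getpeercert() returns, with constructed forward and reverse lookup tables standing in for DNS and /etc/hosts so it runs offline. It also applies the one-label wildcard rule, which goes beyond what the thread discusses. CERT, FORWARD, REVERSE, foo.example.com and 192.0.2.10 are all constructed.

```python
"""Hostname checks a client applies to an LDAP server certificate before
trusting a StartTLS session.  Added example; CERT, FORWARD and REVERSE are
constructed stand-ins for a real peer certificate and for DNS/hosts lookups."""
import ipaddress


def names_from_cert(cert):
    """Return (dns_names, ip_names) from a cert in ssl getpeercert() dict form.
    With no subjectAltName the legacy rule applies: the subject CN is the name."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips


def dns_name_matches(pattern, host):
    """Case-insensitive match; a wildcard may only replace the whole leftmost label
    (RFC 6125 style): *.example.com covers foo.example.com, not a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        want = pattern[2:].split(".")
        have = host.split(".")
        return len(have) == len(want) + 1 and have[0] != "" and have[1:] == want
    return pattern == host


def as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def diagnose(cert, dialed, forward, reverse):
    """Return the reasons the identity check would fail; an empty list means it passes.
    dialed is the host or address the client connected to; forward maps names to
    addresses and reverse maps addresses to names (constructed lookup tables)."""
    problems = []
    dns, ips = names_from_cert(cert)
    if not dns and not ips:
        return ["certificate carries no DNS name or IP address identity"]
    ip = as_ip(dialed)
    if ip is not None:
        # Connecting by address: only an IP-address SAN can match; a CN never does.
        if not any(as_ip(i) == ip for i in ips):
            problems.append(f"dialed by IP {dialed} but the certificate has no matching "
                            f"IP address SAN; connect by name ({', '.join(dns)}) instead")
        server_ip = dialed
    else:
        if not any(dns_name_matches(p, dialed) for p in dns):
            problems.append(f"dialed name {dialed} matches none of {dns}")
        server_ip = forward.get(dialed.lower().rstrip("."))
        if server_ip is None:
            problems.append(f"client cannot resolve {dialed} (DNS, /etc/hosts, nsswitch.conf)")
    if server_ip is not None:
        # The reverse-lookup rule from the thread: the PTR name must match the cert too.
        ptr = reverse.get(server_ip)
        if ptr is None:
            problems.append(f"no reverse record for {server_ip}")
        elif not any(dns_name_matches(p, ptr) for p in dns):
            problems.append(f"reverse lookup of {server_ip} gives {ptr}, which matches none of {dns}")
    return problems


# Constructed sample data: a cert issued to the server's FQDN, CN only (no SAN).
CERT = {
    "subject": ((("commonName", "foo.example.com"),), (("organizationName", "Example"),)),
}
FORWARD = {"foo.example.com": "192.0.2.10"}
REVERSE = {"192.0.2.10": "foo.example.com"}

if __name__ == "__main__":
    for dialed in ("foo.example.com", "192.0.2.10"):
        print(dialed, "->", diagnose(CERT, dialed, FORWARD, REVERSE) or "ok")
```

Run as a script it reports the by-name connection as ok and lists the by-IP problem. The same diagnosis applied to a real deployment is: put the FQDN the clients actually use in the certificate (or an IP-address SAN if they must connect by address), and make sure forward and reverse resolution of that name agree on every client, since a fix on the server side alone does not help a client that cannot resolve the name.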
From Steven.Jones at vuw.ac.nz Fri Sep 14 03:05:00 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 14 Sep 2007 15:05:00 +1200
Subject: [Fedora-directory-users] Setting up a Debian client for ssl
In-Reply-To: <46E9F73F.20006@redhat.com>
Message-ID:

8><----
I'm not sure. It says "No such file or directory" - permissions?
http://directory.fedoraproject.org/wiki/Howto:SSL#Configure_LDAP_clients
8><----

I tried changing permissions,

[root at vuwunicvfdsm001 openldap]# ls -l
total 16
drwxrwxrwx 2 root root 4096 Sep 14 14:38 cacerts
-rw-r--r-- 1 root root  320 Aug 24 10:56 ldap.conf
[root at vuwunicvfdsm001 openldap]# ls -l cacerts/
total 8
-rw-r--r-- 1 nobody nobody 619 Sep 14 12:49 5be5959f.0
-rw-r--r-- 1 nobody nobody 619 Sep 14 14:38 cacert.asc
[root at vuwunicvfdsm001 openldap]#

no joy,

8><----
TLS: could not load verify locations (file:`/etc/openldap/cacerts/5be5959f.0',dir:`/etc/openldap/cacerts/').
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:122
TLS: error:2006D080:BIO routines:BIO_new_file:no such file bss_file.c:125
TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib by_file.c:274
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: Start TLS request accepted.Server willing to negotiate SSL.

From hyc at symas.com Fri Sep 14 03:12:13 2007
From: hyc at symas.com (Howard Chu)
Date: Thu, 13 Sep 2007 20:12:13 -0700
Subject: [Fedora-directory-users] Debian client to FDS howto
In-Reply-To: <20070914012231.B379B73334@hormel.redhat.com>
References: <20070914012231.B379B73334@hormel.redhat.com>
Message-ID: <46E9FC0D.6020000@symas.com>

> Date: Fri, 14 Sep 2007 08:45:01 +1200
> From: "Steven Jones"
> I have written the below, if it is helpful/correct by all means place it on FDS wiki.
>
> Debian client setup
>
> Important notes
>
> There would seem to be at least 2 places (if not three) containing information for ldap. In order to make Debian 4 work I have deleted 2 and sym linked. It is possible on patching Debian that these files may be restored and LDAP authentication will no longer work.

Never symlink the pam/nss_ldap config files with the OpenLDAP libldap config file. There's a reason all of these things are in separate config files - they each have distinct syntaxes. You don't know what you're doing, and you have no guarantees that any particular version of a given library won't barf all over the keywords it doesn't recognize.

> There may well be an official method to setup Debian but I have not been able to locate one via Google.

--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/

From Steven.Jones at vuw.ac.nz Fri Sep 14 03:27:01 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 14 Sep 2007 15:27:01 +1200
Subject: [Fedora-directory-users] Debian client to FDS howto
In-Reply-To: <46E9FC0D.6020000@symas.com>
Message-ID:

Cool....nothing like an explanation of why not to do things.

Of course lacking any documentation at all....I'm left with experimentation.

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Howard Chu
Sent: Friday, 14 September 2007 3:12 p.m.
To: fedora-directory-users at redhat.com
Subject: re: [Fedora-directory-users] Debian client to FDS howto

> Date: Fri, 14 Sep 2007 08:45:01 +1200
> From: "Steven Jones"
> I have written the below, if it is helpful/correct by all means place it on FDS wiki.
> > > Debian client setup > > Important notes > > There would seem to be at least 2 places (if not three) containing > information for ldap. In order to make Debian 4 work I have deleted 2 > and sym linked. It is possible on patching Debian that these files maybe > restored and LDAP authentication will no longer work. Never symlink the pam/nss_ldap config files with the OpenLDAP libldap config file. There's a reason all of these things are in separate config files - they each have distinct syntaxes. You don't know what you're doing, and you have no guarantees that any particular version of a given library won't barf all over the keywords it doesn't recognize. > There may well be an official method to setup Debian but I have not been > able to locate one via Google. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users From del at babel.com.au Fri Sep 14 06:53:53 2007 From: del at babel.com.au (Del) Date: Fri, 14 Sep 2007 16:53:53 +1000 Subject: [Fedora-directory-users] FDS and OpenLDAP integration In-Reply-To: <46E69772.3030401@redhat.com> References: <0A175DA6-C6A6-4439-B840-FA4B039914D9@mfn.unipmn.it> <46E160CC.8050401@redhat.com> <46E16EF9.1040907@sys-net.it> <46E17A44.8050708@sys-net.it> <4332FDA6-AEDB-48E9-856E-232413A6312E@mfn.unipmn.it> <46E56280.3000406@redhat.com> <46E563C5.6040900@sys-net.it> <46E6486C.1080207@babel.com.au> <46E69772.3030401@redhat.com> Message-ID: <46EA3001.1010601@babel.com.au> Richard Megginson wrote: >>>> Great! I've added this information here - >>>> http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration >>> >>> Rich, I've cleaned up that entry, please check. 
>> >> That entry would make more sense if it began with: >> >> There are ways to sync data from OpenLDAP to Fedora DS. NOTE: sync is >> one way only. >> >> instead of: >> >> There are ways to sync data between OpenLDAP and Fedora DS. NOTE: sync >> is one way only. >> >> "between X and Y" implies two way, but then in the next sentence you >> say that it is one way only -- which way is supported and which way >> is not, is not specified. I've added a bit more wording to that page to make things clear. -- Del Babel Com Australia http://www.babel.com.au/ ph: 02 9368 0728 fax: 02 9368 0758 From rmeggins at redhat.com Fri Sep 14 13:41:24 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 14 Sep 2007 07:41:24 -0600 Subject: [Fedora-directory-users] Setting up a Debian client for ssl In-Reply-To: References: Message-ID: <46EA8F84.5020108@redhat.com> Steven Jones wrote: > 8><---- > > I'm not sure. It says "No such file or directory" - permissions? > http://directory.fedoraproject.org/wiki/Howto:SSL#Configure_LDAP_clients > >> > 8><---- > > I tried changing permissions, > > [root at vuwunicvfdsm001 openldap]# ls -l > total 16 > drwxrwxrwx 2 root root 4096 Sep 14 14:38 cacerts > -rw-r--r-- 1 root root 320 Aug 24 10:56 ldap.conf > [root at vuwunicvfdsm001 openldap]# ls -l cacerts/ > total 8 > -rw-r--r-- 1 nobody nobody 619 Sep 14 12:49 5be5959f.0 > -rw-r--r-- 1 nobody nobody 619 Sep 14 14:38 cacert.asc > [root at vuwunicvfdsm001 openldap]# > > no joy, > > 8><---- > TLS: could not load verify locations > (file:`/etc/openldap/cacerts/5be5959f.0',dir:`/etc/openldap/cacerts/'). > TLS: error:02001002:system library:fopen:No such file or directory > bss_file.c:122 > TLS: error:2006D080:BIO routines:BIO_new_file:no such file > bss_file.c:125 > TLS: error:0B084002:x509 certificate > routines:X509_load_cert_crl_file:system lib by_file.c:274 > ldap_perror > ldap_start_tls: Connect error (-11) > additional info: Start TLS request accepted.Server willing to > negotiate SSL. 
>

I've had trouble getting TLS_CACERTDIR to work on some platforms. To be safe, I would use TLS_CACERT instead.
http://directory.fedoraproject.org/wiki/Howto:SSL#Configure_LDAP_clients

From hyc at symas.com Fri Sep 14 16:13:04 2007
From: hyc at symas.com (Howard Chu)
Date: Fri, 14 Sep 2007 09:13:04 -0700
Subject: [Fedora-directory-users] Debian client to FDS howto
In-Reply-To: <20070914160005.D5F42735C7@hormel.redhat.com>
References: <20070914160005.D5F42735C7@hormel.redhat.com>
Message-ID: <46EAB310.6030605@symas.com>

> Date: Fri, 14 Sep 2007 15:27:01 +1200
> From: "Steven Jones"
> Cool....nothing like an explanation of why not to do things.
>
> Of course lacking any documentation at all....I'm left with experimentation.

If you're lacking documentation, perhaps you should complain to your distro packager. On my system (OpenSUSE) I see:

viola:~/OD/hobj/tests> man pam_ldap
Reformatting pam_ldap(5), please wait...
viola:~/OD/hobj/tests> man nss_ldap
Reformatting nss_ldap(5), please wait...
viola:~/OD/hobj/tests> man ldap.conf
Reformatting ldap.conf(5), please wait...
...

--
-- Howard Chu
Chief Architect, Symas Corp.
http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/

From jeff_clowser at fanniemae.com Fri Sep 14 18:58:53 2007
From: jeff_clowser at fanniemae.com (Clowser, Jeff (Contractor))
Date: Fri, 14 Sep 2007 14:58:53 -0400
Subject: [Fedora-directory-users] Directory Server capabilities
Message-ID:

I have a question about capabilities in the Fedora/RH Directory server:

First, can it do dynamic groups as Novell eDirectory does (or is there any effort to add this):
http://support.novell.com/techcenter/articles/ana20020405.html

Basically, it's similar to the groupofURL's that is supported by the RH/Sun directory server, but when the group is retrieved, dn's for entries that match the ldap url dynamic criteria are returned added to the uniquemember attribute, and you can do searches/compares on the uniquemember attribute that includes dynamic members. I realise there are some significant performance considerations with this, but for modest use, it would really be useful. (FWIW, I asked a similar question when FDS first was released, but didn't have another product to point to as a comparable implementation at the time. Haven't looked at FDS for a while, so I'm hoping some things might have changed :) )

Second, can it log to syslog (or some centralized logging facility), rather than local files? I run a load balanced cluster with ~20 Sun Directory server machines in it, and troubleshooting things in access/error logs is a real pain because I have to look at 20 machines to find which server the connection went to so I can find the correct log entries to find out what's going on. Has RH added other options to logging to log to syslog-ng, etc so that we can create one consolidated set of logs?

Thanks,

- Jeff
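Jeff's second question (finding which of many servers a connection went to) and the StartTLS thread above (Steven wants no plaintext passwords on the wire; Richard's answer is nsslapd-port 0 in cn=config) meet in the access log: the lines quoted in the thread already carry the peer address, the StartTLS extended operation with its OID and its RESULT. As an added example, not part of any list message or of the Fedora DS code, here is a small Python correlator that folds access-log lines from several servers into per-connection records keyed by (server, conn) and reports simple binds that were sent before TLS was up, which is the detection-side check to run before and after turning the plaintext port off. The log lines are constructed for the example, following the format quoted in the thread; the server names, the BIND and SRCH line shapes, and the assumption that an ldaps connection logs a "conn=N SSL <cipher>" line are all assumptions of this example.

```python
"""Correlate 389/Fedora DS access-log lines from several servers and flag
simple binds sent before TLS was negotiated.  Added example; the sample
lines are constructed to follow the format quoted in the thread."""
import re

# [timestamp] conn=N [op=M] rest-of-line
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>-?\d+))? (?P<rest>.*)$")
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # OID shown on the EXT line in the thread
OPS = {"SRCH", "MOD", "ADD", "DEL", "MODRDN", "CMP", "EXT", "BIND", "UNBIND"}


def parse_access_log(server, lines):
    """Fold one server's lines into {(server, conn): record}."""
    conns = {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an access-log line (banner, blank, etc.)
        c = conns.setdefault((server, int(m["conn"])), {
            "peer": None, "tls": False, "pending_tls_op": None,
            "clear_binds": [], "ops": 0, "closed": False})
        rest, op = m["rest"], m["op"]
        if "connection from " in rest:
            c["peer"] = re.search(r"connection from (\S+) to ", rest).group(1)
        elif " closed" in rest:
            c["closed"] = True
        elif rest.startswith("SSL "):
            c["tls"] = True  # assumption: ldaps connections log "conn=N SSL <cipher>"
        elif rest.startswith("EXT ") and f'oid="{STARTTLS_OID}"' in rest:
            c["pending_tls_op"] = op  # TLS is only up once this op's RESULT is err=0
            c["ops"] += 1
        elif rest.startswith("RESULT ") and c["pending_tls_op"] is not None and op == c["pending_tls_op"]:
            c["tls"] = "err=0" in rest.split()
            c["pending_tls_op"] = None
        elif rest.startswith("BIND "):
            c["ops"] += 1
            dn = re.search(r'dn="([^"]*)"', rest)
            method = re.search(r"method=(\S+)", rest)
            # method=128 is a simple bind; a non-empty DN means a password travelled with it
            if dn and dn.group(1) and method and method.group(1) == "128" and not c["tls"]:
                c["clear_binds"].append(dn.group(1))
        elif rest.split(" ", 1)[0] in OPS:
            c["ops"] += 1
    return conns


def merge_logs(sources):
    """sources: {server_name: lines}. One table for the whole cluster, keyed (server, conn)."""
    merged = {}
    for server, lines in sources.items():
        merged.update(parse_access_log(server, lines))
    return merged


def clear_text_bind_report(conns):
    """(server, conn, peer, bind DN) for every simple bind that preceded TLS."""
    return sorted((server, conn, c["peer"], dn)
                  for (server, conn), c in conns.items() for dn in c["clear_binds"])


# Constructed sample: conn 39 on ldap1 follows the thread (StartTLS, then a bind);
# conn 12 on ldap2 binds with a password in the clear; conn 13 is an anonymous bind.
SAMPLE_LOGS = {
    "ldap1": [
        '[14/Sep/2007:13:08:08 +1200] conn=39 fd=67 slot=67 connection from 130.195.87.235 to 130.195.87.249',
        '[14/Sep/2007:13:08:08 +1200] conn=39 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"',
        '[14/Sep/2007:13:08:08 +1200] conn=39 op=0 RESULT err=0 tag=120 nentries=0 etime=0',
        '[14/Sep/2007:13:08:09 +1200] conn=39 op=1 BIND dn="uid=jonesst1,ou=people,dc=example,dc=com" method=128 version=3',
        '[14/Sep/2007:13:08:09 +1200] conn=39 op=1 RESULT err=0 tag=97 nentries=0 etime=0',
        '[14/Sep/2007:13:08:08 +1200] conn=39 op=-1 fd=67 closed - Encountered end of file.',
    ],
    "ldap2": [
        '[14/Sep/2007:13:10:01 +1200] conn=12 fd=70 slot=70 connection from 130.195.87.240 to 130.195.87.250',
        '[14/Sep/2007:13:10:01 +1200] conn=12 op=0 BIND dn="uid=svc-web,ou=people,dc=example,dc=com" method=128 version=3',
        '[14/Sep/2007:13:10:01 +1200] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0',
        '[14/Sep/2007:13:10:02 +1200] conn=12 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=jonesst1)" attrs=ALL',
        '[14/Sep/2007:13:10:02 +1200] conn=12 op=1 RESULT err=0 tag=101 nentries=1 etime=0',
        '[14/Sep/2007:13:10:03 +1200] conn=13 fd=71 slot=71 connection from 130.195.87.241 to 130.195.87.250',
        '[14/Sep/2007:13:10:03 +1200] conn=13 op=0 BIND dn="" method=128 version=3',
    ],
}

if __name__ == "__main__":
    for row in clear_text_bind_report(merge_logs(SAMPLE_LOGS)):
        print("clear-text simple bind: server=%s conn=%d peer=%s dn=%s" % row)
```

Feeding each server's log in under its own name answers Jeff's "which server did the connection go to" without a central syslog, and the report is the list of clients that would break (or, worse, keep sending passwords in the clear elsewhere) if the plaintext port were closed without telling them first.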
URL: From Steven.Jones at vuw.ac.nz Sat Sep 15 02:16:42 2007 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Sat, 15 Sep 2007 14:16:42 +1200 Subject: [Fedora-directory-users] Debian client to FDS howto In-Reply-To: <46EAB310.6030605@symas.com> Message-ID: I don't actually class man pages as documentation... regards Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272 -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Howard Chu Sent: Saturday, 15 September 2007 4:13 a.m. To: fedora-directory-users at redhat.com Subject: RE: [Fedora-directory-users] Debian client to FDS howto > Date: Fri, 14 Sep 2007 15:27:01 +1200 > From: "Steven Jones" > Cool....nothing like an explanation of why not to do things. > > Of course lacking any documentation at all....I'm left with > experimentation. If you're lacking documentation, perhaps you should complain to your distro packager. On my system (OpenSUSE) I see: viola:~/OD/hobj/tests> man pam_ldap Reformatting pam_ldap(5), please wait... viola:~/OD/hobj/tests> man nss_ldap Reformatting nss_ldap(5), please wait... viola:~/OD/hobj/tests> man ldap.conf Reformatting ldap.conf(5), please wait... ... -- -- Howard Chu Chief Architect, Symas Corp. 
http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/

From hyc at symas.com Sat Sep 15 11:21:18 2007
From: hyc at symas.com (Howard Chu)
Date: Sat, 15 Sep 2007 04:21:18 -0700
Subject: [Fedora-directory-users] Directory Server capabilities
Message-ID: <46EBC02E.4040404@symas.com>

> From: "Clowser, Jeff (Contractor)"
> Date: Fri, 14 Sep 2007 14:58:53 -0400
> I have a question about capabilities in the Fedora/RH Directory server:
>
> First, can it do dynamic groups as Novell eDirectory does (or is there any effort to add this):
> http://support.novell.com/techcenter/articles/ana20020405.html

Just fyi, the Novell guys have also published this spec as an Internet Draft.
http://tools.ietf.org/html/draft-haripriya-dynamicgroup-02

The spec is full of flaws, however, as discussed here:
http://www.openldap.org/lists/ietf-ldapext/200702/threads.html

If this approach to dynamic groups is of interest to you, you should probably get involved in the discussion and give some feedback.

> Basically, it's similar to the groupofURL's that is supported by the RH/Sun directory server, but when the group is retrieved, dn's for entries that match the ldap url dynamic criteria are returned added to the uniquemember attribute, and you can do searches/compares on the uniquemember attribute that includes dynamic members.

Note that uniqueMember is a useless attribute in LDAP. Likewise the NameAndOptionalUID syntax (which is the syntax of uniqueMember) is totally misused in LDAP and should be avoided by modern software.

> I realise there are some significant performance considerations with this, but for modest use, it would really be useful.
(FWIW, I asked a similar > question when FDS first was released, but didn't have another product to > point to as a comparable implementation at the time. Haven't looked at FDS > for a while, so I'm hoping some things might have changed :) ) As a footnote, OpenLDAP supports some of the less controversial features of dynamic groups and has for quite some time already... -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ From ando at sys-net.it Sat Sep 15 13:01:22 2007 From: ando at sys-net.it (Pierangelo Masarati) Date: Sat, 15 Sep 2007 15:01:22 +0200 Subject: [Fedora-directory-users] FDS and OpenLDAP integration In-Reply-To: <46E69772.3030401@redhat.com> References: <0A175DA6-C6A6-4439-B840-FA4B039914D9@mfn.unipmn.it> <46E160CC.8050401@redhat.com> <46E16EF9.1040907@sys-net.it> <46E17A44.8050708@sys-net.it> <4332FDA6-AEDB-48E9-856E-232413A6312E@mfn.unipmn.it> <46E56280.3000406@redhat.com> <46E563C5.6040900@sys-net.it> <46E6486C.1080207@babel.com.au> <46E69772.3030401@redhat.com> Message-ID: <46EBD7A2.8000005@sys-net.it> Richard Megginson wrote: > But there are ways to sync data from Fedora DS to OpenLDAP also. You > just can't do both directions at the same time. How could I word that > appropriately? Can you elaborate on that? From the Wiki, it seems that there are some, but they're undocumented. The other way 'round (OL => FDS), one could try out OpenLDAP's slapo-accesslog(5) in the changelog-like variant (haven't tested, could need some hacking). THis should work fine with changelog (Retro Changelog). Or (and it would probably be a big plus for RFC 4533) FDS could be added a plugin that makes use of LDAP Sync. 
I note that, for applications that do not want to reinvent the wheel, OpenLDAP's libldap that ships with 2.4 provides a ldap_sync API that hides RFC 4533 details, so one only needs to deal with making use of the results of the various phases of the sync replication. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati at sys-net.it --------------------------------------- From Steven.Jones at vuw.ac.nz Sun Sep 16 22:16:06 2007 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 17 Sep 2007 10:16:06 +1200 Subject: [Fedora-directory-users] Setting up a Debian client for ssl In-Reply-To: <46EA8F84.5020108@redhat.com> Message-ID: This is my pam_ldap.conf, I seem unable to get ssl to work....what am I missing? I also need to set ssl only so no plain text passwords are sent... #file copied from openldap syntax might have issues but seems to work. #but not in ssl mode # # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. 
host 130.195.87.249
base dc=vuw,dc=ac,dc=nz
#ssl no
# this syntax does not work --> ssl on
ssl yes
ssl start_tls
pam_password exop
#pam_password md5
HOST 130.195.87.249
BASE dc=vuw,dc=ac,dc=nz
#nss_base_passwd ou=People,dc=vuw,dc=ac,dc=nz
#nss_base_shadow ou=People,dc=vuw,dc=ac,dc=nz
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_CACERT /etc/openldap/cacerts/cacert.asc
#TLS_CACERT /etc/openldap/cacerts/5be5959f.0
TLS_REQCERT allow
#syntax not liked --> uri ldapi://130.195.87.249
URI ldap://ldap.vuw.ac.nz

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

From Steven.Jones at vuw.ac.nz Sun Sep 16 22:19:58 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 17 Sep 2007 10:19:58 +1200
Subject: [Fedora-directory-users] Setting up clients for ssl only?
In-Reply-To: <46E9F762.30402@redhat.com>
Message-ID: 

8><----

Uh.....this means not a thing....where and how is it set?

On the server? Client? Ie What and where is dse.ldif?

> Steven Jones wrote:
> Is there a way to force clients to only connect via ssl?
> You can set the nsslapd-port attribute in cn=config in dse.ldif to 0.

8><----

regards

Steven

From Steven.Jones at vuw.ac.nz Mon Sep 17 03:00:32 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 17 Sep 2007 15:00:32 +1200
Subject: [Fedora-directory-users] rhas4 Setting up clients for ssl only?
In-Reply-To: 
Message-ID: 

I seem unable to get this to work in anything but simple mode.....

Here is my ldap.conf for RHAS4,

URI ldap://ldap.vuw.ac.nz
#host 130.195.87.249
base dc=vuw,dc=ac,dc=nz
#ssl no
#ssl on
pam_password md5
#HOST 130.195.87.249
BASE dc=vuw,dc=ac,dc=nz
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow

Trying "ssl on" breaks ssh

So has anyone got an example ldap.conf?

Since Debian also won't ssl, it is possible the server is the issue.....
regards Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272 -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Steven Jones Sent: Monday, 17 September 2007 10:20 a.m. To: General discussion list for the Fedora Directory server project. Subject: RE: [Fedora-directory-users] Setting up clients for ssl only? 8><---- Uh.....this means not a thing....where and how is it set? On the server? Client? Ie What and where is dse.ldif? > Steven Jones wrote: > Is there a way to force clients to only connect via ssl? > You can set the nsslapd-port attribute in cn=config in dse.ldif to 0. 8><---- regards Steven -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users From Steven.Jones at vuw.ac.nz Mon Sep 17 04:37:23 2007 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 17 Sep 2007 16:37:23 +1200 Subject: [Fedora-directory-users] rhas4 Setting up clients for ssl only? In-Reply-To: Message-ID: Reading through the http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html document.... 8><--------- 3.3 Binding Linux/Unix Machines to LDAPs First of all for your client LDAP machine to connect via LDAPs you need to have the Certificate Authority file installed on your client which was generated for the Directory Server to allow it to recognize that the SSL connection is valid. 8><--------- So I have all these choices.... 
[root at vuwunicvfdsm001 cacerts]# cd /opt/fedora-ds/alias
[root at vuwunicvfdsm001 alias]# ls -l
total 640
-rw-r--r-- 1 nobody nobody    193 Sep 14 11:31 addRSA.ldif
-rw------- 1 nobody nobody  16384 Sep 13 15:33 admin-serv-secmod.db
-rw------- 1 nobody nobody  65536 Sep 14 11:19 admin-serv-vuwunicvfdsm001-cert8.db
-rw------- 1 nobody nobody  16384 Sep 14 11:19 admin-serv-vuwunicvfdsm001-key3.db
-rw-r--r-- 1 nobody nobody    619 Sep 14 11:13 cacert.asc
-rw------- 1 nobody nobody   1554 Sep 14 11:10 cacert.pfx
-rwxr-xr-x 1 nobody nobody 239744 Nov  8  2006 libnssckbi.so
-rw-r--r-- 1 nobody nobody     62 Sep 14 09:44 noise.txt
-rw------- 1 nobody nobody  65536 Sep 13 15:43 orig-slapd-vuwunicvfdsm001-cert8.db
-rw------- 1 nobody nobody  16384 Sep 13 15:43 orig-slapd-vuwunicvfdsm001-key3.db
-rw-r--r-- 1 nobody nobody      9 Sep 13 15:43 pwdfile.txt
-rw------- 1 nobody nobody  16384 Sep 14 13:37 secmod.db
-rw------- 1 nobody nobody   2044 Sep 14 11:11 servercert.pfx
-rw------- 1 nobody nobody  65536 Sep 14 10:29 slapd-serverID-cert8.db
-rw------- 1 nobody nobody  16384 Sep 14 10:29 slapd-serverID-key3.db
-rw-r--r-- 1 nobody nobody      0 Sep 14 13:35 slapd-serverID-pin.txt
-rw------- 1 nobody nobody  65536 Sep 14 11:11 slapd-vuwunicvfdsm001-cert8.db
-rw------- 1 nobody nobody  16384 Sep 14 11:11 slapd-vuwunicvfdsm001-key3.db
-r-------- 1 nobody nobody     35 Sep 14 13:36 slapd-vuwunicvfdsm001-pin.txt
-rw-r--r-- 1 nobody nobody    693 Sep 14 11:23 ssl_enable.ldif

So is this the file I am meant to copy over?
-rw-r--r-- 1 root root 619 Sep 17 16:27 5be5959f.0
-rw-r--r-- 1 root root 619 Sep 17 16:27 cacert.asc
[root at vuwunicvfwall02 cacerts]# ldapsearch -x -ZZ '(uid=jonesst1)'
ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[root at vuwunicvfwall02 cacerts]# pwd
/etc/openldap/cacerts
[root at vuwunicvfwall02 cacerts]#

If so it is failing, but at least it appears it is consistent with the Debian client which also has a -11 error....at least I think so.....

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Steven Jones
Sent: Monday, 17 September 2007 3:01 p.m.
To: General discussion list for the Fedora Directory server project.
Subject: [Fedora-directory-users] rhas4 Setting up clients for ssl only?

I seem unable to get this to work in anything but simple mode.....

Here is my ldap.conf for RHAS4,

URI ldap://ldap.vuw.ac.nz
#host 130.195.87.249
base dc=vuw,dc=ac,dc=nz
#ssl no
#ssl on
pam_password md5
#HOST 130.195.87.249
BASE dc=vuw,dc=ac,dc=nz
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow

Trying "ssl on" breaks ssh

So has anyone got an example ldap.conf?

Since Debian also won't ssl, it is possible the server is the issue.....

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Steven Jones
Sent: Monday, 17 September 2007 10:20 a.m.
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] Setting up clients for ssl only?
8><---- Uh.....this means not a thing....where and how is it set? On the server? Client? Ie What and where is dse.ldif? > Steven Jones wrote: > Is there a way to force clients to only connect via ssl? > You can set the nsslapd-port attribute in cn=config in dse.ldif to 0. 8><---- regards Steven -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users From linuxtrap at yahoo.co.in Mon Sep 17 13:46:33 2007 From: linuxtrap at yahoo.co.in (satish patel) Date: Mon, 17 Sep 2007 14:46:33 +0100 (BST) Subject: [Fedora-directory-users] samba + Directory server + windows client Message-ID: <998453.97612.qm@web8402.mail.in.yahoo.com> Dear all I am going to implement Intranet server on my organization i m very intreseted on FDS now thing is that my users on windows client and i am installing samba 4.0 as a PDC. so is it possible i can create group policy or network controll through FDS + samba PDC means i dont want to give access of Network to a specific user or not give access of telnet command or something like that which is possible on windows 2003 PDC it will support all policy on OpenSource Setup ??? Regards satish patel $ cat ~/satish/url.txt http://www.linuxbug.org _____________________________________________________________________________________________________ --------------------------------- Why delete messages? Unlimited storage is just a click away. -------------- next part -------------- An HTML attachment was scrubbed... 
From rmeggins at redhat.com Mon Sep 17 13:56:43 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 17 Sep 2007 07:56:43 -0600
Subject: [Fedora-directory-users] FDS and OpenLDAP integration
In-Reply-To: <46EBD7A2.8000005@sys-net.it>
References: <0A175DA6-C6A6-4439-B840-FA4B039914D9@mfn.unipmn.it> <46E160CC.8050401@redhat.com> <46E16EF9.1040907@sys-net.it> <46E17A44.8050708@sys-net.it> <4332FDA6-AEDB-48E9-856E-232413A6312E@mfn.unipmn.it> <46E56280.3000406@redhat.com> <46E563C5.6040900@sys-net.it> <46E6486C.1080207@babel.com.au> <46E69772.3030401@redhat.com> <46EBD7A2.8000005@sys-net.it>
Message-ID: <46EE879B.7060409@redhat.com>

Pierangelo Masarati wrote:
> Richard Megginson wrote:
>
>> But there are ways to sync data from Fedora DS to OpenLDAP also. You
>> just can't do both directions at the same time. How could I word that
>> appropriately?
>>
>
> Can you elaborate on that? From the Wiki, it seems that there are some,
> but they're undocumented.
>
I haven't had time to properly test and document this, but there are at least 3 ways that I know of.

1) Enable audit logging, and use a process to periodically read from the audit log and send those changes to another ldap server.

2) Enable audit logging, but use a named pipe instead of a file.

1 and 2 could probably be a Net::LDAP perl script or a python-ldap script - read in the LDIF change records from the audit log, convert to LDAP add/modify/delete commands.

3) Use the Retro Changelog in conjunction with persistent search. This could also be a script (if the LDAP client implementation understands Fedora DS persistent search) that does basically the same thing as 1 and 2 above.

> The other way 'round (OL => FDS), one could try out OpenLDAP's
> slapo-accesslog(5) in the changelog-like variant (haven't tested, could
> need some hacking). This should work fine with changelog (Retro
> Changelog).
> > Or (and it would probably be a big plus for RFC 4533) FDS could be added > a plugin that makes use of LDAP Sync. I note that, for applications > that do not want to reinvent the wheel, OpenLDAP's libldap that ships > with 2.4 provides a ldap_sync API that hides RFC 4533 details, so one > only needs to deal with making use of the results of the various phases > of the sync replication. > That's good to know. Thanks! > p. > > > > Ing. Pierangelo Masarati > OpenLDAP Core Team > > SysNet s.r.l. > via Dossi, 8 - 27100 Pavia - ITALIA > http://www.sys-net.it > --------------------------------------- > Office: +39 02 23998309 > Mobile: +39 333 4963172 > Email: pierangelo.masarati at sys-net.it > --------------------------------------- > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Mon Sep 17 14:01:01 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 17 Sep 2007 08:01:01 -0600 Subject: [Fedora-directory-users] Setting up a Debian client for ssl In-Reply-To: References: Message-ID: <46EE889D.3070201@redhat.com> Steven Jones wrote: > This is my pam_ldap.conf, > > I seem unable to get ssl to work....what am I missing? > > I also need to set ssl only so no plain text passwords are sent... > > #file copied from openldap syntax might have issues but seems to work. > #but not in ssl mode > # > # > # LDAP Defaults > # > > # See ldap.conf(5) for details > # This file should be world readable but not world writable. 
> host 130.195.87.249
> base dc=vuw,dc=ac,dc=nz
> #ssl no
> # this syntax does not work --> ssl on
> ssl yes
> ssl start_tls
> pam_password exop
> #pam_password md5
> HOST 130.195.87.249
> BASE dc=vuw,dc=ac,dc=nz
> #nss_base_passwd ou=People,dc=vuw,dc=ac,dc=nz
> #nss_base_shadow ou=People,dc=vuw,dc=ac,dc=nz
> TLS_CACERTDIR /etc/openldap/cacerts/
> TLS_CACERT /etc/openldap/cacerts/cacert.asc
> #TLS_CACERT /etc/openldap/cacerts/5be5959f.0
> TLS_REQCERT allow
> #syntax not liked --> uri ldapi://130.195.87.249
> URI ldap://ldap.vuw.ac.nz
>
To rule out cert CA issues, set TLS_REQCERT to never. I don't think you can specify both TLS_CACERTDIR and TLS_CACERT - or maybe you can, but I always have problems when trying to use TLS_CACERTDIR

> regards
>
> Steven Jones
> Senior Linux/Unix/San/Vmware System Administrator
> APG -Technology Integration Team
> Victoria University of Wellington
> Phone: +64 4 463 6272
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From rmeggins at redhat.com Mon Sep 17 14:09:06 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 17 Sep 2007 08:09:06 -0600
Subject: [Fedora-directory-users] Setting up clients for ssl only?
In-Reply-To: 
References: 
Message-ID: <46EE8A82.2010805@redhat.com>

Steven Jones wrote:
> 8><----
>
> Uh.....this means not a thing....where and how is it set?
>
> On the server? Client? Ie What and where is dse.ldif?
>
Sorry, I assumed a level of familiarity with the product that I should not have.

The file /opt/fedora-ds/slapd-instance/config/dse.ldif is the main server configuration file. This file is in LDIF format. The configuration is broken up into LDIF/LDAP entries.
Each entry begins with a line like this:

dn: <dn>

Where <dn> is the distinguished name (DN) of the configuration entry. Each entry ends with a blank line (e.g. in perl this matches /^$/).

The main configuration entry is cn=config - it begins in the file dse.ldif with the line

dn: cn=config

In this entry is an attribute named nsslapd-port which by default has a value of 389 e.g.

nsslapd-port: 389

Some default values are not written to dse.ldif. This one might not be, not sure.

If you set this value to 0, the server will not listen for non-secure connections. In order to change this value, you must first shutdown the server. Then, using a text editor, edit the file, and change 389 to 0. If the attribute is not present in the entry, add it as the last line in the entry - make sure there are no empty lines before this one, and make sure there is a single empty line after it, before the start of the next entry.

Finally, I'll note that in one of your previous configurations that you posted, you have set it to use start_tls. If you want to use LDAP startTLS, _you must use the non-secure LDAP port_. Which means you cannot set it to 0. Fedora DS currently has no way to force all connections to first use the startTLS command. So if you use startTLS, there is no way to force all connections to use TLS/SSL.

>
>> Steven Jones wrote:
>> Is there a way to force clients to only connect via ssl?
>>
>>
> You can set the nsslapd-port attribute in cn=config in dse.ldif to 0.
>
> 8><----
>
> regards
>
> Steven
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
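The hand-editing steps Richard describes above (stop the server, find the cn=config entry in dse.ldif, set nsslapd-port to 0 or add it as the last line of that entry, keep one blank line before the next entry) are easy to get subtly wrong in a file the server rewrites. The script below is an added example, not code from this thread or from Fedora DS/389, that does the same edit mechanically. The guard that refuses unless nsslapd-security is "on" and nsslapd-securePort is set is my addition; those two attribute names are an assumption about the cn=config schema, not something the thread shows. The dse.ldif fragment is constructed for the demonstration.

```python
"""Set nsslapd-port to 0 in a Fedora DS dse.ldif, following the steps in the reply above.

Added example, not code from the thread or from Fedora DS/389. It locates the
entry that starts with "dn: cn=config", replaces "nsslapd-port" or appends it
as the entry's last line, and re-joins entries with exactly one blank line.
The LDAPS guard (nsslapd-security / nsslapd-securePort) is an assumption about
the cn=config schema. Stop ns-slapd before running this on a real file.
"""
import re
import sys

# Constructed dse.ldif fragment for the demonstration (not from the post).
SAMPLE_DSE = """\
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-port: 389
nsslapd-securePort: 636
nsslapd-security: on
nsslapd-localhost: ldap.example.com

dn: cn=plugins,cn=config
cn: plugins
objectClass: top
objectClass: nsContainer
"""


def split_entries(ldif_text):
    """Split LDIF into entries, each a list of its non-blank lines."""
    entries, current = [], []
    for line in ldif_text.splitlines():
        if line.strip():
            current.append(line)
        elif current:
            entries.append(current)
            current = []
    if current:
        entries.append(current)
    return entries


def join_entries(entries):
    """Reassemble entries with exactly one blank line between them."""
    return "\n\n".join("\n".join(e) for e in entries) + "\n"


def find_entry(entries, dn):
    """Return the entry whose dn line names dn (case-insensitive), else None."""
    for entry in entries:
        dn_line = next((l for l in entry if l.lower().startswith("dn:")), "")
        if dn_line and dn_line.split(":", 1)[1].strip().lower() == dn.lower():
            return entry
    return None


def _attr_index(entry, attr):
    """Index of the line that carries attr (attribute names are case-insensitive), or -1."""
    pat = re.compile(r"^%s\s*:" % re.escape(attr), re.IGNORECASE)
    return next((i for i, line in enumerate(entry) if pat.match(line)), -1)


def get_attr(entry, attr):
    i = _attr_index(entry, attr)
    return None if i < 0 else entry[i].split(":", 1)[1].strip()


def set_attr(entry, attr, value):
    """Replace the attribute's line in place, or append it as the entry's last line."""
    i = _attr_index(entry, attr)
    line = "%s: %s" % (attr, value)
    if i < 0:
        entry.append(line)
    else:
        entry[i] = line


def disable_plain_port(ldif_text):
    """Return dse.ldif text with nsslapd-port: 0, or raise if that would leave no listener."""
    entries = split_entries(ldif_text)
    config = find_entry(entries, "cn=config")
    if config is None:
        raise ValueError("no cn=config entry found")
    security_on = (get_attr(config, "nsslapd-security") or "off").lower() == "on"
    secure_port = get_attr(config, "nsslapd-securePort")
    if not (security_on and secure_port and secure_port != "0"):
        raise ValueError("LDAPS is not enabled; port 0 would lock every client out")
    set_attr(config, "nsslapd-port", "0")
    return join_entries(entries)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # rewrite a real file; the server must be stopped first
        with open(sys.argv[1]) as fh:
            new_text = disable_plain_port(fh.read())
        with open(sys.argv[1], "w") as fh:
            fh.write(new_text)
    else:
        sys.stdout.write(disable_plain_port(SAMPLE_DSE))
```

Run with no argument to see the rewritten sample, or with the path to a stopped instance's dse.ldif to edit it in place. Remember the caveat from the reply above: this only makes sense for clients that talk LDAPS on the secure port; any client configured with "ssl start_tls" still needs port 389 and will stop working once it is 0.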
From Steven.Jones at vuw.ac.nz Mon Sep 17 17:55:09 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 18 Sep 2007 05:55:09 +1200
Subject: [Fedora-directory-users] Setting up a Debian client for ssl
In-Reply-To: <46EE889D.3070201@redhat.com>
Message-ID: 

My /etc/ldap.conf now looks like this,

# http://www.padl.com
URI ldap://ldap.vuw.ac.nz
#host 130.195.87.249
base dc=vuw,dc=ac,dc=nz
#ssl no
#ssl on
pam_password md5
#HOST 130.195.87.249
BASE dc=vuw,dc=ac,dc=nz
#tls_cacertdir /etc/openldap/cacerts
tls_cacertfile /etc/openldap/cacerts/ca.crt
#TLS_REQCERT allow
TLS_REQCERT never
host ldap.vuw.ac.nz
ssl start_tls

When I do,

[root at vuwunicvfwall01 etc]# ldapsearch -x -ZZ '(uid=jonesst1)'
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (uid=jonesst1)
# requesting: ALL
#

# jonesst1, People, vuw.ac.nz
dn: uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz
givenName: Steven
sn: Jones
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: jonesst1
cn: Steven Jones
homeDirectory: /home/jonesst1

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
[root at vuwunicvfwall01 etc]#

Log file shows,

[root at vuwunicvfdsm001 logs]# tail -f access
[18/Sep/2007:05:46:37 +1200] conn=2326 fd=70 slot=70 connection from 130.195.87.250 to 130.195.87.249
[18/Sep/2007:05:46:37 +1200] conn=2326 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Sep/2007:05:46:37 +1200] conn=2326 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[18/Sep/2007:05:46:37 +1200] conn=2326 SSL 256-bit AES
[18/Sep/2007:05:46:37 +1200] conn=2326 op=1 BIND dn="" method=128 version=3
[18/Sep/2007:05:46:37 +1200] conn=2326 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[18/Sep/2007:05:46:37 +1200] conn=2326 op=2 SRCH base="dc=vuw,dc=ac,dc=nz"
scope=2 filter="(uid=jonesst1)" attrs=ALL
[18/Sep/2007:05:46:37 +1200] conn=2326 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[18/Sep/2007:05:46:37 +1200] conn=2326 op=3 UNBIND
[18/Sep/2007:05:46:37 +1200] conn=2326 op=3 fd=70 closed - U1

However ssh no longer works. The access log shows (it has "startTLS", which I guess is good),

[18/Sep/2007:05:49:27 +1200] conn=2327 op=-1 fd=70 closed - Encountered end of file.
[18/Sep/2007:05:49:52 +1200] conn=2328 fd=70 slot=70 connection from 130.195.87.250 to 130.195.87.249
[18/Sep/2007:05:49:52 +1200] conn=2328 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Sep/2007:05:49:52 +1200] conn=2328 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[18/Sep/2007:05:50:00 +1200] conn=2329 fd=71 slot=71 connection from 127.0.0.1 to 127.0.0.1
[18/Sep/2007:05:50:00 +1200] conn=2329 op=0 BIND dn="" method=128 version=3
[18/Sep/2007:05:50:00 +1200] conn=2329 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[18/Sep/2007:05:50:00 +1200] conn=2329 op=1 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=root))" attrs=ALL
[18/Sep/2007:05:50:00 +1200] conn=2329 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[18/Sep/2007:05:50:00 +1200] conn=2329 op=2 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=root))" attrs="gidNumber"
[18/Sep/2007:05:50:00 +1200] conn=2329 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[18/Sep/2007:05:50:00 +1200] conn=2329 op=-1 fd=71 closed - B1
[18/Sep/2007:05:50:01 +1200] conn=2330 fd=71 slot=71 connection from 130.195.87.250 to 130.195.87.249
[18/Sep/2007:05:50:01 +1200] conn=2330 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Sep/2007:05:50:01 +1200] conn=2330 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[18/Sep/2007:05:50:01 +1200] conn=2330 op=-1 fd=71 closed - Encountered end of file.
[18/Sep/2007:05:50:01 +1200] conn=2331 fd=71 slot=71 connection from 130.195.87.246 to 130.195.87.249
[18/Sep/2007:05:50:01 +1200] conn=2331 op=0 BIND dn="" method=128 version=3
[18/Sep/2007:05:50:01 +1200] conn=2331 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[18/Sep/2007:05:50:01 +1200] conn=2331 op=1 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=root))" attrs=ALL
[18/Sep/2007:05:50:01 +1200] conn=2331 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[18/Sep/2007:05:50:01 +1200] conn=2331 op=2 SRCH base="ou=Groups,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=root))" attrs="gidNumber"
[18/Sep/2007:05:50:01 +1200] conn=2331 op=2 RESULT err=32 tag=101 nentries=0 etime=0
[18/Sep/2007:05:50:01 +1200] conn=2331 op=-1 fd=71 closed - B1

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
Sent: Tuesday, 18 September 2007 2:01 a.m.
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Setting up a Debian client for ssl

Steven Jones wrote:
> This is my pam_ldap.conf,
>
> I seem unable to get ssl to work....what am I missing?
>
> I also need to set ssl only so no plain text passwords are sent...
>
> #file copied from openldap syntax might have issues but seems to work.
> #but not in ssl mode
> #
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
> host 130.195.87.249
> base dc=vuw,dc=ac,dc=nz
> #ssl no
> # this syntax does not work --> ssl on
> ssl yes
> ssl start_tls
> pam_password exop
> #pam_password md5
> HOST 130.195.87.249
> BASE dc=vuw,dc=ac,dc=nz
> #nss_base_passwd ou=People,dc=vuw,dc=ac,dc=nz
> #nss_base_shadow ou=People,dc=vuw,dc=ac,dc=nz
> TLS_CACERTDIR /etc/openldap/cacerts/
> TLS_CACERT /etc/openldap/cacerts/cacert.asc
> #TLS_CACERT /etc/openldap/cacerts/5be5959f.0
> TLS_REQCERT allow
> #syntax not liked --> uri ldapi://130.195.87.249
> URI ldap://ldap.vuw.ac.nz
>
To rule out cert CA issues, set TLS_REQCERT to never. I don't think you can specify both TLS_CACERTDIR and TLS_CACERT - or maybe you can, but I always have problems when trying to use TLS_CACERTDIR

> regards
>
> Steven Jones
> Senior Linux/Unix/San/Vmware System Administrator
> APG -Technology Integration Team
> Victoria University of Wellington
> Phone: +64 4 463 6272
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From Steven.Jones at vuw.ac.nz Mon Sep 17 18:28:35 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 18 Sep 2007 06:28:35 +1200
Subject: [Fedora-directory-users] Setting up a redhat client for ssl
In-Reply-To: 
Message-ID: 

Hi,

Please ignore the previous post I will go shoot myself....

I was testing with two clients and had the ca.crt on one but was working on the other, so it is not surprising it did not work.... Doh.....

So once I scp'd over the file, both rhas4 clients work.... Doh.....
My final /etc/ldap.conf looks like this,

# http://www.padl.com
URI ldap://ldap.vuw.ac.nz
#host 130.195.87.249
base dc=vuw,dc=ac,dc=nz
#ssl no
#ssl on
pam_password md5
#HOST 130.195.87.249
BASE dc=vuw,dc=ac,dc=nz
#tls_cacertdir /etc/openldap/cacerts
tls_cacertfile /etc/openldap/cacerts/ca.crt
TLS_REQCERT allow
#TLS_REQCERT never
host ldap.vuw.ac.nz
ssl start_tls

The access log shows this while doing a ssh into the (LDAP) client,

[root at vuwunicvfdsm001 logs]# tail -f access
[18/Sep/2007:06:15:14 +1200] conn=2370 op=-1 fd=74 closed - B1
[18/Sep/2007:06:15:18 +1200] conn=2376 fd=71 slot=71 connection from 130.195.87.250 to 130.195.87.249
[18/Sep/2007:06:15:18 +1200] conn=2376 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Sep/2007:06:15:18 +1200] conn=2376 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[18/Sep/2007:06:15:18 +1200] conn=2376 SSL 256-bit AES
8><---------

So this is now all correct?

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

From jeff_clowser at fanniemae.com Mon Sep 17 19:06:10 2007
From: jeff_clowser at fanniemae.com (Clowser, Jeff (Contractor))
Date: Mon, 17 Sep 2007 15:06:10 -0400
Subject: [Fedora-directory-users] Directory Server capabilities (Dynamic Groups)
In-Reply-To: <46EBC02E.4040404@symas.com>
References: <46EBC02E.4040404@symas.com>
Message-ID: 

OK - I see the following in openldap:
http://linux.die.net/man/5/slapo-dynlist

My previous example was Novell eDirectory, but this works just as well or better for what I'm looking for (I actually like this better because I can dynamically generate more than just group members, but even that would be enough.)

So... Any chance that something like this is available or being worked on for FDS?

> ...
> As a footnote, OpenLDAP supports some of the less controversial features of
> dynamic groups and has for quite some time already...
> -- > -- Howard Chu > Chief Architect, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/ From prowley at redhat.com Mon Sep 17 19:23:06 2007 From: prowley at redhat.com (Pete Rowley) Date: Mon, 17 Sep 2007 12:23:06 -0700 Subject: [Fedora-directory-users] Directory Server capabilities (Dynamic Groups) In-Reply-To: References: <46EBC02E.4040404@symas.com> Message-ID: <46EED41A.4070401@redhat.com> Clowser, Jeff (Contractor) wrote: > OK - I see the following in openldap: > http://linux.die.net/man/5/slapo-dynlist > > My previous example was Novell eDirectory, but this works just as well > or better > for what I'm looking for (I actually like this better because I can > dynamically > generate more than just group members, but even that would be enough.) > > So... Any chance that something like this is available or being worked > on for FDS? > > > Roles: http://www.redhat.com/docs/manuals/dir-server/deploy/7.1/dit.html#15038 http://www.redhat.com/docs/manuals/dir-server/ag/7.1/roles.html#1115402 >> ... >> As a footnote, OpenLDAP supports some of the less controversial >> > features of > >> dynamic groups and has for quite some time already... >> -- >> -- Howard Chu >> Chief Architect, Symas Corp. http://www.symas.com >> Director, Highland Sun http://highlandsun.com/hyc/ >> Chief Architect, OpenLDAP http://www.openldap.org/project/ >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -- Pete -------------- next part -------------- A non-text attachment was scrubbed... 
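Richard Megginson's reply in the "FDS and OpenLDAP integration" thread above lists three ways to push changes from Fedora DS to another server; options 1 and 2 both come down to reading the LDIF change records out of the audit log and turning them into add/modify/delete operations. The script below is an added example of that conversion step, not code from the thread or from Fedora DS/389. It assumes the audit-log layout is one record per blank-line-separated block, a "time:" line followed by a standard LDIF change record (that layout is my assumption about the 1.0.x format; the thread does not show an audit log), decodes "::" base64 values per RFC 2849, drops server-maintained attributes such as modifiersName that a second directory would reject or mis-stamp, and emits ldapmodify input. The sample audit log is constructed for the demonstration.

```python
"""Turn Fedora DS audit-log change records into ldapmodify input.

Added example, not code from the thread or from Fedora DS/389. Assumed
audit-log layout (an assumption, not shown in the thread): blank-line
separated records, each a "time:" line followed by an LDIF change record.
"""
import base64
import re

# Constructed sample audit log for the demonstration (not from the post).
SAMPLE_AUDIT_LOG = """\
time: 20070917135643
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: jdoe
cn: John Doe
sn: Doe
description:: SMOpbGxvIHdvcmxk

time: 20070917135701
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
replace: mail
mail: jdoe@example.com
-
replace: modifiersname
modifiersname: cn=directory manager
-

time: 20070917135730
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: delete
"""

# Attributes the server maintains itself; replaying them elsewhere is rejected or misleading.
OPERATIONAL = {"modifiersname", "modifytimestamp", "creatorsname",
               "createtimestamp", "entryid", "nsuniqueid"}


def _split_attr(line):
    """Return (name, value) for 'attr: value' or 'attr:: base64'; name lower-cased."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):  # base64 value per RFC 2849
        raw = base64.b64decode(rest[1:].strip())
        return name.strip().lower(), raw.decode("utf-8", "surrogateescape")
    return name.strip().lower(), rest.strip()


def _parse_mods(body):
    """Turn the body of a modify record into (op, attr, values) tuples."""
    mods, current = [], None
    for name, value in body:
        if name == "-":  # end of one modification
            if current:
                mods.append(current)
            current = None
        elif name in ("add", "delete", "replace"):
            current = (name, value.lower(), [])
        elif current is not None and name == current[1]:
            current[2].append(value)
        # anything else is malformed; skip it rather than guess
    if current:
        mods.append(current)
    return mods


def parse_audit_log(text):
    """Yield one dict per change record: time, dn, changetype, attrs or mods."""
    unfolded = re.sub(r"\n ", "", text)  # join LDIF continuation lines
    for block in unfolded.strip().split("\n\n"):
        rec = {"time": None, "dn": None, "changetype": None, "attrs": {}, "mods": []}
        body = []
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, value = ("-", "") if line == "-" else _split_attr(line)
            if name in ("time", "dn", "changetype"):
                rec[name] = value
            else:
                body.append((name, value))
        if not (rec["dn"] and rec["changetype"]):
            continue  # banner line or junk block, not a change record
        if rec["changetype"] == "modify":
            rec["mods"] = _parse_mods(body)
        else:  # add and modrdn carry plain attribute lines
            for name, value in body:
                rec["attrs"].setdefault(name, []).append(value)
        yield rec


def _ldif_line(name, value):
    """Emit 'name: value', base64-encoding when RFC 2849 requires it."""
    safe = (value.isascii() and value == value.strip()
            and not value.startswith((":", "<")) and "\n" not in value)
    if safe:
        return "%s: %s" % (name, value)
    b64 = base64.b64encode(value.encode("utf-8", "surrogateescape")).decode("ascii")
    return "%s:: %s" % (name, b64)


def to_ldif(rec, drop=OPERATIONAL):
    """Render a parsed record as an ldapmodify change record (no 'time:' line)."""
    out = [_ldif_line("dn", rec["dn"]), "changetype: %s" % rec["changetype"]]
    if rec["changetype"] == "modify":
        for op, attr, values in rec["mods"]:
            if attr in drop:
                continue
            out.append("%s: %s" % (op, attr))
            out.extend(_ldif_line(attr, v) for v in values)
            out.append("-")
    else:
        for name, values in rec["attrs"].items():
            if name not in drop:
                out.extend(_ldif_line(name, v) for v in values)
    return "\n".join(out) + "\n"


def convert(text):
    """Audit log text in, ldapmodify input (records separated by blank lines) out."""
    return "\n".join(to_ldif(r) for r in parse_audit_log(text))


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    sys.stdout.write(convert(src))
```

Typical use is to pipe the output into ldapmodify against the target server, binding with a dedicated replication identity over TLS rather than as the directory manager; the modify that remains after dropping modifiersName is exactly the change a user would have made by hand. Note that a modify that fails on the target (for instance a delete of a value that was never replicated) stops ldapmodify unless you pass -c, so keep the audit log offset you last processed and re-run from there rather than from the top.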
From Steven.Jones at vuw.ac.nz Mon Sep 17 19:23:56 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 18 Sep 2007 07:23:56 +1200
Subject: [Fedora-directory-users] Setting up a Debian client for ssl
In-Reply-To: 
Message-ID: 

I almost have a Debian client working but it has a small error, the first login fails but the second succeeds....

/etc/pam_ldap.conf looks like this,

# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#pam_password exop
BASE dc=vuw,dc=ac,dc=nz
#URI ldap://ldap.vuw.ac.nz
base dc=vuw,dc=ac,dc=nz
#ssl no
ssl on
pam_password md5
BASE dc=vuw,dc=ac,dc=nz
tls_cacertfile /etc/ssl/certs/ldap/ca.crt
TLS_REQCERT allow
#TLS_REQCERT never
host ldap.vuw.ac.nz
ssl start_tls

log output for ssh connections has "startTLS",

[root at vuwunicvfdsm001 logs]# > access
[root at vuwunicvfdsm001 logs]# tail -f access
[18/Sep/2007:07:19:26 +1200] conn=2409 fd=71 slot=71 connection from 130.195.87.235 to 130.195.87.249
[18/Sep/2007:07:19:26 +1200] conn=2409 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Sep/2007:07:19:26 +1200] conn=2409 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[18/Sep/2007:07:19:26 +1200] conn=2409 SSL 256-bit AES
[18/Sep/2007:07:19:30 +1200] conn=2409 op=2 BIND dn="" method=128 version=3
[18/Sep/2007:07:19:30 +1200] conn=2409 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[18/Sep/2007:07:19:30 +1200] conn=2409 op=3 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(uid=jonesst1)" attrs=ALL
[18/Sep/2007:07:19:30 +1200] conn=2409 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[18/Sep/2007:07:19:30 +1200] conn=2409 op=4 BIND dn="uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" method=128 version=3
[18/Sep/2007:07:19:30 +1200] conn=2409 op=4 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jonesst1,ou=people,dc=vuw,dc=ac,dc=nz"
[18/Sep/2007:07:19:30 +1200] conn=2409 op=5
BIND dn="" method=128 version=3
[18/Sep/2007:07:19:30 +1200] conn=2409 op=5 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[18/Sep/2007:07:19: 30 +1200] conn=2409 op=6 UNBIND
[18/Sep/2007:07:19:30 +1200] conn=2409 op=6 fd=71 closed - U1

So I just need to figure out why the first attempt fails but the second succeeds.

Regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

From rmeggins at redhat.com Mon Sep 17 19:25:55 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 17 Sep 2007 13:25:55 -0600
Subject: [Fedora-directory-users] Directory Server capabilities (Dynamic Groups)
In-Reply-To: 
References: <46EBC02E.4040404@symas.com>
Message-ID: <46EED4C3.3020004@redhat.com>

Clowser, Jeff (Contractor) wrote:
> OK - I see the following in openldap:
> http://linux.die.net/man/5/slapo-dynlist
>
> My previous example was Novell eDirectory, but this works just as well
> or better
> for what I'm looking for (I actually like this better because I can
> dynamically
> generate more than just group members, but even that would be enough.)
>
> So... Any chance that something like this is available or being worked
> on for FDS?
>
Not that I know of, but this does seem like a generally useful feature. Please file an enhancement request for this feature at bugzilla.redhat.com
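The access-log excerpts Steven Jones posted in the "Setting up a Debian client for ssl" messages above make the security question concrete: a connection is only protected once the "SSL 256-bit AES" line appears for it, and a BIND with method=128 (simple bind) before that line sends its credentials in clear. In the earlier excerpt conn=2326 does the startTLS extended operation, reaches the SSL line and only then binds, while conn=2329 (from 127.0.0.1) and conn=2331 bind with no startTLS at all. Those two happen to bind with an empty dn, which is anonymous and carries no password, but the same thing with a real dn would be exactly the plaintext password Steven wants to rule out. The script below is an added example, not code from the thread or from Fedora DS/389, that walks an access log and reports simple binds made before TLS was up on that connection. The sample log is constructed, modelled on the lines in the thread.

```python
"""Report simple binds that went over the wire without TLS in a Fedora DS access log.

Added example, not code from the thread or from Fedora DS/389. Line shapes
follow the access-log excerpts in the thread: "connection from", the startTLS
EXT op (oid 1.3.6.1.4.1.1466.20037), "SSL <cipher>", and BIND ... method=128.
"""
import re

# Constructed sample, modelled on the lines in the thread (not copied verbatim).
SAMPLE_ACCESS_LOG = '''\
[18/Sep/2007:05:46:37 +1200] conn=2326 fd=70 slot=70 connection from 130.195.87.250 to 130.195.87.249
[18/Sep/2007:05:46:37 +1200] conn=2326 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Sep/2007:05:46:37 +1200] conn=2326 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[18/Sep/2007:05:46:37 +1200] conn=2326 SSL 256-bit AES
[18/Sep/2007:05:46:37 +1200] conn=2326 op=1 BIND dn="uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" method=128 version=3
[18/Sep/2007:05:46:37 +1200] conn=2326 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jonesst1,ou=people,dc=vuw,dc=ac,dc=nz"
[18/Sep/2007:05:46:37 +1200] conn=2326 op=2 UNBIND
[18/Sep/2007:05:50:00 +1200] conn=2329 fd=71 slot=71 connection from 127.0.0.1 to 127.0.0.1
[18/Sep/2007:05:50:00 +1200] conn=2329 op=0 BIND dn="" method=128 version=3
[18/Sep/2007:05:50:00 +1200] conn=2329 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[18/Sep/2007:05:50:00 +1200] conn=2329 op=-1 fd=71 closed - B1
[18/Sep/2007:05:50:01 +1200] conn=2331 fd=71 slot=71 connection from 130.195.87.246 to 130.195.87.249
[18/Sep/2007:05:50:01 +1200] conn=2331 op=0 BIND dn="uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" method=128 version=3
[18/Sep/2007:05:50:01 +1200] conn=2331 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jonesst1,ou=people,dc=vuw,dc=ac,dc=nz"
[18/Sep/2007:05:50:01 +1200] conn=2331 op=-1 fd=71 closed - B1
'''

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
CONNECT = re.compile(r'connection from (?P<src>\S+) to (?P<dst>\S+)')
BIND = re.compile(r'op=(?P<op>-?\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
STARTTLS_OID = '1.3.6.1.4.1.1466.20037'
SIMPLE = '128'  # method=128 is a simple (password) bind


def audit_binds(log_text):
    """Return (connections, findings).

    connections: conn id -> {src, tls, starttls_requested, binds}
    findings: one dict per simple bind performed before TLS was up on its connection.
    """
    conns, findings = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        conn, rest, ts = m.group('conn'), m.group('rest'), m.group('ts')
        c = conns.setdefault(conn, {'src': None, 'tls': False,
                                    'starttls_requested': False, 'binds': []})
        cm = CONNECT.search(rest)
        if cm:
            c['src'] = cm.group('src')
            continue
        if 'EXT oid="%s"' % STARTTLS_OID in rest:
            c['starttls_requested'] = True  # asked for it; not protected yet
            continue
        if rest.startswith('SSL '):
            c['tls'] = True  # handshake done; from here on the channel is encrypted
            continue
        bm = BIND.search(rest)
        if bm:
            bind = {'ts': ts, 'dn': bm.group('dn'), 'method': bm.group('method'), 'tls': c['tls']}
            c['binds'].append(bind)
            if bind['method'] == SIMPLE and not c['tls']:
                findings.append({'conn': conn, 'src': c['src'], 'dn': bind['dn'], 'ts': ts,
                                 'password_exposed': bind['dn'] != ''})
    return conns, findings


if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACCESS_LOG
    _, findings = audit_binds(text)
    for f in findings:
        print('%s conn=%s from %s: simple bind dn=%r without TLS%s' % (
            f['ts'], f['conn'], f['src'], f['dn'],
            ' (password sent in clear)' if f['password_exposed'] else ''))
```

Point it at a rotated access log to see which client hosts are still binding in the clear; those are the machines whose ldap.conf still lacks "ssl start_tls" (or a working CA file, since a failed startTLS shows up as a closed connection with no SSL line, not as a plaintext bind). A connection that arrives on the LDAPS port also gets the SSL line without any EXT startTLS op, so the check treats both paths the same.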
From jeff_clowser at fanniemae.com Mon Sep 17 19:57:08 2007
From: jeff_clowser at fanniemae.com (Clowser, Jeff (Contractor))
Date: Mon, 17 Sep 2007 15:57:08 -0400
Subject: [Fedora-directory-users] Directory Server capabilities (DynamicGroups)
In-Reply-To: <46EED4C3.3020004@redhat.com>
References: <46EBC02E.4040404@symas.com> <46EED4C3.3020004@redhat.com>
Message-ID:

While looking at the openldap overlays, I also saw a "slapo-constraint" overlay:

"slapo-constraint - Constraint checking of attribute-values provides a convenient method for enforcing local policy for directory content when the existing standard schema syntax rules are too lenient. Both character sets and full regular expressions are supported."

That kind of functionality would be really useful in FDS as well, if it's not there already :)

- Jeff

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
Sent: Monday, September 17, 2007 3:26 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Directory Server capabilities (DynamicGroups)

Clowser, Jeff (Contractor) wrote:
> OK - I see the following in openldap:
> http://linux.die.net/man/5/slapo-dynlist
>
> My previous example was Novell eDirectory, but this works just as well
> or better
> for what I'm looking for (I actually like this better because I can
> dynamically
> generate more than just group members, but even that would be enough.)
>
> So... Any chance that something like this is available or being worked
> on for FDS?
>
Not that I know of, but this does seem like a generally useful feature.
Please file an enhancement request for this feature at bugzilla.redhat.com

From rmeggins at redhat.com Mon Sep 17 20:00:48 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 17 Sep 2007 14:00:48 -0600
Subject: [Fedora-directory-users] Directory Server capabilities (DynamicGroups)
In-Reply-To:
References: <46EBC02E.4040404@symas.com> <46EED4C3.3020004@redhat.com>
Message-ID: <46EEDCF0.3060105@redhat.com>

Clowser, Jeff (Contractor) wrote:
>
> While looking at the openldap overlays, I also saw a "slapo-constraint"
> overlay:
>
> "slapo-constraint - Constraint checking of attribute-values provides a
> convenient method for enforcing local policy for directory content when
> the existing standard schema syntax rules are too lenient. Both
> character sets and full regular expressions are supported."
>
> That kind of functionality would be really useful in FDS as well, if
> it's not there already :)
>
No, Fedora DS doesn't have that either.
> - Jeff
>
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard
> Megginson
> Sent: Monday, September 17, 2007 3:26 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Directory Server capabilities
> (DynamicGroups)
>
> Clowser, Jeff (Contractor) wrote:
>
>> OK - I see the following in openldap:
>> http://linux.die.net/man/5/slapo-dynlist
>>
>> My previous example was Novell eDirectory, but this works just as well
>> or better
>> for what I'm looking for (I actually like this better because I can
>> dynamically
>> generate more than just group members, but even that would be enough.)
>>
>> So... Any chance that something like this is available or being
>> worked on for FDS?
>>
> Not that I know of, but this does seem like a generally useful feature.
> Please file an enhancement request for this feature at
> bugzilla.redhat.com
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From phanoko at gmail.com Mon Sep 17 20:04:03 2007
From: phanoko at gmail.com (matt wells)
Date: Mon, 17 Sep 2007 13:04:03 -0700
Subject: [Fedora-directory-users] Directory Server capabilities (DynamicGroups)
In-Reply-To: <46EEDCF0.3060105@redhat.com>
References: <46EBC02E.4040404@symas.com> <46EED4C3.3020004@redhat.com> <46EEDCF0.3060105@redhat.com>
Message-ID:

You can't use any type of dynamic group with posix groups right?

From Steven.Jones at vuw.ac.nz Mon Sep 17 23:41:33 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 18 Sep 2007 11:41:33 +1200
Subject: [Fedora-directory-users] getting sh on RHAS5 to work with FDS.
In-Reply-To:
Message-ID:

It seems the settings needed to get RHAS5 going differ to RHAS4.... This is how I did RHAS4, any ideas what additions or changes are needed for RHAS5?

The client connects to the server but fails to get a password......I disabled TLS but it still fails suggesting something a bit more fundamental....

Red Hat AS4 client ssl setup

First thing, scp the ca cert over, otherwise you may not be able to scp it over once you have edited some of the files below.

On the server if you have not already done so generate the certificate,

cd /opt/fedora-ds/alias ; cp cacert.asc /etc/openldap/cacerts/`openssl x509 \
-noout -hash -in cacert.asc`.0

There will now be two files of interest,

-rw-r--r-- 1 root root 619 Sep 17 16:27 5be5959f.0
-rw-r--r-- 1 root root 619 Sep 17 16:27 cacert.asc

On the server, tar these into a file move the certificate over to the client via scp,

Move them to /etc/openldap/cacerts/

And create a symbolic link,

ln -s 5be5959f.0 ca.crt

-rw-r--r-- 1 root root 619 Sep 17 16:27 5be5959f.0
-rw-r--r-- 1 root root 619 Sep 17 16:27 cacert.asc
lrwxrwxrwx 1 root root 10 Sep 17 16:44 ca.crt -> 5be5959f.0

Check dependencies, rpm -q nss_ldap , needs to be installed.

Move to the ldap directory and backup the files,

cd /etc/openldap ; cp ldap.conf no-ssl-fully-working-ldap.conf
cd /etc/ ; cp ldap.conf no-ssl-fully-working-ldap.conf

ssh uses the /etc/ldap.conf, edit /etc/ldap.conf to this,

===============
# http://www.padl.com
URI ldap://ldap.vuw.ac.nz
base dc=vuw,dc=ac,dc=nz
pam_password md5
BASE dc=vuw,dc=ac,dc=nz
tls_cacertfile /etc/openldap/cacerts/ca.crt
TLS_REQCERT allow
host ldap.vuw.ac.nz
ssl start_tls
===============

Set up nsswitch.conf

Change,
=========
#passwd: db files ldap nis
#shadow: db files ldap nis
#group: db files ldap nis
=========
To,
=========
passwd: files ldap
shadow: files ldap
group: files ldap
=========

Setup /etc/pam.d/ssh
=========
auth sufficient /lib/security/pam_ldap.so use_first_pass
account sufficient /lib/security/pam_ldap.so use_first_pass
password sufficient /lib/security/pam_ldap.so use_first_pass
=========

Check settings for /etc/ssh/sshd_config
=========
#UsePAM no
UsePAM yes
=========

UsePAM has to be set to yes.

Restart ssh and try to connect to the client, the access log on the server should show "start_TLS" and "SSL 256-bit AES".

============
[root at vuwunicvfdsm001 logs]# tail -f access
[18/Sep/2007:06:15:14 +1200] conn=2370 op=-1 fd=74 closed - B1
[18/Sep/2007:06:15:18 +1200] conn=2376 fd=71 slot=71 connection from 130.195.87.250 to 130.195.87.249
[18/Sep/2007:06:15:18 +1200] conn=2376 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Sep/2007:06:15:18 +1200] conn=2376 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[18/Sep/2007:06:15:18 +1200] conn=2376 SSL 256-bit AES
8><-----------
=================

Another test you can do is,

ldapsearch -x -ZZ '(uid=jonesst1)'

Output on the client will typically be,

================
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (uid=jonesst1)
# requesting: ALL
#

# jonesst1, People, vuw.ac.nz
dn: uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz
givenName: Steven
sn: Jones
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: jonesst1
cn: Steven Jones
homeDirectory: /home/jonesst1

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

On the server check the access log for "startTLS",

[root at vuwunicvfdsm001 logs]# tail -f access
[14/Sep/2007:12:52:59 +1200] conn=30 fd=67 slot=67 connection from 130.195.87.250 to 130.195.87.249
[14/Sep/2007:12:52:59 +1200] conn=30 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[14/Sep/2007:12:52:59 +1200] conn=30 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[14/Sep/2007:12:52:59 +1200] conn=30 SSL 256-bit AES
[14/Sep/2007:12:52:59 +1200] conn=30 op=1 BIND dn="" method=128 version=3
[14/Sep/2007:12:52:59 +1200] conn=30 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[14/Sep/2007:12:52:59 +1200] conn=30 op=2 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(uid=jonesst1)" attrs=ALL
[14/Sep/2007:12:52:59 +1200] conn=30 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[14/Sep/2007:12:52:59 +1200] conn=30 op=3 UNBIND
[14/Sep/2007:12:52:59 +1200] conn=30 op=3 fd=67 closed - U1

NB. If you get (-11) errors this suggests a ca.crt issue....

regards

Steven

From Steven.Jones at vuw.ac.nz Tue Sep 18 00:29:29 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 18 Sep 2007 12:29:29 +1200
Subject: [Fedora-directory-users] getting sh on RHAS5 to work with FDS.
In-Reply-To:
Message-ID:

I am also getting this error,

[root at vuwunicoadmin01 etc]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root at vuwunicoadmin01 etc]# ldapsearch -x -ZZ '(uid=jonesst1)'
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[root at vuwunicoadmin01 etc]#

Yet ldapsearch works ok,

[root at vuwunicoadmin01 etc]# ldapsearch -x -b "ou=People,dc=vuw,dc=ac,dc=nz"
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# People, vuw.ac.nz
dn: ou=People,dc=vuw,dc=ac,dc=nz
ou: People
objectClass: top
objectClass: organizationalunit

# jonesst1, People, vuw.ac.nz
dn: uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz
givenName: Steven
sn: Jones
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: jonesst1
cn: Steven Jones
homeDirectory: /home/jonesst1

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

________________________________
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Steven Jones
Sent: Tuesday, 18 September 2007 11:42 a.m.
To: General discussion list for the Fedora Directory server project.
Subject: [Fedora-directory-users] getting sh on RHAS5 to work with FDS.

It seems the settings needed to get RHAS5 going differ to RHAS4.... This is how I did RHAS4, any ideas what additions or changes are needed for RHAS5?

The client connects to the server but fails to get a password......I disabled TLS but it still fails suggesting something a bit more fundamental....

Red Hat AS4 client ssl setup

First thing, scp the ca cert over, otherwise you may not be able to scp it over once you have edited some of the files below.

On the server if you have not already done so generate the certificate,

cd /opt/fedora-ds/alias ; cp cacert.asc /etc/openldap/cacerts/`openssl x509 \
-noout -hash -in cacert.asc`.0

There will now be two files of interest,

-rw-r--r-- 1 root root 619 Sep 17 16:27 5be5959f.0
-rw-r--r-- 1 root root 619 Sep 17 16:27 cacert.asc

On the server, tar these into a file move the certificate over to the client via scp,

Move them to /etc/openldap/cacerts/

And create a symbolic link,

ln -s 5be5959f.0 ca.crt

-rw-r--r-- 1 root root 619 Sep 17 16:27 5be5959f.0
-rw-r--r-- 1 root root 619 Sep 17 16:27 cacert.asc
lrwxrwxrwx 1 root root 10 Sep 17 16:44 ca.crt -> 5be5959f.0

Check dependencies, rpm -q nss_ldap , needs to be installed.

Move to the ldap directory and backup the files,

cd /etc/openldap ; cp ldap.conf no-ssl-fully-working-ldap.conf
cd /etc/ ; cp ldap.conf no-ssl-fully-working-ldap.conf

ssh uses the /etc/ldap.conf, edit /etc/ldap.conf to this,

===============
# http://www.padl.com
URI ldap://ldap.vuw.ac.nz
base dc=vuw,dc=ac,dc=nz
pam_password md5
BASE dc=vuw,dc=ac,dc=nz
tls_cacertfile /etc/openldap/cacerts/ca.crt
TLS_REQCERT allow
host ldap.vuw.ac.nz
ssl start_tls
===============

Set up nsswitch.conf

Change,
=========
#passwd: db files ldap nis
#shadow: db files ldap nis
#group: db files ldap nis
=========
To,
=========
passwd: files ldap
shadow: files ldap
group: files ldap
=========

Setup /etc/pam.d/ssh
=========
auth sufficient /lib/security/pam_ldap.so use_first_pass
account sufficient /lib/security/pam_ldap.so use_first_pass
password sufficient /lib/security/pam_ldap.so use_first_pass
=========

Check settings for /etc/ssh/sshd_config
=========
#UsePAM no
UsePAM yes
=========

UsePAM has to be set to yes.

Restart ssh and try to connect to the client, the access log on the server should show "start_TLS" and "SSL 256-bit AES".

============
[root at vuwunicvfdsm001 logs]# tail -f access
[18/Sep/2007:06:15:14 +1200] conn=2370 op=-1 fd=74 closed - B1
[18/Sep/2007:06:15:18 +1200] conn=2376 fd=71 slot=71 connection from 130.195.87.250 to 130.195.87.249
[18/Sep/2007:06:15:18 +1200] conn=2376 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Sep/2007:06:15:18 +1200] conn=2376 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[18/Sep/2007:06:15:18 +1200] conn=2376 SSL 256-bit AES
8><-----------
=================

Another test you can do is,

ldapsearch -x -ZZ '(uid=jonesst1)'

Output on the client will typically be,

================
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (uid=jonesst1)
# requesting: ALL
#

# jonesst1, People, vuw.ac.nz
dn: uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz
givenName: Steven
sn: Jones
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: jonesst1
cn: Steven Jones
homeDirectory: /home/jonesst1

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

On the server check the access log for "startTLS",

[root at vuwunicvfdsm001 logs]# tail -f access
[14/Sep/2007:12:52:59 +1200] conn=30 fd=67 slot=67 connection from 130.195.87.250 to 130.195.87.249
[14/Sep/2007:12:52:59 +1200] conn=30 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[14/Sep/2007:12:52:59 +1200] conn=30 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[14/Sep/2007:12:52:59 +1200] conn=30 SSL 256-bit AES
[14/Sep/2007:12:52:59 +1200] conn=30 op=1 BIND dn="" method=128 version=3
[14/Sep/2007:12:52:59 +1200] conn=30 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[14/Sep/2007:12:52:59 +1200] conn=30 op=2 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(uid=jonesst1)" attrs=ALL
[14/Sep/2007:12:52:59 +1200] conn=30 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[14/Sep/2007:12:52:59 +1200] conn=30 op=3 UNBIND
[14/Sep/2007:12:52:59 +1200] conn=30 op=3 fd=67 closed - U1

NB. If you get (-11) errors this suggests a ca.crt issue....

regards

Steven

From Steven.Jones at vuw.ac.nz Tue Sep 18 01:28:23 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 18 Sep 2007 13:28:23 +1200
Subject: [Fedora-directory-users] getting sh on RHAS5 to work with FDS.
In-Reply-To:
Message-ID:

An "improved" ldap.conf (with no ssl/TLS) for RHAS5

===============
# http://www.padl.com
base dc=vuw,dc=ac,dc=nz
pam_password md5
BASE dc=vuw,dc=ac,dc=nz
TLS_REQCERT never
uri ldap://ldap.vuw.ac.nz/
ssl no
tls_cacertdir /etc/openldap/cacerts
===============

Trying TLS with,

===============
#ssl setup
# http://www.padl.com
base dc=vuw,dc=ac,dc=nz
pam_password md5
BASE dc=vuw,dc=ac,dc=nz
TLS_REQCERT allow
#TLS_REQCERT never
host ldap.vuw.ac.nz
ssl start_tls
uri ldap://ldap.vuw.ac.nz/
tls_cacertdir /etc/openldap/cacerts
===============

Produces this error,

[root at vuwunicoadmin01 etc]# ldapsearch -x -ZZ '(uid=jonesst1)'
ldap_start_tls: Connect error (-11)
additional info: TLS: hostname does not match CN in peer certificate

Which is an interesting error.....

regards

Steven

From brgurung at gmail.com Tue Sep 18 03:50:24 2007
From: brgurung at gmail.com (bikas gurung)
Date: Mon, 17 Sep 2007 22:50:24 -0500
Subject: [Fedora-directory-users] help....unable to start fedora server
Message-ID: <84aaaaeb0709172050i60c40a45l1d983940183b5a48@mail.gmail.com>

Hi all,
I'm certainly in deep s*&#t now. I just updated my file-server with new updates and patches and tried to reboot it; but it hanged: reason - Kernel Panic. So I had to shutdown the system manually and had to run 'fsck' manually afterwards. Everything seemed to run well afterwards. But today evening I found that I was not able to connect my pc to file-server. When I checked, it turns out that 'slapd' daemon wasn't started at all.
I manually tried to start the server using the scripts (in /rc.d/init.d ) but got an error. Here's an error logged in log file:

Fedora-Directory/1.0.2 B2006.060.1928
isec-file:636 (/opt/fedora-ds/slapd-isec-file)

[17/Sep/2007:20:52:06 -0500] - Fedora-Directory/1.0.2 B2006.060.1928 starting up
[17/Sep/2007:20:52:06 -0500] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[17/Sep/2007:20:52:06 -0500] - libdb: Ignoring log file: /opt/fedora-ds/slapd-isec-file/db/log.0000000206: magic number 0, not 40988
[17/Sep/2007:20:52:06 -0500] - libdb: Invalid log file: log.0000000206: Invalid argument
[17/Sep/2007:20:52:06 -0500] - libdb: PANIC: Invalid argument
[17/Sep/2007:20:52:06 -0500] - libdb: PANIC: DB_RUNRECOVERY: Fatal error, run database recovery
[17/Sep/2007:20:52:06 -0500] - Database Recovery Process FAILED. The database is not recoverable. err=-30978: DB_RUNRECOVERY: Fatal error, run database recovery
[17/Sep/2007:20:52:06 -0500] - Please make sure there is enough disk space for dbcache (10485760 bytes) and db region files
[17/Sep/2007:20:52:06 -0500] - start: Failed to init database, err=-30978 DB_RUNRECOVERY: Fatal error, run database recovery
[17/Sep/2007:20:52:06 -0500] - Failed to start database plugin ldbm database
[17/Sep/2007:20:52:06 -0500] - WARNING: ldbm instance userRoot already exists
[17/Sep/2007:20:52:06 -0500] - WARNING: ldbm instance NetscapeRoot already exists
[17/Sep/2007:20:52:06 -0500] binder-based resource limits - nsLookThroughLimit: parameter error (slapi_reslimit_register() already registered)
[17/Sep/2007:20:52:06 -0500] - start: Resource limit registration failed
[17/Sep/2007:20:52:06 -0500] - Failed to start database plugin ldbm database
[17/Sep/2007:20:52:06 -0500] - Error: Failed to resolve plugin dependencies
[17/Sep/2007:20:52:06 -0500] - Error: preoperation plugin 7-bit check is not started
[17/Sep/2007:20:52:06 -0500] - Error: accesscontrol plugin ACL Plugin is not started
[17/Sep/2007:20:52:06 -0500] - Error: preoperation plugin ACL preoperation is not started
[17/Sep/2007:20:52:06 -0500] - Error: postoperation plugin Class of Service is not started
[17/Sep/2007:20:52:06 -0500] - Error: preoperation plugin HTTP Client is not started
[17/Sep/2007:20:52:06 -0500] - Error: database plugin ldbm database is not started
[17/Sep/2007:20:52:06 -0500] - Error: object plugin Legacy Replication Plugin is not started
[17/Sep/2007:20:52:06 -0500] - Error: object plugin Multimaster Replication Plugin is not started
[17/Sep/2007:20:52:06 -0500] - Error: postoperation plugin Roles Plugin is not started
[17/Sep/2007:20:52:06 -0500] - Error: object plugin Views is not started

As all the client machines depend upon this server for authentication and as weekend is still far away, I'm in big trouble now. I'm quite clueless what to do and would really appreciate any kind of help. And no, unfortunately I don't have a backup to fall back to .

Thanking you in advance
bikas

From Steven.Jones at vuw.ac.nz Tue Sep 18 04:21:12 2007
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 18 Sep 2007 16:21:12 +1200
Subject: [Fedora-directory-users] help....unable to start fedora server
In-Reply-To: <84aaaaeb0709172050i60c40a45l1d983940183b5a48@mail.gmail.com>
Message-ID:

Not knowing a huge amount about FDS/LDAP....I'd start with checking the OS. Eg.,

[17/Sep/2007:20:52:06 -0500] - Please make sure there is enough disk space for dbcache (10485760 bytes) and db region files

Suggests to me to check the filesystem with df -h to make sure there is space left....possibly there is a core dump or something that needs deleting...rare in Linux but not known on Solaris....

Or maybe some mount point failed to mount as the OS considered it too damaged....make sure all the filespaces are mounted...

Beyond this I cannot help, sorry.
Making no backups or at least not exporting the database is hopefully something you will not do again....

regards

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

________________________________
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of bikas gurung
Sent: Tuesday, 18 September 2007 3:50 p.m.
To: fedora-directory-users at redhat.com
Subject: [Fedora-directory-users] help....unable to start fedora server

Hi all,
I'm certainly in deep s*&#t now. I just updated my file-server with new updates and patches and tried to reboot it; but it hanged: reason - Kernel Panic. So I had to shutdown the system manually and had to run 'fsck' manually afterwards. Everything seemed to run well afterwards. But today evening I found that I was not able to connect my pc to file-server. When I checked, it turns out that 'slapd' daemon wasn't started at all. I manually tried to start the server using the scripts (in /rc.d/init.d ) but got an error. Here's an error logged in log file:

Fedora-Directory/1.0.2 B2006.060.1928
isec-file:636 (/opt/fedora-ds/slapd-isec-file)

[17/Sep/2007:20:52:06 -0500] - Fedora-Directory/1.0.2 B2006.060.1928 starting up
[17/Sep/2007:20:52:06 -0500] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[17/Sep/2007:20:52:06 -0500] - libdb: Ignoring log file: /opt/fedora-ds/slapd-isec-file/db/log.0000000206: magic number 0, not 40988
[17/Sep/2007:20:52:06 -0500] - libdb: Invalid log file: log.0000000206: Invalid argument
[17/Sep/2007:20:52:06 -0500] - libdb: PANIC: Invalid argument
[17/Sep/2007:20:52:06 -0500] - libdb: PANIC: DB_RUNRECOVERY: Fatal error, run database recovery
[17/Sep/2007:20:52:06 -0500] - Database Recovery Process FAILED. The database is not recoverable. err=-30978: DB_RUNRECOVERY: Fatal error, run database recovery
[17/Sep/2007:20:52:06 -0500] - Please make sure there is enough disk space for dbcache (10485760 bytes) and db region files
[17/Sep/2007:20:52:06 -0500] - start: Failed to init database, err=-30978 DB_RUNRECOVERY: Fatal error, run database recovery
[17/Sep/2007:20:52:06 -0500] - Failed to start database plugin ldbm database
[17/Sep/2007:20:52:06 -0500] - WARNING: ldbm instance userRoot already exists
[17/Sep/2007:20:52:06 -0500] - WARNING: ldbm instance NetscapeRoot already exists
[17/Sep/2007:20:52:06 -0500] binder-based resource limits - nsLookThroughLimit: parameter error (slapi_reslimit_register() already registered)
[17/Sep/2007:20:52:06 -0500] - start: Resource limit registration failed
[17/Sep/2007:20:52:06 -0500] - Failed to start database plugin ldbm database
[17/Sep/2007:20:52:06 -0500] - Error: Failed to resolve plugin dependencies
[17/Sep/2007:20:52:06 -0500] - Error: preoperation plugin 7-bit check is not started
[17/Sep/2007:20:52:06 -0500] - Error: accesscontrol plugin ACL Plugin is not started
[17/Sep/2007:20:52:06 -0500] - Error: preoperation plugin ACL preoperation is not started
[17/Sep/2007:20:52:06 -0500] - Error: postoperation plugin Class of Service is not started
[17/Sep/2007:20:52:06 -0500] - Error: preoperation plugin HTTP Client is not started
[17/Sep/2007:20:52:06 -0500] - Error: database plugin ldbm database is not started
[17/Sep/2007:20:52:06 -0500] - Error: object plugin Legacy Replication Plugin is not started
[17/Sep/2007:20:52:06 -0500] - Error: object plugin Multimaster Replication Plugin is not started
[17/Sep/2007:20:52:06 -0500] - Error: postoperation plugin Roles Plugin is not started
[17/Sep/2007:20:52:06 -0500] - Error: object plugin Views is not started

As all the client machines depend upon this server for authentication and as weekend is still far away, I'm in big trouble now. I'm quite clueless what to do and would really appreciate any kind of help. And no, unfortunately I don't have a backup to fall back to .

Thanking you in advance
bikas

From gvenkat at gmail.com Tue Sep 18 05:28:28 2007
From: gvenkat at gmail.com (G Venkataraman)
Date: Mon, 17 Sep 2007 22:28:28 -0700
Subject: [Fedora-directory-users] help....unable to start fedora server
In-Reply-To:
References: <84aaaaeb0709172050i60c40a45l1d983940183b5a48@mail.gmail.com>
Message-ID:

Hi,

The error:

[17/Sep/2007:20:52:06 -0500] - libdb: Ignoring log file: /opt/fedora-ds/slapd-isec-file/db/log.0000000206: magic number 0, not 40988

indicates that the backend Berkeley failed to use the log file log.0000000206 as it is not a valid Berkeley DB logfile. Since you mentioned that you had to shutdown the system manually and do a fsck when it came back up, one possibility is that the log.0000000206 log file (and maybe more files) could have been corrupted. Have you checked the lost+found directory for any recovered files ?

In any case, I would recommend that before you do any more troubleshooting with the server, you take a snapshot (tar ball) of the affected directory tree (/opt/fedora-ds and any other directories you can think of as belonging to the directory server) and store the tar ball separately (on another directory or even on another machine, for example). This would be useful if you need to go back and change your troubleshooting methodology all over again. Of course, if files are corrupt to begin with, then I am not sure how useful it would be to begin with.

Check whether everything is fine at the system level. Look back in the directory server error log file to see what types of errors showed up (when the directory server tried to start the first time after the system reboot). Check in the system log to make sure that things are fine.

Finally, you can also see if by chance, you had taken any ldif dumps of the directory server data at any point in time in the past.
Or may be the file system (or the system) itself was backed up by chance for some other purpose. Do you have just one directory server instance running (i.e., only 1 master and no replicas/consumers) ? PS: A couple of things that could have helped in this scenario is to have regular backups of the system and also regular backups of the directory server data (db2ldif.pl). Also, another system (or a virtual machine) that is part of a development or test environment and one which is similar to this production server in setup and operation would be useful to have so that things can be tested on it first before being deployed into production. -=Venkat=- gvenkat at gmail.com On 9/17/07, Steven Jones wrote: > > Not knowing a huge amount about FDS/LDAP?.I'd start with checking the OS. > Eg., > > [17/Sep/2007:20:52:06 -0500] - Please make sure there is enough disk space > for dbcache (10485760 bytes) and db region files > > Suggests to me to check the filesystem with df ?h to make sure there is > space left?.possibly there is a core dump or something that needs > deleting?rare in Linux but not known on Solaris?. > > Or maybe some mount point failed to mount as the OS considered it too > damaged?.make sure all the filespaces are mounted? > > Beyond this I cannot help, sorry. > > Making no backups or at least not exporting the database is hopefully > something you will not do again?. > > regards > > Steven Jones > Senior Linux/Unix/San/Vmware System Administrator > APG -Technology Integration Team > Victoria University of Wellington > Phone: +64 4 463 6272 > ------------------------------ > > *From:* fedora-directory-users-bounces at redhat.com [mailto: > fedora-directory-users-bounces at redhat.com] *On Behalf Of *bikas gurung > *Sent:* Tuesday, 18 September 2007 3:50 p.m. > *To:* fedora-directory-users at redhat.com > *Subject:* [Fedora-directory-users] help....unable to start fedora server > > Hi all, > I'm certainly in deep s*&#t now. 
I just updated my file-server with new > updates and patches and tried to reboot it; but it hanged: reason - Kernel > Panic. So I had to shutdown the system manually and had to run 'fsck' > manually afterwards. Everything seemed to run well afterwards. But today > evening I found that I was not able to connect my pc to file-server. When I > checked, it turns out that 'slapd' daemon wasn't started at all. I manually > tried to start the server using the scripts (in /rc.d/init.d ) but got an > error. Here's an error logged in log file: > > Fedora-Directory/1.0.2 B2006.060.1928 > isec-file:636 (/opt/fedora-ds/slapd-isec-file) > > [17/Sep/2007:20:52:06 -0500] - Fedora-Directory/1.0.2 B2006.060.1928starting up > [17/Sep/2007:20:52:06 -0500] - Detected Disorderly Shutdown last time > Directory Server was running, recovering database. > [17/Sep/2007:20:52:06 -0500] - libdb: Ignoring log file: > /opt/fedora-ds/slapd-isec-file/db/log.0000000206: magic number 0, not 40988 > [17/Sep/2007:20:52:06 -0500] - libdb: Invalid log file: log.0000000206: > Invalid argument > [17/Sep/2007:20:52:06 -0500] - libdb: PANIC: Invalid argument > [17/Sep/2007:20:52:06 -0500] - libdb: PANIC: DB_RUNRECOVERY: Fatal error, > run database recovery > [17/Sep/2007:20:52:06 -0500] - Database Recovery Process FAILED. The > database is not recoverable. 
err=-30978: DB_RUNRECOVERY: Fatal error, run > database recovery > [17/Sep/2007:20:52:06 -0500] - Please make sure there is enough disk space > for dbcache (10485760 bytes) and db region files > [17/Sep/2007:20:52:06 -0500] - start: Failed to init database, err=-30978 > DB_RUNRECOVERY: Fatal error, run database recovery > [17/Sep/2007:20:52:06 -0500] - Failed to start database plugin ldbm > database > [17/Sep/2007:20:52:06 -0500] - WARNING: ldbm instance userRoot already > exists > [17/Sep/2007:20:52:06 -0500] - WARNING: ldbm instance NetscapeRoot already > exists > [17/Sep/2007:20:52:06 -0500] binder-based resource limits - > nsLookThroughLimit: parameter error (slapi_reslimit_register() already > registered) > [17/Sep/2007:20:52:06 -0500] - start: Resource limit registration failed > [17/Sep/2007:20:52:06 -0500] - Failed to start database plugin ldbm > database > [17/Sep/2007:20:52:06 -0500] - Error: Failed to resolve plugin > dependencies > [17/Sep/2007:20:52:06 -0500] - Error: preoperation plugin 7-bit check is > not started > [17/Sep/2007:20:52:06 -0500] - Error: accesscontrol plugin ACL Plugin is > not started > [17/Sep/2007:20:52:06 -0500] - Error: preoperation plugin ACL preoperation > is not started > [17/Sep/2007:20:52:06 -0500] - Error: postoperation plugin Class of > Service is not started > [17/Sep/2007:20:52:06 -0500] - Error: preoperation plugin HTTP Client is > not started > [17/Sep/2007:20:52:06 -0500] - Error: database plugin ldbm database is not > started > [17/Sep/2007:20:52:06 -0500] - Error: object plugin Legacy Replication > Plugin is not started > [17/Sep/2007:20:52:06 -0500] - Error: object plugin Multimaster > Replication Plugin is not started > [17/Sep/2007:20:52:06 -0500] - Error: postoperation plugin Roles Plugin is > not started > [17/Sep/2007:20:52:06 -0500] - Error: object plugin Views is not started > > As all the client machines depend upon this server for authentication and > as weekend is still far away, I'm in big trouble now. 
I'm quite clueless what to do and would really appreciate any kind of help. And no, unfortunately I don't have a backup to fall back to.

Thanking you in advance
bikas

From maumar at cost.it Tue Sep 18 12:23:23 2007 From: maumar at cost.it (Maurizio Marini) Date: Tue, 18 Sep 2007 14:23:23 +0200 Subject: [Fedora-directory-users] Password Expiration Warning notification In-Reply-To: <46E55FBF.40503@redhat.com> References: <20070910145634.5070C7405E3@mailman.roundbox.com> <46E55FBF.40503@redhat.com> Message-ID: <200709181423.23589.maumar@cost.it>

On Mon September 10 2007 17:16, Richard Megginson wrote:
> about-to-expire

Hi,
which attribute is to be used to retrieve an "about-to-expire" password? I am using php-ldap as the authentication backend and I don't know how I can retrieve password expiration dates.

TIA
Maurizio

From racerx at makeworld.com Tue Sep 18 12:26:23 2007 From: racerx at makeworld.com (Chris) Date: Tue, 18 Sep 2007 07:26:23 -0500 Subject: [Fedora-directory-users] One way replication FROM Active Directory Message-ID: <20070918072623.3bfe92cd@racerx.makeworld.com>

Has anyone done this? If so, please, please point me to relevant and complete documentation.

--
Best regards,
Chris
Registered Linux user number 448639

From puestadelsol83 at libero.it Tue Sep 18 09:10:12 2007 From: puestadelsol83 at libero.it (puestadelsol83) Date: Tue, 18 Sep 2007 11:10:12 +0200 Subject: [Fedora-directory-users] question about certificate Message-ID:

Hi! I don't know if this is the right email address to ask about my problem. I'm using Fedora Directory Server to implement LDAP. The problem is about certificates: I created a certificate but it is impossible to use it because the issuer's certificate is not recognized. How can I solve this problem? With the console I fixed the CA cert name and I edited the trust. Is it necessary to fix the certmap mappingName issuerDN in the certmap.conf file? I tried to do this but nothing changed.
Sorry for my bad English! Thanks!

From rmeggins at redhat.com Tue Sep 18 14:27:04 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 18 Sep 2007 08:27:04 -0600 Subject: [Fedora-directory-users] Password Expiration Warning notification In-Reply-To: <200709181423.23589.maumar@cost.it> References: <20070910145634.5070C7405E3@mailman.roundbox.com> <46E55FBF.40503@redhat.com> <200709181423.23589.maumar@cost.it> Message-ID: <46EFE038.3040207@redhat.com>

Maurizio Marini wrote:
> On Mon September 10 2007 17:16, Richard Megginson wrote:
>> about-to-expire
> Hi
> which attribute is to be used to retrieve an "about-to-expire" password?
> I am using php-ldap as the authentication backend and I don't know how I can retrieve password expiration dates

There are some operational attributes:

passwordExpirationTime - this is the time at which the password will expire
pwdExpirationWarned - if this is > 0, this means the server has sent a warning in the response control to the BIND operation
passwordWarning - the server will begin sending warnings in the response control to the BIND operation when the password has this many seconds or fewer left until expiration

> TIA
> Maurizio

From rmeggins at redhat.com Tue Sep 18 14:31:17 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 18 Sep 2007 08:31:17 -0600 Subject: [Fedora-directory-users] question about certificate In-Reply-To: References: Message-ID: <46EFE135.7050808@redhat.com>

puestadelsol83 wrote:
> Hi!
> I don't know if this is the right email address to ask about my problem.
> I'm using Fedora Directory Server to implement LDAP.
> The problem is about certificates: I created a certificate but it is impossible to use it because the issuer's certificate is not recognized.

A user certificate or a server certificate? What did you use to create the cert? What do you mean by impossible to use? Who says the cert is not recognized? Can you post an error message that says this? What application is it from?

> How can I solve this problem? With the console I fixed the CA cert name and I edited the trust.

It depends on the application, where/how you specify the CA cert. See http://directory.fedoraproject.org/wiki/Howto:SSL

> Is it necessary to fix the certmap mappingName issuerDN in the certmap.conf file?
That is only if you are using client cert based authentication. It's not used for TLS/SSL server side.

> I tried to do this but nothing changed.
> Sorry for my bad English!
> Thanks!

From rmeggins at redhat.com Tue Sep 18 14:39:55 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 18 Sep 2007 08:39:55 -0600 Subject: [Fedora-directory-users] getting sh on RHAS5 to work with FDS. In-Reply-To: References: Message-ID: <46EFE33B.2020800@redhat.com>

Steven Jones wrote:
> An 'improved'
> ldap.conf (with no SSL/TLS) for RHAS5
> ===============
> # http://www.padl.com
> base dc=vuw,dc=ac,dc=nz
> pam_password md5
> BASE dc=vuw,dc=ac,dc=nz
> TLS_REQCERT never
> uri ldap://ldap.vuw.ac.nz/
> ssl no
> tls_cacertdir /etc/openldap/cacerts
> ===============
>
> Trying TLS with,
> ===============
> #ssl setup
> # http://www.padl.com
> base dc=vuw,dc=ac,dc=nz
> pam_password md5
> BASE dc=vuw,dc=ac,dc=nz
> TLS_REQCERT allow
> #TLS_REQCERT never
> host ldap.vuw.ac.nz
> ssl start_tls
> uri ldap://ldap.vuw.ac.nz/
> tls_cacertdir /etc/openldap/cacerts
> ===============
>
> Produces this error,
>
> [root at vuwunicoadmin01 etc]# ldapsearch -x -ZZ '(uid=jonesst1)'
> ldap_start_tls: Connect error (-11)
> additional info: TLS: hostname does not match CN in peer certificate
>
> Which is an interesting error...

Yes, very.
http://directory.fedoraproject.org/wiki/Howto:SSL#Basic_Steps

NOTE - *Do not use cn=server-cert for your server certificate*. In step 7 of the linked instructions, it says to use certutil .... -s cn=server-cert - this will cause clients to fail to validate the cert. Instead, you must use the fully qualified domain name of your server host as the value of the cn attribute in the subject DN. For example, if your directory server hostname is foo.example.com, use

../shared/bin/certutil -S -n "Server-Cert" -s cn=foo.example.com -c "CA certificate" \
    -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt

to generate your server cert. This is the minimum. You may wish to provide your clients with more details about your server. For more information, see RFC 1485. You could choose to specify the subject DN like this:

../shared/bin/certutil ... -s "cn=foo.example.com,ou=engineering,o=example corp,c=us" ...

Note that this also means that if you use cn=foo.example.com, clients must be able to resolve the server's IP address to "foo.example.com".
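What Richard describes here, and what Howard Chu's follow-up about subjectAltName extends, is the client-side server identity check, so here it is written out as an added example. This is editor's code, not code from Richard, Howard, the FDS wiki or OpenLDAP. It implements the comparison from RFC 4513 section 3.1.3 between the host name the client connected to and the certificate: dNSName values from subjectAltName when present, otherwise the subject CN, with that section's rule that "*" is only a whole leftmost label. The helper that pulls the CN out of a certutil -s style subject DN is also added here; the host names are the ones from this thread, and refusing one- or two-label wildcards is a hardening assumption stricter than the RFC.

```python
"""LDAP client-side server identity check (RFC 4513, section 3.1.3).

Added example for this digest; not code from the list posters, the FDS
wiki or OpenLDAP.  It shows why a server certificate issued with
-s cn=server-cert fails the check behind "TLS: hostname does not match CN
in peer certificate", and how subjectAltName dNSName values change that.
"""
import re


def cn_from_subject_dn(subject_dn):
    """Return the value of the first (most specific) CN in an RFC 1485 style
    subject DN such as the one given to certutil -s, or None if there is none."""
    for rdn in re.split(r"(?<!\\),", subject_dn):
        attr_type, sep, value = rdn.partition("=")
        if sep and attr_type.strip().lower() == "cn":
            return value.strip()
    return None


def _labels(name):
    # Comparison is case-insensitive; a trailing dot on the reference is harmless.
    return name.rstrip(".").lower().split(".")


def dns_name_matches(reference, presented):
    """Match one presented dNSName (or a CN used as a host name) against the
    host name the client connected to.  '*' is honoured only as the whole
    leftmost label and matches exactly one label, so *.bar.example.com
    matches a.bar.example.com but neither bar.example.com nor
    x.a.bar.example.com."""
    ref, pres = _labels(reference), _labels(presented)
    if len(ref) != len(pres) or "" in ref or "" in pres:
        return False
    if "*" in pres[1:] or any("*" in l and l != "*" for l in pres):
        return False  # wildcard outside the leftmost label, or partial like f*o
    if pres[0] == "*" and len(pres) < 3:
        return False  # assumption, stricter than RFC 4513: refuse "*" and "*.com"
    head_ok = pres[0] == "*" or pres[0] == ref[0]
    return head_ok and pres[1:] == ref[1:]


def server_identity_matches(connected_host, san_dns_names=(), subject_dn=None):
    """Decide whether a server certificate identifies connected_host.

    Rules (RFC 4513 3.1.3):
      * the reference identity is the name the client used to connect; no
        DNS lookup is done, which is also how the OpenLDAP libraries behave;
      * if the certificate carries subjectAltName dNSName values, they are
        the only identities compared and the subject CN is ignored;
      * otherwise the most specific CN of the subject is compared as a host name.
    iPAddress subjectAltName values are out of scope here (assumption).
    """
    if san_dns_names:
        candidates = list(san_dns_names)
    else:
        cn = cn_from_subject_dn(subject_dn) if subject_dn else None
        candidates = [cn] if cn else []
    return any(dns_name_matches(connected_host, c) for c in candidates)


if __name__ == "__main__":
    # Steven's situation: uri ldap://ldap.vuw.ac.nz/ against the wiki's default subject.
    print("cn=server-cert   ->", server_identity_matches("ldap.vuw.ac.nz", subject_dn="cn=server-cert"))
    print("cn=ldap.vuw.ac.nz->", server_identity_matches("ldap.vuw.ac.nz", subject_dn="cn=ldap.vuw.ac.nz"))
```

Run as written it prints False for the wiki's cn=server-cert subject and True once the CN is the host name in the client's uri, which is the whole of Richard's point; the SAN path is what Howard is recommending, and it is why a certificate with dNSName entries for every name clients actually use does not depend on the CN at all. TLS_REQCERT never makes ldapsearch skip this comparison entirely, which is why both of them say not to use it.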
If you don't care/can't do this, then use TLS_REQCERT never in your /etc/openldap/ldap.conf to make ldapsearch stop complaining. I highly recommend you do not do this though.

> regards
> Steven

From hyc at symas.com Tue Sep 18 16:41:45 2007 From: hyc at symas.com (Howard Chu) Date: Tue, 18 Sep 2007 09:41:45 -0700 Subject: [Fedora-directory-users] Re: getting sh on RHAS5 to work with FDS. In-Reply-To: <20070918160006.AAE0C733EB@hormel.redhat.com> References: <20070918160006.AAE0C733EB@hormel.redhat.com> Message-ID: <46EFFFC9.1000203@symas.com>

> Date: Tue, 18 Sep 2007 08:39:55 -0600
> From: Richard Megginson
> Yes, very.
> http://directory.fedoraproject.org/wiki/Howto:SSL#Basic_Steps
>
> NOTE - *Do not use cn=server-cert for your server certificate*. In step
> 7 of the linked instructions, it says to use certutil .... -s
> cn=server-cert - this will cause clients to fail to validate the cert.
> Instead, you must use the fully qualified domain name of your server
> host as the value of the cn attribute in the subject DN. For example, if
> your directory server hostname is foo.example.com, use

Also look at the constraints in RFC4513, section 3.1.3. Use subjectAltName extensions to get more flexibility here.

> ../shared/bin/certutil -S -n "Server-Cert" -s cn=foo.example.com -c "CA certificate" \
>     -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt
>
> to generate your server cert. This is the minimum. You may wish to
> provide your clients with more details about your server. For more
> information, see RFC 1485.
> You could choose to specify the subject DN like this:
>
> ../shared/bin/certutil ... -s "cn=foo.example.com,ou=engineering,o=example corp,c=us" ...
>
> Note that this also means that if you use cn=foo.example.com, clients
> must be able to resolve the server's IP address to "foo.example.com". If
> you don't care/can't do this, then use TLS_REQCERT never in your
> /etc/openldap/ldap.conf to make ldapsearch stop complaining. I highly
> recommend you do not do this though.

Agreed, bad idea. By the way, the OpenLDAP libraries never do a DNS lookup on the name you provide, so whether the name resolves or not doesn't matter. We expect the name passed in to exactly match the CN, or to match the subjectAltName.

--
Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/

From myacc at roundbox.com Tue Sep 18 19:48:47 2007 From: myacc at roundbox.com (Raj Seenivasan) Date: Tue, 18 Sep 2007 15:48:47 -0400 Subject: [Fedora-directory-users] FDS and Samba3 Message-ID: <3185E02C-466D-45ED-922C-5A17AA3C907A@roundbox.com>

I have 2 questions to ask. I searched the list and couldn't find anything related...

1. Is there a way to set up Samba and FDS on 2 different boxes and use FDS as the backend for Samba? The FDS wiki (http://directory.fedoraproject.org/wiki/Howto:Samba) has instructions to set up both Samba and FDS on the same box. What special steps need to be done if on 2 different boxes?

2. I had set up Samba+FDS on a single box and password syncing works only one way. FDS --> Samba sync is not working. Passwords changed using smbpasswd get synced with FDS. Am I missing something?

Thanks.

CONFIDENTIALITY NOTICE: This email message and any attachments contain proprietary and privileged information of Roundbox, Inc., which are provided for the sole and confidential use of the intended recipients.
Any review, use, disclosure or distribution of this information is restricted and must comply with the nondisclosure agreement between Roundbox, Inc. and you (or your company). All other uses are prohibited. If you are not an intended recipient, please contact the sender by reply email and promptly delete and otherwise destroy all copies of the message and its attachments.

From rmeggins at redhat.com Tue Sep 18 19:53:15 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 18 Sep 2007 13:53:15 -0600 Subject: [Fedora-directory-users] FDS and Samba3 In-Reply-To: <3185E02C-466D-45ED-922C-5A17AA3C907A@roundbox.com> References: <3185E02C-466D-45ED-922C-5A17AA3C907A@roundbox.com> Message-ID: <46F02CAB.3010601@redhat.com>

Raj Seenivasan wrote:
> I have 2 questions to ask. I searched the list and couldn't find anything related...
>
> 1. Is there a way to set up Samba and FDS on 2 different boxes and use FDS as the backend for Samba?
> The FDS wiki (http://directory.fedoraproject.org/wiki/Howto:Samba) has instructions to set up both Samba and FDS on the same box.
> What special steps need to be done if on 2 different boxes?
>
> 2. I had set up Samba+FDS on a single box and password syncing works only one way.
> FDS --> Samba sync is not working. Passwords changed using smbpasswd get synced with FDS.
> Am I missing something?

There is currently no way to have FDS -> Samba password sync (that is, have updates to userPassword automatically update sambaLMPassword and sambaNTPassword).

> Thanks.
>
> CONFIDENTIALITY NOTICE: This email message and any attachments contain proprietary and privileged information of Roundbox, Inc., which are provided for the sole and confidential use of the intended recipients. Any review, use, disclosure or distribution of this information is restricted and must comply with the nondisclosure agreement between Roundbox, Inc. and you (or your company). All other uses are prohibited.
> If you are not an intended recipient, please contact the sender by reply email and promptly delete and otherwise destroy all copies of the message and its attachments.

From jay.coleman at cctechnol.com Tue Sep 18 20:00:14 2007 From: jay.coleman at cctechnol.com (Jeremiah Coleman) Date: Tue, 18 Sep 2007 15:00:14 -0500 Subject: [Fedora-directory-users] FDS and Solaris Client Question Message-ID: <1190145614.4865.9.camel@europa>

I'm trying to set up a Solaris 10 client with FDS (all my Linux clients are working beautifully), but authentication is acting very strange. Monitoring the net traffic, I can see the Solaris system bind, search for info about the username, get a normal response, but then it just unbinds. It never asks to authenticate a password. My configuration is below. Any help would be much appreciated.

ldap_client_file:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= fds1.wherever.com
NS_LDAP_SEARCH_BASEDN= dc=wherever,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=wherever,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=wherever,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=wherever,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=wherever,dc=com?one
NS_LDAP_BIND_TIME= 2

/etc/nsswitch.conf (note, I pulled ldap from networks, etc, since not all of that is configured on ldap as yet):
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files ldap
group: files ldap
shadow: files ldap

# consult /etc "files" only if ldap is down.
hosts: dns files ldap

# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes: files

networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files

netgroup: ldap

automount: files ldap
aliases: files ldap

# for efficient getservbyname() avoid ldap
services: files ldap

printers: user files ldap

auth_attr: files ldap
prof_attr: files ldap

project: files ldap

tnrhtp: files ldap
tnrhdb: files ldap

/etc/pam.conf:
# login service (explicit because of pam_dial_auth)
#
login auth required pam_ldap.so.1
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_ldap.so.1
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth sufficient pam_ldap.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth sufficient pam_ldap.so.1
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account sufficient pam_ldap.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session sufficient pam_ldap.so.1
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1

--
Jeremiah Coleman
Systems Administrator
C & C Technologies
337-261-0660 x3421
jay.coleman at cctechnol.com

From myacc at roundbox.com Tue Sep 18 20:08:13 2007 From: myacc at roundbox.com (Raj Seenivasan) Date: Tue, 18 Sep 2007 16:08:13 -0400 Subject: [Fedora-directory-users] FDS and Samba3 In-Reply-To: <46F02CAB.3010601@redhat.com> References: <3185E02C-466D-45ED-922C-5A17AA3C907A@roundbox.com> <46F02CAB.3010601@redhat.com> Message-ID:

Thanks.
Is it possible to set up Samba on one box and use FDS as the backend running on a second box?

On Sep 18, 2007, at 3:53 PM, Richard Megginson wrote:
> Raj Seenivasan wrote:
>> I have 2 questions to ask. I searched the list and couldn't find anything related...
>>
>> 1. Is there a way to set up Samba and FDS on 2 different boxes and use FDS as the backend for Samba?
>> The FDS wiki (http://directory.fedoraproject.org/wiki/Howto:Samba) has instructions to set up both Samba and FDS on the same box.
>> What special steps need to be done if on 2 different boxes?
>>
>> 2. I had set up Samba+FDS on a single box and password syncing works only one way.
>> FDS --> Samba sync is not working. Passwords changed using smbpasswd get synced with FDS.
>> Am I missing something?
> There is currently no way to have FDS -> Samba password sync (that is, have updates to userPassword automatically update sambaLMPassword and sambaNTPassword).
>>
>> Thanks.
From rmeggins at redhat.com Tue Sep 18 20:12:28 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 18 Sep 2007 14:12:28 -0600 Subject: [Fedora-directory-users] FDS and Samba3 In-Reply-To: References: <3185E02C-466D-45ED-922C-5A17AA3C907A@roundbox.com> <46F02CAB.3010601@redhat.com> Message-ID: <46F0312C.7080404@redhat.com>

Raj Seenivasan wrote:
> Thanks.
> Is it possible to set up Samba on one box and use FDS as the backend running on a second box?

I don't see why not, but I don't know.

> On Sep 18, 2007, at 3:53 PM, Richard Megginson wrote:
>> Raj Seenivasan wrote:
>>> I have 2 questions to ask. I searched the list and couldn't find anything related...
>>>
>>> 1. Is there a way to set up Samba and FDS on 2 different boxes and use FDS as the backend for Samba?
>>> The FDS wiki (http://directory.fedoraproject.org/wiki/Howto:Samba) has instructions to set up both Samba and FDS on the same box.
>>> What special steps need to be done if on 2 different boxes?
>>>
>>> 2. I had set up Samba+FDS on a single box and password syncing works only one way.
>>> FDS --> Samba sync is not working. Passwords changed using smbpasswd get synced with FDS.
>>> Am I missing something?
>> There is currently no way to have FDS -> Samba password sync (that is, have updates to userPassword automatically update sambaLMPassword and sambaNTPassword).
>>>
>>> Thanks.
From msauton at redhat.com Tue Sep 18 20:53:13 2007 From: msauton at redhat.com (Marc Sauton) Date: Tue, 18 Sep 2007 13:53:13 -0700 Subject: [Fedora-directory-users] FDS and Solaris Client Question In-Reply-To: <1190145614.4865.9.camel@europa> References: <1190145614.4865.9.camel@europa> Message-ID: <46F03AB9.90200@redhat.com>

Jeremiah Coleman wrote:
> I'm trying to set up a Solaris 10 client with FDS (all my Linux clients
> are working beautifully), but authentication is acting very strange.
> Monitoring the net traffic, I can see the Solaris system bind, search
> for info about the username, get a normal response, but then it just

Not sure about the "normal" response. If the rootbinddn in /etc/ldap.conf and the associated pw or file permissions are correct, what about a "getent passwd" and logs or a trace?

> unbinds. It never asks to authenticate a password. My configuration is
> below.

You may want to restart / SIGHUP your sshd to get the latest configuration. System logs and getent could confirm the uid is found, to eliminate the nss_ldap part.

> Any help would be much appreciated.
> > ldap_client_file: > NS_LDAP_FILE_VERSION= 2.0 > NS_LDAP_SERVERS= fds1.wherever.com > NS_LDAP_SEARCH_BASEDN= dc=wherever,dc=com > NS_LDAP_AUTH= simple > NS_LDAP_SEARCH_REF= TRUE > NS_LDAP_SEARCH_SCOPE= one > NS_LDAP_SEARCH_TIME= 30 > NS_LDAP_CACHETTL= 43200 > NS_LDAP_PROFILE= default > NS_LDAP_CREDENTIAL_LEVEL= proxy > NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=wherever,dc=com?one > NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=wherever,dc=com?one > NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=wherever,dc=com?one > NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=wherever,dc=com?one > NS_LDAP_BIND_TIME= 2 > > /etc/nsswitch.conf (note, I pulled ldap from networks, etc, since not > all of that is configured on ldap as yet): > # the following two lines obviate the "+" entry in /etc/passwd and /etc/group. > passwd: files ldap > group: files ldap > shadow: files ldap > > # consult /etc "files" only if ldap is down. > hosts: dns files ldap > > # Note that IPv4 addresses are searched for in all of the ipnodes databases > # before searching the hosts databases. > ipnodes: files > > networks: files > protocols: files > rpc: files > ethers: files > netmasks: files > bootparams: files > publickey: files > > netgroup: ldap > > automount: files ldap > aliases: files ldap > > # for efficient getservbyname() avoid ldap > services: files ldap > > printers: user files ldap > > auth_attr: files ldap > prof_attr: files ldap > > project: files ldap > > tnrhtp: files ldap > tnrhdb: files ldap > > > Is it possible you are missing some entries in your /etc/pam.d/ for ssh on Solaris 10 ? 
> /etc/pam.conf: > # login service (explicit because of pam_dial_auth) > # > login auth required pam_ldap.so.1 > login auth requisite pam_authtok_get.so.1 > login auth required pam_dhkeys.so.1 > login auth required pam_unix_cred.so.1 > login auth required pam_unix_auth.so.1 > login auth required pam_dial_auth.so.1 > # > # rlogin service (explicit because of pam_rhost_auth) > # > rlogin auth sufficient pam_ldap.so.1 > rlogin auth sufficient pam_rhosts_auth.so.1 > rlogin auth requisite pam_authtok_get.so.1 > rlogin auth required pam_dhkeys.so.1 > rlogin auth required pam_unix_cred.so.1 > rlogin auth required pam_unix_auth.so.1 > # Default definitions for Authentication management > # Used when service name is not explicitly mentioned for authentication > # > other auth sufficient pam_ldap.so.1 > other auth requisite pam_authtok_get.so.1 > other auth required pam_dhkeys.so.1 > other auth required pam_unix_cred.so.1 > other auth required pam_unix_auth.so.1 > # > # passwd command (explicit because of a different authentication module) > # > passwd auth sufficient pam_ldap.so.1 > passwd auth required pam_passwd_auth.so.1 > # > # cron service (explicit because of non-usage of pam_roles.so.1) > # > cron account required pam_unix_account.so.1 > # > # Default definition for Account management > # Used when service name is not explicitly mentioned for account management > # > other account sufficient pam_ldap.so.1 > other account requisite pam_roles.so.1 > other account required pam_unix_account.so.1 > # > # Default definition for Session management > # Used when service name is not explicitly mentioned for session management > # > other session sufficient pam_ldap.so.1 > other session required pam_unix_session.so.1 > # > # Default definition for Password management > # Used when service name is not explicitly mentioned for password management > # > other password required pam_dhkeys.so.1 > other password requisite pam_authtok_get.so.1 > other password requisite 
pam_authtok_check.so.1 > other password required pam_authtok_store.so.1 > > > From jay.coleman at cctechnol.com Tue Sep 18 21:44:38 2007 From: jay.coleman at cctechnol.com (Jeremiah Coleman) Date: Tue, 18 Sep 2007 16:44:38 -0500 Subject: [Fedora-directory-users] FDS and Solaris Client Question In-Reply-To: <46F03AB9.90200@redhat.com> References: <1190145614.4865.9.camel@europa> <46F03AB9.90200@redhat.com> Message-ID: <1190151878.4865.26.camel@europa> On Tue, 2007-09-18 at 13:53 -0700, Marc Sauton wrote: > Jeremiah Coleman wrote: > > I'm trying to set up a Solaris 10 client with FDS (all my linux clients > > are working beautifully), but authentication is acting very strange. > > Monitoring the net traffic, I can see the Solaris system bind, search > > for info about the username, get a normal response, but then it just > > > Not sure for the "normal" reponse. The client asks for the posixAccount info, and gets all that is available, then asks for the shadowAccount info, and gets the uid (same as the linux clients). Repeats this a couple of times, then stops. > If the rootbinddn in /etc/ldap.conf and associated pw or file > permissions are correct, what about a "getent passwd" and logs or trace ? > > unbinds. It never asks to authenticate a password. My configuration is > > below. I'm using Solaris 10 native, not OpenLDAP. No /etc/ldap.conf. Would I be better off switching to OpenLDAP? getent passwd gives me a passwd file list from the ldap server, with x instead of actual passwords. As for logs, I've been unable to find a way to get the authentication stuff to log effectively. Thanks, Jay > > > > > May want to restart / sighup your sshd to get the last configurations. > System logs and getent could confirm the uid is found, to eliminate the > nss_ldap part. > > Any help would be much appreciated. 
> > > > ldap_client_file: > > NS_LDAP_FILE_VERSION= 2.0 > > NS_LDAP_SERVERS= fds1.wherever.com > > NS_LDAP_SEARCH_BASEDN= dc=wherever,dc=com > > NS_LDAP_AUTH= simple > > NS_LDAP_SEARCH_REF= TRUE > > NS_LDAP_SEARCH_SCOPE= one > > NS_LDAP_SEARCH_TIME= 30 > > NS_LDAP_CACHETTL= 43200 > > NS_LDAP_PROFILE= default > > NS_LDAP_CREDENTIAL_LEVEL= proxy > > NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=wherever,dc=com?one > > NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=wherever,dc=com?one > > NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=wherever,dc=com?one > > NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=wherever,dc=com?one > > NS_LDAP_BIND_TIME= 2 > > > > /etc/nsswitch.conf (note, I pulled ldap from networks, etc, since not > > all of that is configured on ldap as yet): > > # the following two lines obviate the "+" entry in /etc/passwd and /etc/group. > > passwd: files ldap > > group: files ldap > > shadow: files ldap > > > > # consult /etc "files" only if ldap is down. > > hosts: dns files ldap > > > > # Note that IPv4 addresses are searched for in all of the ipnodes databases > > # before searching the hosts databases. > > ipnodes: files > > > > networks: files > > protocols: files > > rpc: files > > ethers: files > > netmasks: files > > bootparams: files > > publickey: files > > > > netgroup: ldap > > > > automount: files ldap > > aliases: files ldap > > > > # for efficient getservbyname() avoid ldap > > services: files ldap > > > > printers: user files ldap > > > > auth_attr: files ldap > > prof_attr: files ldap > > > > project: files ldap > > > > tnrhtp: files ldap > > tnrhdb: files ldap > > > > > > > Is it possible you are missing some entries in your /etc/pam.d/ for ssh > on Solaris 10 ? 
> > /etc/pam.conf:
> > # login service (explicit because of pam_dial_auth)
> > #
> > login auth required pam_ldap.so.1
> > login auth requisite pam_authtok_get.so.1
> > login auth required pam_dhkeys.so.1
> > login auth required pam_unix_cred.so.1
> > login auth required pam_unix_auth.so.1
> > login auth required pam_dial_auth.so.1
> > #
> > # rlogin service (explicit because of pam_rhost_auth)
> > #
> > rlogin auth sufficient pam_ldap.so.1
> > rlogin auth sufficient pam_rhosts_auth.so.1
> > rlogin auth requisite pam_authtok_get.so.1
> > rlogin auth required pam_dhkeys.so.1
> > rlogin auth required pam_unix_cred.so.1
> > rlogin auth required pam_unix_auth.so.1
> > # Default definitions for Authentication management
> > # Used when service name is not explicitly mentioned for authentication
> > #
> > other auth sufficient pam_ldap.so.1
> > other auth requisite pam_authtok_get.so.1
> > other auth required pam_dhkeys.so.1
> > other auth required pam_unix_cred.so.1
> > other auth required pam_unix_auth.so.1
> > #
> > # passwd command (explicit because of a different authentication module)
> > #
> > passwd auth sufficient pam_ldap.so.1
> > passwd auth required pam_passwd_auth.so.1
> > #
> > # cron service (explicit because of non-usage of pam_roles.so.1)
> > #
> > cron account required pam_unix_account.so.1
> > #
> > # Default definition for Account management
> > # Used when service name is not explicitly mentioned for account management
> > #
> > other account sufficient pam_ldap.so.1
> > other account requisite pam_roles.so.1
> > other account required pam_unix_account.so.1
> > #
> > # Default definition for Session management
> > # Used when service name is not explicitly mentioned for session management
> > #
> > other session sufficient pam_ldap.so.1
> > other session required pam_unix_session.so.1
> > #
> > # Default definition for Password management
> > # Used when service name is not explicitly mentioned for password management
> > #
> > other password required pam_dhkeys.so.1
> > other password requisite pam_authtok_get.so.1
> > other password requisite pam_authtok_check.so.1
> > other password required pam_authtok_store.so.1
> >
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
Jeremiah Coleman
Systems Administrator
C & C Technologies
337-261-0660 x3421
jay.coleman at cctechnol.com

From msauton at redhat.com Tue Sep 18 22:30:22 2007
From: msauton at redhat.com (Marc Sauton)
Date: Tue, 18 Sep 2007 15:30:22 -0700
Subject: [Fedora-directory-users] FDS and Solaris Client Question
In-Reply-To: <1190151878.4865.26.camel@europa>
References: <1190145614.4865.9.camel@europa> <46F03AB9.90200@redhat.com> <1190151878.4865.26.camel@europa>
Message-ID: <46F0517E.8030606@redhat.com>

Jeremiah Coleman wrote:
> On Tue, 2007-09-18 at 13:53 -0700, Marc Sauton wrote:
>
>> Jeremiah Coleman wrote:
>>
>>> I'm trying to set up a Solaris 10 client with FDS (all my linux clients
>>> are working beautifully), but authentication is acting very strange.
>>> Monitoring the net traffic, I can see the Solaris system bind, search
>>> for info about the username, get a normal response, but then it just
>>>
>> Not sure for the "normal" response.
>>
>
> The client asks for the posixAccount info, and gets all that is
> available, then asks for the shadowAccount info, and gets the uid (same
> as the linux clients). Repeats this a couple of times, then stops.
>
>> If the rootbinddn in /etc/ldap.conf and associated pw or file
>> permissions are correct, what about a "getent passwd" and logs or trace ?
>>
>>> unbinds. It never asks to authenticate a password. My configuration is
>>> below.
>>>
>
> I'm using Solaris 10 native, not OpenLDAP. No /etc/ldap.conf. Would I
> be better off switching to OpenLDAP? getent passwd gives me a passwd
> file list from the ldap server, with x instead of actual passwords.
> If getent shows the non local uid's, the failed ssh login could be related to your pam client configuration or to a service not running on the client ? (client system logs should provide you some hints) M. > As for logs, I've been unable to find a way to get the authentication > stuff to log effectively. > > Thanks, > Jay > > >>> >>> >> May want to restart / sighup your sshd to get the last configurations. >> System logs and getent could confirm the uid is found, to eliminate the >> nss_ldap part. >> >>> Any help would be much appreciated. >>> >>> ldap_client_file: >>> NS_LDAP_FILE_VERSION= 2.0 >>> NS_LDAP_SERVERS= fds1.wherever.com >>> NS_LDAP_SEARCH_BASEDN= dc=wherever,dc=com >>> NS_LDAP_AUTH= simple >>> NS_LDAP_SEARCH_REF= TRUE >>> NS_LDAP_SEARCH_SCOPE= one >>> NS_LDAP_SEARCH_TIME= 30 >>> NS_LDAP_CACHETTL= 43200 >>> NS_LDAP_PROFILE= default >>> NS_LDAP_CREDENTIAL_LEVEL= proxy >>> NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=wherever,dc=com?one >>> NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=wherever,dc=com?one >>> NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=wherever,dc=com?one >>> NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=wherever,dc=com?one >>> NS_LDAP_BIND_TIME= 2 >>> >>> /etc/nsswitch.conf (note, I pulled ldap from networks, etc, since not >>> all of that is configured on ldap as yet): >>> # the following two lines obviate the "+" entry in /etc/passwd and /etc/group. >>> passwd: files ldap >>> group: files ldap >>> shadow: files ldap >>> >>> # consult /etc "files" only if ldap is down. >>> hosts: dns files ldap >>> >>> # Note that IPv4 addresses are searched for in all of the ipnodes databases >>> # before searching the hosts databases. 
>>> ipnodes: files >>> >>> networks: files >>> protocols: files >>> rpc: files >>> ethers: files >>> netmasks: files >>> bootparams: files >>> publickey: files >>> >>> netgroup: ldap >>> >>> automount: files ldap >>> aliases: files ldap >>> >>> # for efficient getservbyname() avoid ldap >>> services: files ldap >>> >>> printers: user files ldap >>> >>> auth_attr: files ldap >>> prof_attr: files ldap >>> >>> project: files ldap >>> >>> tnrhtp: files ldap >>> tnrhdb: files ldap >>> >>> >>> >>> >> Is it possible you are missing some entries in your /etc/pam.d/ for ssh >> on Solaris 10 ? >> >>> /etc/pam.conf: >>> # login service (explicit because of pam_dial_auth) >>> # >>> login auth required pam_ldap.so.1 >>> login auth requisite pam_authtok_get.so.1 >>> login auth required pam_dhkeys.so.1 >>> login auth required pam_unix_cred.so.1 >>> login auth required pam_unix_auth.so.1 >>> login auth required pam_dial_auth.so.1 >>> # >>> # rlogin service (explicit because of pam_rhost_auth) >>> # >>> rlogin auth sufficient pam_ldap.so.1 >>> rlogin auth sufficient pam_rhosts_auth.so.1 >>> rlogin auth requisite pam_authtok_get.so.1 >>> rlogin auth required pam_dhkeys.so.1 >>> rlogin auth required pam_unix_cred.so.1 >>> rlogin auth required pam_unix_auth.so.1 >>> # Default definitions for Authentication management >>> # Used when service name is not explicitly mentioned for authentication >>> # >>> other auth sufficient pam_ldap.so.1 >>> other auth requisite pam_authtok_get.so.1 >>> other auth required pam_dhkeys.so.1 >>> other auth required pam_unix_cred.so.1 >>> other auth required pam_unix_auth.so.1 >>> # >>> # passwd command (explicit because of a different authentication module) >>> # >>> passwd auth sufficient pam_ldap.so.1 >>> passwd auth required pam_passwd_auth.so.1 >>> # >>> # cron service (explicit because of non-usage of pam_roles.so.1) >>> # >>> cron account required pam_unix_account.so.1 >>> # >>> # Default definition for Account management >>> # Used when service 
name is not explicitly mentioned for account management >>> # >>> other account sufficient pam_ldap.so.1 >>> other account requisite pam_roles.so.1 >>> other account required pam_unix_account.so.1 >>> # >>> # Default definition for Session management >>> # Used when service name is not explicitly mentioned for session management >>> # >>> other session sufficient pam_ldap.so.1 >>> other session required pam_unix_session.so.1 >>> # >>> # Default definition for Password management >>> # Used when service name is not explicitly mentioned for password management >>> # >>> other password required pam_dhkeys.so.1 >>> other password requisite pam_authtok_get.so.1 >>> other password requisite pam_authtok_check.so.1 >>> other password required pam_authtok_store.so.1 >>> >>> >>> >>> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> From niranjan.ashok at gmail.com Wed Sep 19 02:44:26 2007 From: niranjan.ashok at gmail.com (mallapadi niranjan) Date: Wed, 19 Sep 2007 08:14:26 +0530 Subject: [Fedora-directory-users] FDS and Samba3 In-Reply-To: <46F0312C.7080404@redhat.com> References: <3185E02C-466D-45ED-922C-5A17AA3C907A@roundbox.com> <46F02CAB.3010601@redhat.com> <46F0312C.7080404@redhat.com> Message-ID: <73e979680709181944y13e18d7an5ba1a831460818ad@mail.gmail.com> Hi Raj I believe it should be possible to setup samba and Fedora Directory Server on Different boxes. For example if i have setup Fedora directory server on one box and if it's called ldap.example.com and samba on different box say samba.example.com then my smb.conf would have below entries, i am just providing only those entries where we have to mention the ldap server name. 
[global] passdb backend = ldapsam:ldap://ldap.example.com idmap backend = ldap:ldap://ldap.example.com And if you are using samba.schema and idealx scripts, then your smbldap.confwould contain slaveLDAP=" wrote: > > Raj Seenivasan wrote: > > Thanks. > > Is it possible to setup samba on one box and use fds as the backend > > running on a second box? > I don't see why not, but I don't know. > > > > On Sep 18, 2007, at 3:53 PM, Richard Megginson wrote: > > > >> Raj Seenivasan wrote: > >>> I have 2 questions to ask. I searched the list and couldn't find > >>> anything related... > >>> > >>> 1. Is there a way to setup samba and FDS on 2 different boxes and > >>> use FDS as the backend for samba? > >>> FDS wiki (http://directory.fedoraproject.org/wiki/Howto:Samba) has > >>> instructions to setup both samba and fds on the same box. > >>> What special steps needs to be done if on 2 different boxes? > >>> > >>> 2. I had setup samba+fds on a single box and password syncing works > >>> only one way. > >>> FDS --> Samba sync is not working. Passwords changed using smbpasswd > >>> gets synced with fds. > >>> Am I missing something? > >> There is currently no way to have FDS -> Samba password sync (that > >> is, have updates to userPassword automatically update sambaLMPassword > >> and sambaNTPassword). > >>> > >>> Thanks. > >>> > >>> --Fedora-directory-users mailing list > >>> Fedora-directory-users at redhat.com > >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users > >> > >> -- > >> Fedora-directory-users mailing list > >> Fedora-directory-users at redhat.com > >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > CONFIDENTIALITY NOTICE: This email message and any attachments > > contain proprietary and privileged information of Roundbox, Inc., > > which are provided for the sole and confidential use of the intended > > recipients. 
Any review, use, disclosure or distribution of this > > information is restricted and must comply with the nondisclosure > > agreement between Roundbox, Inc. and you (or your company). All other > > uses are prohibited. If you are not an intended recipient, please > > contact the sender by reply email and promptly delete and otherwise > > destroy all copies of the message and its attachments. > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From linuxtrap at yahoo.co.in Wed Sep 19 07:06:06 2007 From: linuxtrap at yahoo.co.in (satish patel) Date: Wed, 19 Sep 2007 08:06:06 +0100 (BST) Subject: [Fedora-directory-users] samba + PDC + FDS Message-ID: <574220.62572.qm@web8405.mail.in.yahoo.com> dear all it is possible to implement samba as PDC + FDS and it will give fully functionality like Win 2003 DC ?? Regards $ cat ~/satish/url.txt http://www.linuxbug.org _____________________________________________________________________________________________________ --------------------------------- Forgot the famous last words? Access your message archive online. Click here. -------------- next part -------------- An HTML attachment was scrubbed... URL: From Steven.Jones at vuw.ac.nz Wed Sep 19 20:44:07 2007 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 20 Sep 2007 08:44:07 +1200 Subject: [Fedora-directory-users] getting sh on RHAS5 to work with FDS. In-Reply-To: <46EFE33B.2020800@redhat.com> Message-ID: Hi, Ahhhh, I made good notes as I went along and I think can see my error, ============ 7. 
Generate the server certificate:
../shared/bin/certutil -S -n "Server-Cert" -s \
"cn=vuw.ac.nz" -c "CA certificate" -t "u,u,u" -m 1001 -v \
120 -d . -z noise.txt -f pwdfile.txt
============

cn should have been "vuwunicvfdsm001.vuw.ac.nz" and not "vuw.ac.nz".....

RHAS4 cannot check too closely as it seems to be working, for Debian and RHAS5 not....

So, if I have multiple LDAP [master] servers each LDAP server's key needs installing on the client? Slaves as well?

I thought of a DNS issue but that looks OK.

Thanks,

Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
Sent: Wednesday, 19 September 2007 2:40 a.m.
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] getting sh on RHAS5 to work with FDS.

Steven Jones wrote:
> An "improved" ldap.conf (with no ssl/TLS) for RHAS5
>
> ===============
> # http://www.padl.com
> base dc=vuw,dc=ac,dc=nz
> pam_password md5
> BASE dc=vuw,dc=ac,dc=nz
> TLS_REQCERT never
> uri ldap://ldap.vuw.ac.nz/
> ssl no
> tls_cacertdir /etc/openldap/cacerts
> ===============
>
> Trying TLS with,
>
> ===============
> #ssl setup
> # http://www.padl.com
> base dc=vuw,dc=ac,dc=nz
> pam_password md5
> BASE dc=vuw,dc=ac,dc=nz
> TLS_REQCERT allow
> #TLS_REQCERT never
> host ldap.vuw.ac.nz
> ssl start_tls
> uri ldap://ldap.vuw.ac.nz/
> tls_cacertdir /etc/openldap/cacerts
> ===============
>
> Produces this error,
>
> [root at vuwunicoadmin01 etc]# ldapsearch -x -ZZ '(uid=jonesst1)'
> ldap_start_tls: Connect error (-11)
> additional info: TLS: hostname does not match CN in peer certificate
>
> Which is an interesting error.....
>
Yes, very.
http://directory.fedoraproject.org/wiki/Howto:SSL#Basic_Steps

NOTE - *Do not use cn=server-cert for your server certificate*. In step 7 of the linked instructions, it says to use certutil .... -s cn=server-cert - this will cause clients to fail to validate the cert. Instead, you must use the fully qualified domain name of your server host as the value of the cn attribute in the subject DN. For example, if your directory server hostname is foo.example.com, use

../shared/bin/certutil -S -n "Server-Cert" -s cn=foo.example.com -c "CA certificate" \
-t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt

to generate your server cert. This is the minimum. You may wish to provide your clients with more details about your server. For more information, see RFC 1485. You could choose to specify the subject DN like this:

../shared/bin/certutil ... -s "cn=foo.example.com,ou=engineering,o=example corp,c=us" ...

Note that this also means that if you use cn=foo.example.com, clients must be able to resolve the server's IP address to "foo.example.com". If you don't care/can't do this, then use TLS_REQCERT never in your /etc/openldap/ldap.conf to make ldapsearch stop complaining. I highly recommend you do not do this though.

> regards
> Steven
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rmeggins at redhat.com Wed Sep 19 21:01:33 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 19 Sep 2007 15:01:33 -0600
Subject: [Fedora-directory-users] getting sh on RHAS5 to work with FDS.
In-Reply-To:
References:
Message-ID: <46F18E2D.5030907@redhat.com>

Steven Jones wrote:
> Hi,
>
> Ahhhh, I made good notes as I went along and I think can see my error,
>
> ============
> 7.
Generate the server certificate: > ../shared/bin/certutil -S -n "Server-Cert" -s \ > "cn=vuw.ac.nz" -c "CA certificate" -t "u,u,u" -m 1001 -v \ > 120 -d . -z noise.txt -f pwdfile.txt > ============ > > cn should have been "vuwunicvfdsm001.vuw.ac.nz" and not "vuw.ac.nz"..... > > RHAS4 cannot check too closely as it seems to be working, for Debian and > RHAS5 not.... > > So, if I have multiple LDAP [master] servers each LDAP server's key > needs installing on the client? No, only the CA cert. An SSL client only needs the CA cert. > Slaves as well? > Each server will need its own server cert and key, and the CA cert. > I though of a DNS issue but that looks OK. > > Thanks, > > Steven Jones > Senior Linux/Unix/San/Vmware System Administrator > APG -Technology Integration Team > Victoria University of Wellington > Phone: +64 4 463 6272 > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard > Megginson > Sent: Wednesday, 19 September 2007 2:40 a.m. > To: General discussion list for the Fedora Directory server project. > Subject: Re: [Fedora-directory-users] getting sh on RHAS5 to work with > FDS. 
> > Steven Jones wrote: > >> An "improved" ldap.conf (with no ssl/TLS) for RHAS5 >> >> =============== >> >> # http://www.padl.com >> >> base dc=vuw,dc=ac,dc=nz >> >> pam_password md5 >> >> BASE dc=vuw,dc=ac,dc=nz >> >> TLS_REQCERT never >> >> uri ldap://ldap.vuw.ac.nz/ >> >> ssl no >> >> tls_cacertdir /etc/openldap/cacerts >> >> =============== >> >> Trying TLS with, >> >> =============== >> >> #ssl setup >> >> # http://www.padl.com >> >> base dc=vuw,dc=ac,dc=nz >> >> pam_password md5 >> >> BASE dc=vuw,dc=ac,dc=nz >> >> TLS_REQCERT allow >> >> #TLS_REQCERT never >> >> host ldap.vuw.ac.nz >> >> ssl start_tls >> >> uri ldap://ldap.vuw.ac.nz/ >> >> tls_cacertdir /etc/openldap/cacerts >> >> =============== >> >> Produces this error, >> >> [root at vuwunicoadmin01 etc]# ldapsearch -x -ZZ '(uid=jonesst1)' >> >> ldap_start_tls: Connect error (-11) >> >> additional info: TLS: hostname does not match CN in peer certificate >> >> Which is an interesting error..... >> >> > Yes, very. > http://directory.fedoraproject.org/wiki/Howto:SSL#Basic_Steps > > > NOTE - *Do not use cn=server-cert for your server certificate*. In step > 7 of the linked instructions, it says to use certutil .... -s > cn=server-cert - this will cause clients to fail to validate the cert. > Instead, you must use the fully qualified domain name of your server > host as the value of the cn attribute in the subject DN. For example, if > > your directory server hostname is foo.example.com, use > > ../shared/bin/certutil -S -n "Server-Cert" -s cn=foo.example.com -c "CA > certificate" \ > -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt > > to generate your server cert. This is the minimum. You may wish to > provide your clients with more details about your server. For more > information, see RFC 1485 . You > could choose to specify the subject DN like this: > > ../shared/bin/certutil ... -s > "cn=foo.example.com,ou=engineering,o=example corp,c=us" ... 
> Note that this also means that if you use cn=foo.example.com, clients
> must be able to resolve the server's IP address to "foo.example.com". If
> you don't care/can't do this, then use TLS_REQCERT never in your
> /etc/openldap/ldap.conf to make ldapsearch stop complaining. I highly
> recommend you do not do this though.
>
>> regards
>>
>> Steven
>>
> ------------------------------------------------------------------------
>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From g.digiambelardini at fabaris.it Thu Sep 20 12:04:30 2007
From: g.digiambelardini at fabaris.it (Di Giambelardini Gabriele)
Date: Thu, 20 Sep 2007 14:04:30 +0200 (CEST)
Subject: [Fedora-directory-users] acls problem
Message-ID: <55454.192.168.1.1.1190289870.squirrel@webmail2.fabaris.it>

HI to all, I have a problem with some acls needed from a mail client to visit an address book.
I need to restrict for anonymous user, the fields (attributes) he can see. Other solution may be, negate to anonymous user access to the ldap and create a specific user for address book, or use the same mail user also for address book.

Some body can help me:
for restrict access to anonymous user?
for deny access to ldap for anonymous user?
set the right permission for the same user used for mail login??

Thanks, excuse me in advance for my english.
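An added editor's example for the address-book question just above (it is not from the thread, and not from the Red Hat ACI documentation later cited in reply). It expresses the three asks as Fedora Directory Server ACIs in one ldapmodify LDIF: anonymous gets nothing, authenticated users see only contact attributes of person entries, and each user can read his own entry. The suffix dc=example,dc=com, the attribute list, the inetOrgPerson filter and the exact text of the stock "Enable anonymous access" ACI are assumptions; the delete in step 1 only succeeds when the value matches what is stored on your suffix byte for byte, so copy it from `ldapsearch -x -D "cn=Directory Manager" -W -b dc=example,dc=com -s base aci` first. Because the whole modify is one atomic operation, a mismatch leaves the directory unchanged rather than half-locked.

```ldif
# Editor's example, not from the thread. Values marked "assumed" must be
# checked against your own directory before use.
dn: dc=example,dc=com
changetype: modify
# Step 1: drop the stock anonymous-read ACI (assumed value; copy yours).
# Anonymous binds still succeed, but with no ACI granting ldap:///anyone
# any right, an anonymous search simply returns no entries.
delete: aci
aci: (targetattr != "userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
-
# Step 2: authenticated users (ldap:///all) see only address-book
# attributes, and only on person entries. objectClass is included so the
# usual address-book filter (objectClass=inetOrgPerson) is allowed to run.
add: aci
aci: (targetattr = "objectClass || cn || sn || givenName || mail || telephoneNumber")(targetfilter = "(objectClass=inetOrgPerson)")(version 3.0; acl "Address book: contact attributes for authenticated users"; allow (read, search, compare) userdn = "ldap:///all";)
-
# Step 3: a bound user reads everything in his own entry except the
# password hash, which no mail client needs to see.
add: aci
aci: (targetattr != "userPassword")(version 3.0; acl "Self read"; allow (read, search, compare) userdn = "ldap:///self";)
```

Apply with `ldapmodify -x -D "cn=Directory Manager" -W -f addressbook-aci.ldif`, then check both sides: `ldapsearch -x -b dc=example,dc=com "(mail=*)"` (anonymous) should return no entries, while the same search bound as an ordinary user with `-D uid=someone,ou=People,dc=example,dc=com -W` should return only the attributes listed in step 2. If the address book should instead bind as one dedicated account, replace `userdn = "ldap:///all"` in step 2 with the DN of that account, for example `userdn = "ldap:///uid=addressbook,ou=Special Users,dc=example,dc=com"` (assumed DN). One caveat a practitioner will want: anything that today relies on anonymous reads (an MTA doing routing lookups, for instance) must bind with credentials once step 1 is in place.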
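The certificate-subject errors in the Steven Jones thread above ("TLS: hostname does not match CN in peer certificate" against a cert issued to cn=vuw.ac.nz) and in Ryan Braun's HA question further down (a cert issued to the virtual name eastldap.test.com rejected when connecting to eastldap0.test.com) both come from the same client-side rule. This added editor's example, written in Python and not code from Fedora Directory Server, OpenLDAP or NSS, models that rule on constructed certificate identities so the outcomes can be compared before anything is issued: a cert without subjectAltName is matched on its subject CN only, a cert with SAN dNSName entries is matched on those, and a wildcard is honoured only as the whole leftmost label. Real LDAP clients differ in wildcard support, as George Holbert notes in the reply to Ryan, so treat the wildcard branch as the generous interpretation.

```python
"""Hostname-vs-certificate identity check, the rule behind
"TLS: hostname does not match CN in peer certificate".

Editor's example: not code from Fedora Directory Server or any LDAP client.
The certificate identities below are constructed inline; nothing is parsed
from a real certificate.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ServerCert:
    """The identity fields a client compares: subject CN and SAN dNSNames."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)


def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-name match. A wildcard is honoured only as the
    whole leftmost label and matches exactly one label (RFC 6125 style):
    *.test.com matches eastldap0.test.com but not test.com or a.b.test.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if "." not in suffix:          # refuse *.com style wildcards
            return False
        first, _, rest = hostname.partition(".")
        return bool(first) and rest == suffix
    return pattern == hostname


def hostname_matches(cert: ServerCert, hostname: str) -> Tuple[bool, str]:
    """Return (ok, reason). SAN dNSName entries, when present, are
    authoritative and the CN is ignored; only a cert without SAN falls back
    to the subject CN, which is what the certutil -s "cn=..." step yields."""
    if cert.san_dns:
        for name in cert.san_dns:
            if _name_matches(name, hostname):
                return True, f"matched subjectAltName {name}"
        return False, "hostname does not match any subjectAltName in peer certificate"
    if _name_matches(cert.subject_cn, hostname):
        return True, f"matched CN {cert.subject_cn}"
    return False, "hostname does not match CN in peer certificate"


def report(cert: ServerCert, hostnames: List[str]) -> Dict[str, bool]:
    """Map each hostname a client might connect to onto the match result."""
    return {h: hostname_matches(cert, h)[0] for h in hostnames}


# Constructed sample identities mirroring the cases in the threads.
BARE_DOMAIN_CERT = ServerCert(subject_cn="vuw.ac.nz")        # bare domain, not the host FQDN
HA_VIP_CERT = ServerCert(subject_cn="eastldap.test.com")     # single-name cert for the VIP
SAN_CERT = ServerCert(subject_cn="eastldap.test.com",
                      san_dns=["eastldap.test.com", "eastldap0.test.com", "eastldap1.test.com"])
WILDCARD_CERT = ServerCert(subject_cn="*.test.com")

if __name__ == "__main__":
    cases = [("bare domain CN", BARE_DOMAIN_CERT), ("VIP CN only", HA_VIP_CERT),
             ("SAN", SAN_CERT), ("wildcard CN", WILDCARD_CERT)]
    hosts = ["vuwunicvfdsm001.vuw.ac.nz", "eastldap.test.com", "eastldap0.test.com", "test.com"]
    for label, cert in cases:
        for host in hosts:
            ok, why = hostname_matches(cert, host)
            print(f"{label:15} {host:28} {'OK  ' if ok else 'FAIL'} {why}")
```

Running the block prints one line per (certificate, hostname) pair; the VIP-only cert fails for the node names exactly as Ryan observed, while the SAN cert passes for the VIP and both nodes, which is why George's subjectAltName suggestion is the precise fix and the single-name-per-identity approach trades away connections to individual nodes.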
From g.digiambelardini at fabaris.it Thu Sep 20 12:24:50 2007 From: g.digiambelardini at fabaris.it (Di Giambelardini Gabriele) Date: Thu, 20 Sep 2007 14:24:50 +0200 (CEST) Subject: [Fedora-directory-users] acls problem In-Reply-To: <55454.192.168.1.1.1190289870.squirrel@webmail2.fabaris.it> References: <55454.192.168.1.1.1190289870.squirrel@webmail2.fabaris.it> Message-ID: <55989.192.168.1.1.1190291090.squirrel@webmail2.fabaris.it> HI to all, or I need to create ad my attribute as UserPassword attribute, no visible from all user but only from admin users thanks > HI to all, I have a problem with some acls needed from a mail client to > visit a address book. > I need to restrict for anonymous user, the fileds ( attributes ) he can > see. other solution may be, negate to anonymous user access to the ldap > and create an specific user for address book, or use the same mail user > also for address book. > > Some body can help me: > for restrict accesso to anonymous user? > for deny access to ldap for anonymous user? > set the right permission for the same user used for mail login?? > > Thanks, excuse me in advance for my english. > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > Di Giambelardini Gabriele System/Network Administrator __________________________________________ FABARIS s.r.l. Cel. +39 3488504467 Tel. +39 0765 22181 - Fax +39 0765 410100 Via G. 
Mameli, 90 02047 Poggio Mirteto (RI) Filiale: Viale dell'Universit?, 25 00185 Roma (RM) www.fabaris.it __________________________________________ From g.digiambelardini at fabaris.it Thu Sep 20 13:11:05 2007 From: g.digiambelardini at fabaris.it (Di Giambelardini Gabriele) Date: Thu, 20 Sep 2007 15:11:05 +0200 (CEST) Subject: [Fedora-directory-users] acls problem In-Reply-To: <55989.192.168.1.1.1190291090.squirrel@webmail2.fabaris.it> References: <55454.192.168.1.1.1190289870.squirrel@webmail2.fabaris.it> <55989.192.168.1.1.1190291090.squirrel@webmail2.fabaris.it> Message-ID: <57228.192.168.1.1.1190293865.squirrel@webmail2.fabaris.it> If it' s possible I need when an normal user authenticate him self to ldap, he can see all attributes about him self, but about other user only some attributes, this is necessary for all users. some body know the method?? thanks > HI to all, > or I need to create ad my attribute as UserPassword attribute, no visible > from all user but only from admin users > thanks > > >> HI to all, I have a problem with some acls needed from a mail client to >> visit a address book. >> I need to restrict for anonymous user, the fileds ( attributes ) he can >> see. other solution may be, negate to anonymous user access to the ldap >> and create an specific user for address book, or use the same mail user >> also for address book. >> >> Some body can help me: >> for restrict accesso to anonymous user? >> for deny access to ldap for anonymous user? >> set the right permission for the same user used for mail login?? >> >> Thanks, excuse me in advance for my english. >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > > Di Giambelardini Gabriele > System/Network Administrator > __________________________________________ > FABARIS s.r.l. > Cel. +39 3488504467 > Tel. +39 0765 22181 - Fax +39 0765 410100 > Via G. 
Mameli, 90 02047 Poggio Mirteto (RI)
> Filiale: Viale dell'Università, 25 00185 Roma (RM)
> www.fabaris.it
> __________________________________________
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

Di Giambelardini Gabriele
System/Network Administrator
__________________________________________
FABARIS s.r.l.
Cel. +39 3488504467
Tel. +39 0765 22181 - Fax +39 0765 410100
Via G. Mameli, 90 02047 Poggio Mirteto (RI)
Filiale: Viale dell'Università, 25 00185 Roma (RM)
www.fabaris.it
__________________________________________

From gholbert at broadcom.com Thu Sep 20 17:59:45 2007
From: gholbert at broadcom.com (George Holbert)
Date: Thu, 20 Sep 2007 10:59:45 -0700
Subject: [Fedora-directory-users] acls problem
In-Reply-To: <55454.192.168.1.1.1190289870.squirrel@webmail2.fabaris.it>
References: <55454.192.168.1.1.1190289870.squirrel@webmail2.fabaris.it>
Message-ID: <46F2B511.2060309@broadcom.com>

The RedHat documentation covers pretty much everything you've asked:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html

Be prepared for some trial and error to get your ACIs working as you'd like.

Di Giambelardini Gabriele wrote:
> HI to all, I have a problem with some acls needed from a mail client to
> visit an address book.
> I need to restrict for anonymous user, the fields (attributes) he can
> see. Other solution may be, negate to anonymous user access to the ldap
> and create a specific user for address book, or use the same mail user
> also for address book.
>
> Some body can help me:
> for restrict access to anonymous user?
> for deny access to ldap for anonymous user?
> set the right permission for the same user used for mail login??
>
> Thanks, excuse me in advance for my english.
> > --

From Ryan.Braun at ec.gc.ca Thu Sep 20 20:12:24 2007
From: Ryan.Braun at ec.gc.ca (Ryan Braun)
Date: Thu, 20 Sep 2007 20:12:24 +0000
Subject: [Fedora-directory-users] question about SSL configuration with IP takeover HA setup
Message-ID: <200709202012.24444.Ryan.Braun@ec.gc.ca>

Hey guys, installed FDS on a couple debian servers this week and am liking it so far. I have a couple questions regarding SSL/TLS setup with servers setup for IP takeover type HA setup. Keep in mind I have some experience with the LDAP side of things, it's the ssl and all the different certs and whatnot that keeps me up at night.

Essentially what I'm looking at is a 4 way multimaster setup, ending up with 2 HA pairs of servers. call them eastldap and westldap. I've implemented the east side in my test lab and have it replicating and can pull any user info I need off the directory no problem.

so
eastldap0.test.com ip 192.168.0.11
eastldap1.test.com ip 192.168.0.12
and the virtual interface on whichever machine is master would be
eastldap.test.com ip 192.168.0.10

and then the exact same setup with the last 2

westldap0.test.com ip 192.168.1.11
westldap1.test.com ip 192.168.1.12
westldap.test.com ip 192.168.1.10

Once everything is setup and running clients would be primarily only connecting to either virtual interface west/eastldap using TLS over port 389 and the 4 masters replicating with encryption (not sure but I imagine this takes place on ldaps port).

I followed the instructions on the howto:ssl page and created a cert located on eastldap0. But instead of using the eastldap0.test.com as the cn, I used eastldap.test.com. Cert installed ok, made sure eastldap0 was the HA master and restarted fds.

When I copied over the cacert to a linux client, I can run searches using ldapsearch -ZZ -h eastldap.test.com. Server logs and wire sniffs confirm everything is coming back encrypted.
It seems to be behaving as expected, when I try ldapsearch -ZZ -h eastldap0.test.com, it pukes with error 11 additional info: TLS: hostname does not match CN in peer certificate, which is right as the name in the cert is eastldap.test.com.

So it would appear I'm on my way, I just am not sure about what certs I need now, and how to add them properly. I would think I need at the very least

eastldap0
- eastldap0.test.com cert
- eastldap.test.com cert
eastldap1
- eastldap1.test.com cert
- eastldap.test.com cert
westldap0
- westldap0.test.com cert
- westldap.test.com cert
westldap1
- westldap1.test.com cert
- westldap.test.com cert

I'm just not sure if that is the proper way to go about it. Also, I would like to have the clients to be able to have all the cacerts to be able to communicate with all virtual and physical address' if need be. Later on, I would be adding probably 5 or 6 consumer read only replicas inbetween the suppliers and the clients, but one must walk before they run I guess :)

Long post I know, just trying to make sure I get all the important stuff out there. Be kind if I was using the incorrect terminology for the certs/cacerts :)

Ryan

PS. anyone have a good SSL for dummies reference that lays out what the heck is going on with SSL (pems,keys,certs,cacerts etc)

From gholbert at broadcom.com Thu Sep 20 21:36:56 2007
From: gholbert at broadcom.com (George Holbert)
Date: Thu, 20 Sep 2007 14:36:56 -0700
Subject: [Fedora-directory-users] question about SSL configuration with IP takeover HA setup
In-Reply-To: <200709202012.24444.Ryan.Braun@ec.gc.ca>
References: <200709202012.24444.Ryan.Braun@ec.gc.ca>
Message-ID: <46F2E7F8.2010002@broadcom.com>

> eastldap0
> - eastldap0.test.com cert
> - eastldap.test.com cert
> ...

Each running FDS server instance will have just one SSL certificate. If you want your server to identify with multiple names, you can either:
- Do a cert with subjectAltName extensions.
- Do a cert with a wildcard in the subject's CN (e.g., cn=*.test.com).

LDAP / SSL client support for these varies, so you will probably want to test both ways and see what works better with your clients. If it works for you, the subjectAltName method is probably preferable, because you can precisely list the valid names for your server.

Also, consider keeping it simple and just doing certs with single names (e.g., one cert each for 'westldap.test.com' and 'eastldap.test.com'), and installing that same cert on each server which should have that SSL identity. This is actually a pretty common way to do it, though it will limit your ability to make SSL connections to individual nodenames, like eastldap0.test.com (as you noticed).

Ryan Braun wrote:
> Hey guys, installed FDS on a couple debian servers this week and am liking it
> so far. I have a couple questions regarding SSL/TLS setup with servers setup
> for IP takeover type HA setup. Keep in mind I have some experience with the
> LDAP side of things, it's the ssl and all the different certs and whatnot
> that keeps me up at night.
>
> Essentially what I'm looking at is a 4 way multimaster setup, ending up with
> 2 HA pairs of servers. call them eastldap and westldap. I've implemented
> the east side in my test lab and have it replicating and can pull any user
> info I need off the directory no problem.
>
> so
> eastldap0.test.com ip 192.168.0.11
> eastldap1.test.com ip 192.168.0.12
> and the virtual interface on whichever machine is master would be
> eastldap.test.com ip 192.168.0.10
>
> and then the exact same setup with the last 2
>
> westldap0.test.com ip 192.168.1.11
> westldap1.test.com ip 192.168.1.12
> westldap.test.com ip 192.168.1.10
>
> Once everything is setup and running clients would be primarily only
> connecting to either virtual interface west/eastldap using TLS over port 389
> and the 4 masters replicating with encryption (not sure but I imagine this
> takes place on ldaps port).
> > I followed the instructions on the howto:ssl page and created a cert located > on eastldap0. But instead of using the eastldap0.test.com as the cn, I used > eastldap.test.com. Cert installed ok, made sure eastldap0 was the HA master > and restarted fds. > > When I copied over the cacert to a linux client, I can run searches using > ldapsearch -ZZ -h eastldap.test.com. Server logs and wire sniffs confirm > everything is coming back encrypted. It seems to be behaving as expected, > when I try ldapsearch -ZZ -h eastldap0.test.com, it pukes with error 11 > additional info: TLS: hostname does not match CN in peer certificate, which > is right as the name in the cert is eastldap.test.com. > > So it would appear I'm on my way, I just am not sure about what certs I need > now, and how to add them properly. I would think I need at the very least > > eastldap0 > - eastldap0.test.com cert > - eastldap.test.com cert > eastldap1 > - eastldap1.test.com cert > - eastldap.test.com cert > westldap0 > - westldap0.test.com cert > - westldap.test.com cert > westldap1 > - westldap1.test.com cert > - westldap.test.com cert > > I'm just not sure if that is the proper way to go about it. Also, I would > like to have the clients to be able to have all the cacerts to be able to > communicate with all virtual and physical address' if need be. Later on, I > would be adding probably 5 or 6 consumer read only replicas inbetween the > suppliers and the clients, but one must walk before they run I guess :) > > Long post I know, just trying to make sure I get all the important stuff out > there. Be kind if I was using the incorrect terminology for the > certs/cacerts :) > > Ryan > > PS. 
> anyone have a good SSL for dummies reference that lays out what the heck
> is going on with SSL (pems,keys,certs,cacerts etc)
>
> --

From jamesdeuchar at hotmail.com Fri Sep 21 09:51:16 2007
From: jamesdeuchar at hotmail.com (James Deuchar)
Date: Fri, 21 Sep 2007 10:51:16 +0100
Subject: [Fedora-directory-users] Unknown attribute syntax OID
Message-ID:

Hi,

I'm trying to create some custom schema via 99user.ldif using:

attributeTypes: ( 1.3.6.1.4.1.24813.1.10
  NAME 'cmDateOfBirth'
  DESC 'Date of birth (format YYYYMMDD, only numeric chars)'
  EQUALITY numericStringMatch
  SUBSTR numericsNumberSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.36
  SINGLE-VALUE
  X-ORIGIN 'user defined' )

I'm getting the following error when starting up slapd:

# ./start-slapd
[21/Sep/2007:11:30:05 +0100] dse - The entry cn=schema in file /opt/fedora-ds/slapd-master01/config/schema/99user.ldif is invalid, error code 21 (Invalid syntax) - attribute type cmDateOfBirth: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.36"
[21/Sep/2007:11:30:05 +0100] dse - Please edit the file to correct the reported problems and then restart the server

As far as I can tell from RFC2252 this should be ok?:
Numeric String   Y   1.3.6.1.4.1.1466.115.121.1.36

Any ideas?

Thanks,

James

From markwu05 at gmail.com Wed Sep 19 22:57:07 2007
From: markwu05 at gmail.com (Hai Wu)
Date: Wed, 19 Sep 2007 15:57:07 -0700
Subject: [Fedora-directory-users] failover works but very slow.
In-Reply-To: <41fdffa10709112007u57c2d4f7g1d5481b8388236e2@mail.gmail.com> References: <41fdffa10709111654m144ceb5ctf357ddb3a01de064@mail.gmail.com> <46E72CBC.5000002@broadcom.com> <41fdffa10709111730s42bbe114xa799197d4c31700@mail.gmail.com> <46E73642.9090408@broadcom.com> <41fdffa10709112007u57c2d4f7g1d5481b8388236e2@mail.gmail.com> Message-ID: <41fdffa10709191557m27429d75u80566ff4ee89b23e@mail.gmail.com> pam_ldap and nss_ldap are in in one package nss_ldap on Redhat and we have nss_ldap-207-17 on redhat 3.8 nss_ldap-226-18 on redhat 4.5 On suse 10, We have pam_ldap-180-13.12 and nss_ldap-246-14.13 On 9/11/07, Hai Wu wrote: > I just want to add that our SUSE 10 clients do not have this problem at all. > > On 9/11/07, George Holbert wrote: > > > > > > Thanks for your quick reply, it is hard to believe Redhat's Fedora DS > > > has such problem on their OS. > > > > Actually this is more related to the pam and nss_ldap libraries from > > PADL, which RedHat (and pretty much everyone else) bundles with their Linux. > > It's unlikely that recent improvements to PADL's software will show up > > in RHEL3 or RHEL4, but sometimes certain bugfixes are backported by RedHat. > > > > > > Hai Wu wrote: > > > Thanks for your quick reply, it is hard to believe Redhat's Fedora DS > > > has such problem on their OS. > > > I tried to reduce bind_timelimit from 3 to 1 and it almost reduced the > > > delay to an acceptable(but still noticeable) level, I think we will > > > do this if there is no side effect to have such a small > > > bind_timelimit. In the meaning time, I will stick to my > > > taking-primary-IP workaround which reduces the delay to zero. > > > > > > On 9/11/07, George Holbert wrote: > > > > > >> This is just the way it is with pam/nss_ldap as bundled in RHEL3 and > > >> RHEL4. There is no easy fix. > > >> If you like, you can reduce bind_timelimit to something very small. 
But > > >> this still isn't much of a solution, since clients will definitely > > >> notice when the primary is down. > > >> It's possible that newer versions of pam/nss_ldap handle failover more > > >> elegantly (I've seen notes to this effect in their Changelog). I > > >> haven't tested this myself yet. > > >> Another possibility is to put some kind of load balancer in front of > > >> your LDAP servers, which hides from clients the failure of any > > >> individual LDAP server. > > >> > > >> > > >> Hai Wu wrote: > > >> > > >>> Hi, > > >>> > > >>> We are using fedora 1.0.4, When the first ldap server dies and does not ping, > > >>> the clients can still bind to second server but it is very slow to do > > >>> anything on clients, opening a terminal or listing a dir takes a few > > >>> seconds. I find when ldap service is down on the first server but > > >>> server it still up and pingable, there is no delay on clients at all, > > >>> so I have the workaround to set up a eth0:0 on second ldap server(or > > >>> any other machine) to assume the IP of the first ldap server when > > >>> first ldap server does not ping. > > >>> > > >>> Please see our /etc/ldap.conf and /etc/openldap/ldap.conf , we have > > >>> only Rhel 3 and 4 clients. Any idea how to fix this? 
> > >>>
> > >>> Thanks
> > >>> Mark
> > >>>
> > >>> /etc/ldap.conf
> > >>> host 1.1.1.1 2.2.2.2
> > >>> port 636
> > >>> ldap_version 3
> > >>> base o=unix,dc=company,dc=com
> > >>> scope sub
> > >>> timelimit 5
> > >>> bind_timelimit 3
> > >>> pam_filter objectclass=posixAccount
> > >>> pam_login_attribute uid
> > >>> pam_member_attribute memberUid
> > >>> pam_password crypt
> > >>> idle_timelimit 3600
> > >>>
> > >>> /etc/openldap/ldap.conf
> > >>> BASE o=unix,dc=company,dc=com
> > >>> HOST 1.1.1.1 2.2.2.2
> > >>> PORT 636
> > >>>
> > >>> SIZELIMIT 0
> > >>> TIMELIMIT 0
> > >>>
> > >>> --
> > >>> Fedora-directory-users mailing list
> > >>> Fedora-directory-users at redhat.com
> > >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rmeggins at redhat.com Fri Sep 21 13:23:33 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 21 Sep 2007 07:23:33 -0600
Subject: [Fedora-directory-users] Unknown attribute syntax OID
In-Reply-To:
References:
Message-ID: <46F3C5D5.6070104@redhat.com>

James Deuchar wrote:
> Hi,
>
> I'm trying to create some custom schema via 99user.ldif using:
>
> attributeTypes: ( 1.3.6.1.4.1.24813.1.10
>   NAME 'cmDateOfBirth'
>   DESC 'Date of birth (format YYYYMMDD, only numeric chars)'
>   EQUALITY numericStringMatch
>   SUBSTR numericsNumberSubstringsMatch
>   SYNTAX 1.3.6.1.4.1.1466.115.121.1.36
>   SINGLE-VALUE
>   X-ORIGIN 'user defined' )
>
> I'm getting the following error when starting up slapd:
>
> # ./start-slapd
> [21/Sep/2007:11:30:05 +0100] dse - The entry cn=schema in file
> /opt/fedora-ds/slapd-master01/config/schema/99user.ldif is invalid,
> error code 21 (Invalid syntax) - attribute type cmDateOfBirth: Unknown
> attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.36"
> [21/Sep/2007:11:30:05 +0100] dse - Please edit the file to correct the
> reported problems and then restart the server
>
> As far as I can tell from RFC2252 this should be ok?:
> Numeric String   Y   1.3.6.1.4.1.1466.115.121.1.36
> Any ideas?

Fedora DS does not support that syntax. I suggest using DirectoryString instead.

> Thanks,
>
> James

From Ryan.Braun at ec.gc.ca Fri Sep 21 16:14:01 2007
From: Ryan.Braun at ec.gc.ca (Ryan Braun)
Date: Fri, 21 Sep 2007 16:14:01 +0000
Subject: [Fedora-directory-users] question about SSL configuration with IP takeover HA setup
In-Reply-To: <46F2E7F8.2010002@broadcom.com>
References: <200709202012.24444.Ryan.Braun@ec.gc.ca> <46F2E7F8.2010002@broadcom.com>
Message-ID: <200709211614.01638.Ryan.Braun@ec.gc.ca>

On Thursday 20 September 2007 21:36, George Holbert wrote:

Ok so I managed to create a new certificate using subjectAltName extensions, and it works as advertised. I can run ldapsearchs on eastldap on both eastldap0. Now my question is for generating certs for the other servers.
Now that I have the CA cert on eastldap0, I would assume I need to install the CA on each additional server. Can I just copy and paste the cacert.asc into the manage certificate wizard? Then I would generate new certs for each server. Now do I need to generate the certs all from eastldap0? or once the CA cert is installed on the rest of the boxes, am I able to generate the required certs on each box? Is it generally a good idea to keep all the cert creation in a central location? And for the clients, all they need is the one cacert.asc to be able to encrypt comms with each server? Thanks Ryan > > Each running FDS server instance will have just one SSL certificate. > If you want your server to identify with multiple names, you can either: > - Do a cert with subjectAltName extensions. > - Do a cert with a wildcard in the subject's CN (e.g., cn=*.test.com). > > LDAP / SSL client support for these varies, so you will probably want to > test both ways and see what works with better with your clients. > If it works for you, the subjectAltName method is probably preferable, > because you can precisely list the valid names for your server. > > Also, consider keeping it simple and just doing certs with single names > (e.g., one cert each for 'westldap.test.com' and 'eastldap.test.com'), > and installing that same cert on each server which should have that SSL > identity. This is actually a pretty common way to do it, though it will > limit your ability to make SSL connections to individual nodenames, like > eastldap0.test.com (as you noticed). > > Ryan Braun wrote: > > Hey guys, installed FDS on a couple debian servers this week and am > > liking it so far. I have a couple questions regarding SSL/TLS setup with > > servers setup for IP takeover type HA setup. Keep in mind I have some > > experience with the LDAP side of things, it's the ssl and all the > > different certs and whatnot that keeps me up at night. 
> > > > Essentially what I'm looking at is a 4 way multimaster setup, ending up > > with 2 HA pairs of servers. call them eastldap and westldap. I've > > implemented the east side in my test lab and have it replicating and can > > pull any user info I need off the directory no problem. > > > > so > > eastldap0.test.com ip 192.168.0.11 > > eastldap1.test.com ip 192.168.0.12 > > and the virtual interface on whichever machine is master would be > > eastldap.test.com ip 192.168.0.10 > > > > and then the exact same setup with the last 2 > > > > westldap0.test.com ip 192.168.1.11 > > westldap1.test.com ip 192.168.1.12 > > westldap.test.com ip 192.168.1.10 > > > > Once everything is setup and running clients would be primarily only > > connecting to either virtual interface west/eastldap using TLS over port > > 389 and the 4 masters replicating with encryption (not sure but I imagine > > this takes place on ldaps port). > > > > I followed the instructions on the howto:ssl page and created a cert > > located on eastldap0. But instead of using the eastldap0.test.com as the > > cn, I used eastldap.test.com. Cert installed ok, made sure eastldap0 > > was the HA master and restarted fds. > > > > When I copied over the cacert to a linux client, I can run searches > > using ldapsearch -ZZ -h eastldap.test.com. Server logs and wire sniffs > > confirm everything is coming back encrypted. It seems to be behaving as > > expected, when I try ldapsearch -ZZ -h eastldap0.test.com, it pukes with > > error 11 additional info: TLS: hostname does not match CN in peer > > certificate, which is right as the name in the cert is > > eastldap.test.com. > > > > So it would appear I'm on my way, I just am not sure about what certs I > > need now, and how to add them properly. 
I would think I need at the very > > least > > > > eastldap0 > > - eastldap0.test.com cert > > - eastldap.test.com cert > > eastldap1 > > - eastldap1.test.com cert > > - eastldap.test.com cert > > westldap0 > > - westldap0.test.com cert > > - westldap.test.com cert > > westldap1 > > - westldap1.test.com cert > > - westldap.test.com cert > > > > I'm just not sure if that is the proper way to go about it. Also, I > > would like to have the clients to be able to have all the cacerts to be > > able to communicate with all virtual and physical address' if need be. > > Later on, I would be adding probably 5 or 6 consumer read only replicas > > inbetween the suppliers and the clients, but one must walk before they > > run I guess :) > > > > Long post I know, just trying to make sure I get all the important stuff > > out there. Be kind if I was using the incorrect terminology for the > > certs/cacerts :) > > > > Ryan > > > > PS. anyone have a good SSL for dummies reference that lays out what the > > heck is going on with SSL (pems,keys,certs,cacerts etc) > > > > -- > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From rmeggins at redhat.com Fri Sep 21 16:37:10 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 21 Sep 2007 10:37:10 -0600 Subject: [Fedora-directory-users] question about SSL configuration with IP takeover HA setup In-Reply-To: <200709211614.01638.Ryan.Braun@ec.gc.ca> References: <200709202012.24444.Ryan.Braun@ec.gc.ca> <46F2E7F8.2010002@broadcom.com> <200709211614.01638.Ryan.Braun@ec.gc.ca> Message-ID: <46F3F336.8000903@redhat.com> Ryan Braun wrote: > On Thursday 20 September 2007 21:36, George Holbert wrote: > > Ok so I managed to create a new certificate using subjectAltName extenstions, > and it works as advertised. I can run ldapsearchs on eastldap on both > eastldap0. > > Now my question is for generating certs for the other servers. 
> Now that I have the CA cert on eastldap0, I would assume I need to install
> the CA on each additional server. Can I just copy and paste the cacert.asc
> into the manage certificate wizard?

You cannot use the CA cert to generate server certs. You need the CA cert and key. This CA key was created when you created your initial CA cert. The CA key is stored in the key3.db which you initially created in steps 5 and 6 here - http://directory.fedoraproject.org/wiki/Howto:SSL#Basic_Steps

I would suggest you create all of your server certs using this initial CA cert and key.

cd /opt/fedora-ds/alias
serialnumber=1002
for server in serverFQDN ; do
    ../shared/bin/certutil -d . -S -n "Server-Cert-$server" -s "cn=$server,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m $serialnumber -v 120 -d . -z noise.txt -f pwdfile.txt
    # each cert must have a unique serial number
    serialnumber=`expr $serialnumber + 1`
    # export the new server cert+key
    ../shared/bin/pk12util -d . -o $server.p12 -n "Server-Cert-$server" -k pwdfile.txt -w pwdfile.txt
done

For all of the commands listed above, you may have to specify -P slapd-instance- if you are not using cert8.db and key3.db.

Then, copy each file $server.p12 to that $server, along with the cacert.asc file.

Then, on each server:

cd /opt/fedora-ds/alias
../shared/bin/pk12util -d . -P slapd-instance- -i $server.p12 -w pwdfile.txt -k pwdfile.txt
# the -w argument is the file containing the password used to encrypt the .p12 file
# the -k argument is the file containing the password for the new key database
# you may use a different password for -k here - this is the same password used
# in your slapd-instance-pin.txt file

../shared/bin/certutil -A -d . -P slapd-instance- -n "CA certificate" -t "CT,," -a -i cacert.asc
# this imports your CA cert

> Then I would generate new certs for each server. Now do I need to generate
> the certs all from eastldap0?
or once the CA cert is installed on the rest > of the boxes, am I able to generate the required certs on each box? Is it > generally a good idea to keep all the cert creation in a central location? > > And for the clients, all they need is the one cacert.asc to be able to > encrypt comms with each server? > Yes. > Thanks > > Ryan > > > >> Each running FDS server instance will have just one SSL certificate. >> If you want your server to identify with multiple names, you can either: >> - Do a cert with subjectAltName extensions. >> - Do a cert with a wildcard in the subject's CN (e.g., cn=*.test.com). >> >> LDAP / SSL client support for these varies, so you will probably want to >> test both ways and see what works with better with your clients. >> If it works for you, the subjectAltName method is probably preferable, >> because you can precisely list the valid names for your server. >> >> Also, consider keeping it simple and just doing certs with single names >> (e.g., one cert each for 'westldap.test.com' and 'eastldap.test.com'), >> and installing that same cert on each server which should have that SSL >> identity. This is actually a pretty common way to do it, though it will >> limit your ability to make SSL connections to individual nodenames, like >> eastldap0.test.com (as you noticed). >> >> Ryan Braun wrote: >> >>> Hey guys, installed FDS on a couple debian servers this week and am >>> liking it so far. I have a couple questions regarding SSL/TLS setup with >>> servers setup for IP takeover type HA setup. Keep in mind I have some >>> experience with the LDAP side of things, it's the ssl and all the >>> different certs and whatnot that keeps me up at night. >>> >>> Essentially what I'm looking at is a 4 way multimaster setup, ending up >>> with 2 HA pairs of servers. call them eastldap and westldap. I've >>> implemented the east side in my test lab and have it replicating and can >>> pull any user info I need off the directory no problem. 
>>> >>> so >>> eastldap0.test.com ip 192.168.0.11 >>> eastldap1.test.com ip 192.168.0.12 >>> and the virtual interface on whichever machine is master would be >>> eastldap.test.com ip 192.168.0.10 >>> >>> and then the exact same setup with the last 2 >>> >>> westldap0.test.com ip 192.168.1.11 >>> westldap1.test.com ip 192.168.1.12 >>> westldap.test.com ip 192.168.1.10 >>> >>> Once everything is setup and running clients would be primarily only >>> connecting to either virtual interface west/eastldap using TLS over port >>> 389 and the 4 masters replicating with encryption (not sure but I imagine >>> this takes place on ldaps port). >>> >>> I followed the instructions on the howto:ssl page and created a cert >>> located on eastldap0. But instead of using the eastldap0.test.com as the >>> cn, I used eastldap.test.com. Cert installed ok, made sure eastldap0 >>> was the HA master and restarted fds. >>> >>> When I copied over the cacert to a linux client, I can run searches >>> using ldapsearch -ZZ -h eastldap.test.com. Server logs and wire sniffs >>> confirm everything is coming back encrypted. It seems to be behaving as >>> expected, when I try ldapsearch -ZZ -h eastldap0.test.com, it pukes with >>> error 11 additional info: TLS: hostname does not match CN in peer >>> certificate, which is right as the name in the cert is >>> eastldap.test.com. >>> >>> So it would appear I'm on my way, I just am not sure about what certs I >>> need now, and how to add them properly. I would think I need at the very >>> least >>> >>> eastldap0 >>> - eastldap0.test.com cert >>> - eastldap.test.com cert >>> eastldap1 >>> - eastldap1.test.com cert >>> - eastldap.test.com cert >>> westldap0 >>> - westldap0.test.com cert >>> - westldap.test.com cert >>> westldap1 >>> - westldap1.test.com cert >>> - westldap.test.com cert >>> >>> I'm just not sure if that is the proper way to go about it. 
Also, I >>> would like to have the clients to be able to have all the cacerts to be >>> able to communicate with all virtual and physical address' if need be. >>> Later on, I would be adding probably 5 or 6 consumer read only replicas >>> inbetween the suppliers and the clients, but one must walk before they >>> run I guess :) >>> >>> Long post I know, just trying to make sure I get all the important stuff >>> out there. Be kind if I was using the incorrect terminology for the >>> certs/cacerts :) >>> >>> Ryan >>> >>> PS. anyone have a good SSL for dummies reference that lays out what the >>> heck is going on with SSL (pems,keys,certs,cacerts etc) >>> >>> -- >>> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From Ryan.Braun at ec.gc.ca Fri Sep 21 18:16:04 2007 From: Ryan.Braun at ec.gc.ca (Ryan Braun) Date: Fri, 21 Sep 2007 18:16:04 +0000 Subject: [Fedora-directory-users] question about SSL configuration with =?iso-8859-15?q?IP=09takeover_HA?= setup In-Reply-To: <46F3F336.8000903@redhat.com> References: <200709202012.24444.Ryan.Braun@ec.gc.ca> <200709211614.01638.Ryan.Braun@ec.gc.ca> <46F3F336.8000903@redhat.com> Message-ID: <200709211816.04840.Ryan.Braun@ec.gc.ca> On Friday 21 September 2007 16:37, Richard Megginson wrote: > Ryan Braun wrote: > > On Thursday 20 September 2007 21:36, George Holbert wrote: > > > > Ok so I managed to create a new certificate using subjectAltName > > extenstions, and it works as advertised. I can run ldapsearchs on > > eastldap on both eastldap0. 
> >
> > Now my question is for generating certs for the other servers. Now that
> > I have the CA cert on eastldap0, I would assume I need to install the CA
> > on each additional server. Can I just copy and paste the cacert.asc into
> > the manage certificate wizard?
>
> You cannot use the CA cert to generate server certs. You need the CA
> cert and key. This CA key was created when you created your initial CA
> cert. The CA key is stored in the key3.db which you initially
> created in steps 5 and 6 here -
> http://directory.fedoraproject.org/wiki/Howto:SSL#Basic_Steps
>
> I would suggest you create all of your server certs using this initial
> CA cert and key.
> cd /opt/fedora-ds/alias
> serialnumber=1002
> for server in serverFQDN ; do
> ../shared/bin/certutil -d . -S -n "Server-Cert-$server" -s
> "cn=$server,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u"
> -m $serialnumber -v 120 -d . -z noise.txt -f pwdfile.txt
> # each cert must have a unique serial number
> serialnumber=`expr $serialnumber + 1`
> # export the new server cert+key
> ../shared/bin/pk12util -d . -o $server.p12 -n "Server-Cert-$server" -k
> pwdfile.txt -w pwdfile.txt
> done

Rather than run the script, I tried to run it for one example first

eastldap0:/opt/fedora-ds/alias# ../shared/bin/certutil -d . -S -n "Server-Cert-eastldap1" -s "cn=eastldap1.test.com" -c "CA certificate" -t "u,u,u" -m 2000 -v 120 -8 eastldap.test.com,eastldap,eastldap1 -d . -z noise.txt -f pwdfile.txt
Generating key.  This may take a few moments...
eastldap0:/opt/fedora-ds/alias# ../shared/bin/pk12util -d . -o ywgldap1.isb.ec.gc.ca.p12 -n "Server-Cert-ywgldap1" -k pwdfile.txt -w pwdfile.txt
pk12util-bin: PKCS12 EXPORT SUCCESSFUL

So at this point I had the .p12 file and the existing cacert.asc created, and sent them over to eastldap1.

> For all of the commands listed above, you may have to specify -P
> slapd-instance- if you are not using cert8.db and key3.db.
>
> Then, copy each file $server.p12 to that $server, along with the
> cacert.asc file
> Then, on each server:
> cd /opt/fedora-ds/alias
> ../shared/bin/pk12util -d . -P slapd-instance- -i $server.p12 -w
> pwdfile.txt -k pwdfile.txt
> # the -w argument is the file containing the password used to encrypt
> the .p12 file
> # the -k argument is the file containing the password for the new key
> database
> # you may use a different password for -k here - this is the same
> password used
> # in your slapd-instance-pin.txt file
>
> ../shared/bin/certutil -A -d . -P slapd-instance- -n "CA certificate" -t
> "CT,," -a -i cacert.asc
>
> # this imports your CA cert

Now the importing,

eastldap1:/opt/fedora-ds/alias# ../shared/bin/pk12util -d . -P slapd-eastldap1- -i eastldap1.test.com.p12 -w pwdfile-0.txt -k pwdfile.txt
pk12util-bin: PKCS12 IMPORT SUCCESSFUL
ywgldap1:/opt/fedora-ds/alias# ../shared/bin/certutil -A -d . -P slapd-eastldap1- -n "CA certificate" -t "CT,," -a -i cacert.asc

Send over enable ssl ldif

ryan at infinity:~/fds-tools$ ldapmodify -x -h eastldap1 -D "cn=directory manager" -W -f ssl_enable.ldif
Enter LDAP Password:
modifying entry "cn=encryption,cn=config"

modifying entry "cn=config"
ryan at infinity:~/fds-tools$ ldapmodify -x -h eastldap1 -D "cn=directory manager" -W -f addrsa.ldif
Enter LDAP Password:
adding new entry "cn=RSA,cn=encryption,cn=config"

But when I restart slapd on eastldap1

Enter PIN for Internal (Software) Token:
[21/Sep/2007:17:52:33 +0000] - SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[21/Sep/2007:17:52:33 +0000] - SSL alert: Security Initialization: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[21/Sep/2007:17:52:33 +0000] - SSL failure: None of the cipher are valid Did I miss importing a private key from somewhere? Do I need to use the cacert.pfx I created in the basic steps? Thanks Ryan From rmeggins at redhat.com Fri Sep 21 18:27:56 2007 From: rmeggins at redhat.com (Richard Megginson) Date: Fri, 21 Sep 2007 12:27:56 -0600 Subject: [Fedora-directory-users] question about SSL configuration with IP takeover HA setup In-Reply-To: <200709211816.04840.Ryan.Braun@ec.gc.ca> References: <200709202012.24444.Ryan.Braun@ec.gc.ca> <200709211614.01638.Ryan.Braun@ec.gc.ca> <46F3F336.8000903@redhat.com> <200709211816.04840.Ryan.Braun@ec.gc.ca> Message-ID: <46F40D2C.7030803@redhat.com> Ryan Braun wrote: > On Friday 21 September 2007 16:37, Richard Megginson wrote: > >> Ryan Braun wrote: >> >>> On Thursday 20 September 2007 21:36, George Holbert wrote: >>> >>> Ok so I managed to create a new certificate using subjectAltName >>> extenstions, and it works as advertised. I can run ldapsearchs on >>> eastldap on both eastldap0. >>> >>> Now my question is for generating certs for the other servers. Now that >>> I have the CA cert on eastldap0, I would assume I need to install the CA >>> on each additional server. Can I just copy and paste the cacert.asc into >>> the manage certificate wizard? >>> >> You cannot use the CA cert to generate server certs. You need the CA >> cert and key. This CA key was created when you created your initial CA >> cert. The CA key is stored in the key3.db in which you initially >> created in steps 5 and 6 here - >> http://directory.fedoraproject.org/wiki/Howto:SSL#Basic_Steps >> >> I would suggest you create all of your server certs using this initial >> CA cert and key. >> cd /opt/fedora-ds/alias >> serialnumber=1002 >> for server in serverFQDN ; do >> ../shared/bin/certutil -d . -S -n "Server-Cert-$server" -s >> "cn=$server,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" >> -m $serialnumber -v 120 -d . 
-z noise.txt -f pwdfile.txt >> # each cert must have a unique serial number >> serialnumber=`expr $serialnumber + 1` >> # export the new server cert+key >> ../shared/bin/pk12util -d . -o $server.p12 -n "Server-Cert-$server" -k >> pwdfile.txt -w pwdfile.txt >> done >> > Rather then run the script, I tried to run it for one example first > > eastldap0:/opt/fedora-ds/alias#../shared/bin/certutil -d . -S -n "Server-Cert-eastldap1" -s "cn=eastldap1.test.com" -c "CA certificate" -t "u,u,u" -m 2000 -v 120 -8 eastldap.test.com,eastldap,eastldap1 -d . -z noise.txt -f pwdfile.txt > Generating key. This may take a few moments... > eastldap0:/opt/fedora-ds/alias#../shared/bin/pk12util -d . -o ywgldap1.isb.ec.gc.ca.p12 -n "Server-Cert-ywgldap1" -k pwdfile.txt -w pwdfile.txt > pk12util-bin: PKCS12 EXPORT SUCCESSFUL > > So at this point I had the .p12 file and the existing cacert.asc created, and sent them over to eastldap1. > > >> For all of the commands listed above, you may have to specify -P >> slapd-instance- if you are not using cert8.db and key3.db. >> >> Then, copy each file $server.p12 to that $server, along with the >> cacert.asc file >> Then, on each server: >> cd /opt/fedora-ds/alias >> ../shared/bin/pk12util -d . -P slapd-instance- -i $server.p12 -w >> pwdfile.txt -k pwdfile.txt >> # the -w argument is the file containing the password used to encrypt >> the .p12 file >> # the -k argument is the file containing the password for the new key >> database >> # you may use a different password for -k here - this is the same >> password used >> # in your slapd-instance-pin.txt file >> >> ../shared/bin/certutil -A -d . -P slapd-instance- -n "CA certificate" -t >> "CT,," -a -i cacert.asc >> >> # this imports your CA cert >> > > Now the importing, > > eastldap1:/opt/fedora-ds/alias# ../shared/bin/pk12util -d . 
> -P slapd-eastldap1- -i eastldap1.test.com.p12 -w pwdfile-0.txt -k pwdfile.txt
> pk12util-bin: PKCS12 IMPORT SUCCESSFUL
> ywgldap1:/opt/fedora-ds/alias# ../shared/bin/certutil -A -d . -P slapd-eastldap1- -n "CA certificate" -t "CT,," -a -i cacert.asc
>
> Send over enable ssl ldif
>
> ryan at infinity:~/fds-tools$ ldapmodify -x -h eastldap1 -D "cn=directory manager" -W -f ssl_enable.ldif
> Enter LDAP Password:
> modifying entry "cn=encryption,cn=config"
>
> modifying entry "cn=config"
> ryan at infinity:~/fds-tools$ ldapmodify -x -h eastldap1 -D "cn=directory manager" -W -f addrsa.ldif
> Enter LDAP Password:
> adding new entry "cn=RSA,cn=encryption,cn=config"
>
> But when I restart slapd on eastldap1
>
> Enter PIN for Internal (Software) Token:
> [21/Sep/2007:17:52:33 +0000] - SSL alert: Security Initialization: Can't find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [21/Sep/2007:17:52:33 +0000] - SSL alert: Security Initialization: Unable to retrieve private key for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [21/Sep/2007:17:52:33 +0000] - SSL failure: None of the cipher are valid
>
> Did I miss importing a private key from somewhere? Do I need to use the cacert.pfx I created in the basic steps?

No. I think the problem is that the name of the server cert in the cert db is Server-Cert-$server, not Server-Cert. I thought there was an option to pk12util to import it and rename it, but apparently not.

To find out what the server cert name is:

cd /opt/fedora-ds/alias
../shared/bin/certutil -L -d . -P slapd-eastldap1-

I'm assuming it will be Server-Cert-$server

Unless someone knows an easy way to rename it, you can just tell slapd to use the new name.
stop-slapd
edit dse.ldif - look for Server-Cert and change it to whatever the actual name of your server cert is (Server-Cert-$server)
save and start-slapd

> Thanks
>
> Ryan

From Ryan.Braun at ec.gc.ca Fri Sep 21 19:16:10 2007
From: Ryan.Braun at ec.gc.ca (Ryan Braun)
Date: Fri, 21 Sep 2007 19:16:10 +0000
Subject: [Fedora-directory-users] question about SSL configuration with IP takeover HA setup
In-Reply-To: <46F40D2C.7030803@redhat.com>
References: <200709202012.24444.Ryan.Braun@ec.gc.ca> <200709211816.04840.Ryan.Braun@ec.gc.ca> <46F40D2C.7030803@redhat.com>
Message-ID: <200709211916.11015.Ryan.Braun@ec.gc.ca>

On Friday 21 September 2007 18:27, Richard Megginson wrote:
> > Rather than run the script, I tried to run it for one example first
> >
> > eastldap0:/opt/fedora-ds/alias#../shared/bin/certutil -d . -S -n
> > "Server-Cert-eastldap1" -s "cn=eastldap1.test.com" -c "CA certificate" -t
> > "u,u,u" -m 2000 -v 120 -8 eastldap.test.com,eastldap,eastldap1 -d . -z
> > noise.txt -f pwdfile.txt Generating key. This may take a few moments...
> > eastldap0:/opt/fedora-ds/alias#../shared/bin/pk12util -d . -o
> > eastldap1.test.com.p12 -n "Server-Cert-eastdap1" -k pwdfile.txt -w
> > pwdfile.txt pk12util-bin: PKCS12 EXPORT SUCCESSFUL
> >
> > So at this point I had the .p12 file and the existing cacert.asc created,
> > and sent them over to eastldap1.
> >
> >> For all of the commands listed above, you may have to specify -P
> >> slapd-instance- if you are not using cert8.db and key3.db.
> >> > >> Then, copy each file $server.p12 to that $server, along with the > >> cacert.asc file > >> Then, on each server: > >> cd /opt/fedora-ds/alias > >> ../shared/bin/pk12util -d . -P slapd-instance- -i $server.p12 -w > >> pwdfile.txt -k pwdfile.txt > >> # the -w argument is the file containing the password used to encrypt > >> the .p12 file > >> # the -k argument is the file containing the password for the new key > >> database > >> # you may use a different password for -k here - this is the same > >> password used > >> # in your slapd-instance-pin.txt file > >> > >> ../shared/bin/certutil -A -d . -P slapd-instance- -n "CA certificate" -t > >> "CT,," -a -i cacert.asc > >> > >> # this imports your CA cert > > > > Now the importing, > > > > eastldap1:/opt/fedora-ds/alias# ../shared/bin/pk12util -d . -P > > slapd-eastldap1- -i eastldap1.test.com.p12 -w pwdfile-0.txt -k > > pwdfile.txt pk12util-bin: PKCS12 IMPORT SUCCESSFUL > > ywgldap1:/opt/fedora-ds/alias# ../shared/bin/certutil -A -d . -P > > slapd-eastldap1- -n "CA certificate" -t "CT,," -a -i cacert.asc > > > > > > Send over enable ssl ldif > > > > ryan at infinity:~/fds-tools$ ldapmodify -x -h eastldap1 -D "cn=directory > > manager" -W -f ssl_enable.ldif Enter LDAP Password: > > modifying entry "cn=encryption,cn=config" > > > > modifying entry "cn=config" > > ryan at infinity:~/fds-tools$ ldapmodify -x -h eastldap1 -D "cn=directory > > manager" -W -f addrsa.ldif Enter LDAP Password: > > adding new entry "cn=RSA,cn=encryption,cn=config" > > > > But when I restart slapd on eastldap1 > > > > Enter PIN for Internal (Software) Token: > > [21/Sep/2007:17:52:33 +0000] - SSL alert: Security Initialization: Can't > > find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config > > (Netscape Portable Runtime error -8174 - security library: bad database.) 
> > [21/Sep/2007:17:52:33 +0000] - SSL alert: Security Initialization: Unable
> > to retrieve private key for cert Server-Cert of family
> > cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 -
> > security library: bad database.)
> > [21/Sep/2007:17:52:33 +0000] - SSL failure: None of the cipher are valid
> >
> > Did I miss importing a private key from somewhere? Do I need to use the
> > cacert.pfx I created in the basic steps?
>
> No. I think the problem is that the name of the server cert in the cert
> db is Server-Cert-$server not Server-Cert. I thought there was an
> option to pk12util to import it and rename it, but apparently not. To
> find out what the server cert name is:
> cd /opt/fedora-ds/alias
> ../shared/bin/certutil -L -d . -P slapd-eastldap1-
> I'm assuming it will be Server-Cert-$server
> Unless someone knows an easy way to rename it, you can just tell slapd
> to use the new name.
> stop-slapd
> edit dse.ldif - look for Server-Cert and change it to whatever the
> actual name of your server cert is (Server-Cert-$server)
> save and start-slapd

Thanks for the help! Modifying dse.ldif did the trick and it all seems to be working.

Now what in the process would I have to change in order to be able to generate the certs with a Server-Cert-$server nickname and have fds recognize the proper name, without having to edit dse.ldif for each box?

Ryan

From lance.raymond at gmail.com Fri Sep 21 20:04:50 2007
From: lance.raymond at gmail.com (lance raymond)
Date: Fri, 21 Sep 2007 16:04:50 -0400
Subject: [Fedora-directory-users] Good afternoon .... 1st post by the new guy
Message-ID: <5d1656000709211304x46ff1cf3u661d5384ea5a0e8@mail.gmail.com>

OK, so not sure how big this list is, but I hope to get a better response than on the Fedora forums. I will start this on a high/basic level to make sure I am headed in the right direction. We want a central database of users, so naturally I looked at OpenLDAP.
It's not a 1-2-3 as much as Fedora's directory services seems. So I have installed it on a Fedora machine, added my company DN, as well as a few test users. Now I set up my FC7 desktop to look at it as an LDAP server, pointed to that IP and saved. Tried to ssh in as a user not on the local machine but in the directory service, thinking it would look to the DS server and authenticate, but it fails. So the high level question is, that is how it's supposed to work, right?

I used a Windows LDAP browser and connected, fetched the DN from a dropdown it found (confirming it's running, and has the right context) but couldn't browse the tree (I don't know if DS lets you view the tree via a basic LDAP browser). But if the above is the case, there is a lot of reading but no clear-cut client setup to connect like this. There are pages of tree, schema, etc. We are a small group, 15 people, but have 50+ servers, so it would be nice to have a single login place, so any help, step in the right direction will be appreciated.

I tried OpenLDAP, was able to browse the tree, but got the same result when I tried to ssh in as my test user. So I guess I am interested if people are really using this or sticking with another LDAP solution.

Thanks.
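As an added example for the client-setup question above (not code from this thread, from Fedora DS, or from any of the posters): a small Python check that reads the LDIF a client-side `ldapsearch -x -LLL` returns and reports which user entries lack what an nss_ldap/pam_ldap client needs before `getent passwd`, and therefore ssh, can resolve them. It assumes the client uses nss_ldap/pam_ldap with RFC 2307 posixAccount entries (shadowAccount for `getent shadow`); the sample LDIF, DNs, uid numbers and password hash are constructed.

```python
"""Check LDAP user entries for what an nss_ldap/pam_ldap client needs.

Added example, not code from the thread. Assumes RFC 2307 posixAccount
entries (plus shadowAccount for getent shadow). SAMPLE_LDIF is constructed.
"""
import base64

# Attributes NSS needs to build a passwd(5) line (posixAccount MUSTs).
PASSWD_REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory")
NUMERIC = ("uidNumber", "gidNumber")

# Constructed sample of `ldapsearch -x -LLL -b dc=example,dc=com '(uid=*)'`:
# alice is complete; bob was created as a plain inetOrgPerson and will not
# resolve on the client. The userPassword value is a dummy, not a real hash.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: alice
cn: Alice Example
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
loginShell: /bin/bash
description: created for the client-
 setup test
userPassword:: e1NTSEF9ZHVtbXk=
shadowLastChange: 13524

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
uid: bob
cn: Bob Example
sn: Example
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute (lowercased): [values]} dicts.

    Handles 'attr:: <base64>' values and leading-space continuation lines;
    the dn is stored like any other attribute under the key 'dn'.
    """
    entries, current, buf = [], {}, None

    def flush():
        nonlocal buf
        if buf is None:
            return
        line, buf = buf, None
        if line.startswith("#"):
            return
        name, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)

    for raw in text.splitlines():
        if raw.startswith(" "):  # folded line continues the previous one
            buf = (buf or "") + raw[1:]
            continue
        flush()
        if raw == "":
            if current:
                entries.append(current)
                current = {}
        else:
            buf = raw
    flush()
    if current:
        entries.append(current)
    return entries


def check_entry(entry):
    """Return the reasons this entry will not resolve via getent/ssh."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixaccount" not in classes:
        problems.append("missing objectClass posixAccount")
    for attr in PASSWD_REQUIRED:
        if attr.lower() not in entry:
            problems.append("missing " + attr)
    for attr in NUMERIC:
        for value in entry.get(attr.lower(), []):
            if not value.isdigit():
                problems.append(f"{attr} is not numeric: {value!r}")
    if "shadowaccount" not in classes:
        problems.append("missing objectClass shadowAccount (getent shadow will skip it)")
    return problems


def audit(ldif_text):
    """Map each entry's DN to its problem list (empty list == usable)."""
    return {e["dn"][0]: check_entry(e) for e in parse_ldif(ldif_text)}


if __name__ == "__main__":
    for dn, problems in audit(SAMPLE_LDIF).items():
        print(dn, "->", "OK" if not problems else "; ".join(problems))
```

Run it against the real export with `ldapsearch -x -LLL -h <server> -b <base> '(uid=*)' > users.ldif` and `audit(open("users.ldif").read())`; an empty list for a DN means the entry has what NSS needs, so a remaining login failure is on the client side (nsswitch/PAM/firewall), not in the directory data.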
From rmeggins at redhat.com Fri Sep 21 20:31:43 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 21 Sep 2007 14:31:43 -0600
Subject: [Fedora-directory-users] question about SSL configuration with IP takeover HA setup
In-Reply-To: <200709211916.11015.Ryan.Braun@ec.gc.ca>
References: <200709202012.24444.Ryan.Braun@ec.gc.ca> <200709211816.04840.Ryan.Braun@ec.gc.ca> <46F40D2C.7030803@redhat.com> <200709211916.11015.Ryan.Braun@ec.gc.ca>
Message-ID: <46F42A2F.6030500@redhat.com>

Ryan Braun wrote:
> On Friday 21 September 2007 18:27, Richard Megginson wrote:
>
>>> Rather than run the script, I tried to run it for one example first
>>>
>>> eastldap0:/opt/fedora-ds/alias#../shared/bin/certutil -d . -S -n
>>> "Server-Cert-eastldap1" -s "cn=eastldap1.test.com" -c "CA certificate" -t
>>> "u,u,u" -m 2000 -v 120 -8 eastldap.test.com,eastldap,eastldap1 -d . -z
>>> noise.txt -f pwdfile.txt Generating key. This may take a few moments...
>>> eastldap0:/opt/fedora-ds/alias#../shared/bin/pk12util -d . -o
>>> eastldap1.test.com.p12 -n "Server-Cert-eastdap1" -k pwdfile.txt -w
>>> pwdfile.txt pk12util-bin: PKCS12 EXPORT SUCCESSFUL
>>>
>>> So at this point I had the .p12 file and the existing cacert.asc created,
>>> and sent them over to eastldap1.
>>>
>>>
>>>> For all of the commands listed above, you may have to specify -P
>>>> slapd-instance- if you are not using cert8.db and key3.db.
>>>>
>>>> Then, copy each file $server.p12 to that $server, along with the
>>>> cacert.asc file
>>>> Then, on each server:
>>>> cd /opt/fedora-ds/alias
>>>> ../shared/bin/pk12util -d .
-P slapd-instance- -i $server.p12 -w >>>> pwdfile.txt -k pwdfile.txt >>>> # the -w argument is the file containing the password used to encrypt >>>> the .p12 file >>>> # the -k argument is the file containing the password for the new key >>>> database >>>> # you may use a different password for -k here - this is the same >>>> password used >>>> # in your slapd-instance-pin.txt file >>>> >>>> ../shared/bin/certutil -A -d . -P slapd-instance- -n "CA certificate" -t >>>> "CT,," -a -i cacert.asc >>>> >>>> # this imports your CA cert >>>> >>> Now the importing, >>> >>> eastldap1:/opt/fedora-ds/alias# ../shared/bin/pk12util -d . -P >>> slapd-eastldap1- -i eastldap1.test.com.p12 -w pwdfile-0.txt -k >>> pwdfile.txt pk12util-bin: PKCS12 IMPORT SUCCESSFUL >>> ywgldap1:/opt/fedora-ds/alias# ../shared/bin/certutil -A -d . -P >>> slapd-eastldap1- -n "CA certificate" -t "CT,," -a -i cacert.asc >>> >>> >>> Send over enable ssl ldif >>> >>> ryan at infinity:~/fds-tools$ ldapmodify -x -h eastldap1 -D "cn=directory >>> manager" -W -f ssl_enable.ldif Enter LDAP Password: >>> modifying entry "cn=encryption,cn=config" >>> >>> modifying entry "cn=config" >>> ryan at infinity:~/fds-tools$ ldapmodify -x -h eastldap1 -D "cn=directory >>> manager" -W -f addrsa.ldif Enter LDAP Password: >>> adding new entry "cn=RSA,cn=encryption,cn=config" >>> >>> But when I restart slapd on eastldap1 >>> >>> Enter PIN for Internal (Software) Token: >>> [21/Sep/2007:17:52:33 +0000] - SSL alert: Security Initialization: Can't >>> find certificate (Server-Cert) for family cn=RSA,cn=encryption,cn=config >>> (Netscape Portable Runtime error -8174 - security library: bad database.) >>> [21/Sep/2007:17:52:33 +0000] - SSL alert: Security Initialization: Unable >>> to retrieve private key for cert Server-Cert of family >>> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - >>> security library: bad database.) 
>>> [21/Sep/2007:17:52:33 +0000] - SSL failure: None of the cipher are valid
>>>
>>> Did I miss importing a private key from somewhere? Do I need to use the
>>> cacert.pfx I created in the basic steps?
>>>
>> No. I think the problem is that the name of the server cert in the cert
>> db is Server-Cert-$server not Server-Cert. I thought there was an
>> option to pk12util to import it and rename it, but apparently not. To
>> find out what the server cert name is:
>> cd /opt/fedora-ds/alias
>> ../shared/bin/certutil -L -d . -P slapd-eastldap1-
>> I'm assuming it will be Server-Cert-$server
>> Unless someone knows an easy way to rename it, you can just tell slapd
>> to use the new name.
>> stop-slapd
>> edit dse.ldif - look for Server-Cert and change it to whatever the
>> actual name of your server cert is (Server-Cert-$server)
>> save and start-slapd
>>
>
> Thanks for the help! Modifying dse.ldif did the trick and it all
> seems to be working.
>
> Now what in the process would I have to change in order to be able to generate
> the certs with a Server-Cert-$server nickname and have fds recognize the
> proper name, without having to edit dse.ldif for each box?

I'm not sure. There's probably a way to use pk12util to export/import a cert with a different name, or use certutil to change the name, but I just don't know.

> Ryan

From sbelnap at byuh.edu Mon Sep 24 19:42:09 2007
From: sbelnap at byuh.edu (Scott Belnap)
Date: Mon, 24 Sep 2007 09:42:09 -1000
Subject: [Fedora-directory-users] slapd_poll timed out error
Message-ID: <1190662929.3347.7.camel@zhou>

Can someone tell me what this error message means or how to resolve it?
[24/Sep/2007:09:08:21 -1000] - slapd_poll(255) timed out
[24/Sep/2007:09:23:04 -1000] - slapd_poll(249) timed out
[24/Sep/2007:09:27:21 -1000] - slapd_poll(248) timed out

Thanks.

From edlinuxguru at gmail.com Mon Sep 24 20:37:03 2007
From: edlinuxguru at gmail.com (Eddie C)
Date: Mon, 24 Sep 2007 16:37:03 -0400
Subject: [Fedora-directory-users] white space at the end of attributes that refuses to go away
Message-ID:

I am having an issue that may be related to multi-master replication, or it may be related to a non-viewable ASCII value in an attribute.

We have a custom schema. We have a multivalued attribute departalloweddomain; this attribute has three values inside it.
"a.com"
"b.com "
"c.com "

My goal is to remove the trailing white space, which may be a space or a weird character.

I have tried deleting the individual values and re-adding them. I attempted to delete the entire attribute and re-add.

The value keeps appearing like so.

"b.com "

Any ideas on how to clean this up? We do thousands of add and remove operations a day and this has happened a few times.

From dlannom at umd.umich.edu Mon Sep 24 21:41:04 2007
From: dlannom at umd.umich.edu (Dan Lannom)
Date: Mon, 24 Sep 2007 17:41:04 -0400
Subject: [Fedora-directory-users] white space at the end of attributes that refuses to go away
In-Reply-To:
References:
Message-ID: <46F82EF0.70503@umd.umich.edu>

Eddie C wrote:
> I am having an issue that may be related to multi-master replication,
> or it may be related to a non-viewable ASCII value in an attribute.
>
> We have a custom schema. We have a multivalued attribute
> departalloweddomain
>
> this attribute has three values inside it.
> "a.com"
> "b.com "
> "c.com "
>
> My goal is to remove the trailing white space. Which may be a space or
> a weird character.

You can determine what the white space is by saving an .ldif representation [ldapsearch -LLL ... > file] and viewing with a program that views hexcodes like xxd.
> I have tried deleting the individual values and re-adding them.
> I attempted to delete the entire attribute and re-add.
>
> The value keeps appearing like so.
>
> "b.com "
>

Try editing the .ldif file above and removing the extra characters, modify enough of the attributes so that it's unique and add it into the directory using ldapmodify or another standard tool. If this still shows a problem then there is something very unusual about your configuration. If importing the .ldif file is clean I would suspect the technique used to normally add the attributes.

Dan Lannom

From ergoxsx at gmail.com Tue Sep 25 01:22:32 2007
From: ergoxsx at gmail.com (ergoxsx)
Date: Tue, 25 Sep 2007 09:22:32 +0800
Subject: [Fedora-directory-users] new installation - console working but web can not find objects
In-Reply-To: <46F82EF0.70503@umd.umich.edu>
References: <46F82EF0.70503@umd.umich.edu>
Message-ID: <46F862D8.2020300@gmail.com>

hi,

I am a directory service newbie and I just got fedora-ds installed on Fedora 7. I can search users/objects through the console but the web interface cannot do any search.

The message is the following:

------------------------------------------
Forbidden

You don't have permission to access /dsgw/bin/lang on this server.
------------------------------------------

Same message for any kind of search through the web. I tried to change permissions for dsgw but nothing changed.

Any idea?

TIA.

-ergo-

From rmeggins at redhat.com Tue Sep 25 01:28:13 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 24 Sep 2007 19:28:13 -0600
Subject: [Fedora-directory-users] new installation - console working but web can not find objects
In-Reply-To: <46F862D8.2020300@gmail.com>
References: <46F82EF0.70503@umd.umich.edu> <46F862D8.2020300@gmail.com>
Message-ID: <46F8642D.3050106@redhat.com>

ergoxsx wrote:
> hi,
>
> I am a directory service newbie and I just got fedora-ds installed on
> Fedora 7.
> I can search users/objects through the console but the web interface cannot do any search.
>
> The message is the following:
>
> ------------------------------------------
> Forbidden
>
> You don't have permission to access /dsgw/bin/lang on this server.
> ------------------------------------------
>
> Same message for any kind of search through the web.
> I tried to change permissions for dsgw but nothing changed.
>
> Any idea?

Check the access and error logs for the admin server - /opt/fedora-ds/admin-serv/logs

> TIA.
>
> -ergo-

From listas.vhs at gmail.com Tue Sep 25 13:55:33 2007
From: listas.vhs at gmail.com (Victor Hugo dos Santos)
Date: Tue, 25 Sep 2007 09:55:33 -0400
Subject: [Fedora-directory-users] posixaccount and shadowlastchange
Message-ID: <5dce4940709250655s3b378e01pb66fcabc9269c300@mail.gmail.com>

Hello,

Linux authentication based on FDS works fine; I log in to the system via ssh and all the users are in the FDS directory. Cool!!!

But I need to use an account security policy for users (for example, every 60 days the users need to change their password, or they can't use the same password 3 times consecutively).

But FDS doesn't work with shadow parameters: I run "getent passwd" and see all users (local and in FDS), but when I run "getent shadow" it only shows the local accounts, no account from FDS.

How is it possible to manage the security policy from posixAccount and, more importantly, have it remain a transparent process for the users?

URL?? manual?? docs?? others??
thanks

--
Victor Hugo dos Santos
Linux Counter #224399

From srigler at marathonoil.com Tue Sep 25 15:31:20 2007
From: srigler at marathonoil.com (Steve Rigler)
Date: Tue, 25 Sep 2007 10:31:20 -0500
Subject: [Fedora-directory-users] posixaccount and shadowlastchange
In-Reply-To: <5dce4940709250655s3b378e01pb66fcabc9269c300@mail.gmail.com>
References: <5dce4940709250655s3b378e01pb66fcabc9269c300@mail.gmail.com>
Message-ID: <1190734280.30552.9.camel@houuc8>

On Tue, 2007-09-25 at 09:55 -0400, Victor Hugo dos Santos wrote:
> Hello,
>
> Linux authentication based on FDS works fine; I log in to the system via
> ssh and all the users are in the FDS directory. Cool!!!
>
> But I need to use an account security policy for users (for example, every 60
> days the users need to change their password, or they can't use the same
> password 3 times consecutively).
>
> But FDS doesn't work with shadow parameters: I run "getent passwd"
> and see all users (local and in FDS), but when I run "getent shadow" it
> only shows the local accounts, no account from FDS.
>
> How is it possible to manage the security policy from posixAccount and, more
> importantly, have it remain a transparent process for the users?
>
> URL?? manual?? docs?? others??
>
> thanks
>
> --

Your accounts need to have the "shadowAccount" objectclass and "shadowLastChange" needs to be writable by ldap://self or by the dn that changes their password on their behalf (if you use "rootbinddn" in your pam ldap.conf).
-Steve

From listas.vhs at gmail.com Tue Sep 25 16:08:24 2007
From: listas.vhs at gmail.com (Victor Hugo dos Santos)
Date: Tue, 25 Sep 2007 12:08:24 -0400
Subject: [Fedora-directory-users] posixaccount and shadowlastchange
In-Reply-To: <1190734280.30552.9.camel@houuc8>
References: <5dce4940709250655s3b378e01pb66fcabc9269c300@mail.gmail.com> <1190734280.30552.9.camel@houuc8>
Message-ID: <5dce4940709250908g310988c2l8a9b36ee521b1276@mail.gmail.com>

2007/9/25, Steve Rigler :
> On Tue, 2007-09-25 at 09:55 -0400, Victor Hugo dos Santos wrote:
[...]
> Your accounts need to have the "shadowAccount" objectclass and
> "shadowLastChange" needs to be writable by ldap://self or by the dn that
> changes their password on their behalf (if you use "rootbinddn" in your
> pam ldap.conf).

Hmm... in testing it doesn't work..

debian2:/etc/ssl/certs# getent shadow | grep camador
camador:*:13524::99999:7:::0

debian2:/etc/ssl/certs# passwd camador
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information changed for camador
passwd: password updated successfully

debian2:/etc/ssl/certs# getent shadow | grep camador
camador:*:13524::99999:7:::0

As you can see, the shadow info is the same before and after the password change.

Any other idea??
thanks

--
Victor Hugo dos Santos
Linux Counter #224399

From srigler at MarathonOil.Com Tue Sep 25 17:21:49 2007
From: srigler at MarathonOil.Com (Steve Rigler)
Date: Tue, 25 Sep 2007 12:21:49 -0500
Subject: [Fedora-directory-users] posixaccount and shadowlastchange
In-Reply-To: <5dce4940709250908g310988c2l8a9b36ee521b1276@mail.gmail.com>
References: <5dce4940709250655s3b378e01pb66fcabc9269c300@mail.gmail.com> <1190734280.30552.9.camel@houuc8> <5dce4940709250908g310988c2l8a9b36ee521b1276@mail.gmail.com>
Message-ID: <1190740909.30552.28.camel@houuc8>

On Tue, 2007-09-25 at 12:08 -0400, Victor Hugo dos Santos wrote:
> 2007/9/25, Steve Rigler :
> > On Tue, 2007-09-25 at 09:55 -0400, Victor Hugo dos Santos wrote:
>
> [...]
>
> > Your accounts need to have the "shadowAccount" objectclass and
> > "shadowLastChange" needs to be writable by ldap://self or by the dn that
> > changes their password on their behalf (if you use "rootbinddn" in your
> > pam ldap.conf).
>
> Hmm... in testing it doesn't work..
>
> debian2:/etc/ssl/certs# getent shadow | grep camador
> camador:*:13524::99999:7:::0
>
> debian2:/etc/ssl/certs# passwd camador
> Enter login(LDAP) password:
> New UNIX password:
> Retype new UNIX password:
> LDAP password information changed for camador
> passwd: password updated successfully
>
> debian2:/etc/ssl/certs# getent shadow | grep camador
> camador:*:13524::99999:7:::0
>
> As you can see, the shadow info is the same before and after the
> password change.
>
> Any other idea??
>
> thanks
>

Did you add an aci to allow write access to "shadowLastChange"?

-Steve

From edlinuxguru at gmail.com Tue Sep 25 17:47:20 2007
From: edlinuxguru at gmail.com (Eddie C)
Date: Tue, 25 Sep 2007 13:47:20 -0400
Subject: [Fedora-directory-users] white space at the end of attribut​es that refuses to go away
In-Reply-To: <46F82EF0.70503@umd.umich.edu>
References: <46F82EF0.70503@umd.umich.edu>
Message-ID:

I have tried adding/removing these attributes a number of different ways.
LDIF/LDAP Browser/ FDS admin console. I fully remove the values and the entire attribute but when I re-add them they keep having extra spaces in the end. I almost believe the entry is corrupted in some way. I do not want to do anything very drastic because only this one entry is showing problems (that I know of) On 9/24/07, Dan Lannom wrote: > Eddie C wrote: > > I am having an issue that may be related to multi-master replication, > > or it may be related to a non viewable ascii value in an attribute. > > > > We have a custom schema. We have a multivalued attribute > > departalloweddomain > > > > this attribute has three values inside it. > > "a.com" > > "b.com " > > "c.com " > > > > My goal is to remove the trailing white space. Which may be a space or > > a weird character. > > You can determine what the white space is by saving an .ldif > representation [ldapsearch -LLL ... > file]and viewing with a program > that views hexcodes like xxd. > > > > I have tried deleting the individual values and re-adding them. > > I attempted to delete the entire attribute and re-add. > > > > The value keeps appearing like so. > > > > "b.com " > > > > Try editing the .ldif file above and removing the extra characters, > modify enough of the attributes so that its unique and add it into the > directory using ldapmodify or other standard tool. If this still shows > a problem then there is something very unusual about your configuration. > If importing the .ldif file is clean I would suspect the technique > used to normally add the attributes. 
>
> Dan Lannom
>

From listas.vhs at gmail.com Tue Sep 25 18:12:40 2007
From: listas.vhs at gmail.com (Victor Hugo dos Santos)
Date: Tue, 25 Sep 2007 14:12:40 -0400
Subject: [Fedora-directory-users] posixaccount and shadowlastchange
In-Reply-To: <1190740909.30552.28.camel@houuc8>
References: <5dce4940709250655s3b378e01pb66fcabc9269c300@mail.gmail.com> <1190734280.30552.9.camel@houuc8> <5dce4940709250908g310988c2l8a9b36ee521b1276@mail.gmail.com> <1190740909.30552.28.camel@houuc8>
Message-ID: <5dce4940709251112s4e45050fw41bba41248beee26@mail.gmail.com>

2007/9/25, Steve Rigler :
> On Tue, 2007-09-25 at 12:08 -0400, Victor Hugo dos Santos wrote:
> > 2007/9/25, Steve Rigler :
> > > On Tue, 2007-09-25 at 09:55 -0400, Victor Hugo dos Santos wrote:
> >
> > [...]
> >
> > > Your accounts need to have the "shadowAccount" objectclass and
> > > "shadowLastChange" needs to be writable by ldap://self or by the dn that
> > > changes their password on their behalf (if you use "rootbinddn" in your
> > > pam ldap.conf).
> >
> > Hmm... in testing it doesn't work..
> >
> > debian2:/etc/ssl/certs# getent shadow | grep camador
> > camador:*:13524::99999:7:::0
> >
> > debian2:/etc/ssl/certs# passwd camador
> > Enter login(LDAP) password:
> > New UNIX password:
> > Retype new UNIX password:
> > LDAP password information changed for camador
> > passwd: password updated successfully
> >
> > debian2:/etc/ssl/certs# getent shadow | grep camador
> > camador:*:13524::99999:7:::0
> >
> > As you can see, the shadow info is the same before and after the
> > password change.
> >
> > Any other idea??
> >
> > thanks
> >
>
> Did you add an aci to allow write access to "shadowLastChange"?

Oops... sorry. Now it works fine!!!

Any other recommendations for working with posixAccount, FDS and security??
Many, many thanks

--
Victor Hugo dos Santos
Linux Counter #224399

From ulf.weltman at hp.com Tue Sep 25 18:21:59 2007
From: ulf.weltman at hp.com (Ulf Weltman)
Date: Tue, 25 Sep 2007 11:21:59 -0700
Subject: [Fedora-directory-users] white space at the end of attributes that refuses to go away
In-Reply-To:
References: <46F82EF0.70503@umd.umich.edu>
Message-ID: <46F951C7.2070909@hp.com>

When attribute values are deleted from entries in a replicated partition they are moved to a hidden state; they need to be kept around in case they need to be resurrected by the update resolution protocol. If you add the same value after deleting it, the underlying mechanism moves it back from the hidden state. I wonder if it's considering the old value equivalent to what you're trying to add. I'm pretty sure spaces don't slip through though; can you verify what character codes the trailing characters are so I can test it?

Ulf

Eddie C wrote:
> I have tried adding/removing these attributes a number of different
> ways. LDIF/LDAP Browser/ FDS admin console. I fully remove the values
> and the entire attribute but when I re-add them they keep having extra
> spaces in the end. I almost believe the entry is corrupted in some
> way.
>
> I do not want to do anything very drastic because only this one entry
> is showing problems (that I know of)
>
>
>
> On 9/24/07, Dan Lannom wrote:
>
>> Eddie C wrote:
>>
>>> I am having an issue that may be related to multi-master replication,
>>> or it may be related to a non-viewable ASCII value in an attribute.
>>>
>>> We have a custom schema. We have a multivalued attribute
>>> departalloweddomain
>>>
>>> this attribute has three values inside it.
>>> "a.com"
>>> "b.com "
>>> "c.com "
>>>
>>> My goal is to remove the trailing white space. Which may be a space or
>>> a weird character.
>>>
>> You can determine what the white space is by saving an .ldif
>> representation [ldapsearch -LLL ...
> file] and viewing with a program
>> that views hexcodes like xxd.
>>
>>
>>
>>> I have tried deleting the individual values and re-adding them.
>>> I attempted to delete the entire attribute and re-add.
>>>
>>> The value keeps appearing like so.
>>>
>>> "b.com "
>>>
>>>
>> Try editing the .ldif file above and removing the extra characters,
>> modify enough of the attributes so that it's unique and add it into the
>> directory using ldapmodify or another standard tool. If this still shows
>> a problem then there is something very unusual about your configuration.
>> If importing the .ldif file is clean I would suspect the technique
>> used to normally add the attributes.
>>
>> Dan Lannom
>>
>

From yinyang at eburg.com Tue Sep 25 23:11:52 2007
From: yinyang at eburg.com (Gordon Messmer)
Date: Tue, 25 Sep 2007 16:11:52 -0700
Subject: [Fedora-directory-users] white space at the end of attributes that refuses to go away
In-Reply-To: <46F951C7.2070909@hp.com>
References: <46F82EF0.70503@umd.umich.edu> <46F951C7.2070909@hp.com>
Message-ID: <46F995B8.4020101@eburg.com>

Ulf Weltman wrote:
> When attribute values are deleted from entries in a replicated partition
> they are moved to a hidden state; they need to be kept around in case
> they need to be resurrected by the update resolution protocol. If you
> add the same value after deleting it, the underlying mechanism moves it
> back from the hidden state.
> I wonder if it's considering the old value
> equivalent to what you're trying to add. I'm pretty sure spaces don't
> slip through though, can you verify what character codes the trailing
> characters are so I can test it?

I think they do... I've seen this same problem previously under Sun's directory server.

From ergoxsx at gmail.com Wed Sep 26 08:31:50 2007
From: ergoxsx at gmail.com (ergoxsx)
Date: Wed, 26 Sep 2007 16:31:50 +0800
Subject: [Fedora-directory-users] new installation - console working but web can not find objects
In-Reply-To: <46F8642D.3050106@redhat.com>
References: <46F82EF0.70503@umd.umich.edu> <46F862D8.2020300@gmail.com> <46F8642D.3050106@redhat.com>
Message-ID: <46FA18F6.1070601@gmail.com>

/opt/fedora-ds/admin-serv/logs shows the following. ldap.abc.com is registered in the local DNS server and also in /etc/hosts.

[Wed Sep 26 13:57:34 2007] [notice] [client 10.0.0.22] admserv_host_ip_check: ap_get_remote_host could not resolve 10.0.0.2, referer: http://ldap.abc.com:1500/clients/dsgw/bin/dosearch

Any ideas?

Richard Megginson wrote:
> ergoxsx wrote:
>> hi,
>>
>> I am a directory service newbie and I just got fedora-ds installed on
>> Fedora 7.
>> I can search users/objects through the console but the web interface cannot do any search.
>>
>> The message is the following:
>>
>> ------------------------------------------
>> Forbidden
>>
>> You don't have permission to access /dsgw/bin/lang on this server.
>> ------------------------------------------
>>
>> Same message for any kind of search through the web.
>> I tried to change permissions for dsgw but nothing changed.
>>
>> Any idea?
> Check the access and error logs for the admin server -
> /opt/fedora-ds/admin-serv/logs
>>
>> TIA.
>>
>> -ergo-

From trever.adams at gmail.com Wed Sep 26 13:28:04 2007
From: trever.adams at gmail.com (Trever L. Adams)
Date: Wed, 26 Sep 2007 07:28:04 -0600
Subject: [Fedora-directory-users] Email and LDAP
Message-ID: <46FA5E64.7080405@gmail.com>

I am very sorry if this is an easy question to answer. I have tried OpenLDAP and FDS several times. I just can't seem to get it to do what I want.

I am trying to set up a directory server for my folks (may expand to the entire family). Basically, I would like the following features:

* Global directory where all common contacts are stored
* Private directories where all private/non-common contacts are stored

The above terminology may not match common LDAP terminology. They are using Thunderbird on more than one computer in Windows and Linux, hence the desire to get it out of Thunderbird and into an LDAP server.

I would love it if I could have authentication be against an Active Directory (which I may be moving them to soon), but this is not necessary.

How do I do access control for write to the private directories? How do I do control on the global? How do I even get it working?

I am sorry, as I said, I have read many howtos and just can't seem to get anywhere. I am not stupid, but I am ignorant when it comes to LDAP.

Thank you for any help.
Trever Adams

From rmeggins at redhat.com Wed Sep 26 13:45:50 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 26 Sep 2007 07:45:50 -0600
Subject: [Fedora-directory-users] new installation - console working but web can not find objects
In-Reply-To: <46FA18F6.1070601@gmail.com>
References: <46F82EF0.70503@umd.umich.edu> <46F862D8.2020300@gmail.com> <46F8642D.3050106@redhat.com> <46FA18F6.1070601@gmail.com>
Message-ID: <46FA628E.9080705@redhat.com>

ergoxsx wrote:
> /opt/fedora-ds/admin-serv/logs shows the following.
> ldap.abc.com is registered in local dns server and also in /etc/hosts.
>
> [Wed Sep 26 13:57:34 2007] [notice] [client 10.0.0.22]
> admserv_host_ip_check: ap_get_remote_host could not resolve 10.0.0.2,
> referer: http://ldap.abc.com:1500/clients/dsgw/bin/dosearch
Can you see the request for dsgw/bin/lang in the access log?
>
> any ideas?
>
> Richard Megginson wrote:
>> ergoxsx wrote:
>>> hi,
>>>
>>> am a directory service newbie and i just got fedora-ds installed on
>>> fedora 7.
>>> i can search users/objects thru console but web can not do any search.
>>>
>>> message is the ff:
>>>
>>> ------------------------------------------
>>> Forbidden
>>>
>>> You don't have permission to access /dsgw/bin/lang on this server.
>>> ------------------------------------------
>>>
>>> same message for any kind of search thru the web.
>>> tried to change permissions for dsgw but nothing changed.
>>>
>>> any idea?
>> Check the access and error logs for the admin server -
>> /opt/fedora-ds/admin-serv/logs
>>>
>>> TIA.
>>>
>>> -ergo-

From partridgedv at comcast.net Wed Sep 26 01:32:46 2007
From: partridgedv at comcast.net (David Partridge)
Date: Tue, 25 Sep 2007 21:32:46 -0400
Subject: [Fedora-directory-users] Disabling SASL
Message-ID: <46F9B6BE.90808@comcast.net>

How do you disable SASL if there is no requirement to support it?

David Partridge
Lead Engineer
DoD Joint Enterprise Directory Server

From koippa at gmail.com Wed Sep 26 18:17:23 2007
From: koippa at gmail.com (Kimmo Koivisto)
Date: Wed, 26 Sep 2007 21:17:23 +0300
Subject: [Fedora-directory-users] Five-way MMR
Message-ID: <200709262117.23715.koippa@gmail.com>

Hello

I have five servers with FDS 1.0.4 and I would like to use multimaster replication on those servers.

I know that there is some kind of limit for the number of servers in MMR; four servers is the maximum if I remember correctly.

So, can I add replication agreements to five servers, is there a hardcoded limit of four servers or what? What happens if I add those agreements?
Regards,
Kimmo Koivisto

From rmeggins at redhat.com Wed Sep 26 18:27:40 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 26 Sep 2007 12:27:40 -0600
Subject: [Fedora-directory-users] Five-way MMR
In-Reply-To: <200709262117.23715.koippa@gmail.com>
References: <200709262117.23715.koippa@gmail.com>
Message-ID: <46FAA49C.7030302@redhat.com>

Kimmo Koivisto wrote:
> Hello
>
> I have five servers with FDS 1.0.4 and I would like to use multimaster
> replication in those servers.
>
> I know that there is some kind of limit for the number of servers in MMR,
> four servers is the maximum if I remember correctly.
>
> So, can I add replication agreements to five servers, is there a hardcoded
> limit for four servers or what? What happens if I add those agreements?
>
There is no hard-coded limit. 4 is the number of masters we have tested extensively with. The MMR protocol supports a theoretical limit of 65000+ masters, but we've never actually tested with that many :-) The practical limit is the number of threads, since each replication agreement is a separate thread within the server process. So at some point you will see performance degradation, depending on what type of processors you have, how many you have, the amount of RAM, the size of your databases, and the transaction rate.

That being said, 5 masters should work. Please let us know, if you try it, what your experience is, and some information about your replication topology.
> Regards,
> Kimmo Koivisto
From ergoxsx at gmail.com Thu Sep 27 03:31:42 2007
From: ergoxsx at gmail.com (ergoxsx)
Date: Thu, 27 Sep 2007 11:31:42 +0800
Subject: [Fedora-directory-users] new installation - console working but web can not find objects
In-Reply-To: <46FA628E.9080705@redhat.com>
References: <46F82EF0.70503@umd.umich.edu> <46F862D8.2020300@gmail.com> <46F8642D.3050106@redhat.com> <46FA18F6.1070601@gmail.com> <46FA628E.9080705@redhat.com>
Message-ID: <46FB241E.6090401@gmail.com>

ah, sorry... here it is:

[Wed Sep 26 13:57:30 2007] [notice] [client 10.0.0.22] admserv_host_ip_check: ap_get_remote_host could not resolve 10.0.0.22, referer: http://ldap.abc.com:1500/clients/dsgw/bin/lang?context=pb&file=intro.html
[Wed Sep 26 13:57:30 2007] [notice] [client 10.0.0.22] admserv_host_ip_check: ap_get_remote_host could not resolve 10.0.0.22, referer: http://ldap.abc.com:1500/clients/dsgw/bin/lang?context=pb&file=phone.html
[Wed Sep 26 13:57:34 2007] [notice] [client 10.0.0.22] admserv_host_ip_check: ap_get_remote_host could not resolve 10.0.0.22, referer: http://ldap.abc.com:1500/clients/dsgw/bin/lang?context=pb&file=phone.html

what does this mean? i tried to change permissions but same type of output.

Richard Megginson wrote:
> ergoxsx wrote:
>> /opt/fedora-ds/admin-serv/logs shows the following.
>> ldap.abc.com is registered in local dns server and also in /etc/hosts.
>>
>> [Wed Sep 26 13:57:34 2007] [notice] [client 10.0.0.22]
>> admserv_host_ip_check: ap_get_remote_host could not resolve
>> 10.0.0.22, referer: http://ldap.abc.com:1500/clients/dsgw/bin/dosearch
> Can you see the request for dsgw/bin/lang in the access log?
>>
>> any ideas?
>>
>> Richard Megginson wrote:
>>> ergoxsx wrote:
>>>> hi,
>>>>
>>>> am a directory service newbie and i just got fedora-ds installed on
>>>> fedora 7.
>>>> i can search users/objects thru console but web can not do any search.
>>>>
>>>> message is the ff:
>>>>
>>>> ------------------------------------------
>>>> Forbidden
>>>>
>>>> You don't have permission to access /dsgw/bin/lang on this server.
>>>> ------------------------------------------
>>>>
>>>> same message for any kind of search thru the web.
>>>> tried to change permissions for dsgw but nothing changed.
>>>>
>>>> any idea?
>>> Check the access and error logs for the admin server -
>>> /opt/fedora-ds/admin-serv/logs
>>>>
>>>> TIA.
>>>>
>>>> -ergo-

From edlinuxguru at gmail.com Thu Sep 27 04:45:26 2007
From: edlinuxguru at gmail.com (Eddie C)
Date: Thu, 27 Sep 2007 00:45:26 -0400
Subject: [Fedora-directory-users] white space at the end of attributes that refuses to go away
In-Reply-To: <46F995B8.4020101@eburg.com>
References: <46F82EF0.70503@umd.umich.edu> <46F951C7.2070909@hp.com> <46F995B8.4020101@eburg.com>
Message-ID:

Just for reference, this was some error with replication. When I found the entry on our second multi-master server the spacing was different from the first. After I corrected the second and modified the values again everything corrected itself.
Somehow the data fell out of sync and refused to get back in sync unless it was dealt with on both machines.

On 9/25/07, Gordon Messmer wrote:
> Ulf Weltman wrote:
> > When attribute values are deleted from entries in a replicated partition
> > they are moved to a hidden state, they need to be kept around in case
> > they need to be resurrected by the update resolution protocol. If you
> > add the same value after deleting it, the underlying mechanism moves it
> > back from the hidden state. I wonder if it's considering the old value
> > equivalent to what you're trying to add. I'm pretty sure spaces don't
> > slip through though, can you verify what character codes the trailing
> > characters are so I can test it?
>
> I think they do... I've seen this same problem previously under Sun's
> directory server.

From paolo.barbato at igi.cnr.it Thu Sep 27 08:06:40 2007
From: paolo.barbato at igi.cnr.it (Paolo Barbato)
Date: Thu, 27 Sep 2007 10:06:40 +0200
Subject: [Fedora-directory-users] fds vs passsync vs AD
Message-ID:

Hi all!

I've successfully installed fds and the passsync msi on windows AD. I admit that some problems have arisen since the documentation is a bit poor on the SSL part, especially on AD, but then finally I was able to make things work.

I'm facing an odd problem that I'm not able to understand, but probably already discussed on the list.

I'm able to keep passwords in sync between AD and FDS when I change the password from AD, but not vice versa. Really, from the Windows event log things seem to go right: it tells me that the password has been successfully updated (passwd is issued from linux). But the stored password is somewhat different. Could it be an encryption problem? Any hints?

Regards,
Paolo.
--
------------------------------------------------------------------------------------------------
Paolo Barbato             email:    mailto:paolo.barbato at igi.cnr.it
Network Administrator     phone:    (39-049)-829-5097 (39-049)-829-5000
Corso Stati Uniti,4       www:      http://www.igi.cnr.it
35127 Camin-Padova        PGP:      http://www.igi.cnr.it/wwwpgp/rfx_paolo_barbato.pgp
ITALY                     JabberID: rfx_paolo_barbato at messenger.efda.org
------------------------------------------------------------------------------------------------

From rubin at xs4all.nl Thu Sep 27 08:28:07 2007
From: rubin at xs4all.nl (Rubin)
Date: Thu, 27 Sep 2007 10:28:07 +0200
Subject: [Fedora-directory-users] Dynamic Groups and PAM/NSS _ldap
Message-ID: <46FB6997.7050508@xs4all.nl>

Hi Group,

A while ago there was a discussion here about dynamic groups and the fact that the client(s) need to handle this. I've been working with RHDS in combination with HP's LDAP-UX, where the client side of LDAP-UX does something smart to get dynamic groups working as posix groups, which is really really cool. Essentially, you get dynamic posix groups, and a getent group (or grget on hp-ux) returns the group including all dynamic (memberURL) and static (memberuid) members of a group.

I'm trying to get a conclusive answer about whether this is possible under linux. I thought pam_member_attribute would come to the rescue in this case, but that does not seem to work.

So: is it possible to have dynamic members in a posix group under linux using nss_ldap and pam_ldap so that "getent group" returns dynamic members? If not, is there somebody working on it? Or maybe even a commercial tool/add-on?

Kind regards,
Rubin.
From rmeggins at redhat.com Thu Sep 27 14:04:32 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 27 Sep 2007 08:04:32 -0600
Subject: [Fedora-directory-users] new installation - console working but web can not find objects
In-Reply-To: <46FB241E.6090401@gmail.com>
References: <46F82EF0.70503@umd.umich.edu> <46F862D8.2020300@gmail.com> <46F8642D.3050106@redhat.com> <46FA18F6.1070601@gmail.com> <46FA628E.9080705@redhat.com> <46FB241E.6090401@gmail.com>
Message-ID: <46FBB870.7040507@redhat.com>

ergoxsx wrote:
> ah, sorry... here it is:
>
> [Wed Sep 26 13:57:30 2007] [notice] [client 10.0.0.22]
> admserv_host_ip_check: ap_get_remote_host could not resolve 10.0.0.22,
> referer:
> http://ldap.abc.com:1500/clients/dsgw/bin/lang?context=pb&file=intro.html
> [Wed Sep 26 13:57:30 2007] [notice] [client 10.0.0.22]
> admserv_host_ip_check: ap_get_remote_host could not resolve 10.0.0.22,
> referer:
> http://ldap.abc.com:1500/clients/dsgw/bin/lang?context=pb&file=phone.html
> [Wed Sep 26 13:57:34 2007] [notice] [client 10.0.0.22]
> admserv_host_ip_check: ap_get_remote_host could not resolve 10.0.0.22,
> referer:
> http://ldap.abc.com:1500/clients/dsgw/bin/lang?context=pb&file=phone.html
>
> what does this mean?
This message is usually benign.
> i tried to change permissions but same type of output.
This looks like the output from the error log. Can you find the corresponding request from the access log?
>
> Richard Megginson wrote:
>> ergoxsx wrote:
>>> /opt/fedora-ds/admin-serv/logs shows the following.
>>> ldap.abc.com is registered in local dns server and also in /etc/hosts.
>>>
>>> [Wed Sep 26 13:57:34 2007] [notice] [client 10.0.0.22]
>>> admserv_host_ip_check: ap_get_remote_host could not resolve
>>> 10.0.0.22, referer: http://ldap.abc.com:1500/clients/dsgw/bin/dosearch
>> Can you see the request for dsgw/bin/lang in the access log?
>>>
>>> any ideas?
>>>
>>> Richard Megginson wrote:
>>>> ergoxsx wrote:
>>>>> hi,
>>>>>
>>>>> am a directory service newbie and i just got fedora-ds installed
>>>>> on fedora 7.
>>>>> i can search users/objects thru console but web can not do any
>>>>> search.
>>>>>
>>>>> message is the ff:
>>>>>
>>>>> ------------------------------------------
>>>>> Forbidden
>>>>>
>>>>> You don't have permission to access /dsgw/bin/lang on this server.
>>>>> ------------------------------------------
>>>>>
>>>>> same message for any kind of search thru the web.
>>>>> tried to change permissions for dsgw but nothing changed.
>>>>>
>>>>> any idea?
>>>> Check the access and error logs for the admin server -
>>>> /opt/fedora-ds/admin-serv/logs
>>>>>
>>>>> TIA.
>>>>>
>>>>> -ergo-
From ianmmeyer at gmail.com Thu Sep 27 15:28:26 2007
From: ianmmeyer at gmail.com (Ian Meyer)
Date: Thu, 27 Sep 2007 11:28:26 -0400
Subject: [Fedora-directory-users] How can you monitor replication?
Message-ID:

Hello,

We have a decent-sized env. (1 master, 16 slaves in different datacenters across the world) and we're trying to find a way to effectively monitor the status of replication. When was the last update? How many changes were made? How long did it take from start to finish? I know you can get most of this information from the gui, but we need to tie it in to our monitoring application. Is this information stored in a db anywhere? In ldap itself? Any insight would be appreciated.

Thanks in advance!
- Ian

From iferreir at personal.com.py Thu Sep 27 15:32:53 2007
From: iferreir at personal.com.py (Ivan Ferreira)
Date: Thu, 27 Sep 2007 11:32:53 -0400
Subject: [Fedora-directory-users] How can you monitor replication?
In-Reply-To:
Message-ID:

I use a script like this:

#! /bin/bash
# Script to check the state of directory replication
# Ivan Ferreira - January 2007
MAILTO=iferreir@domain.com.py
STATUSFILE=/var/log/DSLastUpdateStatus.log
# The bind password is read from a root-only file (placeholder path) instead of
# being given on the command line, where ps would show it. The posted version
# had the search filter sitting in the -w position, so the password was missing.
PWFILE=/etc/replmon.pw
ldapsearch -x -D "uid=replmon,ou=Special Users,dc=sis,dc=personal,dc=net,dc=py" \
-y "$PWFILE" \
-b 'cn=replica,cn="dc=sis,dc=personal,dc=net,dc=py",cn=mapping tree,cn=config' \
'objectClass=nsDS5ReplicationAgreement' \
nsds5replicaLastUpdateStatus nsds5replicaLastUpdateStart | grep -E \
"^nsds5replicaLastUpdateStatus|^nsds5replicaLastUpdateStart" > "$STATUSFILE" 2>&1
# The status line reads "nsds5replicaLastUpdateStatus: <code> <description>",
# so field 2 is the numeric code and the rest is the text. Only the first
# agreement under this replica is checked.
STATUS=`grep "^nsds5replicaLastUpdateStatus" "$STATUSFILE" | head -1 | awk '{ print $2 }'`
DETAIL=`grep "^nsds5replicaLastUpdateStatus" "$STATUSFILE" | head -1 | awk '{ for (i=3; i<=NF; i++) printf "%s ", $i }'`
# An empty STATUS means ldapsearch itself failed; treat that as a failure too.
if [ "${STATUS:-1}" -ne 0 ]
then
echo "ALERT!! Directory replication failed with status: $DETAIL" | mail \
-s "Directory replication failed" "$MAILTO"
fi
# echo $STATUS $DETAIL

"Ian Meyer"
Sent by: fedora-directory-users-bounces at redhat.com
27/09/2007 11:28 a.m.
To: "General discussion list for the Fedora Directory server project."
cc:
Subject: [Fedora-directory-users] How can you monitor replication?
Classification: Internal Use
Please reply to: "General discussion list for the Fedora Directory server project."

Hello,

We have a decent sized env. (1 master, 16 slaves in different datacenters across the world) and we're trying to find a way to effectively monitor the status of replication. When was the last update? How many changes were made? How long did it take from start to finish? I know you can get most of this information from the gui, but we need to tie it in to our monitoring application. Is this information stored in a db anywhere? In ldap itself? Any insight would be appreciated.

Thanks in advance!
- Ian

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

========================================================================================
LEGAL NOTICE: This information is private and confidential and intended for the recipient only.
If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded as a proposal, acceptance or as a statement of will or official statement from NUCLEO S.A. Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice.

From rmeggins at redhat.com Thu Sep 27 15:36:51 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 27 Sep 2007 09:36:51 -0600
Subject: [Fedora-directory-users] How can you monitor replication?
In-Reply-To:
References:
Message-ID: <46FBCE13.60405@redhat.com>

Ian Meyer wrote:
> Hello,
>
> We have a decent sized env. (1 master, 16 slaves in different
> datacenters across the world) and we're trying to find a way to
> effectively monitor the status of replication. When was the last
> update? How many changes were made? How long did it take from start to
> finish? I know you can get most of this information from the gui, but
> we need to tie it in to our monitoring application. Is this
> information stored in a db anywhere? In ldap itself? Any insight would
> be appreciated.
>
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/replicat.html#1106144
> Thanks in advance!
> - Ian
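A checker for the same agreement attributes that Ivan's script greps and that the replication-monitoring chapter Richard links to describes, written as an added example for this thread (it is not code from either of them or from the Fedora DS project). It reads the LDIF that ldapsearch prints for nsDS5ReplicationAgreement entries and answers Ian's three questions per agreement: when the last update ended, how many changes were sent, and how long the update took. The LDIF below is constructed; the healthy status string is modelled on the "<code> <description>" form Ivan's awk relies on, the failing one is made up, and the "rid:sent/skipped" layout of nsds5replicaChangesSentSinceStartup is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of what
#   ldapsearch -x ... -b 'cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config' \
#       'objectClass=nsDS5ReplicationAgreement' <attrs>
# prints. Two agreements: one healthy, one that has been failing for hours.
# Timestamps and the failing status text are made up for the example; the
# healthy status line is folded across two lines the way LDIF wraps long values.
SAMPLE_LDIF = """\
dn: cn=to-dc2,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
cn: to-dc2
nsds5replicaLastUpdateStart: 20070927150000Z
nsds5replicaLastUpdateEnd: 20070927150003Z
nsds5replicaChangesSentSinceStartup: 1:1342/0
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremen
 tal update succeeded
nsds5replicaUpdateInProgress: FALSE

dn: cn=to-dc3,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
cn: to-dc3
nsds5replicaLastUpdateStart: 20070927081500Z
nsds5replicaLastUpdateEnd: 20070927081500Z
nsds5replicaChangesSentSinceStartup: 1:0/0
nsds5replicaLastUpdateStatus: -1 Unable to acquire replica: permission denied
nsds5replicaUpdateInProgress: FALSE
"""

# Fixed "now" so the sample evaluates the same way offline.
SAMPLE_NOW = datetime(2007, 9, 27, 15, 30, tzinfo=timezone.utc)


def parse_ldif(text):
    """Minimal LDIF reader: one value per attribute, folded lines (leading
    space) joined back, attribute names lower-cased (LDAP is case-insensitive)."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last is not None:
            cur[last] += raw[1:]
            continue
        if not raw.strip():
            if cur:
                entries.append(cur)
            cur, last = {}, None
            continue
        attr, _, value = raw.partition(":")
        last = attr.strip().lower()
        cur[last] = value.strip()
    if cur:
        entries.append(cur)
    return entries


def parse_gtime(value):
    """GeneralizedTime as the server writes it: YYYYMMDDHHMMSSZ (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def changes_sent(value):
    """nsds5replicaChangesSentSinceStartup, assumed to be 'rid:sent/skipped'."""
    m = re.fullmatch(r"(\d+):(\d+)/(\d+)", value.strip())
    return int(m.group(2)) if m else None


def assess_agreement(entry, now, max_age=timedelta(hours=1)):
    """Summarise one agreement and list the reasons it should raise an alert."""
    status = entry.get("nsds5replicalastupdatestatus", "")
    code_str, _, detail = status.partition(" ")
    try:
        code = int(code_str)
    except ValueError:
        code = None
    start = parse_gtime(entry["nsds5replicalastupdatestart"])
    end = parse_gtime(entry["nsds5replicalastupdateend"])
    in_progress = entry.get("nsds5replicaupdateinprogress", "").upper() == "TRUE"

    problems = []
    if code != 0:
        problems.append("last update status %s: %s" % (code_str, detail.strip()))
    if not in_progress and now - end > max_age:
        problems.append("last update finished %s ago" % (now - end))
    if in_progress and now - start > max_age:
        problems.append("update running since %s" % start.isoformat())

    return {
        "agreement": entry.get("cn"),
        "code": code,
        "detail": detail.strip(),
        "last_end": end,
        "duration_s": (end - start).total_seconds(),
        "changes_sent": changes_sent(entry.get("nsds5replicachangessentsincestartup", "")),
        "problems": problems,
        "ok": not problems,
    }


def check_all(ldif_text, now):
    return [assess_agreement(e, now) for e in parse_ldif(ldif_text)]


if __name__ == "__main__":
    for r in check_all(SAMPLE_LDIF, SAMPLE_NOW):
        print("%-5s %-7s code=%s sent=%s took=%.0fs %s" % (
            "OK" if r["ok"] else "ALERT", r["agreement"], r["code"],
            r["changes_sent"], r["duration_s"], "; ".join(r["problems"])))
```

Feeding it the real output means piping the ldapsearch from Ivan's script (without the grep, so all attributes survive) into parse_ldif and passing datetime.now(timezone.utc); the max_age threshold should be set to a bit more than the longest replication interval configured in the agreements, or every scheduled gap will page.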
From ianmmeyer at gmail.com Thu Sep 27 15:42:53 2007
From: ianmmeyer at gmail.com (Ian Meyer)
Date: Thu, 27 Sep 2007 11:42:53 -0400
Subject: [Fedora-directory-users] How can you monitor replication?
In-Reply-To: <46FBCE13.60405@redhat.com>
References: <46FBCE13.60405@redhat.com>
Message-ID:

Thank you Richard and Ivan.. your replies are very helpful. :)

- Ian

On 9/27/07, Richard Megginson wrote:
> Ian Meyer wrote:
> > Hello,
> >
> > We have a decent sized env. (1 master, 16 slaves in different
> > datacenters across the world) and we're trying to find a way to
> > effectively monitor the status of replication. When was the last
> > update? How many changes were made? How long did it take from start to
> > finish? I know you can get most of this information from the gui, but
> > we need to tie it in to our monitoring application. Is this
> > information stored in a db anywhere? In ldap itself? Any insight would
> > be appreciated.
> >
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/replicat.html#1106144
> > Thanks in advance!
> > - Ian

From djh5983 at ksu.edu Thu Sep 27 16:08:13 2007
From: djh5983 at ksu.edu (Dusty Herrman)
Date: Thu, 27 Sep 2007 11:08:13 -0500
Subject: [Fedora-directory-users] Active Directory Password Question
Message-ID: <46FBD56D.3020907@ksu.edu>

I work for a University where Microsoft and Unix/Linux products are both heavily present. We currently have both MS Active Directory servers and OpenLDAP servers. We are currently looking at upgrading both of these technologies.
Currently we store all the users' passwords in LDAP (encrypted). Using the "Windows Sync" feature of Fedora DS, is there a way to push the encrypted passwords into Active Directory? Or is it only an AD -> LDAP password push?

Thanks in advance,

Dusty Herrman
KEAS Authentication/Directory Engineer
Kansas State University
djh5983 at k-state.edu

From iferreir at personal.com.py Thu Sep 27 16:12:51 2007
From: iferreir at personal.com.py (Ivan Ferreira)
Date: Thu, 27 Sep 2007 12:12:51 -0400
Subject: [Fedora-directory-users] Active Directory Password Question
In-Reply-To: <46FBD56D.3020907@ksu.edu>
Message-ID:

Fedora DS password sync is bidirectional. You must create a "Windows Sync" agreement and you have to specify one account with domain admin privileges in that agreement. You should configure SSL first, before the Windows Sync agreement.

Dusty Herrman
Sent by: fedora-directory-users-bounces at redhat.com
27/09/2007 12:08 p.m.
To: fedora-directory-users at redhat.com
cc:
Subject: [Fedora-directory-users] Active Directory Password Question
Classification: Internal Use
Please reply to: "General discussion list for the Fedora Directory server project."

I work for a University where Microsoft and Unix/Linux products are both heavily present. We currently have both MS Active Directory servers and OpenLDAP servers. We are currently looking at upgrading both of these technologies.

Currently we store all the users' passwords in LDAP (encrypted). Using the "Windows Sync" feature of Fedora DS, is there a way to push the encrypted passwords into Active Directory? Or is it only an AD -> LDAP password push?
Thanks in advance,

Dusty Herrman
KEAS Authentication/Directory Engineer
Kansas State University
djh5983 at k-state.edu

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
From sys.mailing at gmail.com Thu Sep 27 18:42:24 2007
From: sys.mailing at gmail.com (Bjorn Oglefjorn)
Date: Thu, 27 Sep 2007 14:42:24 -0400
Subject: [Fedora-directory-users] glibc errors
Message-ID: <926ab61b0709271142x2d951d4bvaa77e63889e156c7@mail.gmail.com>

I am trying to track down the cause of some errors that have been occurring on a number of our servers using LDAP. We have noticed that when a certain LDAP group exceeds 65 users we begin seeing glibc errors for users in the group. Users that are not in the group do not exhibit this behavior.

We have seen this issue on machines running Centos 4.5 x86 & x86_64 with glibc-2.3.4-2.36 and RH4 x86_64 running glibc-2.3.4-2.25. We are running Fedora Directory Server 1.0.4 on Centos 4.5. We have added a 3rd FDS slave and turned up debugging but have not seen anything that appears to be relevant in the logs on the 3rd slave.

This problem is not a 65 user limit as we have other groups with well over 65 members that do not display this behavior. We also created a new group with identical users and it did not display this problem.

1) With 66 users in the massweb group

[root at megalon ~]# getent group massweb
*** glibc detected *** free(): invalid next size (normal): 0x09a225b0 ***
Aborted

2) After removing any user from the massweb group to reduce the total members to 65

[root at megalon ~]# getent group massweb
massweb:x:3016:afaxon,ashairza,ccrump,jhorowit,mmarum,morendai,usmall,adroffne,afaxon,amurphre,aoliver,ayellipe,bdonohue,bdunn,beckert,blarsen,bwphilli,catanis,ccrump,chaynes,clyons,cwong,dbarber,dmuse,dnicol,edougher,egallant,ekubosia,evizcain,feeddrop,gtulonen,halokush,hbraverm,jbartus,jbrown,jhobbs,jking,jlederma,jpecora,jthayer,kbalbedi,kbeam,kginn,mbuonfig,mcrawfor,mlarsen,mlong,mwalsh,osedano,proche,prondeau,pweinber,rhorriga,rkersey,rskutins,sasaro,sbrodeur,sculver,smoriart,support,swestenh,tbaltimo,torgelfi,usmall,vvalenti

Has anyone encountered a similar problem? Any suggestions would be most welcome.
Best regards

From rmeggins at redhat.com Thu Sep 27 18:50:24 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 27 Sep 2007 12:50:24 -0600
Subject: [Fedora-directory-users] glibc errors
In-Reply-To: <926ab61b0709271142x2d951d4bvaa77e63889e156c7@mail.gmail.com>
References: <926ab61b0709271142x2d951d4bvaa77e63889e156c7@mail.gmail.com>
Message-ID: <46FBFB70.9000304@redhat.com>

Bjorn Oglefjorn wrote:
> I am trying to track down the cause of some errors that have been
> occurring on a number of our servers using LDAP. We have noticed that
> when a certain LDAP group exceeds 65 users we begin seeing glibc
> errors for users in the group. Users that are not in the group do not
> exhibit this behavior.
>
> We have seen this issue on machines running Centos 4.5 x86 & x86_64
> with glibc-2.3.4-2.36 and RH4 x86_64 running glibc-2.3.4-2.25. We are
> running Fedora Directory Server 1.0.4 on Centos 4.5. We have added a
> 3rd FDS slave and turned up debugging but have not seen anything that
> appears to be relevant in the logs on the 3rd slave.
>
> This problem is not a 65 user limit as we have other groups with well
> over 65 members that do not display this behavior. We also created a
> new group with identical users and it did not display this problem.
This sounds like a problem with pam_ldap or nss_ldap. You might want to report this on a CentOS list. If you are a Red Hat customer, you can report it through your usual support channel. I don't think this is a directory server problem.
>
> 1) With 66 users in the massweb group
>
> [root at megalon ~]# getent group massweb
> *** glibc detected *** free(): invalid next size (normal): 0x09a225b0 ***
> Aborted
>
> 2) After removing any user from the massweb group to reduce the total
> members to 65
>
> [root at megalon ~]# getent group massweb
> massweb:x:3016:afaxon,ashairza,ccrump,jhorowit,mmarum,morendai,usmall,adroffne,afaxon,amurphre,aoliver,ayellipe,bdonohue,bdunn,beckert,blarsen,bwphilli,catanis,ccrump,chaynes,clyons,cwong,dbarber,dmuse,dnicol,edougher,egallant,ekubosia,evizcain,feeddrop,gtulonen,halokush,hbraverm,jbartus,jbrown,jhobbs,jking,jlederma,jpecora,jthayer,kbalbedi,kbeam,kginn,mbuonfig,mcrawfor,mlarsen,mlong,mwalsh,osedano,proche,prondeau,pweinber,rhorriga,rkersey,rskutins,sasaro,sbrodeur,sculver,smoriart,support,swestenh,tbaltimo,torgelfi,usmall,vvalenti
>
> Has anyone encountered a similar problem? Any suggestions would be
> most welcome.
>
> Best regards

From glenn at mail.txwes.edu Thu Sep 27 18:52:14 2007
From: glenn at mail.txwes.edu (Glenn)
Date: Thu, 27 Sep 2007 13:52:14 -0500
Subject: [Fedora-directory-users] Active Directory Password Question
In-Reply-To: <46FBD56D.3020907@ksu.edu>
References: <46FBD56D.3020907@ksu.edu>
Message-ID: <20070927182851.M50518@mail.txwes.edu>

Dusty -

The password encryption format is different in FD and AD, so the passwords can't be ported directly from one to the other. Windows Sync makes it possible to synchronize passwords automatically, but it doesn't work until the user changes his or her password.
After that, password changes on either system are replicated to the
other. One way to deal with this is to force each user to change his or
her AD password shortly after you bring up the Windows Sync agreement.

-Glenn.

---------- Original Message -----------
From: Dusty Herrman
To: fedora-directory-users at redhat.com
Sent: Thu, 27 Sep 2007 11:08:13 -0500
Subject: [Fedora-directory-users] Active Directory Password Question

> I work for a University where Microsoft and Unix/Linux products are
> both heavily present. We currently have both MS Active Directory
> servers and OpenLDAP servers. We are currently looking at
> upgrading both of these technologies.
>
> Currently we store all the users' passwords in LDAP (encrypted).
> Using the "Windows Sync" feature of Fedora DS, is there a way to
> push the encrypted passwords into Active Directory? Or is it only an
> AD -> LDAP password push?
>
> Thanks in advance,
>
> Dusty Herrman
> KEAS Authentication/Directory Engineer
> Kansas State University
> djh5983 at k-state.edu
------- End of Original Message -------

From glenn at mail.txwes.edu Thu Sep 27 19:24:00 2007
From: glenn at mail.txwes.edu (Glenn)
Date: Thu, 27 Sep 2007 14:24:00 -0500
Subject: [Fedora-directory-users] fds vs passsync vs AD
Message-ID: <20070927192028.M70507@mail.txwes.edu>

Paolo -

Maybe your certificates are not set up correctly. You should have the
same CA certificate in the database in both FDS and AD. Also, the server
certs in each database should be issued by the same certificate
authority.

It is convenient to use the Certificate Authority included with recent
Microsoft Windows servers to create a CA certificate to import into both
databases. You can then create server certificates using the MSCA and
import them into their respective databases.
You may also need to import the server certificate from FDS into the
database on AD and vice-versa. Once this is done, you should review and
possibly modify the trust attributes on all the certs. As you can see
from my examples, I used a scatter-gun approach.

You will need to use certutil for all import and modify operations on
the certificate databases. "certutil -H" gives a nice reference.

Examples:

sibelius=FD
boccherini=AD
TWCA=CA

[root at sibelius alias]# ./certutil -L -d . -P slapd-sibelius-
TWCA            CT,c,c
boccherini      P,P,P
server-cert     CTu,cu,cu

C:\Program Files\RHD Password Sync>certutil -L -d .
TWCA            CT,C,C
server-cert     Pu,Pu,Pu
boccherini      P,P,P

Remember to restart FDS and PassSync after making changes.

-G.

---------- Original Message -----------
From: Paolo Barbato
To: fedora-directory-users at redhat.com
Sent: Thu, 27 Sep 2007 10:06:40 +0200
Subject: [Fedora-directory-users] fds vs passsync vs AD

> Hi all!
>
> I've successfully installed fds and the passsync msi on windows AD. I
> admit that some problems have arisen since the documentation is a bit
> poor on the SSL part, especially on AD, but then finally I was able to
> make things work.
>
> I'm facing an odd problem that I'm not able to understand, but
> probably already discussed on the list.
>
> I'm able to keep the password in sync in AD and FDS when I change the
> password from AD, but not vice versa. Really, from the Windows event log
> things seem to go right: it tells me that the password has been
> successfully updated (passwd is issued from linux). But that stored
> password is somewhat different. Could it be an encryption problem? Any
> hints?
>
> Regards,
> Paolo.
> --
> Paolo Barbato            email: mailto:paolo.barbato at igi.cnr.it
> Network Administrator    phone: (39-049)-829-5097
>                                 (39-049)-829-5000
> Corso Stati Uniti,4      www:   http://www.igi.cnr.it
> 35127 Camin-Padova       PGP:   http://www.igi.cnr.it/wwwpgp/rfx_paolo_barbato.pgp
> ITALY                    JabberID: rfx_paolo_barbato at messenger.efda.org
------- End of Original Message -------

From rmeggins at redhat.com Thu Sep 27 19:49:20 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 27 Sep 2007 13:49:20 -0600
Subject: [Fedora-directory-users] fds vs passsync vs AD
In-Reply-To: <20070927192028.M70507@mail.txwes.edu>
References: <20070927192028.M70507@mail.txwes.edu>
Message-ID: <46FC0940.20109@redhat.com>

Glenn wrote:
> Paolo - Maybe your certificates are not set up correctly. You should
> have the same CA certificate in the database in both FDS and AD. Also,
> the server certs in each database should be issued by the same
> certificate authority.
>
> It is convenient to use the Certificate Authority included with recent
> Microsoft Windows servers to create a CA certificate to import into
> both databases. You can then create server certificates using the MSCA
> and import them into their respective databases.
>
> You may also need to import the server certificate from FDS into the
> database on AD and vice-versa.

You should not need to do this. All that should be required is that each
cert db has the cert for that server plus the trusted CA cert.

> Once this is done, you should review and possibly modify the trust
> attributes on all the certs. As you can see from my examples, I used a
> scatter-gun approach.
> You will need to use certutil for all import and modify operations on
> the certificate databases. "certutil -H" gives a nice reference.
>
> [snip]

From yinyang at eburg.com Thu Sep 27 22:41:33 2007
From: yinyang at eburg.com (Gordon Messmer)
Date: Thu, 27 Sep 2007 15:41:33 -0700
Subject: [Fedora-directory-users] glibc errors
In-Reply-To: <926ab61b0709271142x2d951d4bvaa77e63889e156c7@mail.gmail.com>
References: <926ab61b0709271142x2d951d4bvaa77e63889e156c7@mail.gmail.com>
Message-ID: <46FC319D.7080404@eburg.com>

Bjorn Oglefjorn wrote:
>
> 1) With 66 users in the massweb group
>
> [root at megalon ~]# getent group massweb
> *** glibc detected *** free(): invalid next size (normal): 0x09a225b0 ***
> Aborted
...
> Has anyone encountered a similar problem? Any suggestions would be most
> welcome.

Sounds kind of like a bug in glibc that was fixed in 2.3.4-2.13. You're
probably best off reporting this to RH via bugzilla.
I might be able to help you track down the precise cause of the problem,
if you'd like, and help Red Hat get the issue resolved more quickly.

* confirm the version of glibc on that system
* install "ltrace" if necessary
* stop the "nscd" service temporarily
* run "ltrace -s 512 -S getent group massweb > /tmp/ltrace.getent 2>&1"

Email me /tmp/ltrace.getent off-list. If there is any private info in
/etc/ldap.conf, you'll want to clear it out of the ltrace file before
sending it.

From peters at psinergybbs.com Fri Sep 28 03:13:25 2007
From: peters at psinergybbs.com (Peter Santiago)
Date: Fri, 28 Sep 2007 11:13:25 +0800
Subject: [Fedora-directory-users] fds vs passsync vs AD
In-Reply-To: <46FC0940.20109@redhat.com>
References: <20070927192028.M70507@mail.txwes.edu> <46FC0940.20109@redhat.com>
Message-ID: <46FC7155.8000602@psinergybbs.com>

Richard Megginson wrote:
> Glenn wrote:
>> Paolo - Maybe your certificates are not set up correctly. You should
>> have the same CA certificate in the database in both FDS and AD.
>> Also, the server certs in each database should be issued by the same
>> certificate authority.
>>
>> It is convenient to use the Certificate Authority included with
>> recent Microsoft Windows servers to create a CA certificate to import
>> into both databases. You can then create server certificates using
>> the MSCA and import them into their respective databases.
>>
>> You may also need to import the server certificate from FDS into the
>> database on AD and vice-versa.
> You should not need to do this. All that should be required is that
> each cert db has the cert for that server plus the trusted CA cert.
>> Once this is done, you should review and possibly modify the trust
>> attributes on all the certs. As you can see from my examples, I used
>> a scatter-gun approach.
>> You will need to use certutil for all import and modify operations on
>> the certificate databases. "certutil -H" gives a nice reference.
>>
[snip]

Just need confirmation.
In order for the passsync to work, does FDS first need to have the
corresponding users from Windows ADS manually created? Doesn't Passsync
do this automatically? TIA

--
Peter Santiago
peters at psinergybbs.com
My website: www.psinergybbs.com
My spamtrap address: r34987y at psinergybbs.com

From rmeggins at redhat.com Fri Sep 28 13:59:53 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 28 Sep 2007 07:59:53 -0600
Subject: [Fedora-directory-users] fds vs passsync vs AD
In-Reply-To: <46FC7155.8000602@psinergybbs.com>
References: <20070927192028.M70507@mail.txwes.edu> <46FC0940.20109@redhat.com> <46FC7155.8000602@psinergybbs.com>
Message-ID: <46FD08D9.7050208@redhat.com>

Peter Santiago wrote:
> Richard Megginson wrote:
>> Glenn wrote:
>>> [snip]
>>>
>>> You may also need to import the server certificate from FDS into the
>>> database on AD and vice-versa.
>> You should not need to do this. All that should be required is that
>> each cert db has the cert for that server plus the trusted CA cert.
>>> Once this is done, you should review and possibly modify the trust
>>> attributes on all the certs. As you can see from my examples, I
>>> used a scatter-gun approach.
>>> You will need to use certutil for all import and modify operations
>>> on the certificate databases. "certutil -H" gives a nice reference.
>>>
> [snip]
>
> Just need confirmation. In order for the passsync to work, does FDS
> first need to have the corresponding users from Windows ADS manually
> created? Doesn't Passsync do this automatically? TIA

Not passsync (the AD "plug-in" that only syncs passwords one way from AD
to FDS) but winsync (the component that runs in FDS that pushes user,
group, and password changes to AD, and pulls user and group changes from
AD to FDS).

From paolo.barbato at igi.cnr.it Fri Sep 28 14:00:02 2007
From: paolo.barbato at igi.cnr.it (Paolo Barbato)
Date: Fri, 28 Sep 2007 16:00:02 +0200
Subject: [Fedora-directory-users] fds vs passsync vs AD
In-Reply-To: <46FC0940.20109@redhat.com>
References: <20070927192028.M70507@mail.txwes.edu> <46FC0940.20109@redhat.com>

Thanks for the reply, but I suspect I'm facing a different problem.

Talking about SSL: as far as I understand, SSL is used both for passsync
(AD -> FDS) and for the replication agreement (AD <-> FDS). Note, two
different tasks. In the first case the cert8.db certificates do the
work. I've installed on both AD and FDS my CA certificate and the FDS
server certificate. Passsync works without a hitch. When I change the
password from Windows it's set exactly on FDS.

The replication agreement is based on cert8.db on FDS and the MS
architecture on AD, I mean that I make use of mmc to install the CA and
the AD server signed certificate.
Replication also seems to work, since I see that AD and FDS users are
"merged" into one (almost) identical list. So users that were in AD are
created on FDS and vice versa, with (almost) all parameters set.

My problem arises when, from a linux machine authenticated on FDS, I
issue passwd and change the password. Really, all seems to go right,
since FDS registers the new password, and AD also tells me that the
change has been committed. First event:

User Account Changed:
    Target Account Name: barbato
    Target Domain: TEST
    Target Account ID: TEST\barbato
    Caller User Name: sync manager
    Caller Domain: TEST
    Caller Logon ID: (0x0,0x318F76)
    Privileges: -
    Changed Attributes:
    Sam Account Name: -
    Display Name: -
    User Principal Name: -
    Home Directory: -

and after a while a second security event:

User Account password set:
    Target Account Name: barbato
    Target Domain: TEST
    Target Account ID: TEST\barbato
    Caller User Name: sync manager
    Caller Domain: TEST
    Caller Logon ID: (0x0,0x318F76)

But when I try to log on to AD with this new password, AD tells me that
I'm using the wrong one. Note that the previous one doesn't work either,
and this confirms that it has really been changed.

Has anybody faced this? Some other things to look into?

Regards,
Paolo.

At 13:49 -0600 27-09-2007, Richard Megginson wrote:
>Glenn wrote:
>>Paolo - Maybe your certificates are not set up correctly. You
>>should have the same CA certificate in the database in both FDS and
>>AD. Also, the server certs in each database should be issued by the
>>same certificate authority.
>>
>>It is convenient to use the Certificate Authority included with
>>recent Microsoft Windows servers to create a CA certificate to
>>import into both databases. You can then create server
>>certificates using the MSCA and import them into their respective
>>databases.
>>
>>You may also need to import the server certificate from FDS into
>>the database on AD and vice-versa.
>You should not need to do this. All that should be required is that
>each cert db has the cert for that server plus the trusted CA cert.
>>Once this is done, you should review and possibly modify the trust
>>attributes on all the certs. As you can see from my examples, I
>>used a scatter-gun approach.
>>You will need to use certutil for all import and modify operations
>>on the certificate databases. "certutil -H" gives a nice reference.
>>
>>[snip]

--
Paolo Barbato            email: mailto:paolo.barbato at igi.cnr.it
Network Administrator    phone: (39-049)-829-5097
                                (39-049)-829-5000
Corso Stati Uniti,4      www:   http://www.igi.cnr.it
35127 Camin-Padova       PGP:   http://www.igi.cnr.it/wwwpgp/rfx_paolo_barbato.pgp
ITALY                    JabberID: rfx_paolo_barbato at messenger.efda.org

From peters at psinergybbs.com Fri Sep 28 19:47:55 2007
From: peters at psinergybbs.com (Peter Santiago)
Date: Sat, 29 Sep 2007 03:47:55 +0800
Subject: [Fedora-directory-users] fds vs passsync vs AD
In-Reply-To: <46FD08D9.7050208@redhat.com>
References: <20070927192028.M70507@mail.txwes.edu> <46FC0940.20109@redhat.com> <46FC7155.8000602@psinergybbs.com> <46FD08D9.7050208@redhat.com>
Message-ID: <46FD5A6B.3040002@psinergybbs.com>

Richard Megginson wrote:
[SNIP]
> Not passsync (the AD "plug-in" that only syncs passwords one way from
> AD to FDS) but winsync (the component that runs in FDS that pushes
> user, group, and password changes to AD, and pulls user and group
> changes from AD to FDS).

Winsync? I hope you can point me to where I can find this. Is this
already included by default with FDS 1.0.4? Or do I have to download and
compile this tool?

Thanks a lot...

--
Peter Santiago
peters at psinergybbs.com
My website: www.psinergybbs.com
My spamtrap address: r34987y at psinergybbs.com
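Glenn's certutil listings earlier in this thread, and Richard's reply that each database needs only its own server certificate plus the trusted CA, can be checked mechanically rather than by eye. The following is an added example and not code from the list, from Fedora DS or from PassSync: it parses `certutil -L` output and reports entries that are missing, mis-trusted or superfluous. The sample listing is Glenn's FDS-side output copied from above with the header lines certutil prints added; the nickname arguments and the letters accepted in the trust fields (NSS's documented C, T, c, P, p, u, w) are this example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# One line of `certutil -L` output: nickname, whitespace, then three
# comma-separated trust fields (SSL, S/MIME, object signing).
# Letters: C/T = trusted CA for server/client auth, c = valid CA,
# P = trusted peer, p = prohibited, u = we hold the private key.
TRUST_LINE = re.compile(
    r"^(?P<nick>\S.*?)\s+(?P<ssl>[CTcPpuw]*),(?P<mail>[CTcPpuw]*),(?P<sign>[CTcPpuw]*)$"
)


def parse_certutil_listing(text: str) -> Dict[str, Tuple[str, str, str]]:
    """Map nickname -> (ssl, smime, objsign) trust flags; header lines do not match."""
    certs = {}
    for raw in text.splitlines():
        m = TRUST_LINE.match(raw.strip())
        if m:
            certs[m["nick"]] = (m["ssl"], m["mail"], m["sign"])
    return certs


def audit_ssl_trust(certs: Dict[str, Tuple[str, str, str]],
                    ca_nick: str, server_nick: str) -> List[str]:
    """Apply the rule from the thread: one CA trusted for SSL (C), one own cert (u)."""
    findings = []
    ssl = {nick: flags[0] for nick, flags in certs.items()}  # SSL field only
    if ca_nick not in ssl:
        findings.append(f"CA '{ca_nick}' is missing from the database")
    elif "C" not in ssl[ca_nick]:
        findings.append(f"CA '{ca_nick}' lacks C in the SSL field: the peer's server cert will not verify")
    if server_nick not in ssl:
        findings.append(f"server cert '{server_nick}' is missing from the database")
    else:
        if "u" not in ssl[server_nick]:
            findings.append(f"'{server_nick}' has no private key (no u): it is not this server's cert")
        extra = set(ssl[server_nick]) - {"u"}
        if extra:
            findings.append(f"'{server_nick}' carries CA/peer trust {''.join(sorted(extra))}: a leaf cert needs only u")
    for nick, flags in ssl.items():
        if nick not in (ca_nick, server_nick):
            findings.append(f"'{nick}' ({flags}) is not needed: the other side's cert chains to the CA")
    return findings


# Constructed sample: Glenn's FDS-side listing from this thread, plus the
# two header lines certutil prints (plain text, not a real cert database).
FDS_LISTING = """\
Certificate Nickname                Trust Attributes
                                    SSL,S/MIME,JAR/XPI

TWCA                                CT,c,c
boccherini                          P,P,P
server-cert                         CTu,cu,cu
"""

if __name__ == "__main__":
    for finding in audit_ssl_trust(parse_certutil_listing(FDS_LISTING), "TWCA", "server-cert"):
        print(finding)
```

Run against the listing above it flags the AD server's certificate (boccherini) as unnecessary and the CA trust bits on server-cert as superfluous, which is exactly the scatter-gun set-up Richard says is not required. Feed it `certutil -L -d <dir> -P <prefix>` output from each side to get the same two-line answer per database.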
From rmeggins at redhat.com Fri Sep 28 19:51:14 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 28 Sep 2007 13:51:14 -0600
Subject: [Fedora-directory-users] fds vs passsync vs AD
In-Reply-To: <46FD5A6B.3040002@psinergybbs.com>
References: <20070927192028.M70507@mail.txwes.edu> <46FC0940.20109@redhat.com> <46FC7155.8000602@psinergybbs.com> <46FD08D9.7050208@redhat.com> <46FD5A6B.3040002@psinergybbs.com>
Message-ID: <46FD5B32.2060603@redhat.com>

Peter Santiago wrote:
> Richard Megginson wrote:
> [SNIP]
>> Not passsync (the AD "plug-in" that only syncs passwords one way from
>> AD to FDS) but winsync (the component that runs in FDS that pushes
>> user, group, and password changes to AD, and pulls user and group
>> changes from AD to FDS).
>>
> Winsync? I hope you can point me to where I can find this. Is this
> already included by default with FDS 1.0.4? Or do I have to download
> and compile this tool?

Winsync is built into Fedora DS 1.0.4 -
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2836267

> Thanks a lot...
From pedram at pr-sol.com Fri Sep 28 20:12:29 2007
From: pedram at pr-sol.com (Pedram M)
Date: Fri, 28 Sep 2007 13:12:29 -0700
Subject: [Fedora-directory-users] fds vs passsync vs AD
In-Reply-To: <46FD5B32.2060603@redhat.com>
References: <20070927192028.M70507@mail.txwes.edu> <46FC0940.20109@redhat.com> <46FC7155.8000602@psinergybbs.com> <46FD08D9.7050208@redhat.com> <46FD5A6B.3040002@psinergybbs.com> <46FD5B32.2060603@redhat.com>
Message-ID: <1191010349.21713.0.camel@23-0-168-192.internal.pragmatic>

Is there a Passsync.exe or Winsync.exe for Active Directory to OpenLDAP
integration (not using Fedora-DS) at the moment?

Thanks,
Pedram M

On Fri, 2007-09-28 at 13:51 -0600, Richard Megginson wrote:
> Peter Santiago wrote:
> > Richard Megginson wrote:
> > [SNIP]
> >> Not passsync (the AD "plug-in" that only syncs passwords one way from
> >> AD to FDS) but winsync (the component that runs in FDS that pushes
> >> user, group, and password changes to AD, and pulls user and group
> >> changes from AD to FDS).
> > Winsync? I hope you can point me to where I can find this. Is this
> > already included by default with FDS 1.0.4? Or do I have to download
> > and compile this tool?
> Winsync is built into Fedora DS 1.0.4 -
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2836267
> > Thanks a lot...

From rmeggins at redhat.com Fri Sep 28 20:32:33 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 28 Sep 2007 14:32:33 -0600
Subject: [Fedora-directory-users] fds vs passsync vs AD
In-Reply-To: <1191010349.21713.0.camel@23-0-168-192.internal.pragmatic>
References: <20070927192028.M70507@mail.txwes.edu> <46FC0940.20109@redhat.com> <46FC7155.8000602@psinergybbs.com> <46FD08D9.7050208@redhat.com> <46FD5A6B.3040002@psinergybbs.com> <46FD5B32.2060603@redhat.com> <1191010349.21713.0.camel@23-0-168-192.internal.pragmatic>
Message-ID: <46FD64E1.4030001@redhat.com>

Pedram M wrote:
> Is there a Passsync.exe or Winsync.exe for Active Directory to OpenLDAP
> integration (not using Fedora-DS) at the moment?
>
I don't know. I don't know if passsync.exe (there is no winsync.exe) will
work with OpenLDAP.

> Thanks,
> Pedram M
>
> On Fri, 2007-09-28 at 13:51 -0600, Richard Megginson wrote:
>> Peter Santiago wrote:
>>> Richard Megginson wrote:
>>> [SNIP]
>>>> Not passsync (the AD "plug-in" that only syncs passwords one way from
>>>> AD to FDS) but winsync (the component that runs in FDS that pushes
>>>> user, group, and password changes to AD, and pulls user and group
>>>> changes from AD to FDS).
>>> [snip]

From daelic at gmail.com Fri Sep 28 22:07:55 2007
From: daelic at gmail.com (Jason)
Date: Fri, 28 Sep 2007 15:07:55 -0700
Subject: [Fedora-directory-users] libatomic.o missing; Solaris 8 Build
Message-ID: <5a69da6f0709281507m4bde7bddx2b564d3d9acd5fcd@mail.gmail.com>

hello,

I'm trying to compile FDS 1.0.4 on a 280R running Solaris 8.
After getting all of the prerequisites installed (gnu make, apr, ant,
sun workshop compiler, etc) I started following the directions located
here:

http://www.directory.fedora.redhat.com/wiki/Building#External_Requirements

I created my ldap directory, and downloaded the mozilla components
tarball linked.

I successfully compiled NSS via 'gmake nss_build all'
I successfully compiled SVRCORE

Next, I attempted to compile LDAPSDK (mozilla/directory/c-sdk) but I get
a File not found error when it tries to link libatomic.o.

About the only thing I've been able to learn from a few hours of google
is that it appears that libatomic.o should come from NSPR, which, in
theory, was compiled during the gmake nss_build_all according to the
build documentation. Unfortunately, I cannot find libatomic.o anywhere
on the system.

Is there a way to get past this problem? Am I crazy for expecting this
to compile on solaris even though solaris support is listed? Is there a
better build guide I should be following?

I've copied the compile errors below, in case it helps anyone see what's
going on. Any help that can be provided is greatly appreciated!
~Jason

=======
making ./libldap60.so
gcc -shared -Wl,-soname -Wl,libldap60.so -f libatomic.so -o libldap60.so ./abandon.o ./add.o ./bind.o ./cache.o ./charray.o ./charset.o ./compare.o ./compat.o ./control.o ./countvalues.o ./delete.o ./disptmpl.o ./dsparse.o ./error.o ./extendop.o ./free.o ./freevalues.o ./friendly.o ./getattr.o ./getdn.o ./getdxbyname.o ./getentry.o ./getfilter.o ./getoption.o ./getvalues.o ./memcache.o ./message.o ./modify.o ./open.o ./os-ip.o ./proxyauthctrl.o ./psearch.o ./pwmodext.o ./referral.o ./regex.o ./rename.o ./request.o ./reslist.o ./result.o ./saslbind.o ./sbind.o ./search.o ./setoption.o ./sort.o ./sortctrl.o ./srchpref.o ./tmplout.o ./ufn.o ./unbind.o ./unescape.o ./url.o ./utf8.o ./vlistctrl.o ./saslio.o -L../../../../../dist/lib -llber60
gcc: libatomic.so: No such file or directory
gmake[3]: *** [libldap60.so] Error 1
gmake[3]: Leaving directory `/root/ldap/mozilla/directory/c-sdk/ldap/libraries/libldap'
gmake[2]: *** [export] Error 2

From rmeggins at redhat.com Fri Sep 28 22:13:40 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 28 Sep 2007 16:13:40 -0600
Subject: [Fedora-directory-users] libatomic.o missing; Solaris 8 Build
In-Reply-To: <5a69da6f0709281507m4bde7bddx2b564d3d9acd5fcd@mail.gmail.com>
References: <5a69da6f0709281507m4bde7bddx2b564d3d9acd5fcd@mail.gmail.com>
Message-ID: <46FD7C94.9010506@redhat.com>

Jason wrote:
> hello,
>
> I'm trying to compile FDS 1.0.4 on a 280R running Solaris 8. After
> getting all of the prerequisites installed (gnu make, apr, ant, sun
> workshop compiler, etc) I started following the directions located here:
>
> http://www.directory.fedora.redhat.com/wiki/Building#External_Requirements
>
> I created my ldap directory, and downloaded the mozilla components
> tarball linked.
> I successfully compiled NSS via 'gmake nss_build all' > I successfully compiled SVRCORE > > Next, I attempted to compile LDAPSDK (mozilla/directory/c-sdk) but I > get a File not found error when it tries to link libatomic.o. > > About the only thing I've been able to learn from a few hours of > google is that it appears that libatomic.o should come from NSPR, > which, in theory, was compiled during the gmake nss_build_all > according to the build documentation. Unfortunately, I cannot find > libatomic.o anywhere on the system. > > Is there a way to get past this problem? Am I crazy for expecting this > to compile on solaris even though solaris support is listed? Is there > a better build guide I should be following? > > I've copied the compile errors below, in case it helps anyone see > what's going on. Any help that can be provided is greatly appreciated! > > ~Jason > > ======= making ./libldap60.so > gcc -shared -Wl,-soname -Wl, libldap60.so -f libatomic.so -o > libldap60.so ./abandon.o ./add.o ./bind.o ./cache.o ./charray.o > ./charset.o ./compare.o ./compat.o ./control.o ./countvalues.o > ./delete.o ./disptmpl.o ./dsparse.o ./error.o ./extendop.o ./free.o > ./freevalues.o ./friendly.o ./getattr.o ./getdn.o ./getdxbyname.o > ./getentry.o ./getfilter.o ./getoption.o ./getvalues.o ./memcache.o > ./message.o ./modify.o ./open.o ./os- ip.o ./proxyauthctrl.o > ./psearch.o ./pwmodext.o ./referral.o ./regex.o ./rename.o ./request.o > ./reslist.o ./result.o ./saslbind.o ./sbind.o ./search.o ./setoption.o > ./sort.o ./sortctrl.o ./srchpref.o ./tmplout.o ./ufn.o ./unbind.o > ./unescape.o ./url.o ./utf8.o ./vlistctrl.o ./saslio.o > -L../../../../../dist/lib -llber60 > gcc: libatomic.so: No such file or directory > gmake[3]: *** [libldap60.so] Error 1 > gmake[3]: Leaving directory > `/root/ldap/mozilla/directory/c-sdk/ldap/libraries/libldap' > gmake[2]: *** [export] Error 2 I'm not sure. I do know one thing - this is using gcc and not the sun workshop compiler. 
That might have something to do with it. You might try posting on the mozldap developers list - news.mozilla.org/mozilla.dev.tech.ldap > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From david_list at boreham.org Fri Sep 28 22:13:31 2007 From: david_list at boreham.org (David Boreham) Date: Fri, 28 Sep 2007 16:13:31 -0600 Subject: [Fedora-directory-users] libatomic.o missing; Solaris 8 Build In-Reply-To: <5a69da6f0709281507m4bde7bddx2b564d3d9acd5fcd@mail.gmail.com> References: <5a69da6f0709281507m4bde7bddx2b564d3d9acd5fcd@mail.gmail.com> Message-ID: <46FD7C8B.209@boreham.org> Jason wrote: > Is there a way to get past this problem? Am I crazy for expecting this > to compile on solaris even though solaris support is listed? Not crazy, but pretty darned close ;) A couple of things come to mind : the code may have rotted for Solaris 8 --- that's quite an old release. The build was always done (and the wiki page you reference confirms this) with the Sun compiler, not gcc. From daelic at gmail.com Fri Sep 28 23:18:47 2007 From: daelic at gmail.com (Jason) Date: Fri, 28 Sep 2007 16:18:47 -0700 Subject: [Fedora-directory-users] libatomic.o missing; Solaris 8 Build In-Reply-To: <46FD7C8B.209@boreham.org> References: <5a69da6f0709281507m4bde7bddx2b564d3d9acd5fcd@mail.gmail.com> <46FD7C8B.209@boreham.org> Message-ID: <5a69da6f0709281618x14cf230cq79e71b8e81025947@mail.gmail.com> Richard & David, Good point that it's using gcc, I didn't catch that. I do have the sun compiler installed, with /opt/SUNWspro/bin at the top of my PATH so I was going on the assumption that it would use CC rather than gcc. 
I tried to add a CC=/opt/SUNWspro/bin/CC to my gmake, but that created other problems that I suspect are a result of ./configure detecting gcc, and I'm not sure how to make configure see the correct compilers. In any case, it's the end of the day on friday, and this isn't anything that can't sit over the weekend. :) I appreciate the input, I'll take this to the dev list if I can't tackle it with a fresh mind on monday. On 9/28/07, David Boreham wrote: > > Jason wrote: > > Is there a way to get past this problem? Am I crazy for expecting this > > to compile on solaris even though solaris support is listed? > Not crazy, but pretty darned close ;) > > A couple of things come to mind : the code may have rotted for Solaris 8 > --- that's quite an old release. > The build was always done (and the wiki page you reference confirms > this) with the Sun compiler, > not gcc. > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From wilmer at fedoraproject.org Sun Sep 30 02:31:05 2007 From: wilmer at fedoraproject.org (Wilmer Jaramillo M.) Date: Sat, 29 Sep 2007 22:31:05 -0400 Subject: [Fedora-directory-users] glibc errors In-Reply-To: <926ab61b0709271142x2d951d4bvaa77e63889e156c7@mail.gmail.com> References: <926ab61b0709271142x2d951d4bvaa77e63889e156c7@mail.gmail.com> Message-ID: <2b26c4260709291931l7fac0274x8ba74808875b3717@mail.gmail.com> 2007/9/27, Bjorn Oglefjorn : > I am trying to track down the cause of some errors that have been occurring > on a number of our servers using LDAP. We have noticed that when a certain > LDAP group exceeds 65 users we begin seeing glibc errors for users in the > group. Users that are not in the group do not exhibit this behavior. > > We have seen this issue on machines running Centos 4.5 x86 & x86_64 with > glibc-2.3.4-2.36 and RH4 x86_64 running glibc-2.3.4-2.25. 
We are running > Fedora Directory Server 1.0.4 on Centos 4.5. We have added a 3rd FDS slave > and turned up debugging but have not seen anything that appears to be > relevant in the logs on the 3rd slave. > > This problem is not a 65 user limit as we have other groups with well over > 65 members that do not display this behavior. We also created a new group > with identical users and it did not display this problem. > > 1) With 66 users in the massweb group > > [root at megalon ~]# getent group massweb > *** glibc detected *** free(): invalid next size (normal): 0x09a225b0 *** > Aborted You should disable the GLIBC internal sanity via MALLOC_CHECK_ environment variable with a zero(0) value. The RHEL4 Release Notes show how do that, check glibc section for more information: http://www.red-hat.com/docs/manuals/enterprise/RHEL-4-Manual/release-notes/ws-x86/ -- Wilmer Jaramillo M. GPG Key Fingerprint = 0666 D0D3 24CE 8935 9C24 BBF1 87DD BEA2 A4B2 1E8A
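The "free(): invalid next size" abort quoted above is glibc's own heap-metadata consistency check firing inside free(): some code wrote past the end of a heap block before that call, and the check only reports the damage after the fact. The thread does not identify which component overruns its buffer when the group grows past 65 members, so the following is an added example, not code from the thread or from nss_ldap, glibc or Fedora Directory Server. It parses lines in the "getent group" format (name:password:gid:member,member,...) into a member array that grows on demand, so a group with 66 or 600 members is handled the same way as one with 5, and it rejects malformed lines instead of guessing. The struct and function names (group_entry, parse_group_line, sample_member_count) and the sample group "massweb" with gid 5000 and members user1..userN are constructed for this example.

```c
/* Added example: a bounds-checked parser for "getent group" output lines.
 * Names and sample data below are constructed for illustration. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct group_entry {
    char *name;
    unsigned long gid;
    char **members;   /* heap array of member names, grown as needed */
    size_t nmembers;
    size_t capacity;
};

/* Append a length-delimited copy of one member name, doubling the
 * array when it is full; never writes past the allocated capacity. */
static int add_member(struct group_entry *g, const char *m, size_t len) {
    if (g->nmembers == g->capacity) {
        size_t ncap = g->capacity ? g->capacity * 2 : 8;
        char **tmp = realloc(g->members, ncap * sizeof *tmp);
        if (!tmp) return -1;
        g->members = tmp;
        g->capacity = ncap;
    }
    char *copy = malloc(len + 1);
    if (!copy) return -1;
    memcpy(copy, m, len);
    copy[len] = '\0';
    g->members[g->nmembers++] = copy;
    return 0;
}

void free_group_entry(struct group_entry *g) {
    for (size_t i = 0; i < g->nmembers; i++) free(g->members[i]);
    free(g->members);
    free(g->name);
    memset(g, 0, sizeof *g);
}

/* Parse one "name:passwd:gid:m1,m2,..." line (with or without a trailing
 * newline). Returns 0 on success, -1 on malformed input or allocation
 * failure; an empty member field yields zero members. */
int parse_group_line(const char *line, struct group_entry *out) {
    memset(out, 0, sizeof *out);
    const char *c1 = strchr(line, ':');
    if (!c1) return -1;
    const char *c2 = strchr(c1 + 1, ':');
    if (!c2) return -1;
    const char *c3 = strchr(c2 + 1, ':');
    if (!c3) return -1;

    size_t namelen = (size_t)(c1 - line);
    out->name = malloc(namelen + 1);
    if (!out->name) return -1;
    memcpy(out->name, line, namelen);
    out->name[namelen] = '\0';

    errno = 0;
    char *end;
    out->gid = strtoul(c2 + 1, &end, 10);
    if (errno || end != c3) { free_group_entry(out); return -1; }

    const char *m = c3 + 1;
    while (*m && *m != '\n') {
        const char *sep = strpbrk(m, ",\n");
        size_t len = sep ? (size_t)(sep - m) : strlen(m);
        if (len == 0 || add_member(out, m, len) != 0) {
            free_group_entry(out);   /* empty member name or OOM */
            return -1;
        }
        if (!sep || *sep == '\n') break;
        m = sep + 1;
    }
    return 0;
}

/* Count the members on one line; -1 if the line does not parse. */
long count_group_members(const char *line) {
    struct group_entry g;
    if (parse_group_line(line, &g) != 0) return -1;
    long n = (long)g.nmembers;
    free_group_entry(&g);
    return n;
}

/* Build a constructed "massweb:x:5000:user1,...,userN" line and count it
 * back, to show that nothing special happens at 65 or 66 members. */
long sample_member_count(int n) {
    char line[8192];
    int off = snprintf(line, sizeof line, "massweb:x:5000:");
    for (int i = 1; i <= n; i++) {
        int w = snprintf(line + off, sizeof line - (size_t)off,
                         "%suser%d", i > 1 ? "," : "", i);
        if (w < 0 || (size_t)w >= sizeof line - (size_t)off) return -1;
        off += w;
    }
    return count_group_members(line);
}

int main(void) {
    printf("massweb with 66 members parses to %ld members\n",
           sample_member_count(66));
    return 0;
}
```

The point of the shape here is that every copy is sized from the measured input and the member array is reallocated before it is full, so the code has no threshold at which it starts scribbling over the next heap chunk. Silencing the check with MALLOC_CHECK_ makes the abort go away, but the write that triggered it still happens; locating and fixing that write is what actually removes the risk.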