From james at jameswhite.org Fri Aug 1 17:29:39 2008
From: james at jameswhite.org (James S. White)
Date: Fri, 1 Aug 2008 12:29:39 -0500 (CDT)
Subject: [Fedora-directory-users] blank fedora-idm-console after login
Message-ID:

I am having trouble getting fedora-ds-admin to do anything but display an empty dialog. I am attempting this on CentOS 5.2 and I've tried it with both java-1.5.0-sun and java-1.5.0-ibm.

fedora-idm-console -D 9 http:127.0.0.1:9830 > http://pastebin.com/f4c8867aa 2>&1

This is on a development VM, in a lab, and I completely rebuild it when I toggle out the JDKs, so the personal information in the pastebin is irrelevant.

Any help would be appreciated.

From G.Seaman at lse.ac.uk Mon Aug 4 08:41:57 2008
From: G.Seaman at lse.ac.uk (Graham Seaman)
Date: Mon, 04 Aug 2008 09:41:57 +0100
Subject: [Fedora-directory-users] forcing reload?
Message-ID: <4896C0D5.2000101@lse.ac.uk>

Hi,

How do I persuade fedora-ds to load new schema? Restarting the slapd daemon doesn't seem to do it. Completely removing a directory and then recreating it does, but I don't want to have to keep doing that if possible...

Thanks
Graham

From solarflow99 at gmail.com Mon Aug 4 09:06:12 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Mon, 4 Aug 2008 10:06:12 +0100
Subject: [Fedora-directory-users] forcing reload?
In-Reply-To: <4896C0D5.2000101@lse.ac.uk>
References: <4896C0D5.2000101@lse.ac.uk>
Message-ID: <7020fd000808040206p77ca2c16j4f1a908a8fb0bdc2@mail.gmail.com>

I'd just restart dirsrv, and probably even dirsrv-admin too.

On 8/4/08, Graham Seaman wrote:
>
> Hi,
>
> How do I persuade fedora-ds to load new schema? Restarting the slapd daemon
> doesn't seem to do it. Completely removing a directory and then recreating
> it does, but I don't want to have to keep doing that if possible...
>
> Thanks
> Graham
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From G.Seaman at lse.ac.uk Mon Aug 4 09:15:08 2008
From: G.Seaman at lse.ac.uk (Graham Seaman)
Date: Mon, 04 Aug 2008 10:15:08 +0100
Subject: [Fedora-directory-users] forcing reload?
In-Reply-To: <7020fd000808040206p77ca2c16j4f1a908a8fb0bdc2@mail.gmail.com>
References: <4896C0D5.2000101@lse.ac.uk> <7020fd000808040206p77ca2c16j4f1a908a8fb0bdc2@mail.gmail.com>
Message-ID: <4896C89C.2040002@lse.ac.uk>

solarflow99 wrote:
> I'd just restart dirsrv, and probably even dirsrv-admin too.
>
I'm not running the admin server. Restarting dirsrv doesn't appear to do it. If it should normally, I guess I've got something else wrong...

Graham

From solarflow99 at gmail.com Mon Aug 4 09:40:16 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Mon, 4 Aug 2008 10:40:16 +0100
Subject: [Fedora-directory-users] forcing reload?
In-Reply-To: <4896C89C.2040002@lse.ac.uk>
References: <4896C0D5.2000101@lse.ac.uk> <7020fd000808040206p77ca2c16j4f1a908a8fb0bdc2@mail.gmail.com> <4896C89C.2040002@lse.ac.uk>
Message-ID: <7020fd000808040240v52eaf46fs8ab0cbf14aac4e35@mail.gmail.com>

What platform are you running on? A service restart should have dirsrv take the new schema. Do the logs show anything wrong?

On 8/4/08, Graham Seaman wrote:
>
> solarflow99 wrote:
>
>> I'd just restart dirsrv, and probably even dirsrv-admin too.
>>
> I'm not running the admin server. Restarting dirsrv doesn't appear to do
> it. If it should normally, I guess I've got something else wrong...
>
> Graham

From howard at cohtech.com Mon Aug 4 09:44:41 2008
From: howard at cohtech.com (Howard Wilkinson)
Date: Mon, 04 Aug 2008 10:44:41 +0100
Subject: [Fedora-directory-users] Recover directory database files when disk fills up!
In-Reply-To: <488F2D9E.1000805@redhat.com>
References: <488EDA1E.1000005@cohtech.com> <488F2D9E.1000805@redhat.com>
Message-ID: <4896CF89.3020600@cohtech.com>

Richard Megginson wrote:
> Howard Wilkinson wrote:
>>
> These are messages from sasl. I believe you can ignore them, I don't
> think they have anything to do with the problem.
>>
>> What can I do to recover the database so that I can start the server?
> What messages do you get in the directory server error log?

Fedora-Directory/1.1.1 B2008.151.1915
bastion.finsbury.cohtech.co.uk:636 (/etc/dirsrv/slapd-bastion)

[04/Aug/2008:10:40:15 +0100] - Fedora-Directory/1.1.1 B2008.151.1915 starting up
[04/Aug/2008:10:40:15 +0100] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[04/Aug/2008:10:40:17 +0100] - libdb: file userRoot/id2entry.db4 has LSN 518/7178886, past end of log at 1/4431
[04/Aug/2008:10:40:17 +0100] - libdb: Commonly caused by moving a database from one database environment
[04/Aug/2008:10:40:17 +0100] - libdb: to another without clearing the database LSNs, or by removing all of
[04/Aug/2008:10:40:17 +0100] - libdb: the log files from a database environment
[04/Aug/2008:10:40:17 +0100] - libdb: /var/lib/dirsrv/slapd-bastion/db/userRoot/id2entry.db4: unexpected file type or format
[04/Aug/2008:10:40:17 +0100] - dbp->open("userRoot/id2entry.db4") failed: Invalid argument (22)
[04/Aug/2008:10:40:17 +0100] - dblayer_instance_start fail: Invalid argument (22)
[04/Aug/2008:10:40:18 +0100] - libdb: file NetscapeRoot/id2entry.db4 has LSN 210/949652, past end of log at 1/6026
[04/Aug/2008:10:40:18 +0100] - libdb: Commonly caused by moving a database from one database environment
[04/Aug/2008:10:40:18 +0100] - libdb: to another without clearing the database LSNs, or by removing all of
[04/Aug/2008:10:40:18 +0100] - libdb: the log files from a database environment
[04/Aug/2008:10:40:18 +0100] - libdb: /var/lib/dirsrv/slapd-bastion/db/NetscapeRoot/id2entry.db4: unexpected file type or format
[04/Aug/2008:10:40:18 +0100] - dbp->open("NetscapeRoot/id2entry.db4") failed: Invalid argument (22)
[04/Aug/2008:10:40:18 +0100] - dblayer_instance_start fail: Invalid argument (22)
[04/Aug/2008:10:40:18 +0100] - libdb: file cohtechNet/id2entry.db4 has LSN 400/7475236, past end of log at 1/6478
[04/Aug/2008:10:40:18 +0100] - libdb: Commonly caused by moving a database from one database environment
[04/Aug/2008:10:40:18 +0100] - libdb: to another without clearing the database LSNs, or by removing all of
[04/Aug/2008:10:40:18 +0100] - libdb: the log files from a database environment
[04/Aug/2008:10:40:18 +0100] - libdb: /var/lib/dirsrv/slapd-bastion/db/cohtechNet/id2entry.db4: unexpected file type or format
[04/Aug/2008:10:40:18 +0100] - dbp->open("cohtechNet/id2entry.db4") failed: Invalid argument (22)
[04/Aug/2008:10:40:18 +0100] - dblayer_instance_start fail: Invalid argument (22)
[04/Aug/2008:10:40:18 +0100] - libdb: file cohtechCom/id2entry.db4 has LSN 198/9190421, past end of log at 1/6478
[04/Aug/2008:10:40:18 +0100] - libdb: Commonly caused by moving a database from one database environment
[04/Aug/2008:10:40:18 +0100] - libdb: to another without clearing the database LSNs, or by removing all of
[04/Aug/2008:10:40:18 +0100] - libdb: the log files from a database environment
[04/Aug/2008:10:40:18 +0100] - libdb: /var/lib/dirsrv/slapd-bastion/db/cohtechCom/id2entry.db4: unexpected file type or format
[04/Aug/2008:10:40:18 +0100] - dbp->open("cohtechCom/id2entry.db4") failed: Invalid argument (22)
[04/Aug/2008:10:40:18 +0100] - dblayer_instance_start fail: Invalid argument (22)
[04/Aug/2008:10:40:18 +0100] - WARNING---no write permission to file /var/lib/dirsrv/slapd-bastion/db/cohCoUk/log.0000000001
[04/Aug/2008:10:40:18 +0100] - start: Failed to start databases, err=22 Invalid argument
[04/Aug/2008:10:40:18 +0100] - Failed to allocate 10000000 byte dbcache. Please reduce nsslapd-cache-autosize and Restart the server.
[04/Aug/2008:10:40:18 +0100] - Failed to start database plugin ldbm database
[04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance willertonCohtechNet already exists
[04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance viaFonCohtechNet already exists
[04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance userRoot already exists
[04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance towerbridgeCohtechNet already exists
[04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance time2joininCohtechNet already exists
[04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance sudaminltdCom already exists
[04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance stokieCohtechCoUk already exists
[04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance seamsysCom already exists
[04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance palmPrintsCom already exists
[04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance orbItNet already exists
[04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance orbItCom already exists
[04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance orbCoUk already exists
[04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance NetscapeRoot already exists
[04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance finsburyCohtechCoUk already exists
[04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance conceptsIntCohtechNet already exists
[04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance cohtechOrg already exists
[04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance cohtechNet already exists
[04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance cohtechCom already exists
[04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance coherentTechnologyOrg already exists
[04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance coherentTechnologyNet already exists
[04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance coherentTechnologyCoUk already exists
[04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance coherentTechnologyCom already exists
[04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance coherentLocal already exists
[04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance cohCoUk already exists
[04/Aug/2008:10:40:18 +0100] binder-based resource limits - nsLookThroughLimit: parameter error (slapi_reslimit_register() already registered)
[04/Aug/2008:10:40:18 +0100] - start: Resource limit registration failed
[04/Aug/2008:10:40:18 +0100] - Failed to start database plugin ldbm database
[04/Aug/2008:10:40:18 +0100] - Error: Failed to resolve plugin dependencies
[04/Aug/2008:10:40:18 +0100] - Error: accesscontrol plugin ACL Plugin is not started
[04/Aug/2008:10:40:18 +0100] - Error: preoperation plugin ACL preoperation is not started
[04/Aug/2008:10:40:18 +0100] - Error: object plugin Class of Service is not started
[04/Aug/2008:10:40:18 +0100] - Error: preoperation plugin HTTP Client is not started
[04/Aug/2008:10:40:18 +0100] - Error: database plugin ldbm database is not started
[04/Aug/2008:10:40:18 +0100] - Error: object plugin Legacy Replication Plugin is not started
[04/Aug/2008:10:40:19 +0100] - Error: object plugin Multimaster Replication Plugin is not started
[04/Aug/2008:10:40:19 +0100] - Error: object plugin Roles Plugin is not started
[04/Aug/2008:10:40:19 +0100] - Error: object plugin Views is not started

From G.Seaman at lse.ac.uk Mon Aug 4 10:06:07 2008
From: G.Seaman at lse.ac.uk (Graham Seaman)
Date: Mon, 04 Aug 2008 11:06:07 +0100
Subject: [Fedora-directory-users] forcing reload?
In-Reply-To: <7020fd000808040240v52eaf46fs8ab0cbf14aac4e35@mail.gmail.com>
References: <4896C0D5.2000101@lse.ac.uk> <7020fd000808040206p77ca2c16j4f1a908a8fb0bdc2@mail.gmail.com> <4896C89C.2040002@lse.ac.uk> <7020fd000808040240v52eaf46fs8ab0cbf14aac4e35@mail.gmail.com>
Message-ID: <4896D48F.503@lse.ac.uk>

solarflow99 wrote:
> what platform are you running on? a service restart should have
> dirsrv take the new schema, do the logs show anything wrong?
uname -a says:

Linux enterprise1.lse.ac.uk 2.6.18-53.1.14.el5 #1 SMP Tue Feb 19 07:18:21 EST 2008 i686 i686 i386 GNU/Linux

ns-slapd -version says:

Fedora-Directory/1.1.0 B2007.354.1236

There are no errors reported in access or errors when I restart; the only error I'm getting is when I try to create an entry using the new schema I'm trying to load, which gives me:

[04/Aug/2008:10:12:25 +0100] conn=1 op=5 RESULT err=65 tag=105 nentries=0 etime=0
[04/Aug/2008:11:02:12 +0100] - Entry "cn=test,ou=flame users,dc=lse,dc=ac,dc=uk" has unknown object class "eduPerson"

eduPerson is a standard schema which works fine. It is the schema I accidentally missed out when I started and am trying to add.

I have the same problem with Fedora-ds on another system running CentOS: I can add a new schema only by deleting the directory and populating it from scratch.

I am new to LDAP, so am not sure what is expected behaviour and what isn't.

Graham

From solarflow99 at gmail.com Mon Aug 4 10:43:02 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Mon, 4 Aug 2008 11:43:02 +0100
Subject: [Fedora-directory-users] forcing reload?
In-Reply-To: <4896D48F.503@lse.ac.uk>
References: <4896C0D5.2000101@lse.ac.uk> <7020fd000808040206p77ca2c16j4f1a908a8fb0bdc2@mail.gmail.com> <4896C89C.2040002@lse.ac.uk> <7020fd000808040240v52eaf46fs8ab0cbf14aac4e35@mail.gmail.com> <4896D48F.503@lse.ac.uk>
Message-ID: <7020fd000808040343i6fb3b8a6mab8f275c6f735a72@mail.gmail.com>

On 8/4/08, Graham Seaman wrote:
>
> solarflow99 wrote:
>
>> what platform are you running on? a service restart should have dirsrv
>> take the new schema, do the logs show anything wrong?
>>
> uname -a says:
>
> Linux enterprise1.lse.ac.uk 2.6.18-53.1.14.el5 #1 SMP Tue Feb 19 07:18:21
> EST 2008 i686 i686 i386 GNU/Linux
>
> ns-slapd -version says:
>
> Fedora-Directory/1.1.0 B2007.354.1236
>
> There are no errors reported in access or errors when I restart; the only
> error I'm getting is when I try to create an entry using the new schema I'm
> trying to load, which gives me:
>
> [04/Aug/2008:10:12:25 +0100] conn=1 op=5 RESULT err=65 tag=105 nentries=0
> etime=0
> [04/Aug/2008:11:02:12 +0100] - Entry "cn=test,ou=flame
> users,dc=lse,dc=ac,dc=uk" has unknown object class "eduPerson"
>
> eduPerson is a standard schema which works fine. It is the schema I
> accidentally missed out when I started and am trying to add.
>
> I have the same problem with Fedora-ds on another system running CentOS: I
> can add a new schema only by deleting the directory and populating it from
> scratch.
>
> I am new to LDAP, so am not sure what is expected behaviour and what isn't.
>
> Graham

OK, it sounds like what I think it is. When you created the existing users, they were not added with the eduPerson objectclass since the schema didn't exist in FDS, so now only new users will automatically get it, assuming your front end provides it. Not sure what you are using, since you said it's not dirsrv-admin; you must have a way of adding new users, etc. That's why it's best to add the schema to FDS first, then start creating new users.

The way I understand it, the schema only makes it possible for an LDAP server to allow the extra feature, but it's the user (object) that has its necessary objectclasses assigned to it; for each objectclass, you can assign the values and attributes. For example: samba requires adding the samba schema into FDS, then each user needs to have the "sambasamaccount" objectclass, which has numerous values that samba accounts use.

I was new with LDAP not long ago too, hope this helps..

From G.Seaman at lse.ac.uk Mon Aug 4 10:59:34 2008
From: G.Seaman at lse.ac.uk (Graham Seaman)
Date: Mon, 04 Aug 2008 11:59:34 +0100
Subject: [Fedora-directory-users] forcing reload?
In-Reply-To: <7020fd000808040343i6fb3b8a6mab8f275c6f735a72@mail.gmail.com>
References: <4896C0D5.2000101@lse.ac.uk> <7020fd000808040206p77ca2c16j4f1a908a8fb0bdc2@mail.gmail.com> <4896C89C.2040002@lse.ac.uk> <7020fd000808040240v52eaf46fs8ab0cbf14aac4e35@mail.gmail.com> <4896D48F.503@lse.ac.uk> <7020fd000808040343i6fb3b8a6mab8f275c6f735a72@mail.gmail.com>
Message-ID: <4896E116.2060407@lse.ac.uk>

solarflow99 wrote:
>
> ok, it sounds like what I think it is. When you created the existing
> users, they were not added with the eduPerson objectclass since the
> schema didn't exist in FDS, so now only new users will
> automatically get it assuming your front end provides it, not sure
> what you are using since you said its not dirsrv-admin, you must have
> a way of adding new users, etc. Thats why its best to add the schema
> to FDS first, then start creating new users.

I'm tinkering with new schema as well as including the standard eduPerson and was hoping to avoid having to strip out all the data and then repopulate each time I make a minor change to the schema. I'm populating it from a large Active Directory by script, which already has quite a long run time.

But I don't have any users in the directory at all yet, which is why I was a bit surprised at the behaviour. I thought at least adding new users with a new schema wouldn't be a problem. I guess if that is out, the next thing I need to check is what happens if I add a new 'may' field to an existing schema: will it force me to drop all the old data to install that, too?

> The way I understand it, the schema only makes it possible for an
> ldap server to allow the extra feature, but its the user (object) that
> has its necessary objectclasses assigned to it, for each objectclass,
> you can assign the values and attributes. For example: samba
> requires adding the samba schema into FDS, then each user needs to
> have the "sambasamaccount" objectclass which has numerous values that
> samba accounts use.
>
> I was new with ldap not long ago too, hope this helps..

:-)

Thanks
Graham

From k.brown at bbk.ac.uk Mon Aug 4 11:44:26 2008
From: k.brown at bbk.ac.uk (ken)
Date: Mon, 04 Aug 2008 12:44:26 +0100
Subject: [Fedora-directory-users] forcing reload?
In-Reply-To: <4896E116.2060407@lse.ac.uk>
References: <4896C0D5.2000101@lse.ac.uk> <7020fd000808040206p77ca2c16j4f1a908a8fb0bdc2@mail.gmail.com> <4896C89C.2040002@lse.ac.uk> <7020fd000808040240v52eaf46fs8ab0cbf14aac4e35@mail.gmail.com> <4896D48F.503@lse.ac.uk> <7020fd000808040343i6fb3b8a6mab8f275c6f735a72@mail.gmail.com> <4896E116.2060407@lse.ac.uk>
Message-ID: <4896EB9A.5070008@bbk.ac.uk>

Graham Seaman wrote:
> I'm tinkering with new schema as well as including the standard
> eduPerson

Perhaps best to get it working with the standard before changing anything?

> and was hoping to avoid having to strip out all the data and
> then repopulate each time I make a minor change to the schema.

That should not be necessary unless your new or altered schema removes or redefines attributes or classes that are already in place in the directory. I added three or four new schemata to the directory I just installed, including EduPerson, and each time the data remained in place but I became able to add new attribute types to existing directory objects.

What order are you loading the schema files in? (Controlled by the two digits at the start of the file name.)

> I'm
> populating it from a large Active Directory by script, which already has
> quite a long run time.

Pretty much exactly what I'm doing!

> But I don't have any users in the directory at all yet, which is why I
> was a bit surprised at the behaviour. I thought at least adding new
> users with a new schema wouldn't be a problem. I guess if that is out
> the next thing I need to check is what happens if I add a new 'may'
> field to an existing schema - will it force me to drop all the old data
> to install that, too.

I do not think it should not do this at all. As far as I know, adding EduPerson (or any other new schema) ought not to change what is in the directory already, as long as you do not delete or redefine old classes or attributes that are used by existing entries.

Are there no error messages at startup?

Does the "new schema" you say you are "tinkering with" contain any attributes or classes with the same names or OIDs as ones in any other schema?

Does the version of the eduPerson schema you are using contain a "changetype:" or any "add:" or "delete:" attributes? (I had to strip them all out to get mine working because Fedora didn't like an attempt to modify things that didn't exist.)

I wouldn't want to bet on what happens if a class is defined in one schema, then referred to in another, then redefined in a third!

From k.brown at bbk.ac.uk Mon Aug 4 12:03:32 2008
From: k.brown at bbk.ac.uk (ken)
Date: Mon, 04 Aug 2008 13:03:32 +0100
Subject: [Fedora-directory-users] forcing reload?
In-Reply-To: <4896EB9A.5070008@bbk.ac.uk>
References: <4896C0D5.2000101@lse.ac.uk> <7020fd000808040206p77ca2c16j4f1a908a8fb0bdc2@mail.gmail.com> <4896C89C.2040002@lse.ac.uk> <7020fd000808040240v52eaf46fs8ab0cbf14aac4e35@mail.gmail.com> <4896D48F.503@lse.ac.uk> <7020fd000808040343i6fb3b8a6mab8f275c6f735a72@mail.gmail.com> <4896E116.2060407@lse.ac.uk> <4896EB9A.5070008@bbk.ac.uk>
Message-ID: <4896F014.7050205@bbk.ac.uk>

> Graham Seaman wrote:
>> will it force me to drop all the old
>> data to install that, too.

and I incompetently replied:

> I do not think it should not do this at all.

which of course should have been either "I do not think it should do this..." or else "I think it should not do this..."

Whoops

From G.Seaman at lse.ac.uk Mon Aug 4 12:50:23 2008
From: G.Seaman at lse.ac.uk (Graham Seaman)
Date: Mon, 04 Aug 2008 13:50:23 +0100
Subject: [Fedora-directory-users] forcing reload?
In-Reply-To: <4896EB9A.5070008@bbk.ac.uk>
References: <4896C0D5.2000101@lse.ac.uk> <7020fd000808040206p77ca2c16j4f1a908a8fb0bdc2@mail.gmail.com> <4896C89C.2040002@lse.ac.uk> <7020fd000808040240v52eaf46fs8ab0cbf14aac4e35@mail.gmail.com> <4896D48F.503@lse.ac.uk> <7020fd000808040343i6fb3b8a6mab8f275c6f735a72@mail.gmail.com> <4896E116.2060407@lse.ac.uk> <4896EB9A.5070008@bbk.ac.uk>
Message-ID: <4896FB0F.9060108@lse.ac.uk>

ken wrote:
> Graham Seaman wrote:
>
>> I'm tinkering with new schema as well as including the standard
>> eduPerson
>
> Perhaps best to get it working with the standard before changing
> anything?

Well, it does work on another Fedora install, so I know there's nothing syntactically wrong with the schema. But I just know I'm going to have to make changes to my new schema after the thing goes live... (I'm not modifying eduPerson; the new schema is something separate.)

>> and was hoping to avoid having to strip out all the data and then
>> repopulate each time I make a minor change to the schema.
>
> That should not be neccessary unless your new or altered schema
> removed or redefines attributes or classes that are already in place
> in the directory. I added three or four new schemata to the directory
> I just installed, including EduPerson, and each time the data remained
> in place but I became able to add new attribute types to existing
> directory objects

OK, that's the way I thought it should work. So I must have something set up wrong. What Fedora version are you using?

> What order are you loading the schema files in? (Controlled by the
> two digits at the start of the file name)

60pam-plugin.ldif
65eduperson200806.ldif
70edumember.ldif
80testperson.ldif
99user.ldif

>> I'm
>> populating it from a large Active Directory by script, which already
>> has quite a long run time.
>
> Pretty much exactly what I'm doing!
>
>> But I don't have any users in the directory at all yet, which is why
>> I was a bit surprised at the behaviour. I thought at least adding new
>> users with a new schema wouldn't be a problem. I guess if that is
>> out the next thing I need to check is what happens if I add a new
>> 'may' field to an existing schema - will it force me to drop all the
>> old data to install that, too.
>
> I do not think it should not do this at all. As far as I know adding
> EduPerson (or any other new schema) ought not to change what is in the
> directory already as long as you do not delete or redefine old
> classes or attributes that are used by existing entries.
>
> Are there no error messages at startup?

None. Maybe I should look at increasing the log level. But I just realised the admin server (which I'm not using) does have a problem:

[13:39 g_seaman at enterprise1:~/Ldap] sudo /etc/init.d/dirsrv-admin start
Starting dirsrv-admin:
grep: /etc/dirsrv/admin-serv/adm.conf: No such file or directory
/var/run/dirsrv is not writable for

Odd, since /var/run/dirsrv is world writeable (and the main directory is writing to it fine). But there genuinely is no adm.conf. All the same, I can't see how this would relate to my original problem.

> Does the "new schema" you say you are "tinkering with" contain any
> attributes or classes with the same names or OIDs as ones in any other
> schema?

No. It works fine in another fedora-ds install anyway. It's mainly just to mop up a few Active Directory attributes I want to keep which don't have equivalents in the other schema I'm using (things like department (not departmentNumber), coursecode, etc.). It's there exactly because those names don't exist anywhere else.

> Does the version of the eduPerson schema you are using contain a
> "changetype:" or any "add:" or "delete:" attributes? (I had to strip
> them all out to get mine working because Fedora didn't like an attempt
> to modify things that didn't exist)

No, I didn't even know you could do that in a schema. Mine is a straight version of the latest one on the Educause site.

> I wouldn't want to bet on what happens if a class is defined in one
> schema, then referred to in another, then redefined in a third!

Nor me, but I'm sure that's not the problem.

Graham

From rmeggins at redhat.com Mon Aug 4 14:22:22 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 04 Aug 2008 08:22:22 -0600
Subject: [Fedora-directory-users] forcing reload?
In-Reply-To: <4896D48F.503@lse.ac.uk>
References: <4896C0D5.2000101@lse.ac.uk> <7020fd000808040206p77ca2c16j4f1a908a8fb0bdc2@mail.gmail.com> <4896C89C.2040002@lse.ac.uk> <7020fd000808040240v52eaf46fs8ab0cbf14aac4e35@mail.gmail.com> <4896D48F.503@lse.ac.uk>
Message-ID: <4897109E.9010708@redhat.com>

Graham Seaman wrote:
> solarflow99 wrote:
>> what platform are you running on? a service restart should have
>> dirsrv take the new schema, do the logs show anything wrong?
> uname -a says:
>
> Linux enterprise1.lse.ac.uk 2.6.18-53.1.14.el5 #1 SMP Tue Feb 19
> 07:18:21 EST 2008 i686 i686 i386 GNU/Linux
>
> ns-slapd -version says:
>
> Fedora-Directory/1.1.0 B2007.354.1236
>
> There are no errors reported in access or errors when I restart; the
> only error I'm getting is when I try to create an entry using the new
> schema I'm trying to load, which gives me:
>
> [04/Aug/2008:10:12:25 +0100] conn=1 op=5 RESULT err=65 tag=105
> nentries=0 etime=0
> [04/Aug/2008:11:02:12 +0100] - Entry "cn=test,ou=flame
> users,dc=lse,dc=ac,dc=uk" has unknown object class "eduPerson"
>
> eduPerson is a standard schema which works fine. It is the schema I
> accidentally missed out when I started and am trying to add.
>
> I have the same problem with Fedora-ds on another system running
> CentOS: I can add a new schema only by deleting the directory and
> populating it from scratch.

Deleting which directory? To which directory are you adding the schema files?

> I am new to Ldap, so am not sure what is expected behaviour and what
> isn't.
> > Graham

From rmeggins at redhat.com Mon Aug 4 14:27:17 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 04 Aug 2008 08:27:17 -0600 Subject: [Fedora-directory-users] blank fedora-idm-console after login In-Reply-To: References: Message-ID: <489711C5.9070309@redhat.com> James S. White wrote: > I am having trouble getting fedora-ds-admin to do anything but display > an empty dialog. I am attempting this on CentOS 5.2 and I've tried it with > both java-1.5.0-sun and java-1.5.0-ibm. > > fedora-idm-console -D 9 http:127.0.0.1:9830 > http://pastebin.com/f4c8867aa 2>&1 > > This is on a development VM, in a Lab, and I completely rebuild it when I toggle out the jdks, so the personal information in the pastebin is irrelevant. > > Any help would be appreciated. > You get the login dialog, put in the admin user name and password, then press Enter, then does it pop up the console main window? Does it have an empty server list? Is this server standalone and self contained, or are you using another server for your configuration directory server?

From rmeggins at redhat.com Mon Aug 4 14:28:10 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 04 Aug 2008 08:28:10 -0600 Subject: [Fedora-directory-users] Recover directory database files when disk fills up!
In-Reply-To: <4896CF89.3020600@cohtech.com> References: <488EDA1E.1000005@cohtech.com> <488F2D9E.1000805@redhat.com> <4896CF89.3020600@cohtech.com> Message-ID: <489711FA.7060007@redhat.com> Howard Wilkinson wrote: > Richard Megginson wrote: >> Howard Wilkinson wrote: >>> >> These are messages from sasl. I believe you can ignore them, I don't >> think they have anything to do with the problem. >>> >>> >>> What can I do to recover the database so that I can start the server? >> What messages do you get in the directory server error log? > > Fedora-Directory/1.1.1 B2008.151.1915 > bastion.finsbury.cohtech.co.uk:636 (/etc/dirsrv/slapd-bastion) > > [04/Aug/2008:10:40:15 +0100] - Fedora-Directory/1.1.1 > B2008.151.1915 starting up > [04/Aug/2008:10:40:15 +0100] - Detected Disorderly Shutdown last > time Directory Server was running, recovering database. > [04/Aug/2008:10:40:17 +0100] - libdb: file userRoot/id2entry.db4 > has LSN 518/7178886, past end of log at 1/4431 > [04/Aug/2008:10:40:17 +0100] - libdb: Commonly caused by moving a > database from one database environment > [04/Aug/2008:10:40:17 +0100] - libdb: to another without clearing > the database LSNs, or by removing all of > [04/Aug/2008:10:40:17 +0100] - libdb: the log files from a > database environment > How did you create the backup? 
> > [04/Aug/2008:10:40:17 +0100] - libdb: > /var/lib/dirsrv/slapd-bastion/db/userRoot/id2entry.db4: unexpected > file type or format > [04/Aug/2008:10:40:17 +0100] - dbp->open("userRoot/id2entry.db4") > failed: Invalid argument (22) > [04/Aug/2008:10:40:17 +0100] - dblayer_instance_start fail: > Invalid argument (22) > [04/Aug/2008:10:40:18 +0100] - libdb: file > NetscapeRoot/id2entry.db4 has LSN 210/949652, past end of log at > 1/6026 > [04/Aug/2008:10:40:18 +0100] - libdb: Commonly caused by moving a > database from one database environment > [04/Aug/2008:10:40:18 +0100] - libdb: to another without clearing > the database LSNs, or by removing all of > [04/Aug/2008:10:40:18 +0100] - libdb: the log files from a > database environment > [04/Aug/2008:10:40:18 +0100] - libdb: > /var/lib/dirsrv/slapd-bastion/db/NetscapeRoot/id2entry.db4: > unexpected file type or format > [04/Aug/2008:10:40:18 +0100] - > dbp->open("NetscapeRoot/id2entry.db4") failed: Invalid argument (22) > [04/Aug/2008:10:40:18 +0100] - dblayer_instance_start fail: > Invalid argument (22) > [04/Aug/2008:10:40:18 +0100] - libdb: file cohtechNet/id2entry.db4 > has LSN 400/7475236, past end of log at 1/6478 > [04/Aug/2008:10:40:18 +0100] - libdb: Commonly caused by moving a > database from one database environment > [04/Aug/2008:10:40:18 +0100] - libdb: to another without clearing > the database LSNs, or by removing all of > [04/Aug/2008:10:40:18 +0100] - libdb: the log files from a > database environment > [04/Aug/2008:10:40:18 +0100] - libdb: > /var/lib/dirsrv/slapd-bastion/db/cohtechNet/id2entry.db4: > unexpected file type or format > [04/Aug/2008:10:40:18 +0100] - > dbp->open("cohtechNet/id2entry.db4") failed: Invalid argument (22) > [04/Aug/2008:10:40:18 +0100] - dblayer_instance_start fail: > Invalid argument (22) > [04/Aug/2008:10:40:18 +0100] - libdb: file cohtechCom/id2entry.db4 > has LSN 198/9190421, past end of log at 1/6478 > [04/Aug/2008:10:40:18 +0100] - libdb: Commonly caused by moving a > 
database from one database environment > [04/Aug/2008:10:40:18 +0100] - libdb: to another without clearing > the database LSNs, or by removing all of > [04/Aug/2008:10:40:18 +0100] - libdb: the log files from a > database environment > [04/Aug/2008:10:40:18 +0100] - libdb: > /var/lib/dirsrv/slapd-bastion/db/cohtechCom/id2entry.db4: > unexpected file type or format > [04/Aug/2008:10:40:18 +0100] - > dbp->open("cohtechCom/id2entry.db4") failed: Invalid argument (22) > [04/Aug/2008:10:40:18 +0100] - dblayer_instance_start fail: > Invalid argument (22) > [04/Aug/2008:10:40:18 +0100] - WARNING---no write permission to > file /var/lib/dirsrv/slapd-bastion/db/cohCoUk/log.0000000001 > [04/Aug/2008:10:40:18 +0100] - start: Failed to start databases, > err=22 Invalid argument > [04/Aug/2008:10:40:18 +0100] - Failed to allocate 10000000 byte > dbcache. Please reduce nsslapd-cache-autosize and Restart the server. > [04/Aug/2008:10:40:18 +0100] - Failed to start database plugin > ldbm database > [04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance > willertonCohtechNet already exists > [04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance > viaFonCohtechNet already exists > [04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance userRoot > already exists > [04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance > towerbridgeCohtechNet already exists > [04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance > time2joininCohtechNet already exists > [04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance > sudaminltdCom already exists > [04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance > stokieCohtechCoUk already exists > [04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance seamsysCom > already exists > [04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance > palmPrintsCom already exists > [04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance orbItNet > already exists > [04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance orbItCom > already exists > [04/Aug/2008:10:40:18 +0100] - 
WARNING: ldbm instance orbCoUk > already exists > [04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance NetscapeRoot > already exists > [04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance > finsburyCohtechCoUk already exists > [04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance > conceptsIntCohtechNet already exists > [04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance cohtechOrg > already exists > [04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance cohtechNet > already exists > [04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance cohtechCom > already exists > [04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance > coherentTechnologyOrg already exists > [04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance > coherentTechnologyNet already exists > [04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance > coherentTechnologyCoUk already exists > [04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance > coherentTechnologyCom already exists > [04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance > coherentLocal already exists > [04/Aug/2008:10:40:18 +0100] - WARNING: ldbm instance cohCoUk > already exists > [04/Aug/2008:10:40:18 +0100] binder-based resource limits - > nsLookThroughLimit: parameter error (slapi_reslimit_register() > already registered) > [04/Aug/2008:10:40:18 +0100] - start: Resource limit registration > failed > [04/Aug/2008:10:40:18 +0100] - Failed to start database plugin > ldbm database > [04/Aug/2008:10:40:18 +0100] - Error: Failed to resolve plugin > dependencies > [04/Aug/2008:10:40:18 +0100] - Error: accesscontrol plugin ACL > Plugin is not started > [04/Aug/2008:10:40:18 +0100] - Error: preoperation plugin ACL > preoperation is not started > [04/Aug/2008:10:40:18 +0100] - Error: object plugin Class of > Service is not started > [04/Aug/2008:10:40:18 +0100] - Error: preoperation plugin HTTP > Client is not started > [04/Aug/2008:10:40:18 +0100] - Error: database plugin ldbm > database is not started > [04/Aug/2008:10:40:18 +0100] - Error: 
object plugin Legacy > Replication Plugin is not started > [04/Aug/2008:10:40:19 +0100] - Error: object plugin Multimaster > Replication Plugin is not started > [04/Aug/2008:10:40:19 +0100] - Error: object plugin Roles Plugin > is not started > [04/Aug/2008:10:40:19 +0100] - Error: object plugin Views is not > started

From G.Seaman at lse.ac.uk Mon Aug 4 14:39:54 2008 From: G.Seaman at lse.ac.uk (Graham Seaman) Date: Mon, 04 Aug 2008 15:39:54 +0100 Subject: [Fedora-directory-users] forcing reload? In-Reply-To: <4897109E.9010708@redhat.com> References: <4896C0D5.2000101@lse.ac.uk> <7020fd000808040206p77ca2c16j4f1a908a8fb0bdc2@mail.gmail.com> <4896C89C.2040002@lse.ac.uk> <7020fd000808040240v52eaf46fs8ab0cbf14aac4e35@mail.gmail.com> <4896D48F.503@lse.ac.uk> <4897109E.9010708@redhat.com> Message-ID: <489714BA.5000106@lse.ac.uk> Rich Megginson wrote: > Graham Seaman wrote: >> >> I have the same problem with Fedora-ds on another system running >> CentOS: I can add a new schema only by deleting the directory and >> populating it from scratch. > Deleting which directory? To which directory are you adding the > schema files? I am adding the schema files to /etc/dirsrv/schema I am having to delete /etc/dirsrv/slapd-[directory server identifier] and rerun the setup-ds.pl script to get a new schema loaded. Graham

From howard at cohtech.com Mon Aug 4 15:02:48 2008 From: howard at cohtech.com (Howard Wilkinson) Date: Mon, 04 Aug 2008 16:02:48 +0100 Subject: [Fedora-directory-users] Recover directory database files when disk fills up!
In-Reply-To: <489711FA.7060007@redhat.com> References: <488EDA1E.1000005@cohtech.com> <488F2D9E.1000805@redhat.com> <4896CF89.3020600@cohtech.com> <489711FA.7060007@redhat.com> Message-ID: <48971A18.1060907@cohtech.com> Rich Megginson wrote: > Howard Wilkinson wrote: >> Richard Megginson wrote: >>> Howard Wilkinson wrote: >>>> >>> These are messages from sasl. I believe you can ignore them, I >>> don't think they have anything to do with the problem. >>>> >>>> >>>> What can I do to recover the database so that I can start the server? >>> What messages do you get in the directory server error log? >> >> Fedora-Directory/1.1.1 B2008.151.1915 >> bastion.finsbury.cohtech.co.uk:636 (/etc/dirsrv/slapd-bastion) >> >> [04/Aug/2008:10:40:15 +0100] - Fedora-Directory/1.1.1 >> B2008.151.1915 starting up >> [04/Aug/2008:10:40:15 +0100] - Detected Disorderly Shutdown last >> time Directory Server was running, recovering database. >> [04/Aug/2008:10:40:17 +0100] - libdb: file userRoot/id2entry.db4 >> has LSN 518/7178886, past end of log at 1/4431 >> [04/Aug/2008:10:40:17 +0100] - libdb: Commonly caused by moving a >> database from one database environment >> [04/Aug/2008:10:40:17 +0100] - libdb: to another without clearing >> the database LSNs, or by removing all of >> [04/Aug/2008:10:40:17 +0100] - libdb: the log files from a >> database environment >> > How did you create the backup? [Snip] There was no backup created. The system ran out of disk space in the log partition and in the database partition during an OS upgrade. It looks like the version of db4 has changed and the directory server failed while this was happening. I would like to recover by rolling forward if possible, but if not this is a multi-master instance and I can probably rebuild if I have to. Howard.

From rmeggins at redhat.com Mon Aug 4 15:11:19 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 04 Aug 2008 09:11:19 -0600 Subject: [Fedora-directory-users] forcing reload?
In-Reply-To: <489714BA.5000106@lse.ac.uk> References: <4896C0D5.2000101@lse.ac.uk> <7020fd000808040206p77ca2c16j4f1a908a8fb0bdc2@mail.gmail.com> <4896C89C.2040002@lse.ac.uk> <7020fd000808040240v52eaf46fs8ab0cbf14aac4e35@mail.gmail.com> <4896D48F.503@lse.ac.uk> <4897109E.9010708@redhat.com> <489714BA.5000106@lse.ac.uk> Message-ID: <48971C17.3030509@redhat.com> Graham Seaman wrote: > Rich Megginson wrote: >> Graham Seaman wrote: >>> >>> I have the same problem with Fedora-ds on another system running >>> CentOS: I can add a new schema only by deleting the directory and >>> populating it from scratch. >> Deleting which directory? To which directory are you adding the >> schema files? > I am adding the schema files to /etc/dirsrv/schema Ah. That is the source of the confusion. /etc/dirsrv/schema stores the default schema to use for new instances. If you already have an instance (/etc/dirsrv/slapd-something) you should put the schema you want to use in /etc/dirsrv/slapd-something/schema, then restart the server. > I am having to delete /etc/dirsrv/slapd-[directory server identifier] > and rerun the setup-ds.pl script to get a new schema loaded. > > Graham

From G.Seaman at lse.ac.uk Mon Aug 4 15:19:50 2008 From: G.Seaman at lse.ac.uk (Graham Seaman) Date: Mon, 04 Aug 2008 16:19:50 +0100 Subject: [Fedora-directory-users] forcing reload?
In-Reply-To: <48971C17.3030509@redhat.com> References: <4896C0D5.2000101@lse.ac.uk> <7020fd000808040206p77ca2c16j4f1a908a8fb0bdc2@mail.gmail.com> <4896C89C.2040002@lse.ac.uk> <7020fd000808040240v52eaf46fs8ab0cbf14aac4e35@mail.gmail.com> <4896D48F.503@lse.ac.uk> <4897109E.9010708@redhat.com> <489714BA.5000106@lse.ac.uk> <48971C17.3030509@redhat.com> Message-ID: <48971E16.3040800@lse.ac.uk> Rich Megginson wrote: > Graham Seaman wrote: >> I am adding the schema files to /etc/dirsrv/schema > Ah. That is the source of the confusion. /etc/dirsrv/schema stores > the default schema to use for new instances. If you already have an > instance (/etc/dirsrv/slapd-something) you should put the schema you > want to use in /etc/dirsrv/slapd-something/schema, then restart the > server. Ahhh. So simple. Thank you. Graham From rmeggins at redhat.com Mon Aug 4 15:25:58 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 04 Aug 2008 09:25:58 -0600 Subject: [Fedora-directory-users] Recover directory database files when disk fills up! In-Reply-To: <48971A18.1060907@cohtech.com> References: <488EDA1E.1000005@cohtech.com> <488F2D9E.1000805@redhat.com> <4896CF89.3020600@cohtech.com> <489711FA.7060007@redhat.com> <48971A18.1060907@cohtech.com> Message-ID: <48971F86.9000604@redhat.com> Howard Wilkinson wrote: > Rich Megginson wrote: >> Howard Wilkinson wrote: >>> Richard Megginson wrote: >>>> Howard Wilkinson wrote: >>>>> >>>> These are messages from sasl. I believe you can ignore them, I >>>> don't think they have anything to do with the problem. >>>>> >>>>> >>>>> What can I do to recover the database so that I can start the server? >>>> What messages do you get in the directory server error log? 
>>> >>> Fedora-Directory/1.1.1 B2008.151.1915 >>> bastion.finsbury.cohtech.co.uk:636 (/etc/dirsrv/slapd-bastion) >>> >>> [04/Aug/2008:10:40:15 +0100] - Fedora-Directory/1.1.1 >>> B2008.151.1915 starting up >>> [04/Aug/2008:10:40:15 +0100] - Detected Disorderly Shutdown last >>> time Directory Server was running, recovering database. >>> [04/Aug/2008:10:40:17 +0100] - libdb: file userRoot/id2entry.db4 >>> has LSN 518/7178886, past end of log at 1/4431 >>> [04/Aug/2008:10:40:17 +0100] - libdb: Commonly caused by moving a >>> database from one database environment >>> [04/Aug/2008:10:40:17 +0100] - libdb: to another without clearing >>> the database LSNs, or by removing all of >>> [04/Aug/2008:10:40:17 +0100] - libdb: the log files from a >>> database environment >>> >> How did you create the backup? > > [Snip] > > There was no backup created. The system ran out of disk space in the > log partition and in the database partition during an OS upgrade. It > looks ike the version of db4 has changed and the directory server > failed while this was happening. I would like to recover by rolling > forward if possible, but if not this is a multi-master instance and I > can probably rebuild if I have to. Ok, I see. I'm not sure if directory server auto-recovery is possible with this sort of failure. You might be able to use the berkeley db command line utilities to upgrade and/or recover your database files. http://www.oracle.com/technology/documentation/berkeley-db/db/utility/index.html - you may have to figure out which version of bdb you are using, then find the appropriate documentation - rpm -qi db4 or rpm -qi db4-utils. You might try db2ldif to export your data, then re-import using ldif2db, but that would force a replication re-init anyway. > > Howard. 
From vipulramani at gmail.com Tue Aug 5 00:40:47 2008 From: vipulramani at gmail.com (Vipul Ramani) Date: Mon, 4 Aug 2008 17:40:47 -0700 Subject: [Fedora-directory-users] FDS to iplanet replication Message-ID: Cheers, First, is it possible to establish replication between FDS and iPlanet? I think this is possible; FDS is an extended or modified version of iPlanet, but most things are the same as in iPlanet, so it should allow this. I am trying to set up one-way replication from FDS (primary server) -----> iPlanet Directory Server on Solaris. I am getting permission denied; I don't know where. I am getting this error in the errors log of FDS:

cn=config" does not have permission to supply replication updates to the replica. Will retry later.
[04/Aug/2008:13:48:04 -0400] NSMMReplicationPlugin - agmt="cn=consume" (10:389): Unable to acquire replica: permission denied. The bind dn "cn=replication,cn=config" does not have permission to supply replication updates to the replica. Will retry later.

-- Regards Vipul Ramani

From benetage at hotmail.com Mon Aug 4 15:45:01 2008 From: benetage at hotmail.com (Mister Anonyme) Date: Mon, 4 Aug 2008 11:45:01 -0400 Subject: [Fedora-directory-users] Configuration Directory Server failover Message-ID: Rich Megginson wrote: > Try setup-ds-admin.pl -ddd Here you go: +Processing /usr/share/dirsrv/data/template-dse.ldif ...
+++check_and_add_entry: Entry not found cn=config error No such object
+Entry cn=config is added
+++check_and_add_entry: Entry not found cn=plugins, cn=config error No such object
+Entry cn=plugins, cn=config is added
[...]

As you may see, cn=config doesn't exist but was added after ("is added"). Then, processing the ldif that I created:

+Processing repluser.ldif ...
+++check_and_add_entry: Entry not found cn=replication manager,cn=config error No such object
+Processing changelog.ldif ...
+++check_and_add_entry: Entry not found cn=changelog5,cn=config error No such object
+Processing replica.ldif ...
+++check_and_add_entry: Entry not found cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config error No such object
+Processing replagreement.ldif ...
+++check_and_add_entry: Entry not found cn=replication_netscaperoot,cn=replica,cn="o=Netscaperoot",cn=mapping tree,cn=config error No such object

Content of repluser.ldif:

dn: cn=replication manager,cn=config
changetype: add
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: replication manager
sn: RM
userPassword: _PASSWORD_
passwordExpirationTime: 20380119031407Z

> Do you see those replica entries in /etc/dirsrv/slapd-instancename/dse.ldif ?

No. Thanks!

From rmeggins at redhat.com Tue Aug 5 14:29:25 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 05 Aug 2008 08:29:25 -0600 Subject: [Fedora-directory-users] Configuration Directory Server failover In-Reply-To: References: Message-ID: <489863C5.3090002@redhat.com> Mister Anonyme wrote: > Rich Megginson wrote: > > > Try setup-ds-admin.pl -ddd > > > Here you go: > > > +Processing /usr/share/dirsrv/data/template-dse.ldif ...
> +++check_and_add_entry: Entry not found cn=config error No such object > +Entry cn=config is added > +++check_and_add_entry: Entry not found cn=plugins, cn=config error No > such object > +Entry cn=plugins, cn=config is added > [...] > > > As you may see, cn=config doesn't exist but was added after ("is added"). > > Then, processing the ldif that I created: > > > +Processing repluser.ldif ... > +++check_and_add_entry: Entry not found cn=replication > manager,cn=config error No such object > > +Processing changelog.ldif ... > +++check_and_add_entry: Entry not found cn=changelog5,cn=config error > No such object > > +Processing replica.ldif ... > +++check_and_add_entry: Entry not found > cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config error No such > object > > +Processing replagreement.ldif ... > +++check_and_add_entry: Entry not found > cn=replication_netscaperoot,cn=replica,cn="o=Netscaperoot",cn=mapping > tree,cn=config error No such object > > > > Content of repluser.ldif: It could be that setup doesn't like the changetype: add in there - try removing that. > > > dn: cn=replication manager,cn=config > changetype: add > objectClass: inetorgperson > objectClass: person > objectClass: top > cn: replication manager > sn: RM > userPassword: _PASSWORD_ > passwordExpirationTime: 20380119031407Z > > > > > Do you see those replica entries in > /etc/dirsrv/slapd-instancename/dse.ldif ? > > No. > > Thanks!

From triswimjoe at hotmail.com Tue Aug 5 21:54:22 2008 From: triswimjoe at hotmail.com (Joe Sheehan) Date: Tue, 5 Aug 2008 17:54:22 -0400 Subject: [Fedora-directory-users] NMC_STATUS CODE In-Reply-To: <488728A5.4050408@redhat.com> References: <488728A5.4050408@redhat.com> Message-ID: Is there any place I can find information on what the following means when starting ldap? Thanks NMC_ErrInfo: NMC_STATUS: -2

From rmeggins at redhat.com Tue Aug 5 22:00:32 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 05 Aug 2008 16:00:32 -0600 Subject: [Fedora-directory-users] NMC_STATUS CODE In-Reply-To: References: <488728A5.4050408@redhat.com> Message-ID: <4898CD80.6090706@redhat.com> Joe Sheehan wrote: > > Is there any place I can find information on what the following means > when starting ldap? starting ldap from where? how? > Thanks > > NMC_ErrInfo: > NMC_STATUS: -2

From svetoslav.chukov at gmail.com Wed Aug 6 09:21:59 2008 From: svetoslav.chukov at gmail.com (Svetoslav P. Chukov) Date: Wed, 6 Aug 2008 12:21:59 +0300 Subject: [Fedora-directory-users] Fedora directory server installation fails. Message-ID: Hello, I have a mysterious problem with installation of Fedora Directory Server on a Fedora 9. This is very strange since I actually do not see what could make that problem.
There are some warnings about the pagesize, so is it possible to be a filesystem related issue? Or probably just a FDS bug? The installed packages are: fedora-ds-admin-console-1.1.1-3.fc9.noarch fedora-ds-1.1.1-3.fc9.i386 fedora-ds-admin-1.1.5-1.fc9.i386 fedora-ds-console-1.1.1-3.fc9.noarch fedora-ds-base-1.1.1-1.fc9.i386 The errors log: [06/Aug/2008:11:21:33 +0300] - dblayer_instance_start: pagesize: 4096, pages: 256434, procpages: 7643 [06/Aug/2008:11:21:33 +0300] - cache autosizing: import cache: 204800k [06/Aug/2008:11:21:33 +0300] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096 [06/Aug/2008:11:21:33 +0300] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database [06/Aug/2008:11:21:33 +0300] - dblayer_instance_start: pagesize: 4096, pages: 256434, procpages: 7643 [06/Aug/2008:11:21:33 +0300] - cache autosizing: import cache: 204800k [06/Aug/2008:11:21:33 +0300] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096 [06/Aug/2008:11:21:33 +0300] - import userRoot: Beginning import job... [06/Aug/2008:11:21:33 +0300] - import userRoot: Index buffering enabled with bucket size 100 [06/Aug/2008:11:21:33 +0300] - import userRoot: Processing file "/tmp/ldif67qP07.ldif" [06/Aug/2008:11:21:34 +0300] - import userRoot: Finished scanning file "/tmp/ldif67qP07.ldif" (9 entries) [06/Aug/2008:11:21:34 +0300] - import userRoot: Workers finished; cleaning up... [06/Aug/2008:11:21:34 +0300] - import userRoot: Workers cleaned up. [06/Aug/2008:11:21:34 +0300] - import userRoot: Cleaning up producer thread... [06/Aug/2008:11:21:34 +0300] - import userRoot: Indexing complete. Post-processing... [06/Aug/2008:11:21:34 +0300] - import userRoot: Flushing caches... [06/Aug/2008:11:21:34 +0300] - import userRoot: Closing files... [06/Aug/2008:11:21:34 +0300] - All database threads now stopped [06/Aug/2008:11:21:34 +0300] - import userRoot: Import complete. Processed 9 entries in 1 seconds. 
(9.00 entries/sec) [06/Aug/2008:11:21:34 +0300] - Fedora-Directory/1.1.0 B2008.107.1816 starting up Svetoslav P. Chukov

From howard at cohtech.com Wed Aug 6 09:30:29 2008 From: howard at cohtech.com (Howard Wilkinson) Date: Wed, 06 Aug 2008 10:30:29 +0100 Subject: [Fedora-directory-users] Recover directory database files when disk fills up! In-Reply-To: <48971F86.9000604@redhat.com> References: <488EDA1E.1000005@cohtech.com> <488F2D9E.1000805@redhat.com> <4896CF89.3020600@cohtech.com> <489711FA.7060007@redhat.com> <48971A18.1060907@cohtech.com> <48971F86.9000604@redhat.com> Message-ID: <48996F35.2050603@cohtech.com> Rich Megginson wrote: [Snip] > Ok, I see. I'm not sure if directory server auto-recovery is possible > with this sort of failure. You might be able to use the berkeley db > command line utilities to upgrade and/or recover your database files. > http://www.oracle.com/technology/documentation/berkeley-db/db/utility/index.html > - you may have to figure out which version of bdb you are using, then > find the appropriate documentation - rpm -qi db4 or rpm -qi db4-utils. > You might try db2ldif to export your data, then re-import using > ldif2db, but that would force a replication re-init anyway. I have rebuilt the system and reinitialised the roots from the other multi-master. The directory server looks as though it is working properly and I can connect to the admin server from one of the other machines that is running the older version of the code (fedora-idm-console), but if I run the same command on the restored box it will not do anything; it just sits there after I have typed in the command. How do I diagnose and fix this? Howard.
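The recovery route Rich suggested earlier in this thread (the Berkeley DB utilities, falling back to db2ldif/ldif2db or a re-init) as a small triage script, for anyone who hits the same libdb errors before rebuilding. This is an added example, not code from the thread or from Fedora DS. It reads the errors log Howard posted, lists the database files whose recorded LSN is past the end of the (now empty) transaction log, which is the condition the `libdb: file ... has LSN ..., past end of log` lines describe, and prints the sequence to reset those LSNs with `db_load -r lsn` and replay the log with `db_recover`. The instance path, the `nobody` service account and the sample log excerpt are assumptions or constructed from the lines in Howard's post; check the account with `ps -o user= -C ns-slapd` before running anything as it.

```shell
#!/bin/sh
# Added example, not from the thread or from Fedora DS: triage the libdb
# "past end of log" errors in a Fedora/389 DS errors log and print the
# Berkeley DB recovery steps Rich pointed at. ASSUMPTIONS: the instance
# paths below are taken from Howard's log; DS_USER is the account ns-slapd
# runs as (check with `ps -o user= -C ns-slapd`); db_load/db_recover come
# from the db4-utils package.
DB_DIR="${DB_DIR:-/var/lib/dirsrv/slapd-bastion/db}"
DS_USER="${DS_USER:-nobody}"

# Constructed sample log: the error lines from Howard's post plus one
# "no write permission" warning, so the triage can be run offline.
write_sample_errors_log() {
    cat >"$1" <<'EOF'
[04/Aug/2008:10:40:15 +0100] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[04/Aug/2008:10:40:17 +0100] - libdb: file userRoot/id2entry.db4 has LSN 518/7178886, past end of log at 1/4431
[04/Aug/2008:10:40:17 +0100] - libdb: Commonly caused by moving a database from one database environment
[04/Aug/2008:10:40:18 +0100] - libdb: file NetscapeRoot/id2entry.db4 has LSN 210/949652, past end of log at 1/6026
[04/Aug/2008:10:40:18 +0100] - libdb: file cohtechNet/id2entry.db4 has LSN 400/7475236, past end of log at 1/6478
[04/Aug/2008:10:40:18 +0100] - WARNING---no write permission to file /var/lib/dirsrv/slapd-bastion/db/cohCoUk/log.0000000001
[04/Aug/2008:10:40:18 +0100] - start: Failed to start databases, err=22 Invalid argument
EOF
}

# Database files (relative to DB_DIR) whose recorded LSN is ahead of the
# transaction log: these are the files libdb refuses to open.
lsn_mismatched_files() {
    sed -n 's|.* libdb: file \([^ ]*\) has LSN [0-9]*/[0-9]*, past end of log at .*|\1|p' "$1" |
        LC_ALL=C sort -u
}

# Backend names derived from those files (id2entry.db4 lives in <backend>/).
lsn_mismatched_backends() {
    lsn_mismatched_files "$1" | sed 's|/.*||' | LC_ALL=C sort -u
}

# Files the server could not write: a sign the utilities (or an upgrade)
# ran as the wrong user and left root-owned files behind.
unwritable_files() {
    sed -n 's|.*no write permission to file \(.*\)$|\1|p' "$1"
}

# Print, do not run, the recovery sequence: reset the LSNs in the affected
# files so they match the fresh log, then let db_recover replay what is
# left. Always as DS_USER, and only on a db directory that has been copied.
recovery_plan() {
    log="$1"
    echo "service dirsrv stop"
    echo "cp -a $DB_DIR $DB_DIR.before-recovery"
    echo "# db_upgrade -h $DB_DIR <file>   # only if rpm -q db4 is newer than the version that wrote the files"
    for f in $(lsn_mismatched_files "$log"); do
        echo "su -s /bin/sh $DS_USER -c 'db_load -r lsn $DB_DIR/$f'"
    done
    echo "su -s /bin/sh $DS_USER -c 'db_recover -h $DB_DIR'"
    echo "chown -R $DS_USER $DB_DIR   # fixes: $(unwritable_files "$log" | tr '\n' ' ')"
    echo "service dirsrv start"
    echo "# if startup still fails: db2ldif -n <backend> per backend, ldif2db to re-import,"
    echo "# or re-initialise from the other master as Howard did; backends affected:"
    lsn_mismatched_backends "$log" | sed 's|^|#   |'
}

# Usage: sh lsn_triage.sh /var/log/dirsrv/slapd-bastion/errors
if [ -n "${1:-}" ]; then
    recovery_plan "$1"
fi
```

The plan is printed rather than executed on purpose: take a copy of the db directory first, run the utilities as the server's own account (the `no write permission to file .../log.0000000001` warning in the log is what root-owned leftovers look like), and treat `db_upgrade` as optional, only for the case Howard suspected where the db4 package really did change version. If the server still refuses to start, export per backend with db2ldif and re-import, or re-initialise from the other master, which is what happened here.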
From aleksander.adamowski.fedora at altkom.pl Wed Aug 6 10:25:36 2008 From: aleksander.adamowski.fedora at altkom.pl (Aleksander Adamowski) Date: Wed, 06 Aug 2008 12:25:36 +0200 Subject: [Fedora-directory-users] Limiting Directory Manager (nsslapd-rootdn) by source host (e.g. 127.0.0.1)? Message-ID: <48997C20.5040100@altkom.pl> Hi! The Directory Manager account (the one whose DN is specified in dse.ldif as nsslapd-rootdn) is a dangerously privileged account. Access control does not apply to this user and compromising its DN and password gives full control over the directory server. Therefore, it would be desirable to limit this user's bind access based on some additional criteria, in addition to the knowledge of the password. Limits based on the source host (e.g. localhost) and time of day (e.g. only work hours) would be very useful. Is there a way to limit Directory Manager binds based on those criteria in Fedora Directory Server? Note that in OpenLDAP this is possible using the following ACL:

access to dn.base="cn=Manager,o=Example"
    by peername.regex=127\.0\.0\.1 auth
    by users none
    by anonymous none

This ACL however requires creating a concrete LDAP entry that corresponds to rootdn, setting a userPassword in that entry, and leaving the rootpw in the OpenLDAP configuration undefined. This way the concrete userPassword is used when binding and is subject to that ACL, which only allows access from connections that originate from 127.0.0.1. More details in this post on the OpenLDAP mailing list: http://www.openldap.org/lists/openldap-software/200711/msg00342.html -- Best Regards, Aleksander Adamowski GG#: 274614 ICQ UIN: 19780575 http://olo.org.pl

From rmeggins at redhat.com Wed Aug 6 13:25:30 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 06 Aug 2008 07:25:30 -0600 Subject: [Fedora-directory-users] Fedora directory server installation fails. In-Reply-To: References: Message-ID: <4899A64A.2040401@redhat.com> Svetoslav P.
Chukov wrote: > Hello, > I have a mysterious problem with installation of Fedora Directory > Server on a Fedora 9. > This is very strange since I actually do not see what could make that > problem. There are some warnings about the pagesize, so is it possible > to be a filesystem related issue? Or probably just a FDS bug? There is no problem. Those are just informative messages. You can ignore the warning. I guess the real bug here is that the server should not spew quite so many messages by default. > > The installed packages are: > > fedora-ds-admin-console-1.1.1-3.fc9.noarch > fedora-ds-1.1.1-3.fc9.i386 > fedora-ds-admin-1.1.5-1.fc9.i386 > fedora-ds-console-1.1.1-3.fc9.noarch > fedora-ds-base-1.1.1-1.fc9.i386 > > The errors log: > > [06/Aug/2008:11:21:33 +0300] - dblayer_instance_start: pagesize: 4096, > pages: 256434, procpages: 7643 > [06/Aug/2008:11:21:33 +0300] - cache autosizing: import cache: 204800k > [06/Aug/2008:11:21:33 +0300] - li_import_cache_autosize: 50, > import_pages: 51200, pagesize: 4096 > [06/Aug/2008:11:21:33 +0300] - WARNING: Import is running with > nsslapd-db-private-import-mem on; No other process is allowed to > access the database > [06/Aug/2008:11:21:33 +0300] - dblayer_instance_start: pagesize: 4096, > pages: 256434, procpages: 7643 > [06/Aug/2008:11:21:33 +0300] - cache autosizing: import cache: 204800k > [06/Aug/2008:11:21:33 +0300] - li_import_cache_autosize: 50, > import_pages: 51200, pagesize: 4096 > [06/Aug/2008:11:21:33 +0300] - import userRoot: Beginning import job... > [06/Aug/2008:11:21:33 +0300] - import userRoot: Index buffering > enabled with bucket size 100 > [06/Aug/2008:11:21:33 +0300] - import userRoot: Processing file > "/tmp/ldif67qP07.ldif" > [06/Aug/2008:11:21:34 +0300] - import userRoot: Finished scanning file > "/tmp/ldif67qP07.ldif" (9 entries) > [06/Aug/2008:11:21:34 +0300] - import userRoot: Workers finished; > cleaning up... > [06/Aug/2008:11:21:34 +0300] - import userRoot: Workers cleaned up. 
> [06/Aug/2008:11:21:34 +0300] - import userRoot: Cleaning up producer thread...
> [06/Aug/2008:11:21:34 +0300] - import userRoot: Indexing complete. Post-processing...
> [06/Aug/2008:11:21:34 +0300] - import userRoot: Flushing caches...
> [06/Aug/2008:11:21:34 +0300] - import userRoot: Closing files...
> [06/Aug/2008:11:21:34 +0300] - All database threads now stopped
> [06/Aug/2008:11:21:34 +0300] - import userRoot: Import complete. Processed 9 entries in 1 seconds. (9.00 entries/sec)
> [06/Aug/2008:11:21:34 +0300] - Fedora-Directory/1.1.0 B2008.107.1816 starting up
> 
> Svetoslav P. Chukov
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rmeggins at redhat.com Wed Aug 6 13:26:11 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 06 Aug 2008 07:26:11 -0600
Subject: [Fedora-directory-users] Recover directory database files when disk fills up!
In-Reply-To: <48996F35.2050603@cohtech.com>
References: <488EDA1E.1000005@cohtech.com> <488F2D9E.1000805@redhat.com> <4896CF89.3020600@cohtech.com> <489711FA.7060007@redhat.com> <48971A18.1060907@cohtech.com> <48971F86.9000604@redhat.com> <48996F35.2050603@cohtech.com>
Message-ID: <4899A673.7020704@redhat.com>

Howard Wilkinson wrote:
> Rich Megginson wrote:
> 
> [Snip]
>> Ok, I see. I'm not sure if directory server auto-recovery is
>> possible with this sort of failure. You might be able to use the
>> berkeley db command line utilities to upgrade and/or recover your
>> database files.
>> http://www.oracle.com/technology/documentation/berkeley-db/db/utility/index.html
>> - you may have to figure out which version of bdb you are using, then
>> find the appropriate documentation - rpm -qi db4 or rpm -qi db4-utils.
>> You might try db2ldif to export your data, then re-import using
>> ldif2db, but that would force a replication re-init anyway.
> I have rebuilt the system and reinitialised the roots from the other
> multi-master. The directory server looks as though it is working
> properly and I can connect to the admin server from one of the other
> machines that is running the older version of the code
> (fedora-idm-console) but if I run the same command on the restored box
> then it will not do anything just sits there having typed in the command.

fedora-idm-console -D 9 -f console.log - does that show anything?

> How do I diagnose and fix this?
> 
> Howard.
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rmeggins at redhat.com Wed Aug 6 13:29:37 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 06 Aug 2008 07:29:37 -0600
Subject: [Fedora-directory-users] Limiting Directory Manager (nsslapd-rootdn) by source host (e.g. 127.0.0.1)?
In-Reply-To: <48997C20.5040100@altkom.pl>
References: <48997C20.5040100@altkom.pl>
Message-ID: <4899A741.9080301@redhat.com>

Aleksander Adamowski wrote:
> Hi!
> 
> The Directory Manager account (the one whose DN is specified in
> dse.ldif as nsslapd-rootdn) is a dangerously privileged account.
> 
> Access control does not apply to this user and compromising its DN and
> password gives full control over the directory server.
> 
> Therefore, it would be desirable to limit this user's bind access
> based on some additional criteria, in addition to the knowledge of the
> password.
> 
> Limits based on the source host (e.g. localhost) and time of day (e.g.
> only work hours) would be very useful.
> 
> Is there a way to limit Directory Manager binds based on those
> criteria in Fedora Directory Server?

No. But please file a bug so we can track this issue.

> 
> 
> Note that in OpenLDAP this is possible using the following ACL:
> 
> access to dn.base="cn=Manager,o=Example"
>         by peername.regex=127\.0\.0\.1 auth
>         by users none
>         by anonymous none
> 
> This ACL however requires creating a concrete LDAP entry that
> corresponds to rootdn, setting a userPassword in that entry, and
> leaving the rootpw in OpenLDAP configuration undefined.
> This way the concrete userPassword is used when binding and is subject
> to that ACL which only allows access from connections that originate from
> 127.0.0.1.
> 
> More details in this post on the OpenLDAP mailing list:
> http://www.openldap.org/lists/openldap-software/200711/msg00342.html
> 

From aleksander.adamowski.fedora at altkom.pl Wed Aug 6 22:20:19 2008
From: aleksander.adamowski.fedora at altkom.pl (Aleksander Adamowski)
Date: Thu, 07 Aug 2008 00:20:19 +0200
Subject: [Fedora-directory-users] Limiting Directory Manager (nsslapd-rootdn) by source host (e.g. 127.0.0.1)?
In-Reply-To: <4899A741.9080301@redhat.com>
References: <48997C20.5040100@altkom.pl> <4899A741.9080301@redhat.com>
Message-ID: <489A23A3.6050904@altkom.pl>

Rich Megginson wrote:
> Aleksander Adamowski wrote:
>> Limits based on the source host (e.g. localhost) and time of day
>> (e.g. only work hours) would be very useful.
>>
>> Is there a way to limit Directory Manager binds based on those
>> criteria in Fedora Directory Server?
> 
> No. But please file a bug so we can track this issue.
> 
> 
OK, filed bug 458187: https://bugzilla.redhat.com/show_bug.cgi?id=458187

-- 
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575
http://olo.org.pl

From blue_moon_ro at yahoo.com Thu Aug 7 13:02:41 2008
From: blue_moon_ro at yahoo.com (Sebastian Tabarce)
Date: Thu, 7 Aug 2008 06:02:41 -0700 (PDT)
Subject: [Fedora-directory-users] Unable to SSL with Windows Sync Agreement
In-Reply-To: <72965855C48009408D297A78108567160714E621@nl-ex008.groupinfra.com>
Message-ID: <752182.38594.qm@web36507.mail.mud.yahoo.com>

Mathijs,

If I'm not mistaken, in order for the two servers to be able to talk with each other, they need to have certificates signed by Certificate Authorities recognized by the two servers (meaning, the certificates of these root CAs must be installed on the two servers). Even more straightforward is to generate certificate requests for both servers and get them signed by the same root CA.

--- On Thu, 7/31/08, Groot, Mathijs de (IDT Competence Java) wrote:

From: Groot, Mathijs de (IDT Competence Java)
Subject: [Fedora-directory-users] Unable to SSL with Windows Sync Agreement
To: fedora-directory-users at redhat.com
Date: Thursday, July 31, 2008, 12:18 PM

Hello everyone,

I can use some help with setting up the Windows Sync.

I'll give some context first. I'm trying to sync users, groups and passwords from a Windows 2003 server with Active Directory with a Red Hat Enterprise 5, Red Hat Directory Server 8.0. It is a test environment where I can access and configure the servers easily.

But I've got some problems setting up a new Windows Sync Agreement.

It comes down to the following: I can't get an SSL connection with a new Windows Sync Agreement, from the Red Hat DS to the Windows AD server.
In the Windows Sync Server info screen I get the following message when clicking on next: "unable to contact Active Directory server, continue" (the Windows Sync Server info screen is located in the Directory Server Console -> Configuration tab -> Replication -> userRoot -> highlight the database -> Object -> New Windows Sync Agreement -> the second screen reads Windows Sync Server Info)

But when I uncheck the checkbox "Using encrypted SSL connection" the connection works and the Windows AD server is reached. So this concludes (and I've tested) that the Windows Server and domain are reachable and the Bind DN is valid, and the entered values are correct.

The SSL connection seems to be set up correctly; the checks (ldapsearch query) described by the fedora manual output the correct result. Following:

http://directory.fedoraproject.org/wiki/Howto:WindowsSync
Testing your Configuration
Test to make sure you can talk SSL from Fedora Directory to AD
This is how you test to verify that the Windows side SSL is enabled properly:
ldapsearch -Z -P -h -p -D "" -w < sync manager password> -s -b "" ""

My ldapsearch query:

/usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-/cert8.db -h compute.domain.com -p 636 -D "CN=Administrator,CN=Users,DC=domain,DC=com" -w -s base -b "dc=domain,dc=com" "objectclass=top"

But strangely enough there is no network traffic at all when the SSL connection is checked! (when clicking on next and the message "unable to contact Active Directory server, continue" appears)

I've done the following actions to monitor it:

First I've disabled SELinux, in case that blocks something (just for testing).

Watch the tcp/ip traffic with:
tcpdump -nn -p port not ssh and ip host

Here I can see that, when I don't use the SSL connection, there is traffic towards my Windows AD, but when I've checked the SSL option, there is no traffic at all, nothing.

As well, when I look at the iptables, I added an extra line:
iptables -I OUTPUT 1 -d -j ACCEPT
watch -d iptables -L -nv

I see the same result, traffic when I don't use the SSL option and no traffic at all when the SSL option is checked.

How can I get the message "unable to contact Active Directory server, continue" when there is no outgoing request from my Red Hat server?

I've made certificates at both sides (Windows and Red Hat) and exported and imported these certificates to the other server.

Please advise on the following steps I can take, what the problem can be and how it is possible that there is no traffic at all.

Thanks in advance.

Matt

Mathijs A. de Groot
Consultant - Software Engineer
_________________________________________
Logica - Releasing your potential
George Hintzenweg 89
3068 AX Rotterdam
Postbus 8566
3009 AN Rotterdam
Nederland
T: +31 (0) 10 253 7000
D: +31(0) 70 37 56627
E: math.de.groot at logica.com
www.logica.com

Logica Nederland B.V.
Registered office in Amstelveen, The Netherlands
Registration Number Chamber of Commerce: 33136004

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
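Sebastian's point above, that each side must trust the CA that signed the other side's certificate, can be checked mechanically from the trust column that `certutil -L` prints. The following Python is an added example written for this thread; it is not code from the thread or from the Fedora/Red Hat Directory Server project. It parses a certutil listing and reports whether a named CA carries the `C` flag NSS requires before it will accept server certificates issued by that CA in an SSL handshake (a `T`-only CA is trusted for client certificates, not for server authentication), whether a leaf certificate is a trusted peer (`P`), and whether our own server certificate has its private key (`u`) in the database. The two listings embedded in the code are constructed in the shape certutil prints, and the nicknames in them are hypothetical.

```python
"""Check NSS trust flags from `certutil -L` output.

Added example for this thread, not code from the Directory Server project.
Both listings below are constructed in the shape `certutil -L -d <dbdir>`
prints; the nicknames are hypothetical.
"""
import re

# Trust flag meanings as documented in certutil(1).
FLAG_MEANING = {
    "p": "prohibited (explicitly distrusted)",
    "P": "trusted peer",
    "c": "valid CA",
    "T": "trusted CA to issue client certs (implies c)",
    "C": "trusted CA to issue server certs, SSL only (implies c)",
    "u": "user cert, private key is in this DB",
    "w": "send warning",
}

# Constructed listing for the directory-server side of an LDAPS link.
SAMPLE_RHDS_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

rhds_ds_ca_cert                                              CTu,u,u
parijs_server_cert                                           ,,
rhds_server_cert                                             u,u,u
parijs_ca_cert                                               CT,,
"""

# Constructed listing for the other side (no header lines this time).
SAMPLE_AD_LISTING = """\
rhds_ds_ca_cert                                              CT,C,C
rhds_ds_server_cert                                          Pu,Pu,Pu
"""

# Three comma-separated flag groups: SSL, S/MIME, JAR/XPI (each may be empty).
TRUST_RE = re.compile(r"^[pPcTCuw]*,[pPcTCuw]*,[pPcTCuw]*$")


def parse_certutil_listing(text):
    """Map nickname -> (ssl_flags, smime_flags, jar_flags).

    Header and blank lines are skipped.  A nickname may contain spaces, so
    only the last whitespace-separated token is taken as the trust column.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "Trust Attributes" in line or line.startswith("SSL,"):
            continue
        nick, _, trust = line.rpartition(" ")
        if not TRUST_RE.match(trust):
            continue  # not a certificate line
        entries[nick.strip()] = tuple(trust.split(","))
    return entries


def ssl_trust_flags(entries, nickname):
    """SSL column for one nickname, or None when the cert is not in the DB."""
    return entries[nickname][0] if nickname in entries else None


def trusts_ca_for_server_auth(entries, ca_nickname):
    """True only when the CA has 'C' in the SSL column: the flag NSS needs
    before it accepts server certs issued by this CA in a TLS handshake."""
    flags = ssl_trust_flags(entries, ca_nickname)
    return flags is not None and "C" in flags


def is_trusted_peer(entries, nickname):
    """'P': the leaf cert itself is trusted, independent of any CA chain."""
    flags = ssl_trust_flags(entries, nickname)
    return flags is not None and "P" in flags


def has_private_key(entries, nickname):
    """'u': the private key is in this DB, so the cert can be our own."""
    flags = ssl_trust_flags(entries, nickname)
    return flags is not None and "u" in flags


def explain(entries, nickname):
    """Human-readable expansion of one cert's SSL trust flags."""
    flags = ssl_trust_flags(entries, nickname)
    if flags is None:
        return f"{nickname}: not in database"
    if not flags:
        return f"{nickname}: no explicit SSL trust (valid only via a trusted CA)"
    return f"{nickname}: " + "; ".join(FLAG_MEANING[f] for f in flags)


def peer_trust_report(entries, peer_ca_nickname, own_cert_nickname=None):
    """Problems that would stop this side validating the peer's server cert
    or presenting its own; an empty list means this side looks complete."""
    problems = []
    if not trusts_ca_for_server_auth(entries, peer_ca_nickname):
        problems.append(f"{peer_ca_nickname}: missing 'C' in SSL column, "
                        "certs issued by this CA will not validate")
    if own_cert_nickname and not has_private_key(entries, own_cert_nickname):
        problems.append(f"{own_cert_nickname}: no private key ('u') in this DB")
    return problems


if __name__ == "__main__":
    rhds = parse_certutil_listing(SAMPLE_RHDS_LISTING)
    for nick in rhds:
        print(explain(rhds, nick))
    print(peer_trust_report(rhds, "parijs_ca_cert", "rhds_server_cert") or "ok")
    ad = parse_certutil_listing(SAMPLE_AD_LISTING)
    print(peer_trust_report(ad, "rhds_ds_ca_cert") or "ok")
```

To run it against a real database, feed the output of `certutil -L -d /etc/dirsrv/slapd-rhds` (the instance directory used in this thread) to `parse_certutil_listing` and call `peer_trust_report` with the nickname under which the other side's CA was imported. Note that a `P` on the peer's leaf certificate and a `C` on the peer's CA are two different ways to satisfy NSS; only one of them needs to be present, but a CA with `CT,,` and a leaf with `,,` is a complete chain only if the leaf really was issued by that CA.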
From math.de.groot at logica.com Thu Aug 7 14:19:48 2008
From: math.de.groot at logica.com (Groot, Mathijs de (IDT Competence Java))
Date: Thu, 7 Aug 2008 16:19:48 +0200
Subject: [Fedora-directory-users] Unable to SSL with Windows Sync Agreement
In-Reply-To: <752182.38594.qm@web36507.mail.mud.yahoo.com>
References: <72965855C48009408D297A78108567160714E621@nl-ex008.groupinfra.com> <752182.38594.qm@web36507.mail.mud.yahoo.com>
Message-ID: <72965855C48009408D297A78108567160714E634@nl-ex008.groupinfra.com>

Hi Sebastian,

Thanks for your reply.

We've created the CA and Server certificates on Red Hat Directory Server (like described in: http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_SSL-Using_certutil.html )

And created a server certificate on the Windows Server (http://support.microsoft.com/kb/931351 )

The CA and Server certificates are exchanged between both servers and are trusted, like the certutil output shows:

On the Red Hat Directory (rhds.grep):

# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

rhds_ds_ca_cert                                              CTu,u,u
parijs_server_cert                                           ,,
rhds_server_cert                                             u,u,u
parijs_ca_cert                                               CT,,

on the Windows Active Directory (parijs.gem):

C:\Program Files\Red Hat Directory Password Synchronization>certutil -L -d .

rhds_ds_ca_cert                                              CT,C,C
rhds_ds_server_cert                                          Pu,Pu,Pu

And the ldapsearch on the command line from the Red Hat server over SSL works with the use of the certificate database; the following command returns entries of Windows Active Directory:

/usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-rhds/cert8.db -h adsync.parijs.gem -p 636 -D "CN=Administrator,CN=Users,DC=parijs,DC=gem" -w - -s base -b "dc=parijs,dc=gem" "objectclass=top"

Note that I'm using a Red Hat Enterprise 64 bit version and a Windows 2003 32 bit.

Do you have any suggestions why there are no outgoing tcp/ip packets from the Red Hat Directory Server when the new Windows Sync Agreement is configured and the message is shown that the Red Hat server is unable to contact the Active Directory server?

Mathijs.

From james_roman at ssaihq.com Thu Aug 7 19:49:12 2008
From: james_roman at ssaihq.com (James Roman)
Date: Thu, 07 Aug 2008 15:49:12 -0400
Subject: [Fedora-directory-users] Configuring an objectclass for all children
Message-ID: <489B51B8.1000301@ssaihq.com>

I am relatively new to setting up directory servers. I would like all accounts in one of my OUs to be configured with the radiusprofile object class, and with some default attributes set. I thought this might be possible with a Class of Service, but it seems to be stumbling on assigning the objectclass, so no attributes are assigned. I tried setting up a pointer object class with no luck. Is there a trick to setting this up for an objectclass or is there a better way of reaching my objective?

-- 
James D. Roman
Sr. Network Administrator
Science Systems and Application, Inc.
Phone: 301-867-2101

From rmeggins at redhat.com Thu Aug 7 20:12:42 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 07 Aug 2008 14:12:42 -0600
Subject: [Fedora-directory-users] Configuring an objectclass for all children
In-Reply-To: <489B51B8.1000301@ssaihq.com>
References: <489B51B8.1000301@ssaihq.com>
Message-ID: <489B573A.8050801@redhat.com>

James Roman wrote:
> I am relatively new to setting up directory servers. I would like all
> accounts in one of my OUs to be configured with the radiusprofile
> object class, and with some default attributes set. I thought this
> might be possible with a Class of Service, but it seems to be stumbling
> on assigning the objectclass, so no attributes are assigned.

Right. You cannot assign objectclass values with Class of Service.

> I tried setting up a pointer object class with no luck.
> Is there a
> trick to setting this up for an objectclass or is there a better way
> of reaching my objective?
> 

From math.de.groot at logica.com Fri Aug 8 09:29:06 2008
From: math.de.groot at logica.com (Groot, Mathijs de (IDT Competence Java))
Date: Fri, 8 Aug 2008 11:29:06 +0200
Subject: [Fedora-directory-users] Unable to SSL with Windows Sync Agreement
In-Reply-To: <322039.58986.qm@web36506.mail.mud.yahoo.com>
References: <72965855C48009408D297A78108567160714E634@nl-ex008.groupinfra.com> <322039.58986.qm@web36506.mail.mud.yahoo.com>
Message-ID: <72965855C48009408D297A78108567160714E638@nl-ex008.groupinfra.com>

Hi Sebastian,

Thanks for your suggestion.

I'm assuming that when the CA is trusted for Server and Client certificates (CT), the server certificates signed by that CA are automatically trusted peers as well.

I have made the trust changes to the certificates and imported the third Windows certificate as well; my (clean installed) Windows Server has three certificates, the last one added is the domain certificate. The CA and Server certificates should be sufficient according to the manual.

Red Hat Directory Server (gemeente.grep)

# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

gemeente_ds_ca_cert                                          CTu,u,u
gemeente_ds_server_cert                                      u,u,u
parijs_ca_cert                                               CT,,
parijs_domain_cert                                           P,P,P
parijs_server_cert                                           P,P,P

Windows Active Directory (parijs.gem) unchanged

C:\Program Files\Red Hat Directory Password Synchronization>certutil -L -d .

rhds_ds_ca_cert                                              CT,C,C
rhds_ds_server_cert                                          Pu,Pu,Pu

In the meanwhile, I've run some extra tests to check the connectivity between the Red Hat and Windows Server, but all of the following tests output the expected result of the query. These search queries are executed from the Red Hat Directory Server.

# /usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-rhds/cert8.db -h adsync.parijs.gem -p 636 -D "CN=Administrator,CN=Users,DC=parijs,DC=gem" -w -s base -b "dc=parijs,dc=gem" "objectclass=top"

# /usr/lib64/mozldap/ldapsearch -x -ZZ -b 'dc=gemeente,dc=grep' -D "cn=Directory Manager" -w '(objectclass=*)'

# /usr/lib64/mozldap/ldapsearch -x -ZZ -h adsync.parijs.gem -b 'dc=parijs,dc=gem' -D "CN=Administrator,CN=Users,DC=parijs,DC=gem" -w '(objectclass=*)'

But there are still no outgoing tcp/ip packets from the Red Hat Directory Server when the new Windows Sync Agreement is configured and the message is shown that the Red Hat server is unable to contact the Active Directory server.

Problem summary:

I can't get an SSL connection with a new Windows Sync Agreement, from the Red Hat DS to the Windows AD server. Ldapsearch queries over SSL seem to work fine, but strangely enough there is no network traffic at all when the SSL connection is checked! (when clicking on next and the message "unable to contact Active Directory server, continue" appears). See the earlier emails in this thread for more information.

Does anyone have a suggestion how to troubleshoot this problem?

Mathijs de Groot

From: Sebastian Tabarce [mailto:blue_moon_ro at yahoo.com]
Sent: donderdag 7 augustus 2008 20:23
To: Groot, Mathijs de (IDT Competence Java)
Subject: RE: [Fedora-directory-users] Unable to SSL with Windows Sync Agreement

Hi Mathijs,

From what you showed us, it seems that while RHDS is a trusted peer of Active Directory, Active Directory is not a trusted peer of RHDS. This might be a reason for RHDS to not even try to establish a sync with AD.

Other than this, I have no other ideas for now. I'm not an experienced RHDS admin, but maybe others will be of more help.

Good luck,
Sebastian

From tycoon1_98 at yahoo.com Sat Aug 9 04:22:12 2008
From: tycoon1_98 at yahoo.com (Mike Carroll)
Date: Fri, 8 Aug 2008 21:22:12 -0700 (PDT)
Subject: [Fedora-directory-users] mod_nss
Message-ID: <321766.61053.qm@web32008.mail.mud.yahoo.com>

I've currently configured mod_nss-1.0.7 to replace mod_ssl in apache 2.2.9 and there is a configuration parameter in nss.conf, NSSOCSPDefaultURL, where you can specify the URL for an OCSP server. In order to route traffic out-bound from the server we have to route all http traffic through a proxy server. However, the documentation has been vague on this point and looking at mod_ocsp.c doesn't give me a lot of hope either (although I am not a C coder). So my question is: is it possible to route OCSP traffic from mod_nss through an http proxy server? If so, how?

Thanks,
Mike

From zahra_bahar at ec.iut.ac.ir Sun Aug 10 08:37:20 2008
From: zahra_bahar at ec.iut.ac.ir (Zahra Bahar)
Date: Sun, 10 Aug 2008 12:07:20 +0330 (IRST)
Subject: [Fedora-directory-users] administeratly prohibit
Message-ID: <17658649.342321218357440093.JavaMail.root@mta.iut.ac.ir>

Hi all,

A radius server is working with fedora DS. radius sends authentication packets, but the ldap server doesn't accept them and sends an "administratively prohibited" reply.
Should the RADIUS server be introduced to the LDAP server? If yes, where?

From rcritten at redhat.com Mon Aug 11 03:00:21 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Sun, 10 Aug 2008 23:00:21 -0400
Subject: [Fedora-directory-users] mod_nss
In-Reply-To: <321766.61053.qm@web32008.mail.mud.yahoo.com>
References: <321766.61053.qm@web32008.mail.mud.yahoo.com>
Message-ID: <489FAB45.9070404@redhat.com>

Mike Carroll wrote:
> I've currently configured mod_nss-1.0.7 to replace mod_ssl in Apache
> 2.2.9 and there is a configuration parameter in nss.conf,
> NSSOCSPDefaultURL, where you can specify the URL for an OCSP server. In
> order to route traffic out-bound from the server we have to route all
> HTTP traffic through a proxy server. However, the documentation has
> been vague on this point and looking at mod_ocsp.c doesn't give me a lot
> of hope either (although I am not a C coder). So my question is: is it
> possible to route OCSP traffic from mod_nss through an HTTP proxy server?
> If so, how?

Unfortunately, no. Right now mod_nss relies on the built-in NSS OCSP client which is relatively feature-poor. I had worked on curl integration at one point long ago but never got it to a point where I was satisfied with its quality. I can see about reviving this code, if I can find it, to see what state it is in, perhaps as an experimental feature.

rob

From snake007uk at gmail.com Mon Aug 11 09:36:52 2008
From: snake007uk at gmail.com (Kashif Ali)
Date: Mon, 11 Aug 2008 10:36:52 +0100
Subject: [Fedora-directory-users] ObjectClass PosixGroup + UID/GID auto-generation
Message-ID: <879a677e0808110236u1d5d0f90n7fd2c7bd4c9ed4eb@mail.gmail.com>

Hello All,

After spending a long weekend configuring Fedora-DS to have central authentication + central home dirs, I now have two issues which I would like to know if anyone can help me with.

1) Currently when adding a new user, I have to manually go to advanced options and add a value called posixgroup to the object class. This is so that the group ID has a name and you don't see the error "GroupID name not found" when logging onto a box. Is there any way to update the default user template, so that, when you enable posixaccount, the posixgroup objectclass is automatically added, thus removing the manual process?

2) Is there any way to get the directory server to generate a UNIQUE UID/GID based on the last UID created? Ideally I would like the range to start from 5000 and finish at 8000. The automatic procedure would just use the next available UID/GID in the list, again removing the need for the user to check and make sure the ID is unique.

Any help with either of these issues would be much appreciated.

Regards

Kashif
From solarflow99 at gmail.com Mon Aug 11 11:00:55 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Mon, 11 Aug 2008 12:00:55 +0100
Subject: [Fedora-directory-users] ObjectClass PosixGroup + UID/GID auto-generation
In-Reply-To: <879a677e0808110236u1d5d0f90n7fd2c7bd4c9ed4eb@mail.gmail.com>
References: <879a677e0808110236u1d5d0f90n7fd2c7bd4c9ed4eb@mail.gmail.com>
Message-ID: <7020fd000808110400r30dfbe3by5f08a69480d74340@mail.gmail.com>

On 8/11/08, Kashif Ali wrote:
>
> Hello All,
>
> After spending a long weekend configuring Fedora-DS to have central
> authentication + central home dirs, I now have two issues which I would like
> to know if anyone can help me with.
>
> 1) Currently when adding a new user, I have to manually go to advanced
> options and add a value called posixgroup to the object class. This is so
> that the group ID has a name and you don't see the error "GroupID name not
> found" when logging onto a box. Is there any way to update the default user
> template, so that, when you enable posixaccount, the posixgroup objectclass
> is automatically added, thus removing the manual process?
>

This is in the FDS console you are talking about, right? This would be nice to have, but I guess unless you can change the Java code, it's still less flexible in this way. Often people will use a different front end such as ldapadmin, while the FDS console is preferred for controlling replication, etc.

> 2) Is there any way to get the directory server to generate a UNIQUE UID/GID
> based on the last UID created? Ideally I would like the range to start from
> 5000 and finish at 8000. The automatic procedure would just use the next
> available UID/GID in the list, again removing the need for the user to check
> and make sure the ID is unique.
>

It looks like most front ends favour choosing a random one, then require you to set it manually to what you want. This is to avoid possible conflicts without having to build in a way to check for this; I agree it should be an available option though.

http://sourceforge.net/forum/forum.php?thread_id=1965645&forum_id=305548&abmode=1

> Any help with either of these issues would be much appreciated.
>
> Regards
>
> Kashif

From snake007uk at gmail.com Mon Aug 11 11:35:50 2008
From: snake007uk at gmail.com (Kashif Ali)
Date: Mon, 11 Aug 2008 12:35:50 +0100
Subject: [Fedora-directory-users] ObjectClass PosixGroup + UID/GID auto-generation
In-Reply-To: <7020fd000808110400r30dfbe3by5f08a69480d74340@mail.gmail.com>
References: <879a677e0808110236u1d5d0f90n7fd2c7bd4c9ed4eb@mail.gmail.com> <7020fd000808110400r30dfbe3by5f08a69480d74340@mail.gmail.com>
Message-ID: <879a677e0808110435q1bf87d5ewff85966c1fb8a328@mail.gmail.com>

Yes, I was talking about FDS :)

Well, at least I can hope that more people want these features so they get added in :).

I have created a wiki article on the installation if anyone is interested.

http://wiki.unixcraft.com/display/MainPage/Fedora+Directory+Server

2008/8/11 solarflow99
>
> On 8/11/08, Kashif Ali wrote:
>>
>> Hello All,
>>
>> After spending a long weekend configuring Fedora-DS to have central
>> authentication + central home dirs, I now have two issues which I would like
>> to know if anyone can help me with.
>>
>> 1) Currently when adding a new user, I have to manually go to advanced
>> options and add a value called posixgroup to the object class. This is so
>> that the group ID has a name and you don't see the error "GroupID name not
>> found" when logging onto a box. Is there any way to update the default user
>> template, so that, when you enable posixaccount, the posixgroup objectclass
>> is automatically added, thus removing the manual process?
>>
>
> This is in the FDS console you are talking about, right? This would be nice
> to have, but I guess unless you can change the Java code, it's still less
> flexible in this way. Often people will use a different front end such as
> ldapadmin, while the FDS console is preferred for controlling replication,
> etc.
>
>> 2) Is there any way to get the directory server to generate a UNIQUE UID/GID
>> based on the last UID created? Ideally I would like the range to start from
>> 5000 and finish at 8000. The automatic procedure would just use the next
>> available UID/GID in the list, again removing the need for the user to check
>> and make sure the ID is unique.
>>
>
> It looks like most front ends favour choosing a random one, then require
> you to set it manually to what you want. This is to avoid possible
> conflicts without having to build in a way to check for this; I agree it
> should be an available option though.
>
> http://sourceforge.net/forum/forum.php?thread_id=1965645&forum_id=305548&abmode=1
>
>> Any help with either of these issues would be much appreciated.
>>
>> Regards
>>
>> Kashif
From ryan.braun at ec.gc.ca Mon Aug 11 19:38:28 2008
From: ryan.braun at ec.gc.ca (Ryan Braun [ADS])
Date: Mon, 11 Aug 2008 19:38:28 +0000
Subject: [Fedora-directory-users] ObjectClass PosixGroup + UID/GID auto-generation
In-Reply-To: <879a677e0808110435q1bf87d5ewff85966c1fb8a328@mail.gmail.com>
References: <879a677e0808110236u1d5d0f90n7fd2c7bd4c9ed4eb@mail.gmail.com> <7020fd000808110400r30dfbe3by5f08a69480d74340@mail.gmail.com> <879a677e0808110435q1bf87d5ewff85966c1fb8a328@mail.gmail.com>
Message-ID: <200808111938.28588.ryan.braun@ec.gc.ca>

On Monday 11 August 2008 11:35, Kashif Ali wrote:

I use Perl for most of my user management, and I grabbed this idea from one of the samba-ldap helper scripts, could be from IDEALX, not too sure really. But basically, you just create an object that holds 2 values: the current available UID and GID. Then your Perl script queries LDAP for that object, uses the available UID, then increments it and writes it back to LDAP.

Something like

    use Net::LDAP;

    # $ldap is an already-bound Net::LDAP handle and %config holds BASE_DN;
    # the connection and bind are not shown here.

    # grab it from ldap
    $mesg = $ldap->search(
        filter => "(objectClass=UnixIdPool)",
        base   => "ou=Special Users,$config{BASE_DN}",
        attrs  => ['uidNumber'],
    );
    $config{NextID} = $mesg->entry(0)->get_value('uidNumber');

    # update nextfreeid attribute
    $mesg = $ldap->modify(
        "cn=idPool,ou=Special Users,$config{BASE_DN}",
        replace => { "uidNumber" => $config{NextID} + 1 },
    );

Here is the schema I use for the object.

    objectClasses: ( UnixIdPool-oid NAME 'UnixIdPool' SUP top STRUCTURAL MUST ( cn $ gidNumber $ uidNumber ) X-ORIGIN 'user defined' )

Ryan

> Yes, I was talking about FDS :)
>
> Well, at least I can hope that more people want these features so they get
> added in :).
>
> I have created a wiki article on the installation if anyone is interested.
>
> http://wiki.unixcraft.com/display/MainPage/Fedora+Directory+Server
From tycoon1_98 at yahoo.com Tue Aug 12 04:20:58 2008
From: tycoon1_98 at yahoo.com (Mike Carroll)
Date: Mon, 11 Aug 2008 21:20:58 -0700 (PDT)
Subject: [Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 39, Issue 12
Message-ID: <918355.58406.qm@web32004.mail.mud.yahoo.com>

I'm sorry if I am screwing up my reply to your comment, but this is the first time I've gotten involved with a mailing list before. To your comment, Rob, I think adding this in would be a really cool feature. Ever since that article showed up in BigAdmin about integrating mod_nss into Apache it has created a lot of buzz within the Department of Defense because of the OCSP plug-in. The DoD currently has the largest PKI implementation in the world and a key component is efficient, and easy, OCSP checking which mod_nss has the capability of doing (on paper at least: I still haven't gotten it to work in my dev environment) without dropping some cash to Tumbleweed and CoreStreet. However, a lot of the servers (and especially desktop users) have to route their HTTP traffic through a proxy server in order to go outside the network enclave. So I can definitely see the need for the ability to proxy OCSP traffic.

Also, on a side note... were you the one who responded to my support question to Red Hat on this? They gave me the same answer :)

Rob Crittenden wrote:
> Unfortunately, no. Right now mod_nss relies on the built-in NSS OCSP client
> which is relatively feature-poor. I had worked on curl integration at one
> point long ago but never got it to a point where I was satisfied with its
> quality. I can see about reviving this code, if I can find it, to see what
> state it is in, perhaps as an experimental feature.
>
> rob

From duskglow at gmail.com Tue Aug 12 04:29:44 2008
From: duskglow at gmail.com (Russell Miller)
Date: Mon, 11 Aug 2008 21:29:44 -0700
Subject: [Fedora-directory-users] can I ditch the gui?
Message-ID: <4eea36270808112129s3f41cccr3074e66daf02e020@mail.gmail.com>

Hi all,

OK, I run a moderate-sized LDAP system that I inherited. It's been broken to one degree or another for literally years and it's my task to fix it. I've already upgraded every single server to redhat-ds 8, and am in the process of nailing down a few bugs that we have never been able to address. Not being able to change expired passwords, etc.

I would like to integrate setup with, say, puppet. I would like to be able to say "OK, here's a host, let's build a working LDAP setup, *without human intervention*." It seems to be impossible. Many steps I can't do except through the GUI, the SSL key setup (which I can do via the command line using certutil, though it doesn't seem to be documented and I don't know yet how to do a request) is very awkward, and basically setting up a new server is currently an intensely manual process.

I don't like this.

I would like a command-line utility of some kind where I can do everything the admin GUI can do - turning options on and off, etc. And I would like just one tool, not having to go around to all sorts of different places and change entries here and there. I know it can be done because the GUI does it. How about making it admin friendly?

Or am I missing something and it's already there?

Thanks,

--Russell

From zahra_bahar at ec.iut.ac.ir Tue Aug 12 05:28:22 2008
From: zahra_bahar at ec.iut.ac.ir (Zahra Bahar)
Date: Tue, 12 Aug 2008 08:58:22 +0330 (IRST)
Subject: Fwd: [Fedora-directory-users] administeratly prohibit
In-Reply-To: <17658649.342321218357440093.JavaMail.root@mta.iut.ac.ir>
Message-ID: <3723789.366371218518902730.JavaMail.root@mta.iut.ac.ir>

----- Forwarded Message -----
From: "Zahra Bahar"
To: "Fedora-directory-users"
Sent: Sunday, August 10, 2008 12:07:20 PM (GMT+0330) Asia/Tehran
Subject: [Fedora-directory-users] administeratly prohibit

Hi all,
A RADIUS server is working with Fedora DS. RADIUS sends authentication packets, but the LDAP server doesn't accept them and sends an "administratively prohibited" reply. Should the RADIUS server be introduced to the LDAP server? If yes, where?

From benetage at hotmail.com Mon Aug 11 15:00:54 2008
From: benetage at hotmail.com (Mister Anonyme)
Date: Mon, 11 Aug 2008 11:00:54 -0400
Subject: [Fedora-directory-users] register-ds-admin.pl
Message-ID:

Hi,

I tried to follow the guidelines here:
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-ADS-for-Failover.html

And it doesn't work. So, I did it in another way.
On the first server, I created this inf file:

==================================
[General]
FullMachineName = firstserver.domain
AdminDomain = domain
SuiteSpotUserID = nobody
SuiteSpotGroup = nobody
ConfigDirectoryLdapURL = ldap://firstserver.domain:389/o=NetscapeRoot
ConfigDirectoryAdminID = admin
ConfigDirectoryAdminPwd = pass

[admin]
ServerAdminID = admin
ServerAdminPwd = pass
SysUser = nobody
ServerIpAddress = 1.1.1.1
Port = 9830

[slapd]
InstallLdifFile = suggest
ServerIdentifier = firstserver
ServerPort = 389
AddOrgEntries = Yes
RootDN = cn=Directory Manager
RootDNPwd = pass
SlapdConfigForMC = yes
Suffix = dc=host, dc=domain
UseExistingMC = 0
AddSampleEntries = No
=========================

I ran it like this:

# /usr/sbin/setup-ds-admin.pl -s -f file.inf

Then, I configured the replication in the console for the DB NetscapeRoot.

On the second server, I created this inf file:

========
[General]
FullMachineName = secodserver.domain
AdminDomain = domain
SuiteSpotUserID = nobody
SuiteSpotGroup = nobody
ConfigDirectoryLdapURL = ldap://firstserver.domain:389/o=NetscapeRoot
ConfigDirectoryAdminID = admin
ConfigDirectoryAdminPwd = pass

[admin]
ServerAdminID = admin
ServerAdminPwd = pass
SysUser = nobody
ServerIpAddress = 1.1.1.1
Port = 9830

[slapd]
InstallLdifFile = suggest
ServerIdentifier = secodserver
ServerPort = 389
AddOrgEntries = Yes
RootDN = cn=Directory Manager
RootDNPwd = pass
SlapdConfigForMC = yes
Suffix = dc=host, dc=domain
UseExistingMC = 1
AddSampleEntries = No
================

As you can see, I installed the second server but it uses the Administrative Server on the first server. I created the NetscapeRoot database on the second server and I configured the replication. Until now, it works very well.
When I want to change the second server to use its own Administrative Server, I ran this command on the second server:

# /usr/sbin/register-ds-admin.pl

It seems that this server isn't able to clean up its old DS directory and it always asks me to enter the password...

I also tried to install the second server without installing the Administrative Server (setup-ds.pl instead of setup-ds-admin.pl) and I still face the same issue. Not really the same, but it always asks for the password.

I tried the trick of "PTA (Pass Thru Authentication)" and it doesn't fix the issue.

Here is the log:

[root at nlnmlp22 eleblanc]# /usr/sbin/register-ds-admin.pl
Beginning registration of the Directory Server
====================================================================
The Directory Server locates its configuration file (dse.ldif) at /etc/dirsrv/slapd-ID, by default. If you have Directory Server(s) which configuration file is put at the other location, you need to input it to register the server. If you have such Directory Server, type the full path that stores the configuration file. If you don't, type return.
[configuration directory path or return]:
====================================================================
Candidate servers to register:
/etc/dirsrv/slapd-nlnmlp22
====================================================================
Do you want to use this server as Configuration Directory Server?
Directory server identifier: nlnmlp22
====================================================================
Cleaning up old Config DS:
====================================================================
Please input the password for the Administrator User uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot:
Error: failed to clean up the configuration info from the old Configuration Directory Server .
====================================================================
Please input the password for the Administrator User uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot:
Error: failed to clean up the configuration info from the old Configuration Directory Server .

Thank you very much for your help!

E.

From rmeggins at redhat.com Tue Aug 12 15:50:24 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 12 Aug 2008 09:50:24 -0600
Subject: [Fedora-directory-users] can I ditch the gui?
In-Reply-To: <4eea36270808112129s3f41cccr3074e66daf02e020@mail.gmail.com>
References: <4eea36270808112129s3f41cccr3074e66daf02e020@mail.gmail.com>
Message-ID: <48A1B140.7040903@redhat.com>

Russell Miller wrote:
>
> Hi all,
>
> OK, I run a moderate-sized LDAP system that I inherited. It's been
> broken to one degree or another for literally years and it's my task
> to fix it. I've already upgraded every single server to redhat-ds 8,
> and am in the process of nailing down a few bugs that we have never
> been able to address. Not being able to change expired passwords, etc.
>
> I would like to integrate setup with, say, puppet. I would like to be
> able to say "OK, here's a host, let's build a working LDAP setup,
> *without human intervention*." It seems to be impossible. Many
> steps I can't do except through the GUI, the SSL key setup (which
> I can do via the command line using certutil, though it doesn't seem to be
> documented and I don't know yet how to do a request) is very awkward,
> and basically setting up a new server is currently an intensely manual
> process.
>
> I don't like this.
>
> I would like a command-line utility of some kind where I can do
> everything the admin GUI can do - turning options on and off, etc.
> And I would like just one tool, not having to go around to all sorts
> of different places and change entries here and there. I know it can
> be done because the GUI does it. How about making it admin friendly?
>
> Or am I missing something and it's already there?

You can do everything from the command line, including everything the GUI does. The documentation describes how to do a task with the GUI and how to do that same task with the command line in most cases [1]. If you need more information about the configuration entries and attributes, we have a reference manual [2]. The crypto/SSL commands are not well documented, but you can use the -H argument to get some help with certutil, pk12util, and modutil, as well as the examples on the wiki [3].

If you decide to go this route, I strongly encourage you to use a scripting language. I prefer python and python-ldap - you can do a great deal of work quickly with these. I've also used perl in the past. If you're interested, I have a collection of scripts I use to perform various tasks.

Unfortunately, there is not one single command you can use to do everything (e.g. dsadmin setupreplication host1 host2 or something like that). The freeipa.org project has been established to make LDAP, NIS, Kerberos, and eventually SSL easy to set up and deploy. While they may not have all of the pieces, they have come a long way, and depending on what your deployment looks like, you might be able to use freeipa.org to easily and quickly set up your environment.

http://www.freeipa.org/

1 - http://www.redhat.com/docs/manuals/dir-server/ag/8.0/index.html
2 - http://www.redhat.com/docs/manuals/dir-server/cli/8.0/index.html
3 - http://directory.fedoraproject.org/wiki/Howto:SSL

>
> Thanks,
>
> --Russell

From michael at stroeder.com Tue Aug 12 22:24:34 2008
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 13 Aug 2008 00:24:34 +0200
Subject: [Fedora-directory-users] ObjectClass PosixGroup + UID/GID auto-generation
In-Reply-To: <200808111938.28588.ryan.braun@ec.gc.ca>
References: <879a677e0808110236u1d5d0f90n7fd2c7bd4c9ed4eb@mail.gmail.com> <7020fd000808110400r30dfbe3by5f08a69480d74340@mail.gmail.com> <879a677e0808110435q1bf87d5ewff85966c1fb8a328@mail.gmail.com> <200808111938.28588.ryan.braun@ec.gc.ca>
Message-ID: <48A20DA2.5010507@stroeder.com>

Ryan Braun [ADS] wrote:
> On Monday 11 August 2008 11:35, Kashif Ali wrote:
>
> But basically, you just create an object that holds 2 values: the current
> available UID and GID. Then your Perl script queries LDAP for that object,
> uses the available UID, then increments it and writes it back to LDAP.
> [..]
> $mesg = $ldap->modify("cn=idPool,ou=Special Users,$config{BASE_DN}", replace
> => { "uidNumber" => $config{NextID}+1 } );

FWIW the original idea was different: For this to work reliably with multiple instances generating IDs from the same ID pool entry you have to explicitly delete the old value and add the new one. If the ID was already incremented by another process the old value was already replaced and the modify request fails.

Ciao, Michael.
From snake007uk at gmail.com Wed Aug 13 07:42:02 2008
From: snake007uk at gmail.com (Kashif Ali)
Date: Wed, 13 Aug 2008 08:42:02 +0100
Subject: [Fedora-directory-users] ObjectClass PosixGroup + UID/GID auto-generation
In-Reply-To: <48A20DA2.5010507@stroeder.com>
References: <879a677e0808110236u1d5d0f90n7fd2c7bd4c9ed4eb@mail.gmail.com> <7020fd000808110400r30dfbe3by5f08a69480d74340@mail.gmail.com> <879a677e0808110435q1bf87d5ewff85966c1fb8a328@mail.gmail.com> <200808111938.28588.ryan.braun@ec.gc.ca> <48A20DA2.5010507@stroeder.com>
Message-ID: <879a677e0808130042p6463e699t314cc4825f83ad4c@mail.gmail.com>

How would you search for the next value? I.e. search all UIDs/GIDs and show the results; I could then sort them and work out which number should be next?

2008/8/12 Michael Ströder
> Ryan Braun [ADS] wrote:
>
>> On Monday 11 August 2008 11:35, Kashif Ali wrote:
>>
>> But basically, you just create an object that holds 2 values: the
>> current available UID and GID. Then your Perl script queries LDAP for that
>> object, uses the available UID, then increments it and writes it back to
>> LDAP.
>
> [..]
>
>> $mesg = $ldap->modify("cn=idPool,ou=Special Users,$config{BASE_DN}",
>> replace => { "uidNumber" => $config{NextID}+1 } );
>
> FWIW the original idea was different: For this to work reliably with
> multiple instances generating IDs from the same ID pool entry you have to
> explicitly delete the old value and add the new one. If the ID was already
> incremented by another process the old value was already replaced and the
> modify request fails.
>
> Ciao, Michael.

From michael at stroeder.com Wed Aug 13 08:33:10 2008
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 13 Aug 2008 10:33:10 +0200
Subject: [Fedora-directory-users] ObjectClass PosixGroup + UID/GID auto-generation
In-Reply-To: <879a677e0808130042p6463e699t314cc4825f83ad4c@mail.gmail.com>
References: <879a677e0808110236u1d5d0f90n7fd2c7bd4c9ed4eb@mail.gmail.com> <7020fd000808110400r30dfbe3by5f08a69480d74340@mail.gmail.com> <879a677e0808110435q1bf87d5ewff85966c1fb8a328@mail.gmail.com> <200808111938.28588.ryan.braun@ec.gc.ca> <48A20DA2.5010507@stroeder.com> <879a677e0808130042p6463e699t314cc4825f83ad4c@mail.gmail.com>
Message-ID: <48A29C46.8000308@stroeder.com>

Kashif Ali wrote:
> How would you search for the next value? I.e. search all UIDs/GIDs and show
> the results; I could then sort them and work out which number should
> be next?

The idea with using a pool was to increment the ID as pointed out in the example code posted by Ryan. Additionally you should have a unique constraint configured for these attributes.

Ciao, Michael.
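The exchange above between Ryan and Michael, worked through as an added example that is not code from the thread or from Fedora DS. It contrasts the `replace` write in the posted Perl with the delete-old-value/add-new-value modify Michael describes, and shows why the second is safe when several provisioning scripts draw from one pool entry. Python and python-ldap are used because Rich recommends them earlier in the thread, but no directory is contacted: `PoolServer` is a constructed in-memory stand-in that applies LDAP modify semantics (the operation is atomic as a whole, and deleting a value that is not present fails it), and only the `MOD_*` constants and the `search_s`/`modify_s` names mirror python-ldap. The pool DN `cn=idPool,ou=Special Users,dc=example,dc=com` and the 5000..8000 range are assumptions taken from the thread.

```python
"""Race-safe UID/GID allocation from an LDAP "pool" entry.

Added example for this thread, not code posted by Ryan or Michael.  It shows
Michael's point: bumping the pool with `replace` silently loses updates when
two clients read the same value, while a single modify that DELETEs the value
you read and ADDs value+1 is refused (noSuchAttribute) if another client has
already moved the counter, so the loser re-reads and retries.  No directory is
contacted: PoolServer is a constructed stand-in with LDAP modify semantics.
MOD_* and search_s/modify_s mirror python-ldap; pool DN and range are assumed.
"""
import threading

MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2   # same numeric values as python-ldap
POOL_DN = "cn=idPool,ou=Special Users,dc=example,dc=com"   # assumed pool entry
ID_MIN, ID_MAX = 5000, 8000                  # range Kashif asked for


class NoSuchAttribute(Exception):
    """Stand-in for ldap.NO_SUCH_ATTRIBUTE (LDAP result code 16)."""


class PoolServer:
    """Constructed in-memory directory; only what the allocator needs."""

    def __init__(self, entries):
        self._entries = {dn: {a: list(v) for a, v in attrs.items()}
                         for dn, attrs in entries.items()}
        self._lock = threading.Lock()   # a real server serialises writes to an entry

    def search_s(self, dn, attr):
        with self._lock:
            return list(self._entries[dn][attr])

    def modify_s(self, dn, modlist):
        with self._lock:
            work = {a: list(v) for a, v in self._entries[dn].items()}
            for op, attr, values in modlist:
                vals = work.setdefault(attr, [])
                if op == MOD_DELETE:
                    for v in values:
                        if v not in vals:            # value already gone: refuse
                            raise NoSuchAttribute("%s: %r" % (attr, v))
                        vals.remove(v)
                elif op == MOD_ADD:
                    vals.extend(values)
                elif op == MOD_REPLACE:
                    work[attr] = list(values)
            self._entries[dn] = work                 # commit only if every mod applied


def modlist_replace(attr, current):
    """What the posted Perl does: overwrite with current+1, no precondition."""
    return [(MOD_REPLACE, attr, [str(current + 1).encode()])]


def modlist_cas(attr, current):
    """Compare-and-swap: delete exactly the value we read, add its successor."""
    return [(MOD_DELETE, attr, [str(current).encode()]),
            (MOD_ADD, attr, [str(current + 1).encode()])]


def allocate_id(server, attr, modlist_for=modlist_cas, retries=100):
    """Return the next free id from the pool, retrying when a race is lost."""
    for _ in range(retries):
        current = int(server.search_s(POOL_DN, attr)[0])
        if not ID_MIN <= current <= ID_MAX:
            raise RuntimeError("pool exhausted: %s=%d" % (attr, current))
        try:
            server.modify_s(POOL_DN, modlist_for(attr, current))
        except NoSuchAttribute:
            continue                                 # someone else took it; re-read
        return current
    raise RuntimeError("gave up after %d contended attempts" % retries)


def lost_update(modlist_for):
    """Two clients read before either writes.  Returns (id_a, id_b or None)."""
    server = PoolServer({POOL_DN: {"uidNumber": [b"5000"]}})
    a = int(server.search_s(POOL_DN, "uidNumber")[0])
    b = int(server.search_s(POOL_DN, "uidNumber")[0])
    server.modify_s(POOL_DN, modlist_for("uidNumber", a))
    try:
        server.modify_s(POOL_DN, modlist_for("uidNumber", b))
        return a, b                   # replace: both "succeed" with the same uid
    except NoSuchAttribute:
        return a, None                # cas: second writer is told to retry


def concurrent_allocation(threads=8, per_thread=25):
    """Threads allocate with CAS + retry; returns (sorted ids, final pool value)."""
    server = PoolServer({POOL_DN: {"uidNumber": [b"5000"]}})
    ids, lock = [], threading.Lock()

    def worker():
        for _ in range(per_thread):
            uid = allocate_id(server, "uidNumber")
            with lock:
                ids.append(uid)

    workers = [threading.Thread(target=worker) for _ in range(threads)]
    for t in workers:
        t.start()
    for t in workers:
        t.join()
    return sorted(ids), int(server.search_s(POOL_DN, "uidNumber")[0])


if __name__ == "__main__":
    print("replace:", lost_update(modlist_replace))   # (5000, 5000): duplicate uid
    print("cas:    ", lost_update(modlist_cas))       # (5000, None): loser retries
    ids, final = concurrent_allocation()
    print(len(ids), "ids,", len(set(ids)), "unique, pool now at", final)
```

Against a real server the body of `allocate_id` stays the same: `server` becomes the connection from `ldap.initialize(...)` after a bind, the modlist uses `ldap.MOD_DELETE`/`ldap.MOD_ADD`, and the exception to catch is `ldap.NO_SUCH_ATTRIBUTE`. The retry loop is what makes the pool safe under contention; the unique constraint Michael mentions is the backstop that catches a script which bypasses the pool and writes a uidNumber directly.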
From ben.van.veen at planet.nl Wed Aug 13 15:13:36 2008
From: ben.van.veen at planet.nl (ben.van.veen at planet.nl)
Date: Wed, 13 Aug 2008 17:13:36 +0200
Subject: [Fedora-directory-users] new user entry starts with uid=
Message-ID:

Hi,

Fedora-ds 1.0.4. A new User entry in the directory will have an RDN starting with uid= . I would like to change that to cn=

I know that in the advanced properties one can change the Naming Attribute, but I want it to be cn= on creation of a new entry. Where can I change those default setting(s)?

Thnx

From MichaelFan.Zhang at moneris.com Wed Aug 13 15:20:24 2008
From: MichaelFan.Zhang at moneris.com (Zhang, Michael)
Date: Wed, 13 Aug 2008 11:20:24 -0400
Subject: [Fedora-directory-users] How to reset ldap admin password
In-Reply-To:
References:
Message-ID: <80BFCE4C39EE3547AD79863AC01A6DC504785E0E@SCLAVIP02.MONAD.MONERIS.COM>

Hello guys,

Just want to know: is there any way to reset the LDAP admin password without the directory manager password and the old admin password in fedora-ds 1.0.2?

Thanks
Fan

______________________________________________________________________
This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.

From nkinder at redhat.com Wed Aug 13 16:17:35 2008
From: nkinder at redhat.com (Nathan Kinder)
Date: Wed, 13 Aug 2008 09:17:35 -0700
Subject: [Fedora-directory-users] ObjectClass PosixGroup + UID/GID auto-generation
In-Reply-To: <879a677e0808110236u1d5d0f90n7fd2c7bd4c9ed4eb@mail.gmail.com>
References: <879a677e0808110236u1d5d0f90n7fd2c7bd4c9ed4eb@mail.gmail.com>
Message-ID: <48A3091F.6000307@redhat.com>

Kashif Ali wrote:
> Hello All,
>
> After spending a long weekend configuring Fedora-DS to have central
> authentication + central home dirs, I now have two issues which I would
> like to know if anyone can help me with.
>
> 1) Currently when adding a new user, I have to manually go to advanced
> options and add a value called posixgroup to the object class; this is
> so that groupIDs have a name and you don't see the error "GroupID name
> not found" when logging onto a box. Is there any way to update the
> default user template, so that, when you enable posixaccount, the
> posixgroup objectclass is automatically added, thus removing the
> manual process?
>
> 2) Is there any way to get the directory server to generate UNIQUE UID/GID
> based on the last uid created? Ideally I would like the range to start
> from 5000 and finish at 8000. The automatic procedure would just use
> the next available uid/gid in the list, again removing the need for
> the user to check and make sure the id is unique.

There is a first version of a "Distributed Numeric Assignment" plug-in in the current Fedora Directory Server code that deals with this problem. It is designed to manage a range of unique numeric values across multiple master FDS instances. You can read more about the current implementation at

http://directory.fedoraproject.org/wiki/DNA_Plugin_Implementation

I am currently doing some re-design and improvement to this plug-in to address some shortcomings of the current implementation. These areas are pointed out at the bottom of the above page.

-NGK

> Any help with either of these issues would be much appreciated.
>
> Regards
>
> Kashif
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rmeggins at redhat.com Wed Aug 13 16:25:44 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 13 Aug 2008 10:25:44 -0600
Subject: [Fedora-directory-users] register-ds-admin.pl
In-Reply-To:
References:
Message-ID: <48A30B08.9040208@redhat.com>

Mister Anonyme wrote:
> Hi,
>
> I tried to follow the guidelines here:
>
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-ADS-for-Failover.html
>
> And it doesn't work.
Can you be more specific?
> So, I did it in another way.
> > On the first server, I created this inf file: > > ================================== > [General] > FullMachineName = firstserver.domain > AdminDomain = domain > SuiteSpotUserID = nobody > SuiteSpotGroup = nobody > ConfigDirectoryLdapURL = ldap://firstserver.domain:389/o=NetscapeRoot > ConfigDirectoryAdminID = admin > ConfigDirectoryAdminPwd = pass > > [admin] > ServerAdminID = admin > ServerAdminPwd = pass > SysUser = nobody > ServerIpAddress = 1.1.1.1 > Port = 9830 > > [slapd] > InstallLdifFile = suggest > ServerIdentifier = firstserver > ServerPort = 389 > AddOrgEntries = Yes > RootDN = cn=Directory Manager > RootDNPwd = pass > SlapdConfigForMC = yes > Suffix = dc=host, dc=domain > UseExistingMC = 0 > AddSampleEntries = No > ========================= > > I ran like this: > # /usr/sbin/setup-ds-admin.pl -s -f file.inf > > Then, I configured the replication in the console for the DB NetscapeRoot. > > On the second server, I created this inf file: > > ======== > [General] > FullMachineName = secodserver.domain > AdminDomain = domain > SuiteSpotUserID = nobody > SuiteSpotGroup = nobody > ConfigDirectoryLdapURL = ldap://firstserver.domain:389/o=NetscapeRoot > ConfigDirectoryAdminID = admin > ConfigDirectoryAdminPwd = pass > > [admin] > ServerAdminID = admin > ServerAdminPwd = pass > SysUser = nobody > ServerIpAddress = 1.1.1.1 > Port = 9830 > > [slapd] > InstallLdifFile = suggest > ServerIdentifier = secodserver > ServerPort = 389 > AddOrgEntries = Yes > RootDN = cn=Directory Manager > RootDNPwd = pass > SlapdConfigForMC = yes > Suffix = dc=host, dc=domain > UseExistingMC = 1 > AddSampleEntries = No > ================ > > As you can see, I installed the second server but it uses the > Administrative Server on the first server. You can't really do that. The purpose of the Administration Server is to provide a management agent on each machine. This allows you to remotely manage the directory server (e.g. start it remotely, and run other CGIs, among other things). 
A "remote Admin Server" doesn't make sense.
>
> I created the NetscapeRoot database on the second server and I configured
> the replication.
>
> Until now, it works very well.
>
> When I want to change the second server to use its own
> Administrative Server, I ran this command on the second server:
You can't really do that.
>
> # /usr/sbin/register-ds-admin.pl
>
> It seems that this server isn't able to clean its old DS directory and
> it's always asking me to enter the password... I also tried to install
> the second server without installing the Administrative Server
> (setup-ds.pl instead of setup-ds-admin.pl) and I still face the same
> issue; not really the same, but it always asks for the password. I tried the
> trick of "PTA (Pass Thru Authentication)" and it doesn't fix the issue.
>
> Here's the log:
>
> [root at nlnmlp22 eleblanc]# /usr/sbin/register-ds-admin.pl
> Beginning registration of the Directory Server
> ====================================================================
> The Directory Server locates its configuration file (dse.ldif) at
> /etc/dirsrv/slapd-ID, by default. If you have Directory Server(s)
> which configuration file is put at the other location, you need to
> input it to register the server.
>
> If you have such Directory Server, type the full path that stores the
> configuration file.
>
> If you don't, type return.
> [configuration directory path or return]:
>
>
> ====================================================================
> Candidate servers to register:
> /etc/dirsrv/slapd-nlnmlp22
>
> ====================================================================
> Do you want to use this server as Configuration Directory Server?
>
> Directory server identifier: nlnmlp22
>
> ====================================================================
> Cleaning up old Config DS:
>
> ====================================================================
> Please input the password for the Administrator User uid=admin,
> ou=Administrators, ou=TopologyManagement, o=NetscapeRoot:
> Error: failed to clean up the configuration info from the old
> Configuration
> Directory Server .
>
> ====================================================================
> Please input the password for the Administrator User uid=admin,
> ou=Administrators, ou=TopologyManagement, o=NetscapeRoot:
> Error: failed to clean up the configuration info from the old
> Configuration
> Directory Server .
>
>
> Thank you very much for your help!
>
> E.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rob at rsee.net Wed Aug 13 19:10:26 2008
From: rob at rsee.net (Rob See)
Date: Wed, 13 Aug 2008 15:10:26 -0400
Subject: [Fedora-directory-users] FDS on OpenSolaris
Message-ID: <48A331A2.4080505@rsee.net>

Hi,

Painfully, I was able to get FDS compiled and installed on the latest build of OpenSolaris x86, but I've run into a problem during the setup process. When the setup script performs the ldif2db, it fails with a Database Error 2.
Here is the complete error log: [13/Aug/2008:14:40:46 -0400] - Backend Instance: userRoot [13/Aug/2008:14:40:46 -0400] - dblayer_instance_start: pagesize: 4096, pages: 393103, procpages: 7245 [13/Aug/2008:14:40:46 -0400] - cache autosizing: import cache: 204800k [13/Aug/2008:14:40:46 -0400] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096 [13/Aug/2008:14:40:46 -0400] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database [13/Aug/2008:14:40:46 -0400] - dblayer_instance_start: pagesize: 4096, pages: 393103, procpages: 7245 [13/Aug/2008:14:40:46 -0400] - cache autosizing: import cache: 204800k [13/Aug/2008:14:40:46 -0400] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096 [13/Aug/2008:14:40:47 -0400] - import userRoot: Beginning import job... [13/Aug/2008:14:40:47 -0400] - import userRoot: Index buffering enabled with bucket size 100 [13/Aug/2008:14:40:47 -0400] - import userRoot: Processing file "/tmp/ldifd8ULLD.ldif" [13/Aug/2008:14:40:47 -0400] - import userRoot: Finished scanning file "/tmp/ldifd8ULLD.ldif" (9 entries) [13/Aug/2008:14:40:47 -0400] - database error 2 [13/Aug/2008:14:40:47 -0400] - import userRoot: ERROR: Could not add op attrs to entry ending at line 17 of file "/tmp/ldifd8ULLD.ldif" [13/Aug/2008:14:40:47 -0400] - import userRoot: Aborting all import threads... [13/Aug/2008:14:40:53 -0400] - import userRoot: Import threads aborted. [13/Aug/2008:14:40:53 -0400] - import userRoot: Closing files... [13/Aug/2008:14:40:53 -0400] - libdb: userRoot/id2entry.db4: unable to flush: No such file or directory [13/Aug/2008:14:40:53 -0400] - All database threads now stopped [13/Aug/2008:14:40:53 -0400] - import userRoot: Import failed. Does anyone know what database error 2 means, and how I might be able to fix it. 
Thanks,
-Rob

From benetage at hotmail.com Wed Aug 13 19:47:33 2008
From: benetage at hotmail.com (Mister Anonyme)
Date: Wed, 13 Aug 2008 15:47:33 -0400
Subject: [Fedora-directory-users] (no subject)
Message-ID:

> Rich Megginson wrote:
>> Mister Anonyme wrote:
>> Hi,
>> I tried to follow the guidelines here:
>> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-ADS-for-Failover.html
>> And it doesn't work.
>
> Can you be more specific?

There you go...

SERVER1 is the first server, SERVER2 is the second server (failover).

========================================
First step (from the doc): Install and configure the first Directory Server instance.
========================================

****** file.inf ******

FullMachineName = SERVER1
AdminDomain = MY DOMAIN NAME
SuiteSpotUserID = nobody
SuiteSpotGroup = nobody
ConfigDirectoryLdapURL = ldap://SERVER1:389/o=NetscapeRoot
ConfigDirectoryAdminID = admin
ConfigDirectoryAdminPwd = MY PASSWORD

[admin]
ServerAdminID = admin
ServerAdminPwd = MY PASSWORD
SysUser = nobody
ServerIpAddress = MY SERVER IP ADDRESS
Port = 9830

[slapd]
InstallLdifFile = suggest
ServerIdentifier = SERVER1
ServerPort = 389
AddOrgEntries = Yes
RootDN = cn=Directory Manager
RootDNPwd = MY DS PASSWORD
SlapdConfigForMC = yes
Suffix = dc=EXAMPLE, dc=NET
UseExistingMC = 0
AddSampleEntries = Yes
ConfigFile = repluser.ldif
ConfigFile = changelog.ldif
ConfigFile = replica.ldif
ConfigFile = replagreement.ldif

*************** repluser.ldif ***************

dn: cn=replication manager,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: replication manager
sn: RM
userPassword: MY ENCRYPTED PASSWORD
passwordExpirationTime: 20380119031407Z

**************** changelog.ldif ****************

dn: cn=changelog5,cn=config
objectclass: top
objectclass: extensibleObject
cn: changelog5
nsslapd-changelogdir: /var/lib/dirsrv/slapd-MYINSTANCE/changelogdb

************ replica.ldif *************

dn: cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
objectclass: top
objectclass: nsds5replica
objectclass: extensibleObject
cn: replica
nsds5replicaroot: o=NetscapeRoot
nsds5replicaid: 1
nsds5replicatype: 3
nsds5flags: 1
nsds5ReplicaPurgeDelay: 604800
nsds5ReplicaBindDN: cn=replication manager,cn=config

****************** replagreement.ldif ******************

dn: cn=replication_netscaperoot,cn=replica,cn="o=Netscaperoot",cn=mapping tree,cn=config
objectclass: top
objectclass: nsds5replicationagreement
cn: replication_netscaperoot
nsds5replicahost: SECONDARY LDAP SERVER HOSTNAME
nsds5replicaport: 389
nsds5ReplicaBindDN: cn=replication manager
nsds5replicabindmethod: SIMPLE
nsds5replicaroot: o=Netscaperoot
description: replication netscaperoot
nsds5replicacredentials: ENCRYPTEDPASSWORD
nsds5BeginReplicaRefresh: start

I run this command:

# /usr/sbin/setup-ds-admin -s -f file.inf

Here's the log:

[...]
+Processing repluser.ldif ...
+++check_and_add_entry: Entry not found cn=replication manager,cn=config error No such object
+Entry cn=replication manager,cn=config is added
+Processing changelog.ldif ...
+++check_and_add_entry: Entry not found cn=changelog5,cn=config error No such object
+Entry cn=changelog5,cn=config is added
+Processing replica.ldif ...
+++check_and_add_entry: Entry not found cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config error No such object
+ERROR: adding an entry cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config failed, error: No such object
dn: cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
objectclass: top
objectclass: nsds5replica
objectclass: extensibleObject
cn: replica
nsds5replicaroot: o=NetscapeRoot
nsds5replicaid: 1
nsds5replicatype: 3
nsds5flags: 1
nsds5replicapurgedelay: 604800
nsds5replicabinddn: cn=replication manager,cn=config
+ERROR: There was an error processing entry cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
+Cannot continue processing entries.

So, I created another file (the documentation didn't mention this, so I don't know if it's the 'good' procedure...):

************* replica_1.ldif *************

dn: cn="o=NetscapeRoot",cn=mapping tree,cn=config
objectclass: top
objectclass: nsMappingTree
objectclass: extensibleObject
cn: "o=NetscapeRoot"

I added it just before replica.ldif in the [slapd] section of "file.inf". Then:

# /usr/sbin/setup-ds-admin -s -f file.inf

It works well until...:

[...]
+[13/Aug/2008:15:07:17 -0400] NSMMReplicationPlugin - _replica_configure_ruv: replication broken for entry (o=NetscapeRoot); LDAP error - 1
+[13/Aug/2008:15:07:17 -0400] NSMMReplicationPlugin - Unable to configure replica o=NetscapeRoot:
+[13/Aug/2008:15:07:17 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
+Your new directory server has been started.
Your new DS instance 'INSTANCENAME' was successfully created.
Creating the configuration directory server . . .
The suffix 'o=NetscapeRoot' already exists. Config entry DN 'cn="o=NetscapeRoot",cn=mapping tree,cn=config'.
Failed to create the configuration directory server
Exiting . . .

So, it won't process the LDIF files that I created according to the documentation, but if I force the creation of NetscapeRoot so the replica.ldif can be processed, it won't continue because it already exists... Great...

I removed replica_1.ldif, replica.ldif and replagreement.ldif from file.inf and ran this again:

# /usr/sbin/setup-ds-admin -s -f file.inf
[...]
The admin server was successfully started.
Admin server was successfully created, configured, and started.

Then, I manually created a replica and a replica agreement:

/usr/lib/mozldap6/ldapmodify -cvD "cn=Directory manager" -w PASSWD < replica.ldif
/usr/lib/mozldap6/ldapmodify -cvD "cn=Directory manager" -w PASSWD < replagreement.ldif

It went with success.

Now, step 2 from the doc...

The inf file of the second server:

****** file.inf ******

[General]
AdminDomain = EXAMPLE.DOMAIN
SuiteSpotGroup = nobody
ConfigDirectoryLdapURL = ldap://SERVER1 (or SERVER2, doesn't matter, it fails).nl.rsft.net:389/o=NetscapeRoot
ConfigDirectoryAdminID = admin
FullMachineName = SERVER2
SuiteSpotUserID = nobody
ConfigDirectoryAdminPwd = PASS

[admin]
ServerAdminID = admin
ServerAdminPwd = PASS
SysUser = nobody
Port = 9830

[slapd]
InstallLdifFile = suggest
ServerIdentifier = SERVER2
ServerPort = 389
AddOrgEntries = Yes
RootDN = cn=Directory Manager
RootDNPwd = SERVER2
Suffix = dc=EXAMPLE,dc=DOMAIN
UseExistingMC = 0
AddSampleEntries = No
ConfigFile = netscaperootdb.ldif
ConfigFile = repluser.ldif
ConfigFile = changelog.ldif
ConfigFile = replica.ldif
ConfigFile = replagreement.ldif

I won't show repluser.ldif, changelog.ldif, replica.ldif and replagreement.ldif; they are the same as above, except for netscaperootdb.ldif:

****************** netscaperootdb.ldif ******************

dn: cn="o=netscaperoot",cn=mapping tree,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
nsslapd-state: backend
nsslapd-backend: NetscapeRoot
cn: o=NetscapeRoot

I ran the script:

# /usr/sbin/setup-ds.pl -s -f file.inf

There's no error until...

[...]
+importing data ...
[13/Aug/2008:15:30:35 -0400] - dblayer_instance_start: pagesize: 4096, pages: 258922, procpages: 6198 [13/Aug/2008:15:30:35 -0400] - cache autosizing: import cache: 204800k [13/Aug/2008:15:30:35 -0400] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096 [13/Aug/2008:15:30:35 -0400] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database [13/Aug/2008:15:30:35 -0400] - dblayer_instance_start: pagesize: 4096, pages: 258922, procpages: 6198 [13/Aug/2008:15:30:35 -0400] - cache autosizing: import cache: 204800k [13/Aug/2008:15:30:35 -0400] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096 [13/Aug/2008:15:30:36 -0400] - import userRoot: Beginning import job... [13/Aug/2008:15:30:36 -0400] - import userRoot: Index buffering enabled with bucket size 100 [13/Aug/2008:15:30:36 -0400] - import userRoot: Processing file "/tmp/ldifBTMcP9.ldif" [13/Aug/2008:15:30:36 -0400] - import userRoot: Finished scanning file "/tmp/ldifBTMcP9.ldif" (9 entries) [13/Aug/2008:15:30:37 -0400] - import userRoot: Workers finished; cleaning up... [13/Aug/2008:15:30:37 -0400] - import userRoot: Workers cleaned up. [13/Aug/2008:15:30:37 -0400] - import userRoot: Cleaning up producer thread... [13/Aug/2008:15:30:37 -0400] - import userRoot: Indexing complete. Post-processing... [13/Aug/2008:15:30:37 -0400] - import userRoot: Flushing caches... [13/Aug/2008:15:30:37 -0400] - import userRoot: Closing files... [13/Aug/2008:15:30:37 -0400] - All database threads now stopped [13/Aug/2008:15:30:37 -0400] - import userRoot: Import complete. Processed 9 entries in 1 seconds. (9.00 entries/sec) +Starting the server: /usr/lib/dirsrv/slapd-myinstance/start-slapd +Started the server: code 256 Server failed to start !!! 
Please check errors log for problems + Red Hat-Directory/8.0.0 B2007.353.1757 + server2:389 (/etc/dirsrv/slapd-myinstance) + +[13/Aug/2008:15:30:35 -0400] - dblayer_instance_start: pagesize: 4096, pages: 258922, procpages: 6198 +[13/Aug/2008:15:30:35 -0400] - cache autosizing: import cache: 204800k +[13/Aug/2008:15:30:35 -0400] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096 +[13/Aug/2008:15:30:35 -0400] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database +[13/Aug/2008:15:30:35 -0400] - dblayer_instance_start: pagesize: 4096, pages: 258922, procpages: 6198 +[13/Aug/2008:15:30:35 -0400] - cache autosizing: import cache: 204800k +[13/Aug/2008:15:30:35 -0400] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096 +[13/Aug/2008:15:30:36 -0400] - import userRoot: Beginning import job... +[13/Aug/2008:15:30:36 -0400] - import userRoot: Index buffering enabled with bucket size 100 +[13/Aug/2008:15:30:36 -0400] - import userRoot: Processing file "/tmp/ldifBTMcP9.ldif" +[13/Aug/2008:15:30:36 -0400] - import userRoot: Finished scanning file "/tmp/ldifBTMcP9.ldif" (9 entries) +[13/Aug/2008:15:30:37 -0400] - import userRoot: Workers finished; cleaning up... +[13/Aug/2008:15:30:37 -0400] - import userRoot: Workers cleaned up. +[13/Aug/2008:15:30:37 -0400] - import userRoot: Cleaning up producer thread... +[13/Aug/2008:15:30:37 -0400] - import userRoot: Indexing complete. Post-processing... +[13/Aug/2008:15:30:37 -0400] - import userRoot: Flushing caches... +[13/Aug/2008:15:30:37 -0400] - import userRoot: Closing files... +[13/Aug/2008:15:30:37 -0400] - All database threads now stopped +[13/Aug/2008:15:30:37 -0400] - import userRoot: Import complete. Processed 9 entries in 1 seconds. 
(9.00 entries/sec)
+[13/Aug/2008:15starting up
+[13/Aug/2008:15:30:39 -0400] - I'm resizing my cache now...cache was 209715200 and is now 8000000
+[13/Aug/2008:15:30:39 -0400] - Warning: Mapping tree node entry for o=NetscapeRoot point to an unknown backend : NetscapeRoot
+[13/Aug/2008:15:30:40 -0400] - Warning: Mapping tree node entry for o=NetscapeRoot point to an unknown backend : NetscapeRoot
+[13/Aug/2008:15:30:40 -0400] - Warning: Mapping tree node entry for o=NetscapeRoot point to an unknown backend : NetscapeRoot
+[13/Aug/2008:15:30:40 -0400] - Warning: Mapping tree node entry for o=NetscapeRoot point to an unknown backend : NetscapeRoot
+[13/Aug/2008:15:30:40 -0400] - Warning: Mapping tree node entry for o=NetscapeRoot point to an unknown backend : NetscapeRoot
+[13/Aug/2008:15:30:40 -0400] - Warning: Mapping tree node entry for o=NetscapeRoot point to an unknown backend : NetscapeRoot

And it hung. I had to press CTRL-C to get the prompt back.

Well, maybe it's normal.. This server isn't completely installed.

So, step 3 from the doc; I ran it on SERVER1:

# /usr/lib/mozldap6/ldapmodify -cvD "cn=Directory manager" -w PASSWD
ldapmodify-bin: started Wed Aug 13 15:37:03 2008

ldap_init( localhost, 389 )
dn: cn=ExampleAgreement1,cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
changetype: modify
replace: nsds5beginreplicarefresh
nsds5beginreplicarefresh: start

replace nsds5beginreplicarefresh: start
modifying entry cn=ExampleAgreement1,cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
ldap_modify: No such object

This is when I gave up and decided to create the NetscapeRoot replication directly from the Java console. I mean, I installed two LDAP servers, with the second server using the Configuration Server from the first server. The replication works very well between the two servers (only if I set it up from the Java console), but when I want to do step 4 from the doc (create a local Administration Server), it doesn't work: the script 'register-ds-admin.pl' always fails.

Thank you very much for your help!

From benetage at hotmail.com Wed Aug 13 19:59:26 2008
From: benetage at hotmail.com (Mister Anonyme)
Date: Wed, 13 Aug 2008 15:59:26 -0400
Subject: [Fedora-directory-users] Failover issues (PLEASE READ THIS BEFORE REPLYING)
In-Reply-To:
References:
Message-ID:

I made a small mistake. I tried to re-create a scenario of when I tried to create a failover system.

About step 3, the synchronization: instead of sending this command:

dn: cn=ExampleAgreement1,cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
changetype: modify
replace: nsds5beginreplicarefresh
nsds5beginreplicarefresh: start

I sent this:

***************************************
dn: cn=replication_netscaperoot,cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
changetype: modify
replace: nsds5beginreplicarefresh
nsds5beginreplicarefresh: start
***************************************

The result is:

modifying entry cn=replication_netscaperoot,cn=replica,cn="o=Netscaperoot",cn=mapping tree,cn=config
modify complete

Then, the error in the console is: invalid credentials in the 'status' tab, 'replication status'. I can confirm that the credentials are OK because I used the same file repluser.ldif on both servers.

Also, when I try to open the console on SERVER2, I get this error:

Cannot connect to the Admin Server "http://SERVER2:9830/"
The URL is not correct or the server is not running.

I restarted SERVER2 without success.
Thanks From: benetage at hotmail.com To: fedora-directory-users at redhat.com Date: Wed, 13 Aug 2008 15:47:33 -0400 Subject: [Fedora-directory-users] (no subject) > Rich Megginson wrote: >> Mister Anonyme wrote: >> Hi, >> I tried to follow the guidelines here: >> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-ADS-for-Failover.html >> And it doesn't work. > >Can you be more specific? There you go... SERVER1 is first server, SERVER2 is second server (failover) ======================================== First step (from the doc): Install and configure the first Directory Server instance. ======================================== ****** file.inf ****** FullMachineName = SERVER1 AdminDomain = MY DOMAIN NAME SuiteSpotUserID = nobody SuiteSpotGroup = nobody ConfigDirectoryLdapURL = ldap://SERVER1:389/o=NetscapeRoot ConfigDirectoryAdminID = admin ConfigDirectoryAdminPwd = MY PASSWORD [admin] ServerAdminID = admin ServerAdminPwd = MY PASSWORD SysUser = nobody ServerIpAddress = MY SERVER IP ADDRESS Port = 9830 [slapd] InstallLdifFile = suggest ServerIdentifier = SERVER1 ServerPort = 389 AddOrgEntries = Yes RootDN = cn=Directory Manager RootDNPwd = MY DS PASSWORD SlapdConfigForMC = yes Suffix = dc=EXAMPLE, dc=NET UseExistingMC = 0 AddSampleEntries = Yes ConfigFile = repluser.ldif ConfigFile = changelog.ldif ConfigFile = replica.ldif ConfigFile = replagreement.ldif *************** repluser.ldif *************** dn: cn=replication manager,cn=config objectClass: inetorgperson objectClass: person objectClass: top cn: replication manager sn: RM userPassword: MY ENCRYPTED PASSWORD passwordExpirationTime: 20380119031407Z **************** changelog.ldif **************** dn: cn=changelog5,cn=config objectclass: top objectclass: extensibleObject cn: changelog5 nsslapd-changelogdir: /var/lib/dirsrv/slapd-MYINSTANCE/changelogdb ************ replica.ldif ************* dn: cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config objectclass: top 
objectclass: nsds5replica objectclass: extensibleObject cn: replica nsds5replicaroot: o=NetscapeRoot nsds5replicaid: 1 nsds5replicatype: 3 nsds5flags: 1 nsds5ReplicaPurgeDelay: 604800 nsds5ReplicaBindDN: cn=replication manager,cn=config ****************** replagreement.ldif ****************** dn: cn=replication_netscaperoot,cn=replica,cn="o=Netscaperoot",cn=mapping tree,cn=config objectclass: top objectclass: nsds5replicationagreement cn: replication_netscaperoot nsds5replicahost: SECONDARY LDAP SERVER HOSTNAME nsds5replicaport: 389 nsds5ReplicaBindDN: cn=replication manager nsds5replicabindmethod: SIMPLE nsds5replicaroot: o=Netscaperoot description: replication netscaperoot nsds5replicacredentials: ENCRYPTEDPASSWORD nsds5BeginReplicaRefresh: start I run this command: # /usr/sbin/setup-ds-admin -s -f file.inf Here's the log: [...] +Processing repluser.ldif ... +++check_and_add_entry: Entry not found cn=replication manager,cn=config error No such object +Entry cn=replication manager,cn=config is added +Processing changelog.ldif ... +++check_and_add_entry: Entry not found cn=changelog5,cn=config error No such object +Entry cn=changelog5,cn=config is added +Processing replica.ldif ... +++check_and_add_entry: Entry not found cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config error No such object +ERROR: adding an entry cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config failed, error: No such object dn: cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config objectclass: top objectclass: nsds5replica objectclass: extensibleObject cn: replica nsds5replicaroot: o=NetscapeRoot nsds5replicaid: 1 nsds5replicatype: 3 nsds5flags: 1 nsds5replicapurgedelay: 604800 nsds5replicabinddn: cn=replication manager,cn=config +ERROR: There was an error processing entry cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config +Cannot continue processing entries. 
So, I created another file (the documentation didn't mention this so I don't know if it's the 'good' procedure...): ************* replica_1.ldif ************* dn: cn="o=NetscapeRoot",cn=mapping tree,cn=config objectclass: top objectclass: nsMappingTree objectclass: extensibleObject cn: "o=NetscapeRoot" I added just before the replica.ldif in the "file.inf", [slapd] section. Then: # /usr/sbin/setup-ds-admin -s -f file.inf It works well until...: [...] +[13/Aug/2008:15:07:17 -0400] NSMMReplicationPlugin - _replica_configure_ruv: replication broken for entry (o=NetscapeRoot); LDAP error - 1 +[13/Aug/2008:15:07:17 -0400] NSMMReplicationPlugin - Unable to configure replica o=NetscapeRoot: +[13/Aug/2008:15:07:17 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests +Your new directory server has been started. Your new DS instance 'INSTANCENAME' was successfully created. Creating the configuration directory server . . . The suffix 'o=NetscapeRoot' already exists. Config entry DN 'cn="o=NetscapeRoot",cn=mapping tree,cn=config'. Failed to create the configuration directory server Exiting . . . So, it won't process LDIF files that I created according to the documentation, but if I force the creation of NetscapeRoot so the replica.ldif can be processed, it won't continue because it already exists... Great... I removed replica_1.ldif, replica.ldif, replagreement.ldif from file.inf and ran this agan: # /usr/sbin/setup-ds-admin -s -f file.inf [...] The admin server was successfully started. Admin server was successfully created, configured, and started. Then, I manually created a replica and a replica agreement: /usr/lib/mozldap6/ldapmodify -cvD "cn=Directory manager" -w PASSWD < replica.ldif /usr/lib/mozldap6/ldapmodify -cvD "cn=Directory manager" -w PASSWD < replagreement.ldif It went with sucess. Now, step 2 from the doc... 
The inf file of the second server:

******
file.inf
******
[General]
AdminDomain = EXAMPLE.DOMAIN
SuiteSpotGroup = nobody
ConfigDirectoryLdapURL = ldap://SERVER1 (or SERVER2, doesn't matter, it fails).nl.rsft.net:389/o=NetscapeRoot
ConfigDirectoryAdminID = admin
FullMachineName = SERVER2
SuiteSpotUserID = nobody
ConfigDirectoryAdminPwd = PASS

[admin]
ServerAdminID = admin
ServerAdminPwd = PASS
SysUser = nobody
Port = 9830

[slapd]
InstallLdifFile = suggest
ServerIdentifier = SERVER2
ServerPort = 389
AddOrgEntries = Yes
RootDN = cn=Directory Manager
RootDNPwd = SERVER2
Suffix = dc=EXAMPLE,dc=DOMAIN
UseExistingMC = 0
AddSampleEntries = No
ConfigFile = netscaperootdb.ldif
ConfigFile = repluser.ldif
ConfigFile = changelog.ldif
ConfigFile = replica.ldif
ConfigFile = replagreement.ldif

I won't show repluser.ldif, changelog.ldif, replica.ldif and replagreement.ldif, they are the same as above, except for netscaperootdb.ldif:

******************
netscaperootdb.ldif
******************
dn: cn="o=netscaperoot",cn=mapping tree,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
nsslapd-state: backend
nsslapd-backend: NetscapeRoot
cn: o=NetscapeRoot

I ran the script:

# /usr/sbin/setup-ds.pl -s -f file.inf

There's no error until...
[...]
+importing data ...
[13/Aug/2008:15:30:35 -0400] - dblayer_instance_start: pagesize: 4096, pages: 258922, procpages: 6198
[13/Aug/2008:15:30:35 -0400] - cache autosizing: import cache: 204800k
[13/Aug/2008:15:30:35 -0400] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096
[13/Aug/2008:15:30:35 -0400] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[13/Aug/2008:15:30:35 -0400] - dblayer_instance_start: pagesize: 4096, pages: 258922, procpages: 6198
[13/Aug/2008:15:30:35 -0400] - cache autosizing: import cache: 204800k
[13/Aug/2008:15:30:35 -0400] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096
[13/Aug/2008:15:30:36 -0400] - import userRoot: Beginning import job...
[13/Aug/2008:15:30:36 -0400] - import userRoot: Index buffering enabled with bucket size 100
[13/Aug/2008:15:30:36 -0400] - import userRoot: Processing file "/tmp/ldifBTMcP9.ldif"
[13/Aug/2008:15:30:36 -0400] - import userRoot: Finished scanning file "/tmp/ldifBTMcP9.ldif" (9 entries)
[13/Aug/2008:15:30:37 -0400] - import userRoot: Workers finished; cleaning up...
[13/Aug/2008:15:30:37 -0400] - import userRoot: Workers cleaned up.
[13/Aug/2008:15:30:37 -0400] - import userRoot: Cleaning up producer thread...
[13/Aug/2008:15:30:37 -0400] - import userRoot: Indexing complete. Post-processing...
[13/Aug/2008:15:30:37 -0400] - import userRoot: Flushing caches...
[13/Aug/2008:15:30:37 -0400] - import userRoot: Closing files...
[13/Aug/2008:15:30:37 -0400] - All database threads now stopped
[13/Aug/2008:15:30:37 -0400] - import userRoot: Import complete. Processed 9 entries in 1 seconds. (9.00 entries/sec)
+Starting the server: /usr/lib/dirsrv/slapd-myinstance/start-slapd
+Started the server: code 256
Server failed to start !!!
Please check errors log for problems
+ Red Hat-Directory/8.0.0 B2007.353.1757
+ server2:389 (/etc/dirsrv/slapd-myinstance)
+
+[13/Aug/2008:15:30:35 -0400] - dblayer_instance_start: pagesize: 4096, pages: 258922, procpages: 6198
+[13/Aug/2008:15:30:35 -0400] - cache autosizing: import cache: 204800k
+[13/Aug/2008:15:30:35 -0400] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096
+[13/Aug/2008:15:30:35 -0400] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
+[13/Aug/2008:15:30:35 -0400] - dblayer_instance_start: pagesize: 4096, pages: 258922, procpages: 6198
+[13/Aug/2008:15:30:35 -0400] - cache autosizing: import cache: 204800k
+[13/Aug/2008:15:30:35 -0400] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096
+[13/Aug/2008:15:30:36 -0400] - import userRoot: Beginning import job...
+[13/Aug/2008:15:30:36 -0400] - import userRoot: Index buffering enabled with bucket size 100
+[13/Aug/2008:15:30:36 -0400] - import userRoot: Processing file "/tmp/ldifBTMcP9.ldif"
+[13/Aug/2008:15:30:36 -0400] - import userRoot: Finished scanning file "/tmp/ldifBTMcP9.ldif" (9 entries)
+[13/Aug/2008:15:30:37 -0400] - import userRoot: Workers finished; cleaning up...
+[13/Aug/2008:15:30:37 -0400] - import userRoot: Workers cleaned up.
+[13/Aug/2008:15:30:37 -0400] - import userRoot: Cleaning up producer thread...
+[13/Aug/2008:15:30:37 -0400] - import userRoot: Indexing complete. Post-processing...
+[13/Aug/2008:15:30:37 -0400] - import userRoot: Flushing caches...
+[13/Aug/2008:15:30:37 -0400] - import userRoot: Closing files...
+[13/Aug/2008:15:30:37 -0400] - All database threads now stopped
+[13/Aug/2008:15:30:37 -0400] - import userRoot: Import complete. Processed 9 entries in 1 seconds.
(9.00 entries/sec)
+[13/Aug/2008:15starting up
+[13/Aug/2008:15:30:39 -0400] - I'm resizing my cache now...cache was 209715200 and is now 8000000
+[13/Aug/2008:15:30:39 -0400] - Warning: Mapping tree node entry for o=NetscapeRoot point to an unknown backend : NetscapeRoot
+[13/Aug/2008:15:30:40 -0400] - Warning: Mapping tree node entry for o=NetscapeRoot point to an unknown backend : NetscapeRoot
+[13/Aug/2008:15:30:40 -0400] - Warning: Mapping tree node entry for o=NetscapeRoot point to an unknown backend : NetscapeRoot
+[13/Aug/2008:15:30:40 -0400] - Warning: Mapping tree node entry for o=NetscapeRoot point to an unknown backend : NetscapeRoot
+[13/Aug/2008:15:30:40 -0400] - Warning: Mapping tree node entry for o=NetscapeRoot point to an unknown backend : NetscapeRoot
+[13/Aug/2008:15:30:40 -0400] - Warning: Mapping tree node entry for o=NetscapeRoot point to an unknown backend : NetscapeRoot

And it hung. I had to press CTRL-C to get the prompt back. Well, maybe it's normal... This server isn't completely installed.

So, step 3 from the doc, I ran it on SERVER1:

# /usr/lib/mozldap6/ldapmodify -cvD "cn=Directory manager" -w PASSWD
ldapmodify-bin: started Wed Aug 13 15:37:03 2008

ldap_init( localhost, 389 )
dn: cn=ExampleAgreement1,cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
changetype: modify
replace: nsds5beginreplicarefresh
nsds5beginreplicarefresh: start
replace nsds5beginreplicarefresh:
        start
modifying entry cn=ExampleAgreement1,cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
ldap_modify: No such object

This is when I gave up and decided to create the NetscapeRoot replication directly from the Java console. I mean, I installed two LDAP servers, with the second server using the Configuration Server from the first server.
The replication works very well between the two servers (only if I set it up from the Java console) but when I want to do step 4 from the doc (create local Administration Server), it doesn't work, the script 'register-ds-admin.pl' always fails.

Thank you very much for your help!

From rmeggins at redhat.com Wed Aug 13 20:03:31 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 13 Aug 2008 14:03:31 -0600
Subject: [Fedora-directory-users] (no subject)
In-Reply-To:
References:
Message-ID: <48A33E13.2080409@redhat.com>

Mister Anonyme wrote:
>
> Rich Megginson wrote:
>
> >> Mister Anonyme wrote:
> >> Hi,
> >> I tried to follow the guidelines here:
> >> > http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-ADS-for-Failover.html
> >> And it doesn't work.
> >
> >Can you be more specific?
>
> There you go...
>
> SERVER1 is first server, SERVER2 is second server (failover)
>
> ========================================
> First step (from the doc): Install and configure the first Directory Server instance.
> ========================================
>
> ******
> file.inf
> ******
> FullMachineName = SERVER1
> AdminDomain = MY DOMAIN NAME
> SuiteSpotUserID = nobody
> SuiteSpotGroup = nobody
> ConfigDirectoryLdapURL = ldap://SERVER1:389/o=NetscapeRoot
> ConfigDirectoryAdminID = admin
> ConfigDirectoryAdminPwd = MY PASSWORD
>
>
> [admin]
> ServerAdminID = admin
> ServerAdminPwd = MY PASSWORD
> SysUser = nobody
> ServerIpAddress = MY SERVER IP ADDRESS
> Port = 9830
>
> [slapd]
> InstallLdifFile = suggest
> ServerIdentifier = SERVER1
> ServerPort = 389
> AddOrgEntries = Yes
> RootDN = cn=Directory Manager
> RootDNPwd = MY DS PASSWORD
> SlapdConfigForMC = yes
> Suffix = dc=EXAMPLE, dc=NET
> UseExistingMC = 0
> AddSampleEntries = Yes
> ConfigFile = repluser.ldif
> ConfigFile = changelog.ldif
> ConfigFile = replica.ldif
> ConfigFile = replagreement.ldif
>
> ***************
> repluser.ldif
> ***************
> dn: cn=replication manager,cn=config
> objectClass: inetorgperson
> objectClass: person
> objectClass: top
> cn: replication manager
> sn: RM
> userPassword: MY ENCRYPTED PASSWORD
> passwordExpirationTime: 20380119031407Z
>
> ****************
> changelog.ldif
> ****************
> dn: cn=changelog5,cn=config
> objectclass: top
> objectclass: extensibleObject
> cn: changelog5
> nsslapd-changelogdir: /var/lib/dirsrv/slapd-MYINSTANCE/changelogdb
>
>
> ************
> replica.ldif
> *************
> dn: cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
> objectclass: top
> objectclass: nsds5replica
> objectclass: extensibleObject
> cn: replica
> nsds5replicaroot: o=NetscapeRoot
> nsds5replicaid: 1
> nsds5replicatype: 3
> nsds5flags: 1
> nsds5ReplicaPurgeDelay: 604800
> nsds5ReplicaBindDN: cn=replication manager,cn=config
>
>
> ******************
> replagreement.ldif
> ******************
> dn: cn=replication_netscaperoot,cn=replica,cn="o=Netscaperoot",cn=mapping tree,cn=config
> objectclass: top
> objectclass: nsds5replicationagreement
> cn: replication_netscaperoot
> nsds5replicahost: SECONDARY LDAP SERVER HOSTNAME
> nsds5replicaport: 389
> nsds5ReplicaBindDN: cn=replication manager
> nsds5replicabindmethod: SIMPLE
> nsds5replicaroot: o=Netscaperoot
> description: replication netscaperoot
> nsds5replicacredentials: ENCRYPTEDPASSWORD
> nsds5BeginReplicaRefresh: start
>
> I run this command:
>
>
> # /usr/sbin/setup-ds-admin -s -f file.inf
>
>
> Here's the log:
> [...]
> +Processing repluser.ldif ...
> +++check_and_add_entry: Entry not found cn=replication manager,cn=config error No such object
> +Entry cn=replication manager,cn=config is added
>
> +Processing changelog.ldif ...
> +++check_and_add_entry: Entry not found cn=changelog5,cn=config error No such object
> +Entry cn=changelog5,cn=config is added
>
> +Processing replica.ldif ...
> +++check_and_add_entry: Entry not found cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config error No such object
> +ERROR: adding an entry cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config failed, error: No such object
> dn: cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
> objectclass: top
> objectclass: nsds5replica
> objectclass: extensibleObject
> cn: replica
> nsds5replicaroot: o=NetscapeRoot
> nsds5replicaid: 1
> nsds5replicatype: 3
> nsds5flags: 1
> nsds5replicapurgedelay: 604800
> nsds5replicabinddn: cn=replication manager,cn=config
>
> +ERROR: There was an error processing entry cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
> +Cannot continue processing entries.
>
>
> So, I created another file (the documentation didn't mention this so I don't know if it's the 'good' procedure...):

I think it is mentioned in the documentation.
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-ADS-for-Failover.html
"2. Install and configure the second Directory Server instance.
For the second server, |server2.example.com|, use the |setup-ds.pl| command, which installs a Directory Server instance without installing a local Administration Server. "

Which is what you did below anyway. However, there is a doc bug:
"ConfigFile = netscaperootdb.ldif example suffix entry"
This links to an example of the suffix only, which is what you did below - the ldif only creates the suffix, not the associated database.

The LDIF file should contain this:

dn: cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
nsslapd-suffix: o=NetscapeRoot
cn: NetscapeRoot

dn: cn=encrypted attribute keys,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: encrypted attributes keys

dn: cn=encrypted attributes,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: encrypted attributes

dn: cn="o=NetscapeRoot",cn=mapping tree,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
cn: "o=NetscapeRoot"
nsslapd-state: backend
nsslapd-backend: NetscapeRoot

>
> *************
> replica_1.ldif
> *************
> dn: cn="o=NetscapeRoot",cn=mapping tree,cn=config
> objectclass: top
> objectclass: nsMappingTree
> objectclass: extensibleObject
> cn: "o=NetscapeRoot"
>
>
> I added it just before the replica.ldif in the "file.inf", [slapd] section.
>
> Then:
>
> # /usr/sbin/setup-ds-admin -s -f file.inf
>
> It works well until...:
> [...]
> +[13/Aug/2008:15:07:17 -0400] NSMMReplicationPlugin - _replica_configure_ruv: replication broken for entry (o=NetscapeRoot); LDAP error - 1
> +[13/Aug/2008:15:07:17 -0400] NSMMReplicationPlugin - Unable to configure replica o=NetscapeRoot:
> +[13/Aug/2008:15:07:17 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> +Your new directory server has been started.
> Your new DS instance 'INSTANCENAME' was successfully created.
> Creating the configuration directory server . . .
> The suffix 'o=NetscapeRoot' already exists. Config entry DN 'cn="o=NetscapeRoot",cn=mapping tree,cn=config'.
>
> Failed to create the configuration directory server
> Exiting . . .
>
> So, it won't process LDIF files that I created according to the documentation, but if I force the creation of NetscapeRoot so the replica.ldif can be processed, it won't continue because it already exists...
>
> Great...
>
> I removed replica_1.ldif, replica.ldif, replagreement.ldif from file.inf and ran this again:
>
> # /usr/sbin/setup-ds-admin -s -f file.inf
>
> [...]
> The admin server was successfully started.
> Admin server was successfully created, configured, and started.
>
> Then, I manually created a replica and a replica agreement:
>
> /usr/lib/mozldap6/ldapmodify -cvD "cn=Directory manager" -w PASSWD < replica.ldif
> /usr/lib/mozldap6/ldapmodify -cvD "cn=Directory manager" -w PASSWD < replagreement.ldif
>
> It went with success.
>
> Now, step 2 from the doc...
>
> The inf file of the second server:
>
> ******
> file.inf
> ******
> [General]
> AdminDomain = EXAMPLE.DOMAIN
> SuiteSpotGroup = nobody
> ConfigDirectoryLdapURL = ldap://SERVER1 (or SERVER2, doesn't matter, it fails).nl.rsft.net:389/o=NetscapeRoot
> ConfigDirectoryAdminID = admin
> FullMachineName = SERVER2
> SuiteSpotUserID = nobody
> ConfigDirectoryAdminPwd = PASS
>
> [admin]
> ServerAdminID = admin
> ServerAdminPwd = PASS
> SysUser = nobody
> Port = 9830
>
>
> [slapd]
> InstallLdifFile = suggest
> ServerIdentifier = SERVER2
> ServerPort = 389
> AddOrgEntries = Yes
> RootDN = cn=Directory Manager
> RootDNPwd = SERVER2
> Suffix = dc=EXAMPLE,dc=DOMAIN
> UseExistingMC = 0
> AddSampleEntries = No
> ConfigFile = netscaperootdb.ldif
> ConfigFile = repluser.ldif
> ConfigFile = changelog.ldif
> ConfigFile = replica.ldif
> ConfigFile = replagreement.ldif
>
>
> I won't show repluser.ldif, changelog.ldif, replica.ldif and replagreement.ldif, they are the same as above, except for netscaperootdb.ldif:
>
> ******************
> netscaperootdb.ldif
> ******************
> dn: cn="o=netscaperoot",cn=mapping tree,cn=config
> objectclass: top
> objectclass: extensibleObject
> objectclass: nsMappingTree
> nsslapd-state: backend
> nsslapd-backend: NetscapeRoot
> cn: o=NetscapeRoot
>
>
> I ran the script:
>
> # /usr/sbin/setup-ds.pl -s -f file.inf
>
> There's no error until...
> [...]
> +importing data ...
> [13/Aug/2008:15:30:35 -0400] - dblayer_instance_start: pagesize: 4096, pages: 258922, procpages: 6198
> [13/Aug/2008:15:30:35 -0400] - cache autosizing: import cache: 204800k
> [13/Aug/2008:15:30:35 -0400] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096
> [13/Aug/2008:15:30:35 -0400] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
> [13/Aug/2008:15:30:35 -0400] - dblayer_instance_start: pagesize: 4096, pages: 258922, procpages: 6198
> [13/Aug/2008:15:30:35 -0400] - cache autosizing: import cache: 204800k
> [13/Aug/2008:15:30:35 -0400] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096
> [13/Aug/2008:15:30:36 -0400] - import userRoot: Beginning import job...
> [13/Aug/2008:15:30:36 -0400] - import userRoot: Index buffering enabled with bucket size 100
> [13/Aug/2008:15:30:36 -0400] - import userRoot: Processing file "/tmp/ldifBTMcP9.ldif"
> [13/Aug/2008:15:30:36 -0400] - import userRoot: Finished scanning file "/tmp/ldifBTMcP9.ldif" (9 entries)
> [13/Aug/2008:15:30:37 -0400] - import userRoot: Workers finished; cleaning up...
> [13/Aug/2008:15:30:37 -0400] - import userRoot: Workers cleaned up.
> [13/Aug/2008:15:30:37 -0400] - import userRoot: Cleaning up producer thread...
> [13/Aug/2008:15:30:37 -0400] - import userRoot: Indexing complete. Post-processing...
> [13/Aug/2008:15:30:37 -0400] - import userRoot: Flushing caches...
> [13/Aug/2008:15:30:37 -0400] - import userRoot: Closing files...
> [13/Aug/2008:15:30:37 -0400] - All database threads now stopped
> [13/Aug/2008:15:30:37 -0400] - import userRoot: Import complete. Processed 9 entries in 1 seconds. (9.00 entries/sec)
> +Starting the server: /usr/lib/dirsrv/slapd-myinstance/start-slapd
> +Started the server: code 256
> Server failed to start !!!
> Please check errors log for problems
> + Red Hat-Directory/8.0.0 B2007.353.1757
> + server2:389 (/etc/dirsrv/slapd-myinstance)
> +
> +[13/Aug/2008:15:30:35 -0400] - dblayer_instance_start: pagesize: 4096, pages: 258922, procpages: 6198
> +[13/Aug/2008:15:30:35 -0400] - cache autosizing: import cache: 204800k
> +[13/Aug/2008:15:30:35 -0400] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096
> +[13/Aug/2008:15:30:35 -0400] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
> +[13/Aug/2008:15:30:35 -0400] - dblayer_instance_start: pagesize: 4096, pages: 258922, procpages: 6198
> +[13/Aug/2008:15:30:35 -0400] - cache autosizing: import cache: 204800k
> +[13/Aug/2008:15:30:35 -0400] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096
> +[13/Aug/2008:15:30:36 -0400] - import userRoot: Beginning import job...
> +[13/Aug/2008:15:30:36 -0400] - import userRoot: Index buffering enabled with bucket size 100
> +[13/Aug/2008:15:30:36 -0400] - import userRoot: Processing file "/tmp/ldifBTMcP9.ldif"
> +[13/Aug/2008:15:30:36 -0400] - import userRoot: Finished scanning file "/tmp/ldifBTMcP9.ldif" (9 entries)
> +[13/Aug/2008:15:30:37 -0400] - import userRoot: Workers finished; cleaning up...
> +[13/Aug/2008:15:30:37 -0400] - import userRoot: Workers cleaned up.
> +[13/Aug/2008:15:30:37 -0400] - import userRoot: Cleaning up producer thread...
> +[13/Aug/2008:15:30:37 -0400] - import userRoot: Indexing complete. Post-processing...
> +[13/Aug/2008:15:30:37 -0400] - import userRoot: Flushing caches...
> +[13/Aug/2008:15:30:37 -0400] - import userRoot: Closing files...
> +[13/Aug/2008:15:30:37 -0400] - All database threads now stopped
> +[13/Aug/2008:15:30:37 -0400] - import userRoot: Import complete. Processed 9 entries in 1 seconds.
> (9.00 entries/sec)
> +[13/Aug/2008:15starting up
> +[13/Aug/2008:15:30:39 -0400] - I'm resizing my cache now...cache was 209715200 and is now 8000000
> +[13/Aug/2008:15:30:39 -0400] - Warning: Mapping tree node entry for o=NetscapeRoot point to an unknown backend : NetscapeRoot
> +[13/Aug/2008:15:30:40 -0400] - Warning: Mapping tree node entry for o=NetscapeRoot point to an unknown backend : NetscapeRoot
> +[13/Aug/2008:15:30:40 -0400] - Warning: Mapping tree node entry for o=NetscapeRoot point to an unknown backend : NetscapeRoot
> +[13/Aug/2008:15:30:40 -0400] - Warning: Mapping tree node entry for o=NetscapeRoot point to an unknown backend : NetscapeRoot
> +[13/Aug/2008:15:30:40 -0400] - Warning: Mapping tree node entry for o=NetscapeRoot point to an unknown backend : NetscapeRoot
> +[13/Aug/2008:15:30:40 -0400] - Warning: Mapping tree node entry for o=NetscapeRoot point to an unknown backend : NetscapeRoot
>
>
> And it hung. I had to press CTRL-C to get the prompt back. Well, maybe it's normal... This server isn't completely installed.
>
> So, step 3 from the doc, I ran it on SERVER1:
>
> # /usr/lib/mozldap6/ldapmodify -cvD "cn=Directory manager" -w PASSWD
> ldapmodify-bin: started Wed Aug 13 15:37:03 2008
>
> ldap_init( localhost, 389 )
> dn: cn=ExampleAgreement1,cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
> changetype: modify
> replace: nsds5beginreplicarefresh
> nsds5beginreplicarefresh: start
> replace nsds5beginreplicarefresh:
>         start
> modifying entry cn=ExampleAgreement1,cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
> ldap_modify: No such object
>
> This is when I gave up and decided to create the NetscapeRoot replication directly from the Java console. I mean, I installed two LDAP servers, with the second server using the Configuration Server from the first server.
>
> The replication works very well between the two servers (only if I set it up from the Java console) but when I want to do step 4 from the doc (create local Administration Server), it doesn't work, the script 'register-ds-admin.pl' always fails.
>
> Thank you very much for your help!
>

From vipulramani at gmail.com Wed Aug 13 20:29:08 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Wed, 13 Aug 2008 13:29:08 -0700
Subject: [Fedora-directory-users] FDS and Active directory Sync
Message-ID:

HI All,

I am trying to sync FDS and ADC. I have done everything in
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Step_1_Configure_SSL

But somehow it does not work....

I am getting errors in the FDS error log...

5/May/2008:07:45:42 -0400] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error -5938 - Encountered end of file.)
[15/May/2008:07:46:30 -0400] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error -5938 - Encountered end of file.)
[15/May/2008:07:48:06 -0400] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error -5938 - Encountered end of file.)
[15/May/2008:07:51:18 -0400] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error -5938 - Encountered end of file.)
[15/May/2008:07:56:18 -0400] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error -5938 - Encountered end of file.)
[15/May/2008:08:01:18 -0400] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error -5938 - Encountered end of file.)

from passsync.log
---------------
Ldap bind error in Connect
81:Can't connect to LDAP Server
Can not connect to ldap server in syncPasswords
-------------------------

--
Regards

Vipul Ramani

From rmeggins at redhat.com Wed Aug 13 20:35:18 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 13 Aug 2008 14:35:18 -0600
Subject: [Fedora-directory-users] FDS and Active directory Sync
In-Reply-To:
References:
Message-ID: <48A34586.5070002@redhat.com>

Vipul Ramani wrote:
>
> HI All,
>
> I am trying to sync FDS and ADC. I have done everything in
>
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Step_1_Configure_SSL
>
> But somehow it does not work....
>
> I am getting errors in the FDS error log...
>
> 5/May/2008:07:45:42 -0400] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error -5938 - Encountered end of file.)
> [15/May/2008:07:46:30 -0400] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error -5938 - Encountered end of file.)
> [15/May/2008:07:48:06 -0400] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error -5938 - Encountered end of file.)
> [15/May/2008:07:51:18 -0400] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error -5938 - Encountered end of file.)
> [15/May/2008:07:56:18 -0400] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error -5938 - Encountered end of file.)
> [15/May/2008:08:01:18 -0400] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error -5938 - Encountered end of file.)

Looks like you're attempting to do client cert based auth? You probably want to just do simple password auth over SSL.

>
>
> from passsync.log
> ---------------
> Ldap bind error in Connect
> 81:Can't connect to LDAP Server
> Can not connect to ldap server in syncPasswords
>
> -------------------------
>
> --
> Regards
>
> Vipul Ramani
>

From benetage at hotmail.com Wed Aug 13 20:51:47 2008
From: benetage at hotmail.com (Mister Anonyme)
Date: Wed, 13 Aug 2008 16:51:47 -0400
Subject: [Fedora-directory-users] (no subject)
In-Reply-To: <48A33E13.2080409@redhat.com>
References: <48A33E13.2080409@redhat.com>
Message-ID:

> Date: Wed, 13 Aug 2008 14:03:31 -0600
> From: rmeggins at redhat.com
> To: fedora-directory-users at redhat.com
> Subject: Re: [Fedora-directory-users] (no subject)

> I think it is mentioned in the documentation.
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-ADS-for-Failover.html
> "2. Install and configure the second Directory Server instance. For the
> second server, |server2.example.com|, use the |setup-ds.pl| command,
> which installs a Directory Server instance without installing a local
> Administration Server. "
>
> Which is what you did below anyway.
> However, there is a doc bug:
> "ConfigFile = netscaperootdb.ldif example suffix entry"
> This links to an example of the suffix only, which is what you did below
> - the ldif only creates the suffix, not the associated database.
>
> The LDIF file should contain this:
>
> dn: cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
> objectclass: top
> objectclass: extensibleObject
> objectclass: nsBackendInstance
> nsslapd-suffix: o=NetscapeRoot
> cn: NetscapeRoot
>
> dn: cn=encrypted attribute keys,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: encrypted attributes keys
>
> dn: cn=encrypted attributes,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: encrypted attributes
>
> dn: cn="o=NetscapeRoot",cn=mapping tree,cn=config
> objectclass: top
> objectclass: extensibleObject
> objectclass: nsMappingTree
> cn: "o=NetscapeRoot"
> nsslapd-state: backend
> nsslapd-backend: NetscapeRoot

Great! It fixed the issue.

I was also able to synchronize between two servers.

But, when I execute the register-ds-admin.pl (step 4), I have this:

# /usr/sbin/register-ds-admin.pl
Beginning registration of the Directory Server
==============================================================================
The Directory Server locates its configuration file (dse.ldif) at /etc/dirsrv/slapd-ID, by default. If you have Directory Server(s) which configuration file is put at the other location, you need to input it to register the server.

If you have such Directory Server, type the full path that stores the configuration file.

If you don't, type return.
[configuration directory path or return]:


==============================================================================
Candidate servers to register:
/etc/dirsrv/slapd-myinstance

==============================================================================
Do you want to use this server as Configuration Directory Server?
Directory server identifier [myinstance]:

==============================================================================
The server must run as a specific user in a specific group. It is strongly recommended that this user should have no privileges on the computer (i.e. a non-root user). The setup procedure will give this user/group some permissions in specific paths/files to perform server-specific operations.

If you have not yet created a user and group for the server, create this user and group using your native operating system utilities.

System User [nobody]:
System Group [nobody]:

==============================================================================
Please specify the information about your configuration directory server. The following information is required:
- host (fully qualified), port (non-secure or secure), suffix, protocol (ldap or ldaps) - this information should be provided in the form of an LDAP url e.g.
  for non-secure ldap://host.example.com:389/o=NetscapeRoot
  or for secure ldaps://host.example.com:636/o=NetscapeRoot
- admin ID and password
- admin domain
- a CA certificate file may be required if you choose to use ldaps and security has not yet been configured - the file must be in PEM/ASCII format - specify the absolute path and filename

Configuration directory server URL [ldap://SERVER2:389/o=NetscapeRoot]:
Configuration directory server admin ID [admin]:
Configuration directory server admin password:
Configuration directory server admin password (confirm):
Configuration directory server admin domain [DOMAIN]: DOMAIN

==============================================================================
The information stored in the configuration directory server can be separated into different Administration Domains. If you are managing multiple software releases at the same time, or managing information about multiple domains, you may use the Administration Domain to keep them separate.

If you are not using administrative domains, press Enter to select the default. Otherwise, enter some descriptive, unique name for the administration domain, such as the name of the organization responsible for managing the domain.

Administration Domain [DOMAIN]:

==============================================================================
The Administration Server is separate from any of your web or application servers since it listens to a different port and access to it is restricted.

Pick a port number between 1024 and 65535 to run your Administration Server on. You should NOT use a port number which you plan to run a web or application server on, rather, select a number which you will remember and which will not be used for anything else.
Administration port [9830]: ============================================================================== Registering new Config DS: SERVER2 ============================================================================== Input the Directory Server password on the server SERVER2: Error: failed to register the configuration server info to the Configuration Directory Server SERVER2. _________________________________________________________________ Find hidden words, unscramble celebrity names, or try the ultimate crossword puzzle with Live Search Games. Play now! http://g.msn.ca/ca55/212 -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Wed Aug 13 20:57:59 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 13 Aug 2008 14:57:59 -0600 Subject: [Fedora-directory-users] (no subject) In-Reply-To: References: <48A33E13.2080409@redhat.com> Message-ID: <48A34AD7.9050403@redhat.com> Mister Anonyme wrote: > > Date: Wed, 13 Aug 2008 14:03:31 -0600 > > From: rmeggins at redhat.com > > To: fedora-directory-users at redhat.com > > Subject: Re: [Fedora-directory-users] (no subject) > > > I think it is mentioned in the documentation. > > > http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-ADS-for-Failover.html > > "2. Install and configure the second Directory Server instance. For the > > second server, |server2.example.com|, use the |setup-ds.pl| command, > > which installs a Directory Server instance without installing a local > > Administration Server. " > > > > Which is what you did below anyway. However, there is a doc bug: > > "ConfigFile = netscaperootdb.ldif example suffix entry" > > This links to an example of the suffix only, which is what you did > below > > - the ldif only creates the suffix, not the associated database. 
> >
> > The LDIF file should contain this:
> >
> > dn: cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
> > objectclass: top
> > objectclass: extensibleObject
> > objectclass: nsBackendInstance
> > nsslapd-suffix: o=NetscapeRoot
> > cn: NetscapeRoot
> >
> > dn: cn=encrypted attribute keys,cn=NetscapeRoot,cn=ldbm
> > database,cn=plugins,cn=config
> > objectClass: top
> > objectClass: extensibleObject
> > cn: encrypted attributes keys
> >
> > dn: cn=encrypted attributes,cn=NetscapeRoot,cn=ldbm
> > database,cn=plugins,cn=config
> > objectClass: top
> > objectClass: extensibleObject
> > cn: encrypted attributes
> >
> > dn: cn="o=NetscapeRoot",cn=mapping tree,cn=config
> > objectclass: top
> > objectclass: extensibleObject
> > objectclass: nsMappingTree
> > cn: "o=NetscapeRoot"
> > nsslapd-state: backend
> > nsslapd-backend: NetscapeRoot
>
> Great! It fixed the issue.
>
> I was also able to synchronize between two servers.
>
> But, when I execute the register-ds-admin.pl (step 4), I have this:
>
> # /usr/sbin/register-ds-admin.pl
> Beginning registration of the Directory Server
> ==============================================================================
> The Directory Server locates its configuration file (dse.ldif) at
> /etc/dirsrv/slapd-ID, by default. If you have Directory Server(s)
> which configuration file is put at the other location, you need to
> input it to register the server.
>
> If you have such Directory Server, type the full path that stores the
> configuration file.
>
> If you don't, type return.
> [configuration directory path or return]:
>
>
> ==============================================================================
> Candidate servers to register:
> /etc/dirsrv/slapd-myinstance
>
> ==============================================================================
> Do you want to use this server as Configuration Directory Server?
>
> Directory server identifier [myinstance]:
>
> ==============================================================================
> The server must run as a specific user in a specific group.
> It is strongly recommended that this user should have no privileges
> on the computer (i.e. a non-root user). The setup procedure
> will give this user/group some permissions in specific paths/files
> to perform server-specific operations.
>
> If you have not yet created a user and group for the server,
> create this user and group using your native operating
> system utilities.
>
> System User [nobody]:
> System Group [nobody]:
>
> ==============================================================================
> Please specify the information about your configuration directory
> server. The following information is required:
> - host (fully qualified), port (non-secure or secure), suffix,
> protocol (ldap or ldaps) - this information should be provided in the
> form of an LDAP url e.g. for non-secure
> ldap://host.example.com:389/o=NetscapeRoot
> or for secure
> ldaps://host.example.com:636/o=NetscapeRoot
> - admin ID and password
> - admin domain
> - a CA certificate file may be required if you choose to use ldaps and
> security has not yet been configured - the file must be in PEM/ASCII
> format - specify the absolute path and filename
>
> Configuration directory server URL [ldap://SERVER2:389/o=NetscapeRoot]:
> Configuration directory server admin ID [admin]:
> Configuration directory server admin password:
> Configuration directory server admin password (confirm):
> Configuration directory server admin domain [DOMAIN]: DOMAIN
>
> ==============================================================================
> The information stored in the configuration directory server can be
> separated into different Administration Domains. If you are managing
> multiple software releases at the same time, or managing information
> about multiple domains, you may use the Administration Domain to keep
> them separate.
>
> If you are not using administrative domains, press Enter to select the
> default. Otherwise, enter some descriptive, unique name for the
> administration domain, such as the name of the organization
> responsible for managing the domain.
>
> Administration Domain [DOMAIN]:
>
> ==============================================================================
> The Administration Server is separate from any of your web or application
> servers since it listens to a different port and access to it is
> restricted.
>
> Pick a port number between 1024 and 65535 to run your Administration
> Server on. You should NOT use a port number which you plan to
> run a web or application server on, rather, select a number which you
> will remember and which will not be used for anything else.
>
> Administration port [9830]:
>
> ==============================================================================
> Registering new Config DS: SERVER2
>
> ==============================================================================
> Input the Directory Server password on the server SERVER2:
> Error: failed to register the configuration server info to the
> Configuration Directory Server SERVER2.
Hmm - not sure. Either earlier attempts have broken something past the
point of repair, or there is a bug in register-ds-admin.pl - maybe it
expects o=NetscapeRoot to not already exist? But then the setup step
earlier would fail without it. Try register-ds-admin.pl -ddd
>
>
>
> ------------------------------------------------------------------------
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From vipulramani at gmail.com Wed Aug 13 21:17:11 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Wed, 13 Aug 2008 14:17:11 -0700
Subject: [Fedora-directory-users] Re: FDS and Active directory Sync
In-Reply-To:
References:
Message-ID:

Can you suggest me good documentation.

I have query
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Step_1_Configure_SSL

-------

1. Create a new cert8.db and key.db using certutil.exe on the *Password Sync* machine.

certutil.exe -d . -N
ln -s slapd-*serverID*-cert8.db cert8.db
ln -s slapd-*serverID*-key3.db key3.db

this procedure is creating so much confusion ...

- 1st what to do once new cert8.db and key.db are created on windows ADC box
- 2nd ln is not part of windows ???

* I changed it ..but now i am getting this error ... *

NSMMReplicationPlugin - agmt="cn=adc" (192:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -5938 (Encountered end of file.)

On Wed, Aug 13, 2008 at 1:29 PM, Vipul Ramani wrote:

>
> HI All,
>
> I am trying to sync FDS and ADC. I have done everything
>
>
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Step_1_Configure_SSL
>
> But some how it does not work ....
>
> i am getting error in FDS error log...
>
> 5/May/2008:07:45:42 -0400] - SSL alert:
> ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error
> -5938 - Encountered end of file.)
> [15/May/2008:07:46:30 -0400] - SSL alert:
> ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error
> -5938 - Encountered end of file.)
> [15/May/2008:07:48:06 -0400] - SSL alert:
> ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error
> -5938 - Encountered end of file.)
> [15/May/2008:07:51:18 -0400] - SSL alert:
> ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error
> -5938 - Encountered end of file.)
> [15/May/2008:07:56:18 -0400] - SSL alert:
> ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error
> -5938 - Encountered end of file.)
> [15/May/2008:08:01:18 -0400] - SSL alert:
> ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable Runtime error
> -5938 - Encountered end of file.)
>
>
> from passsync.log
> ---------------
> Ldap bind error in Connect
> 81:Can't connect to LDAP Server
> Can not connect to ldap server in syncPasswords
>
> -------------------------
>
> --
> Regards
>
> Vipul Ramani
>
>

--
Regards

Vipul Ramani

From rmeggins at redhat.com Wed Aug 13 21:28:17 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 13 Aug 2008 15:28:17 -0600
Subject: [Fedora-directory-users] Re: FDS and Active directory Sync
In-Reply-To:
References:
Message-ID: <48A351F1.7040600@redhat.com>

Vipul Ramani wrote:
>
>
> Can you suggest me good documentation.
>
> I have query
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Step_1_Configure_SSL
>
> -------
>
> 1.
>
> Create a new |cert8.db| and |key.db| using |certutil.exe| on the
> *Password Sync* machine.
>
> certutil.exe -d . -N
> ln -s slapd-/|serverID|/-cert8.db cert8.db
> ln -s slapd-/|serverID|/-key3.db key3.db
>
>
>
> this procedure is creating so much confusion ...
>
>
> - 1st what to do once new cert8.db and key.db are created on windows
> ADC box
> - 2nd ln is not part of windows ???
Looks like a doc bug. You don't need to do the ln steps.
>
> *
> I changed it ..but now i am getting this error ... *
>
>
> NSMMReplicationPlugin - agmt="cn=adc" (192:636): Simple bind failed,
> LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable
> Runtime error -5938 (Encountered end of file.)
Has the active directory been configured to use SSL?
>
>
> On Wed, Aug 13, 2008 at 1:29 PM, Vipul Ramani
> wrote:
>
>
> HI All,
>
> I am trying to sync FDS and ADC. I have done everything
>
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Step_1_Configure_SSL
>
> But some how it does not work ....
>
> i am getting error in FDS error log...
>
> 5/May/2008:07:45:42 -0400] - SSL alert:
> ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable
> Runtime error -5938 - Encountered end of file.)
> [15/May/2008:07:46:30 -0400] - SSL alert:
> ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable
> Runtime error -5938 - Encountered end of file.)
> [15/May/2008:07:48:06 -0400] - SSL alert:
> ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable
> Runtime error -5938 - Encountered end of file.)
> [15/May/2008:07:51:18 -0400] - SSL alert:
> ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable
> Runtime error -5938 - Encountered end of file.)
> [15/May/2008:07:56:18 -0400] - SSL alert:
> ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable
> Runtime error -5938 - Encountered end of file.)
> [15/May/2008:08:01:18 -0400] - SSL alert:
> ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape Portable
> Runtime error -5938 - Encountered end of file.)
>
>
> from passsync.log
> ---------------
> Ldap bind error in Connect
> 81:Can't connect to LDAP Server
> Can not connect to ldap server in syncPasswords
>
> -------------------------
>
> --
> Regards
>
> Vipul Ramani
>
>
>
>
> --
> Regards
>
> Vipul Ramani
>
> ------------------------------------------------------------------------
>

From vipulramani at gmail.com Wed Aug 13 21:39:52 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Wed, 13 Aug 2008 14:39:52 -0700
Subject: [Fedora-directory-users] Re: FDS and Active directory Sync
In-Reply-To:
References:
Message-ID:

Hi Rich,

yes it is enabled . then also getting same error .. I am able to connect using LDAP Browser. is there any other way to debug in depth to resolve this problem...

( not firewall no accesslist or nothing is kinda blocking... )

Can you suggest me which document i have to follow ... i tried fedora , redhat but if , i m following step by step it does not work .....

--
Regards

Vipul Ramani

From rmeggins at redhat.com Wed Aug 13 21:42:55 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 13 Aug 2008 15:42:55 -0600
Subject: [Fedora-directory-users] Re: FDS and Active directory Sync
In-Reply-To:
References:
Message-ID: <48A3555F.9090407@redhat.com>

Vipul Ramani wrote:
>
> Hi Rich,
>
> yes it is enabled . then also getting same error .. I am able to
> connect using LDAP Browser. is there any other way to debug in depth
> to resolve this problem...
>
> ( not firewall no accesslist or nothing is kinda blocking... )
>
> Can you suggest me which document i have to follow ... i tried fedora ,
> redhat but if , i m following step by step it does not work .....
See if ldapsearch from the command line works:

/usr/lib/mozldap/ldapsearch -h windowshost -p 636 -Z -P /etc/dirsrv/slapd-yourinstance -D "cn=administrator,cn=users,dc=yourdomain,dc=com" -w thepassword -s base -b "" "objectclass=*"
>
> --
> Regards
>
> Vipul Ramani
>
> ------------------------------------------------------------------------
>

From vipulramani at gmail.com Wed Aug 13 21:53:28 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Wed, 13 Aug 2008 14:53:28 -0700
Subject: [Fedora-directory-users] Re: FDS and Active directory Sync
In-Reply-To:
References:
Message-ID:

Hi Rich,

I did it ..but i am getting the error. :(

I run from my directory server ....

[root at linux1 ~]# /usr/lib/mozldap/ldapsearch -h 192.168.1.200 -p 636 -Z -P /etc/dirsrv/slapd-linux1 -D "cn=administrator,cn=users,dc=tf-lab,dc=exp,dc=com" -w ABC123@ -s base -b "" "objectclass=*"
ldap_simple_bind: Can't contact LDAP server
SSL error -5938 (Encountered end of file.)
[root at linux1 ~]#

On Wed, Aug 13, 2008 at 2:39 PM, Vipul Ramani wrote:

>
> Hi Rich,
>
> yes it is enabled . then also getting same error .. I am able to connect
> using LDAP Browser. is there any other way to debug in depth to resolve this
> problem...
>
> ( not firewall no accesslist or nothing is kinda blocking... )
>
> Can you suggest me which document i have to follow ... i tried fedora ,
> redhat but if , i m following step by step it does not work .....
>
> --
> Regards
>
> Vipul Ramani
>
>

--
Regards

Vipul Ramani

From rmeggins at redhat.com Wed Aug 13 21:57:07 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 13 Aug 2008 15:57:07 -0600
Subject: [Fedora-directory-users] Re: FDS and Active directory Sync
In-Reply-To:
References:
Message-ID: <48A358B3.1090401@redhat.com>

Vipul Ramani wrote:
> Hi Rich,
>
> I did it ..but i am getting the error. :(
>
> I run from my directory server ....
>
> [root at linux1 ~]# /usr/lib/mozldap/ldapsearch -h 192.168.1.200
> -p 636 -Z -P /etc/dirsrv/slapd-linux1 -D
> "cn=administrator,cn=users,dc=tf-lab,dc=exp,dc=com" -w ABC123@ -s base
> -b "" "objectclass=*"
> ldap_simple_bind: Can't contact LDAP server
> SSL error -5938 (Encountered end of file.)
> [root at linux1 ~]#
For one, it probably won't work to use -h IPaddress - in order to do the
cert validation, it needs the FQDN of the windows host - that FQDN must
be the value of the leftmost cn= in the AD server cert subjectDN.

But this error indicates it's not even getting that far. Either AD is
not listening on 636, or there is some sort of network/firewall problem.
>
>
> On Wed, Aug 13, 2008 at 2:39 PM, Vipul Ramani
> wrote:
>
>
> Hi Rich,
>
> yes it is enabled . then also getting same error .. I am able to
> connect using LDAP Browser. is there any other way to debug in
> depth to resolve this problem...
>
> ( not firewall no accesslist or nothing is kinda blocking... )
>
> Can you suggest me which document i have to follow ... i tried
> fedora , redhat but if , i m following step by step it does not
> work .....
>
> --
> Regards
>
> Vipul Ramani
>
>
>
>
> --
> Regards
>
> Vipul Ramani
>
> ------------------------------------------------------------------------
>
From vipulramani at gmail.com Wed Aug 13 22:22:02 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Wed, 13 Aug 2008 15:22:02 -0700
Subject: [Fedora-directory-users] Re: FDS and Active directory Sync
In-Reply-To:
References:
Message-ID:

Cheers , Rich

yes , you're right ... i tried with hostname instead of ip address.

I created new windows sync agreement. But this time i did not select SSL connection.. then replication is happening.. but i noticed..there is userPassword field is missing in all users ( which are replicated from ADC ) .. why it is so ... SSL is mandatory to copy password from ...ADC to FDS ??

Why userPassword ( windows password attribute not replicated on LDAP ??? ) .

I made some progress..

From rmeggins at redhat.com Wed Aug 13 22:30:10 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 13 Aug 2008 16:30:10 -0600
Subject: [Fedora-directory-users] Re: FDS and Active directory Sync
In-Reply-To:
References:
Message-ID: <48A36072.80000@redhat.com>

Vipul Ramani wrote:
>
> Cheers , Rich
>
> yes , you're right ... i tried with hostname instead of ip address.
>
> I created new windows sync agreement. But this time i did not
> select SSL connection.. then replication is happening.. but i
> noticed..there is userPassword field is missing in all users ( which
> are replicated from ADC ) .. why it is so ... SSL is mandatory to copy
> password from ...ADC to FDS ??
Yes
>
> Why userPassword ( windows password attribute not replicated on LDAP
> ??? ) .
AD requires an SSL connection for password changes
>
>
> I made some progress..
>
>
> ------------------------------------------------------------------------
>

From vipulramani at gmail.com Wed Aug 13 23:15:13 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Wed, 13 Aug 2008 16:15:13 -0700
Subject: [Fedora-directory-users] Re: FDS and Active directory Sync
In-Reply-To:
References:
Message-ID:

Cheers, Rich ,

Great only thing is now i have to find out how to enable SSL on ADC ..and most of thing will be done .... it is sync over 389 port ..but only password attribute is not replicated ..due to SSL is not enabled on ADC ...

anyways thanks for your gr8 ...help

I feel i will create documentation stepwise and share with community ....

On Wed, Aug 13, 2008 at 3:22 PM, Vipul Ramani wrote:

>
> Cheers , Rich
>
> yes , you're right ... i tried with hostname instead of ip address.
>
> I created new windows sync agreement. But this time i did not select SSL
> connection.. then replication is happening.. but i noticed..there is
> userPassword field is missing in all users ( which are replicated from ADC )
> .. why it is so ... SSL is mandatory to copy password from ...ADC to FDS ??
>
> Why userPassword ( windows password attribute not replicated on LDAP ??? )
> .
>
>
> I made some progress..
>
>

--
Regards

Vipul Ramani

From vipulramani at gmail.com Thu Aug 14 00:01:06 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Wed, 13 Aug 2008 17:01:06 -0700
Subject: [Fedora-directory-users] Re: FDS and Active directory Sync
In-Reply-To:
References:
Message-ID:

Rich ,

Do we really need CA certification on ADC server to enable SSL on ADC ... is it not possible to work out we can install a self signed certificate which was signed by my FDS ( linux server ) and we can install in to ADC and make it SSL enabled ??

is there any way to work around ???

On Wed, Aug 13, 2008 at 4:15 PM, Vipul Ramani wrote:

> Cheers, Rich ,
>
> Great only thing is now i have to find out how to enable SSL on ADC ..and
> most of thing will be done .... it is sync over 389 port ..but only password
> attribute is not replicated ..due to SSL is not enabled on ADC ...
>
>
> anyways thanks for your gr8 ...help
>
> I feel i will create documentation stepwise and share with community ....
>
>
>
>
> On Wed, Aug 13, 2008 at 3:22 PM, Vipul Ramani wrote:
>
>>
>> Cheers , Rich
>>
>> yes , you're right ... i tried with hostname instead of ip address.
>>
>> I created new windows sync agreement. But this time i did not select
>> SSL connection.. then replication is happening.. but i noticed..there is
>> userPassword field is missing in all users ( which are replicated from ADC )
>> .. why it is so ... SSL is mandatory to copy password from ...ADC to FDS ??
>>
>> Why userPassword ( windows password attribute not replicated on LDAP ???
>> ) .
>>
>>
>> I made some progress..
>>
>>
>>
>
>
> --
> Regards
>
> Vipul Ramani
>
>

--
Regards

Vipul Ramani

From rmeggins at redhat.com Thu Aug 14 01:23:51 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 13 Aug 2008 19:23:51 -0600
Subject: [Fedora-directory-users] Re: FDS and Active directory Sync
In-Reply-To:
References:
Message-ID: <48A38927.9040900@redhat.com>

Vipul Ramani wrote:
> Rich ,
>
> Do we really need CA certification on ADC server to enable SSL on ADC ...
> is it not possible to work out we can install a self signed certificate
> which was signed by my FDS ( linux server ) and we can install in to ADC
> and make it SSL enabled ??
I'm not sure.
Firstly, there is http://directory.fedoraproject.org/wiki/Howto:WindowsSync

In order for AD to be an SSL server, you have to generate a server cert
from a CA or CA cert. I don't know much about this part. The easiest
way is probably to use MS Cert Server to issue the AD SSL server cert.
If you do that, you'll also have to get the CA cert because you must
install that CA cert in the Fedora DS cert db. In Windows sync (except
for the password part), Fedora DS is the client side of SSL, so it must
have the CA cert of the CA that issued the AD server cert. For
passsync, passsync is the client side of SSL, so it must have the CA
cert of the CA that issued the Fedora DS SSL server cert.
>
> is there any way to work around ???
>
>
>
> On Wed, Aug 13, 2008 at 4:15 PM, Vipul Ramani
> wrote:
>
> Cheers, Rich ,
>
> Great only thing is now i have to find out how to enable SSL on
> ADC ..and most of thing will be done .... it is sync over 389 port
> ..but only password attribute is not replicated ..due to SSL is
> not enabled on ADC ...
>
>
> anyways thanks for your gr8 ...help
>
> I feel i will create documentation stepwise and share with
> community ....
>
>
>
>
>
> On Wed, Aug 13, 2008 at 3:22 PM, Vipul Ramani
> > wrote:
>
>
> Cheers , Rich
>
> yes , you're right ... i tried with hostname instead of ip
> address.
>
> I created new windows sync agreement. But this time i did not
> select SSL connection.. then replication is happening.. but
> i noticed..there is userPassword field is missing in all users
> ( which are replicated from ADC ) .. why it is so ... SSL is
> mandatory to copy password from ...ADC to FDS ??
>
> Why userPassword ( windows password attribute not replicated
> on LDAP ??? ) .
>
>
> I made some progress..
>
>
>
>
>
> --
> Regards
>
> Vipul Ramani
>
>
>
>
> --
> Regards
>
> Vipul Ramani
>
> ------------------------------------------------------------------------
>

From duskglow at gmail.com Thu Aug 14 04:19:26 2008
From: duskglow at gmail.com (Russell Miller)
Date: Wed, 13 Aug 2008 21:19:26 -0700
Subject: [Fedora-directory-users] Problem with referrals
Message-ID: <4eea36270808132119u13c8ef2s2dd5f1fff19f0fdf@mail.gmail.com>

I am working on a fairly simple DS system - one master and about 12 replication slaves. I didn't go multimaster because we don't have enough servers to justify that... but anyway.

We've had a consistent problem for years with password changing - which I'm trying to fix. It used to be that changing passwords simply didn't work. I rebuilt the whole infrastructure to refer back to the replication master and added pam_password exop to the ldap.conf files. Now changing passwords works... sort of.

When changing a password, it prompts for the password and the new password, and dutifully changes it on the server, gets the referral back, tries to follow it - and the server says "invalid credentials" and refuses to do the change. So I end up with our servers out of sync - the new password on the slave server and the old server still thinking it has the old password. Obviously that's not acceptable.

I tried exop_send_old, it doesn't do any better. I'm running the latest version of nss_ldap.

Anyone have any suggestions as to why the slave servers are allowing the credentials but the master isn't?

Thanks,

--Russell
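The checks Rich walks Vipul through by hand in the Windows sync thread above (is AD listening on 636 at all, does it speak TLS there, does the chain verify against the CA cert in the DS cert db, and does the name you connect by match the leftmost CN of the AD server cert) as one small Python probe. This is an added example, not code from the list, from Fedora DS or from the Red Hat documentation; HOST and CA_PEM are placeholder assumptions, and only probe_ldaps() needs the network.

```python
"""Probe an LDAPS endpoint the way 'ldapsearch -Z' does and say which layer failed."""
import socket
import ssl
from typing import Optional

HOST = "ad.example.test"       # placeholder: FQDN of the AD domain controller
CA_PEM = "/path/to/ad-ca.pem"  # placeholder: PEM of the CA that issued the AD server cert


def leftmost_cn(subject) -> Optional[str]:
    """Leftmost CN of the subject DN in LDAP string form.

    ssl.getpeercert()['subject'] lists RDNs in certificate order (C=, O=, CN=);
    LDAP string notation reverses that, so the "leftmost cn=" is the last
    commonName in this sequence.
    """
    for rdn in reversed(subject):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def cert_names(cert: dict) -> list:
    """Names a client may legitimately connect by: SAN entries, then the leftmost CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind in ("DNS", "IP Address")]
    cn = leftmost_cn(cert.get("subject", ()))
    if cn and cn not in names:
        names.append(cn)
    return names


def name_matches(hostname: str, cert: dict) -> bool:
    """Exact, case-insensitive comparison; wildcards deliberately unsupported.

    An IP literal such as 192.168.1.200 only matches an iPAddress SAN, which a
    typical domain-controller certificate does not carry, so connecting with
    '-h <ip>' cannot pass certificate validation even when TLS itself works.
    """
    want = hostname.rstrip(".").lower()
    return any(want == n.rstrip(".").lower() for n in cert_names(cert))


def classify_failure(exc: BaseException) -> str:
    """Map the exception raised while connecting to the layer that broke."""
    if isinstance(exc, socket.gaierror):
        return "dns: hostname does not resolve"
    if isinstance(exc, ConnectionRefusedError):
        return "tcp: nothing is listening on the port (LDAPS not enabled on AD?)"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "tcp: no answer at all, look for a firewall or routing problem"
    if isinstance(exc, ssl.SSLCertVerificationError):
        return ("trust: TLS works but chain or hostname failed to verify; check the CA cert "
                "installed in the DS cert db and connect by FQDN, not IP")
    if isinstance(exc, (ssl.SSLEOFError, ssl.SSLZeroReturnError)):
        return ("tls: peer closed the connection during the handshake (the NSS -5938 "
                "'Encountered end of file' case); the port accepted TCP but did not speak TLS")
    if isinstance(exc, ssl.SSLError):
        return f"tls: handshake failed ({getattr(exc, 'reason', None) or exc})"
    return f"other: {exc!r}"


def probe_ldaps(host: str = HOST, port: int = 636,
                ca_pem: Optional[str] = CA_PEM, timeout: float = 5.0) -> dict:
    """Open a verified TLS connection like the winsync client would and report the outcome."""
    try:
        ctx = ssl.create_default_context(cafile=ca_pem)  # chain must lead to ca_pem
        ctx.check_hostname = True                         # and the name must match the cert
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except Exception as exc:  # report the failing layer instead of a traceback
        return {"ok": False, "stage": classify_failure(exc)}
    return {"ok": True, "leftmost_cn": leftmost_cn(cert["subject"]),
            "names": cert_names(cert), "name_matches": name_matches(host, cert)}


if __name__ == "__main__":
    print(probe_ldaps())
```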
From benetage at hotmail.com Thu Aug 14 12:16:55 2008
From: benetage at hotmail.com (Mister Anonyme)
Date: Thu, 14 Aug 2008 08:16:55 -0400
Subject: [Fedora-directory-users] (no subject)
In-Reply-To: <48A34AD7.9050403@redhat.com>
References: <48A33E13.2080409@redhat.com> <48A34AD7.9050403@redhat.com>
Message-ID:

> Date: Wed, 13 Aug 2008 14:57:59 -0600
> From: rmeggins at redhat.com
> To: fedora-directory-users at redhat.com
> Subject: Re: [Fedora-directory-users] (no subject)
==============================================================================
> > Input the Directory Server password on the server SERVER2:
> > Error: failed to register the configuration server info to the
> > Configuration Directory Server SERVER2.
> Hmm - not sure. Either earlier attempts have broken something past the
> point of repair, or there is a bug in register-ds-admin.pl - maybe it
> expects o=NetscapeRoot to not already exist? But then the setup step
> earlier would fail without it. Try register-ds-admin.pl -ddd

OK. I deinstalled all packages and did a rm -rf of all directories like this:

rm -rf /etc/dirsrv /usr/lib/dirsrv /usr/share/dirsrv /var/lib/dirsrv/ /var/lock/dirsrv /var/log/dirsrv /usr/share/dirsrv/manual/en/admin /tmp/setup*.{log,inf}

And re-installed and I ran /usr/sbin/setup-ds.pl with the same LDIF files that I showed you earlier with a fix that you provided. After, I did a synchronize of the replication with success (replication status confirmed that it worked). In other words, it went without any errors.

Then, I did a /usr/sbin/register-ds-admin.pl -ddd on the second server and there you go:

[root at SERVER2 ~]# /usr/sbin/register-ds-admin.pl -ddd
Beginning registration of the Directory Server
==============================================================================
The Directory Server locates its configuration file (dse.ldif) at
/etc/dirsrv/slapd-ID, by default. If you have Directory Server(s)
which configuration file is put at the other location, you need to
input it to register the server.

If you have such Directory Server, type the full path that stores the
configuration file.

If you don't, type return.
[configuration directory path or return]:

==============================================================================
Candidate servers to register:
/etc/dirsrv/slapd-SERVER2

==============================================================================
Do you want to use this server as Configuration Directory Server?

Directory server identifier [SERVER2]:

==============================================================================
The server must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user). The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.

If you have not yet created a user and group for the server,
create this user and group using your native operating
system utilities.

System User [nobody]:
System Group [nobody]:

==============================================================================
Please specify the information about your configuration directory
server. The following information is required:
- host (fully qualified), port (non-secure or secure), suffix,
protocol (ldap or ldaps) - this information should be provided in the
form of an LDAP url e.g. for non-secure
ldap://host.example.com:389/o=NetscapeRoot
or for secure
ldaps://host.example.com:636/o=NetscapeRoot
- admin ID and password
- admin domain
- a CA certificate file may be required if you choose to use ldaps and
security has not yet been configured - the file must be in PEM/ASCII
format - specify the absolute path and filename

Configuration directory server URL [ldap://SERVER2:389/o=NetscapeRoot]:
Configuration directory server admin ID [admin]:
Configuration directory server admin password:
Configuration directory server admin password (confirm):
Configuration directory server admin domain [DOMAIN.NET]: DOMAIN.NET

==============================================================================
The information stored in the configuration directory server can be
separated into different Administration Domains. If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.

If you are not using administrative domains, press Enter to select the
default. Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.

Administration Domain [DOMAIN.NET]: DOMAIN.NET

==============================================================================
The Administration Server is separate from any of your web or application
servers since it listens to a different port and access to it is
restricted.

Pick a port number between 1024 and 65535 to run your Administration
Server on. You should NOT use a port number which you plan to
run a web or application server on, rather, select a number which you
will remember and which will not be used for anything else.

Administration port [9830]:

==============================================================================
Registering new Config DS: SERVER2

==============================================================================
Input the Directory Server password on the server SERVER2:
+Processing /usr/share/dirsrv/data/10dsdata.ldif.tmpl ...
+++check_and_add_entry: Found entry o=NetscapeRoot
+++Adding attr=aci value=(targetattr = "*")(version 3.0; acl "SIE Group (SERVER2)"; allow (all) groupdn = "ldap:///cn=slapd-SERVER2, cn=Red Hat Directory Server, cn=Server Group, cn=SERVER2., ou=DOMAIN, o=NetscapeRoot";) to entry o=NetscapeRoot
+++check_and_add_entry: Entry not found cn=Red Hat Directory Server, cn=Server Group, cn=SERVER2., ou=DOMAIN, o=NetscapeRoot error No such object
+ERROR: adding an entry cn=Red Hat Directory Server, cn=Server Group, cn=SERVER2., ou=DOMAIN, o=NetscapeRoot failed, error: No such object
dn: cn=Red Hat Directory Server, cn=Server Group, cn=SERVER2., ou=DOMAIN, o=NetscapeRoot
objectclass: nsApplication
objectclass: groupOfUniqueNames
objectclass: top
cn: Red Hat Directory Server
nsproductname: Red Hat Directory Server
nsproductversion: 8.0.0
nsnickname: slapd
nsbuildnumber: 2007.353.1757
nsvendor: Red Hat
installationtimestamp: 20080814121046Z
nsexpirationdate: 0
nsbuildsecurity: domestic
uniquemember: cn=slapd-SERVER2, cn=Red Hat Directory Server, cn=Server Group, cn=SERVER2., ou=DOMAIN, o=NetscapeRoot
nsservermigrationclassname: com.netscape.admin.dirserv.task.MigrateCreate at redhat-ds-8.0.jar at cn=admin-serv-SERVER2, cn=Red Hat Administration Server, cn=Server Group, cn=SERVER2., ou=DOMAIN, o=NetscapeRoot
nsservercreationclassname: com.netscape.admin.dirserv.task.MigrateCreate at redhat-ds-8.0.jar at cn=admin-serv-SERVER2, cn=Red Hat Administration Server, cn=Server Group, cn=SERVER2., ou=DOMAIN, o=NetscapeRoot
+ERROR: There was an error processing entry cn=Red Hat Directory Server, cn=Server Group, cn=SERVER2., ou=DOMAIN, o=NetscapeRoot
+Cannot continue processing entries. Error: failed to register the configuration server info to the Configuration Directory Server SERVER2. Thanks again for your help. _________________________________________________________________ -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Thu Aug 14 14:30:18 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 14 Aug 2008 08:30:18 -0600 Subject: [Fedora-directory-users] (no subject) In-Reply-To: References: <48A33E13.2080409@redhat.com> <48A34AD7.9050403@redhat.com> Message-ID: <48A4417A.9060308@redhat.com> Mister Anonyme wrote: > > Date: Wed, 13 Aug 2008 14:57:59 -0600 > > From: rmeggins at redhat.com > > To: fedora-directory-users at redhat.com > > Subject: Re: [Fedora-directory-users] (no subject) > ============================================================================== > > > Input the Directory Server password on the server SERVER2: > > > Error: failed to register the configuration server info to the > > > Configuration Directory Server SERVER2. > > Hmm - not sure. Either earlier attempts have broken something past the > > point of repair, or there is a bug in register-ds-admin.pl - maybe it > > expects o=NetscapeRoot to not already exist? But then the setup step > > earlier would fail without it. Try register-ds-admin.pl -ddd > > OK. > > I deinstalled all packages and did a rm -rf of all directories like this: > > rm -rf /etc/dirsrv /usr/lib/dirsrv /usr/share/dirsrv /var/lib/dirsrv/ > /var/lock/dirsrv /var/log/dirsrv /usr/share/dirsrv/manual/en/admin > /tmp/setup*.{log,inf} > > And re-installed and I ran /usr/sbin/setup-ds.pl with the same LDIF > files that I showed you earlier with a fix that you provided. After, > I did a synchronize of the replication with success (replication > status confirmed that it worked). In other words, it went without any > errors. 
> > Then, I did a /usr/sbin/register-ds-admin.pl -ddd on the second server > and there you go: > > [root at SERVER2 ~]# /usr/sbin/register-ds-admin.pl -ddd > Beginning registration of the Directory Server > ============================================================================== > The Directory Server locates its configuration file (dse.ldif) at > /etc/dirsrv/slapd-ID, by default. If you have Directory Server(s) > which configuration file is put at the other location, you need to > input it to register the server. > > If you have such Directory Server, type the full path that stores the > configuration file. > > If you don't, type return. > [configuration directory path or return]: > > > ============================================================================== > Candidate servers to register: > /etc/dirsrv/slapd-SERVER2 > > ============================================================================== > Do you want to use this server as Configuration Directory Server? > > Directory server identifier [SERVER2]: > > ============================================================================== > The server must run as a specific user in a specific group. > It is strongly recommended that this user should have no privileges > on the computer (i.e. a non-root user). The setup procedure > will give this user/group some permissions in specific paths/files > to perform server-specific operations. > > If you have not yet created a user and group for the server, > create this user and group using your native operating > system utilities. > > System User [nobody]: > System Group [nobody]: > > ============================================================================== > Please specify the information about your configuration directory > server. The following information is required: > - host (fully qualified), port (non-secure or secure), suffix, > protocol (ldap or ldaps) - this information should be provided in the > form of an LDAP url e.g. 
for non-secure > ldap://host.example.com:389/o=NetscapeRoot > or for secure > ldaps://host.example.com:636/o=NetscapeRoot > - admin ID and password > - admin domain > - a CA certificate file may be required if you choose to use ldaps and > security has not yet been configured - the file must be in PEM/ASCII > format - specify the absolute path and filename > > Configuration directory server URL [ldap://SERVER2:389/o=NetscapeRoot]: > Configuration directory server admin ID [admin]: > Configuration directory server admin password: > Configuration directory server admin password (confirm): > Configuration directory server admin domain [DOMAIN.NET]: DOMAIN.NET > > ============================================================================== > The information stored in the configuration directory server can be > separated into different Administration Domains. If you are managing > multiple software releases at the same time, or managing information > about multiple domains, you may use the Administration Domain to keep > them separate. > > If you are not using administrative domains, press Enter to select the > default. Otherwise, enter some descriptive, unique name for the > administration domain, such as the name of the organization > responsible for managing the domain. > > Administration Domain [DOMAIN.NET]: DOMAIN.NET > > ============================================================================== > The Administration Server is separate from any of your web or application > servers since it listens to a different port and access to it is > restricted. > > Pick a port number between 1024 and 65535 to run your Administration > Server on. You should NOT use a port number which you plan to > run a web or application server on, rather, select a number which you > will remember and which will not be used for anything else. 
> > Administration port [9830]: > > ============================================================================== > Registering new Config DS: SERVER2 > > ============================================================================== > Input the Directory Server password on the server SERVER2: > +Processing /usr/share/dirsrv/data/10dsdata.ldif.tmpl ... > +++check_and_add_entry: Found entry o=NetscapeRoot > +++Adding attr=aci value=(targetattr = "*")(version 3.0; acl "SIE > Group (SERVER2)"; allow (all) groupdn = "ldap:///cn=slapd-SERVER2, > cn=Red Hat Directory Server, cn=Server Group, cn=SERVER2., ou=DOMAIN, > o=NetscapeRoot";) to entry o=NetscapeRoot > +++check_and_add_entry: Entry not found cn=Red Hat Directory Server, > cn=Server Group, cn=SERVER2., ou=DOMAIN, o=NetscapeRoot error No such > object > +ERROR: adding an entry cn=Red Hat Directory Server, cn=Server Group, > cn=SERVER2., ou=DOMAIN, o=NetscapeRoot failed, error: No such object > dn: cn=Red Hat Directory Server, cn=Server Group, cn=SERVER2., ou= > DOMAIN, o=NetscapeRoot > objectclass: nsApplication > objectclass: groupOfUniqueNames > objectclass: top > cn: Red Hat Directory Server > nsproductname: Red Hat Directory Server > nsproductversion: 8.0.0 > nsnickname: slapd > nsbuildnumber: 2007.353.1757 > nsvendor: Red Hat > installationtimestamp: 20080814121046Z > nsexpirationdate: 0 > nsbuildsecurity: domestic > uniquemember: cn=slapd-SERVER2, cn=Red Hat Directory Server, cn=Server > Group, > cn=SERVER2., ou=DOMAIN, o=NetscapeRoot > nsservermigrationclassname: > com.netscape.admin.dirserv.task.MigrateCreate at redh > at-ds-8.0.jar at cn=admin-serv-SERVER2, cn=Red Hat Administration > Server, cn=Se > rver Group, cn=SERVER2., ou=DOMAIN, o=NetscapeRoot > nsservercreationclassname: > com.netscape.admin.dirserv.task.MigrateCreate at redha > t-ds-8.0.jar at cn=admin-serv-SERVER2, cn=Red Hat Administration Server, > cn=Ser > ver Group, cn=SERVER2., ou=DOMAIN, o=NetscapeRoot > > +ERROR: There was an error 
processing entry cn=Red Hat Directory > Server, cn=Server Group, cn=SERVER2., ou=DOMAIN, o=NetscapeRoot > +Cannot continue processing entries. > Error: failed to register the configuration server info to the > Configuration Directory Server SERVER2. > > Thanks again for your help. Looks like https://bugzilla.redhat.com/show_bug.cgi?id=431103 again rears its ugly head. > > > ------------------------------------------------------------------------ > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From benetage at hotmail.com Thu Aug 14 15:18:25 2008 From: benetage at hotmail.com (Mister Anonyme) Date: Thu, 14 Aug 2008 11:18:25 -0400 Subject: [Fedora-directory-users] (no subject) In-Reply-To: <48A4417A.9060308@redhat.com> References: <48A33E13.2080409@redhat.com> <48A34AD7.9050403@redhat.com> <48A4417A.9060308@redhat.com> Message-ID: > Date: Thu, 14 Aug 2008 08:30:18 -0600 > From: rmeggins at redhat.com > To: fedora-directory-users at redhat.com > Subject: Re: [Fedora-directory-users] (no subject) > > > Thanks again for your help. > Looks like https://bugzilla.redhat.com/show_bug.cgi?id=431103 again > rears its ugly head. > > Finally, it worked... It wasn't easy to setup that kind of fail-over system, but it works now. Thanks for your time and help! _________________________________________________________________ Find hidden words, unscramble celebrity names, or try the ultimate crossword puzzle with Live Search Games. Play now! http://g.msn.ca/ca55/212 -------------- next part -------------- An HTML attachment was scrubbed... 
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 14 Aug 2008 08:21:05 -0700
Subject: [Fedora-directory-users] Re: FDS and Active directory Sync
Message-ID: <48A44D61.9030608@redhat.com>

Vipul Ramani wrote:
> Rich,
>
> Do we really need a CA certificate on the ADC server to enable SSL on ADC ...
> is it not possible to work it out so we can install a self-signed certificate
> which was signed by my FDS (linux server) and we can install it into ADC
> and make it SSL enabled??

Yes, you can do this. See this article:

http://support.microsoft.com/kb/321051

-NGK

> is there any way to work around???
>
> On Wed, Aug 13, 2008 at 4:15 PM, Vipul Ramani wrote:
>
> > Cheers, Rich,
> >
> > Great, the only thing is now i have to find out how to enable SSL on
> > ADC ..and most of the things will be done .... it is syncing over port 389
> > ..but only the password attribute is not replicated ..due to SSL not
> > being enabled on ADC ...
> >
> > anyways thanks for your gr8 ...help
> >
> > I feel i will create documentation stepwise and share it with the
> > community ....
> >
> > On Wed, Aug 13, 2008 at 3:22 PM, Vipul Ramani wrote:
> >
> > > Cheers, Rich
> > >
> > > yes, you're right ... i tried with hostname instead of ip address.
> > >
> > > I created a new windows sync agreement. But this time i did not
> > > select the SSL connection.. then replication is happening.. but
> > > i noticed..the userPassword field is missing in all users
> > > (which are replicated from ADC) .. why is it so ... is SSL
> > > mandatory to copy the password from ...ADC to FDS??
> > >
> > > Why is userPassword (the windows password attribute) not replicated
> > > on LDAP???
> > >
> > > I made some progress..
> >
> > --
> > Regards
> >
> > Vipul Ramani
>
> --
> Regards
>
> Vipul Ramani


From: kenoh23 at yahoo.fr (ken oh)
Date: Mon, 18 Aug 2008 12:00:41 +0000 (GMT)
Subject: [Fedora-directory-users] Problem with the synchronization agreement
Message-ID: <601485.36879.qm@web26002.mail.ukl.yahoo.com>

Hi,

I'm back from my vacation. I synced the clock on fedora and windows 2003 server. When I use ldapsearch from the command line to bind and search the AD from fedora on port 389, I still have the same result:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I also used ldp.exe from Win 2003 server to test the connection between the 2 servers and I got this message:

ld = cldap_open("servertest.tc.iut", 389);
Established connection to servertest.tc.iut.
Retrieving base DSA information...
Server error: Error<94>: ldap_parse_result failed: No result present in message
Getting 0 entries:

So my problem comes from something else. For information I'm using fedora 9 under vmware workstation. Maybe the problem comes from here. Or I've thought that the problem comes perhaps from a badly configured file.

Thanks

> Date: Fri, 25 Jul 2008 14:52:57 +0530
>
> Hi,
>
> While creating the sync agreement, don't check the Enable SSL option; it
> will work. Also check that your certificates are proper on both the windows
> and linux directory server. Make sure the CLOCK is in sync on both windows
> and linux.
>
> Regards,
> pradeep
>
> On 7/25/08, ken oh wrote:
> > Thanks for your help
> >
> > I tried your command with the right hostname "anubis" (and not anubix) using
> > the sync and then the admin account in the command line and I get this
> > result for both accounts:
> > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> >
> > I don't know if this info can help but my AD server is in native mode.
> >
> > From: Rich Megginson
> > To: kenoh23 yahoo fr, "General discussion list for the Fedora Directory server project."
> > Subject: Re: [Fedora-directory-users] Problem with the synchronization agreement
> > Date: Thu, 24 Jul 2008 08:39:59 -0600
> >
> > ken oh wrote:
> > > Hi everybody,
> > >
> > > I'm at the Windows Sync Server Info screen, I have completed all the
> > > fields. And when I click next, I get the message "Unable to contact
> > > Active Directory server, continue ?" using the ssl connection or not.
> > > From each side, I ping and I use a nslookup command to verify if the
> > > domain name is correct; and everything is ok.
> > > So I would like to know if someone can help me with what goes wrong,
> > > thanks.
> >
> > Try using ldapsearch from the command line to bind and search the AD from
> > your linux box:
> >
> > ldapsearch -x -h anubix -p 389 -D "cn=sync,cn=users,dc=tc-gea,dc=iut,dc=univ-metz,dc=fr" -w password -s base -b "cn=users,dc=tc-gea,dc=iut,dc=univ-metz,dc=fr" "(objectclass=*)"
> >
> > Try 389 first to see if ldap is working - you'll have to do some
> > additional configuration to get SSL working with ldapsearch. I'm assuming
> > you've done all of the SSL setup correctly -
> > http://directory.fedoraproject.org/wiki/Howto:WindowsSync and
> > http://directory.fedoraproject.org/wiki/Howto:SSL
> >
> > > This is my Windows Sync Server Info screen, if that can help:
> > > http://img291.imageshack.us/img291/4323/sync2ur5.jpg
From: cobra at cobradevil.org (cobra at cobradevil.org)
Date: Mon, 18 Aug 2008 16:09:22 +0200 (CEST)
Subject: [Fedora-directory-users] Business Case: Advantage Opensource Directory VS Active Directory
Message-ID: <63118.217.169.226.122.1219068562.squirrel@webmail.spothost.nl>

Hello all,

I have a question: why should i use an opensource directory server for my opensource activities?

I work for a large company! 70k users

We have a large MS Windows based infrastructure, win2k3 with winxp workstations.

For our open source servers and workstations we thought to get an Opensource Directory server because of the specific options that Active Directory cannot deliver.

But now i get a lot of people who say that active directory can do all of it!

Can someone help me with getting the right arguments so i have a valid reason to create an opensource directory server?

The things i wanna administer are:
Sudoldap
Freeipa based authentication/dns
application management
and probably a lot more!

Please let me know!

With kind regards,

William van de Velde


From: ben.van.veen at planet.nl (ben.van.veen at planet.nl)
Date: Tue, 19 Aug 2008 08:30:25 +0200
Subject: [Fedora-directory-users] Business Case: Advantage OpensourceDirectory VS Active Directory
References: <63118.217.169.226.122.1219068562.squirrel@webmail.spothost.nl>

Hi William,

One of the things you need to address is the performance / speed of authentication. Can your (AD) server forest handle the amount of new kinds of authentication requests besides WINS / DNS etc.?

I have 2 servers (in replica) of Fedora DS (FDS) with over 800k users. This is only for authentication of our website. There is also a read-only replica of the AD on it for internal use. Till now there is no performance issue.

We decided to move to FDS due to the amount of external users. We did this only for performance. AD could do it as well.

Ben.


From: tycoon1_98 at yahoo.com (Mike Carroll)
Date: Tue, 19 Aug 2008 19:00:35 -0700 (PDT)
Subject: [Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 39, Issue 21
Message-ID: <281099.62870.qm@web32001.mail.mud.yahoo.com>

Also, keep in mind that the hugest directories... are often small in disk space and easy to do 100% caching in memory. I have a RHDS directory with over 120K users and I have 100% caching enabled... for about 3G of RAM. My response time is usually under 15 mils and the average cpu utilization is only around 4% at its peak.

Also, just from a cost perspective I would say RHDS or Fedora DS is a much much much better bargain than AD. I would only use AD if I was doing a windows network or using some other Microsoft centric technology.
From: Andrey.Ivanov at polytechnique.fr (Andrey Ivanov)
Date: Wed, 20 Aug 2008 08:51:21 +0200
Subject: [Fedora-directory-users] Business Case: Advantage Opensource Directory VS Active Directory
In-Reply-To: <63118.217.169.226.122.1219068562.squirrel@webmail.spothost.nl>
References: <63118.217.169.226.122.1219068562.squirrel@webmail.spothost.nl>
Message-ID: <599093280.20080820085121@polytechnique.edu>

Hello cobra,

Monday, August 18, 2008, 4:09:22 PM, you wrote:

cco> I have a question why i should use an opensource directory server for my
cco> opensource activities!

cco> I work for a large company! 70k users

cco> We have a large MS Windows based infrastructure win2k3 with winxp
cco> workstations.

cco> Can someone help me with getting the right arguments so i have a valid
cco> reason to create an opensource directory server?

You can try this document to begin with (written for a customer by Symas and HP):
http://www.symas.com/documents/Adam-Eval1-0.pdf

Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55

Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France


From: burnsenbacher at gmx.at (Karl Gustav)
Date: Thu, 21 Aug 2008 14:48:35 +0200
Subject: AW: [Fedora-directory-users] how to turn on memberof plugin?
Message-ID: <20080821124835.220500@gmx.net>

Has any of you found a solution for how to turn on the memberof plugin??


From: Dennis.DeMarco at lexisnexis.com (DeMarco, Dennis)
Date: Thu, 21 Aug 2008 17:25:51 -0400
Subject: [Fedora-directory-users] Replication of account lock out attribute, password expiration, etc
In-Reply-To: <20080821124835.220500@gmx.net>
References: <20080821124835.220500@gmx.net>

I'm having an odd issue with replicating password policies to consumers. I'm finding certain account policy attributes existing on the masters, but not replicating correctly to the consumers.

Is there a setting I need to specify so that account policies are replicated?

Thanks
Dennis


From: msauton at redhat.com (Marc Sauton)
Date: Thu, 21 Aug 2008 15:25:53 -0700
Subject: [Fedora-directory-users] Replication of account lock out attribute, password expiration, etc
References: <20080821124835.220500@gmx.net>
Message-ID: <48ADEB71.10008@redhat.com>

By default, passwordRetryCount, retryCountResetTime and accountUnlockTime attributes are not replicated, see "8.12. Replicating Account Lockout Attributes"
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-Password-Attributes.html

M.

DeMarco, Dennis wrote:
> I'm having an odd issue with replicating password policies to consumers. I'm finding certain account policy attributes existing on the masters, but not replicating correctly to the consumers.
>
> Is there a setting I need to specify so that account policies are replicated?
>
> Thanks
> Dennis


From: duskglow at gmail.com (Russell Miller)
Date: Fri, 22 Aug 2008 17:14:15 -0700
Subject: [Fedora-directory-users] Possible bug in directory server
Message-ID: <4eea36270808221714s2e78214fkea45293b9d71e8dc@mail.gmail.com>

I'm not opening an official bug for this because it's already in RedHat support's hands and I'm waiting for them to reproduce it. But I want to see if anyone else has encountered this too. I've spent a great deal of time diagnosing this and I want to make sure I'm not barking up the wrong tree while I wait (the more confident I am that it's a real problem, the more confident I am thinking about and proposing a fix).

It seems that using the "exop" directive in ldap.conf causes password changes to be done using the extended operation (referrals don't seem to work properly in some cases if you don't use exop). However, it seems that in the directory server code, when you use the password change exop, it's considered "internal" (because it's a plugin), and thus a referral is never sent. So if you turn exop on and have a replicated setup where you are pointing to a slave, the correct referral is never sent.

Has anyone else encountered this? I can provide details and the results of my testing that overwhelmingly point to this being a bug in the directory server.

Thoughts? Am I completely out there and making an ass of myself with support? ;)

Thanks.
--Russell

From rmeggins at redhat.com Sat Aug 23 00:20:17 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 22 Aug 2008 18:20:17 -0600
Subject: [Fedora-directory-users] Replication of account lock out attribute, password expiration, etc
In-Reply-To: <48ADEB71.10008@redhat.com>
Message-ID: <48AF57C1.9080602@redhat.com>

Marc Sauton wrote:
> By default, passwordRetryCount, retryCountResetTime and accountUnlockTime attributes are not replicated, see "8.12. Replicating Account Lockout Attributes"
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-Password-Attributes.html
>
> M.

See also https://bugzilla.redhat.com/show_bug.cgi?id=450973

> DeMarco, Dennis wrote:
>> I'm having an odd issue with replicating password policies to consumers. I'm finding certain account policy attributes existing on the masters, but not replicating correctly to the consumers.
>>
>> Is there a setting I need to specify so that account policies are replicated?
>>
>> Thanks
>> Dennis

From duskglow at gmail.com Sat Aug 23 00:23:07 2008
From: duskglow at gmail.com (Russell Miller)
Date: Fri, 22 Aug 2008 17:23:07 -0700
Subject: [Fedora-directory-users] Replication of account lock out attribute, password expiration, etc
In-Reply-To: <48AF57C1.9080602@redhat.com>
Message-ID: <4eea36270808221723x51b779ay47aef5e46e4985ed@mail.gmail.com>

On Fri, Aug 22, 2008 at 5:20 PM, Rich Megginson wrote:
> See also https://bugzilla.redhat.com/show_bug.cgi?id=450973

That patch does work, but the fractional replication part doesn't seem to if you don't upgrade *all* of your servers. I haven't done so yet, but I know it crashes and burns miserably if you don't.

--Russell

From cobra at cobradevil.org Sat Aug 23 19:07:56 2008
From: cobra at cobradevil.org (cobra at cobradevil.org)
Date: Sat, 23 Aug 2008 21:07:56 +0200 (CEST)
Subject: [Fedora-directory-users] Business Case: Advantage Opensource Directory VS Active Directory
In-Reply-To: <599093280.20080820085121@polytechnique.edu>
Message-ID: <40214.77.162.228.253.1219518476.squirrel@webmail.spothost.nl>

Hello Andrey and Ben,

Thanx for your answers!

The document really explains the differences between both directories! I'm taking it as input for the "why" question for our project!
For the performance, we are going to test that!

With kind regards,

William van de Velde

> Hello cobra,
>
> Monday, August 18, 2008, 4:09:22 PM, you wrote:
>
> cco> I have a question why I should use an opensource directory server for my opensource activities!
>
> cco> I work for a large company! 70k users
>
> cco> We have a large MS Windows based infrastructure win2k3 with winxp workstations.
>
> cco> Can someone help me with getting the right arguments so I have a valid reason to create an opensource directory server?
>
> You can try this document to begin with (written for a customer by Symas and HP): http://www.symas.com/documents/Adam-Eval1-0.pdf
>
> Andrey Ivanov
> tel +33-(0)1-69-33-99-24
> fax +33-(0)1-69-33-99-55
>
> Direction des Systemes d'Information
> Ecole Polytechnique
> 91128 Palaiseau CEDEX
> France

From merle.reine at gmail.com Sun Aug 24 02:06:16 2008
From: merle.reine at gmail.com (Merle Reine)
Date: Sat, 23 Aug 2008 19:06:16 -0700
Subject: [Fedora-directory-users] Business Case: Advantage Opensource Directory VS Active Directory
In-Reply-To: <40214.77.162.228.253.1219518476.squirrel@webmail.spothost.nl>
Message-ID: <585947630808231906o65a2a49do937abd7a126243b@mail.gmail.com>

Been using Fedora Directory Server since its inception and up until recently, I would have recommended it above all others. I am a Linux guru, Windows hater and favor open source over any proprietary product. That being said, I recently switched to a new company and they happen to be all XP and 2003 Server along with Exchange.
Having had the opportunity to work now with both FDS and Active Directory, I can tell you from first-hand experience that Active Directory wins hands down. It was easy to set up, easy to replicate, supports 6,000 users currently at my office and is easily running on a dual-core system while hardly using any resources.

I am no lover of Microsoft or any of its products, but switching to ADAM was the best move I could have made. There is no comparison on ease of setup, ease of management, stability. ADAM wins hands down; as much as I hate to say it, it's true.

Just one person's first-hand experience...

Merle Reine
CTO
Vanguard Industries, Inc.

Email Address: echo zreyr.ervar at tznvy.pbz | perl -pe 'y/a-z/n-za-m/'

From solarflow99 at gmail.com Sun Aug 24 09:28:40 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Sun, 24 Aug 2008 10:28:40 +0100
Subject: [Fedora-directory-users] Business Case: Advantage Opensource Directory VS Active Directory
In-Reply-To: <585947630808231906o65a2a49do937abd7a126243b@mail.gmail.com>
Message-ID: <7020fd000808240228m52971acewd9ec2b392fba48bf@mail.gmail.com>

I've used them both too, and I never noticed any real advantage with AD. In fact, FDS would do everything just like you said, and I wasn't forced into vendor lock-in to do it. What were your main drawbacks with LDAP?
From merle.reine at gmail.com Mon Aug 25 04:30:33 2008
From: merle.reine at gmail.com (Merle Reine)
Date: Sun, 24 Aug 2008 21:30:33 -0700
Subject: [Fedora-directory-users] Business Case: Advantage Opensource Directory VS Active Directory
In-Reply-To: <7020fd000808240228m52971acewd9ec2b392fba48bf@mail.gmail.com>
Message-ID: <585947630808242130g44deab0bj429452225499a53d@mail.gmail.com>

Ease of use, speed, dependency. I love MySQL, PHP, Apache, Linux, but LDAP is just way too confusing and needs too much hands-on work to manage. AD just works, was a breeze to set up (I set up Exchange Server and ADAM in 2 days serving 6,000 users) and I had 0 previous experience with either, as I am a Linux guy. It has worked flawlessly with not a single thing done to it since being set up.
I don't like the licensing fees either, but it is worth the money to not have to do any management on a daily basis, and I mean 0 seconds of my time or my admins' in the last 3 months.

Merle Reine
CTO
Vanguard Industries, Inc.

Email Address: echo zreyr.ervar at tznvy.pbz | perl -pe 'y/a-z/n-za-m/'
From solarflow99 at gmail.com Mon Aug 25 09:24:10 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Mon, 25 Aug 2008 10:24:10 +0100
Subject: [Fedora-directory-users] Business Case: Advantage Opensource Directory VS Active Directory
In-Reply-To: <585947630808242130g44deab0bj429452225499a53d@mail.gmail.com>
Message-ID: <7020fd000808250224k16c93353n2fbdbbfa0978b1b5@mail.gmail.com>

In a Windows-only network, sure. Have fun getting anything else to authenticate to it properly, though. I don't think you even need to know a lot about LDAP to get it going with FDS, but it's still a useful thing to know if you are a Linux guy; AD is also LDAP. I'd really doubt that it could ever be faster, since AD also adds DNS, Kerberos, DHCP, NTP all into it.
From cobra at cobradevil.org Mon Aug 25 17:32:36 2008
From: cobra at cobradevil.org (cobra at cobradevil.org)
Date: Mon, 25 Aug 2008 19:32:36 +0200 (CEST)
Subject: [Fedora-directory-users] Business Case: Advantage Opensource Directory VS Active Directory
In-Reply-To: <7020fd000808250224k16c93353n2fbdbbfa0978b1b5@mail.gmail.com>
Message-ID: <47540.77.162.228.253.1219685556.squirrel@webmail.spothost.nl>

Thanx for your answers. I am going to try to get this project going. I'm just scared when I think of the following scenarios!

When we get, in the next few years, more than 300 Linux servers and about 3000 workstations, and we put those all in Active Directory, and Microsoft changes their license so you pay per entry, then you feel very screwed!!!!

Or let's say you have everything in AD and a f*cked up virus deletes your AD; then your whole infrastructure is down (including DNS, NTP, LDAP, user authentication and authorization) and I think for more than 70000 users that will be a real disaster!!! How quickly can you recover that?

With an OSS directory server (we have some real experience, like Kerberos trusts and OpenLDAP/FDS) I think we will be in better control than with AD, but that is based on my feelings, so not really interesting of course!

Wish me all good luck and I hope I can learn from this project so I can help other people with these questions!! I will ask my bosses to get this project (directory services for OSS infrastructure) so open that I can release docs and stuff out in the wild for reference.
With kind regards,

William van de Velde
From upanwar at yahoo.com Tue Aug 26 03:53:43 2008
From: upanwar at yahoo.com (UMESH PANWAR)
Date: Mon, 25 Aug 2008 20:53:43 -0700 (PDT)
Subject: [Fedora-directory-users] Directory server password security
Message-ID: <398432.67171.qm@web30404.mail.mud.yahoo.com>

Hi,

We are using Fedora Directory Server 7.1 for authentication of users, mail accounts and proxy authentication. Yesterday I observed that passwords go in plain text and anyone can retrieve the actual user name and password easily using a software named Cain.
Can anybody suggest how I can secure users' passwords so that the password travels in encrypted form?

I am new to fedora-ds, so please explain it to me in detail.

Regards
Umesh

Umesh Panwar
+91-9829857475

From duskglow at gmail.com Tue Aug 26 04:37:22 2008
From: duskglow at gmail.com (Russell Miller)
Date: Mon, 25 Aug 2008 21:37:22 -0700
Subject: [Fedora-directory-users] Directory server password security
In-Reply-To: <398432.67171.qm@web30404.mail.mud.yahoo.com>
Message-ID: <48B38882.6070608@gmail.com>

UMESH PANWAR wrote:
> Can anybody suggest how I can secure users' passwords so that the password travels in encrypted form?

Unfortunately I don't have time to explain to you in detail. But I can point you in the right direction. Probably the best and most secure way to do it is to set up SSL between the client and the server. This is going to take you a while to set up in the beginning, but once you have your CA and signing key, things will get much easier.

--Russell

From gene.poole at macys.com Tue Aug 26 13:43:01 2008
From: gene.poole at macys.com (Gene Poole)
Date: Tue, 26 Aug 2008 09:43:01 -0400
Subject: [Fedora-directory-users] LDIF Documentation

I've been examining the Example.ldif file attempting to understand it, without much success. Where can I find documentation on its format and content? Or is there a piece of software that will read an existing LDIF and report on it?
Thanks,
Gene Poole

From Soeren.Malchow at interone.de Tue Aug 26 13:49:20 2008
From: Soeren.Malchow at interone.de (Sören Malchow)
Date: Tue, 26 Aug 2008 15:49:20 +0200
Subject: [Fedora-directory-users] LDIF Documentation

Hi Gene,

LDIF is a standardized format to exchange data between LDAP servers: http://en.wikipedia.org/wiki/LDIF

You can import it into any LDAP server (as long as it knows all required schemas). Every entry represents an object in the LDAP server (including its attributes with their values).

Though this is the fedora-directory mailing list, maybe the OpenLDAP quickstart helps you a little (http://www.openldap.org/doc/admin24/quickstart.html).

Regards
Soeren

From lists at runyanrants.net Tue Aug 26 13:50:51 2008
From: lists at runyanrants.net (Legatus)
Date: Tue, 26 Aug 2008 08:50:51 -0500
Subject: [Fedora-directory-users] LDIF Documentation

On Tue, Aug 26, 2008 at 08:43, Gene Poole wrote:
> Where can I find documentation on its format and content? Or is there a piece of software that will read an existing LDIF and report on it?

I really don't intend to be a jerk with this answer, but Google is your friend in this.
LDIF is an LDAP standard. It is well documented, and there are tons of commentaries, howtos, etc. on the net.

--
JD Runyan
P. J. O'Rourke - "Never fight an inanimate object."

From michael at stroeder.com Tue Aug 26 14:29:56 2008
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 26 Aug 2008 16:29:56 +0200
Subject: [Fedora-directory-users] LDIF Documentation
Message-ID: <48B41364.9070009@stroeder.com>

Gene Poole wrote:
> Where can I find documentation on its format and content? Or is there a piece of software that will read an existing LDIF and report on it?

See RFC 2849: http://www.ietf.org/rfc/rfc2849.txt

Although it looks simple at first glance, my recommendation is to use a decent LDIF module for your favourite programming language instead of hacking your own incomplete parser.

Ciao, Michael.

From benetage at hotmail.com Tue Aug 26 17:14:38 2008
From: benetage at hotmail.com (Mister Anonyme)
Date: Tue, 26 Aug 2008 13:14:38 -0400
Subject: [Fedora-directory-users] SSL communication between AD and DS

Hi,

This is driving me crazy....

I'm trying to set up SSL communication between Directory Server and AD. Without SSL, the synchronization works very well, I can see all user accounts in DS, but I need SSL to be able to synchronize the passwords as well.

So, here is what I did:

On AD, I opened IE on the following address: http://localhost/certsrv/

I requested a new certificate and installed it. I can see the new certificate in the MMC console, in Certificate->Personal->Certificates.

After that, I exported the CA certificate from DS like this:

pk12util -d . -o CAcert.pfx -n CAcert

I transferred the file to AD and imported it right here: MMC Console->Certificate->Trusted Root Certification Authorities->Certificates

Then, I exported the CA certificate (from AD) from the same directory as above and imported it in DS with the DS Console (section Manage Certificates->CA Certs).

I tested the communication by doing this:

/usr/lib/mozldap6/ldapsearch -Z -P /etc/dirsrv/slapd-myinst/cert8.db -h 1.1.1.1 -p 636 -D "cn=Windows Sync,cn=users,dc=domain,dc=local" -w _PASS_ -s sub -b "ou=users,dc=domain,dc=local" "(objectClass=*)"

It works well; I get a listing of user accounts.

Then, I re-created a new Windows Sync agreement (with SSL and port 636) and I'm always getting the following error:

The consumer initialization has unsuccessfully completed. The error received by the replica is: 48 - LDAP error: Inappropriate authentication

Thank you for your help in advance.

From benetage at hotmail.com Tue Aug 26 19:25:49 2008
From: benetage at hotmail.com (Mister Anonyme)
Date: Tue, 26 Aug 2008 15:25:49 -0400
Subject: [Fedora-directory-users] SSL communication between AD and DS

Hi,

Shame on me... I forgot to restart the LDAP server to activate the SSL.
So, here what I did: On AD, I opened IE on this following address: http://localhost/certsrv/ I requested a new certificate and installed it. I can see the new certificate in MMC console, in Certificate->Personal->Certificates. After, I exported the CA Certificate from DS like this: pk12util -d . -o CAcert.pfx -n CAcert I transfered the file to AD and imported it right here: MMC Console->Certificate->Trusted Root Certification Authorites->Certificates Then, I exported the CA Certificate (from AD) from the same directory as above and imported in DS with the DS Console (section Manage Certificates->CA Certs) I tested the communication by doing this: /usr/lib/mozldap6/ldapsearch -Z -P /etc/dirsrv/slapd-myinst/cert8.db -h 1.1.1.1 -p 636 -D "cn=Windows Sync,cn=users,dc=domain,dc=local" -w _PASS_ -s sub -b "ou=users,dc=domain,dc=local" "(objectClass=*)" Work well, I have a listing of user accounts. Then, I re-created a new Windows Sync agreement (with SSL and port 636) and I'm always getting this following error: The consumer initialization has unsuccessfully completed. The error received by the replica is: 48 - LDAP error: Inappropriate authentication Thank you for your help in advance. _________________________________________________________________ Try Chicktionary, a game that tests how many words you can form from the letters given. Find this and more puzzles at Live Search Games! http://g.msn.ca/ca55/207 -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From beyonddc.storage at gmail.com Wed Aug 27 14:31:07 2008 From: beyonddc.storage at gmail.com (Chun Tat David Chu) Date: Wed, 27 Aug 2008 10:31:07 -0400 Subject: [Fedora-directory-users] Directory server password security In-Reply-To: <48B38882.6070608@gmail.com> References: <398432.67171.qm@web30404.mail.mud.yahoo.com> <48B38882.6070608@gmail.com> Message-ID: <20e4c38c0808270731w1f99c78fl5594773c16da3e0d@mail.gmail.com> To enable SSL on Fedora Directory Server, take a look at the Administrator Manual for Red Hat Directory Server 7.1 You can find the manual from below website http://www.redhat.com/docs/manuals/dir-server/ - dc On Tue, Aug 26, 2008 at 12:37 AM, Russell Miller wrote: > UMESH PANWAR wrote: > >> Hi, >> >> We are using Fredora Directory server 7.1 for authentication of users, >> mail accounts and proxy authentication. Yesterday I have observed that >> passwords goes in plain-text and anyone can retrieve actual user name and >> password easily with using a software named cain. >> Can anybody suggest how can i secure user's password so that the password >> should travel in encrypted form. >> >> I am new with fedora-ds so please explain me in detail. >> >> >> Unfortunately I don't have time to explain to you in detail. But I can > point you in the right direction. Probably the best and most secure way to > do it is to set up SSL between the client and the server. > > This is going to take you a while to set up in the beginning, but once you > have your CA and signing key, things will get much easier. > > --Russell > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From Chris.Hendry at turner.com Wed Aug 27 16:10:42 2008 From: Chris.Hendry at turner.com (Hendry, Chris) Date: Wed, 27 Aug 2008 12:10:42 -0400 Subject: [Fedora-directory-users] Replication Errors after disabling and enabling replication In-Reply-To: <20080613160009.6124E61A79D@hormel.redhat.com> Message-ID: Using Fedora DS 1.0.4-1 I had multimaster replication working for some time for two servers. I wanted to make some changes so I disabled replication on one server, then configured it again, with the same values, but now it does not work at all. I get the following error message when starting up: [27/Aug/2008:12:04:56 -0400] - Fedora-Directory/1.0.4 B2006.312.1539 starting up [27/Aug/2008:12:04:56 -0400] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=xxxx,dc=xxx: 1 [27/Aug/2008:12:04:56 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests I have read some info on the web about this, have not found what I need to clean things up to get it up and running again. Any ideas? Chris From abliss at brockport.edu Wed Aug 27 16:13:41 2008 From: abliss at brockport.edu (Aaron Bliss) Date: Wed, 27 Aug 2008 12:13:41 -0400 Subject: [Fedora-directory-users] Replication Errors after disabling and enabling replication In-Reply-To: References: <20080613160009.6124E61A79D@hormel.redhat.com> Message-ID: <008701c9085f$df18ce70$9d4a6b50$@edu> Perhaps you can try re-initializing one of the masters...this might kick replication back into gear. Aaron -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Hendry, Chris Sent: Wednesday, August 27, 2008 12:11 PM To: fedora-directory-users at redhat.com Subject: [Fedora-directory-users] Replication Errors after disabling and enabling replication Using Fedora DS 1.0.4-1 I had multimaster replication working for some time for two servers. 
I wanted to make some changes so I disabled replication on one server, then configured it again, with the same values, but now it does not work at all. I get the following error message when starting up: [27/Aug/2008:12:04:56 -0400] - Fedora-Directory/1.0.4 B2006.312.1539 starting up [27/Aug/2008:12:04:56 -0400] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=xxxx,dc=xxx: 1 [27/Aug/2008:12:04:56 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests I have read some info on the web about this, have not found what I need to clean things up to get it up and running again. Any ideas? Chris -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users From Chris.Hendry at turner.com Thu Aug 28 20:31:56 2008 From: Chris.Hendry at turner.com (Hendry, Chris) Date: Thu, 28 Aug 2008 16:31:56 -0400 Subject: [Fedora-directory-users] Replication Errors after disablingand enabling replication In-Reply-To: <008701c9085f$df18ce70$9d4a6b50$@edu> Message-ID: I have re initialized and even re installed. I have gotten one sever to start replicating (A -> B) But I can not get server B to replicate to server A. I get the following error message: [28/Aug/2008:16:22:33 -0400] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=xxxx,dc=xxxx: 1 In looking at the differences in dn:cn="dc=xxxx,dc=xxxx",cn=mapping tree,cn=config" The server that works (A) has an attribute: nsslapd-referral The serve that does NOT work (B) has NO such attribute. I have tried to add it, but it does not show up as a choice when adding an attribute. Not sure if this is really an error. When I first set these servers up, it worked great the 1st time. Now I find it very difficult. Any insight? 
Chris -----Original Message----- From: Aaron Bliss [mailto:abliss at brockport.edu] Sent: Wednesday, August 27, 2008 12:14 PM To: 'General discussion list for the Fedora Directory server project.' Subject: RE: [Fedora-directory-users] Replication Errors after disablingand enabling replication Perhaps you can try re-initializing one of the masters...this might kick replication back into gear. Aaron -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Hendry, Chris Sent: Wednesday, August 27, 2008 12:11 PM To: fedora-directory-users at redhat.com Subject: [Fedora-directory-users] Replication Errors after disabling and enabling replication Using Fedora DS 1.0.4-1 I had multimaster replication working for some time for two servers. I wanted to make some changes so I disabled replication on one server, then configured it again, with the same values, but now it does not work at all. I get the following error message when starting up: [27/Aug/2008:12:04:56 -0400] - Fedora-Directory/1.0.4 B2006.312.1539 starting up [27/Aug/2008:12:04:56 -0400] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=xxxx,dc=xxx: 1 [27/Aug/2008:12:04:56 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests I have read some info on the web about this, have not found what I need to clean things up to get it up and running again. Any ideas? Chris -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users From craigwhite at azapple.com Thu Aug 28 20:53:51 2008 From: craigwhite at azapple.com (Craig White) Date: Thu, 28 Aug 2008 13:53:51 -0700 Subject: [Fedora-directory-users] ACI help Message-ID: <1219956831.2903.243.camel@lin-workstation.azapple.com> I have users personal address books as an ou under their accounts... 
ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com but when I try to add an entry, I am blocked... [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 ADD dn="cn=Test,ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com" [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 RESULT err=50 tag=105 nentries=0 etime=0 I need an ACi that allows each uid account to read/write entries in OU's under their own accounts and the only ACi's I have are the ones inherited Craig From malcolm at saafinternational.com Thu Aug 28 22:00:04 2008 From: malcolm at saafinternational.com (Malcolm Amir Hussain-Gambles) Date: Thu, 28 Aug 2008 23:00:04 +0100 Subject: [Fedora-directory-users] email clients Message-ID: <48B71FE4.8070409@saafinternational.com> Just wondering what email clients people use for address books. I've tried evolution, but it seems completely unstable for ldap, I've had no choice but to revert to people using thunderbird. (this is the fc9 version) Thunderbird is stable but lacks features. Claws is probably the best, but doesn't have that corporate feel like evolution. Are most people using outlook? Cheers, Malcolm From rmeggins at redhat.com Thu Aug 28 21:05:31 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 28 Aug 2008 15:05:31 -0600 Subject: [Fedora-directory-users] Replication Errors after disablingand enabling replication In-Reply-To: References: Message-ID: <48B7131B.1050803@redhat.com> Hendry, Chris wrote: > I have re initialized and even re installed. > I have gotten one sever to start replicating (A -> B) > But I can not get server B to replicate to server A. 
> > I get the following error message: > [28/Aug/2008:16:22:33 -0400] NSMMReplicationPlugin - > repl_set_mtn_referrals: could not set referrals for replica > dc=xxxx,dc=xxxx: 1 > > In looking at the differences in dn:cn="dc=xxxx,dc=xxxx",cn=mapping > tree,cn=config" > > The server that works (A) has an attribute: nsslapd-referral > The serve that does NOT work (B) has NO such attribute. > That attribute is supposed to be managed automatically by replication. If for some reason that's not working, see here- http://www.redhat.com/docs/manuals/dir-server/cli/8.0/Configuration_Command_File_Reference-Core_Server_Configuration_Reference-Core_Server_Configuration_Attributes_Reference.html#Configuration_Command_File_Reference-Replication_Attributes_under_cnreplica_cnsuffixName_cnmapping_tree_cnconfig-nsDS5ReplicaReferral > I have tried to add it, but it does not show up as a choice when adding > an attribute. > > Not sure if this is really an error. > When I first set these servers up, it worked great the 1st time. > Now I find it very difficult. > > Any insight? > > Chris > > > > > -----Original Message----- > From: Aaron Bliss [mailto:abliss at brockport.edu] > Sent: Wednesday, August 27, 2008 12:14 PM > To: 'General discussion list for the Fedora Directory server project.' > Subject: RE: [Fedora-directory-users] Replication Errors after > disablingand enabling replication > > Perhaps you can try re-initializing one of the masters...this might kick > replication back into gear. > > Aaron > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Hendry, > Chris > Sent: Wednesday, August 27, 2008 12:11 PM > To: fedora-directory-users at redhat.com > Subject: [Fedora-directory-users] Replication Errors after disabling and > enabling replication > > Using Fedora DS 1.0.4-1 > I had multimaster replication working for some time for two servers. 
> > I wanted to make some changes so I disabled replication on one server, > then configured it again, with the same values, but now it does not work > at all. > > I get the following error message when starting up: > > [27/Aug/2008:12:04:56 -0400] - Fedora-Directory/1.0.4 B2006.312.1539 > starting up > [27/Aug/2008:12:04:56 -0400] NSMMReplicationPlugin - > repl_set_mtn_referrals: could not set referrals for replica > dc=xxxx,dc=xxx: 1 > [27/Aug/2008:12:04:56 -0400] - slapd started. Listening on All > Interfaces port 389 for LDAP requests > > I have read some info on the web about this, have not found what I need > to clean things up to get it up and running again. Any ideas? > > Chris > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From realrichardsharpe at gmail.com Fri Aug 29 04:27:37 2008 From: realrichardsharpe at gmail.com (Richard Sharpe) Date: Thu, 28 Aug 2008 21:27:37 -0700 Subject: [Fedora-directory-users] Access control and best practices etc ... Message-ID: <46b8a8850808282127s43869522j9e368d060d5db3a9@mail.gmail.com> Hi, I have set up Fedora Directory Services (albeit, on CentOS 5.2). Then I set up some PosixAccounts and they all work. Then I wanted to add the sambaSamAccount attribute using the smbldap-usermod tool from the Idealx site, but I keep getting told that I don't have 'write' privilege to add the attribute for the user I selected. Now, I set up the binddn as cn=Directory Manager and specified the correct password. What is going wrong? 
Secondly, I suspect that using the Directory Manager is not a good idea. Are there any links to documentation on best practice for this?

From luke-fds at schierer.org Fri Aug 29 19:06:04 2008
From: luke-fds at schierer.org (Luke Schierer)
Date: Fri, 29 Aug 2008 15:06:04 -0400
Subject: [Fedora-directory-users] questions about 2 node multi-master setup
Message-ID: <20080829190604.GH14861@gabriel.twocrazyguys.net>

Hi,

I just set up Fedora Directory Server on two nodes, and have set up multi-master replication between them following the directions at http://directory.fedoraproject.org/wiki/Howto:WalkthroughMultimasterSSL

It seems to mostly work, but I have a few questions.

1) After initializing nodeB and restarting nodes A and B, I can no longer connect to nodeB with the Console application. If I type in its hostname, it connects, but I can only open up the slapd directory if nodeA is up. I can continue to log into nodes authenticating against the pair, and I can use the command line utilities to connect to nodeB. Any ideas what I might be doing wrong?

2) If I change a password (using the passwd command on a client) while nodeA is down, or add a user with ldapmodify while nodeA is down, the change does not seem to replicate back to nodeA after it comes back up. Do I have to force an initialization in such cases?
Thanks, Luke From ben.van.veen at planet.nl Sun Aug 31 10:06:22 2008 From: ben.van.veen at planet.nl (ben.van.veen at planet.nl) Date: Sun, 31 Aug 2008 12:06:22 +0200 Subject: [Fedora-directory-users] Business Case: Advantage Opensource Directory VS Active Directory References: <63118.217.169.226.122.1219068562.squirrel@webmail.spothost.nl><599093280.20080820085121@polytechnique.edu><40214.77.162.228.253.1219518476.squirrel@webmail.spothost.nl><585947630808231906o65a2a49do937abd7a126243b@mail.gmail.com><7020fd000808240228m52971acewd9ec2b392fba48bf@mail.gmail.com><585947630808242130g44deab0bj429452225499a53d@mail.gmail.com><7020fd000808250224k16c93353n2fbdbbfa0978b1b5@mail.gmail.com> <47540.77.162.228.253.1219685556.squirrel@webmail.spothost.nl> Message-ID: William, If there is anything we can help you with let us know. Ben. -----Oorspronkelijk bericht----- Van: fedora-directory-users-bounces at redhat.com namens cobra at cobradevil.org Verzonden: ma 25-8-2008 19:32 Aan: General discussion list for the Fedora Directory server project. Onderwerp: Re: [Fedora-directory-users] Business Case: Advantage Opensource Directory VS Active Directory Thanx for your answers. I am going to try to get this project going. just scared when i think off the following scenario's! When we get the next few years more then 300 linux servers and about 3000 workstations and we put those all in active directory and microsoft changes their license so you pay per entry then you feel very screwed!!!! Or lets say you have everything in AD and a f*cked up virus will delete your AD then your whole infrastructure is down (including DNS NTP LDAP USER AUTHENTICATION and AUTHORIZATION) and i think for more then 70000 users that will be a real disaster!!! How quick can you recover that? With an OSS directory server (we have some real experience like kerberos trusts and openldap/fds ) i think we will be in better control then with AD, but that is based on my feelings so not really interesting of course! 
Wish me all good luck and i hope i can learn from this project so i can help other people with these questions!! I will ask my bosses to get this project (directory services for OSS infrastructure) so open that i can release docs and stuff out in the wild for reference. With kind regards, William van de Velde > in a windows only network, sure. have fun getting anything else to > authenticate to it properly though. I dont think you even need to know a > lot about ldap to get it going with fds, but its still a useful thing to > know if you are a linux guy, AD is also ldap. I'd really doubt that it > could ever be faster since AD also adds DNS, kerberos, DHCP, NTP all into > it. > > > > > On Mon, Aug 25, 2008 at 5:30 AM, Merle Reine > wrote: > >> Ease of use, speed, dependency. I love mysql, php, apache, linux but >> LDAP >> is just way too confusing and need to many hands on to manage. AD just >> works, was a breeze to setup (i setup exchange server, ADAM in 2 days >> serving 6,000 users) and I had 0 previous experience with either as I am >> a >> linux guy. It has worked flawlessly with not a single thing done to it >> since being setup. I don't like the licensing fees either but it is >> worth >> the money to not have to do any management on a daily basis and I mean 0 >> seconds of my time or my admins in the last 3 months. >> >> >> Merle Reine >> CTO >> Vanguard Industries, Inc. >> >> Email Address: echo zreyr.ervar at tznvy.pbz | perl -pe 'y/a-z/n-za-m/' >> >> >> On Sun, Aug 24, 2008 at 2:28 AM, solarflow99 >> wrote: >> >>> I've used them both too, and I never noticed any real advantage with >>> AD. >>> In fact, FDS would do everything just like you said, and I wasnt forced >>> into >>> vendor lock-in to do it. What were your main drawbacks with LDAP? >>> >>> >>> >>> On Sun, Aug 24, 2008 at 3:06 AM, Merle Reine >>> wrote: >>> >>>> Been using Fedora Directory Server since its inception and up until >>>> recently, I would have recommended it above all others. 
I am a Linux >>>> guru, >>>> windows hater and favor open source over any proprietary product. >>>> That >>>> being said, I recently switched to a new company and they happen to >>>> be all >>>> XP and 2003 server along with exchange. >>>> >>>> Having had the opportunity to work now with both FDS and Active >>>> Directory, I can tell you from first hand experience, Active >>>> Directory wins >>>> hands down. It was easy to setup, easy to replicate, support 6,000 >>>> users >>>> currently at my office and is easily running on a dual core system >>>> while >>>> hardly using any resources. >>>> >>>> I am no lover of Microsoft or any of its products but switching to >>>> ADAM >>>> was the best move i could have made. There is no comparison on ease >>>> of >>>> setup, ease of management, stability. ADAM wins hands down as much as >>>> I >>>> hate to say it, its true. >>>> >>>> Just one person's first hand experience... >>>> >>>> >>>> Merle Reine >>>> CTO >>>> Vanguard Industries, Inc. >>>> >>>> Email Address: echo zreyr.ervar at tznvy.pbz | perl -pe 'y/a-z/n-za-m/' >>>> >>>> >>>> On Sat, Aug 23, 2008 at 12:07 PM, wrote: >>>> >>>>> Hello Andrey and Ben, >>>>> >>>>> Thanx for your answers! >>>>> >>>>> The document realy explains the differences between both directory's! >>>>> I'm taking it for input for the why question for our project! >>>>> For the performance we are going to test that! >>>>> >>>>> With kind regards, >>>>> >>>>> William van de Velde >>>>> >>>>> >>>>> > Bonjour cobra, >>>>> > >>>>> > Monday, August 18, 2008, 4:09:22 PM, you wrote: >>>>> > >>>>> > >>>>> > >>>>> > cco> I have a question why i should use an opensource directory >>>>> server >>>>> for >>>>> > my >>>>> > cco> opensource activities! >>>>> > >>>>> > cco> I work for a large company! 70k users >>>>> > >>>>> > cco> We have a large MS Windows based infrastructure win2k3 with >>>>> winxp >>>>> > cco> workstations. 
>>>>> > >>>>> > cco> Can someone help me with getting the right arguments so i have >>>>> a >>>>> > valid >>>>> > cco> reason to create an opensource directory server? >>>>> > You can try this document to begin with (written for a customer by >>>>> > Symas and HP) : http://www.symas.com/documents/Adam-Eval1-0.pdf >>>>> > >>>>> > >>>>> > Andrey Ivanov >>>>> > tel +33-(0)1-69-33-99-24 >>>>> > fax +33-(0)1-69-33-99-55 >>>>> > >>>>> > Direction des Systemes d'Information >>>>> > Ecole Polytechnique >>>>> > 91128 Palaiseau CEDEX >>>>> > France >>>>> > >>>>> > -- >>>>> > Fedora-directory-users mailing list >>>>> > Fedora-directory-users at redhat.com >>>>> > https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>> > >>>>> >>>>> >>>>> -- >>>>> Fedora-directory-users mailing list >>>>> Fedora-directory-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>> >>>> >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From ben.van.veen at planet.nl Sun Aug 31 10:09:41 2008 From: ben.van.veen at planet.nl (ben.van.veen at planet.nl) Date: Sun, 31 Aug 2008 12:09:41 +0200 Subject: [Fedora-directory-users] Access control and best practices etc ... References: <46b8a8850808282127s43869522j9e368d060d5db3a9@mail.gmail.com> Message-ID: Richard, Can you add the value to the attribute with the FDS consol ? Ben. -----Oorspronkelijk bericht----- Van: fedora-directory-users-bounces at redhat.com namens Richard Sharpe Verzonden: vr 29-8-2008 6:27 Aan: fedora-directory-users at redhat.com Onderwerp: [Fedora-directory-users] Access control and best practices etc ... Hi, I have set up Fedora Directory Services (albeit, on CentOS 5.2). Then I set up some PosixAccounts and they all work. Then I wanted to add the sambaSamAccount attribute using the smbldap-usermod tool from the Idealx site, but I keep getting told that I don't have 'write' privilege to add the attribute for the user I selected. Now, I set up the binddn as cn=Directory Manager and specified the correct password. What is going wrong? Secondly, I suspect that using the Directory Manager is not a good idea. Are there any links to documentation on best practice for this? -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From realrichardsharpe at gmail.com Sun Aug 31 16:33:12 2008 From: realrichardsharpe at gmail.com (Richard Sharpe) Date: Sun, 31 Aug 2008 09:33:12 -0700 Subject: [Fedora-directory-users] Access control and best practices etc ... In-Reply-To: References: <46b8a8850808282127s43869522j9e368d060d5db3a9@mail.gmail.com> Message-ID: <46b8a8850808310933g7c7de3b8r86550d091cb04f3@mail.gmail.com> On Sun, Aug 31, 2008 at 3:09 AM, wrote: > > Richard, > > Can you add the value to the attribute with the FDS consol ? 
Turns out my problem was a mis-configuration of smbldap.conf. I had the wrong dn for Directory Manager. I was able to use ldapmodify to add the attribute, and then increasing the debugging output from the dirsrv daemon showed me what the problem was.

However, I still suspect that it is good practice to create a separate entity that all the Samba stuff can use to bind with.

From craigwhite at azapple.com Sun Aug 31 19:00:32 2008
From: craigwhite at azapple.com (Craig White)
Date: Sun, 31 Aug 2008 12:00:32 -0700
Subject: [Fedora-directory-users] ACI help
In-Reply-To: <1219956831.2903.243.camel@lin-workstation.azapple.com>
References: <1219956831.2903.243.camel@lin-workstation.azapple.com>
Message-ID: <1220209232.16070.8.camel@lin-workstation.azapple.com>

On Thu, 2008-08-28 at 13:53 -0700, Craig White wrote:
> I have users personal address books as an ou under their accounts...
>
> ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com
>
> but when I try to add an entry, I am blocked...
>
> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 ADD
> dn="cn=Test,ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com"
> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 RESULT err=50 tag=105
> nentries=0 etime=0
>
> I need an ACI that allows each uid account to read/write entries in OUs
> under their own accounts and the only ACIs I have are the ones
> inherited
----
It would be great if I could get some help here.

I know that in OpenLDAP, ACLs are processed top down and so I'm looking at the ACIs that would govern here.

dc=example,dc=com has the following ACI (the second one after anonymous access)...
(targetattr = "carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber ||secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title ||userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier") (version 3.0; acl "Enable self write for common attributes"; allow (write) (userdn = "ldap:///self") ;)

and I added one more (it's on the bottom of the list - #7)...

(targetattr = "*") (version 3.0;acl "Personal Address Books";allow (write)(userdn = "ldap:///self");)

but still...

[31/Aug/2008:10:27:57 -0700] conn=2625 op=0 BIND dn="uid=administrator,ou=People,ou=Accounts,dc=example,dc=com" method=128 version=3
[31/Aug/2008:10:27:57 -0700] conn=2625 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=administrator,ou=people,ou=accounts,dc=example,dc=com"
[31/Aug/2008:10:27:57 -0700] conn=2625 op=1 ADD dn="cn=Test,ou=AddressBook,uid=administrator,ou=People,ou=Accounts,dc=example,dc=com"
[31/Aug/2008:10:27:57 -0700] conn=2625 op=1 RESULT err=50 tag=105 nentries=0 etime=0

Craig
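To read what the access log in Craig's message is actually saying, here is an added Python example (not code from the thread, from Craig, or from Directory Server) that correlates BIND and RESULT lines per connection, reports every err=50 (insufficient access) denial together with the identity that was bound on that connection at the time, and checks how the denied target DN relates to the bound DN. The log lines are the ones posted above; the DN comparison is this example's own simplified logic (a case-insensitive split on commas, which does not handle escaped commas or other RFC 4514 normalisation) and is an assumption of the example.

```python
"""Correlate 389/Fedora DS access-log lines to explain an err=50 denial.

Added example for the ACI thread above; not code from the mailing list or
from Directory Server. The DN helpers are a simplification (split on commas,
lower-cased) and are an assumption of this example.
"""
import re

# The four access-log lines from Craig's post, verbatim.
ACCESS_LOG = """\
[31/Aug/2008:10:27:57 -0700] conn=2625 op=0 BIND dn="uid=administrator,ou=People,ou=Accounts,dc=example,dc=com" method=128 version=3
[31/Aug/2008:10:27:57 -0700] conn=2625 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=administrator,ou=people,ou=accounts,dc=example,dc=com"
[31/Aug/2008:10:27:57 -0700] conn=2625 op=1 ADD dn="cn=Test,ou=AddressBook,uid=administrator,ou=People,ou=Accounts,dc=example,dc=com"
[31/Aug/2008:10:27:57 -0700] conn=2625 op=1 RESULT err=50 tag=105 nentries=0 etime=0
"""

HEAD_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value pairs; quoted values may contain spaces


def parse_line(line):
    """Split one access-log line into timestamp, conn, op, operation kind and key=value fields."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {"ts": m.group("ts"), "conn": m.group("conn"), "op": m.group("op"),
            "kind": m.group("kind"), **fields}


def find_denials(log_text):
    """Pair each RESULT with its request and return the err=50 denials with the bound DN."""
    bound = {}      # conn -> DN authenticated on that connection ("" = anonymous)
    pending = {}    # (conn, op) -> request record awaiting its RESULT
    denials = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        key = (rec["conn"], rec["op"])
        if rec["kind"] != "RESULT":
            pending[key] = rec
            continue
        req = pending.pop(key, None)
        if req is None:
            continue
        if req["kind"] == "BIND" and rec.get("err") == "0":
            # The RESULT of a successful bind carries the normalised bound DN.
            bound[rec["conn"]] = rec.get("dn", req.get("dn", ""))
        elif rec.get("err") == "50":
            denials.append({"ts": rec["ts"], "conn": rec["conn"], "request": req["kind"],
                            "target": req.get("dn", ""), "bind_dn": bound.get(rec["conn"], "")})
    return denials


def normalize_dn(dn):
    """Simplified DN normalisation: split on commas, lower-case (assumption: no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def matches_self(bind_dn, target_dn):
    """An ACI bind rule of userdn = "ldap:///self" applies only when the target entry is the bound entry."""
    return normalize_dn(bind_dn) == normalize_dn(target_dn)


def is_under(target_dn, ancestor_dn):
    """True when target_dn lies strictly below ancestor_dn in the tree."""
    t, a = normalize_dn(target_dn), normalize_dn(ancestor_dn)
    return len(t) > len(a) and t[-len(a):] == a


def explain(denial):
    """Classify the denied target relative to the bound DN: self, below-self, or unrelated."""
    b, t = denial["bind_dn"], denial["target"]
    if matches_self(b, t):
        return "self"
    if is_under(t, b):
        return "below-self"
    return "unrelated"


if __name__ == "__main__":
    for d in find_denials(ACCESS_LOG):
        print("%s conn=%s %s %s denied for %s (%s)"
              % (d["ts"], d["conn"], d["request"], d["target"], d["bind_dn"] or "anonymous", explain(d)))
```

For the posted lines it reports that the bound DN `uid=administrator,ou=people,ou=accounts,dc=example,dc=com` is an ancestor of the denied target `cn=Test,ou=AddressBook,uid=administrator,...`, not the target itself. That is exactly the case a `userdn = "ldap:///self"` bind rule does not cover: `self` only matches when the entry being written is the bound entry, so both ACIs quoted above grant the user write access to their own uid entry and nothing beneath it. The same correlation, run over a full access log, also gives a defender a per-identity view of denied operations, which is a useful signal for spotting probing of other users' subtrees.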