From bbahar3 at gmail.com Mon Dec 1 07:38:14 2008
From: bbahar3 at gmail.com (Eric)
Date: Mon, 1 Dec 2008 11:08:14 +0330
Subject: [Fedora-directory-users] fedora-idm-console error
Message-ID: <38a27c8c0811302338r19864d65paf383ba2b613a790@mail.gmail.com>

Hi,

fedora-ds is migrated from 1.0.4 to fedora-ds-1.1.2-1.fc6.
fedora-idm-console opens the console but with this error:

class loader error : failed to install a local copy of fedora-ds-1.1.jar or one of its supporting files.please ensure that the appropriate console package is installed on the administration server.

I did this:

rpm -ql fedora-idm-console:
/usr/bin/fedora-idm-console
/usr/share/doc/fedora-idm-console-1.1.1
/usr/share/doc/fedora-idm-console-1.1.1/LICENSE
/usr/share/java/fedora-idm-console-1.1.1_en.jar
/usr/share/java/fedora-idm-console-1.1_en.jar
/usr/share/java/fedora-idm-console_en.jar

Are there other jars not downloaded?

When I started the console with -D, the error is:

ClassLoader: getLocalJarList():Unable to read /root/.fedora-idm-console/patch/ directory
ClassLoader: start parsing
ClassLoader: getLocalJarList():Unable to read /root/.fedora-idm-console/jars/ directory
ClassLoader: done
ClassLoader: Cannot create LocalJarClassLoader for fedora-ds-1.1.jar
ClassLoader: File not found: fedora-ds-1.1.jar
ClassLoaderUtil.getClass(com.netscape.admin.dirserv.roledit.ResEditorRoleMembers@fedora-ds-1.1.jar )
ClassLoader: Cannot create LocalJarClassLoader for fedora-ds-1.1.jar
ClassLoader: File not found: fedora-ds-1.1.jar
ClassLoaderUtil.getClass(com.netscape.admin.dirserv.roledit.ResEditorRoleAccountPage@fedora-ds-1.1.jar )
ClassLoader: Cannot create LocalJarClassLoader for fedora-ds-1.1.jar
ClassLoader: File not found: fedora-ds-1.1.jar
ClassLoaderUtil.getClass(com.netscape.admin.dirserv.cosedit.ResEditorCosInfo@fedora-ds-1.1.jar )
ClassLoader: Cannot create LocalJarClassLoader for fedora-ds-1.1.jar
ClassLoader: File not found: fedora-ds-1.1.jar
ClassLoaderUtil.getClass(com.netscape.admin.dirserv.cosedit.ResEditorCosAttributes@fedora-ds-1.1.jar )
ClassLoader: Cannot create LocalJarClassLoader for fedora-ds-1.1.jar
ClassLoader: File not found: fedora-ds-1.1.jar
ClassLoaderUtil.getClass(com.netscape.admin.dirserv.cosedit.ResEditorCosTemplate@fedora-ds-1.1.jar )
ClassLoader: Cannot create LocalJarClassLoader for fedora-ds-1.1.jar
ClassLoader: File not found: fedora-ds-1.1.jar
..
..
AdminGroupNode.findAdminURL: LDAP Error: netscape.ldap.LDAPException: error result (32)

From philipp.rusch at gw-world.com Mon Dec 1 14:59:32 2008
From: philipp.rusch at gw-world.com (Rusch Philipp pru09)
Date: Mon, 1 Dec 2008 15:59:32 +0100
Subject: [Fedora-directory-users] Use multiple servers with TLS
Message-ID:

Hello all,

I have a problem using multiple Fedora DS servers which are each secured with their own certificate. What do I have to do to use two servers with two different certificates?

I have already added them to /etc/ldap.conf, and without TLS the connection works fine. When I activate the "use TLS" checkbox the connection cannot be established.

Both certificates are in /etc/openldap/certs, but only one is linked/activated.

In /etc/ldap.conf the servers are listed as follows:

Host ns1.abc-def.com ns2.abc-def.com

Thank you in advance!

Regards
Philipp

From rmeggins at redhat.com Mon Dec 1 15:52:48 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 01 Dec 2008 08:52:48 -0700
Subject: [Fedora-directory-users] fedora-idm-console error
In-Reply-To: <38a27c8c0811302338r19864d65paf383ba2b613a790@mail.gmail.com>
References: <38a27c8c0811302338r19864d65paf383ba2b613a790@mail.gmail.com>
Message-ID: <49340850.80602@redhat.com>

Eric wrote:
> Hi,
> fedora-ds is migrated from 1.0.4 to fedora-ds-1.1.2-1.fc6.
> fedora-idm-console opens console but with error:
>
> class loader error : failed to install a local copy of
> fedora-ds-1.1.jar or one of its supporting files.please ensure that
> the appropriate console package is installed on the administration
> server.
>
> I did this:
> rpm -ql fedora-idm-console:
> /usr/bin/fedora-idm-console
> /usr/share/doc/fedora-idm-console-1.1.1
> /usr/share/doc/fedora-idm-console-1.1.1/LICENSE
> /usr/share/java/fedora-idm-console-1.1.1_en.jar
> /usr/share/java/fedora-idm-console-1.1_en.jar
> /usr/share/java/fedora-idm-console_en.jar
>
> are there other jars not downloaded?
> when I started console with -D , error is:
>
> ClassLoader: getLocalJarList():Unable to read
> /root/.fedora-idm-console/patch/ directory
> ClassLoader: start parsing
> ClassLoader: getLocalJarList():Unable to read
> /root/.fedora-idm-console/jars/ directory

Does this directory exist? Is it writable? If it exists and is writable, try

rm -rf /root/.fedora-idm-console

and try again.

> ClassLoader: done
> ClassLoader: Cannot create LocalJarClassLoader for fedora-ds-1.1.jar
> ClassLoader: File not found: fedora-ds-1.1.jar
> ClassLoaderUtil.getClass(com.netscape.admin.dirserv.roledit.ResEditorRoleMembers@fedora-ds-1.1.jar)
> ClassLoader: Cannot create LocalJarClassLoader for fedora-ds-1.1.jar
> ClassLoader: File not found: fedora-ds-1.1.jar
> ClassLoaderUtil.getClass(com.netscape.admin.dirserv.roledit.ResEditorRoleAccountPage@fedora-ds-1.1.jar)
> ClassLoader: Cannot create LocalJarClassLoader for fedora-ds-1.1.jar
> ClassLoader: File not found: fedora-ds-1.1.jar
> ClassLoaderUtil.getClass(com.netscape.admin.dirserv.cosedit.ResEditorCosInfo@fedora-ds-1.1.jar)
> ClassLoader: Cannot create LocalJarClassLoader for fedora-ds-1.1.jar
> ClassLoader: File not found: fedora-ds-1.1.jar
> ClassLoaderUtil.getClass(com.netscape.admin.dirserv.cosedit.ResEditorCosAttributes@fedora-ds-1.1.jar)
> ClassLoader: Cannot create LocalJarClassLoader for fedora-ds-1.1.jar
> ClassLoader: File not found: fedora-ds-1.1.jar
> ClassLoaderUtil.getClass(com.netscape.admin.dirserv.cosedit.ResEditorCosTemplate@fedora-ds-1.1.jar)
> ClassLoader: Cannot create LocalJarClassLoader for fedora-ds-1.1.jar
> ClassLoader: File not found: fedora-ds-1.1.jar
> ..
> ..
> AdminGroupNode.findAdminURL: LDAP Error: netscape.ldap.LDAPException:
> error result (32)
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rmeggins at redhat.com Mon Dec 1 15:53:36 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 01 Dec 2008 08:53:36 -0700
Subject: [Fedora-directory-users] Re: fedora ds migration error
In-Reply-To: <38a27c8c0811290408l21220919j58e5096759b2c250@mail.gmail.com>
References: <38a27c8c0811290408l21220919j58e5096759b2c250@mail.gmail.com>
Message-ID: <49340880.8000103@redhat.com>

Eric wrote:
> there is /var/run/dirsrv on my system and there is dsgw/cookies in it.
> why server fails to start?

Is /var/run/dirsrv writable by your directory server user? If so, try starting the server with debug on:

/usr/lib/dirsrv/slapd-INSTANCENAME/start-slapd -d 1

>
> Date: Wed, 26 Nov 2008 08:25:31 -0700
> From: Rich Megginson
> Subject: Re: [Fedora-directory-users] Re: error in yum fedora-ds
> To: "General discussion list for the Fedora Directory server project."
> Message-ID: <492D6A6B.2080802 at redhat.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Eric wrote:
> > I used :rpm --import
> > 'http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA7B02652'
> > and the problem solved.
> > I installed fedora-ds then used
> > /usr/sbin/migrate-ds-admin.pl for migration from fedora ds-1.0.4.
> > I stopped slapd-instance before this. it failed in start server:
> mkdir /var/run/dirsrv
> make sure that directory is writable by your directory server user
> >
> > /usr/sbin/migrate-ds-admin.pl General.ConfigDirectoryAdminPwd=mypassword
> > Beginning migration of Directory and Administration servers from
> > /opt/fedora-ds . . .
> > Beginning migration of directory server instances in /opt/fedora-ds . . .
> > Your new DS instance 'slapd-ldap' was successfully created.
> > Server failed to start !!! Please check errors log for problems
> > Beginning migration of Administration server from /opt/fedora-ds . . .
> > Creating Admin Server files and directories . . .
> > Updating the configuration for the httpd engine . . .
> > Starting admin server . . .
> > The admin server was successfully started.
> > Registering the directory server instances with the configuration
> > directory server . . .
> > Directory and Administration servers migration is complete. Please
> > check output and log files for details.
> > Exiting . . .
> >
> > what is wrong? now the slapd in /opt/fedora-ds doesn't work too!

From rmeggins at redhat.com Mon Dec 1 15:55:06 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 01 Dec 2008 08:55:06 -0700
Subject: [Fedora-directory-users] Sudo in directory server
In-Reply-To: <664c5a070811270208k22fdda22s17b8b1e3af470dcb@mail.gmail.com>
References: <664c5a070811270208k22fdda22s17b8b1e3af470dcb@mail.gmail.com>
Message-ID: <493408DA.7040803@redhat.com>

Erling Ringen Elvsrud wrote:
> I try to add the schema for sudoers from README.LDAP in
> the srpm-file of sudo-1.6.8p12. I assume the iPlanet-version will work best, but
> get this problem when I restart directory server:
>
> [root@testserver schema]# service dirsrv restart
> Shutting down dirsrv:
> testserver... [ OK ]
> Starting dirsrv:
> testserver...[27/Nov/2008:10:37:31 +0100] - Entry "cn=schema
> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC
> 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseE"
> required attribute "objectclass" missing
>

The sudo schema is now in CVS HEAD and will be part of the next release of Fedora DS:
http://cvs.fedoraproject.org/viewvc/ldapserver/ldap/schema/60sudo.ldif?revision=1.1&root=dirsec&view=markup

You can go ahead and download and use this file with any version of Fedora DS.

> [ OK ]
> [root@testserver schema]# cat 99sudoers.ldif
> dn: cn=schema attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseE
> xactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseEx
> actIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match S
> YNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1
> .3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1
> .3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
> objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sud
> oHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) X-ORIGIN 'SUDO' )
>
> Any help to get the schema for sudo correctly added is appreciated.
>
> Thanks,
>
> Erling
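The error Erling quotes names an entry whose DN runs on into the first attributeTypes text, and the pasted file shows long values wrapped onto lines that lack the leading space LDIF uses for continuation. The checker below is an added example (not code from the list, from Fedora DS or from the sudo package) that folds an LDIF fragment and flags exactly those shapes before the file is dropped into the schema directory; BROKEN and FIXED are constructed from the definitions quoted above.

```python
"""Line-level check of a hand-edited schema LDIF before it is loaded into Fedora DS.

Added example for the sudo schema thread above; it is not code from the list, from
Fedora DS or from the sudo package.  BROKEN and FIXED are constructed from the
definitions quoted in the thread: BROKEN has the shape the quoted cat output shows
(dn line run into the first definition, long values wrapped with no leading space),
FIXED is the same content folded the way RFC 2849 LDIF requires.
"""
import re

ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9;-]*):\s*(.*)$")
SCHEMA_DEF = re.compile(r"^\(\s*([0-9.]+)\s+NAME\s+'([^']+)'.*\)$", re.S)
EMBEDDED_ATTR = re.compile(r"\s(attributeTypes|objectClasses|objectClass|cn):\s")


def fold_ldif(text):
    """Fold into (line, attr, value) triples; flag lines that fit neither LDIF shape."""
    records, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.startswith(" ") and records:          # RFC 2849 continuation line
            line, attr, value = records[-1]
            records[-1] = (line, attr, value + raw[1:])
            continue
        if not raw.strip() or raw.startswith("#"):
            continue
        m = ATTR_LINE.match(raw)
        if not m:
            problems.append(f"line {n}: neither 'attr: value' nor indented; "
                            "wrapped continuation missing its leading space?")
            continue
        records.append((n, m.group(1), m.group(2)))
    return records, problems


def check_schema_ldif(text):
    """Return (problems, definitions); definitions are (attr, OID, NAME) per clean value."""
    records, problems = fold_ldif(text)
    definitions = []
    for n, attr, value in records:
        if attr.lower() == "dn" and EMBEDDED_ATTR.search(value):
            problems.append(f"line {n}: dn value runs into another attribute; "
                            "newline after the dn line missing?")
        if attr in ("attributeTypes", "objectClasses"):
            if value.count("(") != value.count(")"):
                problems.append(f"line {n}: {attr} has unbalanced parentheses")
            m = SCHEMA_DEF.match(value.strip())
            if m:
                definitions.append((attr, m.group(1), m.group(2)))
            else:
                problems.append(f"line {n}: {attr} is not of the form '( OID NAME ... )'")
    return problems, definitions


# Constructed: the shape of the quoted 99sudoers.ldif.
BROKEN = """\
dn: cn=schema attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseE
xactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseEx
actIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
"""

# Constructed: the same definitions, one attribute per logical line, continuations indented.
FIXED = """\
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo'
  EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo'
  EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
  DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand
  $ sudoRunAs $ sudoOption $ description ) X-ORIGIN 'SUDO' )
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        problems, definitions = check_schema_ldif(text)
        print(f"{name}: {len(problems)} problem(s), {len(definitions)} definition(s)")
        for p in problems:
            print("  " + p)
```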
From beyonddc.storage at gmail.com Mon Dec 1 16:03:44 2008
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Mon, 1 Dec 2008 11:03:44 -0500
Subject: [Fedora-directory-users] Modify existing listening port for the Admin Server
Message-ID: <20e4c38c0812010803j28b6d97ci93e8a169f06c70c8@mail.gmail.com>

Hi All,

Can anyone tell me how to modify the existing listening port for the Admin Server? Basically I just want the Admin Server to listen on another port.

I'm using a fairly old Fedora Directory 1.0.2.

Thanks!

David

From zach.casper at envieta.com Mon Dec 1 16:14:07 2008
From: zach.casper at envieta.com (Zach Casper)
Date: Mon, 1 Dec 2008 11:14:07 -0500
Subject: [Fedora-directory-users] LDAP User mngmt & console
Message-ID: <000f01c953cf$d888f600$899ae200$@casper@envieta.com>

I'm using the default installation of dirsrv within my Dogtag/ESC/Coolkey on Fedora 8.

My goal is to simply set up a testing environment so that I may test my Coolkey applet installation on smart cards.

The documentation seems to be a bit all-over-the-place. I used the "yum install fedora-ds" command to install the LDAP server for Dogtag but I do not have the console installed. I've looked in /usr/bin for fedora-idm. Nothing.

I tried to install fedora-idm-console but the package is stated not to exist.

How can I manage (add/delete) users in the LDAP directory so that I can format my smart cards?

Upon using the ESC it asks me to log into the LDAP dir srvr and I am unable to.

Any help would be greatly appreciated as I've been dealing w/ this issue for a few days now.

--
Zach Casper
Envieta LLC
410/290-1136 x105 (Office)
330/618-5618 (Mobile)
zach.casper at envieta.com
www.envieta.com

From Jeff.Williams at infospace.com Mon Dec 1 16:26:34 2008
From: Jeff.Williams at infospace.com (Jeff Williams)
Date: Mon, 1 Dec 2008 08:26:34 -0800
Subject: [Fedora-directory-users] Passsync fails to update directory
Message-ID: <9598680C8A333F49AC6A9B78095E4D4A2E014477@CPWPRX01N.inspinc.ad>

Hello all,

I'm unable to get the Windows passsync service to provide password updates to our DS. I can see it start, and it appears to be running. The resulting log looks like this:

12/01/08 07:56:21: PassSync service started
12/01/08 07:56:21: Failed to load entries from file
12/01/08 07:58:39: Failed to load entries from file
12/01/08 07:58:39: PassSync service stopped
12/01/08 07:59:42: PassSync service started
12/01/08 07:59:42: Failed to load entries from file
12/01/08 08:05:42: Failed to load entries from file
12/01/08 08:05:42: PassSync service stopped
12/01/08 08:05:44: PassSync service started
12/01/08 08:05:44: Failed to load entries from file

I've seen a previous thread that pointed at c:\windows\system32\passhook.dat needing correct permissions, so I've confirmed that any service or user has full read/write access to this file.

Is there something I'm missing?

Thanks,
Jeff Williams

From rmeggins at redhat.com Mon Dec 1 16:34:11 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 01 Dec 2008 09:34:11 -0700
Subject: [Fedora-directory-users] LDAP User mngmt & console
In-Reply-To: <000f01c953cf$d888f600$899ae200$@casper@envieta.com>
References: <000f01c953cf$d888f600$899ae200$@casper@envieta.com>
Message-ID: <49341203.7050404@redhat.com>

Zach Casper wrote:
> I'm using the default installation of dirsrv within my
> Dogtag/ESC/Coolkey on Fedora 8.
>
> My goal is to simply set up a testing environment so that I may test
> my Coolkey applet installation on smart cards.
>
> The documentation seems to be a bit all-over-the-place. I used the
> "yum install fedora-ds" command to install the LDAP server for Dogtag
> but I do not have the console installed. I've looked in /usr/bin for
> fedora-idm. Nothing.
>

rpm -qa|grep fedora-ds

you should see several packages

> I tried to install fedora-idm-console but the package is stated not to
> exist.
>

what does yum install fedora-idm-console do?

From stpierre at NebrWesleyan.edu Mon Dec 1 16:33:36 2008
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Mon, 1 Dec 2008 10:33:36 -0600 (CST)
Subject: [Fedora-directory-users] Fedora DS Graph 1.1 released
Message-ID:

Fedora DS Graph 1.1 has been released; please see https://sourceforge.net/forum/forum.php?forum_id=893245 for the announcement and a link to download. This is a significant improvement over the old 1.0.x series, and I recommend all Fedora DS Graph users upgrade promptly.
Additionally, moving the project to Sourceforge gets me the ability to run a mailing list; please subscribe at https://lists.sourceforge.net/lists/listinfo/fedora-ds-graph-announce if you want further updates on Fedora DS Graph. No further mailings about this will go to this list.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

From zach.casper at envieta.com Mon Dec 1 16:38:39 2008
From: zach.casper at envieta.com (Zach Casper)
Date: Mon, 1 Dec 2008 11:38:39 -0500
Subject: [Fedora-directory-users] LDAP User mngmt & console
In-Reply-To: <49341203.7050404@redhat.com>
References: <000f01c953cf$d888f600$899ae200$@casper@envieta.com> <49341203.7050404@redhat.com>
Message-ID: <002c01c953d3$45fd68d0$d1f83a70$@casper@envieta.com>

Only package that shows is fedora-ds-base

Yum responds with the fedora-idm-console package not being available.

From jsullivan at opensourcedevel.com Mon Dec 1 16:56:36 2008
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Mon, 01 Dec 2008 11:56:36 -0500
Subject: [Fedora-directory-users] LDAP User mngmt & console
In-Reply-To: <002c01c953d3$45fd68d0$d1f83a70$@casper@envieta.com>
References: <000f01c953cf$d888f600$899ae200$@casper@envieta.com> <49341203.7050404@redhat.com> <002c01c953d3$45fd68d0$d1f83a70$@casper@envieta.com>
Message-ID: <1228150596.7654.11.camel@jaspav.missionsit.net.missionsit.net>

On Mon, 2008-12-01 at 11:38 -0500, Zach Casper wrote:
> Only package that shows is fedora-ds-base
>
> Yum responds with the fedora-idm-console package not being available.

I recall hitting something like this. What does yum install fedora-ds-console do for you? You may also need fedora-ds-admin. Not sure. Hope this helps - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From zach.casper at envieta.com Mon Dec 1 17:10:32 2008
From: zach.casper at envieta.com (Zach Casper)
Date: Mon, 1 Dec 2008 12:10:32 -0500
Subject: [Fedora-directory-users] LDAP User mngmt & console
In-Reply-To: <1228150596.7654.11.camel@jaspav.missionsit.net.missionsit.net>
References: <000f01c953cf$d888f600$899ae200$@casper@envieta.com> <49341203.7050404@redhat.com> <002c01c953d3$45fd68d0$d1f83a70$@casper@envieta.com> <1228150596.7654.11.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <003e01c953d7$bb31ffe0$3195ffa0$@casper@envieta.com>

Yum install fedora-ds-admin & yum install fedora-idm-console

All state No package available - any advice?

From jsullivan at opensourcedevel.com Mon Dec 1 17:24:51 2008
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Mon, 01 Dec 2008 12:24:51 -0500
Subject: [Fedora-directory-users] LDAP User mngmt & console
In-Reply-To: <003e01c953d7$bb31ffe0$3195ffa0$@casper@envieta.com>
References: <000f01c953cf$d888f600$899ae200$@casper@envieta.com> <49341203.7050404@redhat.com> <002c01c953d3$45fd68d0$d1f83a70$@casper@envieta.com> <1228150596.7654.11.camel@jaspav.missionsit.net.missionsit.net> <003e01c953d7$bb31ffe0$3195ffa0$@casper@envieta.com>
Message-ID: <1228152291.7654.13.camel@jaspav.missionsit.net.missionsit.net>

On Mon, 2008-12-01 at 12:10 -0500, Zach Casper wrote:
> Yum install fedora-ds-admin & yum install fedora-idm-console
>
> All state No package available - any advice?

I just fired up my fedora installation and here's what a yum list gives me:

fedora-ds.i386                  1.1.2-1.fc9  installed
fedora-ds-admin.i386            1.1.6-1.fc9  installed
fedora-ds-admin-console.noarch  1.1.2-1.fc9  installed
fedora-ds-base.i386             1.1.3-2.fc9  installed
fedora-ds-console.noarch        1.1.2-2.fc9  installed
fedora-ds-dsgw.i386             1.1.1-1.fc9  installed

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From rmeggins at redhat.com Mon Dec 1 18:09:12 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 01 Dec 2008 11:09:12 -0700
Subject: [Fedora-directory-users] LDAP User mngmt & console
In-Reply-To: <002c01c953d3$45fd68d0$d1f83a70$@casper@envieta.com>
References: <000f01c953cf$d888f600$899ae200$@casper@envieta.com> <49341203.7050404@redhat.com> <002c01c953d3$45fd68d0$d1f83a70$@casper@envieta.com>
Message-ID: <49342848.60409@redhat.com>

Zach Casper wrote:
> Only package that shows is fedora-ds-base
>
> Yum responds with the fedora-idm-console package not being available.
>

Have you done a yum upgrade since the new rekeyed Fedora repositories were released?
>
>> How can I manage (add/delete) users in the LDAP directory so that I
>> can format my smart cards?
>>
>> Upon using the ESC is asks me to log into the LDAP dir srvr and I am
>> unable to.
>>
>> Any help would be greatly appreciated as I've been dealing w/ this
>> issue for a few days now.
>>
>> --
>> Zach Casper
>> Envieta LLC
>> 410/290-1136 x105 (Office)
>> 330/618-5618 (Mobile)
>> zach.casper at envieta.com
>> www.envieta.com
>>
>> ----------------------------------------
>> ----------------------------------------------------------------------
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> * Thawte Freemail Member
> * Issuer: Thawte Consulting (Pty) Ltd. - Unverified
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From nalin at redhat.com Mon Dec 1 18:36:24 2008
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Mon, 1 Dec 2008 13:36:24 -0500
Subject: [Fedora-directory-users] Ubuntu not enforcing password policies
In-Reply-To: <1227851351.6618.47.camel@jaspav.missionsit.net.missionsit.net>
References: <1227851351.6618.47.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <20081201183624.GA3220@redhat.com>

On Fri, Nov 28, 2008 at 12:49:11AM -0500, John A. Sullivan III wrote:
> Hello, all. We're continuing to dive ever deeper into DS. Our thanks
> to the developers for such a powerful product.
>
> Our integration with the RedHat family has gone well but now we're
> working on Ubuntu.
Most is working well but we are finding Ubuntu is
> not enforcing password policies. For example, we require a user to
> change their password after a reset. When a user logs into a RedHat
> system, they are prompted for the change. However, Ubuntu just lets
> them right in again and again with the same reset password.
>
> Any pointers on what to look for to fix this in our configuration before
> we scour the world for a solution? We've already done quite a bit of
> googling.
>
> We've tried enabling pam_lookup_policy but that didn't
> work. /etc/pam.d/common-password reads:
>
> password requisite pam_cracklib.so retry=3 minlen=8 difok=3
> password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
> password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
> # here's the fallback if no module succeeds
> password requisite pam_deny.so
>
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> password required pam_permit.so
>
> We've also tried disabling that last pam_permit.so. That didn't help. Where should we look? Thanks - John

When using PAM, the calling application "knows" that the user's password
needs to be changed because the account management modules signal it, so
you'll want to check the "account" portions of the PAM configuration.

Specifically, you want to ensure that pam_ldap.so is being used, and
that some other module isn't causing the account management function to
return a success code before pam_ldap.so gets a chance to check on the
user's account and return a password-needs-changing code.

Just a guess, but going on what I get on my Fedora system, it might look
something like this:

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

HTH,

Nalin

From zach.casper at envieta.com Mon Dec 1 18:35:03 2008
From: zach.casper at envieta.com (Zach Casper)
Date: Mon, 1 Dec 2008 13:35:03 -0500
Subject: [Fedora-directory-users] LDAP User mngmt & console
In-Reply-To: <49342848.60409@redhat.com>
References: <000f01c953cf$d888f600$899ae200$@casper@envieta.com> <49341203.7050404@redhat.com> <002c01c953d3$45fd68d0$d1f83a70$@casper@envieta.com> <49342848.60409@redhat.com>
Message-ID: <006601c953e3$895fd350$9c1f79f0$@casper@envieta.com>

Ah! That was it - Thank you very much Rich.

zach

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
Sent: Monday, December 01, 2008 1:09 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] LDAP User mngmt & console

* PGP Signed by an unverified key: 12/01/08 at 13:09:12

Zach Casper wrote:
> Only package that shows is fedora-ds-base
>
> Yum responds with the fedora-idm-console package not being available.
>
Have you done a yum upgrade since the new rekeyed Fedora repositories were released?
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich
> Megginson
> Sent: Monday, December 01, 2008 11:34 AM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] LDAP User mngmt & console
>
> Old Signed by an unverified key: 12/01/08 at 11:34:11
>
> Zach Casper wrote:
>
>> I'm using the default installation of dirsrv within my
>> Dogtag/ESC/Coolkey on Fedora 8.
>>
>> My goal is to simply set up a testing environment so that I may test
>> my Coolkey applet installation on smart cards.
>>
>> The documentation seems to be a bit all-over-the-place. I used the
>> "yum install fedora-ds" command to install the LDAP server for Dogtag
>> but I do not have the console installed. I've looked in /usr/bin for
>> fedora-idm. Nothing.
>>
> rpm -qa|grep fedora-ds
>
> you should see several packages
>
>> I tried to install fedora-idm-console but the package is stated not
>> to exist.
>>
> what does yum install fedora-idm-console do?
>
>> How can I manage (add/delete) users in the LDAP directory so that I
>> can format my smart cards?
>>
>> Upon using the ESC is asks me to log into the LDAP dir srvr and I am
>> unable to.
>>
>> Any help would be greatly appreciated as I've been dealing w/ this
>> issue for a few days now.
>>
>> --
>> Zach Casper
>> Envieta LLC
>> 410/290-1136 x105 (Office)
>> 330/618-5618 (Mobile)
>> zach.casper at envieta.com
>> www.envieta.com
>>
>> ----------------------------------------
>> ----------------------------------------------------------------------
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> * Thawte Freemail Member
> * Issuer: Thawte Consulting (Pty) Ltd. - Unverified
>
> ----------------------------------------------------------------------
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

* Thawte Freemail Member
* Issuer: Thawte Consulting (Pty) Ltd. - Unverified

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 486 bytes
Desc: not available
URL:

From jsullivan at opensourcedevel.com Mon Dec 1 19:33:05 2008
From: jsullivan at opensourcedevel.com (John A.
Sullivan III) Date: Mon, 01 Dec 2008 14:33:05 -0500 Subject: [Fedora-directory-users] Ubuntu not enforcing password policies In-Reply-To: <20081201183624.GA3220@redhat.com> References: <1227851351.6618.47.camel@jaspav.missionsit.net.missionsit.net> <20081201183624.GA3220@redhat.com> Message-ID: <1228159985.7654.15.camel@jaspav.missionsit.net.missionsit.net> On Mon, 2008-12-01 at 13:36 -0500, Nalin Dahyabhai wrote: > On Fri, Nov 28, 2008 at 12:49:11AM -0500, John A. Sullivan III wrote: > > Hello, all. We're continuing to dive ever deeper into DS. Our thanks > > to the developers for such a powerful product. > > > > Our integration with the RedHat family has gone well but now we're > > working on Ubuntu. Most is working well but we are finding Ubuntu is > > not enforcing password policies. For example, we require a user to > > change their password after a reset. When a user logs into a RedHat > > system, they are prompted for the change. However, Ubuntu just lets > > them right in again and again with the same reset password. > > > > Any pointers on what to look for to fix this in our configuration before > > we scour the world for a solution? We've already done quite a bit of > > googling. > > > > We've tried enabling pam_lookup_policy but that didn't > > work. /etc/pam.d/common-password reads: > > > > password requisite pam_cracklib.so retry=3 minlen=8 difok=3 > > password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 > > password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass > > # here's the fallback if no module succeeds > > password requisite pam_deny.so > > > > # prime the stack with a positive return value if there isn't one already; > > # this avoids us returning an error just because nothing sets a success code > > # since the modules above will each just jump around > > password required pam_permit.so > > > > We've also tried disabling that last pam_permit.so. That didn't help. 
Where should we look? Thanks - John > > When using PAM, the calling application "knows" that the user's password > needs to be changed because the account management modules signal it, so > you'll want to check the "account" portions of the PAM configuration. > > Specifically, you want to ensure that pam_ldap.so is being used, and > that some other module isn't causing the account management function to > return a success code before pam_ldap.so gets a chance to check on the > user's account and return a password-needs-changing code. > > Just a guess, but going on what I get on my Fedora system, it might look > something like this: > > account required pam_unix.so > account sufficient pam_succeed_if.so uid < 500 quiet > account [[default=bad success=ok user_unknown=ignore] pam_ldap.so > account required pam_permit.so > > HTH, > > Nalin > > -- Thank you. That was it. It had autoconfigured with ldap first: account sufficient pam_ldap.so account required pam_unix.so -- John A. Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan at opensourcedevel.com http://www.spiritualoutreach.com Making Christianity intelligible to secular society From jsullivan at opensourcedevel.com Mon Dec 1 19:36:50 2008 From: jsullivan at opensourcedevel.com (John A. Sullivan III) Date: Mon, 01 Dec 2008 14:36:50 -0500 Subject: [Fedora-directory-users] Ubuntu not enforcing password policies In-Reply-To: <1228159985.7654.15.camel@jaspav.missionsit.net.missionsit.net> References: <1227851351.6618.47.camel@jaspav.missionsit.net.missionsit.net> <20081201183624.GA3220@redhat.com> <1228159985.7654.15.camel@jaspav.missionsit.net.missionsit.net> Message-ID: <1228160210.7654.17.camel@jaspav.missionsit.net.missionsit.net> On Mon, 2008-12-01 at 14:33 -0500, John A. Sullivan III wrote: > On Mon, 2008-12-01 at 13:36 -0500, Nalin Dahyabhai wrote: > > On Fri, Nov 28, 2008 at 12:49:11AM -0500, John A. Sullivan III wrote: > > > Hello, all. We're continuing to dive ever deeper into DS. 
Our thanks > > > to the developers for such a powerful product. > > > > > > Our integration with the RedHat family has gone well but now we're > > > working on Ubuntu. Most is working well but we are finding Ubuntu is > > > not enforcing password policies. For example, we require a user to > > > change their password after a reset. When a user logs into a RedHat > > > system, they are prompted for the change. However, Ubuntu just lets > > > them right in again and again with the same reset password. > > > > > > Any pointers on what to look for to fix this in our configuration before > > > we scour the world for a solution? We've already done quite a bit of > > > googling. > > > > > > We've tried enabling pam_lookup_policy but that didn't > > > work. /etc/pam.d/common-password reads: > > > > > > password requisite pam_cracklib.so retry=3 minlen=8 difok=3 > > > password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 > > > password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass > > > # here's the fallback if no module succeeds > > > password requisite pam_deny.so > > > > > > # prime the stack with a positive return value if there isn't one already; > > > # this avoids us returning an error just because nothing sets a success code > > > # since the modules above will each just jump around > > > password required pam_permit.so > > > > > > We've also tried disabling that last pam_permit.so. That didn't help. Where should we look? Thanks - John > > > > When using PAM, the calling application "knows" that the user's password > > needs to be changed because the account management modules signal it, so > > you'll want to check the "account" portions of the PAM configuration. 
> > > > Specifically, you want to ensure that pam_ldap.so is being used, and > > that some other module isn't causing the account management function to > > return a success code before pam_ldap.so gets a chance to check on the > > user's account and return a password-needs-changing code. > > > > Just a guess, but going on what I get on my Fedora system, it might look > > something like this: > > > > account required pam_unix.so > > account sufficient pam_succeed_if.so uid < 500 quiet > > account [[default=bad success=ok user_unknown=ignore] pam_ldap.so > > account required pam_permit.so > > > > HTH, > > > > Nalin > > > > -- > > Thank you. That was it. It had autoconfigured with ldap first: > > account sufficient pam_ldap.so > account required pam_unix.so > Oops! I spoke too soon. Now, after changing the password, I cannot log in. If I change it back to the original order, I can. I'll have to dig a little further - John -- John A. Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan at opensourcedevel.com http://www.spiritualoutreach.com Making Christianity intelligible to secular society From beyonddc.storage at gmail.com Mon Dec 1 20:12:31 2008 From: beyonddc.storage at gmail.com (Chun Tat David Chu) Date: Mon, 1 Dec 2008 15:12:31 -0500 Subject: [Fedora-directory-users] Couldn't launch the Administration Server Console Message-ID: <20e4c38c0812011212o1324bf8dye3bef22815dc6dec@mail.gmail.com> Hi All, I am having a problem opening the "Administration Server Console" from the "Fedora Management Console". When I highlighted "Administration Server" under the "Server Group" and clicked on the "Open" button. After I clicked the "Open" button, all I see is "Opening server window" message on the lower left status bar of the "Fedora Management Console". I do not see any JAVA exception in my terminal where I launch the Fedora Management Console. Can anyone give me any suggestion on how to resolve or debug this problem? 
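The following is an added example for the account-stack exchange between John and Nalin above (PAM control flags and module order); it is not code from any message in this thread, nor from Linux-PAM itself. It is a small Python model of how libpam's dispatcher combines the results of an account stack, written from the control semantics documented in pam.conf(5): the shorthand words required/requisite/sufficient/optional and the bracketed [value=action] form with the actions ok, done, bad, die and ignore (jump actions such as success=2 are not modelled). The module return codes for the two users are constructed for the scenario, not observed on any system; in particular, pam_unix.so returning success for the directory user is an assumption.

```python
"""Model of how Linux-PAM combines the results of an 'account' stack.

Added example, not code from the thread or from Linux-PAM. It follows the
control semantics in pam.conf(5); jump actions are left out. All module
return values below are constructed for the scenario, not observed."""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"   # "password must be changed"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_IGNORE = "PAM_IGNORE"

# The shorthand control words, expanded as pam.conf(5) defines them.
SHORTHAND = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(control):
    """'sufficient' or '[default=bad success=ok user_unknown=ignore]' -> {value: action}."""
    control = SHORTHAND.get(control, control)
    return dict(pair.split("=", 1) for pair in control.strip("[]").split())


def run_stack(stack, results):
    """Evaluate an account stack the way libpam's dispatcher does.

    stack:   list of (control, module) lines in file order
    results: {module: return code} for the user being checked
    Returns the code the application sees from pam_acct_mgmt()."""
    impression = None          # None: nobody has voted; True/False: positive/negative
    status = PAM_SUCCESS
    for control, module in stack:
        actions = parse_control(control)
        retval = results[module]
        value = retval[len("PAM_"):].lower()          # PAM_USER_UNKNOWN -> user_unknown
        action = actions.get(value, actions.get("default", "bad"))
        if action in ("ok", "done"):
            # A positive vote only overrides an earlier PAM_SUCCESS, so the first
            # non-success code (such as PAM_NEW_AUTHTOK_REQD) sticks.
            if impression is None or (impression and status == PAM_SUCCESS):
                if retval != PAM_IGNORE:
                    impression, status = True, retval
            if impression and action == "done":
                break                                   # 'sufficient' short-circuit
        elif action in ("bad", "die"):
            if impression is not False:                # the first failure wins
                impression, status = False, retval
            if action == "die":
                break                                   # 'requisite' short-circuit
        elif action == "ignore":
            continue
        else:
            raise ValueError("jump action %r is not modelled" % action)
    if impression is None:
        status = PAM_PERM_DENIED                        # nobody voted: fail closed
    return status


# Nalin's Fedora-style stack, as quoted in the thread.
FEDORA_STACK = [
    ("required", "pam_unix.so"),
    ("sufficient", "pam_succeed_if.so"),      # uid < 500 quiet: local system accounts
    ("[default=bad success=ok user_unknown=ignore]", "pam_ldap.so"),
    ("required", "pam_permit.so"),
]

# The ordering John found autoconfigured on Ubuntu.
UBUNTU_AUTOCONF_STACK = [
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_unix.so"),
]

# The failure mode Nalin describes: a success before pam_ldap ends the stack.
UNIX_SUFFICIENT_FIRST = [
    ("sufficient", "pam_unix.so"),
    ("required", "pam_ldap.so"),
]

# Constructed results for a directory user (uid 10000) whose password was
# reset: pam_ldap reports "must change"; pam_unix is ASSUMED to succeed
# because nss_ldap resolves the account; pam_succeed_if fails its uid test.
RESET_USER = {
    "pam_unix.so": PAM_SUCCESS,
    "pam_succeed_if.so": PAM_AUTH_ERR,
    "pam_ldap.so": PAM_NEW_AUTHTOK_REQD,
    "pam_permit.so": PAM_SUCCESS,
}

# Constructed results for root: pam_succeed_if passes, the directory has no entry.
LOCAL_ROOT = {
    "pam_unix.so": PAM_SUCCESS,
    "pam_succeed_if.so": PAM_SUCCESS,
    "pam_ldap.so": PAM_USER_UNKNOWN,
    "pam_permit.so": PAM_SUCCESS,
}

if __name__ == "__main__":
    for name, stack in [("fedora", FEDORA_STACK), ("ubuntu-autoconf", UBUNTU_AUTOCONF_STACK),
                        ("unix-sufficient-first", UNIX_SUFFICIENT_FIRST)]:
        print("%-22s reset user -> %s" % (name, run_stack(stack, RESET_USER)))
    print("%-22s root       -> %s" % ("fedora", run_stack(FEDORA_STACK, LOCAL_ROOT)))
```

Running it shows that Nalin's stack propagates PAM_NEW_AUTHTOK_REQD even though the pam_ldap line does not list new_authtok_reqd: that code falls to default=bad, which records the first failure, and pam_permit cannot override a negative result, so the application sees it and prompts for a new password. A stack that puts a sufficient pam_unix.so before pam_ldap.so returns PAM_SUCCESS without consulting the directory at all, which is the failure mode Nalin warns about. The ordering John found autoconfigured (sufficient pam_ldap.so first) also returns PAM_NEW_AUTHTOK_REQD under these constructed results, so if that stack still lets the user in, the next thing to check is what pam_ldap itself returns for the account, which is consistent with John's follow-up that swapping the order was not the whole story.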
I'm currently using Fedora Directory 1.0.2 Thanks, David -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Mon Dec 1 20:46:56 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 01 Dec 2008 13:46:56 -0700 Subject: [Fedora-directory-users] Couldn't launch the Administration Server Console In-Reply-To: <20e4c38c0812011212o1324bf8dye3bef22815dc6dec@mail.gmail.com> References: <20e4c38c0812011212o1324bf8dye3bef22815dc6dec@mail.gmail.com> Message-ID: <49344D40.1040009@redhat.com> Chun Tat David Chu wrote: > Hi All, > > I am having a problem opening the "Administration Server Console" from > the "Fedora Management Console". > > When I highlighted "Administration Server" under the "Server Group" > and clicked on the "Open" button. > > After I clicked the "Open" button, all I see is "Opening server > window" message on the lower left status bar of the "Fedora Management > Console". > > I do not see any JAVA exception in my terminal where I launch the > Fedora Management Console. > > Can anyone give me any suggestion on how to resolve or debug this problem? startconsole -D 9 -f console.log > > I'm currently using Fedora Directory 1.0.2 > > Thanks, > > David > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From beyonddc.storage at gmail.com Mon Dec 1 21:17:38 2008 From: beyonddc.storage at gmail.com (Chun Tat David Chu) Date: Mon, 1 Dec 2008 16:17:38 -0500 Subject: [Fedora-directory-users] Couldn't launch the Administration Server Console In-Reply-To: <49344D40.1040009@redhat.com> References: <20e4c38c0812011212o1324bf8dye3bef22815dc6dec@mail.gmail.com> <49344D40.1040009@redhat.com> Message-ID: <20e4c38c0812011317k7aef2d05rda4e039b8681ab8f@mail.gmail.com> Hi Rich, Thanks for your information. I ran with debug enabled and now I see the following JAVA stacktrace. ResourceSet: found loader1321488068:com.netscape.management.client.console.console Framework: location set: java.awt.Point[x=147,y=38] TaskPage.pageSelected: parent=com.netscape.management.client.Framework[frame1,147,38,948x855,invalid,hidden,layout=java.awt.BorderLayout,title=Administration Server,resizable,normal,defaultCloseOperation=DO_NOTHING_ON_CLOSE,rootPane=javax.swing.JRootPane[,0,0,0x0,invalid,layout=javax.swing.JRootPane$RootLayout,alignmentX=0.0,alignmentY=0.0,border=,flags=16777673,maximumSize=,minimumSize=,preferredSize=],rootPaneCheckingEnabled=true] java.lang.IllegalArgumentException: Width (0) and height (0) cannot be <= 0 at java.awt.image.DirectColorModel.createCompatibleWritableRaster(DirectColorModel.java:1031) at sun.awt.X11.XFramePeer.setIconImage(XFramePeer.java:247) at sun.awt.X11.XFramePeer.postInit(XFramePeer.java:104) at sun.awt.X11.XBaseWindow.init(XBaseWindow.java:146) at sun.awt.X11.XBaseWindow.(XBaseWindow.java:179) at sun.awt.X11.XWindow.(XWindow.java:114) at sun.awt.X11.XComponentPeer.(XComponentPeer.java:128) at sun.awt.X11.XPanelPeer.(XPanelPeer.java:55) at sun.awt.X11.XWindowPeer.(XWindowPeer.java:75) at sun.awt.X11.XDecoratedPeer.(XDecoratedPeer.java:58) at sun.awt.X11.XFramePeer.(XFramePeer.java:70) at sun.awt.X11.XToolkit.createFrame(XToolkit.java:380) at 
java.awt.Frame.addNotify(Frame.java:524) at java.awt.Window.show(Window.java:539) at com.netscape.management.client.Framework.(Unknown Source) at com.netscape.management.admserv.AdminServer.createFramework(Unknown Source) at com.netscape.management.admserv.AdminServer.run(Unknown Source) at com.netscape.management.admserv.AdminServer.run(Unknown Source) at com.netscape.management.client.topology.AbstractServerObject$ServerRunThread.run(Unknown Source) AbstractServerObject.ServerRunThread java.lang.IllegalArgumentException: Width (0) and height (0) cannot be <= 0 AbstractServerObject.StatusThread: waiting for chanage listeners to register AbstractServerObject.StatusThread: waiting for chanage listeners to register Any idea on top of your head that could cause this problem? I don't think this matters, but I do have SSL enabled on the Directory Server. Thanks, David On Mon, Dec 1, 2008 at 3:46 PM, Rich Megginson wrote: > Chun Tat David Chu wrote: > >> Hi All, >> >> I am having a problem opening the "Administration Server Console" from the >> "Fedora Management Console". >> >> When I highlighted "Administration Server" under the "Server Group" and >> clicked on the "Open" button. >> >> After I clicked the "Open" button, all I see is "Opening server window" >> message on the lower left status bar of the "Fedora Management Console". >> >> I do not see any JAVA exception in my terminal where I launch the Fedora >> Management Console. >> >> Can anyone give me any suggestion on how to resolve or debug this problem? 
>> > startconsole -D 9 -f console.log > >> >> I'm currently using Fedora Directory 1.0.2 >> >> Thanks, >> >> David >> ------------------------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Mon Dec 1 21:27:28 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 01 Dec 2008 14:27:28 -0700 Subject: [Fedora-directory-users] Couldn't launch the Administration Server Console In-Reply-To: <20e4c38c0812011317k7aef2d05rda4e039b8681ab8f@mail.gmail.com> References: <20e4c38c0812011212o1324bf8dye3bef22815dc6dec@mail.gmail.com> <49344D40.1040009@redhat.com> <20e4c38c0812011317k7aef2d05rda4e039b8681ab8f@mail.gmail.com> Message-ID: <493456C0.50306@redhat.com> Chun Tat David Chu wrote: > Hi Rich, > > Thanks for your information. I ran with debug enabled and now I see > the following JAVA stacktrace. 
> > ResourceSet: found > loader1321488068:com.netscape.management.client.console.console > Framework: location set: java.awt.Point[x=147,y=38] > TaskPage.pageSelected: > parent=com.netscape.management.client.Framework[frame1,147,38,948x855,invalid,hidden,layout=java.awt.BorderLayout,title=Administration > Server,resizable,normal,defaultCloseOperation=DO_NOTHING_ON_CLOSE,rootPane=javax.swing.JRootPane[,0,0,0x0,invalid,layout=javax.swing.JRootPane$RootLayout,alignmentX=0.0,alignmentY=0.0,border=,flags=16777673,maximumSize=,minimumSize=,preferredSize=],rootPaneCheckingEnabled=true] > java.lang.IllegalArgumentException: Width (0) and height (0) cannot be > <= 0 > at > java.awt.image.DirectColorModel.createCompatibleWritableRaster(DirectColorModel.java:1031) > at sun.awt.X11.XFramePeer.setIconImage(XFramePeer.java:247) > at sun.awt.X11.XFramePeer.postInit(XFramePeer.java:104) > at sun.awt.X11.XBaseWindow.init(XBaseWindow.java:146) > at sun.awt.X11.XBaseWindow.(XBaseWindow.java:179) > at sun.awt.X11.XWindow.(XWindow.java:114) > at sun.awt.X11.XComponentPeer.(XComponentPeer.java:128) > at sun.awt.X11.XPanelPeer.(XPanelPeer.java:55) > at sun.awt.X11.XWindowPeer.(XWindowPeer.java:75) > at sun.awt.X11.XDecoratedPeer.(XDecoratedPeer.java:58) > at sun.awt.X11.XFramePeer.(XFramePeer.java:70) > at sun.awt.X11.XToolkit.createFrame(XToolkit.java:380) > at java.awt.Frame.addNotify(Frame.java:524) > at java.awt.Window.show(Window.java:539) > at com.netscape.management.client.Framework.(Unknown Source) > at > com.netscape.management.admserv.AdminServer.createFramework(Unknown > Source) > at com.netscape.management.admserv.AdminServer.run(Unknown Source) > at com.netscape.management.admserv.AdminServer.run(Unknown Source) > at > com.netscape.management.client.topology.AbstractServerObject$ServerRunThread.run(Unknown > Source) > AbstractServerObject.ServerRunThread > java.lang.IllegalArgumentException: Width (0) and height (0) cannot be > <= 0 > AbstractServerObject.StatusThread: 
waiting for chanage listeners to > register > AbstractServerObject.StatusThread: waiting for chanage listeners to > register > > Any idea on top of your head that could cause this problem? No. Did this ever work? If so, what changed? I can't remember where this information is stored in 1.0.2 - look for ~/.idm* or ~/.fedora* > > I don't think this matters, but I do have SSL enabled on the Directory > Server. > > Thanks, > > David > > On Mon, Dec 1, 2008 at 3:46 PM, Rich Megginson > wrote: > > Chun Tat David Chu wrote: > > Hi All, > > I am having a problem opening the "Administration Server > Console" from the "Fedora Management Console". > > When I highlighted "Administration Server" under the "Server > Group" and clicked on the "Open" button. > > After I clicked the "Open" button, all I see is "Opening > server window" message on the lower left status bar of the > "Fedora Management Console". > > I do not see any JAVA exception in my terminal where I launch > the Fedora Management Console. > > Can anyone give me any suggestion on how to resolve or debug > this problem? > > startconsole -D 9 -f console.log > > > I'm currently using Fedora Directory 1.0.2 > > Thanks, > > David > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From snake007uk at gmail.com Mon Dec 1 22:49:27 2008 From: snake007uk at gmail.com (Kashif Ali) Date: Mon, 1 Dec 2008 22:49:27 +0000 Subject: [Fedora-directory-users] Sudo in directory server In-Reply-To: <493408DA.7040803@redhat.com> References: <664c5a070811270208k22fdda22s17b8b1e3af470dcb@mail.gmail.com> <493408DA.7040803@redhat.com> Message-ID: <879a677e0812011449r38c4f90y7c35a972c737468a@mail.gmail.com> Hi, I have wiki'd my sudo setup http://wiki.unixcraft.com/display/MainPage/Sudo+in+Centos+Directory+Server 2008/12/1 Rich Megginson > Erling Ringen Elvsrud wrote: > >> I try to add the schema for sudoers from README.LDAP in >> the srpm-file of sudo-1.6.8p12. I assume the iPlanet-version will work >> best, but >> get this problem when I restart directory server: >> >> [root at testserver schema]# service dirsrv restart >> Shutting down dirsrv: >> testserver... [ OK ] >> Starting dirsrv: >> testserver...[27/Nov/2008:10:37:31 +0100] - Entry "cn=schema >> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC >> 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseE" >> required attribute "objectclass" missing >> >> > > The sudo schema is now in CVS HEAD and will be part of the next release of > Fedora DS: > > http://cvs.fedoraproject.org/viewvc/ldapserver/ldap/schema/60sudo.ldif?revision=1.1&root=dirsec&view=markup > > You can go ahead and download and use this file with any version of Fedora > DS. 
>
>> [ OK ]
>> [root at testserver schema]# cat 99sudoers.ldif
>> dn: cn=schema attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseE
>>
>> xactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
>> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseEx
>>
>> actIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
>> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match S
>>
>> YNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
>> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1
>>
>> .3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
>> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1
>>
>> .3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
>> objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sud
>>
>> oHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) X-ORIGIN 'SUDO' )
>>
>> Any help to get the schema for sudo correctly added is appreciated.
>>
>> Thanks,
>>
>> Erling
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From bbahar3 at gmail.com Tue Dec 2 10:41:12 2008
From: bbahar3 at gmail.com (Eric)
Date: Tue, 2 Dec 2008 14:11:12 +0330
Subject: [Fedora-directory-users] Re: fedora-idm-console error
Message-ID: <38a27c8c0812020241x29ce8065pa2c1c8875110921f@mail.gmail.com>

/root/.fedora-idm-console/Console.1.1.2.Login.preferences is on the system and is writable. I removed /root/.fedora-idm-console and tried to start console but there is the same error and this directory was made also.

> Message: 3
> Date: Mon, 01 Dec 2008 08:52:48 -0700
> From: Rich Megginson
> Subject: Re: [Fedora-directory-users] fedora-idm-console error
> To: "General discussion list for the Fedora Directory server project."
>
> Message-ID: <49340850.80602 at redhat.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Eric wrote:
> > Hi,
> > fedora-ds is migrated from 1.0.4 to fedora-ds-1.1.2-1.fc6.
> > fedora-idm-console opens console but with error:
> >
> > class loader error : failed to install a local copy of
> > fedora-ds-1.1.jar or one of its supporting files.please ensure that
> > the appropriate console package is installed on the administration
> > server.
> >
> > I did this:
> > rpm -ql fedora-idm-console:
> > /usr/bin/fedora-idm-console
> > /usr/share/doc/fedora-idm-console-1.1.1
> > /usr/share/doc/fedora-idm-console-1.1.1/LICENSE
> > /usr/share/java/fedora-idm-console-1.1.1_en.jar
> > /usr/share/java/fedora-idm-console-1.1_en.jar
> > /usr/share/java/fedora-idm-console_en.jar
> >
> > are there other jars not downloaded?
> > when I started console with -D, error is:
> >
> > ClassLoader: getLocalJarList():Unable to read
> > /root/.fedora-idm-console/patch/ directory
> > ClassLoader: start parsing
> > ClassLoader: getLocalJarList():Unable to read
> > /root/.fedora-idm-console/jars/ directory
> Does this directory exist? Is it writable?
If it exists and is > writable, try rm -rf /root/.fedora-idm-console and try again > > ClassLoader: done > > ClassLoader: Cannot create LocalJarClassLoader for fedora-ds-1.1.jar > > ClassLoader: File not found: fedora-ds-1.1.jar > > > ClassLoaderUtil.getClass(com.netscape.admin.dirserv.roledit.ResEditorRoleMembers at fedora-ds-1.1.jar > ) > > ClassLoader: Cannot create LocalJarClassLoader for fedora-ds-1.1.jar > > ClassLoader: File not found: fedora-ds-1.1.jar > > > ClassLoaderUtil.getClass(com.netscape.admin.dirserv.roledit.ResEditorRoleAccountPage at fedora-ds-1.1.jar > ) > > ClassLoader: Cannot create LocalJarClassLoader for fedora-ds-1.1.jar > > ClassLoader: File not found: fedora-ds-1.1.jar > > > ClassLoaderUtil.getClass(com.netscape.admin.dirserv.cosedit.ResEditorCosInfo at fedora-ds-1.1.jar > ) > > ClassLoader: Cannot create LocalJarClassLoader for fedora-ds-1.1.jar > > ClassLoader: File not found: fedora-ds-1.1.jar > > > ClassLoaderUtil.getClass(com.netscape.admin.dirserv.cosedit.ResEditorCosAttributes at fedora-ds-1.1.jar > ) > > ClassLoader: Cannot create LocalJarClassLoader for fedora-ds-1.1.jar > > ClassLoader: File not found: fedora-ds-1.1.jar > > > ClassLoaderUtil.getClass(com.netscape.admin.dirserv.cosedit.ResEditorCosTemplate at fedora-ds-1.1.jar > ) > > ClassLoader: Cannot create LocalJarClassLoader for fedora-ds-1.1.jar > > ClassLoader: File not found: fedora-ds-1.1.jar > > .. > > .. > > AdminGroupNode.findAdminURL: LDAP Error: netscape.ldap.LDAPException: > > error result (32) > > > > > > > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -------------- next part -------------- > A non-text attachment was scrubbed... 
From Thomas.McManus at childrens.harvard.edu Tue Dec 2 13:02:55 2008
From: Thomas.McManus at childrens.harvard.edu (McManus, Thomas)
Date: Tue, 2 Dec 2008 08:02:55 -0500
Subject: [Fedora-directory-users] adding ssl from the FMC
Message-ID: <6192BB82C222E8498B1A28CD874EFC7B2543F1F839@CHEXCCRV3.CHBOSTON.ORG>

I've been trying for the last 2 days to set up SSL on FDS without any luck and little feedback. Following the Red Hat Directory Server 8.0 Administration Guide, Chapter 11, I've tried to install a local certificate both through the console and at the command line using certutil.

From the console, going through every step. In step 2 the DN is:

CN="ldap1.chip.org", OU="CHIP", O="Childrens Hospital Boston", L="Boston", ST="Massachusetts", C="US"

In step 3 I get:

Unable to convert DN to certificate name.

Using certutil, these commands worked:

certutil -N -d . -f pwdfile -P slapd-ldap1
certutil -S -n "CA certificate" -s "cn=Childrens Hospital Informatics Program, dc=chip, dc=org" -x -t "CT,," -m 1000 -v 120 -d . -k rsa -g 1024 -f pwdfile -P slapd-ldap1
certutil -S -n "Server-Cert" -s "cn=ldap1.chip.org,cn=DS1" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -k rsa -g 1024 -f ./pwdfile -P slapd-ldap1
certutil -d . -L -n "CA certificate" -a > cacert.asc -P slapd-ldap1

Using pk12util failed:

pk12util -d . -o ldap1.p12 -n Server-Cert1 -w ./pwdfile.txt -k ./pwdfile.txt

The error is: pk12util: find user certs from nickname failed: security library: bad database.

I've run these 2 programs multiple times and googled to no avail. Could anyone help with this?
Tom McManus
System Manager II
Research Computing
Children's Hospital Boston
300 Longfellow Ave., Enders 146.1
Boston MA 02115
Office: 617 919 2308
Mobile: 617 997 2665

From rmeggins at redhat.com Tue Dec 2 15:33:36 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 02 Dec 2008 08:33:36 -0700
Subject: [Fedora-directory-users] Re: fedora-idm-console error
In-Reply-To: <38a27c8c0812020241x29ce8065pa2c1c8875110921f@mail.gmail.com>
References: <38a27c8c0812020241x29ce8065pa2c1c8875110921f@mail.gmail.com>
Message-ID: <49355550.10802@redhat.com>

Eric wrote:
> /root/.fedora-idm-console/Console.1.1.2.Login.preferences is on the
> system and is writable. I removed /root/.fedora-idm-console and tried
> to start the console, but there is the same error, and this directory was also made.
>
> > Message: 3
> > Date: Mon, 01 Dec 2008 08:52:48 -0700
> > From: Rich Megginson
> > Subject: Re: [Fedora-directory-users] fedora-idm-console error
> > To: "General discussion list for the Fedora Directory server project."
> > Message-ID: <49340850.80602 at redhat.com>
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> > Eric wrote:
> > > Hi,
> > > fedora-ds is migrated from 1.0.4 to fedora-ds-1.1.2-1.fc6.
> > > fedora-idm-console opens the console but with an error:
> > >
> > > class loader error : failed to install a local copy of
> > > fedora-ds-1.1.jar or one of its supporting files. Please ensure that
> > > the appropriate console package is installed on the administration
> > > server.
> > >
> > > I did this:
> > > rpm -ql fedora-idm-console:
> > > /usr/bin/fedora-idm-console
> > > /usr/share/doc/fedora-idm-console-1.1.1
> > > /usr/share/doc/fedora-idm-console-1.1.1/LICENSE
> > > /usr/share/java/fedora-idm-console-1.1.1_en.jar
> > > /usr/share/java/fedora-idm-console-1.1_en.jar
> > > /usr/share/java/fedora-idm-console_en.jar
> > >
> > > are there other jars not downloaded?
> > > when I started the console with -D, the error is:
> > >
> > > ClassLoader: getLocalJarList():Unable to read
> > > /root/.fedora-idm-console/patch/ directory
> > > ClassLoader: start parsing
> > > ClassLoader: getLocalJarList():Unable to read
> > > /root/.fedora-idm-console/jars/ directory
> > Does this directory exist?  Is it writable?  If it exists and is
> > writable, try rm -rf /root/.fedora-idm-console and try again
> > > ClassLoader: done
> > > ClassLoader: Cannot create LocalJarClassLoader for fedora-ds-1.1.jar
> > > ClassLoader: File not found: fedora-ds-1.1.jar
> > > ClassLoaderUtil.getClass(com.netscape.admin.dirserv.roledit.ResEditorRoleMembers at fedora-ds-1.1.jar)
> > > ClassLoader: Cannot create LocalJarClassLoader for fedora-ds-1.1.jar
> > > ClassLoader: File not found: fedora-ds-1.1.jar
> > > ClassLoaderUtil.getClass(com.netscape.admin.dirserv.roledit.ResEditorRoleAccountPage at fedora-ds-1.1.jar)
> > > ClassLoader: Cannot create LocalJarClassLoader for fedora-ds-1.1.jar
> > > ClassLoader: File not found: fedora-ds-1.1.jar
> > > ClassLoaderUtil.getClass(com.netscape.admin.dirserv.cosedit.ResEditorCosInfo at fedora-ds-1.1.jar)
> > > ClassLoader: Cannot create LocalJarClassLoader for fedora-ds-1.1.jar
> > > ClassLoader: File not found: fedora-ds-1.1.jar
> > > ClassLoaderUtil.getClass(com.netscape.admin.dirserv.cosedit.ResEditorCosAttributes at fedora-ds-1.1.jar)
> > > ClassLoader: Cannot create LocalJarClassLoader for fedora-ds-1.1.jar
> > > ClassLoader: File not found: fedora-ds-1.1.jar
> > > ClassLoaderUtil.getClass(com.netscape.admin.dirserv.cosedit.ResEditorCosTemplate at fedora-ds-1.1.jar)
> > > ClassLoader: Cannot create LocalJarClassLoader for fedora-ds-1.1.jar
> > > ClassLoader: File not found: fedora-ds-1.1.jar
> > > ..
> > > ..
> > > AdminGroupNode.findAdminURL: LDAP Error: netscape.ldap.LDAPException:
> > > error result (32)
>
Then perhaps this is the problem?
Check the configuration directory server access log to see what search is returning err=32

From rmeggins at redhat.com Tue Dec 2 15:35:35 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 02 Dec 2008 08:35:35 -0700
Subject: [Fedora-directory-users] adding ssl from the FMC
In-Reply-To: <6192BB82C222E8498B1A28CD874EFC7B2543F1F839@CHEXCCRV3.CHBOSTON.ORG>
References: <6192BB82C222E8498B1A28CD874EFC7B2543F1F839@CHEXCCRV3.CHBOSTON.ORG>
Message-ID: <493555C7.7090801@redhat.com>

McManus, Thomas wrote:
> I've been trying for the last 2 days to set up SSL on FDS without any
> luck and little feedback. Following the Red Hat Directory Server 8.0
> Administration Guide, Chapter 11, I've tried to install a local
> certificate both through the console and at the command line using
> certutil.
>
What platform?  What version of fedora ds?  rpm -qi fedora-ds-base
>
> From the console, going through every step.
> In step 2 the DN is:
>
> CN="ldap1.chip.org", OU="CHIP", O="Childrens Hospital Boston",
> L="Boston", ST="Massachusetts", C="US"
>
> In step 3 I get:
>
> Unable to convert DN to certificate name.
>
This is a known console problem - try omitting the double quotes - you should not need them
>
> Using certutil, these commands worked:
>
> certutil -N -d . -f pwdfile -P slapd-ldap1
> certutil -S -n "CA certificate" -s "cn=Childrens Hospital Informatics Program, dc=chip, dc=org" -x -t "CT,," -m 1000 -v 120 -d . -k rsa -g 1024 -f pwdfile -P slapd-ldap1
> certutil -S -n "Server-Cert" -s "cn=ldap1.chip.org,cn=DS1" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -k rsa -g 1024 -f ./pwdfile -P slapd-ldap1
> certutil -d . -L -n "CA certificate" -a > cacert.asc -P slapd-ldap1
>
Why are you specifying -P?  You should not need to do that anymore.  Where in the instructions does it say to do that?
>
> Using pk12util failed:
>
> pk12util -d . -o ldap1.p12 -n Server-Cert1 -w ./pwdfile.txt -k ./pwdfile.txt
>
> The error is: pk12util: find user certs from nickname failed: security library: bad database.
>
You are missing the -P
>
> I've run these 2 programs multiple times and googled to no avail.
> Could anyone help with this?
>
> Tom McManus
> System Manager II
> Research Computing
> Children's Hospital Boston
> 300 Longfellow Ave., Enders 146.1
> Boston MA 02115
> Office: 617 919 2308
> Mobile: 617 997 2665
From rmeggins at redhat.com Tue Dec 2 15:37:12 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 02 Dec 2008 08:37:12 -0700
Subject: [Fedora-directory-users] DSGW problem - browser user tries to change password
In-Reply-To: <1228004402.6407.64.camel@jaspav.missionsit.net.missionsit.net>
References: <1228004402.6407.64.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <49355628.2030101@redhat.com>

John A. Sullivan III wrote:
> Hello, all.  As explained in the last email, we do not allow anonymous
> browsing but have a specific user with limited rights browsing the tree
> to find users' identities for logging into DSGW.  We also have a policy
> that users must change their passwords after a reset.
>
> We have a test user sue.sutter.  We reset her password and then had her
> attempt to log in to DSGW.  Sure enough, she was told she needed to
> change her password and was given the option to do so.  However, the
> attempt failed with the below error messages:
>
> Editing sue.sutter...
> Sending changes to the directory server...
>
> An error occurred while contacting the LDAP server.
> (Insufficient access - Insufficient 'write' privilege to the
> 'userPassword' attribute of entry
> 'uid=sue.sutter,ou=users,o=a0000-0006,o=internal,dc=ssiservices,dc=biz'. )
> You do not have sufficient privileges to perform the operation.
>
> That seemed very strange because when we test changing passwords using
> her posix account, it works just fine.  We then gave the browsing user
> (not sue.sutter) full rights to the tree and, lo and behold, it worked:
>
> Giving the directory browser user all rights allowed a successful
> password change.
>
> It appears the browsing user is the one attempting to change the user's
> password and not the user.  Is that the way it's supposed to be?
> I certainly would not want a browse-only utility user able to change user
> passwords.  Perhaps I am missing something.  Thanks - John
>
I suppose it is because you have configured the DSGW to use the browsing user.  I'm not sure how to change the DSGW to use the browsing user for some operations but not others, or even if it is possible.

From rmeggins at redhat.com Tue Dec 2 15:37:47 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 02 Dec 2008 08:37:47 -0700
Subject: [Fedora-directory-users] Passsync fails to update directory
In-Reply-To: <9598680C8A333F49AC6A9B78095E4D4A2E014477@CPWPRX01N.inspinc.ad>
References: <9598680C8A333F49AC6A9B78095E4D4A2E014477@CPWPRX01N.inspinc.ad>
Message-ID: <4935564B.4040305@redhat.com>

Jeff Williams wrote:
> Hello all,
>
> I'm unable to get the windows passsync service to provide password
> updates to our ds.
>
What happens when a user changes his/her password in Windows?
>
> I can see it start, and it appears to be running.  The resulting log
> looks like this:
>
> 12/01/08 07:56:21: PassSync service started
> 12/01/08 07:56:21: Failed to load entries from file
> 12/01/08 07:58:39: Failed to load entries from file
> 12/01/08 07:58:39: PassSync service stopped
> 12/01/08 07:59:42: PassSync service started
> 12/01/08 07:59:42: Failed to load entries from file
> 12/01/08 08:05:42: Failed to load entries from file
> 12/01/08 08:05:42: PassSync service stopped
> 12/01/08 08:05:44: PassSync service started
> 12/01/08 08:05:44: Failed to load entries from file
>
> I've seen a previous thread that pointed at
> c:\windows\system32\passhook.dat needing correct permissions, so I've
> confirmed that any service or user has full read/write access to
> this file.
>
> Is there something I'm missing?
>
> Thanks,
>
> Jeff Williams
>

From rmeggins at redhat.com Tue Dec 2 15:39:49 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 02 Dec 2008 08:39:49 -0700
Subject: [Fedora-directory-users] Many DSGW authentication problems
In-Reply-To: <1228004040.6407.55.camel@jaspav.missionsit.net.missionsit.net>
References: <1228004040.6407.55.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <493556C5.3040309@redhat.com>

John A. Sullivan III wrote:
> I'm finding several weird issues with DSGW authentication which make it
> very difficult for our users to use.  Not to complain - great DS - but
> we're experiencing some problems.
>
> We do not allow anonymous browsing of the tree.  Each client has a user
> who has rights to search only their portion of the tree for possible
> DSGW logins.  The ACI, placed on the root, is thus:
>
> (target = "ldap:///ou=Users,($dn),o=Internal,dc=ssiservices,dc=biz")(targetattr = "uid || st || sn || ou || name || entrydn || dn || dc || objectClass || cn || o || l || c || givenName") (version 3.0;acl "Client DSGW Lister";allow (search,read)(userdn = "ldap:///uid=*dsgwlister,[$dn],o=sysaccounts,dc=ssiservices,dc=biz");)
>
> We have an example test user named sue.sutter.  The full dn is
> uid=sue.sutter,ou=users,o=a0000-0006,o=internal,dc=ssiservices,dc=biz
>
> The first step is to go to the authentication page where we read:
> "The first step in authenticating to the directory is identifying
> yourself."
> This is why we created a user with rights to browse for other users and
> defined it with a binddnfile entry.
> That part is working fine.
>
> If I enter sue.sutter, it does not find her directly but rather offers a
> list with a single hyperlinked choice.  That's the first problem (a
> problem for anyone with a "." in their uid).  The query has replaced the
> "." with a space:
> filter="(&(objectClass=person)(|(sn=sue sutter)(cn=sue sutter)))
> I tried surrounding it with quotes and escaping it with a backslash but
> the quote was interpreted literally and the backslash gave the same
> results as the period alone.
>
> Is this a bug, a configuration error, or just the way it's supposed to
> be?  If the latter, this is very user unfriendly.  A techie might
> understand escape characters or special encoding but not an everyday
> user.
>
Sounds like a bug.  I have no idea why a "." would be replaced with a space.
> It wouldn't be so bad if they could simply click on the hyperlink and be
> allowed to log in.  However, the hyperlink does not work.  Mousing over
> gives:
> javascript:authSubmit('uid%3Dsue.sutter%2Cou%3DUsers%2Co%3Da0000-0006%2Co%3DInternal%2Cdc%3Dssiservices%2Cdc%3Dbiz');%20onMouseOver=
>
> but it goes nowhere.  A packet trace shows no packets coming from the
> browser to the DS.  What might we have configured incorrectly to cause
> this?  We see the same thing in Konqueror as we see in Firefox3, all
> running on fully patched Ubuntu 8.0.4.
>
Sounds like another bug.  Didn't you already file a bug about this issue?
> Hmmm . . . this is getting long.  I'll put the other problem into
> another email.  Thanks - John
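Two of the threads above end at the same diagnostic step: read the directory server's access log to see which operation failed and as whom it was issued. In the fedora-idm-console thread, Rich asks which search is returning err=32; in the DSGW password thread, John suspects the userPassword MOD is being sent as the browsing user rather than as sue.sutter, which the access log settles directly, because the BIND on a connection is logged before the operations that follow it. The script below is an added example, not code from the list or from the Directory Server project. It pairs every RESULT line that has err != 0 with the request logged under the same conn=/op= and with the DN that last bound successfully on that connection. The access-log lines it runs on are constructed for this example; the hosts and DNs in them (192.0.2.x, dc=example,dc=com, uid=dsgwbrowser) are invented.

```python
"""Correlate failed operations in a Fedora/389 Directory Server access log
with the request that failed and with the identity bound on that
connection.  Added example for the threads above, not code from the list or
from the Directory Server project.  The access-log lines below are
constructed for the example; their hosts and DNs are invented."""
import re
from collections import defaultdict

# LDAP result codes (RFC 4511) that show up in the threads above.
RESULT_CODES = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}

# [timestamp] conn=N [op=M] <rest>; connection open/close lines have no op=.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>-?\d+))? (?P<rest>.*)$')
DN_RE = re.compile(r'\bdn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'\berr=(?P<err>\d+)')
TAG_RE = re.compile(r'\btag=(?P<tag>\d+)')
BIND_RESPONSE_TAG = 97    # LDAP BindResponse [APPLICATION 1] = 0x61

# Constructed sample: a DSGW-style bind as the browsing account followed by a
# MOD of someone else's userPassword (err=50), then an anonymous console-style
# search for a config entry that does not exist (err=32).
SAMPLE_LOG = """\
[02/Dec/2008:08:37:12 -0700] conn=5 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[02/Dec/2008:08:37:12 -0700] conn=5 op=0 BIND dn="uid=dsgwbrowser,ou=sysaccounts,dc=example,dc=com" method=128 version=3
[02/Dec/2008:08:37:12 -0700] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=dsgwbrowser,ou=sysaccounts,dc=example,dc=com"
[02/Dec/2008:08:37:13 -0700] conn=5 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 filter="(&(objectClass=person)(|(sn=sue sutter)(cn=sue sutter)))" attrs="uid cn"
[02/Dec/2008:08:37:13 -0700] conn=5 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[02/Dec/2008:08:37:20 -0700] conn=5 op=2 MOD dn="uid=sue.sutter,ou=users,dc=example,dc=com"
[02/Dec/2008:08:37:20 -0700] conn=5 op=2 RESULT err=50 tag=103 nentries=0 etime=0
[02/Dec/2008:08:41:02 -0700] conn=9 op=0 BIND dn="" method=128 version=3
[02/Dec/2008:08:41:02 -0700] conn=9 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[02/Dec/2008:08:41:02 -0700] conn=9 op=1 SRCH base="cn=Server Group,cn=ldap1.example.com,ou=example.com,o=NetscapeRoot" scope=0 filter="(objectClass=*)" attrs=ALL
[02/Dec/2008:08:41:02 -0700] conn=9 op=1 RESULT err=32 tag=101 nentries=0 etime=0
"""


def correlate(lines):
    """Return one finding per RESULT line with err != 0.

    The server logs the request (BIND, SRCH, MOD, ...) and its RESULT as
    separate lines sharing conn=/op=, so each request is remembered until
    its RESULT arrives.  A successful BindResponse updates the DN the
    connection acts as; an empty dn="" means anonymous.
    """
    pending = {}                               # (conn, op) -> request text
    bound = defaultdict(lambda: "anonymous")   # conn -> DN currently bound
    findings = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m or m.group("op") is None:
            continue                           # open/close lines carry no op
        conn, op, rest = m.group("conn"), m.group("op"), m.group("rest")
        if not rest.startswith("RESULT "):
            pending[(conn, op)] = rest
            continue
        err = int(ERR_RE.search(rest).group("err"))
        tag = int(TAG_RE.search(rest).group("tag"))
        request = pending.pop((conn, op), "<request not in log window>")
        if tag == BIND_RESPONSE_TAG and err == 0:
            dn = DN_RE.search(request)
            bound[conn] = dn.group("dn") if dn and dn.group("dn") else "anonymous"
        if err != 0:
            findings.append({
                "conn": int(conn), "op": int(op), "err": err,
                "name": RESULT_CODES.get(err, "unknown"),
                "request": request, "bound_dn": bound[conn],
            })
    return findings


def report(lines):
    """Human-readable one-liners: who did what, and how it failed."""
    return ["conn=%d op=%d err=%d (%s) bound as %s: %s"
            % (f["conn"], f["op"], f["err"], f["name"], f["bound_dn"], f["request"])
            for f in correlate(lines)]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG.splitlines()):
        print(row)
```

On the sample, the err=50 line comes out attributed to uid=dsgwbrowser, not to sue.sutter, which is exactly the evidence John's hypothesis needs; the err=32 line shows the base DN the console searched for and found missing. Against a live instance, feed it the file the server writes (on these releases normally /var/log/dirsrv/slapd-INSTANCE/access) instead of SAMPLE_LOG; nothing else changes.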
From lambam80 at hotmail.com Tue Dec 2 15:40:12 2008
From: lambam80 at hotmail.com (lambam80 at hotmail.com)
Date: Tue, 2 Dec 2008 10:40:12 -0500
Subject: [Fedora-directory-users] 'Account Disabled' Windows Sync Directory Server red cross

Firstly, please accept my apologies for a white lie.
I'm, in fact, using CentOS but a colleague of mine recommended that I use this forum/mailing-list.
Let me know if this white-lie is a problem.

cat /etc/redhat-release
CentOS release 5.2 (Final)

/usr/sbin/ns-slapd -v
CentOS-Directory/8.0.4 B2008.288.1513

Windows 2003 Server Standard Edition R2

I've 'successfully' configured Windows Sync and it works in both directions.
However, accounts that are synched from CentOS Directory Server to Active Directory are created with the 'Account Disabled' checkbox selected.
In the Windows account administration interface they also have the red cross next to them.

Q1. Have other people seen this behavior with Windows Sync?
Q2. How can I change this behavior and have the windows-accounts enabled from the start?

Thanks for your time, cheers lambam80
Active-Directory Active-Dir Active Dir Active Directory

(Attachment: en-account-disabled.jpg, image/pjpeg, 11723 bytes)

From rmeggins at redhat.com Tue Dec 2 15:51:08 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 02 Dec 2008 08:51:08 -0700
Subject: [Fedora-directory-users] 'Account Disabled' Windows Sync Directory Server red cross
Message-ID: <4935596C.5050406@redhat.com>

lambam80 at hotmail.com wrote:
> Firstly, please accept my apologies for a white lie.
> I'm, in fact, using CentOS but a colleague of mine recommended that I
> use this forum/mailing-list.
>
> Let me know if this white-lie is a problem.
>
> cat /etc/redhat-release
> CentOS release 5.2 (Final)
>
> /usr/sbin/ns-slapd -v
> CentOS-Directory/8.0.4 B2008.288.1513
>
> Windows 2003 Server Standard Edition R2
>
> I've 'successfully' configured Windows Sync and it
> works in both directions.
>
> However, accounts that are synched from CentOS Directory Server to
> Active Directory are
> created with the 'Account Disabled' checkbox selected.
>
> In the Windows account administration interface
> they also have the red cross next to them.
>
> Q1. Have other people seen this behavior with Windows Sync?
Yes, this appears to be a bug in windows sync
>
> Q2. How can I change this behavior and have the
> windows-accounts enabled from the start?
Not sure.
>
> Thanks for your time, cheers lambam80
> Active-Directory Active-Dir Active Dir Active Directory
>

From jsullivan at opensourcedevel.com Tue Dec 2 15:54:15 2008
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Tue, 02 Dec 2008 10:54:15 -0500
Subject: [Fedora-directory-users] DSGW problem - browser user tries to change password
In-Reply-To: <49355628.2030101@redhat.com>
References: <1228004402.6407.64.camel@jaspav.missionsit.net.missionsit.net> <49355628.2030101@redhat.com>
Message-ID: <1228233255.6464.33.camel@jaspav.missionsit.net.missionsit.net>

On Tue, 2008-12-02 at 08:37 -0700, Rich Megginson wrote:
> John A. Sullivan III wrote:
> > Hello, all.  As explained in the last email, we do not allow anonymous
> > browsing but have a specific user with limited rights browsing the tree
> > to find users' identities for logging into DSGW.  We also have a policy
> > that users must change their passwords after a reset.
> >
> > We have a test user sue.sutter.  We reset her password and then had her
> > attempt to log in to DSGW.  Sure enough, she was told she needed to
> > change her password and was given the option to do so.  However, the
> > attempt failed with the below error messages:
> >
> > Editing sue.sutter...
> > Sending changes to the directory server...
> >
> > An error occurred while contacting the LDAP server.
> > (Insufficient access - Insufficient 'write' privilege to the
> > 'userPassword' attribute of entry
> > 'uid=sue.sutter,ou=users,o=a0000-0006,o=internal,dc=ssiservices,dc=biz'. )
> > You do not have sufficient privileges to perform the operation.
> >
> > That seemed very strange because when we test changing passwords using
> > her posix account, it works just fine.  We then gave the browsing user
> > (not sue.sutter) full rights to the tree and, lo and behold, it worked:
> >
> > Giving the directory browser user all rights allowed a successful
> > password change.
> >
> > It appears the browsing user is the one attempting to change the user's
> > password and not the user.  Is that the way it's supposed to be?  I
> > certainly would not want a browse-only utility user able to change user
> > passwords.  Perhaps I am missing something.
> > Thanks - John
> >
> I suppose it is because you have configured the DSGW to use the browsing
> user.  I'm not sure how to change the DSGW to use the browsing user for
> some operations but not others, or even if it is possible.
I might be out of place to say this but I suspect it is a design flaw.  Even if we allowed anonymous browsing, the last thing on Earth we want is for an anonymously browsing user to change passwords.  I would think the code is not setting the user for the change password operation to the logged-in user but rather whoever browsed, which could be "ldap:///anyone".  Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From alpalper2000 at yahoo.com Tue Dec 2 22:07:59 2008
From: alpalper2000 at yahoo.com (alper kuşkapan)
Date: Tue, 2 Dec 2008 14:07:59 -0800 (PST)
Subject: [Fedora-directory-users] Synchronizing Active Directory and Directory server
Message-ID: <999753.24691.qm@web111302.mail.gq1.yahoo.com>

Hi everybody,

I try to synchronize RH Directory Server and MS Directory Server.  I applied RHDS 8.0 Administration Guide Chapter 19 step by step but Directory Server can't connect to Active Directory.

I don't know AD, and my directory server knowledge is weak.

Have you ever done this?  Do you have any hints, documents or specific knowledge?  Where may my mistake be?  Any help will be welcome.

Thanks

/Alper

From rmeggins at redhat.com Tue Dec 2 22:45:59 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 02 Dec 2008 15:45:59 -0700
Subject: [Fedora-directory-users] Synchronizing Active Directory and Directory server
In-Reply-To: <999753.24691.qm@web111302.mail.gq1.yahoo.com>
References: <999753.24691.qm@web111302.mail.gq1.yahoo.com>
Message-ID: <4935BAA7.60404@redhat.com>

alper kuşkapan wrote:
> Hi everybody,
>
> I try to synchronize RH Directory Server and MS Directory Server.
> I applied RHDS 8.0 Administration Guide Chapter 19 step by step but Directory Server can't connect to Active Directory.
>
> I don't know AD, and my directory server knowledge is weak.
>
> Have you ever done this?  Do you have any hints, documents or specific knowledge?  Where may my mistake be?
>
What platform?  What version of AD?  What version of Fedora DS?  What are the errors in your error log?
> Any help will be welcome.
>
> Thanks
>
> /Alper
>

From jsullivan at opensourcedevel.com Wed Dec 3 04:22:44 2008
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Tue, 02 Dec 2008 23:22:44 -0500
Subject: [Fedora-directory-users] Ubuntu not enforcing password policies
In-Reply-To: <1228160210.7654.17.camel@jaspav.missionsit.net.missionsit.net>
References: <1227851351.6618.47.camel@jaspav.missionsit.net.missionsit.net> <20081201183624.GA3220@redhat.com> <1228159985.7654.15.camel@jaspav.missionsit.net.missionsit.net> <1228160210.7654.17.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <1228278164.6493.38.camel@jaspav.missionsit.net.missionsit.net>

On Mon, 2008-12-01 at 14:36 -0500, John A. Sullivan III wrote:
> On Mon, 2008-12-01 at 14:33 -0500, John A. Sullivan III wrote:
> > On Mon, 2008-12-01 at 13:36 -0500, Nalin Dahyabhai wrote:
> > > On Fri, Nov 28, 2008 at 12:49:11AM -0500, John A. Sullivan III wrote:
> > > > Hello, all.  We're continuing to dive ever deeper into DS.  Our thanks
> > > > to the developers for such a powerful product.
> > > >
> > > > Our integration with the RedHat family has gone well but now we're
> > > > working on Ubuntu.
> > > > Most is working well but we are finding Ubuntu is
> > > > not enforcing password policies.  For example, we require a user to
> > > > change their password after a reset.  When a user logs into a RedHat
> > > > system, they are prompted for the change.  However, Ubuntu just lets
> > > > them right in again and again with the same reset password.
> > > >
> > > > Any pointers on what to look for to fix this in our configuration before
> > > > we scour the world for a solution?  We've already done quite a bit of
> > > > googling.
> > > >
> > > > We've tried enabling pam_lookup_policy but that didn't
> > > > work.  /etc/pam.d/common-password reads:
> > > >
> > > > password requisite pam_cracklib.so retry=3 minlen=8 difok=3
> > > > password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
> > > > password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
> > > > # here's the fallback if no module succeeds
> > > > password requisite pam_deny.so
> > > >
> > > > # prime the stack with a positive return value if there isn't one already;
> > > > # this avoids us returning an error just because nothing sets a success code
> > > > # since the modules above will each just jump around
> > > > password required pam_permit.so
> > > >
> > > > We've also tried disabling that last pam_permit.so.  That didn't help.  Where should we look?  Thanks - John
> > >
> > > When using PAM, the calling application "knows" that the user's password
> > > needs to be changed because the account management modules signal it, so
> > > you'll want to check the "account" portions of the PAM configuration.
> > >
> > > Specifically, you want to ensure that pam_ldap.so is being used, and
> > > that some other module isn't causing the account management function to
> > > return a success code before pam_ldap.so gets a chance to check on the
> > > user's account and return a password-needs-changing code.
> > >
> > > Just a guess, but going on what I get on my Fedora system, it might look
> > > something like this:
> > >
> > > account required pam_unix.so
> > > account sufficient pam_succeed_if.so uid < 500 quiet
> > > account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> > > account required pam_permit.so
> > >
> > > HTH,
> > >
> > > Nalin
> > >
> >
> > Thank you.  That was it.  It had autoconfigured with ldap first:
> >
> > account sufficient pam_ldap.so
> > account required pam_unix.so
> >
> Oops!  I spoke too soon.  Now, after changing the password, I cannot log
> in.  If I change it back to the original order, I can.  I'll have to dig
> a little further - John

Seem to have it now.  The Ubuntu host did not like the settings copied in from Fedora.  However, simply reversing the default Ubuntu settings so that they are now:

account required pam_unix.so
account sufficient pam_ldap.so

seemed to do the trick.  Thanks again - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From philipp.rusch at gw-world.com Wed Dec 3 09:27:00 2008
From: philipp.rusch at gw-world.com (Rusch Philipp pru09)
Date: Wed, 3 Dec 2008 10:27:00 +0100
Subject: [Fedora-directory-users] Use multiple servers with TLS

Hi,

does none of you use TLS to secure your connections?

Cheers

From lambam80 at hotmail.com Wed Dec 3 13:45:49 2008
From: lambam80 at hotmail.com (lambam80 at hotmail.com)
Date: Wed, 3 Dec 2008 08:45:49 -0500
Subject: [Fedora-directory-users] 'Account Disabled' Windows Sync Directory Server red cross
In-Reply-To: <4935596C.5050406@redhat.com>
References: <4935596C.5050406@redhat.com>

Rich, hello and thanks for the quick reply.
You write:
< Yes, this appears to be a bug in windows sync

How might I get further information - is there a BUG number/report?  Should I try and log a BUG?  If so, where?
Sorry, I'm new to Fedora/Redhat/Linux (migrating off Sun Solaris, so to speak).

Anyway, I have the following work-around:
- use the password sync mechanism from Redhat - I've yet to test this - next on my list
- Use a script to do the following:
  -- create Directory Server user account
  -- create Active Directory account using ldapmodify and LDAPS
  -- set the Active Directory unicodePwd:: using ldapmodify and LDAPS
  -- set the Active Directory userAccountControl: 512 using ldapmodify and LDAPS.  '512', I believe, 'enables' the account.

Thanks again for your help,
Dave (former employee of iPlanet :-)

------------
> Date: Tue, 2 Dec 2008 08:51:08 -0700
> From: rmeggins at redhat.com
> To: fedora-directory-users at redhat.com
> CC: lambam80 at hotmail.com
> Subject: Re: [Fedora-directory-users] 'Account Disabled' Windows Sync Directory Server red cross
>
> lambam80 at hotmail.com wrote:
> > Firstly, please accept my apologies for a white lie.
> > I'm, in fact, using CentOS but a colleague of mine recommended that I
> > use this forum/mailing-list.
> >
> > Let me know if this white-lie is a problem.
> >
> > cat /etc/redhat-release
> > CentOS release 5.2 (Final)
> >
> > /usr/sbin/ns-slapd -v
> > CentOS-Directory/8.0.4 B2008.288.1513
> >
> > Windows 2003 Server Standard Edition R2
> >
> > I've 'successfully' configured Windows Sync and it
> > works in both directions.
> >
> > However, accounts that are synched from CentOS Directory Server to
> > Active Directory are
> > created with the 'Account Disabled' checkbox selected.
> >
> > In the Windows account administration interface
> > they also have the red cross next to them.
> >
> > Q1. Have other people seen this behavior with Windows Sync?
> Yes, this appears to be a bug in windows sync
> >
> > Q2.
How can I change this behavior and have the> > windows-accounts enabled from the start ?> Not sure.> >> > Thanks for your time, cheers lambam80> > Active-Directory Active-Dir Active Dir Active Directory> > Edit/Delete Message > > > >> > ------------------------------------------------------------------------> >> > ------------------------------------------------------------------------> >> > ------------------------------------------------------------------------> >> > --> > Fedora-directory-users mailing list> > Fedora-directory-users at redhat.com> > https://www.redhat.com/mailman/listinfo/fedora-directory-users> > > _________________________________________________________________ -------------- next part -------------- An HTML attachment was scrubbed... URL: From cwaltham at bowdoin.edu Wed Dec 3 16:15:49 2008 From: cwaltham at bowdoin.edu (Christopher Waltham) Date: Wed, 3 Dec 2008 11:15:49 -0500 Subject: [Fedora-directory-users] Configuring replication and creating the supplier bind DN Message-ID: I'm having a little trouble creating a simple, master/slave replication configuring using FDS 1.1.3. I'm following the Red Hat documentation here: http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Creating_the_Supplier_Bind_DN_Entry.html but am having trouble creating the supplier bind DN. This is what I'm appending to /etc/dirsrv/slapd-ldap/dse.ldif: dn: cn=replication manager,cn=config objectClass: inetorgperson objectClass: person objectClass: top cn: replication manager sn: RM userPassword: secretPassword passwordExpirationTime: 20380119031407Z However, as soon as I start the directory server back up, the changes I made to dse.ldif disappear. Am I missing something? Thanks! 
Chris

From rmeggins at redhat.com Wed Dec 3 17:40:50 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 03 Dec 2008 10:40:50 -0700
Subject: [Fedora-directory-users] Configuring replication and creating the supplier bind DN
Message-ID: <4936C4A2.8020409@redhat.com>

Christopher Waltham wrote:
> [...]
> However, as soon as I start the directory server back up, the changes
> I made to dse.ldif disappear. Am I missing something?
Yes. You cannot edit dse.ldif while the server is running. If you really want to edit dse.ldif, you must shutdown the server first.

If you did stop the server first, make sure there is a blank line before dn: cn=replication manager,cn=config - a blank line is the entry delimiter in LDIF - if there is no blank line, the server may just report a warning to the error log and continue.

But you do not have to do that - you can just use ldapmodify -a to add this entry while the server is running
>
> Thanks!
>
> Chris

From cwaltham at bowdoin.edu Wed Dec 3 17:43:55 2008
From: cwaltham at bowdoin.edu (Christopher Waltham)
Date: Wed, 3 Dec 2008 12:43:55 -0500
Subject: [Fedora-directory-users] Configuring replication and creating the supplier bind DN
In-Reply-To: <4936C4A2.8020409@redhat.com>
References: <4936C4A2.8020409@redhat.com>
Message-ID: <97F211F8-377B-42B6-A0CC-6EB485C21970@bowdoin.edu>

Hi Rich,

On Dec 3, 2008, at 12:40 PM, Rich Megginson wrote:
> Christopher Waltham wrote:
>> [...]
>> However, as soon as I start the directory server back up, the
>> changes I made to dse.ldif disappear. Am I missing something?
> Yes. You cannot edit dse.ldif while the server is running. If you
> really want to edit dse.ldif, you must shutdown the server first.
>
> If you did stop the server first, make sure there is a blank line
> before dn: cn=replication manager,cn=config - a blank line is the
> entry delimiter in LDIF - if there is no blank line, the server may
> just report a warning to the error log and continue.

I definitely shut down the server first, and I thought I did have a blank line preceding the entry. Let me look again and see what's happening; in the end I just used the console :-)

Chris

> But you do not have to do that - you can just use ldapmodify -a to
> add this entry while the server is running

From rmeggins at redhat.com Wed Dec 3 17:56:30 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 03 Dec 2008 10:56:30 -0700
Subject: [Fedora-directory-users] 'Account Disabled' Windows Sync Directory Server red cross
References: <4935596C.5050406@redhat.com>
Message-ID: <4936C84E.4010903@redhat.com>

lambam80 at hotmail.com wrote:
> Rich, hello and thanks for the quick reply.
>
> You write:
>
> < Yes, this appears to be a bug in windows sync
>
> How might I get further information - is there a BUG number/report ?
> Should I try and log a BUG ? If so, where ?
https://bugzilla.redhat.com/show_bug.cgi?id=470224
>
> Sorry, I'm new to Fedora/Redhat/Linux (migrating off Sun Solaris, so
> to speak).
>
> Anyway, I have the following work-around:
> - use the password sync mechanism from Redhat - I've yet to test this
> - next on my list
> - Use a script to do the following:
> -- create Directory Server user account
> -- create Active Directory account using ldapmodify and LDAPS
> -- set the Active Directory unicodePwd:: using ldapmodify and LDAPS
> -- set the Active Directory userAccountControl: 512 using ldapmodify
> and LDAPS. '512', I believe, 'enables' the account.
Yes. See also http://support.microsoft.com/kb/305144

But if you are using WinSync, you can configure it to automatically create accounts in AD when added to DS, and vice versa. So you might just use DirSync or sequence number to look for new AD accounts that are disabled, and enable them. See http://msdn.microsoft.com/en-us/library/ms677626(VS.85).aspx and http://support.microsoft.com/kb/891995
>
> Thanks again for your help,
>
> Dave (former employee of iPlanet :-)
My condolences :-)
From nalin at redhat.com Wed Dec 3 17:57:19 2008
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Wed, 3 Dec 2008 12:57:19 -0500
Subject: [Fedora-directory-users] Ubuntu not enforcing password policies
In-Reply-To: <1228278164.6493.38.camel@jaspav.missionsit.net.missionsit.net>
References: <1227851351.6618.47.camel@jaspav.missionsit.net.missionsit.net> <20081201183624.GA3220@redhat.com> <1228159985.7654.15.camel@jaspav.missionsit.net.missionsit.net> <1228160210.7654.17.camel@jaspav.missionsit.net.missionsit.net> <1228278164.6493.38.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <20081203175719.GE3202@redhat.com>

On Tue, Dec 02, 2008 at 11:22:44PM -0500, John A. Sullivan III wrote:
> Seem to have it now. The Ubuntu host did not like the settings copied
> in from Fedora. However, simply reversing the default Ubuntu settings
> so that they are now:
>
> account required pam_unix.so
> account sufficient pam_ldap.so

Please be careful about this. If this is the entire set of "account" modules, then I think the end-result when pam_ldap.so fails might be undefined (in particular, the user may be allowed access anyway, even if pam_ldap.so indicates that the user should not have access, because no "required" modules have indicated problems).

Cheers,

Nalin

From cwaltham at bowdoin.edu Wed Dec 3 18:33:46 2008
From: cwaltham at bowdoin.edu (Christopher Waltham)
Date: Wed, 3 Dec 2008 13:33:46 -0500
Subject: [Fedora-directory-users] Configuring replication and creating the supplier bind DN
In-Reply-To: <4936C4A2.8020409@redhat.com>
References: <4936C4A2.8020409@redhat.com>

Is there a tutorial out there anywhere for setting up master/slave (as opposed to multi-master) replication? I'm having issues getting the replication agreement setup; I've created cn=replication manager inside of cn=config but I get error messages when trying to create the agreement. When I use cn=Directory Manager instead, it works -- so it's not a networking issue.

I've tried various permutations of cn=replication manager inside the "Simple authentication" field on the "Source and Destination" tab of the replication agreement tab, but with no success. I've checked the FDS FAQ & Wiki and can't find a walk-through...

Chris

From jsullivan at opensourcedevel.com Wed Dec 3 18:35:45 2008
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Wed, 03 Dec 2008 13:35:45 -0500
Subject: [Fedora-directory-users] Ubuntu not enforcing password policies
In-Reply-To: <20081203175719.GE3202@redhat.com>
References: <1227851351.6618.47.camel@jaspav.missionsit.net.missionsit.net> <20081201183624.GA3220@redhat.com> <1228159985.7654.15.camel@jaspav.missionsit.net.missionsit.net> <1228160210.7654.17.camel@jaspav.missionsit.net.missionsit.net> <1228278164.6493.38.camel@jaspav.missionsit.net.missionsit.net> <20081203175719.GE3202@redhat.com>
Message-ID: <1228329345.6363.5.camel@jaspav.missionsit.net.missionsit.net>

On Wed, 2008-12-03 at 12:57 -0500, Nalin Dahyabhai wrote:
> On Tue, Dec 02, 2008 at 11:22:44PM -0500, John A. Sullivan III wrote:
> > Seem to have it now. The Ubuntu host did not like the settings copied
> > in from Fedora. However, simply reversing the default Ubuntu settings
> > so that they are now:
> >
> > account required pam_unix.so
> > account sufficient pam_ldap.so
>
> Please be careful about this. If this is the entire set of "account"
> modules, then I think the end-result when pam_ldap.so fails might be
> undefined (in particular, the user may be allowed access anyway, even if
> pam_ldap.so indicates that the user should not have access, because no
> "required" modules have indicated problems).
>
Thanks very much. I'm trusting the Ubuntu folks know what they're doing. This is part of an included pam file. However, I should double-check. Should pam_deny.so be at the end of the chain? - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From rmeggins at redhat.com Wed Dec 3 18:52:17 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 03 Dec 2008 11:52:17 -0700
Subject: [Fedora-directory-users] Configuring replication and creating the supplier bind DN
References: <4936C4A2.8020409@redhat.com>
Message-ID: <4936D561.7090605@redhat.com>

Christopher Waltham wrote:
> Is there a tutorial out there anywhere for setting up master/slave (as
> opposed to multi-master) replication?
Well, it's pretty similar.
> I'm having issues getting the replication agreement setup; I've
> created cn=replication manager inside of cn=config but I get error
> messages when trying to create the agreement.
What error messages?
> When I use cn=Directory Manager instead, it works -- so it's not a
> networking issue.
>
> I've tried various permutations of cn=replication manager inside the
> "Simple authentication" field on the "Source and Destination" tab of
> the replication agreement tab, but with no success. I've checked the
> FDS FAQ & Wiki and can't find a walk-through...
What error messages do you get?
>
> Chris
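Nalin's warning in the Ubuntu password-policy thread above (a sufficient pam_ldap.so after a required pam_unix.so lets pam_ldap's denial be ignored) and John's question about a trailing pam_deny.so, as an added example that is not code from the thread or from Linux-PAM: a small simulator of how the account-stack control flags combine module results. The stacks are the ones quoted in the thread; module behaviour comes from a constructed oracle dict, so no directory server is needed.

```python
"""Simulate how a Linux-PAM "account" stack combines module results.

Added example, not code from the thread or from Linux-PAM. The keyword
controls are modelled as the bracketed action tables they expand to, using
only the actions ok/bad/die/done/ignore. Module results for a given user
come from a constructed oracle dict rather than from real modules.
"""
import re

# Keyword controls as the Linux-PAM documentation expands them.
KEYWORD_CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

LINE_RE = re.compile(r"account\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def parse_stack(text):
    """Parse pam.d-style 'account <control> <module> [args]' lines into
    (module, {result: action}) pairs; module arguments are ignored."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("not an account line: %r" % line)
        control, module = m.groups()
        if control.startswith("["):
            controls = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            controls = KEYWORD_CONTROLS[control]
        stack.append((module, controls))
    return stack


def module_result(module, oracle):
    """What the module returns for this user: pam_deny always denies,
    anything not named in the oracle succeeds."""
    if module == "pam_deny.so":
        return "perm_denied"
    return oracle.get(module, "success")


def evaluate(stack, oracle):
    """Walk the stack and return its final result ('success' or a failure code)."""
    state = None                        # None: no module has contributed yet
    for module, controls in stack:
        result = module_result(module, oracle)
        # An unlisted result falls back to 'default', which itself defaults to 'bad'.
        action = controls.get(result, controls.get("default", "bad"))
        if action == "ignore":
            continue
        # ok/bad/done/die: the result counts unless a failure is already recorded
        if state in (None, "success"):
            state = result
        if action in ("done", "die"):   # stop walking the stack
            break
    return state if state is not None else "perm_denied"   # nothing decided: deny


# The stacks quoted in the thread.
UBUNTU_REVERSED = """
account required   pam_unix.so
account sufficient pam_ldap.so
"""
WITH_TRAILING_DENY = UBUNTU_REVERSED + "account required   pam_deny.so\n"
FEDORA_STYLE = """
account required   pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required   pam_permit.so
"""

# Constructed oracle: a directory user (uid >= 500, so pam_succeed_if fails)
# whose directory password policy makes pam_ldap deny; pam_unix sees nothing
# wrong locally. LDAP_USER_OK is the same user when the directory allows them.
LDAP_USER_DENIED = {"pam_ldap.so": "perm_denied", "pam_succeed_if.so": "perm_denied"}
LDAP_USER_OK = {"pam_succeed_if.so": "perm_denied"}


def compare(oracle):
    """Final result of each quoted stack for one oracle."""
    return {name: evaluate(parse_stack(s), oracle) for name, s in
            [("ubuntu_reversed", UBUNTU_REVERSED),
             ("with_trailing_deny", WITH_TRAILING_DENY),
             ("fedora_style", FEDORA_STYLE)]}


if __name__ == "__main__":
    for label, oracle in [("ldap denies", LDAP_USER_DENIED), ("ldap allows", LDAP_USER_OK)]:
        print(label, compare(oracle))
```

With the denying oracle, only the two-line reversed stack comes back "success": pam_ldap's failure is ignored and pam_unix is the only required module, which is the gap Nalin describes; adding the trailing required pam_deny.so, or using the Fedora-style bracketed control, turns it into a denial.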
From cwaltham at bowdoin.edu Thu Dec 4 18:55:55 2008
From: cwaltham at bowdoin.edu (Christopher Waltham)
Date: Thu, 4 Dec 2008 13:55:55 -0500
Subject: [Fedora-directory-users] Configuring replication and creating the supplier bind DN
In-Reply-To: <4936D561.7090605@redhat.com>
References: <4936C4A2.8020409@redhat.com> <4936D561.7090605@redhat.com>

On Dec 3, 2008, at 1:52 PM, Rich Megginson wrote:
> Christopher Waltham wrote:
>> Is there a tutorial out there anywhere for setting up master/slave
>> (as opposed to multi-master) replication?
> Well, it's pretty similar.
>> I'm having issues getting the replication agreement setup; I've
>> created cn=replication manager inside of cn=config but I get error
>> messages when trying to create the agreement.
> What error messages?

I think I somehow created the DN incorrectly; instead of showing me a hash for the user's password it actually showed the password in plain text. I re-created the LDIF and re-imported it, and after that it worked fine. :-)

Thanks for the reply!

Chris

>> When I use cn=Directory Manager instead, it works -- so it's not a
>> networking issue.
>>
>> I've tried various permutations of cn=replication manager inside
>> the "Simple authentication" field on the "Source and Destination"
>> tab of the replication agreement tab, but with no success. I've
>> checked the FDS FAQ & Wiki and can't find a walk-through...
> What error messages do you get?
>>
>> Chris

From james.chavez at sanmina-sci.com Thu Dec 4 19:43:03 2008
From: james.chavez at sanmina-sci.com (James Chavez)
Date: Thu, 4 Dec 2008 12:43:03 -0700
Subject: [Fedora-directory-users] Create client SSL certificates for Solaris boxes.
Message-ID: <1228419783.6305.22.camel@PHX1AMUX269160.sanmina-sci.com>

Hello,

I am having a bit of difficulty creating SSL client certificates for my Solaris boxes or client boxes in general.

What I am trying to accomplish is to use TLS with simple authentication, I believe. I want to log into my Solaris boxes authenticating to FDS but have it done over a secure TLS/SSL connection so the passwords cannot be intercepted. I successfully created the root CA certificate and Server cert on the FDS box using the beautiful setupSSL script.

However I am new to SSL and I am having a difficult time understanding what needs to be done on the client side machines to get SSL working correctly. I know I need to import and trust the Root CA certificate on each client. But what about creating a client certificate for each of my Linux and Solaris clients? Can the client certificates be created and exported on the server that I created the Root CA cert on? And from there can I just import them into the clients? I have read the NSS tools links regarding PKI and SSL but I am still having a bit of difficulty.

On the FDS wiki documentation site there are some good links but I am not sure how to go about this to use TLS:simple authentication.

Thank you
James

CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.
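Rich's point in the replication thread earlier in this digest, that a blank line is the entry delimiter in LDIF and an entry appended to dse.ldif without one is not read as a new entry, as an added example that is not code from the thread or from Fedora DS: a minimal LDIF record reader run over the poster's replication manager entry appended both with and without the blank line. The preceding cn=config entry is a constructed stand-in for whatever last entry the real file holds.

```python
"""LDIF entry splitting as a directory server sees it (added example).

Not Fedora DS's own parser; a hypothetical minimal reader that shows why an
entry appended to dse.ldif without a blank line before its 'dn:' line never
shows up as an entry of its own, and flags the stray 'dn:' the way a server
might log a warning and continue.
"""


def split_records(text):
    """Split LDIF text into raw records; a blank line ends a record.
    Continuation lines (leading space) are folded onto the previous line."""
    records, current = [], []
    for raw in text.splitlines():
        if raw == "":
            if current:
                records.append(current)
                current = []
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]          # RFC 2849 line folding
        else:
            current.append(raw)
    if current:
        records.append(current)
    return records


def parse_ldif(text):
    """Return (entries, warnings); an entry is (dn, {attr: [values]}).
    Values are kept verbatim (no base64 handling), which is all this needs."""
    entries, warnings = [], []
    for rec in split_records(text):
        dn_line, body = rec[0], rec[1:]
        if not dn_line.lower().startswith("dn:"):
            warnings.append("record does not start with dn:, skipped: %r" % dn_line)
            continue
        dn = dn_line[3:].strip()
        attrs = {}
        for ln in body:
            name, _, value = ln.partition(":")
            name = name.strip()
            if name.lower() == "dn":
                # A second dn: inside the same record: the blank-line delimiter is
                # missing, so the intended new entry is being read as part of this one.
                warnings.append("entry %s: stray 'dn: %s' inside the record body "
                                "(missing blank line)" % (dn, value.strip()))
            attrs.setdefault(name, []).append(value.strip())
        entries.append((dn, attrs))
    return entries, warnings


def entry_dns(text):
    """Just the DNs the reader recognises as entries."""
    return [dn for dn, _ in parse_ldif(text)[0]]


# Constructed stand-in for the last entry already present in dse.ldif.
EXISTING_TAIL = """dn: cn=config
objectClass: top
objectClass: extensibleObject
cn: config
"""

# The entry from the thread, exactly as the poster appended it.
REPL_MANAGER = """dn: cn=replication manager,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: replication manager
sn: RM
userPassword: secretPassword
passwordExpirationTime: 20380119031407Z
"""


def appended(with_blank_line):
    """dse.ldif tail with the new entry appended, with or without the delimiter."""
    return EXISTING_TAIL + ("\n" if with_blank_line else "") + REPL_MANAGER


if __name__ == "__main__":
    for flag in (True, False):
        entries, warnings = parse_ldif(appended(flag))
        print("blank line:", flag, "entries:", [dn for dn, _ in entries], "warnings:", warnings)
```

Without the blank line the reader sees one record only: the replication manager's attributes, userPassword included, are absorbed into the preceding entry and the new DN never exists, which is the "changes disappear" symptom from the thread.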
From gholbert at broadcom.com Thu Dec 4 19:49:14 2008 From: gholbert at broadcom.com (George Holbert) Date: Thu, 04 Dec 2008 11:49:14 -0800 Subject: [Fedora-directory-users] Create client SSL certificates for Solaris boxes. In-Reply-To: <1228419783.6305.22.camel@PHX1AMUX269160.sanmina-sci.com> References: <1228419783.6305.22.camel@PHX1AMUX269160.sanmina-sci.com> Message-ID: <4938343A.7010305@broadcom.com> > > But what about creating a client certificate for each of my > Linux and Solaris clients? If all you want is TLS with simple auth, you don't need these. Each client just needs to trust the CA which signed your directory server's certificate; sounds like you're already on top of this part. James Chavez wrote: > Hello, > > I am having a bit of difficulty creating SSL client certificates for my > Solaris boxes or client boxes in general. > > What I am trying to accomplish is to use TLS with simple authentication > i believe. I want to log into my Solaris boxes authenticating to FDS but > have it done over a secure TLS/SSL connection so the passwords cannot be > intercepted. I successfully created ther root CA certificate and Server > cert on the FDS box using the beautiful setupSSL script. > > However I am new to SSL and I am having a difficult time understanding > what needs to be done on the client side machines to get SSL working > correctly. I know I need to import and trust the Root CA certificate on > each client. But what about creating a client certificate for each of my > Linux and Solaris clients? Can the client certificates be created and > exported on the server that I created the Root CA cert on? And from > there can I just import them into the clients? I have read the NSS tools > links regarding PKI and SSL but I am still having a bit of difficulty. > > On the FDS wiki documentation site there are some good links but I am > not sure how to go about this to use TLS:simple authentication. 
> > Thank you > James > > CONFIDENTIALITY > This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof. > ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity. > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > From james.chavez at sanmina-sci.com Thu Dec 4 20:08:51 2008 From: james.chavez at sanmina-sci.com (James Chavez) Date: Thu, 4 Dec 2008 13:08:51 -0700 Subject: [Fedora-directory-users] Create client SSL certificates for Solaris boxes. In-Reply-To: <4938343A.7010305@broadcom.com> References: <1228419783.6305.22.camel@PHX1AMUX269160.sanmina-sci.com> <4938343A.7010305@broadcom.com> Message-ID: <1228421331.6305.34.camel@PHX1AMUX269160.sanmina-sci.com> Thank you for the reply. OK so the Root CA is self signed on the Directory server box. The setupSSL script already exported the cacert.asc file I believe. 
So my next step is to import it on each client that I want to use TLS:simple on if I am understanding. So I believe on each client I need to use certutil to create a cert database with ... certutil -N -d -f /passfile Does it matter where I create this? After this I just import the cacert.asc, is that accurate? Thank you James On Thu, 2008-12-04 at 11:49 -0800, George Holbert wrote: > > > > But what about creating a client certificate for each of my > > Linux and Solaris clients? > > If all you want is TLS with simple auth, you don't need these. > Each client just needs to trust the CA which signed your directory > server's certificate; sounds like you're already on top of this part. > > > James Chavez wrote: > > Hello, > > > > I am having a bit of difficulty creating SSL client certificates for my > > Solaris boxes or client boxes in general. > > > > What I am trying to accomplish is to use TLS with simple authentication > > i believe. I want to log into my Solaris boxes authenticating to FDS but > > have it done over a secure TLS/SSL connection so the passwords cannot be > > intercepted. I successfully created ther root CA certificate and Server > > cert on the FDS box using the beautiful setupSSL script. > > > > However I am new to SSL and I am having a difficult time understanding > > what needs to be done on the client side machines to get SSL working > > correctly. I know I need to import and trust the Root CA certificate on > > each client. But what about creating a client certificate for each of my > > Linux and Solaris clients? Can the client certificates be created and > > exported on the server that I created the Root CA cert on? And from > > there can I just import them into the clients? I have read the NSS tools > > links regarding PKI and SSL but I am still having a bit of difficulty. > > > > On the FDS wiki documentation site there are some good links but I am > > not sure how to go about this to use TLS:simple authentication. 
> > > > Thank you > > James > > > > CONFIDENTIALITY > > This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof. > > ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity. > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users CONFIDENTIALITY This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. 
If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof. ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity. From gholbert at broadcom.com Thu Dec 4 20:26:42 2008 From: gholbert at broadcom.com (George Holbert) Date: Thu, 04 Dec 2008 12:26:42 -0800 Subject: [Fedora-directory-users] Create client SSL certificates for Solaris boxes. In-Reply-To: <1228421331.6305.34.camel@PHX1AMUX269160.sanmina-sci.com> References: <1228419783.6305.22.camel@PHX1AMUX269160.sanmina-sci.com> <4938343A.7010305@broadcom.com> <1228421331.6305.34.camel@PHX1AMUX269160.sanmina-sci.com> Message-ID: <49383D02.7020106@broadcom.com> James Chavez wrote: > Thank you for the reply. > OK so the Root CA is self signed on the Directory server box. > The setupSSL script already exported the cacert.asc file I believe. > So my next step is to import it on each client that I want to use > TLS:simple on if I am understanding. > Yes. > So I believe on each client I need to use certutil to create a cert > database with ... > certutil -N -d -f /passfile > > Does it matter where I create this? > Yes. The details are specific to the client OS and its bundled SSL and LDAP libraries. For Solaris, you're on the right track with certutil. This Sun forum thread may be helpful: http://forums.sun.com/thread.jspa?threadID=5330016 For Linux, check your distribution's documentation. 
If you're using a RedHat variant, tls_cacertfile in /etc/ldap.conf is probably what you'll be most interested in.

> After this I just import the cacert.asc, is that accurate?
>
> Thank you
> James
>
> On Thu, 2008-12-04 at 11:49 -0800, George Holbert wrote:
>
>>> But what about creating a client certificate for each of my
>>> Linux and Solaris clients?
>>>
>> If all you want is TLS with simple auth, you don't need these.
>> Each client just needs to trust the CA which signed your directory
>> server's certificate; sounds like you're already on top of this part.
>>
>> James Chavez wrote:
>>
>>> Hello,
>>>
>>> I am having a bit of difficulty creating SSL client certificates for my
>>> Solaris boxes or client boxes in general.
>>>
>>> What I am trying to accomplish is to use TLS with simple authentication
>>> I believe. I want to log into my Solaris boxes authenticating to FDS but
>>> have it done over a secure TLS/SSL connection so the passwords cannot be
>>> intercepted. I successfully created the root CA certificate and Server
>>> cert on the FDS box using the beautiful setupSSL script.
>>>
>>> However I am new to SSL and I am having a difficult time understanding
>>> what needs to be done on the client side machines to get SSL working
>>> correctly. I know I need to import and trust the Root CA certificate on
>>> each client. But what about creating a client certificate for each of my
>>> Linux and Solaris clients? Can the client certificates be created and
>>> exported on the server that I created the Root CA cert on? And from
>>> there can I just import them into the clients? I have read the NSS tools
>>> links regarding PKI and SSL but I am still having a bit of difficulty.
>>>
>>> On the FDS wiki documentation site there are some good links but I am
>>> not sure how to go about this to use TLS:simple authentication.
From james.chavez at sanmina-sci.com Fri Dec 5 06:00:33 2008
From: james.chavez at sanmina-sci.com (James Chavez)
Date: Thu, 4 Dec 2008 23:00:33 -0700
Subject: [Fedora-directory-users] Create client SSL certificates for Solaris boxes.
In-Reply-To: <49383D02.7020106@broadcom.com>
References: <1228419783.6305.22.camel@PHX1AMUX269160.sanmina-sci.com> <4938343A.7010305@broadcom.com> <1228421331.6305.34.camel@PHX1AMUX269160.sanmina-sci.com> <49383D02.7020106@broadcom.com>
Message-ID: <1228456833.6305.73.camel@PHX1AMUX269160.sanmina-sci.com>

George,
Thank you much for the help with this. I read up on the links you sent and they seem to have helped. I have been struggling with a Solaris 8 box for the past few hours. It would not work at first, I was getting an end of file error in the access log. Then it just started working after I restarted the client services a few times and re-added the box using the same profile.

I have another question in regards to SSL for replication.
I had MMR going between two servers, this one and another, prior to enabling SSL on this server. I removed all the replication agreements because as I understand it they need to be recreated with SSL. I would appreciate the list's opinions on the following. The Admin guide states that there are 2 ways of replicating over SSL; I pasted them below. I would like to know the pros and cons of each and if a DNS PTR record is an absolute necessity on each MMR member.

There are two ways to use SSL for replication:

* Select SSL Client Authentication.
  With SSL client authentication, the supplier and consumer servers use certificates to authenticate to each other.

* Select Simple Authentication.
  With simple authentication, the supplier and consumer servers use a bind DN and password to authenticate to each other.

I have the ability to register these boxes in DNS using the net utility but that does not create the in-addr.arpa reverse lookup PTR record. Is that absolutely necessary for SSL replication to work or can I get around it? This is my test environment so I would like to do without if possible for the time being.

Thank you
James
> >>> > >>> Thank you > >>> James > >>> > >>> CONFIDENTIALITY > >>> This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof. > >>> ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity. > >>> > >>> -- > >>> Fedora-directory-users mailing list > >>> Fedora-directory-users at redhat.com > >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users > >>> > >>> > >>> > >> > >> -- > >> Fedora-directory-users mailing list > >> Fedora-directory-users at redhat.com > >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > >> > > > > CONFIDENTIALITY > > This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. 
From gholbert at broadcom.com Fri Dec 5 07:03:24 2008
From: gholbert at broadcom.com (George Holbert)
Date: Thu, 04 Dec 2008 23:03:24 -0800
Subject: [Fedora-directory-users] Create client SSL certificates for Solaris boxes.
In-Reply-To: <1228456833.6305.73.camel@PHX1AMUX269160.sanmina-sci.com>
References: <1228419783.6305.22.camel@PHX1AMUX269160.sanmina-sci.com> <4938343A.7010305@broadcom.com> <1228421331.6305.34.camel@PHX1AMUX269160.sanmina-sci.com> <49383D02.7020106@broadcom.com> <1228456833.6305.73.camel@PHX1AMUX269160.sanmina-sci.com>
Message-ID: <4938D23C.3000200@broadcom.com>

James Chavez wrote:
> George,
> Thank you much for the help with this. I read up on the links you sent
> and they seem to have helped. I have been struggling with a Solaris 8
> box for the past few hours. It would not work at first, I was getting an
> end of file error in the access log. Then it just started working after
> I restarted the client services a few times and readded the box using
> the same profile.
>
> I have another question in regards to SSL for replication.
> I had MMR going between two servers, this one and another prior to
> enabling SSL on this server. I removed all the replication agreements
> because as I understand it they need to be recreated with SSL. I would
> appreciate the lists opinions on the following. The Admin guide states
> that there are 2 ways of replicating over SSL, I pasted them below. I
> would like to know the pros and cons of each and if a DNS PTR record is
> an absolute necessity on each MMR member.

The end result with both SSL replication flavors is the same.
Both encrypt the replication traffic between your directory servers.
The client cert method, when properly implemented, will make life more challenging for a prospective attacker who would like to impersonate your replication manager identity. In that sense, it is more secure than simple auth with SSL.

> There are two ways to use SSL for replication:
>
> * Select SSL Client Authentication.
>   With SSL client authentication, the supplier and consumer
>   servers use certificates to authenticate to each other.
>
> * Select Simple Authentication.
>   With simple authentication, the supplier and consumer servers
>   use a bind DN and password to authenticate to each other
>
> I have the ability to register these boxes in DNS using the net utility
> but that does not create the inaddr-arpa reverse lookup PTR record. Is
> that absolutely necessary for SSL replication to work or can I get
> around it? This is my test environment so I would like to do without if
> possible for the time being.
>
> Thank you
> James
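As an added illustration of the two agreement flavours George compares above (this is my own example, not text from the thread or from the FDS documentation), here are the two forms a supplier-side replication agreement takes. The attribute names are the 389/Fedora DS agreement attributes as I know them; the suffix, host name, agreement names, port and replication manager DN are placeholders, and the password value is deliberately a marker, not a real credential.

```ldif
# Added example (not from the thread). Two replication agreements for the
# same suffix, differing only in how the supplier authenticates to the
# consumer. Placeholders: ns2.example.test, dc=example,dc=test, the
# agreement names and the replication manager DN.

# Flavour 1: SSL transport, simple bind. The traffic is encrypted, but the
# replication manager password is stored in this entry (and in dse.ldif on
# disk), so anyone who obtains it can bind as the replication manager.
dn: cn=to-ns2-simple,cn=replica,cn="dc=example,dc=test",cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: to-ns2-simple
nsDS5ReplicaHost: ns2.example.test
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaCredentials: {PLACEHOLDER-PASSWORD}
nsDS5ReplicaRoot: dc=example,dc=test

# Flavour 2: SSL transport, client certificate. No password is stored in the
# agreement; the consumer maps the supplier's certificate to the replication
# manager entry through its certmap.conf, and that entry must be listed in
# the consumer replica's nsDS5ReplicaBindDN for the bind to be accepted.
dn: cn=to-ns2-clientcert,cn=replica,cn="dc=example,dc=test",cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: to-ns2-clientcert
nsDS5ReplicaHost: ns2.example.test
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaBindMethod: SSLCLIENTAUTH
nsDS5ReplicaRoot: dc=example,dc=test
```

The point of putting them side by side is the line that disappears: with SSLCLIENTAUTH there is no nsDS5ReplicaCredentials value to protect on disk or rotate, and the consumer's trust decision rests on the CA that issued the supplier's certificate plus the certmap rule, which is what George means by making impersonation of the replication manager harder.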
From james.chavez at sanmina-sci.com Fri Dec 5 19:44:59 2008
From: james.chavez at sanmina-sci.com (Chavez, James R.)
Date: Fri, 5 Dec 2008 11:44:59 -0800
Subject: [Fedora-directory-users] (no subject)
Message-ID: <19A4A238A352AD40B65B3D88780DDBC6BEC78F@sjc1amfpew04.am.sanm.corp>

Hello again, thanks for the reply.
My Solaris 10 and 8 clients are working against SSL now, thanks!
For my Linux clients I am trying to follow the FDS wiki: How to:SSL.

I am having a problem importing the root CA certificate on my Fedora boxes.
The Howto SSL link says to run this command to import the cacert.asc file.

"cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noot -hash -in cacert.asc`.0"

However that responds with the below error. Anybody familiar with this error?
Also I see Fedora has the certutil utility, can I use this to import the CA root certificate like I did for the Solaris clients?

'Error opening Certificate cacert.asc
2312:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('cacert.asc','r')
2312:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:

Many Thanks
James
From gholbert at broadcom.com Fri Dec 5 19:56:12 2008
From: gholbert at broadcom.com (George Holbert)
Date: Fri, 05 Dec 2008 11:56:12 -0800
Subject: [Fedora-directory-users] (no subject)
In-Reply-To: <19A4A238A352AD40B65B3D88780DDBC6BEC78F@sjc1amfpew04.am.sanm.corp>
References: <19A4A238A352AD40B65B3D88780DDBC6BEC78F@sjc1amfpew04.am.sanm.corp>
Message-ID: <4939875C.6040707@broadcom.com>

Chavez, James R. wrote:
> Hello again, Thanks for the reply.
> My Solaris 10 and 8 clients are working against SSL now, thanks!
> For my Linx clients clients I am trying to follow the FDS wiki: How
> to:SSL.
>
> I am having a problem importing the root CA certificate on my Fedora
> boxes.
> The Howto SSL link says to run this command to import the cacert.asc
> file.
>
> "cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noot -hash -in
> cacert.asc`.0"
>
> However that responds with the below error. Anybody familiar with this
> error?
> Also I see Fedora has the certutil utility, can I use this to import the
> ca root certificate like I did for the Solaris clients?

I believe the nss_ldap and pam_ldap libraries on Fedora use OpenSSL, not Mozilla's NSS (of which certutil is a component).
So certutil won't do you any good in this area.

> 'Error opening Certificate cacert.asc
> 2312:error:02001002:system library:fopen:No such file or
> directory:bss_file.c:352:fopen('cacert.asc','r')
> 2312:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:

Try giving an absolute path to cacert.asc... looks like it's just not finding that file.
e.g.

"cp /path/to/cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in /path/to/cacert.asc`.0"

> Many Thanks
> James
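To make the wiki command and George's corrected form concrete, here is an added example (my own script, not part of the thread, the FDS wiki or the FDS project) that installs a CA certificate into an OpenSSL hashed certificate directory of the kind /etc/openldap/cacerts is, and checks that the result is actually found by hash lookup. The certificate file and directory are parameters, openssl is assumed to be on the PATH, and the failure James hit (a relative path that openssl cannot open) is caught before anything is copied.

```shell
#!/bin/sh
# Added example, not code from the thread. Install a PEM CA certificate into
# an OpenSSL-style hashed directory (what tls_cacertdir / /etc/openldap/cacerts
# expects). Lookups are by <subject-hash>.N, so the installed file must be
# named from the hash openssl computes, never from its original file name.

install_cacert() {
    cert="$1"      # PEM certificate to install (absolute path recommended)
    certdir="$2"   # directory that the OpenSSL-based LDAP client will scan

    # The thread's error ("No such file or directory ... fopen('cacert.asc','r')")
    # is openssl failing to open a relative path. Check before copying so a
    # typo cannot leave a half-installed or misnamed file behind.
    if [ ! -r "$cert" ]; then
        echo "install_cacert: cannot read '$cert' (use an absolute path)" >&2
        return 2
    fi

    # Refuse anything that does not parse as an X.509 certificate.
    if ! openssl x509 -noout -in "$cert" 2>/dev/null; then
        echo "install_cacert: '$cert' is not a PEM X.509 certificate" >&2
        return 3
    fi

    # -noout -hash prints the subject hash that the directory lookup uses
    # (this is the flag the wiki command misspelled as -noot).
    hash=$(openssl x509 -noout -hash -in "$cert") || return 3
    mkdir -p "$certdir" || return 4

    # Use the first free suffix (.0, .1, ...) so two CAs that share a subject
    # hash do not overwrite each other.
    n=0
    while [ -e "$certdir/$hash.$n" ]; do n=$((n + 1)); done
    cp "$cert" "$certdir/$hash.$n" && chmod 0644 "$certdir/$hash.$n" || return 4
    echo "$certdir/$hash.$n"
}

# Confirm the installed CA is really found by hash lookup: openssl verify with
# -CApath succeeds only if the <hash>.N naming in the directory is right.
verify_cacert_dir() {
    cert="$1"
    certdir="$2"
    openssl verify -CApath "$certdir" "$cert" >/dev/null 2>&1
}
```

Usage is `install_cacert /path/to/cacert.asc /etc/openldap/cacerts` followed by `verify_cacert_dir /path/to/cacert.asc /etc/openldap/cacerts`; a non-zero exit from the second call means the client library will not find the CA either, which is the first thing to check before touching ldap.conf.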
From bbahar3 at gmail.com Sun Dec 7 08:19:30 2008
From: bbahar3 at gmail.com (Eric)
Date: Sun, 7 Dec 2008 11:49:30 +0330
Subject: [Fedora-directory-users] upgrading fedora core6
Message-ID: <38a27c8c0812070019o5a7f514fp274c45ad86bfa565@mail.gmail.com>

I now have fedora-ds-1.1.2-1.fc6 on fedora core 6. Does upgrading the OS cause any problem for fedora-ds? Should I first upgrade fedora-ds or the OS?

From james.chavez at sanmina-sci.com Mon Dec 8 03:24:00 2008
From: james.chavez at sanmina-sci.com (James Chavez)
Date: Sun, 7 Dec 2008 20:24:00 -0700
Subject: [Fedora-directory-users] MMR over SSL
In-Reply-To: <4939875C.6040707@broadcom.com>
References: <19A4A238A352AD40B65B3D88780DDBC6BEC78F@sjc1amfpew04.am.sanm.corp> <4939875C.6040707@broadcom.com>
Message-ID: <1228706640.4099.40.camel@PHX1AMUX269160.sanmina-sci.com>

George,
I have the clients Solaris 8 and 10, Suse, and Fedora connecting over SSL properly to my FDS server using TLS:simple. Works great, thank you.

For MMR over SSL I have read the FDS Walkthrough MultimasterSSL. I want to use simple authentication over SSL for MMR. I still have a few questions.

For the secondary MMR server running Fedora Core 9, do I use the Mozilla certutil tool to create the certificate database, or is it necessary? Do I need to import the CA cert with certutil or openssl? And I believe I must generate the server certificate for this second MMR server on the root CA, correct? And from there export it from the root CA and import it on the second server. Where do I import that certificate into? /etc/openldap/cacerts or /etc/dirsrv/slapd-hostname?

Thank you
James
It would not work at first, I was getting > >> an end of file error in the access log. Then it just started working > >> after I restarted the client services a few times and readded the box > >> using the same profile. > >> > >> I have another question in regards to SSL for replication. > >> I had MMR going between two servers, this one and another prior to > >> enabling SSL on this server. I removed all the replication agreements > >> because as I understand it they need to be recreated with SSL. I would > >> > > > > > >> appreciate the lists opinions on the following. The Admin guide states > >> > > > > > >> that there are 2 ways of replicating over SSL, I pasted them below. I > >> would like to know the pros and cons of each and if a DNS PTR record > >> is an absolute necessity on each MMR member. > >> > >> > > > > The end result with both SSL replication flavors is the same. > > Both encrypt the replication traffic between your directory servers. > > The client cert method, when properly implemented, will make life more > > challenging for a prospective attacker who would like to impersonate > > your replication manager identity. In that sense, it is more secure > > than simple auth with SSL. > > > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users CONFIDENTIALITY This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. 
From lambam80 at hotmail.com Mon Dec 8 15:01:44 2008
From: lambam80 at hotmail.com (lambam80 at hotmail.com)
Date: Mon, 8 Dec 2008 10:01:44 -0500
Subject: [Fedora-directory-users] 'Account Disabled' Windows Sync - only sync passwords
In-Reply-To: <4936C84E.4010903@redhat.com>
References: <4935596C.5050406@redhat.com> <4936C84E.4010903@redhat.com>
Message-ID:

Rich, hello again and thanks for all your help.

This email relates to password vs. account synchronization.

We'll use my script to create/delete accounts, thereby having an identical user base in both RedHat LDAP and Windows.

Therefore, we'd like to use only the 'password' mechanism of 'Windows SYNC'.

I can see clearly on the RedHat LDAP server how to disable account/group SYNC on the Windows side:

- Launch console | Directory Server Configuration TAB | click on replication agreement | uncheck both New Windows Users Sync and New Windows Groups Sync

And from the document I can read how to disable account/group SYNC on the LDAP side:
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Using_Windows_Sync.html#Using_Windows_Sync-Synchronizing_Users

< Setting ntUserCreateNewAccount and ntUserDeleteNewAccount on Directory Server entries
< allows the Directory Manager fine-grained control over which users within the
< synchronized subtree will be synched on Active Directory

Is that all I need to do to disable account/group sync but retain password sync?

Thanks again for your help, Dave
----------
> Date: Wed, 3 Dec 2008 10:56:30 -0700
> From: rmeggins at redhat.com
> To: lambam80 at hotmail.com
> CC: fedora-directory-users at redhat.com
> Subject: Re: [Fedora-directory-users] 'Account Disabled' Windows Sync Directory Server red cross
>
> lambam80 at hotmail.com wrote:
> > Rich, hello and thanks for the quick reply.
> >
> > You write:
> >
> > < Yes, this appears to be a bug in windows sync
> >
> > How might I get further information - is there a BUG number/report?
> > Should I try and log a BUG? If so, where?
> https://bugzilla.redhat.com/show_bug.cgi?id=470224
> >
> > Sorry, I'm new to Fedora/Redhat/Linux (migrating off Sun Solaris, so
> > to speak).
> >
> > Anyway, I have the following work-around:
> > - use the password sync mechanism from Redhat - I've yet to test this
> > - next on my list
> > - Use a script to do the following:
> > -- create Directory Server user account
> > -- create Active Directory account using ldapmodify and LDAPS
> > -- set the Active Directory unicodePwd:: using ldapmodify and LDAPS
> > -- set the Active Directory userAccountControl: 512 using ldapmodify
> > and LDAPS. '512', I believe, 'enables' the account.
> Yes. See also http://support.microsoft.com/kb/305144
>
> But if you are using WinSync, you can configure it to automatically
> create accounts in AD when added to DS, and vice versa. So you might
> just use DirSync or sequence number to look for new AD accounts that are
> disabled, and enable them. See
> http://msdn.microsoft.com/en-us/library/ms677626(VS.85).aspx and
> http://support.microsoft.com/kb/891995
> >
> > Thanks again for your help,
> >
> > Dave (former employee of iPlanet :-)
> My condolences :-)
> > ------------
> >
> > > Date: Tue, 2 Dec 2008 08:51:08 -0700
> > > From: rmeggins at redhat.com
> > > To: fedora-directory-users at redhat.com
> > > CC: lambam80 at hotmail.com
> > > Subject: Re: [Fedora-directory-users] 'Account Disabled' Windows Sync Directory Server red cross
> > >
> > > lambam80 at hotmail.com wrote:
> > > > Firstly, please accept my apologies for a white lie.
> > > > I'm, in fact, using CentOS but a colleague of mine recommended that I
> > > > use this forum/mailing-list.
> > > >
> > > > Let me know if this white-lie is a problem.
> > > >
> > > > cat /etc/redhat-release
> > > > CentOS release 5.2 (Final)
> > > >
> > > > /usr/sbin/ns-slapd -v
> > > > CentOS-Directory/8.0.4 B2008.288.1513
> > > >
> > > > Windows 2003 Server Standard Edition R2
> > > >
> > > > I've 'successfully' configured Windows Sync and it
> > > > works in both directions.
> > > >
> > > > However, accounts that are synched from Centos Directory Server to
> > > > Active Directory are
> > > > created with the 'Account Disabled' checkbox selected.
> > > >
> > > > In the Windows account administration interface
> > > > they also have the red cross next to them.
> > > >
> > > > Q1. Have other people seen this behavior with Windows Sync?
> > > Yes, this appears to be a bug in windows sync
> > > >
> > > > Q2. How can I change this behavior and have the
> > > > windows-accounts enabled from the start?
> > > Not sure.
> > > >
> > > > Thanks for your time, cheers lambam80

From rmeggins at redhat.com Mon Dec 8 15:07:50 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 08 Dec 2008 08:07:50 -0700
Subject: [Fedora-directory-users] 'Account Disabled' Windows Sync - only sync passwords
In-Reply-To:
References: <4935596C.5050406@redhat.com> <4936C84E.4010903@redhat.com>
Message-ID: <493D3846.6000708@redhat.com>

lambam80 at hotmail.com wrote:
> Rich, hello again and thanks for all your help.
>
> This email relates to password vs. account synchronization.
>
> We'll use my script to create/delete accounts, thereby having an
> identical user base in both RedHat LDAP and Windows.
>
> Therefore, we'd like to use only the 'password' mechanism of 'Windows
> SYNC'.
>
> I can see clearly on the RedHat LDAP server how to disable
> account/group SYNC on the Windows side:
>
> - Launch console | Directory Server Configuration TAB | click on
> replication agreement | uncheck both
> New Windows Users Sync and
> New Windows Groups Sync
>
> And from the document I can read how to disable account/group SYNC on
> the LDAP side:
>
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Using_Windows_Sync.html#Using_Windows_Sync-Synchronizing_Users
>
> < Setting ntUserCreateNewAccount and ntUserDeleteNewAccount on
> Directory Server entries
> < allows the Directory Manager fine-grained control over which users
> within the
> < synchronized subtree will be synched on Active Directory
>
> Is that all I need to do to disable account/group sync but retain
> password sync?
Yes, I believe so.
>
> Thanks again for your help, Dave
> ----------
[...]
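An added example, not from the thread, in Python: it does offline the two AD-side steps of Dave's script and the poll Rich suggests. It builds the LDIF record that ldapmodify would send over LDAPS to clear the ACCOUNTDISABLE bit (514 becomes 512, other flags untouched) and to set unicodePwd in the double-quoted UTF-16LE form AD requires, and it picks the still-disabled entries out of a DirSync-style listing. The DNs, flag values and password are constructed sample data.

```python
import base64
from typing import Iterable, List, Optional, Tuple

# Bits of the Active Directory userAccountControl attribute used below.
# 512 (NORMAL_ACCOUNT) is the value the thread sets to enable an account;
# an entry WinSync created disabled shows up as 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200


def is_disabled(user_account_control: int) -> bool:
    """True when the ACCOUNTDISABLE bit is set in userAccountControl."""
    return bool(user_account_control & UF_ACCOUNTDISABLE)


def enabled_value(user_account_control: int) -> int:
    """Clear only ACCOUNTDISABLE; any other flag the entry already carries
    (e.g. DONT_EXPIRE_PASSWD) is preserved. 0 means the attribute was absent,
    so fall back to a plain NORMAL_ACCOUNT (512)."""
    if user_account_control == 0:
        return UF_NORMAL_ACCOUNT
    return user_account_control & ~UF_ACCOUNTDISABLE


def encode_unicode_pwd(password: str) -> str:
    """AD accepts unicodePwd only as the password wrapped in double quotes and
    encoded as UTF-16LE. LDIF writes such binary values base64-encoded after a
    double colon ("unicodePwd:: ..."), so return that base64 text."""
    raw = ('"' + password + '"').encode("utf-16-le")
    return base64.b64encode(raw).decode("ascii")


def enable_account_ldif(dn: str, current_uac: int,
                        new_password: Optional[str] = None) -> str:
    """Build the ldapmodify change record that enables one AD account and,
    optionally, sets its password in the same operation. AD only accepts the
    unicodePwd change over an encrypted connection, which is why the thread
    runs ldapmodify against LDAPS."""
    lines = [
        "dn: " + dn,
        "changetype: modify",
        "replace: userAccountControl",
        "userAccountControl: %d" % enabled_value(current_uac),
    ]
    if new_password is not None:
        lines += [
            "-",
            "replace: unicodePwd",
            "unicodePwd:: " + encode_unicode_pwd(new_password),
        ]
    lines.append("")  # a blank line terminates the LDIF record
    return "\n".join(lines)


def disabled_accounts(entries: Iterable[Tuple[str, int]]) -> List[str]:
    """Given (dn, userAccountControl) pairs as a DirSync or sequence-number
    based poll of the synced subtree returns them, list the DNs still disabled."""
    return [dn for dn, uac in entries if is_disabled(uac)]


def pending_changes(entries: Iterable[Tuple[str, int]]) -> List[str]:
    """One LDIF record per disabled entry, ready to feed to ldapmodify."""
    by_dn = dict(entries)
    return [enable_account_ldif(dn, by_dn[dn])
            for dn in disabled_accounts(by_dn.items())]


# Constructed sample: what a poll for recently synced accounts might return.
SAMPLE_ENTRIES = [
    ("CN=Alice Example,OU=Synced,DC=example,DC=test", 514),   # disabled by sync
    ("CN=Bob Example,OU=Synced,DC=example,DC=test", 512),     # already enabled
    ("CN=Svc Example,OU=Synced,DC=example,DC=test", 66050),   # disabled, password never expires
]


if __name__ == "__main__":
    for record in pending_changes(SAMPLE_ENTRIES):
        print(record)
```

The base64 after the double colon is an encoding, not encryption, so an LDIF that carries unicodePwd has to be handled as a secret and removed once applied.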
From rmeggins at redhat.com Mon Dec 8 15:36:18 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 08 Dec 2008 08:36:18 -0700
Subject: [Fedora-directory-users] upgarding fedora core6
In-Reply-To: <38a27c8c0812070019o5a7f514fp274c45ad86bfa565@mail.gmail.com>
References: <38a27c8c0812070019o5a7f514fp274c45ad86bfa565@mail.gmail.com>
Message-ID: <493D3EF2.1020001@redhat.com>

Eric wrote:
> I now have fedora-ds-1.1.2-1.fc6 on fedora core 6. Does upgrading the OS
> cause any problems for fedora-ds?
> Should I upgrade fedora-ds first, or the OS?
It depends. What exactly do you want to do? To which version of Fedora DS and which version of the Fedora OS are you planning to upgrade?

From gene.poole at macys.com Mon Dec 8 18:51:29 2008
From: gene.poole at macys.com (Gene Poole)
Date: Mon, 8 Dec 2008 13:51:29 -0500
Subject: [Fedora-directory-users] Is There A HowTo?
Message-ID:

Is there, or does anyone know of, an 'end-to-end' howto for Fedora Directory Service? I'm trying to teach myself how this works.

TIA,
Gene Poole

From jsullivan at opensourcedevel.com Mon Dec 8 19:38:11 2008
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Mon, 08 Dec 2008 14:38:11 -0500
Subject: [Fedora-directory-users] Is There A HowTo?
In-Reply-To:
References:
Message-ID: <1228765091.12360.2.camel@jaspav.missionsit.net.missionsit.net>

On Mon, 2008-12-08 at 13:51 -0500, Gene Poole wrote:
> Is there, or does anyone know of, an 'end-to-end' howto for Fedora
> Directory Service? I'm trying to teach myself how this works.

I'm not quite sure what you are seeking, but we built ours using information at:
http://directory.fedoraproject.org/wiki/Documentation
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/index.html

There's also information at:
http://www.linux.com/feature/58731
http://www.linuxjournal.com/article/9517
https://help.ubuntu.com/community/FedoraDirectoryServerClientHowto

Hope this helps - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From lambam80 at hotmail.com Tue Dec 9 12:42:34 2008
From: lambam80 at hotmail.com (lambam80 at hotmail.com)
Date: Tue, 9 Dec 2008 07:42:34 -0500
Subject: [Fedora-directory-users] 'Account Disabled' Windows Sync - only sync passwords
In-Reply-To: <493D3846.6000708@redhat.com>
References: <4935596C.5050406@redhat.com> <4936C84E.4010903@redhat.com> <493D3846.6000708@redhat.com>
Message-ID:

Rich, hello and thanks for your support.

One last question for a former redhat colleague of yours:

'Do we know when this BUG will be fixed'?
Thanks again, Dave
----------
> Date: Mon, 8 Dec 2008 08:07:50 -0700
> From: rmeggins at redhat.com
> To: lambam80 at hotmail.com
> CC: fedora-directory-users at redhat.com
> Subject: Re: [Fedora-directory-users] 'Account Disabled' Windows Sync - only sync passwords
>
> lambam80 at hotmail.com wrote:
[...]

From Andrey.Ivanov at polytechnique.fr Tue Dec 9 13:51:57 2008
From: Andrey.Ivanov at polytechnique.fr (Andrey Ivanov)
Date: Tue, 9 Dec 2008 14:51:57 +0100
Subject: [Fedora-directory-users] An index for the server-side sort functionality
Message-ID: <839276831.20081209145157@polytechnique.edu>

Hi,

There is a special type of indexing for the VLV sort searches, but I have not found what sort of index I should create to make the server-side sort on a certain attribute optimized.
Thank you

Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55

Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France

From rmeggins at redhat.com Tue Dec 9 15:18:03 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 09 Dec 2008 08:18:03 -0700
Subject: [Fedora-directory-users] 'Account Disabled' Windows Sync - only sync passwords
In-Reply-To:
References: <4935596C.5050406@redhat.com> <4936C84E.4010903@redhat.com> <493D3846.6000708@redhat.com>
Message-ID: <493E8C2B.3030402@redhat.com>

lambam80 at hotmail.com wrote:
> Rich, hello and thanks for your support.
>
> One last question for a former redhat colleague of yours:
>
> 'Do we know when this BUG will be fixed'?
Soon.
>
> Thanks again, Dave
> ----------
[...]

From rmeggins at redhat.com Tue Dec 9 15:26:08 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 09 Dec 2008 08:26:08 -0700
Subject: [Fedora-directory-users] An index for the server-side sort functionality
In-Reply-To: <839276831.20081209145157@polytechnique.edu>
References: <839276831.20081209145157@polytechnique.edu>
Message-ID: <493E8E10.4020705@redhat.com>

Andrey Ivanov wrote:
> Hi,
>
> There is a special type of indexing for the VLV sort searches, but I have
> not found what sort of index I should create to make the server-side sort
> on a certain attribute optimized.
>
I think each attribute you want to sort by must be indexed for equality.
>
> Thank you
>
> Andrey Ivanov
> tel +33-(0)1-69-33-99-24
> fax +33-(0)1-69-33-99-55
>
> Direction des Systemes d'Information
> Ecole Polytechnique
> 91128 Palaiseau CEDEX
> France
From Andrey.Ivanov at polytechnique.fr Tue Dec 9 15:42:54 2008
From: Andrey.Ivanov at polytechnique.fr (Andrey Ivanov)
Date: Tue, 9 Dec 2008 16:42:54 +0100
Subject: [Fedora-directory-users] An index for the server-side sort functionality
In-Reply-To: <493E8E10.4020705@redhat.com>
References: <839276831.20081209145157@polytechnique.edu> <493E8E10.4020705@redhat.com>
Message-ID: <1863049602.20081209164254@polytechnique.edu>

Tuesday, December 9, 2008, 4:26:08 PM, you wrote:

RM> Andrey Ivanov wrote:
>> There is a special type of indexing for the VLV sort searches but I have
>> not found what sort of index I should create to make the server-side sort
>> on a certain attribute optimized.
>>
RM> I think each attribute you want to sort by must be indexed for equality.

No, it does not seem to be sufficient. I have activated all the
indexes for the attribute (sn), the logs still show "notes=U":

[09/Dec/2008:16:36:38 +0100] conn=3817 op=3 RESULT err=0 tag=101 nentries=40 etime=0.004000 notes=U
...

Maybe there is a special type of index for server-side sorting like
the one for the VLV?
Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55

Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France

From rmeggins at redhat.com Tue Dec 9 15:46:30 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 09 Dec 2008 08:46:30 -0700
Subject: [Fedora-directory-users] An index for the server-side sort functionality
In-Reply-To: <1863049602.20081209164254@polytechnique.edu>
References: <839276831.20081209145157@polytechnique.edu> <493E8E10.4020705@redhat.com> <1863049602.20081209164254@polytechnique.edu>
Message-ID: <493E92D6.5020801@redhat.com>

Andrey Ivanov wrote:
> Tuesday, December 9, 2008, 4:26:08 PM, you wrote:
>
> RM> Andrey Ivanov wrote:
>>> There is a special type of indexing for the VLV sort searches but I have
>>> not found what sort of index I should create to make the server-side sort
>>> on a certain attribute optimized.
>>>
> RM> I think each attribute you want to sort by must be indexed for equality.
> No, it does not seem to be sufficient. I have activated all the
> indexes for the attribute (sn), the logs still show "notes=U":
>
> [09/Dec/2008:16:36:38 +0100] conn=3817 op=3 RESULT err=0 tag=101 nentries=40 etime=0.004000 notes=U
>
> ...
>
> Maybe there is a special type of index for server-side sorting like
> the one for the VLV?
>
No.
Do you have any problems if you search on those attributes without
server side sorting?
> Andrey Ivanov
> tel +33-(0)1-69-33-99-24
> fax +33-(0)1-69-33-99-55
>
> Direction des Systemes d'Information
> Ecole Polytechnique
> 91128 Palaiseau CEDEX
> France
>
From andrey.ivanov at polytechnique.fr Tue Dec 9 15:51:11 2008
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Tue, 9 Dec 2008 16:51:11 +0100
Subject: [Fedora-directory-users] An index for the server-side sort functionality
In-Reply-To: <493E92D6.5020801@redhat.com>
References: <839276831.20081209145157@polytechnique.edu> <493E8E10.4020705@redhat.com> <1863049602.20081209164254@polytechnique.edu> <493E92D6.5020801@redhat.com>
Message-ID: <1601b8650812090751i6b48b71aw3989229a66e52b5d@mail.gmail.com>

2008/12/9 Rich Megginson

> Andrey Ivanov wrote:
>
>> Tuesday, December 9, 2008, 4:26:08 PM, you wrote:
>>
>> RM> Andrey Ivanov wrote:
>>
>>>> There is a special type of indexing for the VLV sort searches but I have
>>>> not found what sort of index I should create to make the server-side
>>>> sort on a certain attribute optimized.
>>>>
>> RM> I think each attribute you want to sort by must be indexed for
>> equality.
>> No, it does not seem to be sufficient. I have activated all the
>> indexes for the attribute (sn), the logs still show "notes=U":
>>
>> [09/Dec/2008:16:36:38 +0100] conn=3817 op=3 RESULT err=0 tag=101
>> nentries=40 etime=0.004000 notes=U
>>
>> ...
>>
>> Maybe there is a special type of index for server-side sorting like
>> the one for the VLV?
>>
> No.
> Do you have any problems if you search on those attributes without server
> side sorting?

No, not really. It's more a request from our developers to simplify user
sorting in their web applications.

If I make the same search without the sorting the result is shown as
indexed (no "notes=U") and takes two times less time:

[09/Dec/2008:16:48:58 +0100] conn=3821 op=3 RESULT err=0 tag=101 nentries=40 etime=0.002000
From rmeggins at redhat.com Tue Dec 9 15:54:32 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 09 Dec 2008 08:54:32 -0700
Subject: [Fedora-directory-users] An index for the server-side sort functionality
In-Reply-To: <1601b8650812090751i6b48b71aw3989229a66e52b5d@mail.gmail.com>
References: <839276831.20081209145157@polytechnique.edu> <493E8E10.4020705@redhat.com> <1863049602.20081209164254@polytechnique.edu> <493E92D6.5020801@redhat.com> <1601b8650812090751i6b48b71aw3989229a66e52b5d@mail.gmail.com>
Message-ID: <493E94B8.5000103@redhat.com>

Andrey Ivanov wrote:
>
> 2008/12/9 Rich Megginson
>
>     Andrey Ivanov wrote:
>
>         Tuesday, December 9, 2008, 4:26:08 PM, you wrote:
>
>         RM> Andrey Ivanov wrote:
>
>             There is a special type of indexing for the VLV sort
>             searches but I have
>             not found what sort of index I should create to make
>             the server-side sort
>             on a certain attribute optimized.
>
>         RM> I think each attribute you want to sort by must be indexed
>         for equality.
>         No, it does not seem to be sufficient. I have activated all the
>         indexes for the attribute (sn), the logs still show "notes=U":
>
>         [09/Dec/2008:16:36:38 +0100] conn=3817 op=3 RESULT err=0
>         tag=101 nentries=40 etime=0.004000 notes=U
>
>         ...
>
>         Maybe there is a special type of index for server-side sorting
>         like the one for the VLV?
>
>     No.
>     Do you have any problems if you search on those attributes without
>     server side sorting?
>
> No, not really. It's more a request from our developers to simplify
> user sorting in their web applications.
>
> If i make the same search without the sorting the result is shown as
> indexed (no "notes=U") and takes two times less time:
>
> [09/Dec/2008:16:48:58 +0100] conn=3821 op=3 RESULT err=0 tag=101
> nentries=40 etime=0.002000
It's exactly the same search? Same base, scope, and filter?
From Andrey.Ivanov at polytechnique.fr Tue Dec 9 15:58:31 2008
From: Andrey.Ivanov at polytechnique.fr (Andrey Ivanov)
Date: Tue, 9 Dec 2008 16:58:31 +0100
Subject: [Fedora-directory-users] An index for the server-side sort functionality
In-Reply-To: <493E94B8.5000103@redhat.com>
References: <839276831.20081209145157@polytechnique.edu> <493E8E10.4020705@redhat.com> <1863049602.20081209164254@polytechnique.edu> <493E92D6.5020801@redhat.com> <1601b8650812090751i6b48b71aw3989229a66e52b5d@mail.gmail.com> <493E94B8.5000103@redhat.com>
Message-ID: <636977865.20081209165831@polytechnique.edu>

Bonjour Rich,

Tuesday, December 9, 2008, 4:54:32 PM, you wrote:

>> There is a special type of indexing for the VLV sort
>> searches but I have
>> not found what sort of index I should create to make
>> the server-side sort
>> on a certain attribute optimized.
>>
>> RM> I think each attribute you want to sort by must be indexed
>> for equality.
>> No, it does not seem to be sufficient. I have activated all the
>> indexes for the attribute (sn), the logs still show "notes=U":
>>
>> [09/Dec/2008:16:36:38 +0100] conn=3817 op=3 RESULT err=0
>> tag=101 nentries=40 etime=0.004000 notes=U
>>
>> ...
>>
>> Maybe there is a special type of index for server-side sorting
>> like the one for the VLV?
>>
>> No.
>> Do you have any problems if you search on those attributes without
>> server side sorting?
>>
>> No, not really. It's more a request from our developers to simplify
>> user sorting in their web applications.
>>
>> If i make the same search without the sorting the result is shown as
>> indexed (no "notes=U") and takes two times less time:
>>
>> [09/Dec/2008:16:48:58 +0100] conn=3821 op=3 RESULT err=0 tag=101
>> nentries=40 etime=0.002000

RM> It's exactly the same search? Same base, scope, and filter?

Yes. Exactly the same.
The only difference is the search control for server-side sorting over sn.
With this control:

[09/Dec/2008:16:55:59 +0100] conn=3826 op=3 SORT sn;2.16.840.1.113730.3.3.2.11.1 (59)
[09/Dec/2008:16:55:59 +0100] conn=3826 op=3 RESULT err=0 tag=101 nentries=40 etime=0.004000 notes=U

Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55

Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France

From rmeggins at redhat.com Tue Dec 9 16:00:22 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 09 Dec 2008 09:00:22 -0700
Subject: [Fedora-directory-users] An index for the server-side sort functionality
In-Reply-To: <636977865.20081209165831@polytechnique.edu>
References: <839276831.20081209145157@polytechnique.edu> <493E8E10.4020705@redhat.com> <1863049602.20081209164254@polytechnique.edu> <493E92D6.5020801@redhat.com> <1601b8650812090751i6b48b71aw3989229a66e52b5d@mail.gmail.com> <493E94B8.5000103@redhat.com> <636977865.20081209165831@polytechnique.edu>
Message-ID: <493E9616.70902@redhat.com>

Andrey Ivanov wrote:
> Bonjour Rich,
>
> Tuesday, December 9, 2008, 4:54:32 PM, you wrote:
>
>>> There is a special type of indexing for the VLV sort
>>> searches but I have
>>> not found what sort of index I should create to make
>>> the server-side sort
>>> on a certain attribute optimized.
>>>
>>> RM> I think each attribute you want to sort by must be indexed
>>> for equality.
>>> No, it does not seem to be sufficient. I have activated all the
>>> indexes for the attribute (sn), the logs still show "notes=U":
>>>
>>> [09/Dec/2008:16:36:38 +0100] conn=3817 op=3 RESULT err=0
>>> tag=101 nentries=40 etime=0.004000 notes=U
>>>
>>> ...
>>>
>>> Maybe there is a special type of index for server-side sorting
>>> like the one for the VLV?
>>>
>>> No.
>>> Do you have any problems if you search on those attributes without
>>> server side sorting?
>>>
>>> No, not really.
>>> It's more a request from our developers to simplify
>>> user sorting in their web applications.
>>>
>>> If i make the same search without the sorting the result is shown as
>>> indexed (no "notes=U") and takes two times less time:
>>>
>>> [09/Dec/2008:16:48:58 +0100] conn=3821 op=3 RESULT err=0 tag=101
>>> nentries=40 etime=0.002000
>>>
> RM> It's exactly the same search? Same base, scope, and filter?
>
> Yes. Exactly the same. The only difference is the search control for server-side
> sorting over sn. With this control:
> [09/Dec/2008:16:55:59 +0100] conn=3826 op=3 SORT sn;2.16.840.1.113730.3.3.2.11.1 (59)
> [09/Dec/2008:16:55:59 +0100] conn=3826 op=3 RESULT err=0 tag=101 nentries=40 etime=0.004000 notes=U
>
Ok. I'm not sure what's going on then.
>
> Andrey Ivanov
> tel +33-(0)1-69-33-99-24
> fax +33-(0)1-69-33-99-55
>
> Direction des Systemes d'Information
> Ecole Polytechnique
> 91128 Palaiseau CEDEX
> France
>

From james_roman at ssaihq.com Tue Dec 9 16:50:33 2008
From: james_roman at ssaihq.com (James Roman)
Date: Tue, 09 Dec 2008 11:50:33 -0500
Subject: [Fedora-directory-users] AD Sync Port Requirements
Message-ID: <1228841433.18101.7.camel@ssai-01815.ssai-2.com>

Anyone have a list of ports that would need to be opened between the FDS
and an Active Directory Server? I am primarily concerned with traffic in
the direction of FDS->ADS. I know that default AD->AD communication can
require everything above 1024, unless limited in the registry. Does the
AD->FDS sync have the same requirements?

--
James D. Roman
IT Network Administration
Terranet Inc. On contract to:
Science Systems and Applications, Inc.
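The server-side sort thread above turns on one detail of the access log: a RESULT line carrying `notes=U` marks an operation the server answered without an index, and the SORT line that precedes it names the attribute and matching rule the client asked to sort on. The script below is an added example (not part of the list archive or of the Directory Server project) that groups SRCH, SORT and RESULT records by `(conn, op)`, lists the unindexed operations together with their sort control, and compares the etime of the sorted and unsorted runs of the same search. The RESULT and SORT lines in the sample are the ones quoted in the thread; the SRCH lines, with their base and filter, are constructed for the example, since the thread never shows them.

```python
import re
from collections import defaultdict

# Record shapes from a 389 / Fedora Directory Server access log.
_SRCH_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH '
    r'base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"'
)
_SORT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) SORT '
    r'(?P<attr>[^;\s]+)(?:;(?P<rule>\S+))?(?: \((?P<paren>\d+)\))?'
)
_RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) '
    r'tag=(?P<tag>\d+) nentries=(?P<nentries>\d+) etime=(?P<etime>[\d.]+)'
    r'(?: notes=(?P<notes>\S+))?'
)

# Constructed sample: the SRCH lines (base, scope, filter) are invented for this
# example; the RESULT and SORT lines are the ones quoted in the thread.
SAMPLE_LOG = """\
[09/Dec/2008:16:36:38 +0100] conn=3817 op=3 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(sn=a*)" attrs=ALL
[09/Dec/2008:16:36:38 +0100] conn=3817 op=3 RESULT err=0 tag=101 nentries=40 etime=0.004000 notes=U
[09/Dec/2008:16:48:58 +0100] conn=3821 op=3 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(sn=a*)" attrs=ALL
[09/Dec/2008:16:48:58 +0100] conn=3821 op=3 RESULT err=0 tag=101 nentries=40 etime=0.002000
[09/Dec/2008:16:55:59 +0100] conn=3826 op=3 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(sn=a*)" attrs=ALL
[09/Dec/2008:16:55:59 +0100] conn=3826 op=3 SORT sn;2.16.840.1.113730.3.3.2.11.1 (59)
[09/Dec/2008:16:55:59 +0100] conn=3826 op=3 RESULT err=0 tag=101 nentries=40 etime=0.004000 notes=U
"""


def parse_access_log(lines):
    """Group the SRCH, SORT and RESULT records of each operation under (conn, op)."""
    ops = defaultdict(dict)
    for raw in lines:
        line = raw.strip()
        m = _SRCH_RE.match(line)
        if m:
            ops[(int(m["conn"]), int(m["op"]))].update(
                base=m["base"], scope=int(m["scope"]), filter=m["filter"])
            continue
        m = _SORT_RE.match(line)
        if m:
            # The number in parentheses is kept verbatim; the thread does not say what it denotes.
            ops[(int(m["conn"]), int(m["op"]))].update(
                sort_attr=m["attr"], sort_rule=m["rule"], sort_paren=m["paren"])
            continue
        m = _RESULT_RE.match(line)
        if m:
            notes = m["notes"].split(",") if m["notes"] else []
            ops[(int(m["conn"]), int(m["op"]))].update(
                err=int(m["err"]), nentries=int(m["nentries"]),
                etime=float(m["etime"]), notes=notes)
    return dict(ops)


def unindexed_ops(lines):
    """Operations whose RESULT carries notes=U, with the sort control if one was logged."""
    report = []
    for (conn, op), rec in sorted(parse_access_log(lines).items()):
        if "U" in rec.get("notes", []):
            report.append({"conn": conn, "op": op,
                           "filter": rec.get("filter"),
                           "sort_attr": rec.get("sort_attr"),
                           "nentries": rec.get("nentries"),
                           "etime": rec.get("etime")})
    return report


def etime_penalty(lines, indexed_key, unindexed_key):
    """Ratio of the unindexed operation's etime to the indexed one's (same search)."""
    ops = parse_access_log(lines)
    return ops[unindexed_key]["etime"] / ops[indexed_key]["etime"]


if __name__ == "__main__":
    for item in unindexed_ops(SAMPLE_LOG.splitlines()):
        how = f"sorted by {item['sort_attr']}" if item["sort_attr"] else "no SORT control logged"
        print(f"conn={item['conn']} op={item['op']} notes=U ({how}) "
              f"filter={item['filter']} nentries={item['nentries']} etime={item['etime']}")
    print("slowdown with sort control:",
          etime_penalty(SAMPLE_LOG.splitlines(), (3821, 3), (3826, 3)))
```

Run against a real access log, the report separates searches that are unindexed because of their filter (no SORT line) from searches that only lose their index because of the sort control, which is the distinction the thread is trying to make.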
From rmeggins at redhat.com Tue Dec 9 16:55:28 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 09 Dec 2008 09:55:28 -0700
Subject: [Fedora-directory-users] AD Sync Port Requirements
In-Reply-To: <1228841433.18101.7.camel@ssai-01815.ssai-2.com>
References: <1228841433.18101.7.camel@ssai-01815.ssai-2.com>
Message-ID: <493EA300.1030004@redhat.com>

James Roman wrote:
> Anyone have a list of ports that would need to be opened between the FDS
> and an Active Directory Server? I am primarily concerned with traffic in
> the direction of FDS->ADS. I know that default AD->AD communication can
> require everything above 1024, unless limited in the registry. Does the
> AD->FDS sync have the same requirements?
>
AFAIK, just 389 and 636

From james.chavez at sanmina-sci.com Tue Dec 9 21:59:07 2008
From: james.chavez at sanmina-sci.com (James Chavez)
Date: Tue, 9 Dec 2008 14:59:07 -0700
Subject: [Fedora-directory-users] Error starting SSL enabled Admin-Server Segmentation fault (11)
Message-ID: <1228859947.5840.42.camel@PHX1AMUX269160.sanmina-sci.com>

Hello,
I have 2 servers running FDS.
I have setup My directory servers to use SSL for the directory server
and Admin server. For my problem server I generated both the directory
server cert and admin server cert on the directory server acting as the
CA. I exported the Server-Cert2, server-cert2 in .p12 format and I
imported them as well as the CA cert into both the admin server and
directory server. I am able to establish SSL client sessions to the
directory server but I cannot login to the admin server through the
GUI.
I was able to login fine before enabling SSL...Unlike on this server,
the server acting as the root CA everything works fine.

I get the following error at the GUI login screen.
authenticating User ID "cn=Directory Manager"
java.io.InterruptedIOException: HTTP response timeout

In the error log I have this. The directory server that I can log into I
get the same messages but not the segmentation fault.

[notice] caught SIGTERM, shutting down
[notice] Access Host filter is: *.fedora
[notice] Access Address filter is: *
[notice] Access Host filter is: *.fedora
[notice] Access Address filter is: *
[error] SSL_InheritMPServerSIDCache failed
[error] SSL Library Error: -8191 Library Failure
[notice] Apache/2.2.8 (Unix) configured -- resuming normal operations
[notice] child pid 3284 exit signal Segmentation fault (11)

Here are my Cert data bases

[root at scooby ~]# certutil -L -d /etc/dirsrv/admin-serv/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,
server-cert2                                                 u,u,u

[root at scooby ~]# certutil -L -d /etc/dirsrv/slapd-scooby/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,
Server-Cert2                                                 u,u,u

Any ideas.

Thanks
James

CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING.
Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.

From rmeggins at redhat.com Tue Dec 9 22:05:48 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 09 Dec 2008 15:05:48 -0700
Subject: [Fedora-directory-users] Error starting SSL enabled Admin-Server Segmentation fault (11)
In-Reply-To: <1228859947.5840.42.camel@PHX1AMUX269160.sanmina-sci.com>
References: <1228859947.5840.42.camel@PHX1AMUX269160.sanmina-sci.com>
Message-ID: <493EEBBC.2060906@redhat.com>

James Chavez wrote:
> Hello,
> I have 2 servers running FDS.
> I have setup My directory servers to use SSL for the directory server
> and Admin server. For my problem server I generated both the directory
> server cert and admin server cert on the directory server acting as the
> CA. I exported the Server-Cert2, server-cert2 in .p12 format and I
> imported them as well as the CA cert into both the admin server and
> directory server. I am able to establish SSL client sessions to the
> directory server but I cannot login to the admin server through the
> GUI.
> I was able to login fine before enabling SSL...Unlike on this server,
> the server acting as the root CA everything works fine.
>
> I get the following error at the GUI login screen.
> authenticating User ID "cn=Directory Manager"
> java.io.InterruptedIOException: HTTP response timeout
>
> In the error log I have this. The directory server that I can log into I
> get the same messages but not the segmentation fault.
>
> [notice] caught SIGTERM, shutting down
> [notice] Access Host filter is: *.fedora
> [notice] Access Address filter is: *
> [notice] Access Host filter is: *.fedora
> [notice] Access Address filter is: *
> [error] SSL_InheritMPServerSIDCache failed
> [error] SSL Library Error: -8191 Library Failure
> [notice] Apache/2.2.8 (Unix) configured -- resuming normal operations
> [notice] child pid 3284 exit signal Segmentation fault (11)
>
What platform? What version of fedora-ds-admin?
rpm -qi fedora-ds-admin
> Here are my Cert data bases
>
> [root at scooby ~]# certutil -L -d /etc/dirsrv/admin-serv/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> CA certificate                                               CT,,
> server-cert2                                                 u,u,u
>
> [root at scooby ~]# certutil -L -d /etc/dirsrv/slapd-scooby/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> CA certificate                                               CT,,
> Server-Cert2                                                 u,u,u
>
> Any ideas.
>
> Thanks
> James
>
From james.chavez at sanmina-sci.com Tue Dec 9 22:10:14 2008
From: james.chavez at sanmina-sci.com (James Chavez)
Date: Tue, 9 Dec 2008 15:10:14 -0700
Subject: [Fedora-directory-users] Error starting SSL enabled Admin-Server Segmentation fault (11)
In-Reply-To: <493EEBBC.2060906@redhat.com>
References: <1228859947.5840.42.camel@PHX1AMUX269160.sanmina-sci.com> <493EEBBC.2060906@redhat.com>
Message-ID: <1228860614.5840.46.camel@PHX1AMUX269160.sanmina-sci.com>

Thank you,
I am running Fedora Core 9 on both of the Servers.

Here is the output of rpm -qi

Name        : fedora-ds-admin              Relocations: (not relocatable)
Version     : 1.1.4                        Vendor: Fedora Project
Release     : 1.fc9                        Build Date: Tue 15 Apr 2008 10:31:42 AM MST
Install Date: Tue 07 Oct 2008 10:15:03 PM MST   Build Host: xenbuilder4.fedora.phx.redhat.com
Group       : System Environment/Daemons   Source RPM: fedora-ds-admin-1.1.4-1.fc9.src.rpm

James

On Tue, 2008-12-09 at 15:05 -0700, Rich Megginson wrote:
> James Chavez wrote:
> > Hello,
> > I have 2 servers running FDS.
> > I have setup My directory servers to use SSL for the directory server
> > and Admin server.
> > For my problem server I generated both the directory
> > server cert and admin server cert on the directory server acting as the
> > CA. I exported the Server-Cert2, server-cert2 in .p12 format and I
> > imported them as well as the CA cert into both the admin server and
> > directory server. I am able to establish SSL client sessions to the
> > directory server but I cannot login to the admin server through the
> > GUI.
> > I was able to login fine before enabling SSL...Unlike on this server,
> > the server acting as the root CA everything works fine.
> >
> > I get the following error at the GUI login screen.
> > authenticating User ID "cn=Directory Manager"
> > java.io.InterruptedIOException: HTTP response timeout
> >
> > In the error log I have this. The directory server that I can log into I
> > get the same messages but not the segmentation fault.
> >
> > [notice] caught SIGTERM, shutting down
> > [notice] Access Host filter is: *.fedora
> > [notice] Access Address filter is: *
> > [notice] Access Host filter is: *.fedora
> > [notice] Access Address filter is: *
> > [error] SSL_InheritMPServerSIDCache failed
> > [error] SSL Library Error: -8191 Library Failure
> > [notice] Apache/2.2.8 (Unix) configured -- resuming normal operations
> > [notice] child pid 3284 exit signal Segmentation fault (11)
> >
> What platform? What version of fedora-ds-admin?
> rpm -qi fedora-ds-admin
> > Here are my Cert data bases
> >
> > [root at scooby ~]# certutil -L -d /etc/dirsrv/admin-serv/
> >
> > Certificate Nickname                                         Trust Attributes
> >                                                              SSL,S/MIME,JAR/XPI
> >
> > CA certificate                                               CT,,
> > server-cert2                                                 u,u,u
> >
> > [root at scooby ~]# certutil -L -d /etc/dirsrv/slapd-scooby/
> >
> > Certificate Nickname                                         Trust Attributes
> >                                                              SSL,S/MIME,JAR/XPI
> >
> > CA certificate                                               CT,,
> > Server-Cert2                                                 u,u,u
> >
> > Any ideas.
> >
> > Thanks
> > James
> >
From rmeggins at redhat.com Tue Dec 9 22:14:34 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 09 Dec 2008 15:14:34 -0700
Subject: [Fedora-directory-users] Error starting SSL enabled Admin-Server Segmentation fault (11)
In-Reply-To: <1228860614.5840.46.camel@PHX1AMUX269160.sanmina-sci.com>
References: <1228859947.5840.42.camel@PHX1AMUX269160.sanmina-sci.com> <493EEBBC.2060906@redhat.com> <1228860614.5840.46.camel@PHX1AMUX269160.sanmina-sci.com>
Message-ID: <493EEDCA.5060600@redhat.com>

James Chavez wrote:
> Thank you,
> I am running Fedora Core 9 on both of the Servers.
>
> Here is the output of rpm -qi
>
> Name        : fedora-ds-admin              Relocations: (not relocatable)
> Version     : 1.1.4                        Vendor: Fedora Project
> Release     : 1.fc9                        Build Date: Tue 15 Apr 2008 10:31:42 AM MST
> Install Date: Tue 07 Oct 2008 10:15:03 PM MST   Build Host: xenbuilder4.fedora.phx.redhat.com
> Group       : System Environment/Daemons   Source RPM: fedora-ds-admin-1.1.4-1.fc9.src.rpm
>
The current version is 1.1.6. Most likely you need to do a yum upgrade
in order to pull the latest version from the fedora-updates-newkey repo
> James
>
> On Tue, 2008-12-09 at 15:05 -0700, Rich Megginson wrote:
>
>> James Chavez wrote:
>>
>>> Hello,
>>> I have 2 servers running FDS.
>>> I have setup My directory servers to use SSL for the directory server
>>> and Admin server.
>>> For my problem server I generated both the directory
>>> server cert and admin server cert on the directory server acting as the
>>> CA. I exported the Server-Cert2, server-cert2 in .p12 format and I
>>> imported them as well as the CA cert into both the admin server and
>>> directory server. I am able to establish SSL client sessions to the
>>> directory server but I cannot login to the admin server through the
>>> GUI.
>>> I was able to login fine before enabling SSL...Unlike on this server,
>>> the server acting as the root CA everything works fine.
>>>
>>> I get the following error at the GUI login screen.
>>> authenticating User ID "cn=Directory Manager"
>>> java.io.InterruptedIOException: HTTP response timeout
>>>
>>> In the error log I have this. The directory server that I can log into I
>>> get the same messages but not the segmentation fault.
>>>
>>> [notice] caught SIGTERM, shutting down
>>> [notice] Access Host filter is: *.fedora
>>> [notice] Access Address filter is: *
>>> [notice] Access Host filter is: *.fedora
>>> [notice] Access Address filter is: *
>>> [error] SSL_InheritMPServerSIDCache failed
>>> [error] SSL Library Error: -8191 Library Failure
>>> [notice] Apache/2.2.8 (Unix) configured -- resuming normal operations
>>> [notice] child pid 3284 exit signal Segmentation fault (11)
>>>
>> What platform? What version of fedora-ds-admin?
>> rpm -qi fedora-ds-admin
>>
>>> Here are my Cert data bases
>>>
>>> [root at scooby ~]# certutil -L -d /etc/dirsrv/admin-serv/
>>>
>>> Certificate Nickname                                         Trust Attributes
>>>                                                              SSL,S/MIME,JAR/XPI
>>>
>>> CA certificate                                               CT,,
>>> server-cert2                                                 u,u,u
>>>
>>> [root at scooby ~]# certutil -L -d /etc/dirsrv/slapd-scooby/
>>>
>>> Certificate Nickname                                         Trust Attributes
>>>                                                              SSL,S/MIME,JAR/XPI
>>>
>>> CA certificate                                               CT,,
>>> Server-Cert2                                                 u,u,u
>>>
>>> Any ideas.
>>>
>>> Thanks
>>> James
>>>
From rnappert at juniper.net Thu Dec 11 21:56:14 2008
From: rnappert at juniper.net (Reinhard Nappert)
Date: Thu, 11 Dec 2008 16:56:14 -0500
Subject: [Fedora-directory-users] MMR: Get identical Replica ID.
Message-ID: <3525C9833C09ED418C6FD6CD9514668C0546A81C@emailwf1.jnpr.net>

Hi,

I ran across a strange issue. I have a working MMR setup. One master uses
Replica ID 1 and the other 2. At some time and point (I don't know when or
why this happened), both directories are complaining about the same ID:

[11/Dec/2008:16:01:38 -0500] NSMMReplicationPlugin - agmt="cn=m1tom2" (m2:389): Incremental update failed and requires administrator action
[11/Dec/2008:16:02:38 -0500] NSMMReplicationPlugin - agmt="cn=m1tom2" (m2:389): Unable to aquire replica: the replica has the same Replica ID as this one. Replication is aborting.

I did check the configuration and they were not identical (otherwise, it
would not have worked in the first place). To recover is not that easy
anymore. I disabled replication and set it up from scratch. Still, I run
into the same error message.

Did anyone experience a similar thing?

Thanks,
-Reinhard
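The admin-server SSL thread above rests on two `certutil -L` listings, one per NSS database, and the question of whether each server finds the certificate it is configured to use. The following is an added example, not code from the list or from the Directory Server project: it parses `certutil -L` output into nickname and trust-flag tuples and checks one database the way a practitioner would before restarting a TLS-enabled server: the configured server nickname must exist with exactly that spelling (NSS nicknames are case-sensitive), it must be a user certificate with a private key (`u` in the SSL slot), and the CA must carry the `C` trust flag in the SSL slot, which is the trust the thread's databases show. The two listings are the ones quoted in the thread; which nickname each server is configured to use is passed in as a parameter rather than read from any configuration file, and the final call with a differently cased nickname is a constructed case to show the failure mode.

```python
import re

# Trust column as certutil prints it: three comma-separated flag groups
# (SSL, S/MIME, JAR/XPI), e.g. "CT,," or "u,u,u".
_TRUST_RE = re.compile(r"^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$")

# certutil -L output for the two databases as quoted in the thread.
ADMIN_DB = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,
server-cert2                                                 u,u,u
"""

SLAPD_DB = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,
Server-Cert2                                                 u,u,u
"""


def parse_certutil_list(text):
    """Map each nickname to its (SSL, S/MIME, JAR/XPI) trust-flag strings.

    Nicknames may contain spaces ("CA certificate"), so the trust column is
    split off from the right and everything before it is the nickname."""
    certs = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2 or not _TRUST_RE.match(parts[1]):
            continue  # header, blank line, or not a certificate row
        nick, trust = parts
        certs[nick.strip()] = tuple(trust.split(","))
    return certs


def check_server_db(text, server_nick, ca_nick):
    """Return a list of findings for one NSS database; an empty list means OK.

    server_nick and ca_nick are whatever the server is configured with
    (assumed inputs here, not read from any config file)."""
    certs = parse_certutil_list(text)
    findings = []
    if server_nick not in certs:
        near = [n for n in certs if n.lower() == server_nick.lower()]
        hint = f" (found {near[0]!r}; nicknames are case-sensitive)" if near else ""
        findings.append(f"server cert {server_nick!r} not in database{hint}")
    elif "u" not in certs[server_nick][0]:
        findings.append(f"{server_nick!r} is not a user cert with a private key "
                        f"(SSL trust {certs[server_nick][0]!r})")
    if ca_nick not in certs:
        findings.append(f"CA {ca_nick!r} not in database")
    elif "C" not in certs[ca_nick][0]:
        findings.append(f"CA {ca_nick!r} lacks the C (trusted CA for server certs) "
                        f"flag in the SSL slot (has {certs[ca_nick][0]!r})")
    return findings


if __name__ == "__main__":
    for name, db, nick in (("admin-serv", ADMIN_DB, "server-cert2"),
                           ("slapd-scooby", SLAPD_DB, "Server-Cert2")):
        problems = check_server_db(db, nick, "CA certificate")
        print(name + ":", "OK" if not problems else "; ".join(problems))
    # Constructed failure case: configuration names the cert with different case.
    print("slapd-scooby with 'server-cert2':",
          check_server_db(SLAPD_DB, "server-cert2", "CA certificate"))
```

Feed it the real output of `certutil -L -d <dbdir>` for each database and the nickname the server's configuration names; a case-only mismatch is reported with the nickname that is actually present, which is the kind of detail that is easy to miss when the same certificate was imported under two spellings.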
From orion at cora.nwra.com Thu Dec 11 23:38:55 2008
From: orion at cora.nwra.com (Orion Poplawski)
Date: Thu, 11 Dec 2008 16:38:55 -0700
Subject: [Fedora-directory-users] Allow root to change users' passwords
Message-ID: <4941A48F.2050604@cora.nwra.com>

I'm used to being able to change users' passwords as root using the "passwd" command on my main server (this was with NIS and the master shadow file kept on the server). Now with FDS, I get:

# passwd orion
Changing password for user orion.
Enter login(LDAP) password:

and I must enter the password for the user "orion". This gets tricky when the user has forgotten their password.

Is there a way to avoid this first check and allow root to force a change of the password?

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                    orion at cora.nwra.com
Boulder, CO 80301                     http://www.cora.nwra.com

From ryan.manikowski at 2ergo.com Thu Dec 11 23:46:53 2008
From: ryan.manikowski at 2ergo.com (Ryan Manikowski)
Date: Thu, 11 Dec 2008 18:46:53 -0500
Subject: [Fedora-directory-users] Allow root to change users' passwords
In-Reply-To: <4941A48F.2050604@cora.nwra.com>
References: <4941A48F.2050604@cora.nwra.com>
Message-ID: <4941A66D.70908@2ergo.com>

I use a program called LDAP Administration Tool (available in the Debian apt repo, name = 'lat'), which is a GTK app that allows LDAP administration. Simply connect as 'directory manager' and you can change passwords through the interface without needing to know the previous password.

Ryan Manikowski
System Administrator
2ergo Americas Inc.
:703.677.8499:
www.2ergo.com
Arlington, Virginia

From rmeggins at redhat.com Thu Dec 11 23:53:21 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 11 Dec 2008 16:53:21 -0700
Subject: [Fedora-directory-users] Allow root to change users' passwords
In-Reply-To: <4941A48F.2050604@cora.nwra.com>
References: <4941A48F.2050604@cora.nwra.com>
Message-ID: <4941A7F1.4050406@redhat.com>

Orion Poplawski wrote:
> Is there a way to avoid this first check and allow root to force a
> change of the password?

I don't think so. "root" usually does not exist in LDAP, only in /etc/passwd, so "root" is not really an LDAP user. I suppose you could use ldappasswd and bind as "cn=directory manager" instead if you know the user is an LDAP user.
From lambam80 at hotmail.com Fri Dec 12 08:24:45 2008
From: lambam80 at hotmail.com (lambam80 at hotmail.com)
Date: Fri, 12 Dec 2008 03:24:45 -0500
Subject: [Fedora-directory-users] Allow root to change users' passwords
In-Reply-To: <4941A7F1.4050406@redhat.com>
References: <4941A48F.2050604@cora.nwra.com> <4941A7F1.4050406@redhat.com>
Message-ID:

You could also use the console (export $DISPLAY etc.)
http://directory.fedoraproject.org/
'... Graphical console for all facets of user, group, and server management ...'

It's been a while since I've looked at it, but you may want to investigate the Directory Server Gateway (DSGW):
http://www.directory.fedora.redhat.com/wiki/DSGW_Install_Guide

Lastly, does anyone have an interesting application that allows users to request a new password via a Web interface and a subsequent Email?

Cheers,
Dave

From ryan.braun at ec.gc.ca Fri Dec 12 15:01:24 2008
From: ryan.braun at ec.gc.ca (Ryan Braun [ADS])
Date: Fri, 12 Dec 2008 15:01:24 +0000
Subject: [Fedora-directory-users] Allow root to change users' passwords
In-Reply-To: <4941A48F.2050604@cora.nwra.com>
References: <4941A48F.2050604@cora.nwra.com>
Message-ID: <200812121501.24783.ryan.braun@ec.gc.ca>

On Thursday 11 December 2008 23:38, Orion Poplawski wrote:
> Is there a way to avoid this first check and allow root to force a
> change of the password?

I know it's possible, here is the way my setup (etch) works. It's likely a PAM issue.

xxxfcst2:~# passwd ryantest
New password:
Re-enter new password:
LDAP password information changed for ryantest
passwd: password updated successfully
xxxfcst2:~# grep ryantest /etc/passwd
xxxfcst2:~# getent passwd|grep ryan
ryantest:x:10058:5000:cfwx Account:/tmp/ryantest:/bin/bash

ytrfcst2:/etc/pam.d# grep -v ^# common*
common-account:account sufficient pam_ldap.so
common-account:account required pam_unix.so
common-auth:auth sufficient pam_ldap.so
common-auth:auth required pam_unix.so nullok_secure use_first_pass
common-password:
common-password:
common-password:password sufficient pam_ldap.so ignore_unknown_user
common-password:password required pam_unix.so nullok obscure min=4 max=8 md5
common-password:
common-password:
common-session:session required pam_unix.so
common-session:session optional pam_ldap.so
xxxfcst2:/etc/pam.d# grep -v ^# passwd
@include common-password
xxxfcst2:/etc/pam.d#

And lastly pam_ldap.conf:

xxxfcst2:/etc# grep -v ^# pam_ldap.conf |strings
@(#)$Id: ldap.conf,v 2.47 2006/05/15 08:13:44 lukeh Exp $
base dc=xxx,dc=ec,dc=gc,dc=ca
uri ldap://xxxoff.isb.ec.gc.ca
uri ldap://xxxoff0.isb.ec.gc.ca
uri ldap://xxxoff1.isb.ec.gc.ca
ldap_version 3
rootbinddn cn=directory manager
pam_check_host_attr yes
pam_password exop
ssl start_tls
tls_cacertdir /etc/ldap/cacerts

From christopher.barry at qlogic.com Fri Dec 12 17:39:59 2008
From: christopher.barry at qlogic.com (Christopher Barry)
Date: Fri, 12 Dec 2008 11:39:59 -0600
Subject: [Fedora-directory-users] AD Password Sync Question
Message-ID: <0F3ACA1C9E6FCA4BBABFC2B45BF279343AF0E74DFB@MNEXMB1.qlogic.org>

Greetings,

After reading chapter 19 of the RH docs about AD integration, I have a question regarding the 'lifetime' and locality of the plaintext password, and how this actually gets captured and sync'd.

In a multi-site AD Enterprise, with a lot of DCs, would the password sync service need to run on every DC, with a partnership to the one master master Directory Server?

I'm wondering how, if a user in Texas changes their password, it gets placed into the Directory Server Master in Pennsylvania.

Thanks,
-C

From daniel.cruz at sc.senai.br Fri Dec 12 17:39:59 2008
From: daniel.cruz at sc.senai.br (DANIEL CRISTIAN CRUZ)
Date: Fri, 12 Dec 2008 15:39:59 -0200
Subject: [Fedora-directory-users] nsaccountlock compare error
Message-ID: <338cde6b9a7ac791a31b6d8c8a12fa01@intranet.sc.senai.br>

Hi All,

Trying to figure out if an account is or isn't locked, I've tried:

(Python shell)
>>> server.compare_s("uid=zaza.zozo.zozo,ou=UnitA,o=MyOrg", 'nsAccountLock', 'true')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 255, in compare_s
    return self.compare_ext_s(dn,attr,value,None,None)
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 244, in compare_ext_s
    self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 428, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 432, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 438, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.NO_SUCH_ATTRIBUTE: {'desc': 'No such attribute'}

I got the same code using PHP; there must be something with the server configuration, or is it a "bad feature"?

I had many servers here, all with the same problem.

Kind regards,
--
Daniel Cristian Cruz
Database Administrator
Regional Directorate - Information Technology Center
SENAI - SC
Phone: 48-3239-1422 (extension 1422)
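Since compare fails on nsAccountLock here while search works (and Rich's advice later in the thread is to use search instead of compare), one way to check the lock state is to request the operational attribute explicitly in a base search and treat an absent attribute as an enabled account. The block below is an added example, not code from the thread; it follows python-ldap's search_s() calling convention, but a constructed FakeDirectory stands in for the server connection so it runs offline, and every DN except uid=zaza.zozo.zozo is made up.

```python
"""Decide whether a Directory Server account is locked from a search
result rather than an LDAP compare (added example, not thread code)."""

SCOPE_BASE = 0  # same value as ldap.SCOPE_BASE in python-ldap


class AccountLookupError(Exception):
    """Raised when the entry cannot be read (no such object, no result)."""


class FakeDirectory:
    """Constructed stand-in for a python-ldap LDAPObject; only search_s()
    is modelled. A real connection from ldap.initialize() can be passed
    to account_lock_state() in its place."""

    def __init__(self, entries):
        self.entries = entries  # dn -> {attribute name: [values]}

    def search_s(self, base, scope, filterstr="(objectClass=*)", attrlist=None):
        if scope != SCOPE_BASE or base not in self.entries:
            raise LookupError("No such object")  # python-ldap: ldap.NO_SUCH_OBJECT
        attrs = self.entries[base]
        if attrlist:
            # Operational attributes come back only when named in attrlist;
            # the fake mirrors that by filtering on the requested names.
            wanted = {name.lower() for name in attrlist}
            attrs = {k: v for k, v in attrs.items() if k.lower() in wanted}
        return [(base, attrs)]


def _as_text(value):
    """python-ldap 2.x returns str values, 3.x returns bytes; accept both."""
    return value.decode("utf-8") if isinstance(value, bytes) else value


def account_lock_state(conn, dn):
    """Return 'locked', 'enabled' or 'missing' for the entry at dn.

    nsAccountLock is operational, so it must be named in attrlist or the
    server will not return it. An absent attribute means the account is
    enabled; only a present attribute whose value is true means locked.
    """
    try:
        result = conn.search_s(dn, SCOPE_BASE, "(objectClass=*)", ["nsAccountLock"])
    except Exception as exc:  # ldap.NO_SUCH_OBJECT on a real connection
        raise AccountLookupError("cannot read %s: %s" % (dn, exc)) from exc
    if not result:
        raise AccountLookupError("no entry returned for %s" % dn)
    _entry_dn, attrs = result[0]
    # Attribute names are case-insensitive in LDAP and the server may return
    # either spelling, so match on the lowercased name.
    values = [v for name, v in attrs.items() if name.lower() == "nsaccountlock"]
    if not values:
        return "missing"
    flat = [_as_text(v).strip().lower() for v in values[0]]
    return "locked" if "true" in flat else "enabled"


def is_account_locked(conn, dn):
    """True only when nsAccountLock is present and true (the server's rule)."""
    return account_lock_state(conn, dn) == "locked"


# Constructed sample directory: the DN from the thread plus two made-up ones.
SAMPLE_ENTRIES = {
    "uid=zaza.zozo.zozo,ou=UnitA,o=MyOrg": {
        "uid": [b"zaza.zozo.zozo"],
        "nsAccountLock": [b"true"],
    },
    "uid=alice,ou=UnitA,o=MyOrg": {  # no attribute at all: enabled
        "uid": [b"alice"],
    },
    "uid=bob,ou=UnitA,o=MyOrg": {  # attribute present but false: enabled
        "uid": [b"bob"],
        "nsaccountlock": ["FALSE"],  # str value, as python-ldap 2.x returns
    },
}
DIRECTORY = FakeDirectory(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for entry_dn in SAMPLE_ENTRIES:
        print(entry_dn, "->", account_lock_state(DIRECTORY, entry_dn))
```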
From Jeff.Williams at infospace.com Fri Dec 12 18:04:10 2008
From: Jeff.Williams at infospace.com (Jeff Williams)
Date: Fri, 12 Dec 2008 10:04:10 -0800
Subject: [Fedora-directory-users] Syncing sambaLMPassword and sambaNTPassword with userPassword
Message-ID: <9598680C8A333F49AC6A9B78095E4D4A2E0144DB@CPWPRX01N.inspinc.ad>

Hello all,

I am trying to set up a samba share that will use an LDAP read-only consumer in such a fashion:

[windows active directory] -> [fedora-ds-MMR] -> [fedora-ds-RO] -> [samba share]

Note the singular direction, I am trying to not send updates back upstream. I use the PassSync to provide an updated password to the MMR, but I am at a loss of how to update sambaNTPassword and sambaLMPassword, without using smbpasswd. Is there an alternative? I've seen talk in the archives of people intending to write plugins for this task, were they ever written?

Am I missing something simple?

Thanks,

Jeff Williams

From rmeggins at redhat.com Fri Dec 12 18:11:08 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 12 Dec 2008 11:11:08 -0700
Subject: [Fedora-directory-users] AD Password Sync Question
In-Reply-To: <0F3ACA1C9E6FCA4BBABFC2B45BF279343AF0E74DFB@MNEXMB1.qlogic.org>
References: <0F3ACA1C9E6FCA4BBABFC2B45BF279343AF0E74DFB@MNEXMB1.qlogic.org>
Message-ID: <4942A93C.3020902@redhat.com>

Christopher Barry wrote:
> Greetings,
>
> After reading chapter 19 of the RH docs about AD integration, I have a question regarding the 'lifetime' and locality of the plaintext password, and how this actually gets captured and sync'd.
>
> In a multi-site AD Enterprise, with a lot of DCs, would the password sync service need to run on every DC,
Yes.
> with a partnership to the one master master Directory Server?
Yes, that's the best way. You can point passsync at any master anywhere, as long as you are prepared to deal with latency issues (e.g. if you add a user then immediately change the password, you may have to wait for that new user to show up on your local replica first).
> I'm wondering how, if a user in Texas changes their password, it gets placed into the Directory Server Master in Pennsylvania.
The DS MMR protocol will update the password on all other DS servers.
> Thanks,
> -C

From rmeggins at redhat.com Fri Dec 12 18:11:59 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 12 Dec 2008 11:11:59 -0700
Subject: [Fedora-directory-users] Syncing sambaLMPassword and sambaNTPassword with userPassword
In-Reply-To: <9598680C8A333F49AC6A9B78095E4D4A2E0144DB@CPWPRX01N.inspinc.ad>
References: <9598680C8A333F49AC6A9B78095E4D4A2E0144DB@CPWPRX01N.inspinc.ad>
Message-ID: <4942A96F.7030605@redhat.com>

Jeff Williams wrote:
> Hello all,
>
> I am trying to set up a samba share that will use an LDAP read-only consumer in such a fashion:
>
> [windows active directory] -> [fedora-ds-MMR] -> [fedora-ds-RO] -> [samba share]
>
> Note the singular direction, I am trying to not send updates back upstream. I use the PassSync to provide an updated password to the MMR, but I am at a loss of how to update sambaNTPassword and sambaLMPassword, without using smbpasswd. Is there an alternative? I've seen talk in the archives of people intending to write plugins for this task, were they ever written?
freeipa has such a plugin.
> Am I missing something simple?
>
> Thanks,
>
> Jeff Williams

From rmeggins at redhat.com Fri Dec 12 18:12:59 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 12 Dec 2008 11:12:59 -0700
Subject: [Fedora-directory-users] nsaccountlock compare error
In-Reply-To: <338cde6b9a7ac791a31b6d8c8a12fa01@intranet.sc.senai.br>
References: <338cde6b9a7ac791a31b6d8c8a12fa01@intranet.sc.senai.br>
Message-ID: <4942A9AB.6070900@redhat.com>

DANIEL CRISTIAN CRUZ wrote:
> Hi All,
>
> Trying to figure out if an account is or isn't locked, I've tried:
>
> (Python shell)
> >>> server.compare_s("uid=zaza.zozo.zozo,ou=UnitA,o=MyOrg", 'nsAccountLock', 'true')
> Traceback (most recent call last):
>   File "<stdin>", line 1, in <module>
>   File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 255, in compare_s
>     return self.compare_ext_s(dn,attr,value,None,None)
>   File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 244, in compare_ext_s
>     self.result(msgid,all=1,timeout=self.timeout)
>   File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 428, in result
>     res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
>   File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 432, in result2
>     res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
>   File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 438, in result3
>     ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
>   File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
>     result = func(*args,**kwargs)
> ldap.NO_SUCH_ATTRIBUTE: {'desc': 'No such attribute'}
>
> I got the same code using PHP; there must be something with the server configuration, or is it a "bad feature"?
>
If there is no such attribute, then the account is enabled. The account is only disabled if the attribute is present AND set to true.
>
> I had many servers here, all with the same problem.
>
> Kind regards,

From daniel.cruz at sc.senai.br Fri Dec 12 18:32:45 2008
From: daniel.cruz at sc.senai.br (DANIEL CRISTIAN CRUZ)
Date: Fri, 12 Dec 2008 16:32:45 -0200
Subject: [Fedora-directory-users] nsaccountlock compare error
In-Reply-To: <4942A9AB.6070900@redhat.com>
Message-ID: <3666931c44112b0f732d6d9f494f883b@intranet.sc.senai.br>

"Rich Megginson" wrote:
> DANIEL CRISTIAN CRUZ wrote:
>> Trying to figure out if an account is or isn't locked, I've tried:
>>
>> (Python shell)
>> >>> server.compare_s("uid=zaza.zozo.zozo,ou=UnitA,o=MyOrg", 'nsAccountLock', 'true')
>> ldap.NO_SUCH_ATTRIBUTE: {'desc': 'No such attribute'}
>>
>> I got the same code using PHP; there must be something with the server configuration, or is it a "bad feature"?
>>
> If there is no such attribute, then the account is enabled. The account
> is only disabled if the attribute is present AND set to true.

Yes, but it's there, with 'true' value assigned.
Got to fetch the object and compare at language level:

>>> server.modify_s('uid=zaza.zozo.zozo,ou=UnitA,o=MyOrg', [((ldap.MOD_ADD, 'nsaccountlock', 'true'))])
(103, [])
>>> server.search_s('uid=zaza.zozo.zozo,ou=UnitA,o=MyOrg', ldap.SCOPE_BASE, attrlist=['nsaccountlock'])
[('uid=zaza.zozo.zozo,ou=UnitA,o=MyOrg', {'nsaccountlock': ['true']})]
>>> server.compare_s('uid=zaza.zozo.zozo,ou=UnitA,o=MyOrg', 'nsaccountlock', 'true')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 255, in compare_s
    return self.compare_ext_s(dn,attr,value,None,None)
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 244, in compare_ext_s
    self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 428, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 432, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 438, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.NO_SUCH_ATTRIBUTE: {'desc': 'No such attribute'}

I've searched for some compare ACI, but there isn't any revoking the privilege (it's an account in the Administrators Group).

Regards,
--
Daniel Cristian Cruz

From christopher.barry at qlogic.com Fri Dec 12 18:29:48 2008
From: christopher.barry at qlogic.com (Christopher Barry)
Date: Fri, 12 Dec 2008 12:29:48 -0600
Subject: [Fedora-directory-users] AD Password Sync Question
In-Reply-To: <4942A93C.3020902@redhat.com>
References: <0F3ACA1C9E6FCA4BBABFC2B45BF279343AF0E74DFB@MNEXMB1.qlogic.org> <4942A93C.3020902@redhat.com>
Message-ID: <0F3ACA1C9E6FCA4BBABFC2B45BF279343AF0E74E02@MNEXMB1.qlogic.org>

Thanks Rich for your quick response.

I think you're saying that unlike user/group sync, where you need a single MMDS to be the master interface to AD for all MMDSes, the passsync service can point to any replicated MMDS.

Since most user adds are needed locally first, would it be better to do the local DC -> local MMDS passsync first as a rule?

Also, and this is no doubt in the docs too somewhere, but while I've got your ear, is there a limit on the number of MMDSes? e.g. can I have a MMDS at every site paired with a DC?

Thanks a lot,
-C

From rmeggins at redhat.com Fri Dec 12 18:41:24 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 12 Dec 2008 11:41:24 -0700
Subject: [Fedora-directory-users] AD Password Sync Question
In-Reply-To: <0F3ACA1C9E6FCA4BBABFC2B45BF279343AF0E74E02@MNEXMB1.qlogic.org>
References: <0F3ACA1C9E6FCA4BBABFC2B45BF279343AF0E74DFB@MNEXMB1.qlogic.org> <4942A93C.3020902@redhat.com> <0F3ACA1C9E6FCA4BBABFC2B45BF279343AF0E74E02@MNEXMB1.qlogic.org>
Message-ID: <4942B054.3000106@redhat.com>

Christopher Barry wrote:
> Thanks Rich for your quick response.
> I think you're saying that unlike user/group sync, where you need a single MMDS to be the master interface to AD for all MMDSes, the passsync service can point to any replicated MMDS.
>
Yes.
> Since most user adds are needed locally first, would it be better to do the local DC -> local MMDS passsync first as a rule?
>
Yes.
> Also, and this is no doubt in the docs too somewhere, but while I've got your ear, is there a limit on the number of MMDSes? e.g. can I have a MMDS at every site paired with a DC?
>
There is no limit per se - but we have only done extensive testing with 4 masters. The protocol will support many thousands of masters.
> Thanks a lot,
> -C
From rmeggins at redhat.com Fri Dec 12 18:42:40 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 12 Dec 2008 11:42:40 -0700
Subject: [Fedora-directory-users] nsaccountlock compare error
In-Reply-To: <3666931c44112b0f732d6d9f494f883b@intranet.sc.senai.br>
References: <3666931c44112b0f732d6d9f494f883b@intranet.sc.senai.br>
Message-ID: <4942B0A0.8000702@redhat.com>

DANIEL CRISTIAN CRUZ wrote:
> Yes, but it's there, with 'true' value assigned.
>
> Got to fetch the object and compare at language level:
>
> >>> server.modify_s('uid=zaza.zozo.zozo,ou=UnitA,o=MyOrg', [((ldap.MOD_ADD, 'nsaccountlock', 'true'))])
> (103, [])
> >>> server.search_s('uid=zaza.zozo.zozo,ou=UnitA,o=MyOrg', ldap.SCOPE_BASE, attrlist=['nsaccountlock'])
> [('uid=zaza.zozo.zozo,ou=UnitA,o=MyOrg', {'nsaccountlock': ['true']})]
> >>> server.compare_s('uid=zaza.zozo.zozo,ou=UnitA,o=MyOrg', 'nsaccountlock', 'true')
> Traceback (most recent call last):
>   File "<stdin>", line 1, in <module>
>   File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 255, in compare_s
>     return self.compare_ext_s(dn,attr,value,None,None)
>   File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 244, in compare_ext_s
>     self.result(msgid,all=1,timeout=self.timeout)
>   File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 428, in result
>     res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
>   File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 432, in result2
>     res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
>   File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 438, in result3
>     ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
>   File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
>     result = func(*args,**kwargs)
> ldap.NO_SUCH_ATTRIBUTE: {'desc': 'No such attribute'}
>
> I've searched for some compare ACI, but there isn't any revoking the privilege (it's an account in the Administrators Group).
>
I would say, based on this data, that there is a bug in the server compare processing. Does compare work with regular attributes (e.g. in the schema of the user)? Note that nsAccountLock is an operational attribute.

From daniel.cruz at sc.senai.br Fri Dec 12 18:52:55 2008
From: daniel.cruz at sc.senai.br (DANIEL CRISTIAN CRUZ)
Date: Fri, 12 Dec 2008 16:52:55 -0200
Subject: [Fedora-directory-users] nsaccountlock compare error
In-Reply-To: <4942B0A0.8000702@redhat.com>
Message-ID: <187e7d4eaf2e44998fe95f9e0a3abd05@intranet.sc.senai.br>

"Rich Megginson" wrote:
> I would say, based on this data, that there is a bug in the server
> compare processing. Does compare work with regular attributes (e.g. in
> the schema of the user)? Note that nsAccountLock is an operational
> attribute.

Unfortunately, yes, it works:

>>> server.compare_s('uid=zaza.zozo.zozo,ou=UnitA,o=MyOrg', 'uid', 'zaza.zozo.zozo')
1
>>> server.compare_s('uid=zaza.zozo.zozo,ou=UnitA,o=MyOrg', 'uid', 'zaza.zozo.zuzu')
0

Regards,
--
Daniel Cristian Cruz

From rmeggins at redhat.com Fri Dec 12 19:05:44 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 12 Dec 2008 12:05:44 -0700
Subject: [Fedora-directory-users] nsaccountlock compare error
In-Reply-To: <187e7d4eaf2e44998fe95f9e0a3abd05@intranet.sc.senai.br>
References: <187e7d4eaf2e44998fe95f9e0a3abd05@intranet.sc.senai.br>
Message-ID: <4942B608.3020407@redhat.com>

DANIEL CRISTIAN CRUZ wrote:
> Unfortunately, yes, it works:
>
Please file a bug. In the meantime, you'll have to just use search instead of compare.
>
> >>> server.compare_s('uid=zaza.zozo.zozo,ou=UnitA,o=MyOrg', 'uid', 'zaza.zozo.zozo')
> 1
> >>> server.compare_s('uid=zaza.zozo.zozo,ou=UnitA,o=MyOrg', 'uid', 'zaza.zozo.zuzu')
> 0
>
> Regards,

From bbahar3 at gmail.com Sat Dec 13 06:09:16 2008
From: bbahar3 at gmail.com (Eric)
Date: Sat, 13 Dec 2008 09:39:16 +0330
Subject: [Fedora-directory-users] upgrading fedora core6
Message-ID: <38a27c8c0812122209y4ae38b0bva1fed0e92b1585b3@mail.gmail.com>

I want to use:

# yum upgrade

for upgrading the OS. Does this cause any problem with Fedora DS? If it does, how can I upgrade from Fedora Core 6 without problems?

> Message: 4
> Date: Mon, 08 Dec 2008 08:36:18 -0700
> From: Rich Megginson
> Subject: Re: [Fedora-directory-users] upgrading fedora core6
> To: "General discussion list for the Fedora Directory server project."
> Message-ID: <493D3EF2.1020001 at redhat.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Eric wrote:
> > I now have fedora-ds-1.1.2-1.fc6 on fedora core 6. Does upgrading the OS
> > cause any problem for fedora-ds?
> > Should I upgrade fedora-ds or the OS first?
> It depends. What exactly do you want to do? To which version of Fedora
> DS and which version of the Fedora OS are you planning to upgrade to?
> > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: smime.p7s > Type: application/x-pkcs7-signature > Size: 3258 bytes > Desc: S/MIME Cryptographic Signature > Url : > https://www.redhat.com/archives/fedora-directory-users/attachments/20081208/c529539b/smime.bin > > ------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > End of Fedora-directory-users Digest, Vol 43, Issue 11 > ****************************************************** > -------------- next part -------------- An HTML attachment was scrubbed... URL: From abdellah.alaoui2006 at gmail.com Mon Dec 15 11:17:17 2008 From: abdellah.alaoui2006 at gmail.com (Abdellah Alaoui Ismaili) Date: Mon, 15 Dec 2008 11:17:17 +0000 Subject: [Fedora-directory-users] upgarding fedora core6 In-Reply-To: <493D3EF2.1020001@redhat.com> References: <38a27c8c0812070019o5a7f514fp274c45ad86bfa565@mail.gmail.com> <493D3EF2.1020001@redhat.com> Message-ID: <69c6e0a70812150317n10870882lb1fe21b430062358@mail.gmail.com> I can not synchronize FDS with ADs IN ADs I get this error: 12/15/08 11:59:33: PassSync service stopped 12/15/08 11:59:34: PassSync service started 12/15/08 11:59:34: Failed to load entries from file 12/15/08 11:59:34: LDAP bind error in Connect 81: Can not contact LDAP server 12/15/08 11:59:34: Can not connect to ldap server in SyncPasswords 12/15/08 11:59:34: Password list is empty. Waiting for passhook event and In FDS I get this error: LDAP error: Can not contact LDAP server.error code: 81 you can help me Plz -------------- next part -------------- An HTML attachment was scrubbed... 
From abdellah.alaoui2006 at gmail.com Mon Dec 15 12:45:05 2008
From: abdellah.alaoui2006 at gmail.com (Abdellah Alaoui Ismaili)
Date: Mon, 15 Dec 2008 12:45:05 +0000
Subject: [Fedora-directory-users] Windows synch
Message-ID: <69c6e0a70812150445n6e492a00y906a92809418af39@mail.gmail.com>

I cannot synchronize FDS with AD.
In AD I get this error:
12/15/08 11:59:33: PassSync service stopped
12/15/08 11:59:34: PassSync service started
12/15/08 11:59:34: Failed to load entries from file
12/15/08 11:59:34: LDAP bind error in Connect 81: Can not contact LDAP server
12/15/08 11:59:34: Can not connect to ldap server in SyncPasswords
12/15/08 11:59:34: Password list is empty. Waiting for passhook event
and in FDS I get this error:
LDAP error: Can not contact LDAP server. error code: 81
I use Windows Server 2003 as AD and Fedora Core 9 for FDS.
Can you help me, please?

From christopher.barry at qlogic.com Mon Dec 15 15:46:33 2008
From: christopher.barry at qlogic.com (Christopher Barry)
Date: Mon, 15 Dec 2008 09:46:33 -0600
Subject: [Fedora-directory-users] upgarding fedora core6
In-Reply-To: <69c6e0a70812150317n10870882lb1fe21b430062358@mail.gmail.com>
References: <38a27c8c0812070019o5a7f514fp274c45ad86bfa565@mail.gmail.com> <493D3EF2.1020001@redhat.com>, <69c6e0a70812150317n10870882lb1fe21b430062358@mail.gmail.com>
Message-ID: <0F3ACA1C9E6FCA4BBABFC2B45BF279343AF0E770CD@MNEXMB1.qlogic.org>

> From: fedora-directory-users-bounces at redhat.com [fedora-directory-users-bounces at redhat.com] On Behalf Of Abdellah Alaoui Ismaili [abdellah.alaoui2006 at gmail.com]
> Sent: Monday, December 15, 2008 6:17 AM
> To: fedora-directory-users at redhat.com
> Subject: Re: [Fedora-directory-users] upgarding fedora core6
>
> I cannot synchronize FDS with AD.
> In AD I get this error:
> 12/15/08 11:59:33: PassSync service stopped
> 12/15/08 11:59:34: PassSync service started
> 12/15/08 11:59:34: Failed to load entries from file
> 12/15/08 11:59:34: LDAP bind error in Connect 81: Can not contact LDAP server
> 12/15/08 11:59:34: Can not connect to ldap server in SyncPasswords
> 12/15/08 11:59:34: Password list is empty. Waiting for passhook event
> and in FDS I get this error:
> LDAP error: Can not contact LDAP server. error code: 81
> Can you help me, please?

Sounds like a name resolution issue. Verify your domain name service is functional. You should have hosts file entries on both nodes for the partner as well, if you do not already.

-C

From rmeggins at redhat.com Mon Dec 15 16:03:14 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 15 Dec 2008 09:03:14 -0700
Subject: [Fedora-directory-users] upgarding fedora core6
In-Reply-To: <38a27c8c0812122209y4ae38b0bva1fed0e92b1585b3@mail.gmail.com>
References: <38a27c8c0812122209y4ae38b0bva1fed0e92b1585b3@mail.gmail.com>
Message-ID: <49467FC2.2090502@redhat.com>

Eric wrote:
> I want to use:
> #yum upgrade
> for upgrading the OS. Will this cause a problem with Fedora DS? If it does,
> how can I upgrade from Fedora Core 6 without problems?
I don't know in general if this will work to upgrade the OS. It will definitely update fedora ds. If the OS upgrade is successful, then it will also update fedora ds to the latest version for your new OS.
> [...]
From bbahar3 at gmail.com Tue Dec 16 10:51:31 2008
From: bbahar3 at gmail.com (Eric)
Date: Tue, 16 Dec 2008 14:21:31 +0330
Subject: [Fedora-directory-users] Re: upgarding fedora core6
Message-ID: <38a27c8c0812160251u5048d9e1j4ff5ddb658013c8c@mail.gmail.com>

In which way can I upgrade Fedora OS 6 so that I can be certain Fedora DS will have no problem?

> Message: 4
> Date: Mon, 15 Dec 2008 09:03:14 -0700
> From: Rich Megginson
> Subject: Re: [Fedora-directory-users] upgarding fedora core6
> To: "General discussion list for the Fedora Directory server project."
> Message-ID: <49467FC2.2090502 at redhat.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Eric wrote:
> > I want to use:
> > #yum upgrade
> > for upgrading the OS. Will this cause a problem with Fedora DS? If it does,
> > how can I upgrade from Fedora Core 6 without problems?
> I don't know in general if this will work to upgrade the OS. It will
> definitely update fedora ds. If the OS upgrade is successful, then it
> will also update fedora ds to the latest version for your new OS.
> [...]

From rmeggins at redhat.com Tue Dec 16 15:37:36 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 16 Dec 2008 08:37:36 -0700
Subject: [Fedora-directory-users] Re: upgarding fedora core6
In-Reply-To: <38a27c8c0812160251u5048d9e1j4ff5ddb658013c8c@mail.gmail.com>
References: <38a27c8c0812160251u5048d9e1j4ff5ddb658013c8c@mail.gmail.com>
Message-ID: <4947CB40.5000004@redhat.com>

Eric wrote:
> In which way can I upgrade Fedora OS 6 so that I can be certain Fedora
> DS will have no problem?
I don't know - I've never upgraded from one Fedora to another on a machine that has Fedora DS on it.
> [...]
From zach.casper at envieta.com Tue Dec 16 15:59:40 2008
From: zach.casper at envieta.com (Zach Casper)
Date: Tue, 16 Dec 2008 10:59:40 -0500
Subject: [Fedora-directory-users] LDAP Authentication
Message-ID: <001401c95f97$50da6440$f28f2cc0$@casper@envieta.com>

We have followed all steps to install/run Fedora Dogtag/FDS using default settings.
We have also added users/certificates from within the CA/RA subsystems.
We are now to the point where we need to format and enroll some smart cards; however, the LDAP Authentication dialog appears and no combination of LDAP User ID/Password works.
We've tried cn=Directory Manager, Admin, pkiuser... all without luck.
I know we must have users already in FDS but this documentation seems not to exist.
How do we add users in FDS so that we can continue to format and enroll smart cards? Are we missing something?

--
Zach Casper
Envieta LLC

From Julius.Adewumi at gdc4s.com Tue Dec 16 16:47:01 2008
From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373)
Date: Tue, 16 Dec 2008 09:47:01 -0700
Subject: [Fedora-directory-users] RE: [Pki-users] LDAP Authentication
In-Reply-To: <001401c95f97$50da6440$f28f2cc0$@casper@envieta.com>
References: <001401c95f97$50da6440$f28f2cc0$@casper@envieta.com>
Message-ID: <150446754087724BA4B8F287083846B203746E7B@AZ25EXM04.gddsi.com>

I ran into something like this when I also first began to configure the CA etc. Not enough documentation for beginners. I had to get Wireshark and trace what network packets are sent across from client to server and see the LDAP credentials searched for, and then I acted accordingly, i.e. when I saw that the search was for uid=abc, o=TokenUser, I set that up in the Directory Server. Only because I had access to both client and server. Wireshark helped me a lot!

From: Julius Adewumi @GDC4S.com
Ph: 480-441-6768
Contract Corp: MTSI

> From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Zach Casper
> Sent: Tuesday, December 16, 2008 9:00 AM
> To: pki-users at redhat.com; 'General discussion list for the Fedora Directory server project.'
> Subject: [Pki-users] LDAP Authentication
>
> We have followed all steps to install/run Fedora Dogtag/FDS using default settings.
> [...]
> How do we add users in FDS so that we can continue to format and enroll smart cards? Are we missing something?

From cfu at redhat.com Tue Dec 16 17:20:55 2008
From: cfu at redhat.com (Christina Fu)
Date: Tue, 16 Dec 2008 09:20:55 -0800
Subject: [Fedora-directory-users] Re: [Pki-users] LDAP Authentication
In-Reply-To: <001401c95f97$50da6440$f28f2cc0$@casper@envieta.com>
References: <001401c95f97$50da6440$f28f2cc0$@casper@envieta.com>
Message-ID: <4947E377.1090808@redhat.com>

One of the panels during post-installation configuration for TPS asks you to set up your authentication ldap system. I usually just point it to an existing ldap system I have. The end result of the panel, when I take the defaults, is usually like the following in my CS.cfg file (I'm only listing the ones that matter most to me):

...
auth.instance.0.authId=ldap1
auth.instance.0.baseDN=dc=sjc,dc=redhat,dc=com
auth.instance.0.hostport=localhost:389
...
op.enroll.userKey.auth.id=ldap1

I then need to add a user to the specified ldap system. I use the following ldap modify file, ldapModAddUser.txt:

dn: uid=cfu,ou=People,dc=sjc,dc=redhat,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
uid: cfu
cn: Christina Fu
sn: Fu
givenName: Christina
userPassword: xxxusrpwdxxx

then I run ldapmodify:

ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -w xxxDMpwdxxx -x -f ldapModAddUser.txt

then I'm ready to use uid "cfu" and password "xxxusrpwdxxx" to enroll.

Christina

Zach Casper wrote:
> We have followed all steps to install/run Fedora Dogtag/FDS using default settings.
> [...]
> How do we add users in FDS so that we can continue to format and enroll smart cards? Are we missing something?
>
> --
> Zach Casper
> Envieta LLC

From Steve.Fletcher at noaa.gov Tue Dec 16 20:32:13 2008
From: Steve.Fletcher at noaa.gov (Steve Fletcher)
Date: Tue, 16 Dec 2008 14:32:13 -0600
Subject: [Fedora-directory-users] fedora-idm-console problem
Message-ID: <4948104D.5030905@noaa.gov>

I'm having problems with fedora-idm-console after updating a Red Hat 5 machine and would appreciate any help you guys can offer.
These are the versions after updating:
fedora-ds-1.1.2-1.fc6.x86_64.rpm
fedora-ds-admin-1.1.6-1.fc6.x86_64.rpm
fedora-ds-admin-console-1.1.2-1.fc6.noarch.rpm
fedora-ds-base-1.1.3-2.fc6.x86_64.rpm
fedora-ds-console-1.1.2-1.fc6.noarch.rpm
fedora-ds-dsgw-1.1.1-1.fc6.x86_64.rpm
fedora-idm-console-1.1.1-1.fc6.x86_64.rpm

These were the versions before updating:
fedora-admin-console-1.1.0-4.fc6.noarch.rpm
fedora-ds-1.1.0-3.fc6.x86_64.rpm
fedora-ds-admin-1.1.2-2.fc6.x86_64.rpm
fedora-ds-base-1.1.1-1.fc6.x86_64.rpm
fedora-ds-console-1.1.1-2.fc6.noarch.rpm
fedora-idm-console-1.1.1-1.fc6.x86_64.rpm

The error message I get when logging into the console is:
Cannot connect to the directory server.
netscape.ldap.LDAPException: error result (32); No such object

When I run fedora-idm-console -D I get:
Fedora-Management-Console/1.1.2 B2008.248.1527
CommManager> New CommRecord (http://localhost:9830/admin-serv/authenticate)
http://localhost:9830/[0:0] open> Ready
http://localhost:9830/[0:0] accept> http://localhost:9830/admin-serv/authenticate
http://localhost:9830/[0:0] send> GET \
http://localhost:9830/[0:0] send> /admin-serv/authenticate \
http://localhost:9830/[0:0] send> HTTP/1.0
http://localhost:9830/[0:0] send> Host: localhost:9830
http://localhost:9830/[0:0] send> Connection: Keep-Alive
http://localhost:9830/[0:0] send> User-Agent: Fedora-Management-Console/1.1.2
http://localhost:9830/[0:0] send> Accept-Language: en
http://localhost:9830/[0:0] send> Authorization: Basic \
http://localhost:9830/[0:0] send> YWRtaW46QjBndXNMZEBw \
http://localhost:9830/[0:0] send>
http://localhost:9830/[0:0] send>
http://localhost:9830/[0:0] recv> HTTP/1.1 200 OK
http://localhost:9830/[0:0] recv> Date: Tue, 16 Dec 2008 19:38:34 GMT
http://localhost:9830/[0:0] recv> Server: Apache/2.2
HttpChannel.invoke: admin version = 2.2
http://localhost:9830/[0:0] recv> Admin-Server: Fedora-Administrator/1.1.6
HttpChannel.invoke: admin version = 1.1.6
http://localhost:9830/[0:0] recv> Content-Length: 281
http://localhost:9830/[0:0] recv> Connection: close
http://localhost:9830/[0:0] recv> Content-Type: text/html
http://localhost:9830/[0:0] recv>
http://localhost:9830/[0:0] recv> Reading 281 bytes...
http://localhost:9830/[0:0] recv> 281 bytes read
Console.replyHandler: adminVersion = 1.1.6
http://localhost:9830/[0:0] close> Closed

I hope this is enough information for someone to help me.
Thanks for looking into it!!

Steve

From rmeggins at redhat.com Tue Dec 16 22:29:59 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 16 Dec 2008 15:29:59 -0700
Subject: [Fedora-directory-users] fedora-idm-console problem
In-Reply-To: <4948104D.5030905@noaa.gov>
References: <4948104D.5030905@noaa.gov>
Message-ID: <49482BE7.2030708@redhat.com>

Steve Fletcher wrote:
> I'm having problems with fedora-idm-console after updating a Red Hat
> 5 machine and would appreciate any help you guys can offer.
> [...]
> The error message I get when logging into the console is:
> Cannot connect to the directory server.
> netscape.ldap.LDAPException: error result (32); No such object
>
> When I run fedora-idm-console -D I get:
> [...]
> Console.replyHandler: adminVersion = 1.1.6
> http://localhost:9830/[0:0] close> Closed
>
> I hope this is enough information for someone to help me.
> Thanks for looking into it!!
Try running setup-ds-admin.pl -u
>
> Steve

From LACY_S at mercer.edu Wed Dec 17 13:49:47 2008
From: LACY_S at mercer.edu (Scott Lacy)
Date: Wed, 17 Dec 2008 08:49:47 -0500
Subject: [Fedora-directory-users] SSL cert problem v1.0.4
Message-ID: <9BF995BC0E47744E9673A41486E24EE218693DBAB9@MERCERMAIL.MercerU.local>

I have a server which has an old and a renewed SSL cert on it, but the server will not start due to the old cert still being on it. I have not had any success deleting the old cert or setting the server to start with the new one (if that is configurable). I've gone through the documentation with no success. I guess what I need is a quick-and-dirty lesson on how to locate the old cert and delete it.

Thanks in advance from a sheepish SA...

----------------------
Scott Lacy
Unix Systems Manager, Systems and Networks
Mercer University
478 301 5509

From rmeggins at redhat.com Wed Dec 17 15:21:49 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 17 Dec 2008 08:21:49 -0700
Subject: [Fedora-directory-users] Wiki edits have been disabled
Message-ID: <4949190D.5080501@redhat.com>

Due to a large number of spammers hitting directory.fedoraproject.org, wiki editing has been disabled. The edits will most likely be disabled until the first week of the new year. If you need to add or edit something, please contact the list. Sorry for any inconvenience.
From Steve.Fletcher at noaa.gov Wed Dec 17 18:13:32 2008
From: Steve.Fletcher at noaa.gov (Steve Fletcher)
Date: Wed, 17 Dec 2008 12:13:32 -0600
Subject: [Fedora-directory-users] fedora-idm-console problem
In-Reply-To: <49482BE7.2030708@redhat.com>
References: <4948104D.5030905@noaa.gov> <49482BE7.2030708@redhat.com>
Message-ID: <4949414C.8070505@noaa.gov>

I did this and it gave me an invalid credentials error. So I changed the admin password from the command line and it now says:
Could not find the admin domain
which shows up fine in ldapsearch as
nsAdminDomainName: protect.nssl
After changing the admin password the fedora-idm-console comes up, but with no directory servers in it.
Any suggestions?
Thanks!
Steve

Rich Megginson wrote
> Try running setup-ds-admin.pl -u
>>
>> Steve

From rmeggins at redhat.com Wed Dec 17 18:21:07 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 17 Dec 2008 11:21:07 -0700
Subject: [Fedora-directory-users] fedora-idm-console problem
In-Reply-To: <4949414C.8070505@noaa.gov>
References: <4948104D.5030905@noaa.gov> <49482BE7.2030708@redhat.com> <4949414C.8070505@noaa.gov>
Message-ID: <49494313.6000001@redhat.com>

Steve Fletcher wrote:
> I did this and it gave me an invalid credentials error. So I changed the
> admin password from the command line and it now says:
> Could not find the admin domain
> which shows up fine in ldapsearch as
> nsAdminDomainName: protect.nssl
What is the admin domain in /etc/dirsrv/admin-serv/adm.conf?
> After changing the admin password the fedora-idm-console comes up,
> but with no directory servers in it.
> Any suggestions?
> Thanks!
> Steve
> Rich Megginson wrote
>> Try running setup-ds-admin.pl -u

From Steve.Fletcher at noaa.gov Wed Dec 17 19:57:03 2008
From: Steve.Fletcher at noaa.gov (Steve Fletcher)
Date: Wed, 17 Dec 2008 13:57:03 -0600
Subject: [Fedora-directory-users] fedora-idm-console problem
In-Reply-To: <49494313.6000001@redhat.com>
References: <4948104D.5030905@noaa.gov> <49482BE7.2030708@redhat.com> <4949414C.8070505@noaa.gov> <49494313.6000001@redhat.com>
Message-ID: <4949598F.1030401@noaa.gov>

It's the same
AdminDomain: protect.nssl

Rich Megginson wrote:
> Steve Fletcher wrote:
>> I did this and it gave me an invalid credentials error. So I changed the
>> admin password from the command line and it now says:
>> Could not find the admin domain
>> which shows up fine in ldapsearch as
>> nsAdminDomainName: protect.nssl
> What is the admin domain in /etc/dirsrv/admin-serv/adm.conf?
>> After changing the admin password the fedora-idm-console comes up,
>> but with no directory servers in it.
>> Any suggestions?
>> Thanks!
>> Steve
>> Rich Megginson wrote
>>> Try running setup-ds-admin.pl -u

From rmeggins at redhat.com Wed Dec 17 20:17:51 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 17 Dec 2008 13:17:51 -0700
Subject: [Fedora-directory-users] fedora-idm-console problem
In-Reply-To: <4949598F.1030401@noaa.gov>
References: <4948104D.5030905@noaa.gov> <49482BE7.2030708@redhat.com> <4949414C.8070505@noaa.gov> <49494313.6000001@redhat.com> <4949598F.1030401@noaa.gov>
Message-ID: <49495E6F.2030708@redhat.com>

Steve Fletcher wrote:
> It's the same
> AdminDomain: protect.nssl
What is the output of fedora-idm-console -D 9 -f console.log?
>
> Rich Megginson wrote:
>> Steve Fletcher wrote:
>>> I did this and it gave me an invalid credentials error. So I changed
>>> the admin password from the command line and it now says:
>>> Could not find the admin domain
>>> which shows up fine in ldapsearch as
>>> nsAdminDomainName: protect.nssl
>> What is the admin domain in /etc/dirsrv/admin-serv/adm.conf?
>>> After changing the admin password the fedora-idm-console comes up,
>>> but with no directory servers in it.
>>> Any suggestions?
>>> Thanks!
>>> Steve
>>> Rich Megginson wrote
>>>> Try running setup-ds-admin.pl -u
From rmeggins at redhat.com Wed Dec 17 20:21:20 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 17 Dec 2008 13:21:20 -0700
Subject: [Fedora-directory-users] SSL cert problem v1.0.4
In-Reply-To: <9BF995BC0E47744E9673A41486E24EE218693DBAB9@MERCERMAIL.MercerU.local>
References: <9BF995BC0E47744E9673A41486E24EE218693DBAB9@MERCERMAIL.MercerU.local>
Message-ID: <49495F40.2050804@redhat.com>

Scott Lacy wrote:
> I have a server which has an old and a renewed SSL cert on it, but the
> server will not start due to the old cert still being on it. I have
> not had any success deleting the old cert or setting the server to
> start with the new one (if that is configurable). I've gone through
> the documentation with no success. I guess what I need is a
> quick-and-dirty lesson on how to locate the old cert and delete it.
Use the certutil command. http://directory.fedoraproject.org/wiki/Howto:SSL has some examples.

cd /opt/fedora-ds/alias
../shared/bin/certutil -L -d . -P slapd-yourinstancename-

Use certutil -H for help. certutil -D will delete a cert.

I would strongly encourage you to make a backup of your expired cert and key first:

cd /opt/fedora-ds/alias
../shared/bin/pk12util -d . -P slapd-yourinstancename- -o saved.p12 -n "old cert name" ...

Use pk12util -H for help.

> Thanks in advance from a sheepish SA...
>
> ----------------------
> Scott Lacy
> Unix Systems Manager, Systems and Networks
> Mercer University
> 478 301 5509
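Rich's certutil/pk12util steps above, worked through as an added shell example (not code from the list or from the Fedora DS project): it parses `certutil -L` output to pick out the certs that have a private key in the database (the `u` trust flag), then prints a backup, verify, delete plan for a nickname instead of executing it, so the admin can review the commands first. The listing is constructed sample output; the `/opt/fedora-ds/alias` directory and `slapd-yourinstancename-` prefix are the placeholders from Rich's message.

```shell
#!/bin/sh
# Added example: triage an NSS cert database from `certutil -L` output and
# produce a backup-then-delete plan for a server cert (the situation in
# Scott's thread: an old and a renewed cert both present).
# SAMPLE_CERTUTIL_L is constructed sample output, not from a real server.

SAMPLE_CERTUTIL_L='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CT,,
Server-Cert                                                  u,u,u
old Server-Cert                                              u,u,u'

# Print the nicknames of certs whose SSL trust column carries "u", i.e. a
# private key for the cert exists in the key database (these are the server
# certs, as opposed to the CA chain). Reads `certutil -L` output on stdin.
# Nicknames may contain spaces, so the trust column (always the last
# whitespace-separated field) is stripped instead of taking $1.
user_cert_nicknames() {
    awk '
        /^Certificate Nickname/ { next }   # column header
        /SSL,S\/MIME,JAR\/XPI/  { next }   # second header line
        NF == 0                 { next }   # blank separator
        {
            trust = $NF
            line  = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", line)   # drop the trust column
            split(trust, f, ",")
            if (f[1] ~ /u/) print line
        }'
}

# Emit the commands to back up one cert+key to PKCS#12, list the bundle to
# verify it, then delete the cert from the database.
# Arguments: db dir, file prefix (-P), nickname. Nothing is executed here.
cert_retire_plan() {
    dir=$1; prefix=$2; nick=$3
    # Derive a safe file name from the nickname (spaces etc. become "_").
    out="saved-$(printf '%s' "$nick" | tr -c 'A-Za-z0-9._-' '_').p12"
    printf '%s\n' "pk12util -d '$dir' -P '$prefix' -o '$out' -n '$nick'"
    printf '%s\n' "pk12util -l '$out'"
    printf '%s\n' "certutil -d '$dir' -P '$prefix' -D -n '$nick'"
}

# Demonstrate on the constructed listing (no NSS database needed).
printf '%s\n' "$SAMPLE_CERTUTIL_L" | user_cert_nicknames | while IFS= read -r nick; do
    cert_retire_plan /opt/fedora-ds/alias slapd-yourinstancename- "$nick"
done
```

On a real server the listing comes from `certutil -L -d /opt/fedora-ds/alias -P slapd-yourinstancename-`. If the renewed cert was imported under the same nickname as the old one, the nickname appears twice and the plan is printed twice; in that case compare the validity periods with `certutil -L -d . -P slapd-yourinstancename- -n nickname` before deleting anything. The PKCS#12 file contains the private key, so protect it like the key database itself and keep it until the server has started cleanly with the new cert.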
From Steve.Fletcher at noaa.gov  Wed Dec 17 22:30:18 2008
From: Steve.Fletcher at noaa.gov (Steve Fletcher)
Date: Wed, 17 Dec 2008 16:30:18 -0600
Subject: [Fedora-directory-users] fedora-idm-console problem
In-Reply-To: <49497722.5030205@redhat.com>
References: <4948104D.5030905@noaa.gov> <49482BE7.2030708@redhat.com> <4949414C.8070505@noaa.gov> <49494313.6000001@redhat.com> <4949598F.1030401@noaa.gov> <49495E6F.2030708@redhat.com> <49496281.6080308@noaa.gov> <49496522.8010202@redhat.com> <4949762D.8080209@noaa.gov> <49497722.5030205@redhat.com>
Message-ID: <49497D7A.9030902@noaa.gov>

That gives me:

[root at rome fdsldap]# /usr/lib64/mozldap/ldapsearch -h rome.protect.nssl -D "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" -w "Mypassword" -s base -b "" "objectclass=*"
ldapsearch: Password will expire in 0 seconds
ldapsearch: Password has been reset by an administrator; you must change it.
ldap_search: DSA is unwilling to perform

That is likely because I reset the password to get past the invalid credentials problem when trying to run setup-ds-admin.pl -u
For the ldapsearch below and to reset the adm password I used -D "cn=Directory Manager". So for the next question: How do I change it or unset the password expiration stuff which I never intended to be applied to the admin server by command line.

Rich Megginson wrote:
> Steve Fletcher wrote:
>> Yes I can query these using ldapsearch.
>> dn: cn=user, cn=defaultObjectClassesContainer, ou=1.1, ou=Admin, ou=Global Preferences, ou=protect.nssl, o=NetscapeRoot ...
>>
>> Using fedora-idm-console -D ldap I get:
>> Ldap Connection rome.protect.nssl:389
>> 15:07:49.301 ldc=0 Connected to ldap://rome.protect.nssl:389
>> 15:07:49.318 ldc=0 op=1 BindRequest {version=3, name=uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot, authentication=********}
>> 15:07:49.340 ldc=0 op=1 BindResponse {resultCode=0} {PasswordExpiredCtrl: isCritical=false msg=0} {PasswordExpiringCtrl: isCritical=false msg=0}
>> Ldap Connection (null):389 ...
>>
>> and adm.conf has:
>> ldapurl: ldap://rome.protect.nssl:389/o=NetscapeRoot
>>
>> On several following entries I saw:
>> 15:49:04.089 ldc=0 op=2 SearchRequest {baseObject=cn=user, cn=DefaultObjectClassesContainer,ou=1.1, ou=admin, ou=Global Preferences, ou=protect.nssl, o=NetscapeRoot, scope=0, derefAliases=0,sizeLimit=1000, timeLimit=0, attrsOnly=false, filter=(|(objectclass=*)(objectclass=ldapsubentry)), attributes=null}
>> 15:49:04.093 ldc=0 op=2 SearchResult {resultCode=53} {PasswordExpiredCtrl: isCritical=false msg=0}
>> Is this telling me a password has expired?
> Yes, I believe so. What happens if you do
> /usr/lib/mozldap/ldapsearch -h rome.protect.nssl -D "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" -w yourpassword -s base -b "" "objectclass=*"
> ?
>>
>>
>> Rich Megginson wrote:
>>>>
>>>> Console: cannot connect to the user database
>>>> Console: Cannot open: cn=user, cn=DefaultObjectClassesContainer,ou=1.1, ou=admin, ou=Global Preferences, ou=protect.nssl, o=NetscapeRoot
>>>> Console: Cannot open cn=group, cn=DefaultObjectClassesContainer,ou=1.1, ou=admin, ou=Global Preferences, ou=protect.nssl, o=NetscapeRoot
>>>> Console: Cannot open cn=OU, cn=DefaultObjectClassesContainer,ou=1.1, ou=admin, ou=Global Preferences, ou=protect.nssl, o=NetscapeRoot
>>> Why can't it find these entries? Is it connecting to the wrong LDAP server? Can you query these entries using ldapsearch?
>>>
>>> Use fedora-idm-console -D ldap to see what LDAP connections it is making.
>>>
>>> It should be trying to use the server from ldapurl in /etc/dirsrv/admin-serv/adm.conf
>>>> Console: Cannot open cn=ResourceEditorExtension,ou=1.1, ou=admin, ou=Global Preferences, ou=protect.nssl, o=NetscapeRoot
>>>>
>>>
>>
>

From rmeggins at redhat.com  Wed Dec 17 22:36:53 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 17 Dec 2008 15:36:53 -0700
Subject: [Fedora-directory-users] fedora-idm-console problem
In-Reply-To: <49497D7A.9030902@noaa.gov>
References: <4948104D.5030905@noaa.gov> <49482BE7.2030708@redhat.com> <4949414C.8070505@noaa.gov> <49494313.6000001@redhat.com> <4949598F.1030401@noaa.gov> <49495E6F.2030708@redhat.com> <49496281.6080308@noaa.gov> <49496522.8010202@redhat.com> <4949762D.8080209@noaa.gov> <49497722.5030205@redhat.com> <49497D7A.9030902@noaa.gov>
Message-ID: <49497F05.7060403@redhat.com>

Steve Fletcher wrote:
> That gives me:
> [root at rome fdsldap]# /usr/lib64/mozldap/ldapsearch -h rome.protect.nssl -D "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" -w "Mypassword" -s base -b "" "objectclass=*"
> ldapsearch: Password will expire in 0 seconds
> ldapsearch: Password has been reset by an administrator; you must change it.
> ldap_search: DSA is unwilling to perform
>
> That is likely because I reset the password to get past the invalid credentials problem when trying to run setup-ds-admin.pl -u
> For the ldapsearch below and to reset the adm password I used -D "cn=Directory Manager". So for the next question: How do I change it or unset the password expiration stuff which I never intended to be applied to the admin server by command line.
Change the passwordExpirationTime in that entry:

ldapmodify -x -h rome.protect.nssl -D "cn=directory manager" -w thepassword
dn: uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
changetype: modify
replace: passwordExpirationTime
passwordExpirationTime: 20380101000000Z

Will change the password so that it expires in 2038
>
> Rich Megginson wrote:
>> Steve Fletcher wrote:
>>> Yes I can query these using ldapsearch.
>>> dn: cn=user, cn=defaultObjectClassesContainer, ou=1.1, ou=Admin, ou=Global Preferences, ou=protect.nssl, o=NetscapeRoot ...
>>>
>>> Using fedora-idm-console -D ldap I get:
>>> Ldap Connection rome.protect.nssl:389
>>> 15:07:49.301 ldc=0 Connected to ldap://rome.protect.nssl:389
>>> 15:07:49.318 ldc=0 op=1 BindRequest {version=3, name=uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot, authentication=********}
>>> 15:07:49.340 ldc=0 op=1 BindResponse {resultCode=0} {PasswordExpiredCtrl: isCritical=false msg=0} {PasswordExpiringCtrl: isCritical=false msg=0}
>>> Ldap Connection (null):389 ...
>>>
>>> and adm.conf has:
>>> ldapurl: ldap://rome.protect.nssl:389/o=NetscapeRoot
>>>
>>> On several following entries I saw:
>>> 15:49:04.089 ldc=0 op=2 SearchRequest {baseObject=cn=user, cn=DefaultObjectClassesContainer,ou=1.1, ou=admin, ou=Global Preferences, ou=protect.nssl, o=NetscapeRoot, scope=0, derefAliases=0,sizeLimit=1000, timeLimit=0, attrsOnly=false, filter=(|(objectclass=*)(objectclass=ldapsubentry)), attributes=null}
>>> 15:49:04.093 ldc=0 op=2 SearchResult {resultCode=53} {PasswordExpiredCtrl: isCritical=false msg=0}
>>> Is this telling me a password has expired?
>> Yes, I believe so. What happens if you do
>> /usr/lib/mozldap/ldapsearch -h rome.protect.nssl -D "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" -w yourpassword -s base -b "" "objectclass=*"
>> ?
>>>
>>>
>>> Rich Megginson wrote:
>>>>>
>>>>> Console: cannot connect to the user database
>>>>> Console: Cannot open: cn=user, cn=DefaultObjectClassesContainer,ou=1.1, ou=admin, ou=Global Preferences, ou=protect.nssl, o=NetscapeRoot
>>>>> Console: Cannot open cn=group, cn=DefaultObjectClassesContainer,ou=1.1, ou=admin, ou=Global Preferences, ou=protect.nssl, o=NetscapeRoot
>>>>> Console: Cannot open cn=OU, cn=DefaultObjectClassesContainer,ou=1.1, ou=admin, ou=Global Preferences, ou=protect.nssl, o=NetscapeRoot
>>>> Why can't it find these entries? Is it connecting to the wrong LDAP server? Can you query these entries using ldapsearch?
>>>>
>>>> Use fedora-idm-console -D ldap to see what LDAP connections it is making.
>>>>
>>>> It should be trying to use the server from ldapurl in /etc/dirsrv/admin-serv/adm.conf
>>>>> Console: Cannot open cn=ResourceEditorExtension,ou=1.1, ou=admin, ou=Global Preferences, ou=protect.nssl, o=NetscapeRoot
>>>>>
>>>>
>>>
>>
>

From Steve.Fletcher at noaa.gov  Wed Dec 17 23:02:26 2008
From: Steve.Fletcher at noaa.gov (Steve Fletcher)
Date: Wed, 17 Dec 2008 17:02:26 -0600
Subject: [Fedora-directory-users] fedora-idm-console problem
In-Reply-To: <49497F05.7060403@redhat.com>
References: <4948104D.5030905@noaa.gov> <49482BE7.2030708@redhat.com> <4949414C.8070505@noaa.gov> <49494313.6000001@redhat.com> <4949598F.1030401@noaa.gov> <49495E6F.2030708@redhat.com> <49496281.6080308@noaa.gov> <49496522.8010202@redhat.com> <4949762D.8080209@noaa.gov> <49497722.5030205@redhat.com> <49497D7A.9030902@noaa.gov> <49497F05.7060403@redhat.com>
Message-ID: <49498502.5040002@noaa.gov>

OK. That removed the expiration.
Which allowed me to run setup-ds-admin.pl -u, which fixed the original problem with fedora-idm-console.

Thanks much for all your help and patience!!

Steve

Rich Megginson wrote:
> Steve Fletcher wrote:
>> That gives me:
>> [root at rome fdsldap]# /usr/lib64/mozldap/ldapsearch -h rome.protect.nssl -D "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" -w "Mypassword" -s base -b "" "objectclass=*"
>> ldapsearch: Password will expire in 0 seconds
>> ldapsearch: Password has been reset by an administrator; you must change it.
>> ldap_search: DSA is unwilling to perform
>>
>> That is likely because I reset the password to get past the invalid credentials problem when trying to run setup-ds-admin.pl -u
>> For the ldapsearch below and to reset the adm password I used -D "cn=Directory Manager". So for the next question: How do I change it or unset the password expiration stuff which I never intended to be applied to the admin server by command line.
> Change the passwordExpirationTime in that entry:
> ldapmodify -x -h rome.protect.nssl -D "cn=directory manager" -w thepassword
> dn: uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
> changetype: modify
> replace: passwordExpirationTime
> passwordExpirationTime: 20380101000000Z
>
> Will change the password so that it expires in 2038
>>
>> Rich Megginson wrote:
>>> Steve Fletcher wrote:
>>>> Yes I can query these using ldapsearch.
>>>> dn: cn=user, cn=defaultObjectClassesContainer, ou=1.1, ou=Admin, ou=Global Preferences, ou=protect.nssl, o=NetscapeRoot ...
>>>>
>>>> Using fedora-idm-console -D ldap I get:
>>>> Ldap Connection rome.protect.nssl:389
>>>> 15:07:49.301 ldc=0 Connected to ldap://rome.protect.nssl:389
>>>> 15:07:49.318 ldc=0 op=1 BindRequest {version=3, name=uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot, authentication=********}
>>>> 15:07:49.340 ldc=0 op=1 BindResponse {resultCode=0} {PasswordExpiredCtrl: isCritical=false msg=0} {PasswordExpiringCtrl: isCritical=false msg=0}
>>>> Ldap Connection (null):389 ...
>>>>
>>>> and adm.conf has:
>>>> ldapurl: ldap://rome.protect.nssl:389/o=NetscapeRoot
>>>>
>>>> On several following entries I saw:
>>>> 15:49:04.089 ldc=0 op=2 SearchRequest {baseObject=cn=user, cn=DefaultObjectClassesContainer,ou=1.1, ou=admin, ou=Global Preferences, ou=protect.nssl, o=NetscapeRoot, scope=0, derefAliases=0,sizeLimit=1000, timeLimit=0, attrsOnly=false, filter=(|(objectclass=*)(objectclass=ldapsubentry)), attributes=null}
>>>> 15:49:04.093 ldc=0 op=2 SearchResult {resultCode=53} {PasswordExpiredCtrl: isCritical=false msg=0}
>>>> Is this telling me a password has expired?
>>> Yes, I believe so. What happens if you do
>>> /usr/lib/mozldap/ldapsearch -h rome.protect.nssl -D "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" -w yourpassword -s base -b "" "objectclass=*"
>>> ?
>>>>
>>>>
>>>> Rich Megginson wrote:
>>>>>>
>>>>>> Console: cannot connect to the user database
>>>>>> Console: Cannot open: cn=user, cn=DefaultObjectClassesContainer,ou=1.1, ou=admin, ou=Global Preferences, ou=protect.nssl, o=NetscapeRoot
>>>>>> Console: Cannot open cn=group, cn=DefaultObjectClassesContainer,ou=1.1, ou=admin, ou=Global Preferences, ou=protect.nssl, o=NetscapeRoot
>>>>>> Console: Cannot open cn=OU, cn=DefaultObjectClassesContainer,ou=1.1, ou=admin, ou=Global Preferences, ou=protect.nssl, o=NetscapeRoot
>>>>> Why can't it find these entries?
>>>>> Is it connecting to the wrong LDAP server? Can you query these entries using ldapsearch?
>>>>>
>>>>> Use fedora-idm-console -D ldap to see what LDAP connections it is making.
>>>>>
>>>>> It should be trying to use the server from ldapurl in /etc/dirsrv/admin-serv/adm.conf
>>>>>> Console: Cannot open cn=ResourceEditorExtension,ou=1.1, ou=admin, ou=Global Preferences, ou=protect.nssl, o=NetscapeRoot
>>>>>>
>>>>>
>>>>
>>>
>>
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From g.digiambelardini at fabaris.it  Thu Dec 18 15:00:54 2008
From: g.digiambelardini at fabaris.it (Gabriele Di Giambelardini)
Date: Thu, 18 Dec 2008 16:00:54 +0100
Subject: [Fedora-directory-users] big problem with password length
Message-ID: <71603E84EF22B548B5DFA20DB0420B0022315FECB9@exch-srv.fabaris.lan>

Hi to all,
I have a big problem with my fedora-ds-1.0.4-1.RHEL4, my passwords are "CRYPT".

The problem:

When I change the password of one user, e.g. 123456789, fedora-ds registers only the first 8 characters. So if I try to log in it is sufficient to write the password 12345678; the last character isn't necessary.

How can I force fedora-ds to register all my password characters?

Thanks....

From rlarson at usgs.gov  Thu Dec 18 15:09:06 2008
From: rlarson at usgs.gov (Richard Larson)
Date: Thu, 18 Dec 2008 09:09:06 -0600
Subject: [Fedora-directory-users] multi-master ports
Message-ID:

Guys; I'll proffer this question, knowing the answer is staring me right in the face somewhere.

How do you get multi-masters to monitor the same port, i.e. 389 or 636 for SSL?

Every time I try to change the port on the second server to 389 it will not start, stating that the port is already in use?

Thanks in advance

Rich Larson

Do not wait to strike till the iron is hot; but make it hot by striking. -- William B.
Sprague

From pengle at rice.edu  Thu Dec 18 17:30:59 2008
From: pengle at rice.edu (Paul Engle)
Date: Thu, 18 Dec 2008 11:30:59 -0600
Subject: [Fedora-directory-users] big problem with password length
In-Reply-To: <71603E84EF22B548B5DFA20DB0420B0022315FECB9@exch-srv.fabaris.lan>
References: <71603E84EF22B548B5DFA20DB0420B0022315FECB9@exch-srv.fabaris.lan>
Message-ID: <53060BB92DB4E78569D44932@[10.67.48.173]>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --On Thursday, December 18, 2008 4:00 PM +0100 Gabriele Di Giambelardini wrote:

> Hi to all,
> I have a big problem with my fedora-ds-1.0.4-1.RHEL4, my passwords are "CRYPT".
>
> The problem:
>
> When I change the password of one user, e.g. 123456789, fedora-ds registers only the first 8 characters. So if I try to log in it is sufficient to write the password 12345678; the last character isn't necessary.
>
> How can I force fedora-ds to register all my password characters?
>
>
> Thanks....
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

Traditional unix CRYPT limits password length to 8 characters. In order to use longer passwords, you have to use a different encryption algorithm.

-paul

- --
Paul D. Engle | Rice University
Sr.
Systems Administrator, RHCE | Information Technology - MS119
713-348-4702 | PO Box 1892
pengle at rice.edu | Houston, TX 77251-1892
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFJSojTCpkISWtyHNsRAtc6AKD1NPgUthGf36uWvRDUkYn4/LM6WwCfcaaS
cRABxE2WEJAMlmdboC9JgSs=
=VECu
-----END PGP SIGNATURE-----

From gholbert at broadcom.com  Thu Dec 18 18:17:17 2008
From: gholbert at broadcom.com (George Holbert)
Date: Thu, 18 Dec 2008 10:17:17 -0800
Subject: [Fedora-directory-users] multi-master ports
In-Reply-To:
References:
Message-ID: <494A93AD.6030306@broadcom.com>

>
> Every time I try to change the port on the second server to 389 it will not start, stating that the port is already in use?

Do you mean you're trying to set the secure (LDAPS) port to 389?
That won't work unless you first set your standard LDAP port to something other than 389, and restart the server.
But, I don't think you'd want to do that. What are you trying to do?

Richard Larson wrote:
>
> Guys; I'll proffer this question, knowing the answer is staring me right in the face somewhere.
>
> How do you get multi-masters to monitor the same port, i.e. 389 or 636 for SSL?
>
> Every time I try to change the port on the second server to 389 it will not start, stating that the port is already in use?
>
> Thanks in advance
>
> Rich Larson
>
> Do not wait to strike till the iron is hot; but make it hot by striking. -- William B. Sprague
>

From abdellah.alaoui2006 at gmail.com  Thu Dec 25 12:22:58 2008
From: abdellah.alaoui2006 at gmail.com (Abdellah Alaoui Ismaili)
Date: Thu, 25 Dec 2008 12:22:58 +0000
Subject: [Fedora-directory-users] config of SSL on ADs and FDS
Message-ID: <69c6e0a70812250422n32ec4e8cu7c4cc5a951aa9390@mail.gmail.com>

Can someone provide me with detailed documents on sharing certificates between MS Active Directory and Fedora Directory Server, because the connection via port 636 does not want to work.
I have this error in the log file of Windows Sync:
12/25/08 11:48:28: Backoff time expired. Attempting sync
12/25/08 11:48:28: Password list has 6 entries
12/25/08 11:48:28: Ldap bind error in Connect 81: Can't contact LDAP server
12/25/08 11:48:28: Can not connect to ldap server in SyncPasswords
12/25/08 11:48:28: Backing off for 16000ms

But with port 389 it synchronizes this information; the password, however, does not want to be synchronized.
Can you help me, please?

From tscherf at redhat.com  Thu Dec 25 14:47:34 2008
From: tscherf at redhat.com (Thorsten Scherf)
Date: Thu, 25 Dec 2008 15:47:34 +0100
Subject: [Fedora-directory-users] config of SSL on ADs and FDS
In-Reply-To: <69c6e0a70812250422n32ec4e8cu7c4cc5a951aa9390@mail.gmail.com>
References: <69c6e0a70812250422n32ec4e8cu7c4cc5a951aa9390@mail.gmail.com>
Message-ID: <49539D06.60604@redhat.com>

Abdellah Alaoui Ismaili wrote:
> Can someone provide me with detailed documents on sharing certificates between MS Active Directory and Fedora Directory Server, because the connection via port 636 does not want to work.
> I have this error in the log file of Windows Sync.

Have you enabled TLS on FDS and ADS? PasswordSync without TLS doesn't work.

From abdellah.alaoui2006 at gmail.com  Thu Dec 25 16:27:47 2008
From: abdellah.alaoui2006 at gmail.com (Abdellah Alaoui Ismaili)
Date: Thu, 25 Dec 2008 16:27:47 +0000
Subject: [Fedora-directory-users] config of SSL on ADs and FDS
In-Reply-To: <49539D06.60604@redhat.com>
References: <69c6e0a70812250422n32ec4e8cu7c4cc5a951aa9390@mail.gmail.com> <49539D06.60604@redhat.com>
Message-ID: <69c6e0a70812250827m33372bf6h28b588e3de2623a9@mail.gmail.com>

For the configuration of SSL in FDS I followed this link 'http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html', and for the configuration of AD I followed the Red Hat Directory Server paper ...
I do not know how to share the same certificate for both directories.
And with an LDAP browser I can check the contents of the directory via port 636.

From cw-news at gmx.de  Sat Dec 27 13:13:04 2008
From: cw-news at gmx.de (cw-news)
Date: Sat, 27 Dec 2008 14:13:04 +0100
Subject: [Fedora-directory-users] Windows Sync and UserprincipalName
Message-ID: <495629E0.4050407@gmx.de>

Hi,

at the moment I am playing with the Windows Sync feature. I would like to sync users from AD -> FDS.
Is it possible to change the existing mapping? I would like to use the Userprincipalname in FDS.

Thanks for any hint or input
carsten

From bbahar3 at gmail.com  Sun Dec 28 07:27:10 2008
From: bbahar3 at gmail.com (Eric)
Date: Sun, 28 Dec 2008 10:57:10 +0330
Subject: [Fedora-directory-users] users multiaccess
Message-ID: <38a27c8c0812272327o6846c448j4c86df326556d588@mail.gmail.com>

Hi.
There is a RADIUS server that uses Fedora DS for authentication and authorization of its VPN users. In Fedora DS the users' access attribute is set to 1, but users can have multi-access. How does LDAP check multi-access? Is there another thing that affects this attribute?
From abdellah.alaoui2006 at gmail.com  Sun Dec 28 09:51:55 2008
From: abdellah.alaoui2006 at gmail.com (Abdellah Alaoui Ismaili)
Date: Sun, 28 Dec 2008 09:51:55 +0000
Subject: Fwd: [Fedora-directory-users] config of SSL on ADs and FDS
In-Reply-To: <69c6e0a70812250827m33372bf6h28b588e3de2623a9@mail.gmail.com>
References: <69c6e0a70812250422n32ec4e8cu7c4cc5a951aa9390@mail.gmail.com> <49539D06.60604@redhat.com> <69c6e0a70812250827m33372bf6h28b588e3de2623a9@mail.gmail.com>
Message-ID: <69c6e0a70812280151k1e4be396o5bd5c30d3e97c597@mail.gmail.com>

---------- Forwarded message ----------
From: Abdellah Alaoui Ismaili
Date: 2008/12/25
Subject: Re: [Fedora-directory-users] config of SSL on ADs and FDS
To: fedora-directory-users at redhat.com

For the configuration of SSL in FDS I followed this link 'http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html', and for the configuration of AD I followed the Red Hat Directory Server paper ...
I do not know how to share the same certificate for both directories.
And with an LDAP browser I can check the contents of the directory via port 636.

From tscherf at redhat.com  Sun Dec 28 10:04:45 2008
From: tscherf at redhat.com (Thorsten Scherf)
Date: Sun, 28 Dec 2008 11:04:45 +0100
Subject: Fwd: [Fedora-directory-users] config of SSL on ADs and FDS
In-Reply-To: <69c6e0a70812280151k1e4be396o5bd5c30d3e97c597@mail.gmail.com>
References: <69c6e0a70812250422n32ec4e8cu7c4cc5a951aa9390@mail.gmail.com> <49539D06.60604@redhat.com> <69c6e0a70812250827m33372bf6h28b588e3de2623a9@mail.gmail.com> <69c6e0a70812280151k1e4be396o5bd5c30d3e97c597@mail.gmail.com>
Message-ID: <49574F3D.6010200@redhat.com>

Abdellah Alaoui Ismaili wrote:
> For the configuration of SSL in FDS I followed this link
> 'http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html',
> and for the configuration of AD I followed the Red Hat Directory Server paper ...
> I do not know how to share the same certificate for both directories.
> And with an LDAP browser I can check the contents of the directory via port 636.

You find all relevant information on this page:
http://directory.fedoraproject.org/wiki/Howto:SSL

From morenisco at noc-root.net  Sun Dec 28 19:12:41 2008
From: morenisco at noc-root.net (Morenisco)
Date: Sun, 28 Dec 2008 16:12:41 -0300
Subject: [Fedora-directory-users] FDS 1.1 is not starting on CentOS 5
Message-ID: <4957CFA9.1010809@noc-root.net>

Hi,

I was able to install and configure FDS 1.1 on CentOS 5, but in the latest step of the configuration, the service doesn't start.

1) I saw the following messages in the last part of the installation:

Are you ready to set up your servers? [yes]:
Creating directory server . . .
Server failed to start !!! Please check errors log for problems
Could not start the directory server using command '/usr/lib/dirsrv/slapd-dirserver1/start-slapd'. The last line from the error log was '[28/Dec/2008:11:18:14 -0300] - Fedora-Directory/1.1.3 B2008.269.157 starting up '. Error: Unknown error 256
Error: Could not create directory server instance 'dirserver1'.
Exiting . . .
Log file is '/tmp/setupRikE7Y.log'

2) The error log just says the following:

[28/Dec/2008:12:41:07 -0300] - Fedora-Directory/1.1.3 B2008.269.157 starting up

3) The log file /tmp/setupRikE7Y.log says the following:

[08/12/28:11:13:10] - [Setup] Info Are you ready to set up your servers?
[08/12/28:11:13:16] - [Setup] Info yes
[08/12/28:11:13:16] - [Setup] Info Creating directory server . . .
[08/12/28:11:23:18] - [Setup] Info Could not start the directory server using command '/usr/lib/dirsrv/slapd-dirserver1/start-slapd'. The last line from the error log was '[28/Dec/2008:11:18:14 -0300] - Fedora-Directory/1.1.3 B2008.269.157 starting up '. Error: Unknown error 256
[08/12/28:11:23:18] - [Setup] Fatal Error: Could not create directory server instance 'dirserver1'.
[08/12/28:11:23:18] - [Setup] Fatal Exiting . . .
Well, I'm using the user 'nobody' and group 'nobody'.

4) When I try to run the command by hand as root, I get the same:

[root at dirserver1 slapd-dirserver1]# pwd
/usr/lib/dirsrv/slapd-dirserver1
[root at dirserver1 slapd-dirserver1]# ./start-slapd
Server failed to start !!! Please check errors log for problems

5) Running the command with sh -x, I got the line where the command is not starting:

+ cd /usr/sbin
+ ./ns-slapd -D /etc/dirsrv/slapd-dirserver1 -i /var/run/dirsrv/slapd-dirserver1.pid -w /var/run/dirsrv/slapd-dirserver1.startpid

6) Running the last command by hand:

[root at dirserver1 sbin]# ./ns-slapd -D /etc/dirsrv/slapd-dirserver1 -i /var/run/dirsrv/slapd-dirserver1.pid -w /var/run/dirsrv/slapd-dirserver1.startpid
[root at dirserver1 sbin]#
[root at dirserver1 sbin]# ps -fea | grep slapd
root 6893 6729 0 12:55 pts/3 00:00:00 grep slapd

==> this is not starting.

7) Trying the same, but with trace level:

./ns-slapd -d 1 -D /etc/dirsrv/slapd-dirserver1 -i /var/run/dirsrv/slapd-dirserver1.pid -w /var/run/dirsrv/slapd-dirserver1.startpid
[28/Dec/2008:12:58:18 -0300] - <= send_ldap_result
[28/Dec/2008:12:58:18 -0300] - Fedora-Directory/1.1.3 B2008.269.157 starting up
Failed to open stats file (/var/run/dirsrv/slapd-dirserver1.stats) (error 1).

Then, the binary ns-slapd is not creating the file /var/run/dirsrv/slapd-dirserver1.stats (I think).

8) Some details of the binary and my kernel version:

[root at dirserver1 sbin]# file ns-slapd
ns-slapd: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped
[root at dirserver1 sbin]#
[root at dirserver1 sbin]# uname -a
Linux dirserver1.cdsl.cl 2.6.18-92.el5 #1 SMP Tue Jun 10 18:49:47 EDT 2008 i686 i686 i386 GNU/Linux

Could it be related to the difference of the kernel version?

Thanks!

--
Morenisco.
Centro de Difusión del Software Libre.
http://www.cdsl.cl
http://santiago.flisol.cl
Blog: http://morenisco.belvil.eu

From morenisco at noc-root.net  Sun Dec 28 22:48:05 2008
From: morenisco at noc-root.net (Morenisco)
Date: Sun, 28 Dec 2008 19:48:05 -0300
Subject: [Fedora-directory-users] FDS 1.1 is not starting on Fedora 10
Message-ID: <49580225.2030502@noc-root.net>

Hi,

I tried with Fedora 10 and FDS 1.1, but it appears that I'm experiencing the same problem described in my last email.

The installation looks good, but in the last part, when trying to start the server, it fails:

The interactive phase is complete. The script will now set up your servers. Enter No or go Back if you want to change something.

Are you ready to set up your servers? [yes]:
Creating directory server . . .
Server failed to start !!! Please check errors log for problems

And the error log doesn't contain any error:

[...]

[28/Dec/2008:16:43:21 -0300] - import userRoot: Import complete. Processed 9 entries in 1 seconds. (9.00 entries/sec)
[28/Dec/2008:16:43:21 -0300] - Fedora-Directory/1.1.3 B2008.289.115 starting up

Does someone know what can be failing, please?

Regards.

--
Morenisco.
Centro de Difusión del Software Libre.
http://www.cdsl.cl
http://santiago.flisol.cl
Blog: http://morenisco.belvil.eu

From cw-news at gmx.de  Tue Dec 30 16:17:57 2008
From: cw-news at gmx.de (cw-news)
Date: Tue, 30 Dec 2008 17:17:57 +0100
Subject: [Fedora-directory-users] FDS 1.1 is not starting on Fedora 10
In-Reply-To: <49580225.2030502@noc-root.net>
References: <49580225.2030502@noc-root.net>
Message-ID: <495A49B5.3060903@gmx.de>

Morenisco wrote:
> Hi,
>
> I tried with Fedora 10 and FDS 1.1, but it appears that I'm experiencing the same problem described in my last email.
>
> The installation looks good, but in the last part, when trying to start the server, it fails:
>
> The interactive phase is complete. The script will now set up your servers. Enter No or go Back if you want to change something.
>
> Are you ready to set up your servers?
> [yes]:
> Creating directory server . . .
> Server failed to start !!! Please check errors log for problems
>
> And the error log doesn't contain any error:
>
> [...]
>
> [28/Dec/2008:16:43:21 -0300] - import userRoot: Import complete. Processed 9 entries in 1 seconds. (9.00 entries/sec)
> [28/Dec/2008:16:43:21 -0300] - Fedora-Directory/1.1.3 B2008.289.115 starting up
>
> Does someone know what can be failing, please?
>
> Regards.
>

Hi,

I have installed 1.1 on CentOS 5 64-bit. I had the same. My error was that the system tried to load the wrong SASL libs. I had "wrong elf version" in /var/log/messages.

After I fixed it, the setup works perfectly.

Could you please check?

Regards
carsten

From morenisco at noc-root.net  Wed Dec 31 02:37:25 2008
From: morenisco at noc-root.net (Morenisco)
Date: Tue, 30 Dec 2008 23:37:25 -0300
Subject: [Fedora-directory-users] FDS 1.1 is not starting on Fedora 10
In-Reply-To: <495A49B5.3060903@gmx.de>
References: <49580225.2030502@noc-root.net> <495A49B5.3060903@gmx.de>
Message-ID: <495ADAE5.8050906@noc-root.net>

cw-news wrote:

[...]
> Hi,
>
> I have installed 1.1 on CentOS 5 64-bit. I had the same. My error was that the system tried to load the wrong SASL libs. I had "wrong elf version" in /var/log/messages.
>
> After I fixed it, the setup works perfectly.
>
> Could you please check?
> Regards
> carsten

Hi,

Unfortunately I don't receive the same message in the /var/log/messages log file; I don't get anything there.
What package/version did you install to fix the issue, please?

Thanks.

--
Morenisco.
Centro de Difusión del Software Libre.
http://www.cdsl.cl
http://santiago.flisol.cl
Blog: http://morenisco.belvil.eu

From jared.griffith at tech-corps.com  Wed Dec 31 06:58:42 2008
From: jared.griffith at tech-corps.com (Jared B. Griffith)
Date: Tue, 30 Dec 2008 22:58:42 -0800 (PST)
Subject: [Fedora-directory-users] Import Existing Wildcard SSL Cert for FDS
Message-ID: <31621809.25691230706722207.JavaMail.root@zimbra1.farheap.com>

How would one import an existing wildcard SSL certificate for use with FDS 1.0.4?

--
- Thank you,
- Jared B. Griffith
- Tech Corps - Lead Systems Administrator
- Email - jared.griffith at tech-corps.com
- Phone 1 - 949.417.1500 ext. 48547
- Phone 2 - 949.417.3700 ext. 48547
- Cell Phone - 949.910.6542
- Fax: 949.271.3647
URL: From cw-news at gmx.de Wed Dec 31 10:37:59 2008 From: cw-news at gmx.de (cw-news) Date: Wed, 31 Dec 2008 11:37:59 +0100 Subject: [Fedora-directory-users] FDS 1.1 is not starting on Fedora 10 In-Reply-To: <495ADAE5.8050906@noc-root.net> References: <49580225.2030502@noc-root.net> <495A49B5.3060903@gmx.de> <495ADAE5.8050906@noc-root.net> Message-ID: <495B4B87.1060002@gmx.de> Morenisco schrieb: > cw-news wrote: > > [...] >> Hi, >> >> I have installed 1.1 on CentOS 5 64-bit. I had something similar. My error >> was that the system tried to load the wrong SASL libs. I had "wrong ELF version" in >> /var/log/messages. >> >> After I fixed it, the setup works perfectly. >> >> Could you please check? >> regards >> carsten > Hi, > > Unfortunately I don't receive the same message in the > /var/log/messages log file, I don't get anything there. > What package/version did you install to fix the issue, please? > > Thanks. > Hi, I had entries like this:
-----------------
messages.1:Dec 25 13:08:33 fds1 ns-slapd: unable to dlopen /usr/lib/sasl/liblogin.so.2: /usr/lib/sasl/liblogin.so.2: wrong ELF class: ELFCLASS32
messages.1:Dec 25 13:08:33 fds1 ns-slapd: unable to dlopen /usr/lib/sasl/libplain.so.2: /usr/lib/sasl/libplain.so.2: wrong ELF class: ELFCLASS32
messages.1:Dec 25 13:08:33 fds1 ns-slapd: unable to dlopen /usr/lib/sasl/libanonymous.so.2: /usr/lib/sasl/libanonymous.so.2: wrong ELF class: ELFCLASS32
------------------------
I had installed - why ever - cyrus-sasl-plain-2.1.22.i386 cyrus-sasl-lib-2.1.22.i386 cyrus-sasl-plain-2.1.22.x86_64 cyrus-sasl-lib-2.1.22.x86_64. In /usr/lib/sasl/ were the i386 versions; I removed the complete folder and it works perfectly. I have installed the following FDS packages: fedora-idm-console-1.1.1.x86_64 fedora-ds-1.1.2.x86_64 fedora-ds-console-1.1.2.noarch fedora-ds-admin-1.1.6.x86_64 fedora-ds-admin-console-1.1.2.noarch fedora-ds-base-1.1.3.x86_64 fedora-ds-dsgw-1.1.1.x86_64 I hope that helps. 
regards carsten From jared.griffith at tech-corps.com Tue Dec 30 00:52:17 2008 From: jared.griffith at tech-corps.com (Jared Griffith) Date: Mon, 29 Dec 2008 16:52:17 -0800 Subject: [Fedora-directory-users] Import Existing Wildcart Cert Message-ID: <495970C1.80706@tech-corps.com> How would one import an existing wildcard SSL certificate for use with FDS 1.0.4? -- - Thank you, - Jared B. Griffith - Tech Corps - Lead Systems Administrator - Email - jared.griffith at tech-corps.com - Phone 1 - 949.417.1500 ext. 48547 - Phone 2 - 949.417.3700 ext. 48547 - Cell Phone - 949.910.6542 - Fax: 949.271.3647 -------------- next part -------------- An HTML attachment was scrubbed... URL:
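The "wrong ELF class: ELFCLASS32" lines Carsten quotes from /var/log/messages are the 64-bit ns-slapd refusing to dlopen() 32-bit SASL plugins from a multilib install, and, as Morenisco found, nothing about it reaches the directory server's own errors log. The script below is an added example, not code from this thread or from Fedora DS: it reads the EI_CLASS byte (offset 4) of each shared object's ELF header and reports any plugin whose class differs from the ns-slapd binary that will load it. Only the plugin path /usr/lib/sasl appears in the thread; the ns-slapd location /usr/sbin/ns-slapd and the 64-bit plugin directory /usr/lib64/sasl2 in the usage line are assumptions for the reader to adjust.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of Fedora DS.
# Reports SASL plugin shared objects whose ELF class (32- vs 64-bit)
# does not match the ns-slapd binary that would dlopen() them.
#
# Usage (paths are assumptions, adjust for your system):
#   sh elfclass-check.sh /usr/sbin/ns-slapd /usr/lib64/sasl2

# elf_class FILE
# Prints 32 or 64 and returns 0 for an ELF file; prints not-elf and
# returns 1 otherwise. Bytes 0-3 are the magic "\177ELF", byte 4 is
# EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64.
elf_class() {
    f=$1
    # First five bytes as unsigned decimal, split into $1..$5.
    set -- $(od -An -tu1 -N5 "$f" 2>/dev/null)
    if [ "$#" -lt 5 ] || [ "$1" != 127 ] || [ "$2" != 69 ] || \
       [ "$3" != 76 ] || [ "$4" != 70 ]; then
        echo not-elf
        return 1
    fi
    case "$5" in
        1) echo 32 ;;
        2) echo 64 ;;
        *) echo not-elf; return 1 ;;
    esac
}

# check_sasl_plugins NS_SLAPD_BINARY PLUGIN_DIR
# Prints one line per mismatching plugin. Returns 0 when every ELF
# object in PLUGIN_DIR matches the server's class, 1 when at least one
# does not, 2 when the server binary itself cannot be classified.
check_sasl_plugins() {
    server=$1
    dir=$2
    want=$(elf_class "$server") || {
        echo "cannot read ELF class of $server" >&2
        return 2
    }
    rc=0
    for so in "$dir"/*.so "$dir"/*.so.*; do
        [ -e "$so" ] || continue          # pattern matched nothing
        have=$(elf_class "$so") || continue   # skip .la files and the like
        if [ "$have" != "$want" ]; then
            echo "$so: ELFCLASS$have plugin, but $server is ELFCLASS$want"
            rc=1
        fi
    done
    return $rc
}

# Run the check only when invoked with both arguments, so the functions
# can also be sourced from another script.
if [ "$#" -eq 2 ]; then
    check_sasl_plugins "$1" "$2"
fi
```

A non-zero exit with lines naming plugins reproduces Carsten's situation without waiting for the server to fail. The cleanup he did by deleting /usr/lib/sasl wholesale leaves the RPM database claiming files that no longer exist; on a multilib system the tidier fix is to remove the 32-bit packages themselves (for example `rpm -e cyrus-sasl-plain.i386 cyrus-sasl-lib.i386`, assuming no 32-bit program on the host needs them), then re-run the check.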
