From kmarsh at gdrs.com Wed Jan 2 15:35:08 2008
From: kmarsh at gdrs.com (Ken Marsh)
Date: Wed, 2 Jan 2008 10:35:08 -0500
Subject: [Fedora-directory-users] Setting up 1.0.4-1 x86_64 on RHES5 64-bit
In-Reply-To: <20071221170007.053747355E@hormel.redhat.com>
References: <20071221170007.053747355E@hormel.redhat.com>
Message-ID: <5AD9B0E562FEFB4E933861904D7135C5688671@gdrs-exchange.gdrs.com>

Hi,

Happy New Year's, everyone!

Re: my 12/21 e-mail (Issue 35), does anyone have any clue as to the
missing files in /opt/fedora-ds/admin-serv/modules , or where to set
%%%module_dir%%% ? I need to get this server up and running.

Thanks,
Ken.

From kirankmadala at hotmail.com Wed Jan 2 15:45:03 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Wed, 2 Jan 2008 11:45:03 -0400
Subject: [Fedora-directory-users] Windows console
Message-ID:

Hi,

The windows console for 1.1 server does not work it gives me this error

F:\Program Files\Fedora Identity Management Console>echo off
The Java Runtime Environment is installed on this machine, but the
command java.exe is not in your PATH. You can either make sure java.exe
is in the PATH, or edit this script to set JAVA to the full path of
java.exe
Press any key to continue . . .

All my java programs work. The java in my class path and also in my
registry . Any idea what's causing the problem?

From jazcek at scs.fsu.edu Wed Jan 2 16:36:25 2008
From: jazcek at scs.fsu.edu (Jazcek Braden)
Date: Wed, 02 Jan 2008 11:36:25 -0500
Subject: [Fedora-directory-users] Setting up 1.0.4-1 x86_64 on RHES5 64-bit
In-Reply-To: <5AD9B0E562FEFB4E933861904D7135C5688671@gdrs-exchange.gdrs.com>
References: <20071221170007.053747355E@hormel.redhat.com> <5AD9B0E562FEFB4E933861904D7135C5688671@gdrs-exchange.gdrs.com>
Message-ID: <477BBD89.2090906@scs.fsu.edu>

It looks like that was a variable that was supposed to be replaced by
rpm installer and failed for some reason.

I would just go to /opt/fedora-ds/admin-serv/config

then type

    cat httpd.conf | sed s/'%%%module_dir%%%'/'modules'/ > httpd.conf.new

Ken Marsh wrote:
> Hi,
>
> Happy New Year's, everyone!
>
> Re: my 12/21 e-mail (Issue 35), does anyone have any clue as to the
> missing files in /opt/fedora-ds/admin-serv/modules , or where to set
> %%%module_dir%%% ? I need to get this server up and running.
>
> Thanks,
> Ken.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
Jazcek Braden
System Administrator
431 Dirac Science Library
Florida State University
Tallahassee, FL 32306-4120
Phone 850-644-6490

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From kmarsh at gdrs.com Wed Jan 2 19:11:56 2008
From: kmarsh at gdrs.com (Ken Marsh)
Date: Wed, 2 Jan 2008 14:11:56 -0500
Subject: [Fedora-directory-users] Setting up 1.0.4-1 x86_64 on RHES5 64-bit
In-Reply-To: <20080102170006.AE9F073715@hormel.redhat.com>
References: <20080102170006.AE9F073715@hormel.redhat.com>
Message-ID: <5AD9B0E562FEFB4E933861904D7135C56886A5@gdrs-exchange.gdrs.com>

Jazcek,

Thanks for your help.

The sed I ended up with is:

    cd /opt/fedora-ds/admin-serv/config
    sed 's#%%%module_dir%%%#/opt/fedora-ds/admin-serv#' httpd.conf.unconfigured > httpd.conf

This fixed the httpd.conf file, but I still don't have any http server
modules. This is the start-admin error now:

httpd.worker: Syntax error on line 128 of
/opt/fedora-ds/admin-serv/config/httpd.conf: Cannot load
/opt/fedora-ds/admin-serv/modules/mod_access.so into server:
/opt/fedora-ds/admin-serv/modules/mod_access.so: cannot open shared
object file: No such file or directory

Indeed the modules directory is still empty. I did an rpm2cpio on the
fedora-ds-1.0.4-1.FC6.x86_64.opt.rpm file, and there is no mod_access.so
file (or other apache modules) inside. Is this an oversight, or are they
generated during install and that part of the rpm failed, or am I
supposed to acquire them elsewhere?

Thanks,
Ken.

From jazcek at scs.fsu.edu Wed Jan 2 19:55:15 2008
From: jazcek at scs.fsu.edu (Jazcek Braden)
Date: Wed, 02 Jan 2008 14:55:15 -0500
Subject: [Fedora-directory-users] Setting up 1.0.4-1 x86_64 on RHES5 64-bit
In-Reply-To: <5AD9B0E562FEFB4E933861904D7135C56886A5@gdrs-exchange.gdrs.com>
References: <20080102170006.AE9F073715@hormel.redhat.com> <5AD9B0E562FEFB4E933861904D7135C56886A5@gdrs-exchange.gdrs.com>
Message-ID: <477BEC23.3030904@scs.fsu.edu>

Well all that stuff is done via the setup script, those files are copied
from your install of apache which is hopefully already installed and you
specified correctly the location when asked. If not try reinstalling
apache and then rerunning the setup script (/opt/fedora-ds/setup/setup)
and specifying the location to the apache files.

--
Jazcek

Ken Marsh wrote:
> Jazcek,
>
> Thanks for your help.
>
> The sed I ended up with is:
>
> cd /opt/fedora-ds/admin-serv/config
> sed 's#%%%module_dir%%%#/opt/fedora-ds/admin-serv#'
> httpd.conf.unconfigured > httpd.conf
>
> This fixed the httpd.conf file, but I still don't have any http server
> modules.
> This is the start-admin error now:
>
> httpd.worker: Syntax error on line 128 of
> /opt/fedora-ds/admin-serv/config/httpd.conf: Cannot load
> /opt/fedora-ds/admin-serv/modules/mod_access.so into server:
> /opt/fedora-ds/admin-serv/modules/mod_access.so: cannot open shared
> object file: No such file or directory
>
> Indeed the modules directory is still empty. I did an rpm2cpio on the
> fedora-ds-1.0.4-1.FC6.x86_64.opt.rpm file, and there is no mod_access.so
> file (or other apache modules) inside. Is this an oversight, or are they
> generated during install and that part of the rpm failed, or am I
> supposed to acquire them elsewhere?
>
> Thanks,
> Ken.

--
Jazcek Braden
System Administrator
431 Dirac Science Library
Florida State University
Tallahassee, FL 32306-4120
Phone 850-644-6490

From wpfontenot at cox.net Wed Jan 2 21:06:39 2008
From: wpfontenot at cox.net (Paul Fontenot)
Date: Wed, 02 Jan 2008 14:06:39 -0700
Subject: [Fedora-directory-users] getent?
Message-ID: <1199307999.31506.8.camel@squid.fontenotshome.org.fontenotshome.org>

Hi,

I've searched high and low and found a couple references to the problem I
have but no solutions.

If I issue 'getent passwd' I can see all the ldap users, if I issue a
getent group I cannot see any of the ldap groups. When I log into one of
my linux boxes I get 'id: cannot find name for group ID 500' (500 is an
ldap group).

What would cause this issue? I've been beating my head against it for a
couple days and decided to turn to the experts.

Thanks,

Paul

From abliss at brockport.edu Wed Jan 2 21:11:38 2008
From: abliss at brockport.edu (Aaron Bliss)
Date: Wed, 02 Jan 2008 16:11:38 -0500
Subject: [Fedora-directory-users] getent?
In-Reply-To: <1199307999.31506.8.camel@squid.fontenotshome.org.fontenotshome.org>
References: <1199307999.31506.8.camel@squid.fontenotshome.org.fontenotshome.org>
Message-ID: <477BFE0A.6030905@brockport.edu>

Paul,
You probably need to assign a gidnumber (posixgroup attribute) to your
primary ldap group. I've noticed that linux boxes only recognize group
memberships for groups that have gid's.

Aaron

Paul Fontenot wrote:
> Hi,
>
> I've searched high and low and found a couple references to the problem I
> have but no solutions.
>
> If I issue 'getent passwd' I can see all the ldap users, if I issue a
> getent group I cannot see any of the ldap groups. When I log into one of
> my linux boxes I get 'id: cannot find name for group ID 500' (500 is an
> ldap group).
>
> What would cause this issue? I've been beating my head against it for a
> couple days and decided to turn to the experts.
>
> Thanks,
>
> Paul

--
Aaron Bliss
Systems Administrator
SUNY Brockport
(585) 395-2417

From wpfontenot at cox.net Wed Jan 2 21:21:38 2008
From: wpfontenot at cox.net (Paul Fontenot)
Date: Wed, 02 Jan 2008 14:21:38 -0700
Subject: [Fedora-directory-users] getent?
In-Reply-To: <477BFE0A.6030905@brockport.edu>
References: <1199307999.31506.8.camel@squid.fontenotshome.org.fontenotshome.org> <477BFE0A.6030905@brockport.edu>
Message-ID: <1199308898.3678.3.camel@squid.fontenotshome.org.fontenotshome.org>

Thanks Aaron,

That's what has me stumped, the GID is there (that's the 500). I guess
what has me confused is I can't figure out how to tie that number to a
group and have it show in the getent group query.

-Paul

On Wed, 2008-01-02 at 16:11 -0500, Aaron Bliss wrote:
> Paul,
> You probably need to assign a gidnumber (posixgroup attribute) to your
> primary ldap group.
> I've noticed that linux boxes only recognize group
> memberships for groups that have gid's.
>
> Aaron

From abliss at brockport.edu Wed Jan 2 21:27:25 2008
From: abliss at brockport.edu (Aaron Bliss)
Date: Wed, 02 Jan 2008 16:27:25 -0500
Subject: [Fedora-directory-users] getent?
In-Reply-To: <1199308898.3678.3.camel@squid.fontenotshome.org.fontenotshome.org>
References: <1199307999.31506.8.camel@squid.fontenotshome.org.fontenotshome.org> <477BFE0A.6030905@brockport.edu> <1199308898.3678.3.camel@squid.fontenotshome.org.fontenotshome.org>
Message-ID: <477C01BD.1060405@brockport.edu>

An HTML attachment was scrubbed...

From ian at ikel.id.au Wed Jan 2 21:29:42 2008
From: ian at ikel.id.au (Ian Blackwell)
Date: Thu, 03 Jan 2008 07:59:42 +1030
Subject: [Fedora-directory-users] Windows console
In-Reply-To:
References:
Message-ID: <477C0246.5090907@ikel.id.au>

Hi,

This happened to me as well. I think the installer can't cope with or
doesn't look for Java in your "Program Files" area, which is where you
will find the newer Javas 1.6. Edit the .bat file and set the Java
variable yourself and it should work from then on.

Regards,
Ian

kiran madala wrote:
> Hi,
>
> The windows console for 1.1 server does not work it gives me this error
>
> F:\Program Files\Fedora Identity Management Console>echo off
> The Java Runtime Environment is installed on this machine, but the
> command java.exe is not in your PATH. You can either make sure java.exe
> is in the PATH, or edit this script to set JAVA to the full path of
> java.exe
> Press any key to continue . . .
>
> All my java programs work. The java in my class path and also in my
> registry . Any idea what's causing the problem?

From wpfontenot at cox.net Wed Jan 2 21:40:27 2008
From: wpfontenot at cox.net (Paul Fontenot)
Date: Wed, 02 Jan 2008 14:40:27 -0700
Subject: [Fedora-directory-users] getent?
In-Reply-To: <477C01BD.1060405@brockport.edu>
References: <1199307999.31506.8.camel@squid.fontenotshome.org.fontenotshome.org> <477BFE0A.6030905@brockport.edu> <1199308898.3678.3.camel@squid.fontenotshome.org.fontenotshome.org> <477C01BD.1060405@brockport.edu>
Message-ID: <1199310027.3678.8.camel@squid.fontenotshome.org.fontenotshome.org>

I'm *assuming* you mean somewhere other than here (in the attached png
file). When I go to create the group and attempt to add the posixgroup
object class I do not see that option anywhere - lots of other things
though. I will go back to hunting the information on the fedora site as
well.

Thanks for the help,

-Paul

On Wed, 2008-01-02 at 16:27 -0500, Aaron Bliss wrote:
> Paul,
> You have to create a group in ldap, then add the posixgroup object
> class. If you do this thru the admin console, you will then see a
> text box appear called gidnumber. In that box enter whatever gid you
> wish to use.
>
> Aaron
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Posix.png
Type: image/png
Size: 9747 bytes
Desc: not available

From satish at suburbia.org.au Wed Jan 2 21:41:51 2008
From: satish at suburbia.org.au (Satish Chetty)
Date: Wed, 02 Jan 2008 16:41:51 -0500
Subject: [Fedora-directory-users] getent?
In-Reply-To: <1199307999.31506.8.camel@squid.fontenotshome.org.fontenotshome.org>
References: <1199307999.31506.8.camel@squid.fontenotshome.org.fontenotshome.org>
Message-ID: <477C051F.3010904@suburbia.org.au>

Make sure you've added the objectclass 'posixgroup' to the ldap group.
Also, you might also have to add the objectclass shadowAccount in case
of AIX (forget which version).

-Satish.

Paul Fontenot wrote:
> Hi,
>
> I've searched high and low and found a couple references to the problem I
> have but no solutions.
>
> If I issue 'getent passwd' I can see all the ldap users, if I issue a
> getent group I cannot see any of the ldap groups. When I log into one of
> my linux boxes I get 'id: cannot find name for group ID 500' (500 is an
> ldap group).
>
> What would cause this issue? I've been beating my head against it for a
> couple days and decided to turn to the experts.
>
> Thanks,
>
> Paul

From satish at suburbia.org.au Wed Jan 2 21:44:14 2008
From: satish at suburbia.org.au (Satish Chetty)
Date: Wed, 02 Jan 2008 16:44:14 -0500
Subject: [Fedora-directory-users] getent?
In-Reply-To: <1199310027.3678.8.camel@squid.fontenotshome.org.fontenotshome.org>
References: <1199307999.31506.8.camel@squid.fontenotshome.org.fontenotshome.org> <477BFE0A.6030905@brockport.edu> <1199308898.3678.3.camel@squid.fontenotshome.org.fontenotshome.org> <477C01BD.1060405@brockport.edu> <1199310027.3678.8.camel@squid.fontenotshome.org.fontenotshome.org>
Message-ID: <477C05AE.9080606@suburbia.org.au>

Paul,
Go to the group entry. Right click and select 'Advanced properties'.
Click on objectclass and click 'Add Value'. It should list all
objectclasses you can add.

-Satish.

Paul Fontenot wrote:
> I'm *assuming* you mean somewhere other than here (in the attached png
> file). When I go to create the group and attempt to add the posixgroup
> object class I do not see that option anywhere - lots of other things
> though. I will go back to hunting the information on the fedora site as
> well.
>
> Thanks for the help,
>
> -Paul

From kirankmadala at hotmail.com Wed Jan 2 21:49:07 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Wed, 2 Jan 2008 17:49:07 -0400
Subject: [Fedora-directory-users] Windows console
In-Reply-To:
 <477C0246.5090907@ikel.id.au>
References: <477C0246.5090907@ikel.id.au>
Message-ID:

Hi,

Thanks for the reply. Where exactly do I need to set my java variable
path? I set the java path in the .bat file; it's not working. I am not
sure if I did it the right way. Below is my .bat file with changes in
bold.

Thanks in advance

rem
rem This library is free software; you can redistribute it and/or
rem modify it under the terms of the GNU Lesser General Public
rem License as published by the Free Software Foundation version
rem 2.1 of the License.
rem
rem This library is distributed in the hope that it will be useful,
rem but WITHOUT ANY WARRANTY; without even the implied warranty of
rem MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
rem Lesser General Public License for more details.
rem
rem You should have received a copy of the GNU Lesser General Public
rem License along with this library; if not, write to the Free Software
rem Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
rem END COPYRIGHT BLOCK

rem set the JAVA to use here
rem set JAVA=C:\Program Files\Java\jre1.6.0_03\bin\java
if not "%JAVA%foo"=="foo" goto launch

where java > nul 2>&1 || goto findjre
set JAVA=java
goto launch

:findjre
rem look for Java Runtime Environment in registry
reg QUERY "HKLM\SOFTWARE\JavaSoft\Java Runtime Environment" > nul 2>&1 || goto findjdk
rem can we grab the java location from the registry?
rem set JAVA=path\bin\java
rem apparently not, in a batch file
rem goto launch
echo The Java Runtime Environment is installed on this machine, but the
echo command java.exe is not in your PATH. You can either make sure java.exe
echo is in the PATH, or edit this script to set JAVA to the full path of
echo java.exe
pause
goto end

:findjdk
reg QUERY "HKLM\SOFTWARE\JavaSoft\Java Development Kit" > nul 2>&1 || goto nojava
rem can we grab the java location from the registry?
rem set JAVA=path\bin\java
rem goto launch
echo The Java Development Kit is installed on this machine, but the
echo command java.exe is not in your PATH. You can either make sure java.exe
echo is in the PATH, or edit this script to set JAVA to the full path of
echo java.exe
pause
goto end

:nojava
echo Java does not appear to be installed on this machine. Please download and install the Java Runtime Environment and make sure the java.exe command is in the PATH of this command.
pause
goto end

:launch
set BASEPATH=.
set FIDMCONSOLEJARDIR=%BASEPATH%
set CONSOLEJARDIR=%BASEPATH%
set JSSDIR=%BASEPATH%
set LDAPJARDIR=%BASEPATH%
set PATH=%BASEPATH%;%PATH%
rem
rem Launch the Console
rem
echo on
"%JAVA%" "-Djava.library.path=%JSSDIR%" -cp "%JSSDIR%/jss4.jar;%LDAPJARDIR%/ldapjdk.jar;%CONSOLEJARDIR%/idm-console-base.jar;%CONSOLEJARDIR%/idm-console-mcc.jar;%CONSOLEJARDIR%/idm-console-mcc_en.jar;%CONSOLEJARDIR%/idm-console-nmclf.jar;%CONSOLEJARDIR%/idm-console-nmclf_en.jar;%FIDMCONSOLEJARDIR%/fedora-idm-console_en.jar" -Djava.util.prefs.systemRoot=%HOME%/.fedora-idm-console -Djava.util.prefs.userRoot=%HOME%/.fedora-idm-console com.netscape.management.client.console.Console %*

:end

Date: Thu, 3 Jan 2008 07:59:42 +1030
From: ian at ikel.id.au
To: fedora-directory-users at redhat.com
Subject: Re: [Fedora-directory-users] Windows console

Hi,

This happened to me as well. I think the installer can't cope with or
doesn't look for Java in your "Program Files" area, which is where you
will find the newer Javas 1.6. Edit the .bat file and set the Java
variable yourself and it should work from then on.

Regards,
Ian

kiran madala wrote:

Hi,

The windows console for 1.1 server does not work it gives me this error

F:\Program Files\Fedora Identity Management Console>echo off
The Java Runtime Environment is installed on this machine, but the
command java.exe is not in your PATH.
You can either make sure java.exe
is in the PATH, or edit this script to set JAVA to the full path of
java.exe
Press any key to continue . . .

All my java programs work. The java in my class path and also in my
registry . Any idea what's causing the problem?

From kmarsh at gdrs.com Wed Jan 2 21:59:08 2008
From: kmarsh at gdrs.com (Ken Marsh)
Date: Wed, 2 Jan 2008 16:59:08 -0500
Subject: [Fedora-directory-users] Fedora Directory Server not configuring admin server!
In-Reply-To: <20080102170006.AE9F073715@hormel.redhat.com>
References: <20080102170006.AE9F073715@hormel.redhat.com>
Message-ID: <5AD9B0E562FEFB4E933861904D7135C56886C3@gdrs-exchange.gdrs.com>

Hi,

I wonder if you're running into what I'm running into: Apache 2.2 no
longer includes mod_access.so, and the autogenerated (if you're lucky)
httpd.conf file bombs out when it tries to include it.

-Ken.

From kjs.pub at gmail.com Wed Jan 2 22:01:32 2008
From: kjs.pub at gmail.com (Karl J South)
Date: Wed, 2 Jan 2008 23:01:32 +0100
Subject: [Fedora-directory-users] Can't access DSGW
In-Reply-To: <47748BEA.5080201@ikel.id.au>
References: <47748BEA.5080201@ikel.id.au>
Message-ID:

Hi,

I got the same problem, with the difference that I upgraded an 1.0.4
installation. Any hints are more than welcome.

Thanks in advance,
/kjs

On Dec 28, 2007 6:38 AM, Ian Blackwell wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I've just built a FC8 server and am trying now to
> install/configure/use Fedora-DS 1.1.
> I've managed to get it working
> to some degree, but I can't get access to the directory server
> gateway. Several things appear to be wrong/missing at present, but
> after many hours trying to find out what, I'm stumped - hence this email.
>
> Firstly when I browse to http://myserver:9830 the graphic images
> aren't appearing.
>
> Next, when I click on the Directory Server Gateway link I get
> this error:-
> "The requested URL /clients/dsgw/bin/lang was not found on this server."
> This is from the admin-server error log:-
> [Fri Dec 28 15:59:37 2007] [error] [client 192.168.2.254] File does
> not exist: /usr/share/dirsrv/html/clients, referer:
> http://myserver:9830/bin/admin/admin/bin/download
> I can connect to Fedora Administration Express
> without any trouble, but it doesn't appear to offer anything
> useful... Is there a RPM that I'm missing perhaps? Here's a list of
> the relevant RPMs installed:-
> fedora-ds-console-1.1.0-4
> fedora-ds-base-1.1.0-2.0.fc8
> fedora-ds-1.1.0-2.0.fc8
> fedora-ds-admin-1.1.0-1.15.fc8
> fedora-admin-console-1.1.0-3.fc6
> idm-console-framework-1.1.0-1
> fedora-idm-console-1.1.0-4
>
> Finally, I've tried to use the Fedora IDM Console from Windows, but
> can't get that working either. When I connect to it, it seems to fail
> to connect to the ldap service and wants to restart it.
>
> Thanks to anyone that can point me in the right direction with this...
>
> Regards,
>
> Ian Blackwell
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFHdIvqLwWMnKQTL2sRAtrQAJ4kTTsXijvOpLXRhIa83avdhvL8mgCdFEUh
> 0OVC7UAPln3DFXbh+PEkCYE=
> =J7O1
> -----END PGP SIGNATURE-----

From kmarsh at gdrs.com Wed Jan 2 22:04:36 2008
From: kmarsh at gdrs.com (Ken Marsh)
Date: Wed, 2 Jan 2008 17:04:36 -0500
Subject: [Fedora-directory-users] Setting up 1.0.4-1 x86_64 on RHES5 64-bit
In-Reply-To: <20080102170006.AE9F073715@hormel.redhat.com>
References: <20080102170006.AE9F073715@hormel.redhat.com>
Message-ID: <5AD9B0E562FEFB4E933861904D7135C56886C4@gdrs-exchange.gdrs.com>

Hello again,

I've made progress- found most of the apache modules in
/usr/lib64/httpd/modules , and linked them in. However, according to
this post:

http://lists.linuxcoding.com/rhl/2006/msg15719.html

the mod_access.so module (and I'm guessing mod_auth.so as well) is no
longer included in Apache 2.2. Commenting them out of httpd.conf, but
allowing the rest of the modules to be loaded with LoadModule, I get the
following error when trying to start the administration server:

# ./start-admin
Syntax error on line 255 of /opt/fedora-ds/admin-serv/config/httpd.conf:
Invalid command 'Order', perhaps misspelled or defined by a module not
included in the server configuration

Is FDS fundamentally incompatible with Apache 2.2? Should I load an
older Apache?

-Ken.

From wpfontenot at cox.net Wed Jan 2 22:06:58 2008
From: wpfontenot at cox.net (Paul Fontenot)
Date: Wed, 02 Jan 2008 15:06:58 -0700
Subject: [Fedora-directory-users] getent?
In-Reply-To: <477C05AE.9080606@suburbia.org.au>
References: <1199307999.31506.8.camel@squid.fontenotshome.org.fontenotshome.org> <477BFE0A.6030905@brockport.edu> <1199308898.3678.3.camel@squid.fontenotshome.org.fontenotshome.org> <477C01BD.1060405@brockport.edu> <1199310027.3678.8.camel@squid.fontenotshome.org.fontenotshome.org> <477C05AE.9080606@suburbia.org.au>
Message-ID: <1199311618.7266.1.camel@squid.fontenotshome.org.fontenotshome.org>

Thanks Satish,

I have added all this (including the shadowAccount attribute). getent
passwd / shadow work correctly but group still does not. I'm off to find
documentation...

Thanks,

-Paul

On Wed, 2008-01-02 at 16:44 -0500, Satish Chetty wrote:
> Paul,
> Go to the group entry. Right click and select 'Advanced properties'.
> Click on objectclass and click 'Add Value'. It should list all
> objectclasses you can add.
>
> -Satish.
>
> Paul Fontenot wrote:
> > I'm *assuming* you mean somewhere other than here (in the attached png
> > file). When I go to create the group and attempt to add the posixgroup
> > object class I do not see that option anywhere - lots of other things
> > though. I will go back to hunting the information on the fedora site as
> > well.
> >
> > Thanks for the help,
> >
> > -Paul
> >
> > On Wed, 2008-01-02 at 16:27 -0500, Aaron Bliss wrote:
> >> Paul,
> >> You have to create a group in ldap, then add the posixgroup object
> >> class. If you do this thru the admin console, you will then see a
> >> text box appear called gidnumber. In that box enter whatever gid you
> >> wish to use.
> >>
> >> Aaron
> >>
> >> Paul Fontenot wrote:
> >>> Thanks Aaron,
> >>>
> >>> That's what has me stumped, the GID is there (that's the 500). I guess
> >>> what has me confused is I can't figure out how to tie that number to a
> >>> group and have it show in the getent group query.
> >>>
> >>> -Paul
> >>>
> >>> On Wed, 2008-01-02 at 16:11 -0500, Aaron Bliss wrote:
> >>>
> >>>> Paul,
> >>>> You probably need to assign a gidnumber (posixgroup attribute) to your
> >>>> primary ldap group. I've noticed that linux boxes only recognize group
> >>>> memberships for groups that have gid's.
> >>>>
> >>>> Aaron
> >>>>
> >>>> Paul Fontenot wrote:
> >>>>
> >>>>> Hi,
> >>>>>
> >>>>> I've searched high and low and found a couple references to the problem I
> >>>>> have but no solutions.
> >>>>>
> >>>>> If I issue 'getent passwd' I can see all the ldap users, if I issue a
> >>>>> getent group I cannot see any of the ldap groups. When I log into one of
> >>>>> my linux boxes I get 'id: cannot find name for group ID 500' (500 is an
> >>>>> ldap group).
> >>>>>
> >>>>> What would cause this issue? I've been beating my head against it for a
> >>>>> couple days and decided to turn to the experts.
> >>>>>
> >>>>> Thanks,
> >>>>>
> >>>>> Paul
> >>>>>
> >> --
> >> Aaron Bliss
> >> Systems Administrator
> >> SUNY Brockport
> >> (585) 395-2417

From satish at suburbia.org.au Wed Jan 2 22:11:42 2008
From: satish at suburbia.org.au (Satish Chetty)
Date: Wed, 02 Jan 2008 17:11:42 -0500
Subject: [Fedora-directory-users] getent?
In-Reply-To: <1199311618.7266.1.camel@squid.fontenotshome.org.fontenotshome.org>
References: <1199307999.31506.8.camel@squid.fontenotshome.org.fontenotshome.org>
 <477BFE0A.6030905@brockport.edu>
 <1199308898.3678.3.camel@squid.fontenotshome.org.fontenotshome.org>
 <477C01BD.1060405@brockport.edu>
 <1199310027.3678.8.camel@squid.fontenotshome.org.fontenotshome.org>
 <477C05AE.9080606@suburbia.org.au>
 <1199311618.7266.1.camel@squid.fontenotshome.org.fontenotshome.org>
Message-ID: <477C0C1E.5090708@suburbia.org.au>

Paul,
You can do few things to debug...

* Check the server log to see what happens...
* Do the same with ldapsearch and see if you get results. Ex.
ldapsearch -h myhost -p 389 -b "dc=example, dc=com" "objectclass=posixgroup" etc...
* Check /etc/nsswitch.conf to make sure the 'ldap' is included in the
search order (if you use authconfig on Linux it will set it for you).

-Satish.

From wpfontenot at cox.net Wed Jan 2 22:31:49 2008
From: wpfontenot at cox.net (Paul Fontenot)
Date: Wed, 02 Jan 2008 15:31:49 -0700
Subject: [Fedora-directory-users] getent?
In-Reply-To: <477C0C1E.5090708@suburbia.org.au>
References: <1199307999.31506.8.camel@squid.fontenotshome.org.fontenotshome.org>
 <477BFE0A.6030905@brockport.edu>
 <1199308898.3678.3.camel@squid.fontenotshome.org.fontenotshome.org>
 <477C01BD.1060405@brockport.edu>
 <1199310027.3678.8.camel@squid.fontenotshome.org.fontenotshome.org>
 <477C05AE.9080606@suburbia.org.au>
 <1199311618.7266.1.camel@squid.fontenotshome.org.fontenotshome.org>
 <477C0C1E.5090708@suburbia.org.au>
Message-ID: <1199313109.7818.3.camel@squid.fontenotshome.org.fontenotshome.org>

ldapsearch appears to be fine:

[root at ldap bin]# ./ldapsearch -b "dc=fontenotshome,dc=org" "objectclass=posixgroup"
version: 1
dn: cn=LinuxAdmins,ou=Groups, dc=fontenotshome,dc=org
objectClass: top
objectClass: groupofuniquenames
objectClass: posixgroup
cn: LinuxAdmins
gidNumber: 750
uniqueMember: uid=fontenwp,ou=People, dc=fontenotshome,dc=org

dn: cn=LinuxUsers,ou=Groups, dc=fontenotshome,dc=org
objectClass: top
objectClass: groupofuniquenames
objectClass: posixgroup
cn: LinuxUsers
gidNumber: 500
uniqueMember: uid=fontenwp,ou=People, dc=fontenotshome,dc=org
[root at ldap bin]#

and the logs don't show any errors. Does this thing do caching and if so
how can it be cleared, reset, etc...

From patrick.morris at hp.com Wed Jan 2 22:54:18 2008
From: patrick.morris at hp.com (Patrick Morris)
Date: Wed, 2 Jan 2008 14:54:18 -0800
Subject: [Fedora-directory-users] getent?
In-Reply-To: <1199313109.7818.3.camel@squid.fontenotshome.org.fontenotshome.org>
References: <1199307999.31506.8.camel@squid.fontenotshome.org.fontenotshome.org>
 <477BFE0A.6030905@brockport.edu>
 <1199308898.3678.3.camel@squid.fontenotshome.org.fontenotshome.org>
 <477C01BD.1060405@brockport.edu>
 <1199310027.3678.8.camel@squid.fontenotshome.org.fontenotshome.org>
 <477C05AE.9080606@suburbia.org.au>
 <1199311618.7266.1.camel@squid.fontenotshome.org.fontenotshome.org>
 <477C0C1E.5090708@suburbia.org.au>
 <1199313109.7818.3.camel@squid.fontenotshome.org.fontenotshome.org>
Message-ID: <20080102225418.GR8781@pmorris.usa.hp.com>

Hi Paul!

On Wed, 02 Jan 2008, Paul Fontenot wrote:
> ldapsearch appears to be fine:
>
> [root at ldap bin]# ./ldapsearch -b "dc=fontenotshome,dc=org"
> "objectclass=posixgroup"
> version: 1
> dn: cn=LinuxAdmins,ou=Groups, dc=fontenotshome,dc=org
> objectClass: top
> objectClass: groupofuniquenames
> objectClass: posixgroup
> cn: LinuxAdmins
> gidNumber: 750
> uniqueMember: uid=fontenwp,ou=People, dc=fontenotshome,dc=org
>
> dn: cn=LinuxUsers,ou=Groups, dc=fontenotshome,dc=org
> objectClass: top
> objectClass: groupofuniquenames
> objectClass: posixgroup
> cn: LinuxUsers
> gidNumber: 500
> uniqueMember: uid=fontenwp,ou=People, dc=fontenotshome,dc=org
> [root at ldap bin]#
>
> and the logs don't show any errors. Does this thing do caching and if so
> how can it be cleared, reset, etc...

For Posix groups, most systems expect you to use "memberUid" rather than
"uniqueMember" to specify group members, and to include uid names rather
than DNs.
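
[Added example, not part of the original thread or of the project's code.] Patrick's point about memberUid versus uniqueMember can be checked directly against ldapsearch output: this Python sketch parses LDIF and flags posixGroup entries whose members an RFC 2307 style NSS client would not see. It goes one step beyond that message and also checks whether a client's nss_base_group search base (the /etc/ldap.conf setting identified later in this thread) actually contains the group entries. The sample LDIF and config fragment are constructed from values quoted in the thread, and the function names and finding codes are this example's own.

```python
import base64
import re

# Constructed sample, modelled on the ldapsearch output quoted in this thread:
# one group lists members as DNs in uniqueMember, the other uses memberUid.
SAMPLE_LDIF = """\
version: 1
dn: cn=LinuxAdmins,ou=Groups, dc=fontenotshome,dc=org
objectClass: top
objectClass: groupofuniquenames
objectClass: posixgroup
cn: LinuxAdmins
gidNumber: 750
uniqueMember: uid=fontenwp,ou=People, dc=fontenotshome,dc=org

dn: cn=LinuxUsers,ou=Groups, dc=fontenotshome,dc=org
objectClass: top
objectClass: posixgroup
cn: LinuxUsers
gidNumber: 500
memberUid: fontenwp
"""

# Constructed client config fragment; "?one" is the optional scope suffix.
SAMPLE_LDAP_CONF = """\
base dc=fontenotshome,dc=org
#nss_base_group ou=Old,dc=fontenotshome,dc=org
nss_base_group ou=Group,dc=fontenotshome,dc=org?one
"""


def parse_ldif(text):
    """Return entries as dicts of lower-cased attribute name -> list of values."""
    # A line that starts with one space continues the previous line (LDIF folding).
    unfolded = re.sub(r"\r?\n ", "", text)
    entries, current = [], {}
    for line in unfolded.splitlines():
        if not line.strip():              # blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue                      # not an "attr: value" line
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def rdns(dn):
    """Split a DN on unescaped commas; trim and lower-case each RDN."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def is_under(dn, base):
    """True when the entry DN is at or below the search base."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def nss_group_base(ldap_conf_text):
    """Search base from an nss_ldap 'nss_base_group base?scope?filter' line."""
    for line in ldap_conf_text.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[0].lower() == "nss_base_group":
            return fields[1].split("?", 1)[0].strip()
    return None


def audit_posix_groups(ldif_text, group_base=None):
    """Return (group name, finding code) pairs for posixGroup entries."""
    findings = []
    for e in parse_ldif(ldif_text):
        if "posixgroup" not in [v.lower() for v in e.get("objectclass", [])]:
            continue
        dn = e.get("dn", ["?"])[0]
        name = e.get("cn", [dn])[0]
        gids = e.get("gidnumber", [])
        if not gids or not gids[0].isdigit():
            findings.append((name, "BAD_GIDNUMBER"))
        members = e.get("memberuid", [])
        if not members and e.get("uniquemember"):
            findings.append((name, "NO_MEMBERUID"))     # members only as DNs
        if any("=" in m for m in members):
            findings.append((name, "MEMBERUID_IS_DN"))  # should be a uid name
        if group_base is not None and not is_under(dn, group_base):
            findings.append((name, "OUTSIDE_BASE"))     # client never searches here
    return findings


if __name__ == "__main__":
    base = nss_group_base(SAMPLE_LDAP_CONF)
    for name, code in audit_posix_groups(SAMPLE_LDIF, base):
        print(f"{name}: {code}")
```

To check a real system, pass the saved output of the ldapsearch command shown in the thread and the contents of the client's /etc/ldap.conf instead of the embedded samples.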
From ian at ikel.id.au Wed Jan 2 23:00:53 2008
From: ian at ikel.id.au (Ian Blackwell)
Date: Thu, 03 Jan 2008 09:30:53 +1030
Subject: [Fedora-directory-users] Windows console
In-Reply-To:
References: <477C0246.5090907@ikel.id.au>
Message-ID: <477C17A5.2070102@ikel.id.au>

Hi,

Remove the "REM" at the start of the line which makes the line a
"REM"ark rather than a command. Without the REM, the set command will
assign the correct value to your JAVA variable.

Cheers,

Ian

kiran madala wrote:
> Hi,
>
> Thanks for the reply. Where exactly do I need to set my java variable
> path?
>
> I set the java path in the .bat file it's not working. I am not sure if
> I did it the right way. Below is my .bat file with changes in bold.
> Thanks in advance
>
>
> rem
> rem This library is free software; you can redistribute it and/or
> rem modify it under the terms of the GNU Lesser General Public
> rem License as published by the Free Software Foundation version
> rem 2.1 of the License.
> rem
>
> rem This library is distributed in the hope that it will be useful,
> rem but WITHOUT ANY WARRANTY; without even the implied warranty of
> rem MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> rem Lesser General Public License for more details.
> rem
>
> rem You should have received a copy of the GNU Lesser General Public
> rem License along with this library; if not, write to the Free Software
> rem Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
> rem END COPYRIGHT BLOCK
>
> rem set the JAVA to use here
> rem set JAVA=C:\Program Files\Java\jre1.6.0_03\bin\java
>
> if not "%JAVA%foo"=="foo" goto launch
>
> where java > nul 2>&1 || goto findjre
>
> set JAVA=java
> goto launch
>
> :findjre
> rem look for Java Runtime Environment in registry
> reg QUERY "HKLM\SOFTWARE\JavaSoft\Java Runtime Environment" > nul 2>&1 || goto findjdk
>
> rem can we grab the java location from the registry?
> rem set JAVA=path\bin\java
> rem apparently not, in a batch file
> rem goto launch
> echo The Java Runtime Environment is installed on this machine, but the
> echo command java.exe is not in your PATH. You can either make sure java.exe
> echo is in the PATH, or edit this script to set JAVA to the full path of
> echo java.exe
> pause
> goto end
>
> :findjdk
> reg QUERY "HKLM\SOFTWARE\JavaSoft\Java Development Kit" > nul 2>&1 || goto nojava
>
> rem can we grab the java location from the registry?
> rem set JAVA=path\bin\java
> rem goto launch
> echo The Java Development Kit is installed on this machine, but the
> echo command java.exe is not in your PATH. You can either make sure java.exe
> echo is in the PATH, or edit this script to set JAVA to the full path of
> echo java.exe
> pause
> goto end
>
> :nojava
> echo Java does not appear to be installed on this machine. Please download and install the Java Runtime Environment and make sure the java.exe command is in the PATH of this command.
> pause
> goto end
>
> :launch
> set BASEPATH=.
> set FIDMCONSOLEJARDIR=%BASEPATH%
> set CONSOLEJARDIR=%BASEPATH%
> set JSSDIR=%BASEPATH%
> set LDAPJARDIR=%BASEPATH%
>
> set PATH=%BASEPATH%;%PATH%
>
> rem
> rem Launch the Console
> rem
> echo on
> "%JAVA%" "-Djava.library.path=%JSSDIR%" -cp "%JSSDIR%/jss4.jar;%LDAPJARDIR%/ldapjdk.jar;%CONSOLEJARDIR%/idm-console-base.jar;%CONSOLEJARDIR%/idm-console-mcc.jar;%CONSOLEJARDIR%/idm-console-mcc_en.jar;%CONSOLEJARDIR%/idm-console-nmclf.jar;%CONSOLEJARDIR%/idm-console-nmclf_en.jar;%FIDMCONSOLEJARDIR%/fedora-idm-console_en.jar" -Djava.util.prefs.systemRoot=%HOME%/.fedora-idm-console -Djava.util.prefs.userRoot=%HOME%/.fedora-idm-console com.netscape.management.client.console.Console %*
>
> :end
>
> ------------------------------------------------------------------------
> Date: Thu, 3 Jan 2008 07:59:42 +1030
> From: ian at ikel.id.au
> To: fedora-directory-users at redhat.com
> Subject: Re: [Fedora-directory-users] Windows console
>
> Hi,
>
> This happened to me as well. I think the installer can't cope
> with or doesn't look for Java in your "Program Files" area, which
> is where you will find the newer Javas 1.6. Edit the .bat file
> and set the Java variable yourself and it should work from then on.
>
> Regards,
>
> Ian

From ian at ikel.id.au Wed Jan 2 23:07:23 2008
From: ian at ikel.id.au (Ian Blackwell)
Date: Thu, 03 Jan 2008 09:37:23 +1030
Subject: [Fedora-directory-users] Windows console
In-Reply-To:
References: <477C0246.5090907@ikel.id.au>
Message-ID: <477C192B.8060106@ikel.id.au>

Oh, I also forgot some other changes you'll need....

The space in the directory name means you need to enclose the whole
thing in quotes. That also means you need to make changes at the bottom
of the file as well. I'm at work now, but when I go home for lunch I'll
send you my version of the BAT file (around midday in South Australia).

Ian

From wpfontenot at cox.net Wed Jan 2 23:44:38 2008
From: wpfontenot at cox.net (Paul Fontenot)
Date: Wed, 02 Jan 2008 16:44:38 -0700
Subject: [Fedora-directory-users] getent?
In-Reply-To: <20080102225418.GR8781@pmorris.usa.hp.com>
References: <1199307999.31506.8.camel@squid.fontenotshome.org.fontenotshome.org>
 <477BFE0A.6030905@brockport.edu>
 <1199308898.3678.3.camel@squid.fontenotshome.org.fontenotshome.org>
 <477C01BD.1060405@brockport.edu>
 <1199310027.3678.8.camel@squid.fontenotshome.org.fontenotshome.org>
 <477C05AE.9080606@suburbia.org.au>
 <1199311618.7266.1.camel@squid.fontenotshome.org.fontenotshome.org>
 <477C0C1E.5090708@suburbia.org.au>
 <1199313109.7818.3.camel@squid.fontenotshome.org.fontenotshome.org>
 <20080102225418.GR8781@pmorris.usa.hp.com>
Message-ID: <1199317478.7818.10.camel@squid.fontenotshome.org.fontenotshome.org>

Thanks Patrick,

After some changes... I think I shall go and eat and come back later.
Thanks for all the help :)

> For Posix groups, most systems expect you to use "memberUid" rather
> than "uniqueMember" to specify group members, and to include uid names
> rather than DNs.
I now have this: [fontenwp at ldap bin]$ ./ldapsearch -b "dc=fontenotshome,dc=org" "objectclass=posixgroup" version: 1 dn: cn=LinuxAdmins,ou=Groups, dc=fontenotshome,dc=org objectClass: top objectClass: groupofuniquenames objectClass: posixgroup cn: LinuxAdmins gidNumber: 750 memberUid: fontenwp dn: cn=LinuxUsers,ou=Groups, dc=fontenotshome,dc=org objectClass: top objectClass: groupofuniquenames objectClass: posixgroup cn: LinuxUsers gidNumber: 500 memberUid: fontenwp [fontenwp at ldap bin]$ I still have this: [fontenwp at ldap bin]$ id uid=500(fontenwp) gid=500 groups=500 [fontenwp at ldap bin]$ and the error "id: cannot find name for group ID 500" -------------------------------------------------------------- 16:44:17 up 2:00, 1 user, load average: 0.11, 0.05, 0.01 From wpfontenot at cox.net Thu Jan 3 00:33:12 2008 From: wpfontenot at cox.net (Paul Fontenot) Date: Wed, 02 Jan 2008 17:33:12 -0700 Subject: [Fedora-directory-users] getent? In-Reply-To: <1199307999.31506.8.camel@squid.fontenotshome.org.fontenotshome.org> References: <1199307999.31506.8.camel@squid.fontenotshome.org.fontenotshome.org> Message-ID: <1199320392.10190.3.camel@squid.fontenotshome.org.fontenotshome.org> All, Boy howdy I feel like an idiot, I do appreciate all the helpful tips and hints though. Here was my problem in the hopes this helps someone else :) In the /etc/ldap.conf on my client I fould the following... nss_base_group ou=Group,dc=fontenotshome,dc=org <-- * the culprit Should have been: nss_base_group ou=Groups,dc=fontenotshome,dc=org Thanks again, -Paul On Wed, 2008-01-02 at 14:06 -0700, Paul Fontenot wrote: > Hi, > > I've searched hi and low and found a couple references to the problem I > have but no solutions. > > If I issue 'getent passwd' I can see all the ldap users, if I issue a > getent group I cannot see any of the ldap groups. When I log into one of > my linux boxes I get 'id: cannot find name for group ID 500' (500 is an > ldap group). > > What would cause this issue? 
I've been beating my head against it for a
> couple days and decided to turn to the experts.
>
> Thanks,
>
> Paul

From ian at ikel.id.au Thu Jan 3 01:48:38 2008
From: ian at ikel.id.au (Ian Blackwell)
Date: Thu, 03 Jan 2008 12:18:38 +1030
Subject: [Fedora-directory-users] Windows console
In-Reply-To:
References: <477C0246.5090907@ikel.id.au>
Message-ID: <477C3EF6.1040105@ikel.id.au>

On closer inspection at home, I see that I didn't set the JAVA value, I changed the PC so that the path to JAVA.EXE was in the environment. The script is able to detect this and then works.

Try adding the path to your Java installation to your environment via the Windows Control Panel and System applet.

Ian

kiran madala wrote:
> Hi,
>
> Thanks for the reply. Where exactly do I need to set my java variable
> path?
>
> I set the java path in the .bat file its not working. I am not sure if
> i did it the right way. below is my .bat file with changes in bold.
> Thanks in advance
>
> rem
> rem This library is free software; you can redistribute it and/or
> rem modify it under the terms of the GNU Lesser General Public
> rem License as published by the Free Software Foundation version
> rem 2.1 of the License.
> rem
>
> rem This library is distributed in the hope that it will be useful,
> rem but WITHOUT ANY WARRANTY; without even the implied warranty of
> rem MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> rem Lesser General Public License for more details.
> rem
>
> rem You should have received a copy of the GNU Lesser General Public
> rem License along with this library; if not, write to the Free Software
> rem Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
> 02110-1301 USA
> rem END COPYRIGHT BLOCK
>
> rem set the JAVA to use here
> rem set JAVA=C:\Program Files\Java\jre1.6.0_03\bin\java
>
> if not "%JAVA%foo"=="foo" goto launch
>
> where java > nul 2>&1 || goto findjre
>
> set JAVA=java
> goto launch
>
> :findjre
> rem look for Java Runtime Environment in registry
> reg QUERY "HKLM\SOFTWARE\JavaSoft\Java Runtime Environment" > nul 2>&1
> || goto findjdk
>
> rem can we grab the java location from the registry?
> rem set JAVA=path\bin\java
> rem apparently not, in a batch file
> rem goto launch
> echo The Java Runtime Environment is installed on this machine, but the
> echo command java.exe is not in your PATH. You can either make sure
> java.exe
> echo is in the PATH, or edit this script to set JAVA to the full path of
> echo java.exe
> pause
> goto end
>
> :findjdk
> reg QUERY "HKLM\SOFTWARE\JavaSoft\Java Development Kit" > nul 2>&1 ||
> goto nojava
>
> rem can we grab the java location from the registry?
> rem set JAVA=path\bin\java
> rem goto launch
> echo The Java Development Kit is installed on this machine, but the
> echo command java.exe is not in your PATH. You can either make sure
> java.exe
> echo is in the PATH, or edit this script to set JAVA to the full path of
> echo java.exe
> pause
> goto end
>
> :nojava
> echo Java does not appear to be installed on this machine. Please
> download and install the Java Runtime Environment and make sure the
> java.exe command is in the PATH of this command.
> pause
> goto end
>
> :launch
> set BASEPATH=.
> set FIDMCONSOLEJARDIR=%BASEPATH%
> set CONSOLEJARDIR=%BASEPATH%
> set JSSDIR=%BASEPATH%
> set LDAPJARDIR=%BASEPATH%
>
> set PATH=%BASEPATH%;%PATH%
>
> rem
> rem Launch the Console
> rem
> echo on
> "%JAVA%" "-Djava.library.path=%JSSDIR%" -cp
> "%JSSDIR%/jss4.jar;%LDAPJARDIR%/ldapjdk.jar;%CONSOLEJARDIR%/idm-console-base.jar;%CONSOLEJARDIR%/idm-console-mcc.jar;%CONSOLEJARDIR%/idm-console-mcc_en.jar;%CONSOLEJARDIR%/idm-console-nmclf.jar;%CONSOLEJARDIR%/idm-console-nmclf_en.jar;%FIDMCONSOLEJARDIR%/fedora-idm-console_en.jar"
> -Djava.util.prefs.systemRoot=%HOME%/.fedora-idm-console
> -Djava.util.prefs.userRoot=%HOME%/.fedora-idm-console
> com.netscape.management.client.console.Console %*
>
> :end
>
> ------------------------------------------------------------------------
> Date: Thu, 3 Jan 2008 07:59:42 +1030
> From: ian at ikel.id.au
> To: fedora-directory-users at redhat.com
> Subject: Re: [Fedora-directory-users] Windows console
>
> Hi,
>
> This happened to me as well. I think the installer can't cope
> with or doesn't look for Java in your "Program Files" area, which
> is where you will find the newer Javas 1.6. Edit the .bat file
> and set the Java variable yourself and it should work from then on.
>
> Regards,
>
> Ian
> kiran madala wrote:
>
> Hi,
>
> The windows console for 1.1 server does not work it gives me
> this error
>
> F:\Program Files\Fedora Identity Management Console>echo off
> The Java Runtime Environment is installed on this machine, but the
> command java.exe is not in your PATH. You can either make
> sure java.exe
> is in the PATH, or edit this script to set JAVA to the full
> path of
> java.exe
> Press any key to continue . . .
>
> All my java programs work. The java in my class path and also
> in my registry . Any idea whats causing the problem?

From ian at ikel.id.au Thu Jan 3 01:56:44 2008
From: ian at ikel.id.au (Ian Blackwell)
Date: Thu, 03 Jan 2008 12:26:44 +1030
Subject: [Fedora-directory-users] Windows console
In-Reply-To: <477C3EF6.1040105@ikel.id.au>
References: <477C0246.5090907@ikel.id.au> <477C3EF6.1040105@ikel.id.au>
Message-ID: <477C40DC.3090300@ikel.id.au>

Just for the record, here's my BAT file as well...

echo off
rem BEGIN COPYRIGHT BLOCK
rem Copyright (C) 2005 Red Hat, Inc.
rem All rights reserved.
rem
rem This library is free software; you can redistribute it and/or
rem modify it under the terms of the GNU Lesser General Public
rem License as published by the Free Software Foundation version
rem 2.1 of the License.
rem
rem This library is distributed in the hope that it will be useful,
rem but WITHOUT ANY WARRANTY; without even the implied warranty of
rem MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
rem Lesser General Public License for more details.
rem
rem You should have received a copy of the GNU Lesser General Public
rem License along with this library; if not, write to the Free Software
rem Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
rem END COPYRIGHT BLOCK

rem set the JAVA to use here
rem set JAVA=C:\j2sdk1.4.2_15\bin\java

if not "%JAVA%foo"=="foo" goto launch

where java > nul 2>&1 || goto findjre

set JAVA=java
goto launch

:findjre
rem look for Java Runtime Environment in registry
reg QUERY "HKLM\SOFTWARE\JavaSoft\Java Runtime Environment" > nul 2>&1 || goto findjdk

rem can we grab the java location from the registry?
rem set JAVA=path\bin\java
rem apparently not, in a batch file
rem goto launch
echo The Java Runtime Environment is installed on this machine, but the
echo command java.exe is not in your PATH. You can either make sure java.exe
echo is in the PATH, or edit this script to set JAVA to the full path of
echo java.exe
pause
goto end

:findjdk
reg QUERY "HKLM\SOFTWARE\JavaSoft\Java Development Kit" > nul 2>&1 || goto nojava

rem can we grab the java location from the registry?
rem set JAVA=path\bin\java
rem goto launch
echo The Java Development Kit is installed on this machine, but the
echo command java.exe is not in your PATH. You can either make sure java.exe
echo is in the PATH, or edit this script to set JAVA to the full path of
echo java.exe
pause
goto end

:nojava
echo Java does not appear to be installed on this machine. Please download and install the Java Runtime Environment and make sure the java.exe command is in the PATH of this command.
pause
goto end

:launch
set BASEPATH=.
set FIDMCONSOLEJARDIR=%BASEPATH%
set CONSOLEJARDIR=%BASEPATH%
set JSSDIR=%BASEPATH%
set LDAPJARDIR=%BASEPATH%

set PATH=%BASEPATH%;%PATH%

rem
rem Launch the Console
rem
echo on
"%JAVA%" "-Djava.library.path=%JSSDIR%" -cp "%JSSDIR%/jss4.jar;%LDAPJARDIR%/ldapjdk.jar;%CONSOLEJARDIR%/idm-console-base.jar;%CONSOLEJARDIR%/idm-console-mcc.jar;%CONSOLEJARDIR%/idm-console-mcc_en.jar;%CONSOLEJARDIR%/idm-console-nmclf.jar;%CONSOLEJARDIR%/idm-console-nmclf_en.jar;%FIDMCONSOLEJARDIR%/fedora-idm-console_en.jar" -Djava.util.prefs.systemRoot=%HOME%/.fedora-idm-console -Djava.util.prefs.userRoot=%HOME%/.fedora-idm-console com.netscape.management.client.console.Console %*

:end

From kirankmadala at hotmail.com Thu Jan 3 03:58:34 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Wed, 2 Jan 2008 23:58:34 -0400
Subject: [Fedora-directory-users] Windows console
In-Reply-To: <477C40DC.3090300@ikel.id.au>
References: <477C0246.5090907@ikel.id.au> <477C3EF6.1040105@ikel.id.au> <477C40DC.3090300@ikel.id.au>
Message-ID:

Thanks again for the info. I got that fixed. I changed the set java variable removing the rem in the bat file. But now it is not connecting to my DS server. It connects from the local machine, though. I am running the DS server on Fedora 6, which is on a VMware virtual machine. I am using the IP address of the machine along with the admin port to connect from the Windows host machine.

I was wondering if you ever have got it running successfully?

Thank you.
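The launcher script posted in this thread gives up on reading the Java location from the registry ("apparently not, in a batch file") and otherwise relies on `java` being found through PATH. As an added example, not part of any poster's file or of the Fedora console distribution, the batch file below resolves an absolute path to java.exe from the same two registry keys; it assumes the Sun JRE/JDK registry layout, where `CurrentVersion` names a subkey that holds `JavaHome`, and the `:fromreg` label and the `VER` and `JAVADIR` variables are hypothetical names.

```batch
@echo off
rem Added example: resolve java.exe from the registry keys the console
rem launcher already probes, so JAVA holds a full path instead of "java".
setlocal

set "JAVA="
call :fromreg "HKLM\SOFTWARE\JavaSoft\Java Runtime Environment"
if not defined JAVA call :fromreg "HKLM\SOFTWARE\JavaSoft\Java Development Kit"

if not defined JAVA (
    echo No usable Java installation was found in the registry.
    exit /b 1
)

rem Quote the path: it normally contains spaces ("C:\Program Files\...").
echo Using "%JAVA%"
"%JAVA%" -version
endlocal
goto :eof

:fromreg
rem %~1 is the registry key to inspect (assumed Sun layout, see lead-in).
set "VER="
set "JAVADIR="

rem "tokens=2,*" skips the value name, puts REG_SZ in %%A and the rest of the
rem line, including any embedded spaces, in %%B.
for /f "tokens=2,*" %%A in ('reg query "%~1" /v CurrentVersion 2^>nul ^| findstr /i "REG_SZ"') do set "VER=%%B"
if not defined VER goto :eof

for /f "tokens=2,*" %%A in ('reg query "%~1\%VER%" /v JavaHome 2^>nul ^| findstr /i "REG_SZ"') do set "JAVADIR=%%B"
if not defined JAVADIR goto :eof

rem Accept the registry value only if the binary is really there.
if exist "%JAVADIR%\bin\java.exe" set "JAVA=%JAVADIR%\bin\java.exe"
goto :eof
```

To use the result in the launcher, the two `call :fromreg` lines and the subroutine would replace the `echo`/`pause` branches under `:findjre` and `:findjdk`, followed by `goto launch` when JAVA is defined.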

From ian at ikel.id.au Thu Jan 3 04:11:10 2008
From: ian at ikel.id.au (Ian Blackwell)
Date: Thu, 03 Jan 2008 14:41:10 +1030
Subject: [Fedora-directory-users] Windows console
In-Reply-To:
References: <477C0246.5090907@ikel.id.au> <477C3EF6.1040105@ikel.id.au> <477C40DC.3090300@ikel.id.au>
Message-ID: <477C605E.80605@ikel.id.au>

Nope. I can get the console connection window where I enter my login details, but it won't connect. I've still got stacks of problems with my implementation that I'm trying to get resolved via this forum as well. To be frank, I'm not that impressed with the product, documentation, or anything else to do with Fedora-DS.

Ian
From audunroe at tihlde.org Thu Jan 3 11:18:11 2008 From: audunroe at tihlde.org (audunroe at tihlde.org) Date: Thu, 3 Jan 2008 12:18:11 +0100 (CET) Subject: [Fedora-directory-users] Class Loader In-Reply-To: <110286F0-0E61-4833-A278-11678B0006A7@mail.nih.gov> References: <146df21c0712190333j3831246fg6db257dee2a4b776@mail.gmail.com> <1278.195.18.161.2.1198074438.squirrel@tihlde.org> <110286F0-0E61-4833-A278-11678B0006A7@mail.nih.gov> Message-ID: <54425.195.18.161.2.1199359091.squirrel@tihlde.org> > Audun, > I connect to my Fedora6 FDS1.0.4 setup from my mac using an X11 > terminal over ssh with forwarding. ssh -XY blah.blah.gov. Then I > run the console from there and everything in terms of security is done > localhost on the ldap server, my session shows up on my mac tunneled > entirely through ssh. This gets through any firewall I've had to deal > with. > > I'm not clear on whether this works for you in your set up, but I > thought I'd add my 2 cents. Good luck. > > ED.
This actually does work, although it's rather slow over ~200kb/s VPN. Still, beats no console at all. Thanks for the suggestion! An additional question, though: I've been using the wiki entry on http://directory.fedoraproject.org/wiki/Howto:WindowsConsole as a reference. Judging by the requirement to copy the ./lib folder and set paths/environment vars for it, java.library.path in particular, the console would seem to use JNI (ie: native calls, not pure/platform-independent Java) for some of its functionality. If so, how could it ever work on Windows? Simply copying the native libs as suggested by the wiki entry would, to the best of my knowledge, accomplish nothing. An older admin console MSI-installer package I came across actually included a handful of DLLs, to reinforce the impression that native calls are used/needed. On the other hand, people seem to have been able to make it work in Windows by simply following the instructions of the wiki, so I'm a bit puzzled. If this is the case, it would seem they're not needed. (To reiterate: I can run the console under Windows and I can connect to the adm server, but it's functionally crippled. Either due to a certain firewall that remains closed; JNI, something else entirely, or possibly all three. 
Hopefully I'll be able to at least rule out or identify the fw as the culprit by next week ;) -- Regards, Audun From j.barber at dundee.ac.uk Thu Jan 3 11:23:40 2008 From: j.barber at dundee.ac.uk (Jonathan Barber) Date: Thu, 3 Jan 2008 11:23:40 +0000 Subject: [Fedora-directory-users] Migrating RHEL users to Directory Server In-Reply-To: <8BED0ADCE0100241A8DD768706A2295C198084@EXCHDP3.ffx.jfh.com.au> References: <8BED0ADCE0100241A8DD768706A2295C0FA6@EXCHDP3.ffx.jfh.com.au> <20071224124857.GA10008@flea.lifesci.dundee.ac.uk> <8BED0ADCE0100241A8DD768706A2295C198084@EXCHDP3.ffx.jfh.com.au> Message-ID: <20080103112338.GA11941@flea.lifesci.dundee.ac.uk> On Mon, Dec 31, 2007 at 02:25:21PM +1100, Joel Heenan wrote: > Ok then so from my reading a bit more into how the Linux MD5 sum is > calculated it seems that because it includes a salt and is otherwise > mangled what I'm attempting to do is impossible and I'll need to get > users to set passwords manually. Is this correct? Yes. If you want to postpone having to get your users to reset their passwords, you could try the pam-passthru plugin: http://cvs.fedoraproject.org/viewcvs/ldapserver/ldap/servers/plugins/pam_passthru/README?root=dirsec&rev=1.6&view=auto > I was hoping that I could take the Linux PAM MD5 and plonk it inside > Directory Server but this doesn't seem possible. Unless there is some > plugin designed for this that understands Linux MD5? Not that I know of, but it shouldn't be that difficult to write using the existing pwdstorage plugins as a starting point. > Thanks > > Joel > > > -----Original Message----- > > From: fedora-directory-users-bounces at redhat.com > > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf > > Of Jonathan Barber > > Sent: Monday, 24 December 2007 11:49 PM > > To: General discussion list for the Fedora Directory server project. 
> > Subject: Re: [Fedora-directory-users] Migrating RHEL users to > > Directory Server > > > > On Fri, Dec 21, 2007 at 01:51:30PM +1100, Joel Heenan wrote: > > > Fedora Directory Users, > > > > > > I have a bunch of users currently using local RHEL 4 local > > unix user > > > accounts for their usernames and passwords and I would like > > to migrate > > > them to Directory Server. My question concerns the MD5 sum password. > > > > > > I tried adding a user joeltest with password joeltest and I > > got hash: > > > > > > JqBiQXU4$gnJeKmNzXy.kaXUaBIygs0 > > > > > > from RHEL but I got hash: > > > > > > WGvQgGYUH2UOX2ZA1IQeyQ== > > > > This value is the base64 encoded value of the md5 digest of > > the password, and is the same as the md5 digest of "joeltest": > > $ echo -n "joeltest" | openssl dgst -md5 -binary | openssl > > base64 WGvQgGYUH2UOX2ZA1IQeyQ== $ > > > > Regards. > > > > > >From Directory Server when I set the same password. > > > > > > I'm guessing this is to do with further encodings placed on the > > > password hash. Hoping someone has done this before and can > > point me in > > > the right direction? > > > > > > Thanks > > > > > > Joel > > > > -- > > Jonathan Barber > > High Performance Computing Analyst > > Tel. +44 (0) 1382 386389 > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > The information contained in this e-mail message and any accompanying files is or may be confidential. If you are not the intended recipient, any use, dissemination, reliance, forwarding, printing or copying of this e-mail or any attached files is unauthorised. This e-mail is subject to copyright. No part of it should be reproduced, adapted or communicated without the written consent of the copyright owner. If you have received this e-mail in error please advise the sender immediately by return e-mail or telephone and delete all copies. 
Fairfax does not guarantee the accuracy or completeness of any information contained in this e-mail or attached files. Internet communications are not secure, therefore Fairfax does not accept legal responsibility for the contents of this message or attached files.
-- Jonathan Barber High Performance Computing Analyst Tel. +44 (0) 1382 386389
From jazcek at scs.fsu.edu Thu Jan 3 14:23:00 2008 From: jazcek at scs.fsu.edu (Jazcek Braden) Date: Thu, 03 Jan 2008 09:23:00 -0500 Subject: [Fedora-directory-users] Setting up 1.0.4-1 x86_64 on RHES5 64-bit In-Reply-To: <5AD9B0E562FEFB4E933861904D7135C56886C4@gdrs-exchange.gdrs.com> References: <20080102170006.AE9F073715@hormel.redhat.com> <5AD9B0E562FEFB4E933861904D7135C56886C4@gdrs-exchange.gdrs.com> Message-ID: <477CEFC4.9020104@scs.fsu.edu> I am using it with Apache 2.2.9 on CentOS 5 and it works there. I looked at the httpd.conf file that FDS installed for me and I don't have the mod_access.so or mod_auth.so lines in there. I believe these are actually part of the admin server installation. I again invite you to try to rerun the setup to get ns-config to rebuild the httpd.conf file for you and to setup all appropriate links. -- Jazcek Ken Marsh wrote: > Hello again, > > I've made progress- found most of the apache modules in > /usr/lib64/httpd/modules , and linked them in. However, according to > this post: > > http://lists.linuxcoding.com/rhl/2006/msg15719.html > > the mod_access.so module (and I'm guessing mod_auth.so as well) is no > longer included in Apache 2.2.
Commenting them out of httpd.conf, but > allowing the rest of the modules to be loaded with LoadModule, I get the > following error when trying to start the administration server: > > # ./start-admin > Syntax error on line 255 of /opt/fedora-ds/admin-serv/config/httpd.conf: > Invalid command 'Order', perhaps misspelled or defined by a module not > included in the server configuration > > Is FDS fundamentally incompatible with Apache 2.2? Should I load an > older Apache? > > -Ken.
-- Jazcek Braden System Administrator 431 Dirac Science Library Florida State University Tallahassee, FL 32306-4120 Phone 850-644-6490
From bagyi at mail.fmkorhaz.hu Thu Jan 3 16:43:44 2008 From: bagyi at mail.fmkorhaz.hu (Tamas Bagyal) Date: Thu, 03 Jan 2008 17:43:44 +0100 Subject: [Fedora-directory-users] getent?
In-Reply-To: <1199317478.7818.10.camel@squid.fontenotshome.org.fontenotshome.org>
References: <1199307999.31506.8.camel@squid.fontenotshome.org.fontenotshome.org> <477BFE0A.6030905@brockport.edu> <1199308898.3678.3.camel@squid.fontenotshome.org.fontenotshome.org> <477C01BD.1060405@brockport.edu> <1199310027.3678.8.camel@squid.fontenotshome.org.fontenotshome.org> <477C05AE.9080606@suburbia.org.au> <1199311618.7266.1.camel@squid.fontenotshome.org.fontenotshome.org> <477C0C1E.5090708@suburbia.org.au> <1199313109.7818.3.camel@squid.fontenotshome.org.fontenotshome.org> <20080102225418.GR8781@pmorris.usa.hp.com> <1199317478.7818.10.camel@squid.fontenotshome.org.fontenotshome.org>
Message-ID: <477D10C0.2040301@mail.fmkorhaz.hu>

hello,

First: sorry for my bad English.

Your user must have a 'gidnumber' entry (from 'posixaccount' objectclass), this is the user's gid. It is not required to write this username in the memberuid entry. If the group is not the primary group of the user, it is required to write the username in the memberuid entry.

ok, i know this is not too understandable. example:

uid=500(fontenwp) gid=500(linuxusers) groups=750(linuxadmins),500(linuxusers)

entries: (only the important things)

user:
dn: cn=fontenwp, ou=People, dc=fontenotshome,dc=org
objectclass: posixAccount
gidNumber: 500

groups:
dn: cn=LinuxUsers,ou=Groups, dc=fontenotshome,dc=org
objectClass: posixgroup
gidNumber: 500
memberUid: fontenwp <-- this is not required

dn: cn=LinuxAdmins,ou=Groups, dc=fontenotshome,dc=org
objectClass: posixgroup
gidNumber: 750
memberUid: fontenwp <-- this is required

and of course configure nsswitch & pam correctly. The default group ou in the nsswitch-ldap conf is: ou=Group but, as I can see, you use ou=Group_s_. Check this.

I hope this helps you.
KeeF Paul Fontenot wrote: > I now have this: > > [fontenwp at ldap bin]$ ./ldapsearch -b "dc=fontenotshome,dc=org" > "objectclass=posixgroup" > version: 1 > dn: cn=LinuxAdmins,ou=Groups, dc=fontenotshome,dc=org > objectClass: top > objectClass: groupofuniquenames > objectClass: posixgroup > cn: LinuxAdmins > gidNumber: 750 > memberUid: fontenwp > > dn: cn=LinuxUsers,ou=Groups, dc=fontenotshome,dc=org > objectClass: top > objectClass: groupofuniquenames > objectClass: posixgroup > cn: LinuxUsers > gidNumber: 500 > memberUid: fontenwp > [fontenwp at ldap bin]$ > > I still have this: > > [fontenwp at ldap bin]$ id > uid=500(fontenwp) gid=500 groups=500 > [fontenwp at ldap bin]$ > > and the error > > "id: cannot find name for group ID 500" > > -------------------------------------------------------------- > 16:44:17 up 2:00, 1 user, load average: 0.11, 0.05, 0.01 > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > From rmeggins at redhat.com Thu Jan 3 19:32:44 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 03 Jan 2008 12:32:44 -0700 Subject: [Fedora-directory-users] Class Loader In-Reply-To: <1278.195.18.161.2.1198074438.squirrel@tihlde.org> References: <146df21c0712190333j3831246fg6db257dee2a4b776@mail.gmail.com> <1278.195.18.161.2.1198074438.squirrel@tihlde.org> Message-ID: <477D385C.5050008@redhat.com> audunroe at tihlde.org wrote: > The saga continues.. > > After finally getting the admin-server to run and just briefly verifying > that the console would run from my windows machine but not being able to > connect because of firewall issues, I'm now picking up the thread again. > > To briefly recap, there are firewall issues preventing me from connecting > easily with the admin server on the machine running fedora-ds. Iow: I can > reach the ldap port fine - but not the admin server. 
I have no control > over the firewall, and getting an opening poked in it is turning out to > be, if not difficult then at least time consuming. I've been trying to > sneak around the problem by using ssh-tunneling for now. I can use this to > successfully connect the client java console with the server. However, > that's pretty much as far as I've been able to get. > > The Fedora Management Console opens and connects nicely. In the console > view, I can see the rootnode of myldap.foo.com, as well as the ldap > instance just beneath it and its "Server Group" node. However, if I expand > this node and try to click on the "Administration Server" or "Directory > Server" leafs, I get a long pause and then an error dialog saying: "Class > Loader error: Failed to install a local copy of fedora-admserv-1.0.jar or > one of its supporting files: Can not connect to > http://myldap.foo.com:56789". >

The console supports multiple versions of admin server and directory server. Each unique version of admin server and directory server has its own versioned jar file (e.g. fedora-admserv-1.0.jar, fedora-admserv-1.1.jar, etc.) These jar files are provided via http by the admin server and are downloaded into the ~/.fedora-console/jars (or ~/.fedora-idm-console/jars in 1.1) directory. The console looks for them in there. So one possible workaround would be to just grab those files from the server and copy them to this directory.

> Initially, I was thrown off by the class loader heading, assuming I'd left > the jar out of the classpath. The jar it's requesting is indeed not on > the classpath, however, the jar in question is not included in the > original startconsole script either (meaning I have no idea how the client > would find it). In any case I get the exact same error when the jar's on > the cp as well. The client then goes on to try and download the jar - > which will not work as the windows machine I'm running it on does not have > open internet access - intranet only.
> On windows, the jar file location is a little bit different. See http://directory.fedoraproject.org/wiki/Howto:WindowsConsole for more information. > However the errmsg also mentions connection problems, and there's a > lengthy delay when clicking the nodes in question consistent with a > connection attempt that's blocked by, say, a firewall. Right. There is a timeout - I can't remember how long. > I've since verified > with Ethereal that the console does indeed try to bypass my ssh tunnel and > instead hits the admin server directly, an attempt which is of course > blocked by the firewall. Right. Because once the console is started, it ignores the URL you provide in the login dialog box and instead reads the URL from the admin server configuration under o=netscaperoot in the configuration directory server. > In addition, connections to the ldap port are > also attempted, though this is not a problem as that port is actually > open. Maybe the reason why I can get this far in the first place. However, > could anyone confirm that the connection url (in my case ssh tunnel at > localhost:56789) is only used for the initial connect, and that later the > admin client may try to establish a direct link to the correct url of the > servernode? If so, is there any possible workaround for this, or will I > basically need a firewall-opening? Or could it be a dependency/classpath > problem after all? > The best bet is to either open the firewall, or to install the admin server to use a well known http port (e.g. port 80) that most firewalls will leave open by default. > -- > Regards, > Audun > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Thu Jan 3 19:35:36 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 03 Jan 2008 12:35:36 -0700 Subject: [Fedora-directory-users] Migrating RHEL users to Directory Server In-Reply-To: <20080103112338.GA11941@flea.lifesci.dundee.ac.uk> References: <8BED0ADCE0100241A8DD768706A2295C0FA6@EXCHDP3.ffx.jfh.com.au> <20071224124857.GA10008@flea.lifesci.dundee.ac.uk> <8BED0ADCE0100241A8DD768706A2295C198084@EXCHDP3.ffx.jfh.com.au> <20080103112338.GA11941@flea.lifesci.dundee.ac.uk> Message-ID: <477D3908.3000509@redhat.com> Jonathan Barber wrote: > On Mon, Dec 31, 2007 at 02:25:21PM +1100, Joel Heenan wrote: > >> Ok then so from my reading a bit more into how the Linux MD5 sum is >> calculated it seems that because it includes a salt and is otherwise >> mangled what I'm attempting to do is impossible and I'll need to get >> users to set passwords manually. Is this correct? >> > > Yes. > > If you want to postpone having to get your users to reset their > passwords, you could try the pam-passthru plugin: > http://cvs.fedoraproject.org/viewcvs/ldapserver/ldap/servers/plugins/pam_passthru/README?root=dirsec&rev=1.6&view=auto > > >> I was hoping that I could take the Linux PAM MD5 and plonk it inside >> Directory Server but this doesn't seem possible. Unless there is some >> plugin designed for this that understands Linux MD5? >> > > Not that I know of, but it shouldn't be that difficult to write using > the existing pwdstorage plugins as a starting point. > You might try the crypt format. On most linux platforms, system crypt uses MD5. 
> >> Thanks >> >> Joel >> >> >>> -----Original Message----- >>> From: fedora-directory-users-bounces at redhat.com >>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf >>> Of Jonathan Barber >>> Sent: Monday, 24 December 2007 11:49 PM >>> To: General discussion list for the Fedora Directory server project. >>> Subject: Re: [Fedora-directory-users] Migrating RHEL users to >>> Directory Server >>> >>> On Fri, Dec 21, 2007 at 01:51:30PM +1100, Joel Heenan wrote: >>> >>>> Fedora Directory Users, >>>> >>>> I have a bunch of users currently using local RHEL 4 local >>>> >>> unix user >>> >>>> accounts for their usernames and passwords and I would like >>>> >>> to migrate >>> >>>> them to Directory Server. My question concerns the MD5 sum password. >>>> >>>> I tried adding a user joeltest with password joeltest and I >>>> >>> got hash: >>> >>>> JqBiQXU4$gnJeKmNzXy.kaXUaBIygs0 >>>> >>>> from RHEL but I got hash: >>>> >>>> WGvQgGYUH2UOX2ZA1IQeyQ== >>>> >>> This value is the base64 encoded value of the md5 digest of >>> the password, and is the same as the md5 digest of "joeltest": >>> $ echo -n "joeltest" | openssl dgst -md5 -binary | openssl >>> base64 WGvQgGYUH2UOX2ZA1IQeyQ== $ >>> >>> Regards. >>> >>> >>>> >From Directory Server when I set the same password. >>>> >>>> I'm guessing this is to do with further encodings placed on the >>>> password hash. Hoping someone has done this before and can >>>> >>> point me in >>> >>>> the right direction? >>>> >>>> Thanks >>>> >>>> Joel >>>> >>> -- >>> Jonathan Barber >>> High Performance Computing Analyst >>> Tel. +44 (0) 1382 386389 >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >> The information contained in this e-mail message and any accompanying files is or may be confidential. 
If you are not the intended recipient, any use, dissemination, reliance, forwarding, printing or copying of this e-mail or any attached files is unauthorised. This e-mail is subject to copyright. No part of it should be reproduced, adapted or communicated without the written consent of the copyright owner. If you have received this e-mail in error please advise the sender immediately by return e-mail or telephone and delete all copies. Fairfax does not guarantee the accuracy or completeness of any information contained in this e-mail or attached files. Internet communications are not secure, therefore Fairfax does not accept legal responsibility for the contents of this message or attached files.
From rmeggins at redhat.com Thu Jan 3 19:36:56 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 03 Jan 2008 12:36:56 -0700 Subject: [Fedora-directory-users] Setting up 1.0.4-1 x86_64 on RHES5 64-bit In-Reply-To: <5AD9B0E562FEFB4E933861904D7135C5688620@gdrs-exchange.gdrs.com> References: <5AD9B0E562FEFB4E933861904D7135C5688620@gdrs-exchange.gdrs.com> Message-ID: <477D3958.9060604@redhat.com> Ken Marsh wrote: > > Hello again, > > Thanks for the previous help. As advised, I removed the FC5 binary and > went with FC6 on Red Hat Enterprise Server 5 x86_64 > Did you start from scratch, or did you just install the FC6 binary on top of the FC5 binary? > > I've now caught up with where I was before. The Directory Server is > running OK but I can't get the admin server to start. The setup/setup > script failed with a message: > > Setting up Administration Server Instance...
> > ERROR: Administration Server configuration failed. > > The console starts as advised, but there is no Admin server for it to > connect to. > > I can't find specific directions for where I'm at now, I guess because > this stuff is supposed to "just work". Striking out on my own, I've > copied over the templates for start-admin and httpd.conf and edited > them. I am using /usr/sbin/http.worker for my web server. After > setting sroot and httpd, it seems to start up OK until it looks for > modules. > > Here is the error: > > [root at ansb16 fedora-ds]# ./start-admin > > httpd.worker: Syntax error on line 128 of > /opt/fedora-ds/admin-serv/config/httpd.conf: Cannot load > /opt/fedora-ds/admin-serv/%%%module_dir%%%/modules/mod_access.so into > server: > /opt/fedora-ds/admin-serv/%%%module_dir%%%/modules/mod_access.so: > cannot open shared object file: No such file or directory > > I've looked around. I don't see the config file location to set > %%%module_dir%%%, and what is more, the > /opt/fedora-ds/admin-serv/modules directory is empty. I did some finds > on the system and cannot find mod_access.so anywhere. So, even if I > did set it, where do I point it to? > > Is there a preferred place to download these modules, or do I need > them at all? Or did I skip some part of the setup process? > > Thanks and Happy Holidays, > > Ken.
From rmeggins at redhat.com Thu Jan 3 19:43:45 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 03 Jan 2008 12:43:45 -0700 Subject: [Fedora-directory-users] Fedora Directory Server not configuring admin server!
In-Reply-To: <000001c84acc$c9a66c10$5cf34430$@shea@comcast.net> References: <000001c84acc$c9a66c10$5cf34430$@shea@comcast.net> Message-ID: <477D3AF1.2010001@redhat.com> Dane Shea wrote: > > Hi, I am on the verge of creating a fedora directory server but I have > one more obstacle in my way. This is what happens when I try to set up > the Fedora Directory Server 1.0.4 in Fedora 8 > Which Fedora DS binary rpm are you attempting to use? The FC6 binary should work. > > > Please select the install mode: > 1 - Express - minimal questions > 2 - Typical - some customization (default) > 3 - Custom - lots of customization > > Please select 1, 2, or 3 (default: 2) 2 > > Hostname to use (default: localhost.localdomain) daneshea.com > Is this a valid hostname that resolves using both forward and reverse DNS? > > > Server user ID to use (default: nobody) SheaServer > > Server group ID to use (default: nobody) SheaServer > [slapd-daneshea]: starting up server ... > [slapd-daneshea]: Fedora-Directory/1.0.4 B2006.312.1539 > [slapd-daneshea]: daneshea.com:389 (/opt/fedora-ds/slapd-daneshea) > [slapd-daneshea]: > [slapd-daneshea]: [26/Dec/2007:11:17:31 -0600] - > Fedora-Directory/1.0.4 B2006.312.1539 starting up > [slapd-daneshea]: [26/Dec/2007:11:17:31 -0600] - slapd started. > Listening on All Interfaces port 389 for LDAP requests > Your new directory server has been started. > Created new Directory Server > Start Slapd Starting Slapd server configuration. > Success Slapd Added Directory Server information to Configuration Server. > Configuring Administration Server... > ERROR: Administration Server configuration failed. > Check the logs under /opt/fedora-ds/admin-serv/logs > > > You can now use the console. 
Here is the command to use to start the > console: > cd /opt/fedora-ds > ./startconsole -u admin -a http://daneshea.com:40814/ > > INFO Finished with setup, logfile is setup/setup.log > [root at daneshea ~]# > > > > > > > > If you curious this is what the log file says: > > > Continue? (yes/no) yes > Please select 1, 2, or 3 (default: 2) 2 > getFQDN: hostname = daneshea.com > getFQDN: host daneshea.com = daneshea.com > daneshea.com > daneshea.com > getFQDN: host daneshea.com has length 13 > getFQDN: new max host daneshea.com has length 13 > getFQDN: host daneshea.com has length 13 > getFQDN: host daneshea.com has length 13 > getFQDN: host daneshea.com has length 13 > getFQDN: host daneshea.com has length 13 > getFQDN: host daneshea has length 9 > getFQDN: host localhost.localdomain has length 22 > getFQDN: new max host localhost.localdomain has length 22 > getFQDN: host localhost has length 10 > getFQDN: host daneshea has length 9 > > Hostname to use (default: localhost.localdomain) daneshea.com > Server user ID to use (default: nobody) SheaServer > Server group ID to use (default: nobody) SheaServer > [slapd-daneshea]: starting up server ... > [slapd-daneshea]: Fedora-Directory/1.0.4 B2006.312.1539 > [slapd-daneshea]: daneshea.com:389 (/opt/fedora-ds/slapd-daneshea) > [slapd-daneshea]: > [slapd-daneshea]: [26/Dec/2007:11:17:31 -0600] - > Fedora-Directory/1.0.4 B2006.312.1539 starting up > [slapd-daneshea]: [26/Dec/2007:11:17:31 -0600] - slapd started. > Listening on All Interfaces port 389 for LDAP requests > Your new directory server has been started. > Created new Directory Server > Start Slapd Starting Slapd server configuration. > Success Slapd Added Directory Server information to Configuration Server. > Configuring Administration Server... > ERROR: Administration Server configuration failed. > You can now use the console. 
Here is the command to use to start the > console: > cd /opt/fedora-ds > ./startconsole -u admin -a http://daneshea.com:40814/ > INFO Finished with setup, logfile is setup/setup.log > > > > > Thanks in advance guys! > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Thu Jan 3 19:46:06 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 03 Jan 2008 12:46:06 -0700 Subject: [Fedora-directory-users] Can't access DSGW In-Reply-To: <47748BEA.5080201@ikel.id.au> References: <47748BEA.5080201@ikel.id.au> Message-ID: <477D3B7E.3000300@redhat.com> Ian Blackwell wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi, > > I've just built a FC8 server and am trying now to > install/configure/use Fedora-DS 1.1. I've managed to get it working > to some degree, but I can't get access to the directory server > gateway. It is not included with Fedora DS 1.1. The links have been removed from the Fedora DS 1.1 final. I apologize that they were present in the Fedora DS 1.1 beta. > Several things appear to be wrong/missing at present, but > after many hours trying to find out what, I'm stumped - hence this email. > > Firstly when I browse to http://myserver:9830 the graphic images > aren't appearing. > > Next, when I click on the Directory Server Gateway > link I get > this error:- > "The requested URL /clients/dsgw/bin/lang was not found on this server." 
> This is from the admin-server error log:-
> [Fri Dec 28 15:59:37 2007] [error] [client 192.168.2.254] File does
> not exist: /usr/share/dirsrv/html/clients, referer:
> http://myserver:9830/bin/admin/admin/bin/download
> I can connect to Fedora Administration Express
>
> without any trouble, but it doesn't appear to offer anything
> useful... Is there a RPM that I'm missing perhaps? Here's a list of
> the relevant RPMs installed:-
> fedora-ds-console-1.1.0-4
> fedora-ds-base-1.1.0-2.0.fc8
> fedora-ds-1.1.0-2.0.fc8
> fedora-ds-admin-1.1.0-1.15.fc8
> fedora-admin-console-1.1.0-3.fc6
> idm-console-framework-1.1.0-1
> fedora-idm-console-1.1.0-4
>
> Finally, I've tried to use the Fedora IDM Console from Windows, but
> can't get that working either. When I connect to it, it seems to fail
> to connect to the ldap service and wants to restart it.
>
Did you use the new Windows package? Are there any DNS or firewall issues? You can edit the .bat file and add the -D 9 argument to the end of the console command line to get more debugging information.
> Thanks to anyone that can point me in the right direction with this...
>
> Regards,
>
> Ian Blackwell
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFHdIvqLwWMnKQTL2sRAtrQAJ4kTTsXijvOpLXRhIa83avdhvL8mgCdFEUh
> 0OVC7UAPln3DFXbh+PEkCYE=
> =J7O1
> -----END PGP SIGNATURE-----
>

From rmeggins at redhat.com Thu Jan 3 19:49:13 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 03 Jan 2008 12:49:13 -0700
Subject: [Fedora-directory-users] Windows console
In-Reply-To: <477C605E.80605@ikel.id.au>
References: <477C0246.5090907@ikel.id.au> <477C3EF6.1040105@ikel.id.au> <477C40DC.3090300@ikel.id.au> <477C605E.80605@ikel.id.au>
Message-ID: <477D3C39.9030800@redhat.com>

Ian Blackwell wrote:
> Nope. I can get the console connection window where I enter my login
> details, but it won't connect.
Please try adding the -D 9 arguments to the end of the command line. This will cause lots of debugging information to spew forth.
> I've still got stacks of problems with my implementation that I'm
> trying to get resolved via this forum as well.
Most (if not all) of the developers have been on vacation from December 21 until now.
> To be frank, I'm not that impressed with the product, documentation,
> or anything else to do with Fedora-DS.
Can you be more specific?
>
> Ian
>
> kiran madala wrote:
>> Thanks again for the info. I got that fixed. I changed the set java
>> variable removing the rem in the bat file. But now it is not
>> connecting to my ds server. It connects from the local machine
>> though. I am running the ds server on fedora 6 which on vmware
>> virtual machine. I am using the ip address of the machine along with
>> admin port to connect from windows host machine.
>> I was wondering if you ever have got it running successfully?
>>
>> Thank you.
>>
>> ------------------------------------------------------------------------
>> > Date: Thu, 3 Jan 2008 12:26:44 +1030
>> > From: ian at ikel.id.au
>> > To: fedora-directory-users at redhat.com
>> > Subject: Re: [Fedora-directory-users] Windows console
>> >
>> > Just for the record, here's my BAT file as well...
>> > echo off >> > rem BEGIN COPYRIGHT BLOCK >> > rem Copyright (C) 2005 Red Hat, Inc. >> > rem All rights reserved. >> > rem >> > rem This library is free software; you can redistribute it and/or >> > rem modify it under the terms of the GNU Lesser General Public >> > rem License as published by the Free Software Foundation version >> > rem 2.1 of the License. >> > rem >> > >> > rem This library is distributed in the hope that it will be useful, >> > rem but WITHOUT ANY WARRANTY; without even the implied warranty of >> > rem MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU >> > rem Lesser General Public License for more details. >> > rem >> > >> > rem You should have received a copy of the GNU Lesser General Public >> > rem License along with this library; if not, write to the Free >> Software >> > rem Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA >> > 02110-1301 USA >> > rem END COPYRIGHT BLOCK >> > >> > rem set the JAVA to use here >> > rem set JAVA=C:\j2sdk1.4.2_15\bin\java >> > >> > if not "%JAVA%foo"=="foo" goto launch >> > >> > where java > nul 2>&1 || goto findjre >> > >> > set JAVA=java >> > goto launch >> > >> > :findjre >> > rem look for Java Runtime Environment in registry >> > reg QUERY "HKLM\SOFTWARE\JavaSoft\Java Runtime Environment" > nul 2>&1 >> > || goto findjdk >> > >> > rem can we grab the java location from the registry? >> > rem set JAVA=path\bin\java >> > rem apparently not, in a batch file >> > rem goto launch >> > echo The Java Runtime Environment is installed on this machine, but >> the >> > echo command java.exe is not in your PATH. You can either make sure >> > java.exe >> > echo is in the PATH, or edit this script to set JAVA to the full >> path of >> > echo java.exe >> > pause >> > goto end >> > >> > :findjdk >> > reg QUERY "HKLM\SOFTWARE\JavaSoft\Java Development Kit" > nul 2>&1 || >> > goto nojava >> > >> > rem can we grab the java location from the registry? 
>> > rem set JAVA=path\bin\java >> > rem goto launch >> > echo The Java Development Kit is installed on this machine, but the >> > echo command java.exe is not in your PATH. You can either make sure >> > java.exe >> > echo is in the PATH, or edit this script to set JAVA to the full >> path of >> > echo java.exe >> > pause >> > goto end >> > >> > :nojava >> > echo Java does not appear to be installed on this machine. Please >> > download and install the Java Runtime Environment and make sure the >> > java.exe command is in the PATH of this command. >> > pause >> > goto end >> > >> > :launch >> > set BASEPATH=. >> > set FIDMCONSOLEJARDIR=%BASEPATH% >> > set CONSOLEJARDIR=%BASEPATH% >> > set JSSDIR=%BASEPATH% >> > set LDAPJARDIR=%BASEPATH% >> > >> > set PATH=%BASEPATH%;%PATH% >> > >> > rem >> > rem Launch the Console >> > rem >> > echo on >> > "%JAVA%" "-Djava.library.path=%JSSDIR%" -cp >> > >> "%JSSDIR%/jss4.jar;%LDAPJARDIR%/ldapjdk.jar;%CONSOLEJARDIR%/idm-console-base.jar;%CONSOLEJARDIR%/idm-console-mcc.jar;%CONSOLEJARDIR%/idm-console-mcc_en.jar;%CONSOLEJARDIR%/idm-console-nmclf.jar;%CONSOLEJARDIR%/idm-console-nmclf_en.jar;%FIDMCONSOLEJARDIR%/fedora-idm-console_en.jar" >> >> > -Djava.util.prefs.systemRoot=%HOME%/.fedora-idm-console >> > -Djava.util.prefs.userRoot=%HOME%/.fedora-idm-console >> > com.netscape.management.client.console.Console %* >> > >> > :end >> > >> > >> > Ian Blackwell wrote: >> > > On closer inspection at home, I see that I didn't set the JAVA >> value, I >> > > changed the PC so that the path to JAVA.EXE was in the >> environment. The >> > > script is able to detect this and then works. >> > > >> > > Try adding the path to your Java installation to your environment >> via >> > > the Windows Control Panel and System applet. >> > > >> > > Ian >> > > >> > > kiran madala wrote: >> > > >> > >> Hi, >> > >> >> > >> Thanks for the reply. Where exactly do I need to set my java >> variable >> > >> path? 
>> > >> >> > >> I set the java path in the .bat file its not working. I am not >> sure if >> > >> i did it the right way. below is my .bat file with changes in bold. >> > >> Thanks in advance >> > >> >> > >> >> > >> rem >> > >> rem This library is free software; you can redistribute it and/or >> > >> rem modify it under the terms of the GNU Lesser General Public >> > >> rem License as published by the Free Software Foundation version >> > >> rem 2.1 of the License. >> > >> rem >> > >> >> > >> rem This library is distributed in the hope that it will be useful, >> > >> rem but WITHOUT ANY WARRANTY; without even the implied warranty of >> > >> rem MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >> GNU >> > >> rem Lesser General Public License for more details. >> > >> rem >> > >> >> > >> rem You should have received a copy of the GNU Lesser General >> Public >> > >> rem License along with this library; if not, write to the Free >> Software >> > >> rem Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA >> > >> 02110-1301 USA >> > >> rem END COPYRIGHT BLOCK >> > >> >> > >> rem set the JAVA to use here >> > >> rem set JAVA=C:\Program Files\Java\jre1.6.0_03\bin\java >> > >> >> > >> if not "%JAVA%foo"=="foo" goto launch >> > >> >> > >> where java > nul 2>&1 || goto findjre >> > >> >> > >> set JAVA=java >> > >> goto launch >> > >> >> > >> :findjre >> > >> rem look for Java Runtime Environment in registry >> > >> reg QUERY "HKLM\SOFTWARE\JavaSoft\Java Runtime Environment" > >> nul 2>&1 >> > >> || goto findjdk >> > >> >> > >> rem can we grab the java location from the registry? >> > >> rem set JAVA=path\bin\java >> > >> rem apparently not, in a batch file >> > >> rem goto launch >> > >> echo The Java Runtime Environment is installed on this machine, >> but the >> > >> echo command java.exe is not in your PATH. 
You can either make sure >> > >> java.exe >> > >> echo is in the PATH, or edit this script to set JAVA to the full >> path of >> > >> echo java.exe >> > >> pause >> > >> goto end >> > >> >> > >> :findjdk >> > >> reg QUERY "HKLM\SOFTWARE\JavaSoft\Java Development Kit" > nul >> 2>&1 || >> > >> goto nojava >> > >> >> > >> rem can we grab the java location from the registry? >> > >> rem set JAVA=path\bin\java >> > >> rem goto launch >> > >> echo The Java Development Kit is installed on this machine, but the >> > >> echo command java.exe is not in your PATH. You can either make sure >> > >> java.exe >> > >> echo is in the PATH, or edit this script to set JAVA to the full >> path of >> > >> echo java.exe >> > >> pause >> > >> goto end >> > >> >> > >> :nojava >> > >> echo Java does not appear to be installed on this machine. Please >> > >> download and install the Java Runtime Environment and make sure the >> > >> java.exe command is in the PATH of this command. >> > >> pause >> > >> goto end >> > >> >> > >> :launch >> > >> set BASEPATH=. 
>> > >> set FIDMCONSOLEJARDIR=%BASEPATH% >> > >> set CONSOLEJARDIR=%BASEPATH% >> > >> set JSSDIR=%BASEPATH% >> > >> set LDAPJARDIR=%BASEPATH% >> > >> >> > >> set PATH=%BASEPATH%;%PATH% >> > >> >> > >> rem >> > >> rem Launch the Console >> > >> rem >> > >> echo on >> > >> "%JAVA%" "-Djava.library.path=%JSSDIR%" -cp >> > >> >> "%JSSDIR%/jss4.jar;%LDAPJARDIR%/ldapjdk.jar;%CONSOLEJARDIR%/idm-console-base.jar;%CONSOLEJARDIR%/idm-console-mcc.jar;%CONSOLEJARDIR%/idm-console-mcc_en.jar;%CONSOLEJARDIR%/idm-console-nmclf.jar;%CONSOLEJARDIR%/idm-console-nmclf_en.jar;%FIDMCONSOLEJARDIR%/fedora-idm-console_en.jar" >> >> > >> -Djava.util.prefs.systemRoot=%HOME%/.fedora-idm-console >> > >> -Djava.util.prefs.userRoot=%HOME%/.fedora-idm-console >> > >> com.netscape.management.client.console.Console %* >> > >> >> > >> :end >> > >> >> > >> >> > >> >> > >> >> ------------------------------------------------------------------------ >> > >> Date: Thu, 3 Jan 2008 07:59:42 +1030 >> > >> From: ian at ikel.id.au >> > >> To: fedora-directory-users at redhat.com >> > >> Subject: Re: [Fedora-directory-users] Windows console >> > >> >> > >> Hi, >> > >> >> > >> This happened to me as well. I think the installer can't cope >> > >> with or doesn't look for Java in your "Program Files" area, which >> > >> is where you will find the newer Javas 1.6. Edit the .bat file >> > >> and set the Java variable yourself and it should work from then on. >> > >> >> > >> Regards, >> > >> >> > >> Ian >> > >> kiran madala wrote: >> > >> >> > >> Hi, >> > >> >> > >> The windows console for 1.1 server does not work it gives me >> > >> this error >> > >> >> > >> F:\Program Files\Fedora Identity Management Console>echo off >> > >> The Java Runtime Environment is installed on this machine, but the >> > >> command java.exe is not in your PATH. You can either make >> > >> sure java.exe >> > >> is in the PATH, or edit this script to set JAVA to the full >> > >> path of >> > >> java.exe >> > >> Press any key to continue . . 
. >> > >> >> > >> >> > >> All my java programs work. The java in my class path and also >> > >> in my registry . Any idea whats causing the problem? >> > >> >> > >> >> > >> >> > >> >> > >> >> ------------------------------------------------------------------------ >> > >> HO HO HO, if you've been naughty this year, email Santa! Visit >> > >> asksanta.ca to learn more! >> > >> >> > >> >> > >> >> ------------------------------------------------------------------------ >> > >> >> > >> -- >> > >> Fedora-directory-users mailing list >> > >> Fedora-directory-users at redhat.com >> >> > >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > >> >> > >> >> > >> >> > >> >> > >> >> ------------------------------------------------------------------------ >> > >> HO HO HO, if you've been nice this year, email Santa! Visit >> > >> asksanta.ca to learn more! >> > >> >> ------------------------------------------------------------------------ >> > >> >> > >> -- >> > >> Fedora-directory-users mailing list >> > >> Fedora-directory-users at redhat.com >> > >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > >> >> > >> >> > > >> > > -- >> > > Fedora-directory-users mailing list >> > > Fedora-directory-users at redhat.com >> > > https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > >> > > >> > >> > -- >> > Fedora-directory-users mailing list >> > Fedora-directory-users at redhat.com >> > https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> ------------------------------------------------------------------------ >> HO HO HO, if you've been naughty this year, email Santa! Visit >> asksanta.ca to learn more! 
From rmeggins at redhat.com Thu Jan 3 19:59:52 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 03 Jan 2008 12:59:52 -0700
Subject: [Fedora-directory-users] problem with unique search on gidNumber
In-Reply-To: <214687.87485.qm@web50910.mail.re2.yahoo.com>
References: <214687.87485.qm@web50910.mail.re2.yahoo.com>
Message-ID: <477D3EB8.8090206@redhat.com>

Jason Beavers wrote:
> All,
>
> Any thoughts about this? I know I'm missing something but so far I'm
> still stumped.
Can you post relevant excerpts from your access log showing the search request and results? Do you see any problems in your error log? Can you post your dse.ldif, making sure to first obscure any sensitive information? Or, better, use pastebin.com to paste the information and just post links here.
>
> ----- Original Message ----
> From: Jason Beavers
> To: General discussion list for the Fedora Directory server project.
>
> Sent: Wednesday, December 19, 2007 5:22:10 PM
> Subject: Re: [Fedora-directory-users] problem with unique search on
> gidNumber
>
> that search returns ALL results with ANY gidNumber value set, not
> just those with "205"
>
> ----- Original Message ----
> From: Rich Megginson
> To: General discussion list for the Fedora Directory server project.
> > Sent: Friday, December 14, 2007 10:57:40 AM > Subject: Re: [Fedora-directory-users] problem with unique search on > gidNumber > > Jason Beavers wrote: > > Yep, "gidnumber.db4" is there. > So what does a search for "(gidNumber=205)" return? > > > > ----- Original Message ---- > > From: Rich Megginson > > > To: General discussion list for the Fedora Directory server project. > > > > > Sent: Friday, December 14, 2007 10:19:54 AM > > Subject: Re: [Fedora-directory-users] problem with unique search on > > gidNumber > > > > Jason Beavers wrote: > > > well i cheated (lazy :-) ) and edited the index configuration using > > > the Fedora console, which regenerated the indexes. > > You can check - look in /opt/fedora-ds/slapd-instancename/db/userRoot > > and see if you have a gidNumber.db4 file. > > > Or so i was lead to believe it would based on the documentation. > > > should i be forcing it by runing the perl scripts instead? > > > > > > ----- Original Message ---- > > > From: Rich Megginson >> > > > To: General discussion list for the Fedora Directory server project. > > > > > >> > > > Sent: Friday, December 14, 2007 8:08:24 AM > > > Subject: Re: [Fedora-directory-users] problem with unique search on > > > gidNumber > > > > > > Jason Beavers wrote: > > > > I'm trying to get unique searches working for "gidNumber." When > > > > trying a search as below: > > > > > > > > ./ldapsearch -b "dc=mydomain,dc=int" > > > > "(&(objectClass=groupOfNames)(gidNumber=205)(ou:dn:=Groups))" cn > > > gidNumber > > > > > > > > > > > > I'm getting results back with ALL entries with a gidNumber attribute > > > > set, instead of just the one entry that matches "gidNumber=205." > > > > I've tried adding the gidNumber attribute to the indexes, > > > What steps did you take? You created the index configuration? > Then ran > > > db2index to generate the index files? > > > > however i cannot seem to get it to respond with a unique result. 
> > > Have you tried just "(gidNumber=205)" - does that work? > > > > > > > > What am I missing? > > > > > > > > Thanks in advance. > > > > > > > > -j > > > > > > > > > > ------------------------------------------------------------------------ > > > > Never miss a thing. Make Yahoo your homepage. > > > > > > > > > > ------------------------------------------------------------------------ > > > > > > > > -- > > > > Fedora-directory-users mailing list > > > > Fedora-directory-users at redhat.com > > > > > > > > > >> > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > > > > > > > > > > ------------------------------------------------------------------------ > > > Looking for last minute shopping deals? Find them fast with Yahoo! > > > Search. > > > > > > > > > > > > > > > > ------------------------------------------------------------------------ > > > > > > -- > > > Fedora-directory-users mailing list > > > Fedora-directory-users at redhat.com > > > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > > > > ------------------------------------------------------------------------ > > Never miss a thing. Make Yahoo your homepage. > > > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > ------------------------------------------------------------------------ > Looking for last minute shopping deals? Find them fast with Yahoo! > Search. > > > > ------------------------------------------------------------------------ > Looking for last minute shopping deals? Find them fast with Yahoo! > Search. 
From kmarsh at gdrs.com Fri Jan 4 00:34:09 2008
From: kmarsh at gdrs.com (Ken Marsh)
Date: Thu, 3 Jan 2008 19:34:09 -0500
Subject: [Fedora-directory-users] Admin server startup errors 1.0.4-1 on RHEWS3
Message-ID: <5AD9B0E562FEFB4E933861904D7135C568872A@gdrs-exchange.gdrs.com>

Hi all,

I gave up on ES5 64 bit due to the FDS/Apache 2.2 httpd.conf conflicts. I guess I could craft my own httpd.conf, but I'm not feeling creative. :-)

I've installed fedora-ds-1.0.4-1.RHEL3.i386.opt.rpm on RHEWS3 where it is much happier with the Apache 2.0 worker installed there. Once again the admin server configuration bombed out, and I can start a console but it finds no admin server to connect to. Once again, I hacked up the *.conf.tmpl templates, copied up start-admin script and linked the modules and the magic file in from their OS locations. Oh yeah, had to set LD_LIBRARY_PATH to /opt/fedora-ds/bin/slapd/lib .

Now when I try to start the admin server, I get no stderr or stdout and an exit value of 1. In the admin-serv/logs/error is:

[Thu Jan 03 18:19:53 2008] [error] (1)Operation not permitted: mod_mime_magic: can't read magic file /opt/fedora-ds/admin-serv/conf/magic
[Thu Jan 03 18:19:54 2008] [crit] mod_admserv_post_config(): unable to create AdmldapInfo
Configuration Failed!
[Thu Jan 03 18:57:46 2008] [crit] mod_admserv_post_config(): unable to create AdmldapInfo
Configuration Failed!

When I try to check on the config information in the DS, I get this error:

# ./ldapsearch -b o=netscaperoot -D "cn=directory manager" -w 'mypassword' "objectclass=nsAdminConfig" dn
ldap_search: No such object

Any ideas? It looked like the admin server setup script bombed out before it populated the directory server (which seems to be running). How do I duplicate what it was supposed to do?

Perhaps a deeper question, why does the admin setup script bomb out on two very different architectures?

Thanks,
Ken.

From rmeggins at redhat.com Fri Jan 4 01:05:02 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 03 Jan 2008 18:05:02 -0700
Subject: [Fedora-directory-users] Admin server startup errors 1.0.4-1 on RHEWS3
In-Reply-To: <5AD9B0E562FEFB4E933861904D7135C568872A@gdrs-exchange.gdrs.com>
References: <5AD9B0E562FEFB4E933861904D7135C568872A@gdrs-exchange.gdrs.com>
Message-ID: <477D863E.2010006@redhat.com>

Ken Marsh wrote:
>
> Hi all,
>
> I gave up on ES5 64 bit due to the FDS/Apache 2.2 httpd.conf
> conflicts. I guess I could craft my own httpd.conf, but I'm not
> feeling creative. :-)
>
> I've installed fedora-ds-1.0.4-1.RHEL3.i386.opt.rpm on RHEWS3 where it
> is much happier with the Apache 2.0 worker installed there. Once again
> the admin server configuration bombed out,
>
This is the cause of all of your subsequent problems. If setup fails to configure the admin server, it will be practically impossible to do anything else with the admin server or console. So let's start there. What errors did you get during setup?
>
> and I can start a console but it finds no admin server to connect to.
> Once again, I hacked up the *.conf.tmpl templates, copied up
> start-admin script and linked the modules and the magic file in from
> their OS locations. Oh yeah, had to set LD_LIBRARY_PATH to
> /opt/fedora-ds/bin/slapd/lib .
>
> Now when I try to start the admin server, I get no stderr or stdout
> and an exit value of 1. In the admin-serv/logs/error is:
>
> [Thu Jan 03 18:19:53 2008] [error] (1)Operation not permitted:
> mod_mime_magic: can't read magic file /opt/fedora-ds/admin-serv/conf/magic
>
> [Thu Jan 03 18:19:54 2008] [crit] mod_admserv_post_config(): unable to
> create AdmldapInfo
>
> Configuration Failed!
>
> [Thu Jan 03 18:57:46 2008] [crit] mod_admserv_post_config(): unable to
> create AdmldapInfo
>
> Configuration Failed!
>
> When I try to check on the config information in the DS, I get this error:
>
> # ./ldapsearch -b o=netscaperoot -D "cn=directory manager" -w
> 'mypassword' "objectclass=nsAdminConfig" dn
>
> ldap_search: No such object
>
> Any ideas? It looked like the admin server setup script bombed out
> before it populated the directory server (which seems to be running).
> How do I duplicate what it was supposed to do?
>
> Perhaps a deeper question, why does the admin setup script bomb out on
> two very different architectures?
>
This usually has to do with hostname resolution i.e. the hostname you chose does not resolve to the configured IP address or vice versa.
>
> Thanks,
>
> Ken.
>
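
A check for the condition Rich describes, that the chosen hostname and the configured IP address resolve to each other, as an added example that is not part of the original messages or of Fedora DS. The function names, the hosts under example.test and the 192.0.2.x addresses are constructed for illustration; the lookups are injectable so the sample data runs offline, and the loopback warning is an extra the check adds.

```python
import ipaddress
import socket


def system_forward(hostname):
    """Addresses the local resolver (hosts file, then DNS) returns for hostname."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except OSError:
        return set()
    # Drop any IPv6 zone suffix such as "%eth0" so ipaddress can parse it.
    return {info[4][0].split("%")[0] for info in infos}


def system_reverse(ip):
    """Names (primary plus aliases) the local resolver returns for ip."""
    try:
        primary, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return set()
    return {primary, *aliases}


def _norm(name):
    """Compare names case-insensitively and without a trailing dot."""
    return name.lower().rstrip(".")


def check_resolution(hostname, configured_ip,
                     forward=system_forward, reverse=system_reverse):
    """Return a list of problems; an empty list means both directions agree."""
    problems = []
    want = ipaddress.ip_address(configured_ip)

    # Forward: the hostname given to setup must resolve to the configured IP.
    addrs = {ipaddress.ip_address(a) for a in forward(hostname)}
    if not addrs:
        problems.append(f"forward: {hostname} does not resolve")
    elif want not in addrs:
        got = ", ".join(sorted(str(a) for a in addrs))
        problems.append(f"forward: {hostname} resolves to {got}, not {want}")
        if any(a.is_loopback for a in addrs):
            problems.append(f"forward: {hostname} is mapped to a loopback address")

    # Reverse: the configured IP must resolve back to the same hostname.
    names = {_norm(n) for n in reverse(str(want))}
    if not names:
        problems.append(f"reverse: {want} has no name")
    elif _norm(hostname) not in names:
        got = ", ".join(sorted(names))
        problems.append(f"reverse: {want} resolves to {got}, not {hostname}")
    return problems


# Constructed resolver data (not taken from the thread) for an offline run.
SAMPLE_FORWARD = {
    "ldap.example.test": {"192.0.2.10"},   # consistent in both directions
    "ds.example.test": {"127.0.0.1"},      # hostname mapped to loopback
}
SAMPLE_REVERSE = {"192.0.2.10": {"ldap.example.test"}}


def sample_forward(hostname):
    return SAMPLE_FORWARD.get(_norm(hostname), set())


def sample_reverse(ip):
    return SAMPLE_REVERSE.get(ip, set())


if __name__ == "__main__":
    for host in ("ldap.example.test", "ds.example.test"):
        found = check_resolution(host, "192.0.2.10", sample_forward, sample_reverse)
        print(host, "OK" if not found else found)
```

Calling `check_resolution(name, ip)` without the last two arguments uses the system resolver, which is the view of name resolution the machine itself has.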

From chee.benny at gmail.com Fri Jan 4 07:45:58 2008
From: chee.benny at gmail.com (Benny Chee)
Date: Fri, 4 Jan 2008 15:45:58 +0800
Subject: [Fedora-directory-users] Empty server list on Console when using remotely
Message-ID: <700685de0801032345t325b2b3ag428176e5e5be1763@mail.gmail.com>

Hi all,

I installed FDS on FC8 using the rpms available:
- fedora-ds-base
- fedora-ds-base-devel
- fedora-ds-admin
- idm-console-framework
- fedora-idm-console
- fedora-ds-console
- fedora-admin-console

I use the "fedora-idm-console" command locally and was able to view my admin and directory servers. However, when I tried to access the console remotely using the jars files and startconsole scripts from FC6, I was able to authenticate into the console but was presented an empty list under "servers and applications".

Anyone got any idea?

benny

From ian at ikel.id.au Fri Jan 4 08:52:09 2008
From: ian at ikel.id.au (Ian Blackwell)
Date: Fri, 04 Jan 2008 19:22:09 +1030
Subject: [Fedora-directory-users] Can't access DSGW
In-Reply-To: <477D3B7E.3000300@redhat.com>
References: <47748BEA.5080201@ikel.id.au> <477D3B7E.3000300@redhat.com>
Message-ID: <477DF3B9.4040508@ikel.id.au>

Hello Rich,

I believe my problems with the Windows Console were firewall related and are now fixed (I can access my DS server now).

Thanks,

Ian

Rich Megginson wrote:
> Ian Blackwell wrote:
> Hi,
>
> I've just built a FC8 server and am trying now to
> install/configure/use Fedora-DS 1.1. I've managed to get it working
> to some degree, but I can't get access to the directory server
> gateway.
>
> It is not included with Fedora DS 1.1. The links have been removed
> from the Fedora DS 1.1 final. I apologize that they were present in
> the Fedora DS 1.1 beta.
> Several things appear to be wrong/missing at present, but
> after many hours trying to find out what, I'm stumped - hence this email.
>
> Firstly when I browse to http://myserver:9830 the graphic images
> aren't appearing.
>
> Next, when I click on the Directory Server Gateway
> link I get
> this error:-
> "The requested URL /clients/dsgw/bin/lang was not found on this server."
> This is from the admin-server error log:-
> [Fri Dec 28 15:59:37 2007] [error] [client 192.168.2.254] File does
> not exist: /usr/share/dirsrv/html/clients, referer:
> http://myserver:9830/bin/admin/admin/bin/download
> I can connect to Fedora Administration Express
>
> without any trouble, but it doesn't appear to offer anything
> useful... Is there a RPM that I'm missing perhaps? Here's a list of
> the relevant RPMs installed:-
> fedora-ds-console-1.1.0-4
> fedora-ds-base-1.1.0-2.0.fc8
> fedora-ds-1.1.0-2.0.fc8
> fedora-ds-admin-1.1.0-1.15.fc8
> fedora-admin-console-1.1.0-3.fc6
> idm-console-framework-1.1.0-1
> fedora-idm-console-1.1.0-4
>
> Finally, I've tried to use the Fedora IDM Console from Windows, but
> can't get that working either. When I connect to it, it seems to fail
> to connect to the ldap service and wants to restart it.
>
>
> Did you use the new Windows package? Are there any DNS or firewall
> issues? You can edit the .bat file and add the -D 9 argument to the
> end of the console command line to get more debugging information.
> Thanks to anyone that can point me in the right direction with this...
>
> Regards,
>
> Ian Blackwell

From ian at ikel.id.au Fri Jan 4 09:08:39 2008
From: ian at ikel.id.au (Ian Blackwell)
Date: Fri, 04 Jan 2008 19:38:39 +1030
Subject: [Fedora-directory-users] Windows console
In-Reply-To: <477D3C39.9030800@redhat.com>
References: <477C0246.5090907@ikel.id.au> <477C3EF6.1040105@ikel.id.au> <477C40DC.3090300@ikel.id.au> <477C605E.80605@ikel.id.au> <477D3C39.9030800@redhat.com>
Message-ID: <477DF797.7070109@ikel.id.au>

Hi again,

I've been using Red Hat and Fedora for almost 9 years now (just last month I decommissioned my oldest RH7.2 server). I've had LDAP servers working with FC5 and haven't had a problem. I'm a RH Technician and am hoping to gain Engineer qualifications next month, so I feel familiar with Fedora and RH products.

In December I built a new server for my home network based on Fedora 8 and decided to use Fedora Directory Services as well. Perhaps the fresh install contributed to my jaundiced view of FDS, because I had more problems than I expected getting my new server working the way I wanted (Postfix/Cyrus issue predominately). Anyway, when I got to FDS it would be fair to say I was annoyed with F8. I even downloaded Ubuntu and almost got to the point of burning a DVD to see if it might be easier than F8.

In this frame of mind I wasn't able to cope well with the frustration of trying to get FDS 1.1 working, using the documentation from the FDS website. I found it particularly unhelpful with respect to FDS 1.1 and F8. I found stacks of information about FC6 and 1.0.4, but had real trouble finding useful doco about F8 and FDS 1.1.
The confusion about what was in and out of the release, the packaging changes, and having problems accessing the console just made me p---ed off. I also had trouble finding where the yum updates were, which was my fault for not reading properly the doco that was useful.

Anyway, I'm back on track now and will persevere until I get it working. Yours and other posts to this forum have helped me to see how other users are working with FDS, and I am confident I'll have an operational server fairly soon. Now that I have console access, it all seems much easier...

Regards,

Ian

Rich Megginson wrote:
> Ian Blackwell wrote:
>> Nope. I can get the console connection window where I enter my login
>> details, but it won't connect.
> Please try adding the -D 9 arguments to the end of the command line.
> This will cause lots of debugging information to spew forth.
>> I've still got stacks of problems with my implementation that I'm
>> trying to get resolved via this forum as well.
> Most (if not all) of the developers have been on vacation from
> December 21 until now.
>> To be frank, I'm not that impressed with the product, documentation,
>> or anything else to do with Fedora-DS.
> Can you be more specific?
>>
>> Ian
>>
>> kiran madala wrote:
>>> Thanks again for the info. I got that fixed. I changed the set java
>>> variable removing the rem in the bat file. But now it is not
>>> connecting to my ds server. It connects from the local machine
>>> though. I am running the ds server on fedora 6 which on vmware
>>> virtual machine. I am using the ip address of the machine along with
>>> admin port to connect from windows host machine.
>>> I was wondering if you ever have got it running successfully?
>>>
>>> Thank you.
>>> >>> >>> >>> ------------------------------------------------------------------------ >>> >>> > Date: Thu, 3 Jan 2008 12:26:44 +1030 >>> > From: ian at ikel.id.au >>> > To: fedora-directory-users at redhat.com >>> > Subject: Re: [Fedora-directory-users] Windows console >>> > >>> > Just for the record, here's my BAT file as well... >>> > echo off >>> > rem BEGIN COPYRIGHT BLOCK >>> > rem Copyright (C) 2005 Red Hat, Inc. >>> > rem All rights reserved. >>> > rem >>> > rem This library is free software; you can redistribute it and/or >>> > rem modify it under the terms of the GNU Lesser General Public >>> > rem License as published by the Free Software Foundation version >>> > rem 2.1 of the License. >>> > rem >>> > >>> > rem This library is distributed in the hope that it will be useful, >>> > rem but WITHOUT ANY WARRANTY; without even the implied warranty of >>> > rem MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU >>> > rem Lesser General Public License for more details. >>> > rem >>> > >>> > rem You should have received a copy of the GNU Lesser General Public >>> > rem License along with this library; if not, write to the Free >>> Software >>> > rem Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA >>> > 02110-1301 USA >>> > rem END COPYRIGHT BLOCK >>> > >>> > rem set the JAVA to use here >>> > rem set JAVA=C:\j2sdk1.4.2_15\bin\java >>> > >>> > if not "%JAVA%foo"=="foo" goto launch >>> > >>> > where java > nul 2>&1 || goto findjre >>> > >>> > set JAVA=java >>> > goto launch >>> > >>> > :findjre >>> > rem look for Java Runtime Environment in registry >>> > reg QUERY "HKLM\SOFTWARE\JavaSoft\Java Runtime Environment" > nul >>> 2>&1 >>> > || goto findjdk >>> > >>> > rem can we grab the java location from the registry? >>> > rem set JAVA=path\bin\java >>> > rem apparently not, in a batch file >>> > rem goto launch >>> > echo The Java Runtime Environment is installed on this machine, >>> but the >>> > echo command java.exe is not in your PATH. 
You can either make sure >>> > java.exe >>> > echo is in the PATH, or edit this script to set JAVA to the full >>> path of >>> > echo java.exe >>> > pause >>> > goto end >>> > >>> > :findjdk >>> > reg QUERY "HKLM\SOFTWARE\JavaSoft\Java Development Kit" > nul 2>&1 || >>> > goto nojava >>> > >>> > rem can we grab the java location from the registry? >>> > rem set JAVA=path\bin\java >>> > rem goto launch >>> > echo The Java Development Kit is installed on this machine, but the >>> > echo command java.exe is not in your PATH. You can either make sure >>> > java.exe >>> > echo is in the PATH, or edit this script to set JAVA to the full >>> path of >>> > echo java.exe >>> > pause >>> > goto end >>> > >>> > :nojava >>> > echo Java does not appear to be installed on this machine. Please >>> > download and install the Java Runtime Environment and make sure the >>> > java.exe command is in the PATH of this command. >>> > pause >>> > goto end >>> > >>> > :launch >>> > set BASEPATH=. >>> > set FIDMCONSOLEJARDIR=%BASEPATH% >>> > set CONSOLEJARDIR=%BASEPATH% >>> > set JSSDIR=%BASEPATH% >>> > set LDAPJARDIR=%BASEPATH% >>> > >>> > set PATH=%BASEPATH%;%PATH% >>> > >>> > rem >>> > rem Launch the Console >>> > rem >>> > echo on >>> > "%JAVA%" "-Djava.library.path=%JSSDIR%" -cp >>> > >>> "%JSSDIR%/jss4.jar;%LDAPJARDIR%/ldapjdk.jar;%CONSOLEJARDIR%/idm-console-base.jar;%CONSOLEJARDIR%/idm-console-mcc.jar;%CONSOLEJARDIR%/idm-console-mcc_en.jar;%CONSOLEJARDIR%/idm-console-nmclf.jar;%CONSOLEJARDIR%/idm-console-nmclf_en.jar;%FIDMCONSOLEJARDIR%/fedora-idm-console_en.jar" >>> >>> > -Djava.util.prefs.systemRoot=%HOME%/.fedora-idm-console >>> > -Djava.util.prefs.userRoot=%HOME%/.fedora-idm-console >>> > com.netscape.management.client.console.Console %* >>> > >>> > :end >>> > >>> > >>> > Ian Blackwell wrote: >>> > > On closer inspection at home, I see that I didn't set the JAVA >>> value, I >>> > > changed the PC so that the path to JAVA.EXE was in the >>> environment. 
The >>> > > script is able to detect this and then works. >>> > > >>> > > Try adding the path to your Java installation to your >>> environment via >>> > > the Windows Control Panel and System applet. >>> > > >>> > > Ian >>> > > >>> > > kiran madala wrote: >>> > > >>> > >> Hi, >>> > >> >>> > >> Thanks for the reply. Where exactly do I need to set my java >>> variable >>> > >> path? >>> > >> >>> > >> I set the java path in the .bat file its not working. I am not >>> sure if >>> > >> i did it the right way. below is my .bat file with changes in >>> bold. >>> > >> Thanks in advance >>> > >> >>> > >> >>> > >> rem >>> > >> rem This library is free software; you can redistribute it and/or >>> > >> rem modify it under the terms of the GNU Lesser General Public >>> > >> rem License as published by the Free Software Foundation version >>> > >> rem 2.1 of the License. >>> > >> rem >>> > >> >>> > >> rem This library is distributed in the hope that it will be >>> useful, >>> > >> rem but WITHOUT ANY WARRANTY; without even the implied warranty of >>> > >> rem MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See >>> the GNU >>> > >> rem Lesser General Public License for more details. 
>>> > >> rem >>> > >> >>> > >> rem You should have received a copy of the GNU Lesser General >>> Public >>> > >> rem License along with this library; if not, write to the Free >>> Software >>> > >> rem Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA >>> > >> 02110-1301 USA >>> > >> rem END COPYRIGHT BLOCK >>> > >> >>> > >> rem set the JAVA to use here >>> > >> rem set JAVA=C:\Program Files\Java\jre1.6.0_03\bin\java >>> > >> >>> > >> if not "%JAVA%foo"=="foo" goto launch >>> > >> >>> > >> where java > nul 2>&1 || goto findjre >>> > >> >>> > >> set JAVA=java >>> > >> goto launch >>> > >> >>> > >> :findjre >>> > >> rem look for Java Runtime Environment in registry >>> > >> reg QUERY "HKLM\SOFTWARE\JavaSoft\Java Runtime Environment" > >>> nul 2>&1 >>> > >> || goto findjdk >>> > >> >>> > >> rem can we grab the java location from the registry? >>> > >> rem set JAVA=path\bin\java >>> > >> rem apparently not, in a batch file >>> > >> rem goto launch >>> > >> echo The Java Runtime Environment is installed on this machine, >>> but the >>> > >> echo command java.exe is not in your PATH. You can either make >>> sure >>> > >> java.exe >>> > >> echo is in the PATH, or edit this script to set JAVA to the >>> full path of >>> > >> echo java.exe >>> > >> pause >>> > >> goto end >>> > >> >>> > >> :findjdk >>> > >> reg QUERY "HKLM\SOFTWARE\JavaSoft\Java Development Kit" > nul >>> 2>&1 || >>> > >> goto nojava >>> > >> >>> > >> rem can we grab the java location from the registry? >>> > >> rem set JAVA=path\bin\java >>> > >> rem goto launch >>> > >> echo The Java Development Kit is installed on this machine, but >>> the >>> > >> echo command java.exe is not in your PATH. You can either make >>> sure >>> > >> java.exe >>> > >> echo is in the PATH, or edit this script to set JAVA to the >>> full path of >>> > >> echo java.exe >>> > >> pause >>> > >> goto end >>> > >> >>> > >> :nojava >>> > >> echo Java does not appear to be installed on this machine. 
Please >>> > >> download and install the Java Runtime Environment and make sure >>> the >>> > >> java.exe command is in the PATH of this command. >>> > >> pause >>> > >> goto end >>> > >> >>> > >> :launch >>> > >> set BASEPATH=. >>> > >> set FIDMCONSOLEJARDIR=%BASEPATH% >>> > >> set CONSOLEJARDIR=%BASEPATH% >>> > >> set JSSDIR=%BASEPATH% >>> > >> set LDAPJARDIR=%BASEPATH% >>> > >> >>> > >> set PATH=%BASEPATH%;%PATH% >>> > >> >>> > >> rem >>> > >> rem Launch the Console >>> > >> rem >>> > >> echo on >>> > >> "%JAVA%" "-Djava.library.path=%JSSDIR%" -cp >>> > >> >>> "%JSSDIR%/jss4.jar;%LDAPJARDIR%/ldapjdk.jar;%CONSOLEJARDIR%/idm-console-base.jar;%CONSOLEJARDIR%/idm-console-mcc.jar;%CONSOLEJARDIR%/idm-console-mcc_en.jar;%CONSOLEJARDIR%/idm-console-nmclf.jar;%CONSOLEJARDIR%/idm-console-nmclf_en.jar;%FIDMCONSOLEJARDIR%/fedora-idm-console_en.jar" >>> >>> > >> -Djava.util.prefs.systemRoot=%HOME%/.fedora-idm-console >>> > >> -Djava.util.prefs.userRoot=%HOME%/.fedora-idm-console >>> > >> com.netscape.management.client.console.Console %* >>> > >> >>> > >> :end >>> > >> >>> > >> >>> > >> >>> > >> >>> ------------------------------------------------------------------------ >>> >>> > >> Date: Thu, 3 Jan 2008 07:59:42 +1030 >>> > >> From: ian at ikel.id.au >>> > >> To: fedora-directory-users at redhat.com >>> > >> Subject: Re: [Fedora-directory-users] Windows console >>> > >> >>> > >> Hi, >>> > >> >>> > >> This happened to me as well. I think the installer can't cope >>> > >> with or doesn't look for Java in your "Program Files" area, which >>> > >> is where you will find the newer Javas 1.6. Edit the .bat file >>> > >> and set the Java variable yourself and it should work from then >>> on. 
>>> > >> >>> > >> Regards, >>> > >> >>> > >> Ian >>> > >> kiran madala wrote: >>> > >> >>> > >> Hi, >>> > >> >>> > >> The windows console for 1.1 server does not work it gives me >>> > >> this error >>> > >> >>> > >> F:\Program Files\Fedora Identity Management Console>echo off >>> > >> The Java Runtime Environment is installed on this machine, but the >>> > >> command java.exe is not in your PATH. You can either make >>> > >> sure java.exe >>> > >> is in the PATH, or edit this script to set JAVA to the full >>> > >> path of >>> > >> java.exe >>> > >> Press any key to continue . . . >>> > >> >>> > >> >>> > >> All my java programs work. The java in my class path and also >>> > >> in my registry . Any idea whats causing the problem? >>> > >> >>> > >> >>> > >> >>> > >> >>> > >> >>> ------------------------------------------------------------------------ >>> >>> > >> HO HO HO, if you've been naughty this year, email Santa! Visit >>> > >> asksanta.ca to learn more! >>> > >> >>> > >> >>> > >> >>> ------------------------------------------------------------------------ >>> >>> > >> >>> > >> -- >>> > >> Fedora-directory-users mailing list >>> > >> Fedora-directory-users at redhat.com >>> >>> > >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> > >> >>> > >> >>> > >> >>> > >> >>> > >> >>> ------------------------------------------------------------------------ >>> >>> > >> HO HO HO, if you've been nice this year, email Santa! Visit >>> > >> asksanta.ca to learn more! 
From rmeggins at redhat.com Fri Jan 4 13:39:39 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 04 Jan 2008 06:39:39 -0700
Subject: [Fedora-directory-users] Empty server list on Console when using remotely
In-Reply-To: <700685de0801032345t325b2b3ag428176e5e5be1763@mail.gmail.com>
References: <700685de0801032345t325b2b3ag428176e5e5be1763@mail.gmail.com>
Message-ID: <477E371B.10608@redhat.com>

Benny Chee wrote:
> Hi all,
>
> I installed FDS on FC8 using the rpms available:
>
> * fedora-ds-base
> * fedora-ds-base-devel
> * fedora-ds-admin
> * idm-console-framework
> * fedora-idm-console
> * fedora-ds-console
> * fedora-admin-console
>
> I use the "fedora-idm-console" command locally and was able to view
> my admin and directory servers. However, when i tried to access the
> console remotely using the jars files and startconsole scripts from FC6,
So these are the Fedora DS 1.0.4 scripts? I'm not sure if those will
work with Fedora DS 1.1 - try startconsole -D 9 to see if there are any
errors. The other way around should work - you should be able to use
the Fedora DS 1.1 console to manage Fedora DS 1.0.4 servers.
> i was able to authenticate into the console but was presented an empty
> list under "servers and applications". Anyone got any idea?
>
> benny

From dane.shea at comcast.net Fri Jan 4 05:41:44 2008
From: dane.shea at comcast.net (dane.shea at comcast.net)
Date: Fri, 04 Jan 2008 05:41:44 +0000
Subject: [Fedora-directory-users] ERROR: Administration Server configuration failed. Not sure what the problem is
Message-ID: <010420080541.26902.477DC7180008F26F0000691622058864420E0A089CD20A020E0B@comcast.net>

Hi, I am trying to install this wonderful tool and I keep having the same problem!

Continue? (yes/no) yes

Please select the install mode:
1 - Express - minimal questions
2 - Typical - some customization (default)
3 - Custom - lots of customization

Please select 1, 2, or 3 (default: 2) 2

Hostname to use (default: daneshea.com)

Server user ID to use (default: nobody) fedorauser

Server group ID to use (default: nobody) fedorauser
[slapd-daneshea]: starting up server ...
[slapd-daneshea]: Fedora-Directory/1.0.4 B2006.312.1539
[slapd-daneshea]: daneshea.com:59029 (/opt/fedora-ds/slapd-daneshea)
[slapd-daneshea]:
[slapd-daneshea]: [03/Jan/2008:23:40:50 -0600] - Fedora-Directory/1.0.4 B2006.312.1539 starting up
[slapd-daneshea]: [03/Jan/2008:23:40:54 -0600] - slapd started. Listening on All Interfaces port 59029 for LDAP requests
Your new directory server has been started.
Created new Directory Server
Start Slapd Starting Slapd server configuration.
Success Slapd Added Directory Server information to Configuration Server.
Configuring Administration Server...
ERROR: Administration Server configuration failed.

You can now use the console. Here is the command to use to start the console:
cd /opt/fedora-ds
./startconsole -u admin -a http://daneshea.com:33334/

INFO Finished with setup, logfile is setup/setup.log
[root at daneshea fedora-ds]#

--
Thanks
Dane Shea

From rmeggins at redhat.com Fri Jan 4 15:15:12 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 04 Jan 2008 08:15:12 -0700
Subject: [Fedora-directory-users] ERROR: Administration Server configuration failed. Not sure what the problem is
In-Reply-To: <010420080541.26902.477DC7180008F26F0000691622058864420E0A089CD20A020E0B@comcast.net>
References: <010420080541.26902.477DC7180008F26F0000691622058864420E0A089CD20A020E0B@comcast.net>
Message-ID: <477E4D80.4030505@redhat.com>

dane.shea at comcast.net wrote:
> Hi, I am trying to install this wonderful tool and I keep having the same problem!
>
Does daneshea.com resolve to an IP address? And does that IP address
reverse resolve to daneshea.com? Is there any information in
/opt/fedora-ds/admin-serv/logs/access or error?
>
> Continue? (yes/no) yes
>
> Please select the install mode:
> 1 - Express - minimal questions
> 2 - Typical - some customization (default)
> 3 - Custom - lots of customization
>
> Please select 1, 2, or 3 (default: 2) 2
>
> Hostname to use (default: daneshea.com)
>
> Server user ID to use (default: nobody) fedorauser
>
> Server group ID to use (default: nobody) fedorauser
> [slapd-daneshea]: starting up server ...
> [slapd-daneshea]: Fedora-Directory/1.0.4 B2006.312.1539
> [slapd-daneshea]: daneshea.com:59029 (/opt/fedora-ds/slapd-daneshea)
> [slapd-daneshea]:
> [slapd-daneshea]: [03/Jan/2008:23:40:50 -0600] - Fedora-Directory/1.0.4 B2006.312.1539 starting up
> [slapd-daneshea]: [03/Jan/2008:23:40:54 -0600] - slapd started. Listening on All Interfaces port 59029 for LDAP requests
> Your new directory server has been started.
> Created new Directory Server
> Start Slapd Starting Slapd server configuration.
> Success Slapd Added Directory Server information to Configuration Server.
> Configuring Administration Server...
> ERROR: Administration Server configuration failed.
>
> You can now use the console. Here is the command to use to start the console:
> cd /opt/fedora-ds
> ./startconsole -u admin -a http://daneshea.com:33334/
>
> INFO Finished with setup, logfile is setup/setup.log
> [root at daneshea fedora-ds]#
>
> --
> Thanks
> Dane Shea

From rmeggins at redhat.com Fri Jan 4 16:41:10 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 04 Jan 2008 09:41:10 -0700
Subject: [Fedora-directory-users] Windows console
In-Reply-To: <477DF797.7070109@ikel.id.au>
References: <477C0246.5090907@ikel.id.au> <477C3EF6.1040105@ikel.id.au> <477C40DC.3090300@ikel.id.au> <477C605E.80605@ikel.id.au> <477D3C39.9030800@redhat.com> <477DF797.7070109@ikel.id.au>
Message-ID: <477E61A6.2090603@redhat.com>

Ian Blackwell wrote:
> Hi again,
>
> I've been using Red Hat and Fedora for almost 9 years now (just last
> month I decommissioned my oldest RH7.2 server). I've had LDAP servers
> working with FC5 and haven't had a problem. I'm a RH Technician and
> am hoping to gain Engineer qualifications next month, so I feel
> familiar with Fedora and RH products.
>
> In December I built a new server for my home network based on Fedora 8
> and decided to use Fedora Directory Services as well. Perhaps the
> fresh install contributed to my jaundiced view of FDS, because I had
> more problems than I expected getting my new server working the way I
> wanted (Postfix/Cyrus issue predominately).
If these are issues with Postfix/Cyrus integration with Fedora DS, I'd
like to know what they are.
>
> Anyway, when I got to FDS it would be fair to say I was annoyed with
> F8. I even downloaded Ubuntu and almost got to the point of burning a
> DVD to see if it might be easier than F8. In this frame of mind I
> wasn't able to cope well with the frustration of trying to get FDS 1.1
> working, using the documentation from the FDS website. I found it
> particularly unhelpful with respect to FDS 1.1 and F8. I found stacks
> of information about FC6 and 1.0.4, but had real trouble finding
> useful doco about F8 and FDS 1.1. The confusion about what was in and
> out of the release, the packaging changes, and having problems
> accessing the console just made be p---ed off. I also had trouble
> finding where the yum updates were, which was my fault for not reading
> properly the doco that was useful.
I've seen no problems reported with using the Fedora Core 6 bits of
Fedora DS 1.0.4 on Fedora 7 and higher. What problems have you run into?
Fedora DS 1.1 will fully support Fedora 7 and higher. I'm just waiting
for the bits to be released and pushed out to the mirror sites - that's
only holdup with the official final Fedora DS 1.1 release.
Getting Fedora DS running on Ubuntu will be much harder than getting it
running on Fedora. I would like this to change, provided someone with
some time and Debian/Ubuntu expertise can help out the project. Now that
everything is fully autotool-ized and FHS-ized (at least the Fedora DS
bits) it should be easy to build it on platforms other than RHEL/Fedora.
If you're interested, see http://directory.fedoraproject.org/wiki/Building
>
> Anyway, I'm back on track now and will persevere until I get it
> working. Yours and other posts to this forum have helped me to see
> how other users are working with FDS, and I am confident I'll have an
> operational server fairly soon. Now that I have console access, it
> all seems much easier...
>
> Regards,
>
> Ian
>
> Rich Megginson wrote:
>> Ian Blackwell wrote:
>>> Nope. I can get the console connection window where I enter my
>>> login details, but it won't connect.
>> Please try adding the -D 9 arguments to the end of the command line.
>> This will cause lots of debugging information to spew forth.
>>> I've still got stacks of problems with my implementation that I'm
>>> trying to get resolved via this forum as well.
>> Most (if not all) of the developers have been on vacation from
>> December 21 until now.
>>> To be frank, I'm not that impressed with the product, documentation,
>>> or anything else to do with Fedora-DS.
>> Can you be more specific?
>>>
>>> Ian
>>>
>>> kiran madala wrote:
>>>> Thanks again for the info. I got that fixed. I changed the set
>>>> java variable removing the rem in the bat file. But now its is not
>>>> connecting to my ds server. it connects from the local machine
>>>> though. I am running the ds server on fedora 6 which on vmware
>>>> virtual machine. I am using the ip address of the machine along
>>>> with admin port to connect from windows host machine.
>>>> I was wondering if you ever have got it running successfully?
>>>>
>>>> Thank you.

From gm4rtin at gmail.com Fri Jan 4 20:37:32 2008
From: gm4rtin at gmail.com (Me)
Date: Fri, 4 Jan 2008 15:37:32 -0500
Subject: [Fedora-directory-users] Problems configuring Samba PDC + FDS error "No privileges assigned to SID"
Message-ID: <43806ba60801041237r21febe04wb929768fd24dc8e5@mail.gmail.com>

I am having trouble getting samba-3.0.24-11 setup as a PDC with an ldap
backend using FDS on a FC6 test box. I have installed the 1.0.4-1 version
of the directory server accepting the defaults except for the server name
with out any problems. I can query the directory server and it is
populated with the proper objects. I am using the instructions in the
Howto:Samba documentation on the FDS Wiki site .
I am able to perform all of the tasks without any problems until I get to
the part of the install that has me run the following command:

net groupmap list
[2008/01/04 14:07:31, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(3051)
  ldapsam_setsamgrent: LDAP search failed: No such object
[2008/01/04 14:07:31, 0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(3123)
  ldapsam_enum_group_mapping: Unable to open passdb

I can query the directory successfully with the following output:

ldapsearch -b dc=test,dc=com -x 'Domain*'
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: Domain*
#

# test.com
dn: dc=test,dc=com

# Directory Administrators, test.com
dn: cn=Directory Administrators, dc=test,dc=com

# Groups, test.com
dn: ou=Groups, dc=test,dc=com

# People, test.com
dn: ou=People, dc=test,dc=com

# Special Users, test.com
dn: ou=Special Users,dc=test,dc=com

# Accounting Managers, groups, test.com
dn: cn=Accounting Managers,ou=groups,dc=test,dc=com

# HR Managers, groups, test.com
dn: cn=HR Managers,ou=groups,dc=test,dc=com

# QA Managers, groups, test.com
dn: cn=QA Managers,ou=groups,dc=test,dc=com

# PD Managers, groups, test.com
dn: cn=PD Managers,ou=groups,dc=test,dc=com

# DOMAIN, test.com
dn: sambaDomainName=DOMAIN,dc=test,dc=com

# Domain Admins, Groups, test.com
dn: cn=Domain Admins,ou=Groups,dc=test,dc=com

# Domain Users, Groups, test.com
dn: cn=Domain Users,ou=Groups,dc=test,dc=com

# Domain Guests, Groups, test.com
dn: cn=Domain Guests,ou=Groups,dc=test,dc=com

# Domain Computers, Groups, test.com
dn: cn=Domain Computers,ou=Groups,dc=test,dc=com

# IS, Groups, test.com
dn: cn=IS,ou=Groups,dc=test,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 16
# numEntries: 15

If I start samba I get the "No privileges assigned to SID" message. I have
attached a copy of the log below:

[2008/01/04 14:52:07, 0] smbd/server.c:main(847)
  smbd version 3.0.24-11.fc6 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2006
[2008/01/04 14:52:07, 2] param/loadparm.c:do_section(3713)
  Processing section "[homes]"
[2008/01/04 14:52:07, 2] param/loadparm.c:do_section(3713)
  Processing section "[is]"
[2008/01/04 14:52:07, 2] param/loadparm.c:do_section(3713)
  Processing section "[netlogon]"
[2008/01/04 14:52:07, 2] param/loadparm.c:do_section(3713)
  Processing section "[profiles]"
[2008/01/04 14:52:07, 2] param/loadparm.c:do_section(3713)
  Processing section "[public]"
[2008/01/04 14:52:07, 3] param/loadparm.c:lp_add_ipc(2632)
  adding IPC service
[2008/01/04 14:52:07, 3] printing/pcap.c:pcap_cache_reload(117)
  reloading printcap cache
[2008/01/04 14:52:07, 3] printing/pcap.c:pcap_cache_reload(223)
  reload status: ok
[2008/01/04 14:52:07, 3] printing/pcap.c:pcap_cache_reload(117)
  reloading printcap cache
[2008/01/04 14:52:07, 3] printing/pcap.c:pcap_cache_reload(223)
  reload status: ok
[2008/01/04 14:52:07, 2] lib/interface.c:add_interface(81)
  added interface ip=10.10.1.1 bcast=10.10.255.255 nmask=255.255.0.0
[2008/01/04 14:52:07, 3] smbd/server.c:main(877)
  loaded services
[2008/01/04 14:52:07, 3] smbd/server.c:main(892)
  Becoming a daemon.
[2008/01/04 14:52:07, 2] lib/tallocmsg.c:register_msg_pool_usage(61)
  Registered MSG_REQ_POOL_USAGE
[2008/01/04 14:52:07, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2008/01/04 14:52:07, 2] lib/smbldap_util.c:smbldap_search_domain_info(219)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
[2008/01/04 14:52:07, 2] lib/smbldap.c:smbldap_open_connection(788)
  smbldap_open_connection: connection opened
[2008/01/04 14:52:07, 3] lib/smbldap.c:smbldap_connect_system(992)
  ldap_connect_system: succesful connection to the LDAP server
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/01/04 14:52:07, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2008/01/04 14:52:07, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/01/04 14:52:07, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/01/04 14:52:07, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/01/04 14:52:07, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/01/04 14:52:07, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-1-0]
[2008/01/04 14:52:07, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2008/01/04 14:52:07, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-11]
[2008/01/04 14:52:07, 3] lib/util_seaccess.c:se_access_check(250)
[2008/01/04 14:52:07, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2008/01/04 14:52:07, 3] lib/util_seaccess.c:se_access_check(250)
[2008/01/04 14:52:07, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2008/01/04 14:52:07, 3] lib/util_seaccess.c:se_access_check(250)
[2008/01/04 14:52:07, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2008/01/04 14:52:07, 3] lib/util_seaccess.c:se_access_check(250)
[2008/01/04 14:52:07, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2008/01/04 14:52:07, 3] lib/util_seaccess.c:se_access_check(250)
[2008/01/04 14:52:07, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2008/01/04 14:52:07, 3] lib/util_seaccess.c:se_access_check(250)
[2008/01/04 14:52:07, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2008/01/04 14:52:07, 3] lib/util_seaccess.c:se_access_check(250)
[2008/01/04 14:52:07, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2008/01/04 14:52:07, 3] lib/util_seaccess.c:se_access_check(250)
[2008/01/04 14:52:07, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2008/01/04 14:52:07, 3] lib/util_seaccess.c:se_access_check(250)
[2008/01/04 14:52:07, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/01/04 14:52:07, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/01/04 14:52:07, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/01/04 14:52:07, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/01/04 14:52:07, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/01/04 14:52:07, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/01/04 14:52:07, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-21-472181036-45513010-2561742549-501]
[2008/01/04 14:52:07, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-2-99]
[2008/01/04 14:52:07, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2008/01/04 14:52:07, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-32-546]
[2008/01/04 14:52:07, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-2-2512]
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/01/04 14:52:07, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/01/04 14:52:07, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/01/04 14:52:07, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/01/04 14:52:07, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/01/04 14:52:07, 3] printing/printing.c:start_background_queue(1386)
  start_background_queue: Starting background LPQ thread
[2008/01/04 14:52:07, 2] smbd/server.c:open_sockets_smbd(384)
  waiting for a connection

Here is a copy of my smb.conf:

[global]
workgroup = DOMAIN
security = user
passdb backend = ldapsam:ldap://vandread.test.com
ldap admin dn = cn=Directory Manager
ldap suffix = dc=test,dc=com
ldap user suffix = ou=People
ldap machine suffix = ou=People
ldap group suffix = ou=Group
log file = /var/log/samba/%m.log
log level = 3
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 33
domain logons = yes
domain master = yes
local master = yes
preferred master = yes
wins support = yes
logon home = \\%L\%u\profiles
logon path = \\%L\profiles\%u
logon drive = H:
template shell = /bin/false
winbind use default domain = no
winbind nested groups = no
enable privileges = yes

#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
admin users = +sysadmin
guest ok = no
browseable = no
writable = no

[profiles]
path = /var/lib/samba/profiles
admin users = +sysadmin
read only = no
guest ok = no
create mask =0600
directory mask = 0700

Any ideas what I am doing wrong?

Thanks

From ian at ikel.id.au Sat Jan 5 00:33:26 2008
From: ian at ikel.id.au (Ian Blackwell)
Date: Sat, 05 Jan 2008 11:03:26 +1030
Subject: [Fedora-directory-users] Windows console
In-Reply-To: <477E61A6.2090603@redhat.com>
References: <477C0246.5090907@ikel.id.au> <477C3EF6.1040105@ikel.id.au>
 <477C40DC.3090300@ikel.id.au> <477C605E.80605@ikel.id.au>
 <477D3C39.9030800@redhat.com> <477DF797.7070109@ikel.id.au>
 <477E61A6.2090603@redhat.com>
Message-ID: <477ED056.6030209@ikel.id.au>

Hi Rich,

My Postfix/Cyrus problems were before I started with Fedora-DS. My next
task is to integrate the three products. Do you know of any good
documentation around? I have seen Dovecot documentation on the FDS site,
but nothing about Cyrus.

I didn't use any FDS1.0.4 software because F8 installed 1.1 for me.

Ubuntu didn't make it from download to DVD - it is still on my HDD as an
ISO. Because I've solved my problems so far, I'll stick with F8.

Thanks,

Ian

Rich Megginson wrote:
> Ian Blackwell wrote:
>> Hi again,
>>
>> I've been using Red Hat and Fedora for almost 9 years now (just last
>> month I decommissioned my oldest RH7.2 server). I've had LDAP
>> servers working with FC5 and haven't had a problem. I'm a RH
>> Technician and am hoping to gain Engineer qualifications next month,
>> so I feel familiar with Fedora and RH products.
>>
>> In December I built a new server for my home network based on Fedora
>> 8 and decided to use Fedora Directory Services as well. Perhaps the
>> fresh install contributed to my jaundiced view of FDS, because I had
>> more problems than I expected getting my new server working the way I
>> wanted (Postfix/Cyrus issue predominately).
> If these are issues with Postfix/Cyrus integration with Fedora DS, I'd
> like to know what they are.
>>
>> Anyway, when I got to FDS it would be fair to say I was annoyed with
>> F8. I even downloaded Ubuntu and almost got to the point of burning
>> a DVD to see if it might be easier than F8. In this frame of mind I
>> wasn't able to cope well with the frustration of trying to get FDS
>> 1.1 working, using the documentation from the FDS website. I found
>> it particularly unhelpful with respect to FDS 1.1 and F8. I found
>> stacks of information about FC6 and 1.0.4, but had real trouble
>> finding useful doco about F8 and FDS 1.1. The confusion about what
>> was in and out of the release, the packaging changes, and having
>> problems accessing the console just made me p---ed off. I also had
>> trouble finding where the yum updates were, which was my fault for
>> not reading properly the doco that was useful.
> I've seen no problems reported with using the Fedora Core 6 bits of
> Fedora DS 1.0.4 on Fedora 7 and higher. What problems have you run into?
>
> Fedora DS 1.1 will fully support Fedora 7 and higher. I'm just
> waiting for the bits to be released and pushed out to the mirror sites
> - that's the only holdup with the official final Fedora DS 1.1 release.
>
> Getting Fedora DS running on Ubuntu will be much harder than getting
> it running on Fedora. I would like this to change, provided someone
> with some time and Debian/Ubuntu expertise can help out the project.
> Now that everything is fully autotool-ized and FHS-ized (at least the
> Fedora DS bits) it should be easy to build it on platforms other than
> RHEL/Fedora. If you're interested, see
> http://directory.fedoraproject.org/wiki/Building
>>
>> Anyway, I'm back on track now and will persevere until I get it
>> working. Yours and other posts to this forum have helped me to see
>> how other users are working with FDS, and I am confident I'll have an
>> operational server fairly soon. Now that I have console access, it
>> all seems much easier...
>>
>> Regards,
>>
>> Ian
>>
>> Rich Megginson wrote:
>>> Ian Blackwell wrote:
>>>> Nope. I can get the console connection window where I enter my
>>>> login details, but it won't connect.
>>> Please try adding the -D 9 arguments to the end of the command
>>> line. This will cause lots of debugging information to spew forth.
>>>> I've still got stacks of problems with my implementation that I'm
>>>> trying to get resolved via this forum as well.
>>> Most (if not all) of the developers have been on vacation from
>>> December 21 until now.
>>>> To be frank, I'm not that impressed with the product,
>>>> documentation, or anything else to do with Fedora-DS.
>>> Can you be more specific?
>>>>
>>>> Ian
>>>>
>>>> kiran madala wrote:
>>>>> Thanks again for the info. I got that fixed. I changed the set
>>>>> java variable removing the rem in the bat file. But now it is
>>>>> not connecting to my ds server. it connects from the local machine
>>>>> though. I am running the ds server on fedora 6 which on vmware
>>>>> virtual machine. I am using the ip address of the machine along
>>>>> with admin port to connect from windows host machine.
>>>>> I was wondering if you ever have got it running successfully?
>>>>>
>>>>> Thank you.
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>> > Date: Thu, 3 Jan 2008 12:26:44 +1030
>>>>> > From: ian at ikel.id.au
>>>>> > To: fedora-directory-users at redhat.com
>>>>> > Subject: Re: [Fedora-directory-users] Windows console
>>>>> >
>>>>> > Just for the record, here's my BAT file as well...
>>>>> > echo off
>>>>> > rem BEGIN COPYRIGHT BLOCK
>>>>> > rem Copyright (C) 2005 Red Hat, Inc.
>>>>> > rem All rights reserved.
>>>>> > rem
>>>>> > rem This library is free software; you can redistribute it and/or
>>>>> > rem modify it under the terms of the GNU Lesser General Public
>>>>> > rem License as published by the Free Software Foundation version
>>>>> > rem 2.1 of the License.
>>>>> > rem
>>>>> >
>>>>> > rem This library is distributed in the hope that it will be useful,
>>>>> > rem but WITHOUT ANY WARRANTY; without even the implied warranty of
>>>>> > rem MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>>>>> GNU
>>>>> > rem Lesser General Public License for more details.
>>>>> > rem
>>>>> >
>>>>> > rem You should have received a copy of the GNU Lesser General
>>>>> Public
>>>>> > rem License along with this library; if not, write to the Free
>>>>> Software
>>>>> > rem Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
>>>>> > 02110-1301 USA
>>>>> > rem END COPYRIGHT BLOCK
>>>>> >
>>>>> > rem set the JAVA to use here
>>>>> > rem set JAVA=C:\j2sdk1.4.2_15\bin\java
>>>>> >
>>>>> > if not "%JAVA%foo"=="foo" goto launch
>>>>> >
>>>>> > where java > nul 2>&1 || goto findjre
>>>>> >
>>>>> > set JAVA=java
>>>>> > goto launch
>>>>> >
>>>>> > :findjre
>>>>> > rem look for Java Runtime Environment in registry
>>>>> > reg QUERY "HKLM\SOFTWARE\JavaSoft\Java Runtime Environment" >
>>>>> nul 2>&1
>>>>> > || goto findjdk
>>>>> >
>>>>> > rem can we grab the java location from the registry?
>>>>> > rem set JAVA=path\bin\java
>>>>> > rem apparently not, in a batch file
>>>>> > rem goto launch
>>>>> > echo The Java Runtime Environment is installed on this machine,
>>>>> but the
>>>>> > echo command java.exe is not in your PATH. You can either make sure
>>>>> > java.exe
>>>>> > echo is in the PATH, or edit this script to set JAVA to the full
>>>>> path of
>>>>> > echo java.exe
>>>>> > pause
>>>>> > goto end
>>>>> >
>>>>> > :findjdk
>>>>> > reg QUERY "HKLM\SOFTWARE\JavaSoft\Java Development Kit" > nul
>>>>> 2>&1 ||
>>>>> > goto nojava
>>>>> >
>>>>> > rem can we grab the java location from the registry?
>>>>> > rem set JAVA=path\bin\java
>>>>> > rem goto launch
>>>>> > echo The Java Development Kit is installed on this machine, but the
>>>>> > echo command java.exe is not in your PATH. You can either make sure
>>>>> > java.exe
>>>>> > echo is in the PATH, or edit this script to set JAVA to the full
>>>>> path of
>>>>> > echo java.exe
>>>>> > pause
>>>>> > goto end
>>>>> >
>>>>> > :nojava
>>>>> > echo Java does not appear to be installed on this machine. Please
>>>>> > download and install the Java Runtime Environment and make sure the
>>>>> > java.exe command is in the PATH of this command.
>>>>> > pause
>>>>> > goto end
>>>>> >
>>>>> > :launch
>>>>> > set BASEPATH=.
>>>>> > set FIDMCONSOLEJARDIR=%BASEPATH%
>>>>> > set CONSOLEJARDIR=%BASEPATH%
>>>>> > set JSSDIR=%BASEPATH%
>>>>> > set LDAPJARDIR=%BASEPATH%
>>>>> >
>>>>> > set PATH=%BASEPATH%;%PATH%
>>>>> >
>>>>> > rem
>>>>> > rem Launch the Console
>>>>> > rem
>>>>> > echo on
>>>>> > "%JAVA%" "-Djava.library.path=%JSSDIR%" -cp
>>>>> >
>>>>> "%JSSDIR%/jss4.jar;%LDAPJARDIR%/ldapjdk.jar;%CONSOLEJARDIR%/idm-console-base.jar;%CONSOLEJARDIR%/idm-console-mcc.jar;%CONSOLEJARDIR%/idm-console-mcc_en.jar;%CONSOLEJARDIR%/idm-console-nmclf.jar;%CONSOLEJARDIR%/idm-console-nmclf_en.jar;%FIDMCONSOLEJARDIR%/fedora-idm-console_en.jar"
>>>>>
>>>>> > -Djava.util.prefs.systemRoot=%HOME%/.fedora-idm-console
>>>>> > -Djava.util.prefs.userRoot=%HOME%/.fedora-idm-console
>>>>> > com.netscape.management.client.console.Console %*
>>>>> >
>>>>> > :end
>>>>> >
>>>>> >
>>>>> > Ian Blackwell wrote:
>>>>> > > On closer inspection at home, I see that I didn't set the JAVA
>>>>> value, I
>>>>> > > changed the PC so that the path to JAVA.EXE was in the
>>>>> environment. The
>>>>> > > script is able to detect this and then works.
>>>>> > >
>>>>> > > Try adding the path to your Java installation to your
>>>>> environment via
>>>>> > > the Windows Control Panel and System applet.
>>>>> > >
>>>>> > > Ian
>>>>> > >
>>>>> > > kiran madala wrote:
>>>>> > >
>>>>> > >> Hi,
>>>>> > >>
>>>>> > >> Thanks for the reply. Where exactly do I need to set my java
>>>>> variable
>>>>> > >> path?
>>>>> > >>
>>>>> > >> I set the java path in the .bat file its not working. I am
>>>>> not sure if
>>>>> > >> i did it the right way. below is my .bat file with changes in
>>>>> bold.
>>>>> > >> Thanks in advance
>>>>> > >>
>>>>> > >>
>>>>> > >> rem
>>>>> > >> rem This library is free software; you can redistribute it
>>>>> and/or
>>>>> > >> rem modify it under the terms of the GNU Lesser General Public
>>>>> > >> rem License as published by the Free Software Foundation version
>>>>> > >> rem 2.1 of the License.
>>>>> > >> rem
>>>>> > >>
>>>>> > >> rem This library is distributed in the hope that it will be
>>>>> useful,
>>>>> > >> rem but WITHOUT ANY WARRANTY; without even the implied
>>>>> warranty of
>>>>> > >> rem MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
>>>>> the GNU
>>>>> > >> rem Lesser General Public License for more details.
>>>>> > >> rem
>>>>> > >>
>>>>> > >> rem You should have received a copy of the GNU Lesser General
>>>>> Public
>>>>> > >> rem License along with this library; if not, write to the
>>>>> Free Software
>>>>> > >> rem Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
>>>>> > >> 02110-1301 USA
>>>>> > >> rem END COPYRIGHT BLOCK
>>>>> > >>
>>>>> > >> rem set the JAVA to use here
>>>>> > >> rem set JAVA=C:\Program Files\Java\jre1.6.0_03\bin\java
>>>>> > >>
>>>>> > >> if not "%JAVA%foo"=="foo" goto launch
>>>>> > >>
>>>>> > >> where java > nul 2>&1 || goto findjre
>>>>> > >>
>>>>> > >> set JAVA=java
>>>>> > >> goto launch
>>>>> > >>
>>>>> > >> :findjre
>>>>> > >> rem look for Java Runtime Environment in registry
>>>>> > >> reg QUERY "HKLM\SOFTWARE\JavaSoft\Java Runtime Environment" >
>>>>> nul 2>&1
>>>>> > >> || goto findjdk
>>>>> > >>
>>>>> > >> rem can we grab the java location from the registry?
>>>>> > >> rem set JAVA=path\bin\java
>>>>> > >> rem apparently not, in a batch file
>>>>> > >> rem goto launch
>>>>> > >> echo The Java Runtime Environment is installed on this
>>>>> machine, but the
>>>>> > >> echo command java.exe is not in your PATH. You can either
>>>>> make sure
>>>>> > >> java.exe
>>>>> > >> echo is in the PATH, or edit this script to set JAVA to the
>>>>> full path of
>>>>> > >> echo java.exe
>>>>> > >> pause
>>>>> > >> goto end
>>>>> > >>
>>>>> > >> :findjdk
>>>>> > >> reg QUERY "HKLM\SOFTWARE\JavaSoft\Java Development Kit" > nul
>>>>> 2>&1 ||
>>>>> > >> goto nojava
>>>>> > >>
>>>>> > >> rem can we grab the java location from the registry?
>>>>> > >> rem set JAVA=path\bin\java
>>>>> > >> rem goto launch
>>>>> > >> echo The Java Development Kit is installed on this machine,
>>>>> but the
>>>>> > >> echo command java.exe is not in your PATH. You can either
>>>>> make sure
>>>>> > >> java.exe
>>>>> > >> echo is in the PATH, or edit this script to set JAVA to the
>>>>> full path of
>>>>> > >> echo java.exe
>>>>> > >> pause
>>>>> > >> goto end
>>>>> > >>
>>>>> > >> :nojava
>>>>> > >> echo Java does not appear to be installed on this machine.
>>>>> Please
>>>>> > >> download and install the Java Runtime Environment and make
>>>>> sure the
>>>>> > >> java.exe command is in the PATH of this command.
>>>>> > >> pause
>>>>> > >> goto end
>>>>> > >>
>>>>> > >> :launch
>>>>> > >> set BASEPATH=.
>>>>> > >> set FIDMCONSOLEJARDIR=%BASEPATH%
>>>>> > >> set CONSOLEJARDIR=%BASEPATH%
>>>>> > >> set JSSDIR=%BASEPATH%
>>>>> > >> set LDAPJARDIR=%BASEPATH%
>>>>> > >>
>>>>> > >> set PATH=%BASEPATH%;%PATH%
>>>>> > >>
>>>>> > >> rem
>>>>> > >> rem Launch the Console
>>>>> > >> rem
>>>>> > >> echo on
>>>>> > >> "%JAVA%" "-Djava.library.path=%JSSDIR%" -cp
>>>>> > >>
>>>>> "%JSSDIR%/jss4.jar;%LDAPJARDIR%/ldapjdk.jar;%CONSOLEJARDIR%/idm-console-base.jar;%CONSOLEJARDIR%/idm-console-mcc.jar;%CONSOLEJARDIR%/idm-console-mcc_en.jar;%CONSOLEJARDIR%/idm-console-nmclf.jar;%CONSOLEJARDIR%/idm-console-nmclf_en.jar;%FIDMCONSOLEJARDIR%/fedora-idm-console_en.jar"
>>>>>
>>>>> > >> -Djava.util.prefs.systemRoot=%HOME%/.fedora-idm-console
>>>>> > >> -Djava.util.prefs.userRoot=%HOME%/.fedora-idm-console
>>>>> > >> com.netscape.management.client.console.Console %*
>>>>> > >>
>>>>> > >> :end
>>>>> > >>
>>>>> > >>
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>> > >> Date: Thu, 3 Jan 2008 07:59:42 +1030
>>>>> > >> From: ian at ikel.id.au
>>>>> > >> To: fedora-directory-users at redhat.com
>>>>> > >> Subject: Re: [Fedora-directory-users] Windows console
>>>>> > >>
>>>>> > >> Hi,
>>>>> > >>
>>>>> > >> This happened to me as well. I think the installer can't cope
>>>>> > >> with or doesn't look for Java in your "Program Files" area,
>>>>> which
>>>>> > >> is where you will find the newer Javas 1.6. Edit the .bat file
>>>>> > >> and set the Java variable yourself and it should work from
>>>>> then on.
>>>>> > >>
>>>>> > >> Regards,
>>>>> > >>
>>>>> > >> Ian
>>>>> > >> kiran madala wrote:
>>>>> > >>
>>>>> > >> Hi,
>>>>> > >>
>>>>> > >> The windows console for 1.1 server does not work it gives me
>>>>> > >> this error
>>>>> > >>
>>>>> > >> F:\Program Files\Fedora Identity Management Console>echo off
>>>>> > >> The Java Runtime Environment is installed on this machine,
>>>>> but the
>>>>> > >> command java.exe is not in your PATH. You can either make
>>>>> > >> sure java.exe
>>>>> > >> is in the PATH, or edit this script to set JAVA to the full
>>>>> > >> path of
>>>>> > >> java.exe
>>>>> > >> Press any key to continue . . .
>>>>> > >>
>>>>> > >>
>>>>> > >> All my java programs work. The java in my class path and also
>>>>> > >> in my registry. Any idea what's causing the problem?

From nick.gushlow at gmail.com Sun Jan 6 21:54:21 2008
From: nick.gushlow at gmail.com (Nick Gushlow)
Date: Sun, 6 Jan 2008 21:54:21 +0000
Subject: [Fedora-directory-users] pdbedit Username not found!
Message-ID: <64b6db970801061354g62fd135dn12f59f6aa9424265@mail.gmail.com>

Hi,
I've followed the Howto:Samba to install fds/samba on a centos5.0 box.

I keep coming across an error when I get to the pdbedit line of the howto:

pdbedit -U $( net getlocalsid | sed 's/SID for domain skysedge.co.uk is: //' )-500 -u Administrator -r
Username not found!

I'm not sure what I've done wrong and going through the howto I can't see
where I've messed up. Wherever it is I've done it consistently because this
is the second time I've tried.

ldapsearch shows Administrator does exist:

# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (uid=Administrator)
# requesting: ALL
#

# Administrator, People, skysedge.co.uk
dn: uid=Administrator,ou=People,dc=skysedge,dc=co,dc=uk
uid: Administrator
cn: Samba Admin
givenName: Samba
sn: Admin
mail: Administrator at skysedge.co.uk
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: Samba Admin

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Any ideas?

Thanks,

Nick

From niranjan.ashok at gmail.com Mon Jan 7 01:20:08 2008
From: niranjan.ashok at gmail.com (mallapadi niranjan)
Date: Mon, 7 Jan 2008 06:50:08 +0530
Subject: [Fedora-directory-users] pdbedit Username not found!
In-Reply-To: <64b6db970801061354g62fd135dn12f59f6aa9424265@mail.gmail.com>
References: <64b6db970801061354g62fd135dn12f59f6aa9424265@mail.gmail.com>
Message-ID: <73e979680801061720q15ab7300g347be8e68cea677b@mail.gmail.com>

On Jan 7, 2008 3:24 AM, Nick Gushlow wrote:

> Hi,
> I've followed the Howto:Samba to install fds/samba on a centos5.0 box.
>
> I keep coming across an error when I get to the pdbedit line of the howto:
>
>
> pdbedit -U $( net getlocalsid | sed 's/SID for domain skysedge.co.uk is: //' )-500 -u Administrator -r
> Username not found!
>

What does "pdbedit -Lv username" show?

> I'm not sure what I've done wrong and going through the howto I can't see
> where I've messed up. Wherever it is I've done it consistently because this
> is the second time I've tried.
>
> ldapsearch shows Administrator does exist:
>
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope subtree
> # filter: (uid=Administrator)
> # requesting: ALL
> #
>
> # Administrator, People, skysedge.co.uk
> dn: uid=Administrator,ou=People,dc=skysedge,dc=co,dc=uk
> uid: Administrator
> cn: Samba Admin
> givenName: Samba
> sn: Admin
> mail: Administrator at skysedge.co.uk
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> loginShell: /bin/bash
> uidNumber: 0
> gidNumber: 0
> homeDirectory: /root
> gecos: Samba Admin
>

I don't see any samba object classes included. If you have configured samba with LDAP backend (FDS), your user's LDAP information would typically look like

dn: uid=tom,ou=Users,dc=syroidmanor,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaAccount
cn: tom
uid: tom
uidNumber: 500
gidNumber: 100
homeDirectory: /hometom
loginShell: /bin/bash
gecos: User
description: User
userPassword:: e1NTSEF9bWxBL1RHZFNoTkREEWlGTndZOFlCWUVUdWp3MGgrbTc=
lmPassword: 552902031BEDE9EFAAD3B435B51404EE
pwdCanChange: 0
pwdMustChange: 2147483647
ntPassword: 878D8014606CDA29677A44EFA1353FC7
pwdLastSet: 1010179230

> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> Any ideas?
>
> Thanks,
>
> Nick

From yinyang at eburg.com Mon Jan 7 05:53:01 2008
From: yinyang at eburg.com (Gordon Messmer)
Date: Sun, 06 Jan 2008 21:53:01 -0800
Subject: [Fedora-directory-users] DS 1.1 silent install
Message-ID: <4781BE3D.9040006@eburg.com>

I noticed that what looks like the final release of 1.1 is available while I was working on a new directory setup today. I decided to update my configuration templates, and set up the new directory.

I had a couple of notes...

http://directory.fedoraproject.org/wiki/Release_Notes

The release notes indicate that ldapjdk from FC6 should be installed, however, no URL is given, and the package from 5.1 (I'm using CentOS 5.1, so this may be different) seems to work fine. Should that package name be moved to the list of packages in the previous list item?

After importing the GPG key indicated, I downloaded the adminutil and jss packages indicated, and tried to use "yum localinstall" to install them. Yum complained that the GPG key was not available. I think that the URL listed should be changed to:
rpm --import http://download.fedora.redhat.com/pub/fedora/linux/extras/RPM-GPG-KEY-Fedora-Extras

http://www.redhat.com/docs/manuals/dir-server/install/8.0/Installation_Guide-Advanced_Configuration-Silent-Install.html

In the example provided for the "admin" section, SysUser is specified as "root". If I attempt a silent install with a user other than the one specified for SuiteSpotUserID in the General section, including "root", the setup script complains that the pid directory is not writable by that user.
I believe that this is a bug in the dirsrv-admin init script. On the other hand, I don't have any problem running admin server after using "ldap" as a user, so perhaps the documentation should simply reflect that the admin user must be the same as SuiteSpotUserID (or the option should be dropped, and the same uid should be used).

From nick.gushlow at gmail.com Mon Jan 7 07:21:47 2008
From: nick.gushlow at gmail.com (Nick Gushlow)
Date: Mon, 7 Jan 2008 07:21:47 +0000
Subject: [Fedora-directory-users] pdbedit Username not found!
In-Reply-To: <73e979680801061720q15ab7300g347be8e68cea677b@mail.gmail.com>
References: <64b6db970801061354g62fd135dn12f59f6aa9424265@mail.gmail.com> <73e979680801061720q15ab7300g347be8e68cea677b@mail.gmail.com>
Message-ID: <64b6db970801062321u34bfc7fuaf26fa76a32a68e0@mail.gmail.com>

On 07/01/2008, mallapadi niranjan wrote:
>
>
> What does "pdbedit -Lv username" show?
>

Username not found!

> I don't see any samba object classes included. If you have configured
> samba with LDAP backend (FDS), your user's LDAP information would typically
> look like
>
> dn: uid=tom,ou=Users,dc=syroidmanor,dc=com
> objectClass: top
> objectClass: account
> objectClass: posixAccount
> objectClass: sambaAccount
> cn: tom
> uid: tom
> uidNumber: 500
> gidNumber: 100
> homeDirectory: /hometom
> loginShell: /bin/bash
> gecos: User
> description: User
> userPassword:: e1NTSEF9bWxBL1RHZFNoTkREEWlGTndZOFlCWUVUdWp3MGgrbTc=
> lmPassword: 552902031BEDE9EFAAD3B435B51404EE
> pwdCanChange: 0
> pwdMustChange: 2147483647
> ntPassword: 878D8014606CDA29677A44EFA1353FC7
> pwdLastSet: 1010179230
>

Hmm that's odd, just looking at my ldap settings in smb.conf, I can't see what I've missed.

passdb backend = ldapsam:ldap://192.168.1.21
# ldap details
ldap admin dn = cn=Directory manager
ldap suffix = dc=skysedge,dc=co,dc=uk
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups

That looks the same as the howto shows to me.
Nick

From j.barber at dundee.ac.uk Mon Jan 7 10:06:07 2008
From: j.barber at dundee.ac.uk (Jonathan Barber)
Date: Mon, 7 Jan 2008 10:06:07 +0000
Subject: [Fedora-directory-users] Problems configuring Samba PDC + FDS error "No privileges assigned to SID"
In-Reply-To: <43806ba60801041237r21febe04wb929768fd24dc8e5@mail.gmail.com>
References: <43806ba60801041237r21febe04wb929768fd24dc8e5@mail.gmail.com>
Message-ID: <20080107100606.GH11941@flea.lifesci.dundee.ac.uk>

On Fri, Jan 04, 2008 at 03:37:32PM -0500, Me wrote:
> I am having trouble getting samba-3.0.24-11 setup as a PDC with an
> ldap backend using FDS on a FC6 test box. I have installed the
> 1.0.4-1 version of the directory server accepting the defaults except
> for the server name without any problems. I can query the directory
> server and it is populated with the proper objects. I am using the
> instructions in the Howto:Samba documentation on the FDS Wiki site
> . I am able to
> perform all of the tasks without any problems until I get to the part
> of the install that has me run the following command:
>
> net groupmap list

[snip]

Your smb.conf has the config:
> ldap group suffix = ou=Group

But the ldif you provided has:
> dn: ou=Groups, dc=test,dc=com

Note the additional "s".

Cheers.
--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389

From andrew at dingman.org Mon Jan 7 08:26:40 2008
From: andrew at dingman.org (Andrew C. Dingman)
Date: Mon, 07 Jan 2008 03:26:40 -0500
Subject: [Fedora-directory-users] Migrating RHEL users to Directory Server
In-Reply-To: <477D3908.3000509@redhat.com>
References: <8BED0ADCE0100241A8DD768706A2295C0FA6@EXCHDP3.ffx.jfh.com.au> <20071224124857.GA10008@flea.lifesci.dundee.ac.uk> <8BED0ADCE0100241A8DD768706A2295C198084@EXCHDP3.ffx.jfh.com.au> <20080103112338.GA11941@flea.lifesci.dundee.ac.uk> <477D3908.3000509@redhat.com>
Message-ID: <1199694400.21150.11.camel@acd600.internal.dingman.org>

On Thu, 2008-01-03 at 12:35 -0700, Rich Megginson wrote:
> You might try the crypt format. On most linux platforms, system crypt
> uses MD5.

This will work with hashes from /etc/shadow that start '$1$'. It should also work with the old-style DES hashes that you shouldn't be using anymore. For example, if you had a shadow line that read:

username:$1$CxLcjTxD$IRuWOqGVHrXJkJsRdPYqq.:12345:0:99999:7:::

Then the userpassword value would be '{crypt}$1$CxLcjTxD$IRuWOqGVHrXJkJsRdPYqq.'

From kirankmadala at hotmail.com Mon Jan 7 14:31:42 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Mon, 7 Jan 2008 10:31:42 -0400
Subject: [Fedora-directory-users] Windows Active directory sync
Message-ID:

Hello,

I am trying to synchronize the existing Active directory with fedora ds. I am very new to this kind of approach. Did anyone perform the sync successfully? Can anyone provide simple documentation to perform the sync? Right now the red-hat document is a bit confusing.

From kirankmadala at hotmail.com Mon Jan 7 14:45:24 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Mon, 7 Jan 2008 10:45:24 -0400
Subject: [Fedora-directory-users] Windows Active directory sync
In-Reply-To:
References:
Message-ID:

Also like to mention I only want to sync the Users and Groups in AD and not the passwords so is there any other simple method to achieve this?

----------------------------------------
> From: kirankmadala at hotmail.com
> To: fedora-directory-users at redhat.com
> Date: Mon, 7 Jan 2008 10:31:42 -0400
> Subject: [Fedora-directory-users] Windows Active directory sync
>
>
> Hello,
>
> I am trying to synchronize the existing Active directory with fedora ds. I am very new to this kind of approach. Did anyone perform the sync successfully? Can anyone provide simple documentation to perform the sync? Right now the red-hat document is a bit confusing.

From rmeggins at redhat.com Mon Jan 7 16:58:44 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 07 Jan 2008 09:58:44 -0700
Subject: [Fedora-directory-users] Windows Active directory sync
In-Reply-To:
References:
Message-ID: <47825A44.2070001@redhat.com>

kiran madala wrote:
> Also like to mention I only want to sync the Users and Groups in AD and not the passwords so is there any other simple method to achieve this?
>

That's fine. You do not have to run the passsync agent on your Windows domain controller.
The RHDS 8.0 beta docs might be better - http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html

> ----------------------------------------
>
>> From: kirankmadala at hotmail.com
>> To: fedora-directory-users at redhat.com
>> Date: Mon, 7 Jan 2008 10:31:42 -0400
>> Subject: [Fedora-directory-users] Windows Active directory sync
>>
>>
>> Hello,
>>
>> I am trying to synchronize the existing Active directory with fedora ds. I am very new to this kind of approach. Did anyone perform the sync successfully? Can anyone provide simple documentation to perform the sync? Right now the red-hat document is a bit confusing.

From rmeggins at redhat.com Mon Jan 7 17:11:24 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 07 Jan 2008 10:11:24 -0700
Subject: [Fedora-directory-users] DS 1.1 silent install
In-Reply-To: <4781BE3D.9040006@eburg.com>
References: <4781BE3D.9040006@eburg.com>
Message-ID: <47825D3C.1040304@redhat.com>

Gordon Messmer wrote:
> I noticed that what looks like the final release of 1.1 is available
> while I was working on a new directory setup today. I decided to
> update my configuration templates, and set up the new directory.

Yeah, I'm just waiting for the Fedora bits to be pushed to the mirrors before making the official announcement.

>
> I had a couple of notes...
>
> http://directory.fedoraproject.org/wiki/Release_Notes
>
> The release notes indicate that ldapjdk from FC6 should be installed,
> however, no URL is given, and the package from 5.1 (I'm using CentOS
> 5.1, so this may be different) seems to work fine.

I didn't know it was included with CentOS 5.1, that's good to know.

> Should that package name be moved to the list of packages in the
> previous list item?

Yes, or we should just say "check your system first - if you can't find it anywhere, grab it from jpackage.org".

>
> After importing the GPG key indicated, I downloaded the adminutil and
> jss packages indicated, and tried to use "yum localinstall" to install
> them. Yum complained that the GPG key was not available. I think
> that the URL listed should be changed to:
> rpm --import
> http://download.fedora.redhat.com/pub/fedora/linux/extras/RPM-GPG-KEY-Fedora-Extras
>

Ok.

>
>
> http://www.redhat.com/docs/manuals/dir-server/install/8.0/Installation_Guide-Advanced_Configuration-Silent-Install.html
>
>
> In the example provided for the "admin" section, SysUser is specified
> as "root". If I attempt a silent install with a user other than the
> one specified for SuiteSpotUserID in the General section, including
> "root", the setup script complains that the pid directory is not
> writable by that user. I believe that this is a bug in the
> dirsrv-admin init script. On the other hand, I don't have any problem
> running admin server after using "ldap" as a user, so perhaps the
> documentation should simply reflect that the admin user must be the
> same as SuiteSpotUserID (or the option should be dropped, and the same
> uid should be used).

Looks like at least 2 bugs here
1) The docs should not have SysUser= root - we want to strongly discourage people from running daemons as root
2) However, it should work to have SysUser = root

The intention is that you may want to run your admin server and directory servers as different users. The admin server still needs access to all of the directory server's files and dirs in order to manage it, but the directory server needs no access to admin server specific files/dirs. So both the admin server user and the directory server user must belong to the same group (SuiteSpotGroup and SysGroup). If admin server is running as root, that shouldn't matter.

From kirankmadala at hotmail.com Mon Jan 7 18:56:30 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Mon, 7 Jan 2008 14:56:30 -0400
Subject: [Fedora-directory-users] DS Failed to start
Message-ID:

Hello,
I was experimenting with fedora ds sync with active directory. In the process I installed a certificate on the DS. Then I restarted using the remote admin console without enabling ssl but the DS failed to restart. I have the error log below. It seems like the DS database got corrupted. How do I recover it?

[07/Jan/2008:13:44:37 -0500] - slapd shutting down - signaling operation threads
[07/Jan/2008:13:44:41 -0500] - slapd shutting down - waiting for 30 threads to terminate
[07/Jan/2008:13:44:41 -0500] - slapd shutting down - closing down internal subsystems and plugins
[07/Jan/2008:13:44:42 -0500] - Waiting for 4 database threads to stop
[07/Jan/2008:13:44:42 -0500] - All database threads now stopped
[07/Jan/2008:13:47:43 -0500] - Fedora-Directory/1.1.0 B2007.354.1236 starting up
[07/Jan/2008:13:47:43 -0500] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[07/Jan/2008:13:47:45 -0500] - libdb: Improper file close at 1/1042383
[07/Jan/2008:13:47:54 -0500] - libdb: Recovery function for LSN 1 1042383 failed on forward pass
[07/Jan/2008:13:47:55 -0500] - libdb: PANIC: Invalid argument
[07/Jan/2008:13:47:55 -0500] - libdb: PANIC: fatal region error detected; run recovery
[07/Jan/2008:13:47:55 -0500] - Database Recovery Process FAILED. The database is not recoverable. err=-30977: DB_RUNRECOVERY: Fatal error, run database recovery
[07/Jan/2008:13:47:55 -0500] - Please make sure there is enough disk space for dbcache (10000000 bytes) and db region files
[07/Jan/2008:13:47:55 -0500] - start: Failed to init database, err=-30977 DB_RUNRECOVERY: Fatal error, run database recovery
[07/Jan/2008:13:47:55 -0500] - Failed to start database plugin ldbm database
[07/Jan/2008:13:47:55 -0500] - WARNING: ldbm instance userRoot already exists
[07/Jan/2008:13:47:55 -0500] - WARNING: ldbm instance NetscapeRoot already exists
[07/Jan/2008:13:47:55 -0500] binder-based resource limits - nsLookThroughLimit: parameter error (slapi_reslimit_register() already registered)
[07/Jan/2008:13:47:55 -0500] - start: Resource limit registration failed
[07/Jan/2008:13:47:55 -0500] - Failed to start database plugin ldbm database
[07/Jan/2008:13:47:55 -0500] - Error: Failed to resolve plugin dependencies
[07/Jan/2008:13:47:55 -0500] - Error: preoperation plugin 7-bit check is not started
[07/Jan/2008:13:47:55 -0500] - Error: accesscontrol plugin ACL Plugin is not started
[07/Jan/2008:13:47:55 -0500] - Error: preoperation plugin ACL preoperation is not started
[07/Jan/2008:13:47:55 -0500] - Error: object plugin Class of Service is not started
[07/Jan/2008:13:47:55 -0500] - Error: preoperation plugin HTTP Client is not started
[07/Jan/2008:13:47:55 -0500] - Error: database plugin ldbm database is not started
[07/Jan/2008:13:47:55 -0500] - Error: object plugin Legacy Replication Plugin is not started
[07/Jan/2008:13:47:55 -0500] - Error: object plugin Multimaster Replication Plugin is not started
[07/Jan/2008:13:47:55 -0500] - Error: object plugin Roles Plugin is not started
[07/Jan/2008:13:47:55 -0500] - Error: object plugin Views is not started
[07/Jan/2008:13:48:14 -0500] - Fedora-Directory/1.1.0 B2007.354.1236 starting up
[07/Jan/2008:13:48:14 -0500] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[07/Jan/2008:13:48:14 -0500] - libdb: Improper file close at 1/1042383
[07/Jan/2008:13:48:16 -0500] - libdb: Recovery function for LSN 1 1042383 failed on forward pass
[07/Jan/2008:13:48:16 -0500] - libdb: PANIC: Invalid argument
[07/Jan/2008:13:48:16 -0500] - libdb: PANIC: fatal region error detected; run recovery
[07/Jan/2008:13:48:16 -0500] - Database Recovery Process FAILED. The database is not recoverable. err=-30977: DB_RUNRECOVERY: Fatal error, run database recovery
[07/Jan/2008:13:48:16 -0500] - Please make sure there is enough disk space for dbcache (10000000 bytes) and db region files
[07/Jan/2008:13:48:16 -0500] - start: Failed to init database, err=-30977 DB_RUNRECOVERY: Fatal error, run database recovery
[07/Jan/2008:13:48:16 -0500] - Failed to start database plugin ldbm database
[07/Jan/2008:13:48:16 -0500] - WARNING: ldbm instance userRoot already exists
[07/Jan/2008:13:48:16 -0500] - WARNING: ldbm instance NetscapeRoot already exists
[07/Jan/2008:13:48:16 -0500] binder-based resource limits - nsLookThroughLimit: parameter error (slapi_reslimit_register() already registered)
[07/Jan/2008:13:48:16 -0500] - start: Resource limit registration failed
[07/Jan/2008:13:48:16 -0500] - Failed to start database plugin ldbm database
[07/Jan/2008:13:48:16 -0500] - Error: Failed to resolve plugin dependencies
[07/Jan/2008:13:48:16 -0500] - Error: preoperation plugin 7-bit check is not started
[07/Jan/2008:13:48:16 -0500] - Error: accesscontrol plugin ACL Plugin is not started
[07/Jan/2008:13:48:16 -0500] - Error: preoperation plugin ACL preoperation is not started
[07/Jan/2008:13:48:16 -0500] - Error: object plugin Class of Service is not started
[07/Jan/2008:13:48:16 -0500] - Error: preoperation plugin HTTP Client is not started
[07/Jan/2008:13:48:16 -0500] - Error: database plugin ldbm database is not started
[07/Jan/2008:13:48:16 -0500] - Error: object plugin Legacy Replication Plugin is not started
[07/Jan/2008:13:48:16 -0500] - Error: object plugin Multimaster Replication Plugin is not started
[07/Jan/2008:13:48:16 -0500] - Error: object plugin Roles Plugin is not started
[07/Jan/2008:13:48:16 -0500] - Error: object plugin Views is not started

From rmeggins at redhat.com Mon Jan 7 18:58:36 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 07 Jan 2008 11:58:36 -0700
Subject: [Fedora-directory-users] DS Failed to start
In-Reply-To:
References:
Message-ID: <4782765C.70605@redhat.com>

kiran madala wrote:
> Hello,
> I was experimenting with fedora ds sync with active directory. In the process I installed a certificate on the DS. Then I restarted using the remote admin console without enabling ssl but the DS failed to restart. I have the error log below. It seems like the DS database got corrupted. How do I recover it?
>

What platform?

From kirankmadala at hotmail.com Mon Jan 7 19:12:39 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Mon, 7 Jan 2008 15:12:39 -0400
Subject: [Fedora-directory-users] DS Failed to start
In-Reply-To: <4782765C.70605@redhat.com>
References: <4782765C.70605@redhat.com>
Message-ID:

I am using fedora 6

----------------------------------------
> Date: Mon, 7 Jan 2008 11:58:36 -0700
> From: rmeggins at redhat.com
> To: fedora-directory-users at redhat.com
> Subject: Re: [Fedora-directory-users] DS Failed to start
>
> kiran madala wrote:
>> Hello,
>> I was experimenting with fedora ds sync with active directory. In the process I installed a certificate on the DS.
>> Then I restarted using the remote admin console without enabling ssl but the DS failed to restart. I have the error log below. It seems like the DS database got corrupted. How do I recover it?
>>
> What platform?

From kirankmadala at hotmail.com Mon Jan 7 19:23:20 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Mon, 7 Jan 2008 15:23:20 -0400
Subject: [Fedora-directory-users] DS Failed to start
In-Reply-To: <4782765C.70605@redhat.com>
References: <4782765C.70605@redhat.com>
Message-ID:

It's fedora ds 1.1 on fedora 6 on x86 machine.

----------------------------------------
> Date: Mon, 7 Jan 2008 11:58:36 -0700
> From: rmeggins at redhat.com
> To: fedora-directory-users at redhat.com
> Subject: Re: [Fedora-directory-users] DS Failed to start
>
> kiran madala wrote:
>> Hello,
>> I was experimenting with fedora ds sync with active directory. In the process I installed a certificate on the DS. Then I restarted using the remote admin console without enabling ssl but the DS failed to restart. I have the error log below. It seems like the DS database got corrupted. How do I recover it?
>>
> What platform?

From kirankmadala at hotmail.com Mon Jan 7 20:41:49 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Mon, 7 Jan 2008 16:41:49 -0400
Subject: [Fedora-directory-users] DS Failed to start
In-Reply-To:
References: <4782765C.70605@redhat.com>
Message-ID:

I am not sure why this has to be made so difficult. I was able to restore to previous state because I am using VMWare. However, when I enabled SSL and tried to restart manually, this is the error I got:

Enter PIN for Internal (Software) Token:
[07/Jan/2008:14:43:00 -0500] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert server-cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)
[07/Jan/2008:14:43:00 -0500] - SSL failure: None of the cipher are valid

Then I went to the configuration directory on /etc/dirsrv/slapd-248 and changed the names of cert8.db and key3.db to slapd-248-cert8.db and slapd-248- key3.db (slapd-248 is the instance name) and tried to change to .pfx file by executing the command

pk12util -d , -P slapd-248- -o servercert.pfx -n Server-Cert

Then this is the error I get

pk12util: function failed: security library: bad database.

I generated the certificate using windows 2003 CA service and installed it using the remote DS console. Again I am using fedora 1.1 ds on fedora 6 on x86 machine.

Any idea how do I proceed?

Thank you.
----------------------------------------
> From: kirankmadala at hotmail.com
> To: fedora-directory-users at redhat.com
> Subject: RE: [Fedora-directory-users] DS Failed to start
> Date: Mon, 7 Jan 2008 15:23:20 -0400
>
>
> It's fedora ds 1.1 on fedora 6 on x86 machine.
> ----------------------------------------
>> Date: Mon, 7 Jan 2008 11:58:36 -0700
>> From: rmeggins at redhat.com
>> To: fedora-directory-users at redhat.com
>> Subject: Re: [Fedora-directory-users] DS Failed to start
>>
>> kiran madala wrote:
>>> Hello,
>>> I was experimenting with fedora ds sync with active directory. In the process I installed a certificate on the DS. Then I restarted using the remote admin console without enabling ssl but the DS failed to restart. I have the error log below. It seems like the DS database got corrupted; how do I recover it?
>>>
>> What platform?

From gm4rtin at gmail.com Mon Jan 7 21:04:00 2008
From: gm4rtin at gmail.com (Me)
Date: Mon, 7 Jan 2008 16:04:00 -0500
Subject: [Fedora-directory-users] Problems configuring Samba PDC + FDS error "No privileges assigned to SID"
In-Reply-To: <20080107100606.GH11941@flea.lifesci.dundee.ac.uk>
References: <43806ba60801041237r21febe04wb929768fd24dc8e5@mail.gmail.com> <20080107100606.GH11941@flea.lifesci.dundee.ac.uk>
Message-ID: <43806ba60801071304s7eb5290ata6e3352c1ab180e1@mail.gmail.com>

Thanks. That got me past that part, I can obtain the correct output from "net groupmap list" but now I get "Username not found!"
when I run the following command:

pdbedit -U S-1-5-21-3420770344-727635258-2597706457-500 -u Administrator -r
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
Username not found!

Yet ldapsearch shows:

ldapsearch -b dc=test,dc=com -x 'Administrator'
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: Administrator
#

# test.com
dn: dc=test,dc=com

# Directory Administrators, test.com
dn: cn=Directory Administrators, dc=test,dc=com

# Groups, test.com
dn: ou=Groups, dc=test,dc=com

# People, test.com
dn: ou=People, dc=test,dc=com

# Special Users, test.com
dn: ou=Special Users,dc=test,dc=com

# Accounting Managers, groups, test.com
dn: cn=Accounting Managers,ou=groups,dc=test,dc=com

# HR Managers, groups, test.com
dn: cn=HR Managers,ou=groups,dc=test,dc=com

# QA Managers, groups, test.com
dn: cn=QA Managers,ou=groups,dc=test,dc=com

# PD Managers, groups, test.com
dn: cn=PD Managers,ou=groups,dc=test,dc=com

# DOMAIN, test.com
dn: sambaDomainName=DOMAIN,dc=test,dc=com

# Domain Admins, Groups, test.com
dn: cn=Domain Admins,ou=Groups,dc=test,dc=com

# Domain Users, Groups, test.com
dn: cn=Domain Users,ou=Groups,dc=test,dc=com

# Domain Guests, Groups, test.com
dn: cn=Domain Guests,ou=Groups,dc=test,dc=com

# Domain Computers, Groups, test.com
dn: cn=Domain Computers,ou=Groups,dc=test,dc=com

# IS, Groups, test.com
dn: cn=IS,ou=Groups,dc=test,dc=com

# Administrator, People, test.com
dn: uid=Administrator,ou=People,dc=test,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 17
# numEntries: 16

I am sure that this is something I am doing wrong again but I can't find it.

On Jan 7, 2008 5:06 AM, Jonathan Barber wrote:
> On Fri, Jan 04, 2008 at 03:37:32PM -0500, Me wrote:
> > I am having trouble getting samba-3.0.24-11 setup as a PDC with an
> > ldap backend using FDS on a FC6 test box. I have installed the
> > 1.0.4-1 version of the directory server accepting the defaults except
> > for the server name without any problems. I can query the directory
> > server and it is populated with the proper objects. I am using the
> > instructions in the Howto:Samba documentation on the FDS Wiki site
> > . I am able to
> > perform all of the tasks without any problems until I get to the part
> > of the install that has me run the following command:
> >
> > net groupmap list
>
> [snip]
>
> Your smb.conf has the config:
>
> ldap group suffix = ou=Group
>
> But the ldif you provided has:
>
> dn: ou=Groups, dc=test,dc=com
>
> Note the additional "s".
>
> Cheers.
> --
> Jonathan Barber
> High Performance Computing Analyst
> Tel. +44 (0) 1382 386389

From rmeggins at redhat.com Mon Jan 7 21:33:21 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 07 Jan 2008 14:33:21 -0700
Subject: [Fedora-directory-users] DS Failed to start
In-Reply-To:
References: <4782765C.70605@redhat.com>
Message-ID: <47829AA1.5040806@redhat.com>

kiran madala wrote:
> I am not sure why this has to be made so difficult. I was able to restore to previous state because I am using VMWare. However, when I enabled SSL and tried to restart manually, this is the error I got:
>
> Enter PIN for Internal (Software) Token:
> [07/Jan/2008:14:43:00 -0500] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert server-cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)
> [07/Jan/2008:14:43:00 -0500] - SSL failure: None of the cipher are valid
>
> Then I went to the configuration directory on /etc/dirsrv/slapd-248 and changed the names of cert8.db and key3.db to slapd-248-cert8.db and slapd-248- key3.db (slapd-248 is the instance name) and tried to change to .pfx file by executing the command
>
> pk12util -d , -P slapd-248- -o servercert.pfx -n Server-Cert
>
> Then this is the error I get
>
> pk12util: function failed: security library: bad database.
>
> I generated the certificate using windows 2003 CA service and installed it using the remote DS console. Again I am using fedora 1.1 ds on fedora 6 on x86 machine.
>
> Any idea how do I proceed?
>
What directions/instructions are you attempting to follow to set up SSL? Note that since you are using Fedora DS 1.1, the -P prefix argument is no longer used - since the key/cert db are in their own instance specific directory, they should just be called cert8.db and key3.db.

The error suggests a problem with the CA cert. Try this

cd /etc/dirsrv/slapd-248
certutil -L -d .

Finally, I'm not sure what enabling SSL would have to do with making the database unrecoverable - were you previously running Fedora DS 1.0.4 on this system and did an in-place upgrade?
> Thank you.
> ----------------------------------------
>
>> From: kirankmadala at hotmail.com
>> To: fedora-directory-users at redhat.com
>> Subject: RE: [Fedora-directory-users] DS Failed to start
>> Date: Mon, 7 Jan 2008 15:23:20 -0400
>>
>>
>> It's fedora ds 1.1 on fedora 6 on x86 machine.
>> ----------------------------------------
>>
>>> Date: Mon, 7 Jan 2008 11:58:36 -0700
>>> From: rmeggins at redhat.com
>>> To: fedora-directory-users at redhat.com
>>> Subject: Re: [Fedora-directory-users] DS Failed to start
>>>
>>> kiran madala wrote:
>>>
>>>> Hello,
>>>> I was experimenting with fedora ds sync with active directory. In the process I installed a certificate on the DS. Then I restarted using the remote admin console without enabling ssl but the DS failed to restart. I have the error log below. It seems like the DS database got corrupted; how do I recover it?
>>>>
>>> What platform?

From kirankmadala at hotmail.com Mon Jan 7 22:25:56 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Mon, 7 Jan 2008 18:25:56 -0400
Subject: [Fedora-directory-users] DS Failed to start
In-Reply-To: <47829AA1.5040806@redhat.com>
References: <4782765C.70605@redhat.com> <47829AA1.5040806@redhat.com>
Message-ID:

Thanks for the information. I still have the same problem. I have this document for fedora 1.0.4 server http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html to run on SSL. Is there any similar doc for 1.1 version? Also I have generated the certificates using windows 2003 CA service which produced .cert files. Do I need to convert them into different format using pk12utility? If yes then how would I do it?

Thanks again.
----------------------------------------
> Date: Mon, 7 Jan 2008 14:33:21 -0700
> From: rmeggins at redhat.com
> To: fedora-directory-users at redhat.com
> Subject: Re: [Fedora-directory-users] DS Failed to start
>
> kiran madala wrote:
>> I am not sure why this has to be made so difficult. I was able to restore to previous state because I am using VMWare. However, when I enabled SSL and tried to restart manually, this is the error I got:
>>
>> Enter PIN for Internal (Software) Token:
>> [07/Jan/2008:14:43:00 -0500] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert server-cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)
>> [07/Jan/2008:14:43:00 -0500] - SSL failure: None of the cipher are valid >> >> then I went to the configuration directory on /etc/dirsrv/slapd-248 and changed the names of cert8.db and key3.db to slapd-248-cert8.db and slapd-248- key3.db (slapd-248 is the instance name) and tried to change to .pfx file by executing the command >> >> pk12util -d , -P slapd-248- -o servercert.pfx -n Server-Cert >> >> Then this is the error I get >> >> pk12util: function failed: security library: bad database. >> >> I generated the certificate using windows 2003 CA service and installed it using the remote DS console. Again I am using fedora 1.1 ds on fedora 6 on x86 machine. >> >> Any Idea how do i proceed? >> > What directions/instructions are you attempting to follow to set up > SSL? Note that since you are using Fedora DS 1.1, the -P prefix > argument is no longer used - since the key/cert db are in their own > instance specific directory, they should just be called cert8.db and > key3.db. > > The error suggests a problem with the CA cert. Try this > cd /etc/dirsrv/slapd-248 > certutil -L -d . > > Finally, I'm not sure what enabling SSL would have to do with making the > database unrecoverable - were you previously running Fedora DS 1.0.4 on > this system and did an in-place upgrade? >> Thank you. >> ---------------------------------------- >> >>> From: kirankmadala at hotmail.com >>> To: fedora-directory-users at redhat.com >>> Subject: RE: [Fedora-directory-users] DS Failed to start >>> Date: Mon, 7 Jan 2008 15:23:20 -0400 >>> >>> >>> Its fedora ds 1.1 on fedora 6 on x86 machine. >>> ---------------------------------------- >>> >>>> Date: Mon, 7 Jan 2008 11:58:36 -0700 >>>> From: rmeggins at redhat.com >>>> To: fedora-directory-users at redhat.com >>>> Subject: Re: [Fedora-directory-users] DS Failed to start >>>> >>>> kiran madala wrote: >>>> >>>>> Hello, >>>>> I was experimenting with fedora ds sync with active directory. In the process I installed a certificate on the DS. 
Then I restarted usign the remote admin console with out enabling ssl but the DS failed to restart. I have the error log below. It seems like the DS database got corrucpted how do i recover it? >>>>> >>>>> >>>> What platform? >>>> >>>>> [07/Jan/2008:13:44:37 -0500] - slapd shutting down - signaling operation threads >>>>> [07/Jan/2008:13:44:41 -0500] - slapd shutting down - waiting for 30 threads to terminate >>>>> [07/Jan/2008:13:44:41 -0500] - slapd shutting down - closing down internal subsystems and plugins >>>>> [07/Jan/2008:13:44:42 -0500] - Waiting for 4 database threads to stop >>>>> [07/Jan/2008:13:44:42 -0500] - All database threads now stopped >>>>> [07/Jan/2008:13:47:43 -0500] - Fedora-Directory/1.1.0 B2007.354.1236 starting up >>>>> [07/Jan/2008:13:47:43 -0500] - Detected Disorderly Shutdown last time Directory Server was running, recovering database. >>>>> [07/Jan/2008:13:47:45 -0500] - libdb: Improper file close at 1/1042383 >>>>> [07/Jan/2008:13:47:54 -0500] - libdb: Recovery function for LSN 1 1042383 failed on forward pass >>>>> [07/Jan/2008:13:47:55 -0500] - libdb: PANIC: Invalid argument >>>>> [07/Jan/2008:13:47:55 -0500] - libdb: PANIC: fatal region error detected; run recovery >>>>> [07/Jan/2008:13:47:55 -0500] - Database Recovery Process FAILED. The database is not recoverable. 
err=-30977: DB_RUNRECOVERY: Fatal error, run database recovery >>>>> [07/Jan/2008:13:47:55 -0500] - Please make sure there is enough disk space for dbcache (10000000 bytes) and db region files >>>>> [07/Jan/2008:13:47:55 -0500] - start: Failed to init database, err=-30977 DB_RUNRECOVERY: Fatal error, run database recovery >>>>> [07/Jan/2008:13:47:55 -0500] - Failed to start database plugin ldbm database >>>>> [07/Jan/2008:13:47:55 -0500] - WARNING: ldbm instance userRoot already exists >>>>> [07/Jan/2008:13:47:55 -0500] - WARNING: ldbm instance NetscapeRoot already exists >>>>> [07/Jan/2008:13:47:55 -0500] binder-based resource limits - nsLookThroughLimit: parameter error (slapi_reslimit_register() already registered) >>>>> [07/Jan/2008:13:47:55 -0500] - start: Resource limit registration failed >>>>> [07/Jan/2008:13:47:55 -0500] - Failed to start database plugin ldbm database >>>>> [07/Jan/2008:13:47:55 -0500] - Error: Failed to resolve plugin dependencies >>>>> [07/Jan/2008:13:47:55 -0500] - Error: preoperation plugin 7-bit check is not started >>>>> [07/Jan/2008:13:47:55 -0500] - Error: accesscontrol plugin ACL Plugin is not started >>>>> [07/Jan/2008:13:47:55 -0500] - Error: preoperation plugin ACL preoperation is not started >>>>> [07/Jan/2008:13:47:55 -0500] - Error: object plugin Class of Service is not started >>>>> [07/Jan/2008:13:47:55 -0500] - Error: preoperation plugin HTTP Client is not started >>>>> [07/Jan/2008:13:47:55 -0500] - Error: database plugin ldbm database is not started >>>>> [07/Jan/2008:13:47:55 -0500] - Error: object plugin Legacy Replication Plugin is not started >>>>> [07/Jan/2008:13:47:55 -0500] - Error: object plugin Multimaster Replication Plugin is not started >>>>> [07/Jan/2008:13:47:55 -0500] - Error: object plugin Roles Plugin is not started >>>>> [07/Jan/2008:13:47:55 -0500] - Error: object plugin Views is not started >>>>> [07/Jan/2008:13:48:14 -0500] - Fedora-Directory/1.1.0 B2007.354.1236 starting up >>>>> 
[07/Jan/2008:13:48:14 -0500] - Detected Disorderly Shutdown last time Directory Server was running, recovering database. >>>>> [07/Jan/2008:13:48:14 -0500] - libdb: Improper file close at 1/1042383 >>>>> [07/Jan/2008:13:48:16 -0500] - libdb: Recovery function for LSN 1 1042383 failed on forward pass >>>>> [07/Jan/2008:13:48:16 -0500] - libdb: PANIC: Invalid argument >>>>> [07/Jan/2008:13:48:16 -0500] - libdb: PANIC: fatal region error detected; run recovery >>>>> [07/Jan/2008:13:48:16 -0500] - Database Recovery Process FAILED. The database is not recoverable. err=-30977: DB_RUNRECOVERY: Fatal error, run database recovery >>>>> [07/Jan/2008:13:48:16 -0500] - Please make sure there is enough disk space for dbcache (10000000 bytes) and db region files >>>>> [07/Jan/2008:13:48:16 -0500] - start: Failed to init database, err=-30977 DB_RUNRECOVERY: Fatal error, run database recovery >>>>> [07/Jan/2008:13:48:16 -0500] - Failed to start database plugin ldbm database >>>>> [07/Jan/2008:13:48:16 -0500] - WARNING: ldbm instance userRoot already exists >>>>> [07/Jan/2008:13:48:16 -0500] - WARNING: ldbm instance NetscapeRoot already exists >>>>> [07/Jan/2008:13:48:16 -0500] binder-based resource limits - nsLookThroughLimit: parameter error (slapi_reslimit_register() already registered) >>>>> [07/Jan/2008:13:48:16 -0500] - start: Resource limit registration failed >>>>> [07/Jan/2008:13:48:16 -0500] - Failed to start database plugin ldbm database >>>>> [07/Jan/2008:13:48:16 -0500] - Error: Failed to resolve plugin dependencies >>>>> [07/Jan/2008:13:48:16 -0500] - Error: preoperation plugin 7-bit check is not started >>>>> [07/Jan/2008:13:48:16 -0500] - Error: accesscontrol plugin ACL Plugin is not started >>>>> [07/Jan/2008:13:48:16 -0500] - Error: preoperation plugin ACL preoperation is not started >>>>> [07/Jan/2008:13:48:16 -0500] - Error: object plugin Class of Service is not started >>>>> [07/Jan/2008:13:48:16 -0500] - Error: preoperation plugin HTTP Client is not started 
>>>>> [07/Jan/2008:13:48:16 -0500] - Error: database plugin ldbm database is not started >>>>> [07/Jan/2008:13:48:16 -0500] - Error: object plugin Legacy Replication Plugin is not started >>>>> [07/Jan/2008:13:48:16 -0500] - Error: object plugin Multimaster Replication Plugin is not started >>>>> [07/Jan/2008:13:48:16 -0500] - Error: object plugin Roles Plugin is not started >>>>> [07/Jan/2008:13:48:16 -0500] - Error: object plugin Views is not started >>>>> >>>>> >>>>> >>>>> _________________________________________________________________ >>>>> Discover new ways to stay in touch with Windows Live! Visit the City @ Live today! >>>>> http://getyourliveid.ca/?icid=LIVEIDENCA006 >>>>> >>>>> -- >>>>> Fedora-directory-users mailing list >>>>> Fedora-directory-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>> >>>>> >>> _________________________________________________________________ >>> Discover new ways to stay in touch with Windows Live! Visit the City @ Live today! >>> http://getyourliveid.ca/?icid=LIVEIDENCA006 >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >> >> _________________________________________________________________ >> Introducing the City @ Live! Take a tour! >> http://getyourliveid.ca/?icid=LIVEIDENCA006 >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > _________________________________________________________________ Introducing the City @ Live! Take a tour! 
http://getyourliveid.ca/?icid=LIVEIDENCA006 From rmeggins at redhat.com Mon Jan 7 22:37:00 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 07 Jan 2008 15:37:00 -0700 Subject: [Fedora-directory-users] DS Failed to start In-Reply-To: References: <4782765C.70605@redhat.com> <47829AA1.5040806@redhat.com> Message-ID: <4782A98C.2040206@redhat.com> kiran madala wrote: > Thanks for the information I still have the same problem. I have this document for fedora 1.0.4 server http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html to run on SSL is there any similar doc for 1.1 version?.. > I just updated this page with the information for Fedora DS 1.1 - http://directory.fedoraproject.org/wiki/Howto:SSL See also the RHDS 8.0 beta docs - http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_SSL.html > Also I have generated the certificates using windows 2003 CA service which produced .cert files. DO i need to convert them into different format using pk12utility? If yes then how would i do it. > I don't know what format Windows .cert is. But if it is a standard key/cert file format, pk12util or certutil should be able to use them. Are they binary or ascii? > Thanks again. > ---------------------------------------- > >> Date: Mon, 7 Jan 2008 14:33:21 -0700 >> From: rmeggins at redhat.com >> To: fedora-directory-users at redhat.com >> Subject: Re: [Fedora-directory-users] DS Failed to start >> >> kiran madala wrote: >> >>> I am not sure why this has to be made so difficult. I was able to restore to previous state because I am using VMWare. However when I enabled SSL and tried to restart manually. This is the error I got >>> >>> Enter PIN for Internal (Software) Token: >>> [07/Jan/2008:14:43:00 -0500] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert server-cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.) 
>>> [07/Jan/2008:14:43:00 -0500] - SSL failure: None of the cipher are valid >>> >>> then I went to the configuration directory on /etc/dirsrv/slapd-248 and changed the names of cert8.db and key3.db to slapd-248-cert8.db and slapd-248- key3.db (slapd-248 is the instance name) and tried to change to .pfx file by executing the command >>> >>> pk12util -d , -P slapd-248- -o servercert.pfx -n Server-Cert >>> >>> Then this is the error I get >>> >>> pk12util: function failed: security library: bad database. >>> >>> I generated the certificate using windows 2003 CA service and installed it using the remote DS console. Again I am using fedora 1.1 ds on fedora 6 on x86 machine. >>> >>> Any Idea how do i proceed? >>> >>> >> What directions/instructions are you attempting to follow to set up >> SSL? Note that since you are using Fedora DS 1.1, the -P prefix >> argument is no longer used - since the key/cert db are in their own >> instance specific directory, they should just be called cert8.db and >> key3.db. >> >> The error suggests a problem with the CA cert. Try this >> cd /etc/dirsrv/slapd-248 >> certutil -L -d . >> >> Finally, I'm not sure what enabling SSL would have to do with making the >> database unrecoverable - were you previously running Fedora DS 1.0.4 on >> this system and did an in-place upgrade? >> >>> Thank you. >>> ---------------------------------------- >>> >>> >>>> From: kirankmadala at hotmail.com >>>> To: fedora-directory-users at redhat.com >>>> Subject: RE: [Fedora-directory-users] DS Failed to start >>>> Date: Mon, 7 Jan 2008 15:23:20 -0400 >>>> >>>> >>>> Its fedora ds 1.1 on fedora 6 on x86 machine. 
>>>> ---------------------------------------- >>>> >>>> >>>>> Date: Mon, 7 Jan 2008 11:58:36 -0700 >>>>> From: rmeggins at redhat.com >>>>> To: fedora-directory-users at redhat.com >>>>> Subject: Re: [Fedora-directory-users] DS Failed to start >>>>> >>>>> kiran madala wrote: >>>>> >>>>> >>>>>> Hello, >>>>>> I was experimenting with fedora ds sync with active directory. In the process I installed a certificate on the DS. Then I restarted usign the remote admin console with out enabling ssl but the DS failed to restart. I have the error log below. It seems like the DS database got corrucpted how do i recover it? >>>>>> >>>>>> >>>>>> >>>>> What platform? >>>>> >>>>> >>>>>> [07/Jan/2008:13:44:37 -0500] - slapd shutting down - signaling operation threads >>>>>> [07/Jan/2008:13:44:41 -0500] - slapd shutting down - waiting for 30 threads to terminate >>>>>> [07/Jan/2008:13:44:41 -0500] - slapd shutting down - closing down internal subsystems and plugins >>>>>> [07/Jan/2008:13:44:42 -0500] - Waiting for 4 database threads to stop >>>>>> [07/Jan/2008:13:44:42 -0500] - All database threads now stopped >>>>>> [07/Jan/2008:13:47:43 -0500] - Fedora-Directory/1.1.0 B2007.354.1236 starting up >>>>>> [07/Jan/2008:13:47:43 -0500] - Detected Disorderly Shutdown last time Directory Server was running, recovering database. >>>>>> [07/Jan/2008:13:47:45 -0500] - libdb: Improper file close at 1/1042383 >>>>>> [07/Jan/2008:13:47:54 -0500] - libdb: Recovery function for LSN 1 1042383 failed on forward pass >>>>>> [07/Jan/2008:13:47:55 -0500] - libdb: PANIC: Invalid argument >>>>>> [07/Jan/2008:13:47:55 -0500] - libdb: PANIC: fatal region error detected; run recovery >>>>>> [07/Jan/2008:13:47:55 -0500] - Database Recovery Process FAILED. The database is not recoverable. 
err=-30977: DB_RUNRECOVERY: Fatal error, run database recovery >>>>>> [07/Jan/2008:13:47:55 -0500] - Please make sure there is enough disk space for dbcache (10000000 bytes) and db region files >>>>>> [07/Jan/2008:13:47:55 -0500] - start: Failed to init database, err=-30977 DB_RUNRECOVERY: Fatal error, run database recovery >>>>>> [07/Jan/2008:13:47:55 -0500] - Failed to start database plugin ldbm database >>>>>> [07/Jan/2008:13:47:55 -0500] - WARNING: ldbm instance userRoot already exists >>>>>> [07/Jan/2008:13:47:55 -0500] - WARNING: ldbm instance NetscapeRoot already exists >>>>>> [07/Jan/2008:13:47:55 -0500] binder-based resource limits - nsLookThroughLimit: parameter error (slapi_reslimit_register() already registered) >>>>>> [07/Jan/2008:13:47:55 -0500] - start: Resource limit registration failed >>>>>> [07/Jan/2008:13:47:55 -0500] - Failed to start database plugin ldbm database >>>>>> [07/Jan/2008:13:47:55 -0500] - Error: Failed to resolve plugin dependencies >>>>>> [07/Jan/2008:13:47:55 -0500] - Error: preoperation plugin 7-bit check is not started >>>>>> [07/Jan/2008:13:47:55 -0500] - Error: accesscontrol plugin ACL Plugin is not started >>>>>> [07/Jan/2008:13:47:55 -0500] - Error: preoperation plugin ACL preoperation is not started >>>>>> [07/Jan/2008:13:47:55 -0500] - Error: object plugin Class of Service is not started >>>>>> [07/Jan/2008:13:47:55 -0500] - Error: preoperation plugin HTTP Client is not started >>>>>> [07/Jan/2008:13:47:55 -0500] - Error: database plugin ldbm database is not started >>>>>> [07/Jan/2008:13:47:55 -0500] - Error: object plugin Legacy Replication Plugin is not started >>>>>> [07/Jan/2008:13:47:55 -0500] - Error: object plugin Multimaster Replication Plugin is not started >>>>>> [07/Jan/2008:13:47:55 -0500] - Error: object plugin Roles Plugin is not started >>>>>> [07/Jan/2008:13:47:55 -0500] - Error: object plugin Views is not started >>>>>> [07/Jan/2008:13:48:14 -0500] - Fedora-Directory/1.1.0 B2007.354.1236 starting up 
>>>>>> [07/Jan/2008:13:48:14 -0500] - Detected Disorderly Shutdown last time Directory Server was running, recovering database. >>>>>> [07/Jan/2008:13:48:14 -0500] - libdb: Improper file close at 1/1042383 >>>>>> [07/Jan/2008:13:48:16 -0500] - libdb: Recovery function for LSN 1 1042383 failed on forward pass >>>>>> [07/Jan/2008:13:48:16 -0500] - libdb: PANIC: Invalid argument >>>>>> [07/Jan/2008:13:48:16 -0500] - libdb: PANIC: fatal region error detected; run recovery >>>>>> [07/Jan/2008:13:48:16 -0500] - Database Recovery Process FAILED. The database is not recoverable. err=-30977: DB_RUNRECOVERY: Fatal error, run database recovery >>>>>> [07/Jan/2008:13:48:16 -0500] - Please make sure there is enough disk space for dbcache (10000000 bytes) and db region files >>>>>> [07/Jan/2008:13:48:16 -0500] - start: Failed to init database, err=-30977 DB_RUNRECOVERY: Fatal error, run database recovery >>>>>> [07/Jan/2008:13:48:16 -0500] - Failed to start database plugin ldbm database >>>>>> [07/Jan/2008:13:48:16 -0500] - WARNING: ldbm instance userRoot already exists >>>>>> [07/Jan/2008:13:48:16 -0500] - WARNING: ldbm instance NetscapeRoot already exists >>>>>> [07/Jan/2008:13:48:16 -0500] binder-based resource limits - nsLookThroughLimit: parameter error (slapi_reslimit_register() already registered) >>>>>> [07/Jan/2008:13:48:16 -0500] - start: Resource limit registration failed >>>>>> [07/Jan/2008:13:48:16 -0500] - Failed to start database plugin ldbm database >>>>>> [07/Jan/2008:13:48:16 -0500] - Error: Failed to resolve plugin dependencies >>>>>> [07/Jan/2008:13:48:16 -0500] - Error: preoperation plugin 7-bit check is not started >>>>>> [07/Jan/2008:13:48:16 -0500] - Error: accesscontrol plugin ACL Plugin is not started >>>>>> [07/Jan/2008:13:48:16 -0500] - Error: preoperation plugin ACL preoperation is not started >>>>>> [07/Jan/2008:13:48:16 -0500] - Error: object plugin Class of Service is not started >>>>>> [07/Jan/2008:13:48:16 -0500] - Error: preoperation plugin 
HTTP Client is not started >>>>>> [07/Jan/2008:13:48:16 -0500] - Error: database plugin ldbm database is not started >>>>>> [07/Jan/2008:13:48:16 -0500] - Error: object plugin Legacy Replication Plugin is not started >>>>>> [07/Jan/2008:13:48:16 -0500] - Error: object plugin Multimaster Replication Plugin is not started >>>>>> [07/Jan/2008:13:48:16 -0500] - Error: object plugin Roles Plugin is not started >>>>>> [07/Jan/2008:13:48:16 -0500] - Error: object plugin Views is not started >>>>>> >>>>>> >>>>>> >>>>>> _________________________________________________________________ >>>>>> Discover new ways to stay in touch with Windows Live! Visit the City @ Live today! >>>>>> http://getyourliveid.ca/?icid=LIVEIDENCA006 >>>>>> >>>>>> -- >>>>>> Fedora-directory-users mailing list >>>>>> Fedora-directory-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>> >>>>>> >>>>>> >>>> _________________________________________________________________ >>>> Discover new ways to stay in touch with Windows Live! Visit the City @ Live today! >>>> http://getyourliveid.ca/?icid=LIVEIDENCA006 >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>>> >>> _________________________________________________________________ >>> Introducing the City @ Live! Take a tour! >>> http://getyourliveid.ca/?icid=LIVEIDENCA006 >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> > > _________________________________________________________________ > Introducing the City @ Live! Take a tour! 

From tsagnimorte at elv.enic.fr Mon Jan 7 16:53:54 2008
From: tsagnimorte at elv.enic.fr (tsagnimorte at elv.enic.fr)
Date: Mon, 7 Jan 2008 17:53:54 +0100
Subject: [Fedora-directory-users] Fedora dS Serv Admin on RHEL4
Message-ID: <380-22008117165354258@elv.enic.fr>

Hi,

I have installed a FDS 1.0.4 on my RHEL4. The slapd server is good, but I have a problem when I want to start the Admin Server.

Here is what I get in return of start-admin command:

ERROR: ld.so: object '/opt/fedora-ds/bin/admin/lib/libssl3.so' from LD_PRELOAD cannot be preloaded: ignored.
ERROR: ld.so: object '/opt/fedora-ds/bin/admin/lib/libldap60.so' from LD_PRELOAD cannot be preloaded: ignored.
Syntax error on line 150 of /opt/fedora-ds/admin-serv/config/httpd.conf:
Cannot load /opt/fedora-ds/bin/admin/lib/libmodrestartd.so into server: /opt/fedora-ds/bin/admin/lib/libmodrestartd.so: cannot open shared object file: No such file or directory

What would cause this issue? I don't find any info on the web.

Regards,

Thomas

From rmeggins at redhat.com Tue Jan 8 15:07:34 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 08 Jan 2008 08:07:34 -0700
Subject: [Fedora-directory-users] Fedora dS Serv Admin on RHEL4
In-Reply-To: <380-22008117165354258@elv.enic.fr>
References: <380-22008117165354258@elv.enic.fr>
Message-ID: <478391B6.4080005@redhat.com>

tsagnimorte at elv.enic.fr wrote:
> Hi,
>
> I have installed a FDS 1.0.4 on my RHEL4.
I'm assuming you installed the FC3/RHEL4 binary rpm?
> The slapd server is good,
> but I have a problem when I want to start the Admin Server.
>
When you ran setup, did it complete successfully with no error messages? Check /opt/fedora-ds/admin-serv/logs for errors too.
> Here is what I get in return of start-admin command:
>
> ERROR: ld.so: object '/opt/fedora-ds/bin/admin/lib/libssl3.so' from
> LD_PRELOAD cannot be preloaded: ignored.
> ERROR: ld.so: object '/opt/fedora-ds/bin/admin/lib/libldap60.so' from
> LD_PRELOAD cannot be preloaded: ignored.
> Syntax error on line 150 of
> /opt/fedora-ds/admin-serv/config/httpd.conf:
> Cannot load /opt/fedora-ds/bin/admin/lib/libmodrestartd.so into
> server: /opt/fedora-ds/bin/admin/lib/libmodrestartd.so: cannot open
> shared object file: No such file or directory
>
>
> What would cause this issue? I don't find any info on the web.
>
grep HTTPD start-admin
Then, see if that executable exists - it should be /usr/sbin/httpd.worker
Then, do ldd /usr/sbin/httpd.worker - do you see any libldap* in the output?
Do /opt/fedora-ds/bin/admin/lib/libssl3.so and /opt/fedora-ds/bin/admin/lib/libldap60.so exist?
> Regards,
>
> Thomas

From gm4rtin at gmail.com Tue Jan 8 15:36:41 2008
From: gm4rtin at gmail.com (Me)
Date: Tue, 8 Jan 2008 10:36:41 -0500
Subject: [Fedora-directory-users] Problems configuring Samba PDC + FDS error "Username not found"
Message-ID: <43806ba60801080736p72765b11id3ba2b6c99b4a763@mail.gmail.com>

I am having trouble getting samba-3.0.24-11 set up as a PDC with an ldap backend using FDS on a FC6 test box. I have installed the 1.0.4-1 version of the directory server accepting the defaults except for the server name without any problems. I can query the directory server and it is populated with the proper objects.
I am using the instructions in the Howto:Samba documentation on the FDS Wiki site. I am able to perform all of the tasks without any problems until I get to the part of the install that has me run the following command:

pdbedit -U S-1-5-21-3420770344-727635258-2597706457-500 -u Administrator -r

I receive the following error:

smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
Username not found!

I can query the directory successfully with the following output:

ldapsearch -b dc=test,dc=com -x 'Administrator'
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: Administrator
#

# test.com
dn: dc=test,dc=com

# Directory Administrators, test.com
dn: cn=Directory Administrators, dc=test,dc=com

# Groups, test.com
dn: ou=Groups, dc=test,dc=com

# People, test.com
dn: ou=People, dc=test,dc=com

# Special Users, test.com
dn: ou=Special Users,dc=test,dc=com

# Accounting Managers, groups, test.com
dn: cn=Accounting Managers,ou=groups,dc=test,dc=com

# HR Managers, groups, test.com
dn: cn=HR Managers,ou=groups,dc=test,dc=com

# QA Managers, groups, test.com
dn: cn=QA Managers,ou=groups,dc=test,dc=com

# PD Managers, groups, test.com
dn: cn=PD Managers,ou=groups,dc=test,dc=com

# DOMAIN, test.com
dn: sambaDomainName=DOMAIN,dc=test,dc=com

# Domain Admins, Groups, test.com
dn: cn=Domain Admins,ou=Groups,dc=test,dc=com

# Domain Users, Groups, test.com
dn: cn=Domain Users,ou=Groups,dc=test,dc=com

# Domain Guests, Groups, test.com
dn: cn=Domain Guests,ou=Groups,dc=test,dc=com

# Domain Computers, Groups, test.com
dn: cn=Domain Computers,ou=Groups,dc=test,dc=com

# IS, Groups, test.com
dn: cn=IS,ou=Groups,dc=test,dc=com

# Administrator, People, test.com
dn: uid=Administrator,ou=People,dc=test,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 17
# numEntries: 16

Here is a copy of my smb.conf:

[global]
    workgroup = DOMAIN
    security = user
    passdb backend = ldapsam:ldap://vandread.test.com
    ldap admin dn = cn=Directory Manager
    ldap suffix = dc=test,dc=com
    ldap user suffix = ou=People
    ldap machine suffix = ou=People
    ldap group suffix = ou=Groups
    log file = /var/log/samba/%m.log
    log level = 3
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    os level = 33
    domain logons = yes
    domain master = yes
    local master = yes
    preferred master = yes
    wins support = yes
    logon home = \\%L\%u\profiles
    logon path = \\%L\profiles\%u
    logon drive = H:
    template shell = /bin/false
    winbind use default domain = no
    winbind nested groups = no
    enable privileges = yes

#============================ Share Definitions ==============================
[homes]
    comment = Home Directories
    browseable = no
    writable = yes

[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    admin users = +sysadmin
    guest ok = no
    browseable = no
    writable = no

[profiles]
    path = /var/lib/samba/profiles
    admin users = +sysadmin
    read only = no
    guest ok = no
    create mask =0600
    directory mask = 0700

I am sure that there is something I am doing wrong but I can't find it. Nothing shows up in slapd-server/logs/access or errors or the samba log.

From rmeggins at redhat.com Tue Jan 8 15:53:50 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 08 Jan 2008 08:53:50 -0700
Subject: [Fedora-directory-users] Announcing Fedora Directory Server 1.1.0
Message-ID: <47839C8E.3010408@redhat.com>

Fedora Directory Server 1.1.0 is now available.

See http://directory.fedoraproject.org/wiki/Release_Notes for details about new features and new installation procedures.

What's new?
* Auto UID and GID number generation with the libdna plugin - Distributed Numeric Assignment
* Separate packages - each main component is in its own package - uses yum for installation
* Filesystem Hierarchy Standard file/path layout (e.g. log files are under /var/log/dirsrv)
* Init scripts!
  service dirsrv {start|stop|restart} [instance name]
  service dirsrv-admin {start|stop|restart}
  edit /etc/sysconfig/dirsrv or /etc/sysconfig/dirsrv-admin to set environment
* Many of the components are now built into Fedora
* The setup command is now /usr/sbin/setup-ds-admin.pl
* startconsole is gone - use /usr/bin/fedora-idm-console instead
* Migration from version 1.0 and earlier is fully supported by the /usr/sbin/migrate-ds-admin.pl script provided with the package
* IcedTea Java runs the console on Fedora 8 and later - proprietary Java no longer required

Known Issues
* Binary packages are provided only for Fedora 6, 7, 8 and 9 - The Fedora 6 packages should run on EL5.1 (not 5.0)
* Version 1.1 does not include the phonebook, gateway, or org chart web apps - those will be provided in a following release
* Migration to Fedora 8 and later, and upgrading an existing Fedora DS on Fedora 8, requires LDIF files - binary database migration and upgrade from an earlier release to Fedora 8 or later does not work.

From tsagnimorte at elv.enic.fr Tue Jan 8 16:33:01 2008
From: tsagnimorte at elv.enic.fr (tsagnimorte at elv.enic.fr)
Date: Tue, 8 Jan 2008 17:33:01 +0100
Subject: [Fedora-directory-users] Fedora dS Serv Admin on RHEL4
Message-ID: <380-2200812816331489@elv.enic.fr>

Yes, I installed FC3/RHEL4 x86_64. At the end of the installation, I have just a message that said it can't start admin-serv (and the explanation is the same with libssl3.so and libldap60.so).
I do grep HTTPD start-admin and I have HTTPD=/usr/sbin/httpd.worker /usr/bin/ldd $HTTPD 2>&1 | grep libldap > /dev/null 2>&1 && hasol=1 $HTTPD -k start -d $ADMSERV_ROOT -f $ADMSERV_ROOT/config/httpd.conf "$@" In ldd /usr/sbin/httpd.worker I find "libldap-2.2.so.7" /opt/fedora-ds/bin/admin/lib/libssl3.so and /opt/fedora-ds/bin/admin/lib/libldap60.so are present and it's the same for /opt/fedora-ds/bin/admin/lib/libmodrestartd.so Maybe it's a problem with 64bit and the lib? >tsagnimorte at elv.enic.fr wrote: >> Hi, >> >> I have installed a FDS 1.0.4 on my RHEL4. >I'm assuming you installed the FC3/RHEL4 binary rpm? >> The slpad server is good, >> but I have a problem when I want to start the Admin Server. >> >When you ran setup, did it complete successfully with no error >messages? Check /opt/fedora-ds/admin-serv/logs for errors too. >> Here is wath I get in return of start-admin command: >> >> ERROR: ld.so: object '/opt/fedora-ds/bin/admin/lib/libssl3.so' from >> LD_PRELOAD cannot be preloaded: ignored. >> ERROR: ld.so: object '/opt/fedora-ds/bin/admin/lib/libldap60.so' from >> LD_PRELOAD cannot be preloaded: ignored. >> Syntax error on line 150 of >> /opt/fedora-ds/admin-serv/config/httpd.conf: >> Cannot load /opt/fedora-ds/bin/admin/lib/libmodrestartd.so into >> server: /opt/fedora-ds/bin/admin/lib/libmodrestartd.so: cannot open >> shared object file: No such file or directory >> >> >> What would cause this issue? I don't find any info on the web. >> >grep HTTPD start-admin >Then, see if that executable exists - it should be /usr/sbin/httpd.worker >Then, do ldd /usr/sbin/httpd.worker - do you see any libldap* in the output? >do /opt/fedora-ds/bin/admin/lib/libssl3.so and >/opt/fedora-ds/bin/admin/lib/libldap60.so exist? 
>> Regards, >> >> Thomas >> >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> From j.barber at dundee.ac.uk Tue Jan 8 17:50:04 2008 From: j.barber at dundee.ac.uk (Jonathan Barber) Date: Tue, 8 Jan 2008 17:50:04 +0000 Subject: [Fedora-directory-users] Announcing Fedora Directory Server 1.1.0 In-Reply-To: <47839C8E.3010408@redhat.com> References: <47839C8E.3010408@redhat.com> Message-ID: <20080108175004.GT11941@flea.lifesci.dundee.ac.uk> On Tue, Jan 08, 2008 at 08:53:50AM -0700, Rich Megginson wrote: > Fedora Directory Server 1.1.0 is now available. Cool. > See http://directory.fedoraproject.org/wiki/Release_Notes for details > about new features and new installation procedures. > > What's new? > * Auto UID and GID number generation with the libdna plugin - > Distributed Numeric Assignment > * Separate packages - each main component is in its own package - uses > yum for installation > * Filesystem Hierarchy Standard file/path layout (e.g. log files are > under /var/log/dirsrv) > * Init scripts! > service dirsrv {start|stop|restart} [instance name] > service dirsrv-admin {start|stop|restart} > edit /etc/sysconfig/dirsrv or /etc/sysconfig/dirsrv-admin to set > environment > * Many of the components are now built into Fedora > * The setup command is now /usr/sbin/setup-ds-admin.pl > * startconsole is gone - use /usr/bin/fedora-idm-console instead > * Migration from version 1.0 and earlier is fully supported by the > /usr/sbin/migrate-ds-admin.pl script provided with the package > * IcedTea Java runs the console on Fedora 8 and later - proprietary Java > no longer required > > Known Issues > * Binary packages are provided only for Fedora 6, 7, 8 and 9 - The > Fedora 6 packages should run on EL5.1 (not 5.0) Are there any plans to support RHEL4? Cheers. -- Jonathan Barber High Performance Computing Analyst Tel. 
+44 (0) 1382 386389

From kirankmadala at hotmail.com Tue Jan 8 17:51:04 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Tue, 8 Jan 2008 13:51:04 -0400
Subject: [Fedora-directory-users] DS Failed to start
In-Reply-To: <4782A98C.2040206@redhat.com>
References: <4782765C.70605@redhat.com> <47829AA1.5040806@redhat.com> <4782A98C.2040206@redhat.com>
Message-ID:

Hi,
It all worked well. Thanks for the information. I configured DS server for SSL support and restarted it successfully. Now got another issue.

I changed the DS URL in adm.conf file from usual ldap to ldaps and port 636. Now when I restart my admin server this is the error I get.

/usr/sbin/start-ds-admin: line 66: 3158 Segmentation fault $SELINUX_CMD $HTTPD $OMIT_DEFLATE -k start -f /etc/dirsrv/admin-serv/httpd.conf "$@"

What could be the issue?

Also I would like to know for windows sync is it enough to enable ssl for DS server or do I need to enable SSL on admin server as well? Can I connect to the SSL enabled DS with normal Admin server from remote console?

Thank you.
----------------------------------------
> Date: Mon, 7 Jan 2008 15:37:00 -0700
> From: rmeggins at redhat.com
> To: fedora-directory-users at redhat.com
> Subject: Re: [Fedora-directory-users] DS Failed to start
>
> kiran madala wrote:
>> Thanks for the information I still have the same problem. I have this document for fedora 1.0.4 server http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html to run on SSL is there any similar doc for 1.1 version?..
>>
> I just updated this page with the information for Fedora DS 1.1 -
> http://directory.fedoraproject.org/wiki/Howto:SSL
> See also the RHDS 8.0 beta docs -
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_SSL.html
>> Also I have generated the certificates using windows 2003 CA service which produced .cert files. Do I need to convert them into different format using pk12utility? If yes then how would I do it.
>>
> I don't know what format Windows .cert is.
But if it is a standard > key/cert file format, pk12util or certutil should be able to use them. > Are they binary or ascii? >> Thanks again. >> ---------------------------------------- >> >>> Date: Mon, 7 Jan 2008 14:33:21 -0700 >>> From: rmeggins at redhat.com >>> To: fedora-directory-users at redhat.com >>> Subject: Re: [Fedora-directory-users] DS Failed to start >>> >>> kiran madala wrote: >>> >>>> I am not sure why this has to be made so difficult. I was able to restore to previous state because I am using VMWare. However when I enabled SSL and tried to restart manually. This is the error I got >>>> >>>> Enter PIN for Internal (Software) Token: >>>> [07/Jan/2008:14:43:00 -0500] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert server-cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.) >>>> [07/Jan/2008:14:43:00 -0500] - SSL failure: None of the cipher are valid >>>> >>>> then I went to the configuration directory on /etc/dirsrv/slapd-248 and changed the names of cert8.db and key3.db to slapd-248-cert8.db and slapd-248- key3.db (slapd-248 is the instance name) and tried to change to .pfx file by executing the command >>>> >>>> pk12util -d , -P slapd-248- -o servercert.pfx -n Server-Cert >>>> >>>> Then this is the error I get >>>> >>>> pk12util: function failed: security library: bad database. >>>> >>>> I generated the certificate using windows 2003 CA service and installed it using the remote DS console. Again I am using fedora 1.1 ds on fedora 6 on x86 machine. >>>> >>>> Any Idea how do i proceed? >>>> >>>> >>> What directions/instructions are you attempting to follow to set up >>> SSL? Note that since you are using Fedora DS 1.1, the -P prefix >>> argument is no longer used - since the key/cert db are in their own >>> instance specific directory, they should just be called cert8.db and >>> key3.db. >>> >>> The error suggests a problem with the CA cert. 
Try this >>> cd /etc/dirsrv/slapd-248 >>> certutil -L -d . >>> >>> Finally, I'm not sure what enabling SSL would have to do with making the >>> database unrecoverable - were you previously running Fedora DS 1.0.4 on >>> this system and did an in-place upgrade? >>> >>>> Thank you. >>>> ---------------------------------------- >>>> >>>> >>>>> From: kirankmadala at hotmail.com >>>>> To: fedora-directory-users at redhat.com >>>>> Subject: RE: [Fedora-directory-users] DS Failed to start >>>>> Date: Mon, 7 Jan 2008 15:23:20 -0400 >>>>> >>>>> >>>>> Its fedora ds 1.1 on fedora 6 on x86 machine. >>>>> ---------------------------------------- >>>>> >>>>> >>>>>> Date: Mon, 7 Jan 2008 11:58:36 -0700 >>>>>> From: rmeggins at redhat.com >>>>>> To: fedora-directory-users at redhat.com >>>>>> Subject: Re: [Fedora-directory-users] DS Failed to start >>>>>> >>>>>> kiran madala wrote: >>>>>> >>>>>> >>>>>>> Hello, >>>>>>> I was experimenting with fedora ds sync with active directory. In the process I installed a certificate on the DS. Then I restarted usign the remote admin console with out enabling ssl but the DS failed to restart. I have the error log below. It seems like the DS database got corrucpted how do i recover it? >>>>>>> >>>>>>> >>>>>>> >>>>>> What platform? >>>>>> >>>>>> >>>>>>> [07/Jan/2008:13:44:37 -0500] - slapd shutting down - signaling operation threads >>>>>>> [07/Jan/2008:13:44:41 -0500] - slapd shutting down - waiting for 30 threads to terminate >>>>>>> [07/Jan/2008:13:44:41 -0500] - slapd shutting down - closing down internal subsystems and plugins >>>>>>> [07/Jan/2008:13:44:42 -0500] - Waiting for 4 database threads to stop >>>>>>> [07/Jan/2008:13:44:42 -0500] - All database threads now stopped >>>>>>> [07/Jan/2008:13:47:43 -0500] - Fedora-Directory/1.1.0 B2007.354.1236 starting up >>>>>>> [07/Jan/2008:13:47:43 -0500] - Detected Disorderly Shutdown last time Directory Server was running, recovering database. 
>>>>>>> [07/Jan/2008:13:47:45 -0500] - libdb: Improper file close at 1/1042383 >>>>>>> [07/Jan/2008:13:47:54 -0500] - libdb: Recovery function for LSN 1 1042383 failed on forward pass >>>>>>> [07/Jan/2008:13:47:55 -0500] - libdb: PANIC: Invalid argument >>>>>>> [07/Jan/2008:13:47:55 -0500] - libdb: PANIC: fatal region error detected; run recovery >>>>>>> [07/Jan/2008:13:47:55 -0500] - Database Recovery Process FAILED. The database is not recoverable. err=-30977: DB_RUNRECOVERY: Fatal error, run database recovery >>>>>>> [07/Jan/2008:13:47:55 -0500] - Please make sure there is enough disk space for dbcache (10000000 bytes) and db region files >>>>>>> [07/Jan/2008:13:47:55 -0500] - start: Failed to init database, err=-30977 DB_RUNRECOVERY: Fatal error, run database recovery >>>>>>> [07/Jan/2008:13:47:55 -0500] - Failed to start database plugin ldbm database >>>>>>> [07/Jan/2008:13:47:55 -0500] - WARNING: ldbm instance userRoot already exists >>>>>>> [07/Jan/2008:13:47:55 -0500] - WARNING: ldbm instance NetscapeRoot already exists >>>>>>> [07/Jan/2008:13:47:55 -0500] binder-based resource limits - nsLookThroughLimit: parameter error (slapi_reslimit_register() already registered) >>>>>>> [07/Jan/2008:13:47:55 -0500] - start: Resource limit registration failed >>>>>>> [07/Jan/2008:13:47:55 -0500] - Failed to start database plugin ldbm database >>>>>>> [07/Jan/2008:13:47:55 -0500] - Error: Failed to resolve plugin dependencies >>>>>>> [07/Jan/2008:13:47:55 -0500] - Error: preoperation plugin 7-bit check is not started >>>>>>> [07/Jan/2008:13:47:55 -0500] - Error: accesscontrol plugin ACL Plugin is not started >>>>>>> [07/Jan/2008:13:47:55 -0500] - Error: preoperation plugin ACL preoperation is not started >>>>>>> [07/Jan/2008:13:47:55 -0500] - Error: object plugin Class of Service is not started >>>>>>> [07/Jan/2008:13:47:55 -0500] - Error: preoperation plugin HTTP Client is not started >>>>>>> [07/Jan/2008:13:47:55 -0500] - Error: database plugin ldbm database is not 
started >>>>>>> [07/Jan/2008:13:47:55 -0500] - Error: object plugin Legacy Replication Plugin is not started >>>>>>> [07/Jan/2008:13:47:55 -0500] - Error: object plugin Multimaster Replication Plugin is not started >>>>>>> [07/Jan/2008:13:47:55 -0500] - Error: object plugin Roles Plugin is not started >>>>>>> [07/Jan/2008:13:47:55 -0500] - Error: object plugin Views is not started >>>>>>> [07/Jan/2008:13:48:14 -0500] - Fedora-Directory/1.1.0 B2007.354.1236 starting up >>>>>>> [07/Jan/2008:13:48:14 -0500] - Detected Disorderly Shutdown last time Directory Server was running, recovering database. >>>>>>> [07/Jan/2008:13:48:14 -0500] - libdb: Improper file close at 1/1042383 >>>>>>> [07/Jan/2008:13:48:16 -0500] - libdb: Recovery function for LSN 1 1042383 failed on forward pass >>>>>>> [07/Jan/2008:13:48:16 -0500] - libdb: PANIC: Invalid argument >>>>>>> [07/Jan/2008:13:48:16 -0500] - libdb: PANIC: fatal region error detected; run recovery >>>>>>> [07/Jan/2008:13:48:16 -0500] - Database Recovery Process FAILED. The database is not recoverable. 
err=-30977: DB_RUNRECOVERY: Fatal error, run database recovery >>>>>>> [07/Jan/2008:13:48:16 -0500] - Please make sure there is enough disk space for dbcache (10000000 bytes) and db region files >>>>>>> [07/Jan/2008:13:48:16 -0500] - start: Failed to init database, err=-30977 DB_RUNRECOVERY: Fatal error, run database recovery >>>>>>> [07/Jan/2008:13:48:16 -0500] - Failed to start database plugin ldbm database >>>>>>> [07/Jan/2008:13:48:16 -0500] - WARNING: ldbm instance userRoot already exists >>>>>>> [07/Jan/2008:13:48:16 -0500] - WARNING: ldbm instance NetscapeRoot already exists >>>>>>> [07/Jan/2008:13:48:16 -0500] binder-based resource limits - nsLookThroughLimit: parameter error (slapi_reslimit_register() already registered) >>>>>>> [07/Jan/2008:13:48:16 -0500] - start: Resource limit registration failed >>>>>>> [07/Jan/2008:13:48:16 -0500] - Failed to start database plugin ldbm database >>>>>>> [07/Jan/2008:13:48:16 -0500] - Error: Failed to resolve plugin dependencies >>>>>>> [07/Jan/2008:13:48:16 -0500] - Error: preoperation plugin 7-bit check is not started >>>>>>> [07/Jan/2008:13:48:16 -0500] - Error: accesscontrol plugin ACL Plugin is not started >>>>>>> [07/Jan/2008:13:48:16 -0500] - Error: preoperation plugin ACL preoperation is not started >>>>>>> [07/Jan/2008:13:48:16 -0500] - Error: object plugin Class of Service is not started >>>>>>> [07/Jan/2008:13:48:16 -0500] - Error: preoperation plugin HTTP Client is not started >>>>>>> [07/Jan/2008:13:48:16 -0500] - Error: database plugin ldbm database is not started >>>>>>> [07/Jan/2008:13:48:16 -0500] - Error: object plugin Legacy Replication Plugin is not started >>>>>>> [07/Jan/2008:13:48:16 -0500] - Error: object plugin Multimaster Replication Plugin is not started >>>>>>> [07/Jan/2008:13:48:16 -0500] - Error: object plugin Roles Plugin is not started >>>>>>> [07/Jan/2008:13:48:16 -0500] - Error: object plugin Views is not started >>>>>>> >>>>>>> >>>>>>> >>>>>>> 
http://puzzles.sympatico.msn.ca/chicktionary/index.html?icid=htmlsig From rmeggins at redhat.com Tue Jan 8 17:58:20 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 08 Jan 2008 10:58:20 -0700 Subject: [Fedora-directory-users] Fedora dS Serv Admin on RHEL4 In-Reply-To: <380-2200812816331489@elv.enic.fr> References: <380-2200812816331489@elv.enic.fr> Message-ID: <4783B9BC.5080202@redhat.com> tsagnimorte at elv.enic.fr wrote: > Yes, I installed FC3/RHEL4 x86_64. > > At the end of the installation, I have just a message that said it > can't start admin-serv (and the explaination is the same with > libssl3.so and libldap60.so). > > I do grep HTTPD start-admin and I have > HTTPD=/usr/sbin/httpd.worker > /usr/bin/ldd $HTTPD 2>&1 | grep libldap > /dev/null 2>&1 && > hasol=1 > $HTTPD -k start -d $ADMSERV_ROOT -f $ADMSERV_ROOT/config/httpd.conf > "$@" > > In ldd /usr/sbin/httpd.worker I find "libldap-2.2.so.7" > > /opt/fedora-ds/bin/admin/lib/libssl3.so and > /opt/fedora-ds/bin/admin/lib/libldap60.so are present and it's the > same for /opt/fedora-ds/bin/admin/lib/libmodrestartd.so > > Maybe it's a problem with 64bit and the lib? > I just don't know. I cannot reproduce this problem: 1) start with an up2date RHEL4 x86_64 system 2) Download http://directory.fedoraproject.org/download/fedora-ds-1.0.4-1.RHEL4.x86_64.opt.rpm and install 3) run setup The admin server starts fine - no errors - console works too. Do you have LD_LIBRARY_PATH set? Are there any non system paths in your ldconfig? Does anyone else have this problem? > > > >> tsagnimorte at elv.enic.fr wrote: >> >>> Hi, >>> >>> I have installed a FDS 1.0.4 on my RHEL4. >>> >> I'm assuming you installed the FC3/RHEL4 binary rpm? >> >>> The slpad server is good, >>> but I have a problem when I want to start the Admin Server. >>> >>> >> When you ran setup, did it complete successfully with no error >> messages? Check /opt/fedora-ds/admin-serv/logs for errors too. 
>> >>> Here is wath I get in return of start-admin command: >>> >>> ERROR: ld.so: object '/opt/fedora-ds/bin/admin/lib/libssl3.so' from >>> LD_PRELOAD cannot be preloaded: ignored. >>> ERROR: ld.so: object '/opt/fedora-ds/bin/admin/lib/libldap60.so' >>> > from > >>> LD_PRELOAD cannot be preloaded: ignored. >>> Syntax error on line 150 of >>> /opt/fedora-ds/admin-serv/config/httpd.conf: >>> Cannot load /opt/fedora-ds/bin/admin/lib/libmodrestartd.so into >>> server: /opt/fedora-ds/bin/admin/lib/libmodrestartd.so: cannot open >>> shared object file: No such file or directory >>> >>> >>> What would cause this issue? I don't find any info on the web. >>> >>> >> grep HTTPD start-admin >> Then, see if that executable exists - it should be >> > /usr/sbin/httpd.worker > >> Then, do ldd /usr/sbin/httpd.worker - do you see any libldap* in the >> > output? > >> do /opt/fedora-ds/bin/admin/lib/libssl3.so and >> /opt/fedora-ds/bin/admin/lib/libldap60.so exist? >> >>> Regards, >>> >>> Thomas >>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From car at cespi.unlp.edu.ar Tue Jan 8 17:59:21 2008 From: car at cespi.unlp.edu.ar (Christian A. 
Rodriguez) Date: Tue, 08 Jan 2008 14:59:21 -0300 Subject: [Fedora-directory-users] Windows Syncronization inbound changes problem Message-ID: <20080108145921.yg18imny80o0sccw@163.10.0.84> First of all I have to mention that Windows Users & Groups were created before Fedora Directory was installed, so when FDS was installed I started up with replicated windows users in FDS without passwords being synchronized. Therefore, the scenario is a Windows tree with users (with passwords) & groups and FDS with users and groups replicated without their passwords. I am trying to define a mechanism to reset every password in both directories so they begin to work synchronized. Doing some tests, I realized that a change made in Windows is replicated into FDS binding as the users subject of change, so as the entry doesn't have it's password, the following lines are logged in FDS access log: [08/Jan/2008:15:51:35 -0300] conn=1033 op=0 BIND dn="uid=USERXXX,OU=People,ou=Active Directory,dc=example,dc=com" method=128 version=2 [08/Jan/2008:15:51:35 -0300] conn=1033 op=0 RESULT err=49 tag=97 nentries=0 etime=0 [08/Jan/2008:15:51:35 -0300] conn=1033 op=1 UNBIND [08/Jan/2008:15:51:35 -0300] conn=1033 op=1 fd=80 closed - U1 [08/Jan/2008:15:51:35 -0300] conn=1032 op=2 RESULT err=50 tag=103 nentries=0 etime=0 [08/Jan/2008:15:51:35 -0300] conn=1032 op=3 UNBIND I haven't found any documentation about inbound changes, specifically password change, being done as the same user subject of the change. Is this true? Thanks in advance, and sorry for my bad English -- Lic. Christian A. 
Rodriguez From rmeggins at redhat.com Tue Jan 8 17:59:34 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 08 Jan 2008 10:59:34 -0700 Subject: [Fedora-directory-users] Announcing Fedora Directory Server 1.1.0 In-Reply-To: <20080108175004.GT11941@flea.lifesci.dundee.ac.uk> References: <47839C8E.3010408@redhat.com> <20080108175004.GT11941@flea.lifesci.dundee.ac.uk> Message-ID: <4783BA06.3080706@redhat.com> Jonathan Barber wrote: > On Tue, Jan 08, 2008 at 08:53:50AM -0700, Rich Megginson wrote: > >> Fedora Directory Server 1.1.0 is now available. >> > > Cool. > > >> >> > > Are there any plans to support RHEL4? > No plans currently to provide binary RPMs, although I am working on updating dsbuild to allow you to build on RHEL4. > Cheers. > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Tue Jan 8 18:04:42 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 08 Jan 2008 11:04:42 -0700 Subject: [Fedora-directory-users] DS Failed to start In-Reply-To: References: <4782765C.70605@redhat.com> <47829AA1.5040806@redhat.com> <4782A98C.2040206@redhat.com> Message-ID: <4783BB3A.5020001@redhat.com> kiran madala wrote: > Hi, > It all worked well. Thanks for the information. I configured DS server for SSL support and restarted it succesfully. Now got another issue. > > I changed the DS URL in adm.conf file from usual ldap to ldaps and port 636. now when i restart my admin server this is the error i get. > > /usr/sbin/start-ds-admin: line 66: 3158 Segmentation fault $SELINUX_CMD $HTTPD $OMIT_DEFLATE -k start -f /etc/dirsrv/admin-serv/httpd.conf "$@" > > What could be the issue? > Any errors in /var/log/dirsrv/admin-serv/error? 
You'll have to at least add the CA cert of the CA that issue the directory server cert to the cert database of the admin server in /etc/dirsrv/admin-serv - see http://directory.fedoraproject.org/wiki/Howto:SSL#Import_the_CA_cert_into_the_Admin_Server > Also I would like to know for windows sync is is enough to enable ssl for DS server or do i need to enable SSL on admin server as well? DS server only. > Can i connet to the SSL enabled DS with normal Admin server from remote console? > Yes, because the DS listens for both SSL and non-SSL connections by default. > > Thanks you. > ---------------------------------------- > >> Date: Mon, 7 Jan 2008 1 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From ryan at videoegg.com Tue Jan 8 21:06:42 2008 From: ryan at videoegg.com (Ryan Mortensen) Date: Tue, 8 Jan 2008 13:06:42 -0800 Subject: [Fedora-directory-users] Documentation for libdna (auto uid/gid generation) ? Message-ID: Does anyone know where I might find documentation for the libdna plugin? I've got fds 1.1 installed on my system and I'd like to test out this feature but I'm not exactly sure how. I've enabled it in the plugin list (with no arguments). Anyone set this up yet? -------------- next part -------------- An HTML attachment was scrubbed... URL: From kmarsh at gdrs.com Tue Jan 8 21:35:13 2008 From: kmarsh at gdrs.com (Ken Marsh) Date: Tue, 8 Jan 2008 16:35:13 -0500 Subject: [Fedora-directory-users] Fedora dS Serv Admin on RHEL4 Message-ID: <5AD9B0E562FEFB4E933861904D7135C568887C@gdrs-exchange.gdrs.com> Rich wrote: >Does anyone else have this problem? Yes, I have the exact same problem, on both RHELWS3 64-bit and RHELS5/Xen 64-bit. 
If you view my other list contributions, not only does the Admin's Apache Worker not work, none of the Admin templates are copied or configured, and the admin attributes are not present in the DS database.

-Ken.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rmeggins at redhat.com Tue Jan 8 21:48:11 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 08 Jan 2008 14:48:11 -0700
Subject: [Fedora-directory-users] Fedora dS Serv Admin on RHEL4
In-Reply-To: <5AD9B0E562FEFB4E933861904D7135C568887C@gdrs-exchange.gdrs.com>
References: <5AD9B0E562FEFB4E933861904D7135C568887C@gdrs-exchange.gdrs.com>
Message-ID: <4783EF9B.5040300@redhat.com>

Ken Marsh wrote:
>
> Rich wrote:
>
> >Does anyone else have this problem?
>
> Yes, I have the exact same problem, on both RHELWS3 64-bit
>
I don't think this - https://www.redhat.com/archives/fedora-directory-users/2008-January/msg00040.html - or this - https://www.redhat.com/archives/fedora-directory-users/2008-January/msg00014.html - are the same problem. There is no RHEL3 64-bit binary for Fedora DS. The RHEL3 32-bit binary for Fedora DS 1.0.4 will probably not work on a 64-bit system (e.g. attempts to load 32 bit perl modules into 64-bit /usr/bin/perl, Apache tries to load 32-bit modules into 64-bit /usr/sbin/httpd.worker, etc.)
>
> and RHELS5/Xen 64-bit.
>
I'm still not sure why the Fedora DS 1.0.4 FC6 x86_64 binary rpm doesn't work on EL5. I suppose you could try Fedora DS 1.1 - see http://directory.fedoraproject.org/wiki/Release_Notes and especially http://directory.fedoraproject.org/wiki/Download#Enterprise_Linux_5
>
> If you view my other list contributions, not only does the Admin's
> Apache Worker not work, none of the Admin templates are copied or
> configured, and the admin attributes are not present in the DS database.
>
I might be able to help you if you could answer my questions, in reply to your original posts:
https://www.redhat.com/archives/fedora-directory-users/2008-January/msg00036.html
https://www.redhat.com/archives/fedora-directory-users/2008-January/msg00035.html
https://www.redhat.com/archives/fedora-directory-users/2008-January/msg00041.html
https://www.redhat.com/archives/fedora-directory-users/2007-December/msg00026.html
>
> -Ken.
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From kmarsh at gdrs.com Tue Jan 8 22:06:27 2008
From: kmarsh at gdrs.com (Ken Marsh)
Date: Tue, 8 Jan 2008 17:06:27 -0500
Subject: [Fedora-directory-users] Admin server startup errors 1.0.4-1 on RHEWS3
Message-ID: <5AD9B0E562FEFB4E933861904D7135C5688880@gdrs-exchange.gdrs.com>

Rich,

From multiple install attempts, I've learned to set this before doing anything:

export LD_LIBRARY_PATH="/opt/fedora-ds/bin/slapd/lib/:${LD_LIBRARY_PATH}"

On ES5 the LD_LIBRARY_PATH is not previously set. On ES3 it is rich with developer libraries in /usr/local, but the DS path is now first.

As for host names, nslookup and reverse lookup are both OK, for short name, FQDN and IP. The /etc/hosts file does not conflict with DNS.

This is on Red Hat Enterprise Linux WS release 3 (Taroon Update 6) and ES5 Update 1 64 bit. I don't know if having the latest Update level matters. However I'm running out of Red Hat versions to install this on. They all have the same problem configuring the Admin server.

>What errors did you get during setup?

Pretty much the same behaviour on ES5/64bit and ES3/32bit.
The startup script merely says the Admin server doesn't start. At that point, /opt/fedora-ds/admin-serv/logs/errors is empty. Later, after I manually hack up a bunch of httpd.worker config files, it has the AdmldapInfo error I already reported. The only real difference between the two is that I can later manually hack up Apache 2.0 configs on ES3/32, but it's hopeless on the Apache 2.2 of ES5/64, given the lack of mod_auth.so et al. It seems that in all cases, the Admin server startup script exits early and quietly. Looking at the list, it seems I am not the only one with this problem. This is very frustrating, I have NDS 6.3 I am heavily reliant on, and very badly need a backup DS so I can do an extended service on that server. Perhaps entering that server's info in the setup/setup script is part of the problem? -Ken. -------------- next part -------------- An HTML attachment was scrubbed... URL: From Steven.Jones at vuw.ac.nz Tue Jan 8 22:10:57 2008 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Wed, 9 Jan 2008 11:10:57 +1300 Subject: [Fedora-directory-users] Admin server startup errors 1.0.4-1 onRHEWS3 In-Reply-To: <5AD9B0E562FEFB4E933861904D7135C5688880@gdrs-exchange.gdrs.com> Message-ID: Hi, You are installing? I have FDS running fine on RHAS4-32, at the time I don't think RHAS5/ES5 was a supported platform and it would not install/run, is it now? AS3 is too obsolete to use IMHO. I would also avoid the 64bit versions of RHAS/ES due to compatibility issues with 3rd party software.... regards Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272 ________________________________ From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Ken Marsh Sent: Wednesday, 9 January 2008 11:06 a.m. 
To: fedora-directory-users at redhat.com
Subject: [Fedora-directory-users] Admin server startup errors 1.0.4-1 onRHEWS3

Rich,

From multiple install attempts, I've learned to set this before doing anything:

export LD_LIBRARY_PATH="/opt/fedora-ds/bin/slapd/lib/:${LD_LIBRARY_PATH}"

On ES5 the LD_LIBRARY_PATH is not previously set. On ES3 it is rich with developer libraries in /usr/local, but the DS path is now first.

As for host names, nslookup and reverse lookup are both OK, for short name, FQDN and IP. The /etc/hosts file does not conflict with DNS.

This is on Red Hat Enterprise Linux WS release 3 (Taroon Update 6) and ES5 Update 1 64 bit. I don't know if having the latest Update level matters. However I'm running out of Red Hat versions to install this on. They all have the same problem configuring the Admin server.

>What errors did you get during setup?

Pretty much the same behaviour on ES5/64bit and ES3/32bit. The startup script merely says the Admin server doesn't start. At that point, /opt/fedora-ds/admin-serv/logs/errors is empty. Later, after I manually hack up a bunch of httpd.worker config files, it has the AdmldapInfo error I already reported.

The only real difference between the two is that I can later manually hack up Apache 2.0 configs on ES3/32, but it's hopeless on the Apache 2.2 of ES5/64, given the lack of mod_auth.so et al.

It seems that in all cases, the Admin server startup script exits early and quietly. Looking at the list, it seems I am not the only one with this problem.

This is very frustrating, I have NDS 6.3 I am heavily reliant on, and very badly need a backup DS so I can do an extended service on that server. Perhaps entering that server's info in the setup/setup script is part of the problem?

-Ken.
-------------- next part --------------
An HTML attachment was scrubbed...
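
An added example, not part of any message in this thread: one way to test the 32-bit/64-bit question raised above is to compare the ELF class and machine type of the Apache binary with those of each object it is asked to preload or load as a module. The function names and the sample headers are constructed for illustration; the sample does not describe any poster's actual files.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
EI_CLASS = {1: "ELF32", 2: "ELF64"}      # e_ident[4]
EI_DATA = {1: "<", 2: ">"}               # e_ident[5]: little / big endian
E_MACHINE = {3: "i386", 62: "x86_64"}    # EM_386, EM_X86_64


def parse_elf_ident(header):
    """Return (class, machine) from the first 20 bytes of an ELF file."""
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF object")
    elf_class = EI_CLASS.get(header[4])
    endian = EI_DATA.get(header[5])
    if elf_class is None or endian is None:
        raise ValueError("corrupt e_ident")
    # e_machine is the 16-bit field at offset 18, after e_ident and e_type.
    (machine,) = struct.unpack_from(endian + "H", header, 18)
    return elf_class, E_MACHINE.get(machine, "machine#%d" % machine)


def find_mismatches(host, objects):
    """Compare each object with the host binary.

    host is (name, header_bytes); objects maps name -> header_bytes.
    Returns a sorted list of (object_name, reason) for objects the
    dynamic loader could not map into the host process.
    """
    host_name, host_header = host
    want = parse_elf_ident(host_header)
    problems = []
    for name, header in sorted(objects.items()):
        try:
            got = parse_elf_ident(header)
        except ValueError as exc:
            problems.append((name, str(exc)))
            continue
        if got != want:
            reason = "%s/%s object, but %s is %s/%s" % (
                got[0], got[1], host_name, want[0], want[1])
            problems.append((name, reason))
    return problems


def read_header(path):
    """Read the 20 header bytes parse_elf_ident needs from a real file."""
    with open(path, "rb") as fh:
        return fh.read(20)


def make_header(ei_class, machine):
    """Build a constructed little-endian ELF header prefix for the sample."""
    ident = ELF_MAGIC + bytes([ei_class, 1, 1]) + b"\x00" * 9
    return ident + struct.pack("<HH", 3, machine)   # e_type = ET_DYN


# Constructed sample: a 64-bit server binary, two 32-bit libraries and one
# matching module. Paths are the ones quoted in the thread; the contents
# are invented here.
SAMPLE_HOST = ("/usr/sbin/httpd.worker", make_header(2, 62))
SAMPLE_OBJECTS = {
    "/opt/fedora-ds/bin/admin/lib/libssl3.so": make_header(1, 3),
    "/opt/fedora-ds/bin/admin/lib/libldap60.so": make_header(1, 3),
    "/opt/fedora-ds/bin/admin/lib/libmodrestartd.so": make_header(2, 62),
}

if __name__ == "__main__":
    if len(sys.argv) > 2:
        # Usage: script.py <server binary> <object> [<object> ...]
        host = (sys.argv[1], read_header(sys.argv[1]))
        objects = {p: read_header(p) for p in sys.argv[2:]}
    else:
        host, objects = SAMPLE_HOST, SAMPLE_OBJECTS
    for name, reason in find_mismatches(host, objects):
        print("%s: %s" % (name, reason))
```

Run with the server binary as the first argument and the libraries as the rest to check real files; with no arguments it reports on the constructed sample.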
URL: From kmarsh at gdrs.com Tue Jan 8 22:22:27 2008 From: kmarsh at gdrs.com (Ken Marsh) Date: Tue, 8 Jan 2008 17:22:27 -0500 Subject: [Fedora-directory-users] Re: Setting up 1.0.4-1 x86_64 on RHES5 64-bit Message-ID: <5AD9B0E562FEFB4E933861904D7135C5688882@gdrs-exchange.gdrs.com> Hi, Sorry for the spotty responses. I am not receiving all digests, but now I've found mail-archive web page and can now see all the responses. I have re-run the top level setup script (after rpm -e the DS, rm -fr /opt/fedora-ds , rpm -ivh, start over from scratch) and just the admin server startup script, multiple times each. In every case, it fails to set up anything. This is on a very new install of ES5, now updated to Update 1, 64 bit. FYI Running nslookup of short name, FQDN, and reverse lookup all work fine. The /etc/hosts file entries all agree with DNS. I would like some concrete debugging steps- a specific script to run in debug mode, for example. I guess I have been focusing on fixing the Admin setup gaps myself instead of fixing setup itself. I am Unix/Linux literate, so don't hold back. :-) -Ken. -------------- next part -------------- An HTML attachment was scrubbed... URL: From kmarsh at gdrs.com Tue Jan 8 22:43:29 2008 From: kmarsh at gdrs.com (Ken Marsh) Date: Tue, 8 Jan 2008 17:43:29 -0500 Subject: [Fedora-directory-users] Re: Fedora Directory Server not configuring admin server! Message-ID: <5AD9B0E562FEFB4E933861904D7135C5688884@gdrs-exchange.gdrs.com> Dane, I switched from FC5 to FC6. I did a rpm -e , followed by an rm -fr /opt/fedora-ds before installed the FC6 RPM. Hostnames on all servers resolve forwards, backwards, short name and FQDN, and agree with /etc/hosts. After running ./setup/setup, the errors log under /opt/fedora-ds/admin-serv/logs is empty. -Ken. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From kmarsh at gdrs.com Tue Jan 8 22:44:34 2008 From: kmarsh at gdrs.com (Ken Marsh) Date: Tue, 8 Jan 2008 17:44:34 -0500 Subject: [Fedora-directory-users] Re: Setting up 1.0.4-1 x86_64 on RHES5 64-bit Message-ID: <5AD9B0E562FEFB4E933861904D7135C5688885@gdrs-exchange.gdrs.com> Rich, I did an rpm -e of the FC5 package, an rm -fr of /opt/fedora-ds , then an rpm -ivh of the FC6 package. -Ken. -------------- next part -------------- An HTML attachment was scrubbed... URL: From kmarsh at gdrs.com Tue Jan 8 22:51:39 2008 From: kmarsh at gdrs.com (Ken Marsh) Date: Tue, 8 Jan 2008 17:51:39 -0500 Subject: [Fedora-directory-users] Re: Setting up second DS questions Message-ID: <5AD9B0E562FEFB4E933861904D7135C5688887@gdrs-exchange.gdrs.com> Rich, > Fedora DS or Red Hat DS? There is no NSDS afaik. My mistake. I started out with Netscape DS 6.3 some time ago, but I upgraded it to FDS 7.1 a couple of years ago. >For RHEL 5, use Fedora DS 1.0.4 for Fedora Core 6, not FC5. Thanks, I did. The behaviour of FC6 and FC5 installs on ES5/64 were the same, that is, the Admin portion fails quietly. >So, when you ran setup/setup, you told it to use your existing 7.1 configuration DS? Yes, when I install any of these packages, I give it the 7.1 DS server information. The new server then shows up on the Admin console of the old DS, but it's not really functional. >That might be too much - but you should be able to administer your 7.1 system from 1.0.4. I am hoping to Admin both from the newer console, at least to the point of setting up MultiMaster. Then I'll have the backup DS I need to upgrade 7.1 without down time. >Just setup multi-master replication between the two systems. I hope to get back to you on this soon! Thanks, Ken. -------------- next part -------------- An HTML attachment was scrubbed... 
From kmarsh at gdrs.com Tue Jan 8 22:55:54 2008
From: kmarsh at gdrs.com (Ken Marsh)
Date: Tue, 8 Jan 2008 17:55:54 -0500
Subject: [Fedora-directory-users] Re: Fedora dS Serv Admin on RHEL4
Message-ID: <5AD9B0E562FEFB4E933861904D7135C5688888@gdrs-exchange.gdrs.com>

Rich,

> I don't think this - - or this - are the same problem.

Sorry. It all gets back to, the original Admin setup script doesn't work for me. All the rest is me casting about looking to do things manually.

> I might be able to help you if you could answer my questions, in reply to your original posts:

I'm sorry, I've been out a lot for the holidays and have realized the list digest e-mail delivery at my site is highly unreliable. I have since found the mail-archive web site and should be able to participate more coherently now. You should now find responses to all your questions in their respective threads.

Thanks,
Ken.

From kmarsh at gdrs.com Tue Jan 8 23:26:02 2008
From: kmarsh at gdrs.com (Ken Marsh)
Date: Tue, 8 Jan 2008 18:26:02 -0500
Subject: [Fedora-directory-users] RE: Admin server startup errors 1.0.4-1 onRHEWS3
Message-ID: <5AD9B0E562FEFB4E933861904D7135C568888C@gdrs-exchange.gdrs.com>

Steven,

> You are installing? I have FDS running fine on RHAS4-32, at the time I
> don't think RHAS5/ES5 was a supported platform and it would not
> install/run, is it now?

I'm already running 7.1 fine on ES4/64, for a couple of years now, but I want to leave that one alone while I build some redundant directory servers. Then I'll go back and update ES4/64 to the latest DS.

> AS3 is too obsolete to use IMHO.

An ES3 system happened to be handy, and after all the trouble installing to ES5/64, it seemed a safe choice. ES3/64 was just a typo. Sorry for the confusion.

> I would also avoid the 64bit versions of RHAS/ES due to compatibility
> issues with 3rd party software....
Well, the ES5/64 system was a handy system, and the 64 bits are required for our 3rd party software. :-)

-Ken.

From rmeggins at redhat.com Tue Jan 8 23:30:43 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 08 Jan 2008 16:30:43 -0700
Subject: [Fedora-directory-users] Admin server startup errors 1.0.4-1 on RHEWS3
In-Reply-To: <5AD9B0E562FEFB4E933861904D7135C5688880@gdrs-exchange.gdrs.com>
References: <5AD9B0E562FEFB4E933861904D7135C5688880@gdrs-exchange.gdrs.com>
Message-ID: <478407A3.3060707@redhat.com>

Ken Marsh wrote:
>
> Rich,
>
> From multiple install attempts, I've learned to set this before doing
> anything:
>
> export LD_LIBRARY_PATH="/opt/fedora-ds/bin/slapd/lib/:${LD_LIBRARY_PATH}"
>
Really? That should definitely not be necessary. What happens if you do not do that?
>
> On ES5 the LD_LIBRARY_PATH is not previously set. On ES3 it is rich
> with developer libraries in /usr/local, but the DS path is now first.
>
> As for host names, nslookup and reverse lookup are both OK, for short
> name, FQDN and IP. The /etc/hosts file does not conflict with DNS.
>
> This is on Red Hat Enterprise Linux WS release 3 (Taroon Update 6) and
> ES5 Update 1 64 bit. I don't know if having the latest Update level
> matters. However I'm running out of Red Hat versions to install this
> on. They all have the same problem configuring the Admin server.
>
> >What errors did you get during setup?
>
> Pretty much the same behaviour on ES5/64bit and ES3/32bit. The startup
> script merely says the Admin server doesn't start. At that point,
> /opt/fedora-ds/admin-serv/logs/errors is empty. Later, after I
> manually hack up a bunch of httpd.worker config files, it has the
> AdmldapInfo error I already reported.
>
> The only real difference between the two is that I can later manually
> hack up Apache 2.0 configs on ES3/32, but it's hopeless on the Apache
> 2.2 of ES5/64, given the lack of mod_auth.so et al.
>
There are people on the list that have installed the Fedora DS 1.0.4 FC6 binary on RHEL5 and have it running.
>
> It seems that in all cases, the Admin server startup script exits
> early and quietly.
>
> Looking at the list, it seems I am not the only one with this problem.
>
There are many people that do not have this problem. That's why I'm trying to figure out what could be different about your environment. The LD_LIBRARY_PATH is one thing.
>
> This is very frustrating, I have NDS 6.3 I am heavily reliant on, and
> very badly need a backup DS so I can do an extended service on that
> server. Perhaps entering that server's info in the setup/setup script
> is part of the problem?
>
Is that server running?
>
> -Ken.

From a_mk2003 at yahoo.com Wed Jan 9 07:11:33 2008
From: a_mk2003 at yahoo.com (muthu kumar)
Date: Tue, 8 Jan 2008 23:11:33 -0800 (PST)
Subject: [Fedora-directory-users] How to install and configure the fedora directory server in FC7
Message-ID: <282259.68397.qm@web32815.mail.mud.yahoo.com>

Hi,

This is Muthu. I have installed in Fedora Core 7. I have 50 machines in Windows XP and 12 for Linux, and I have a Windows 2003 server. I want to change the directory server in Linux. How to install and configure the Fedora Directory Server in FC7? Please help me.

Thanks & Regards
MUTHUKKUMAR.A
Ph.9444421405
From pletisan at gmail.com Wed Jan 9 07:17:37 2008
From: pletisan at gmail.com (Igor MILOVANOVIC)
Date: Wed, 9 Jan 2008 08:17:37 +0100
Subject: [Fedora-directory-users] How to install and configure the fedora directory server in FC7
In-Reply-To: <282259.68397.qm@web32815.mail.mud.yahoo.com>
References: <282259.68397.qm@web32815.mail.mud.yahoo.com>
Message-ID: <241408730801082317g7adcbbp8258a161849b0472@mail.gmail.com>

Hi,

You can follow guide here: http://directory.fedoraproject.org/wiki/Install_Guide

And please read links on this page: http://directory.fedoraproject.org/wiki/Documentation

Then, if You happen to have a problem, ask on this list.

Thanks,

--
Igor Milovanović
http://www.linkedin.com/in/igormilovanovic
http://www.flickr.com/photos/f13o
http://www.pletisan.rs.ba/f13o/blog/
"The greatest inefficiencies come from solving problems you will never have." -- Rasmus Lerdorf

From kirankmadala at hotmail.com Wed Jan 9 14:35:00 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Wed, 9 Jan 2008 10:35:00 -0400
Subject: [Fedora-directory-users] Windows Active Directory sync Help!
Message-ID:

Hello,

I am trying to sync the DS with AD. Since I am new to AD and DS I have few questions.

I want to synchronize only users and groups so is it necessary to enable SSL on Active Directory and connect to Active directory through SSL?

In the replica settings the supplier DN user need to be on both AD and DS with should be a Domain admin of the AD?

When trying to synchronize with AD the bind DN (In screen shot) user should be in both AD and DS?

I have attached the screen shot of my final DS agreement window. I believe currently it is defined to synchronize users what changes I need to make it synchronize groups as well.

Thanks in advance
-------------- next part --------------
A non-text attachment was scrubbed...
Name: screen windows sync.JPG
Type: image/jpeg
Size: 44539 bytes
Desc: not available

From bbaker at priefert.com Tue Jan 8 21:53:19 2008
From: bbaker at priefert.com (William Baker)
Date: Tue, 08 Jan 2008 15:53:19 -0600
Subject: [Fedora-directory-users] DNS/BIND and DHCP integration
Message-ID: <4783F0CF.2050001@priefert.com>

Is there a reason that the BIND and DHCP integration HOWTO has never been written? I tried to do this a year ago and failed. I had difficulty finding and importing an acceptable schema to use. I tried to convert an OpenLDAP schema and failed. Perhaps I gave up too easily.

I would like to try it again, especially since bind-9.5 has a couple of features I want to use.

Does anyone have a schema to start with?
Any words of advice?
Any reason not to make a HOWTO?

bbaker

From kmarsh at gdrs.com Wed Jan 9 15:26:17 2008
From: kmarsh at gdrs.com (Ken Marsh)
Date: Wed, 9 Jan 2008 10:26:17 -0500
Subject: [Fedora-directory-users] Admin server startup errors 1.0.4-1 on RHEWS3
In-Reply-To: <20080109143547.6DBD873349@hormel.redhat.com>
References: <20080109143547.6DBD873349@hormel.redhat.com>
Message-ID: <5AD9B0E562FEFB4E933861904D7135C56888B9@gdrs-exchange.gdrs.com>

Message: 4
Date: Tue, 08 Jan 2008 16:30:43 -0700
From: Rich Megginson
Subject: Re: [Fedora-directory-users] Admin server startup errors 1.0.4-1 on RHEWS3
To: "General discussion list for the Fedora Directory server project."
Message-ID: <478407A3.3060707 at redhat.com>
Content-Type: text/plain; charset="windows-1252"

Rich wrote:
>I wrote:
>> This is very frustrating, I have NDS 6.3 (correction: FDS 7.1) I am heavily reliant on, and
>> very badly need a backup DS so I can do an extended service on that
>> server. Perhaps entering that server's info in the setup/setup script
>> is part of the problem?

As I suspected, THIS IS THE PROBLEM!
I just rpm -e'd fedora 1.0.4-1, rm -fr'd the /opt/fedora-ds directory, and then reinstalled saying "No" to whether I had another DS and if there was another DS with configuration information. The Admin server configured and started up automatically!

So, now we know 1.0.4-1's Admin setup is strongly adverse to using my 7.1 for config.

>Is that server running?

There is no crowd at my door, so, yes. :)

I am going to re-run it again and say "No" to the first other-DS question and "Yes" to using it as a Config server and see what happens.

Thanks,
-Ken.

From kirankmadala at hotmail.com Wed Jan 9 17:43:08 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Wed, 9 Jan 2008 13:43:08 -0400
Subject: [Fedora-directory-users] Windows Active Directory sync Help!
In-Reply-To:
References:
Message-ID:

As far as I understand by reading docs again that the user specified in the Sync agreement and Bind DN should be same and exist on Active directory with Domain Admin privileges. But I have other issues now.

The DS server is unable to connect to my AD. I enabled SSL by copying the same root certificate into AD and also generating a server certificate and opened up ports in firewall. Am I missing something like allowing client Authentication on the AD machine?

My current certificates are as follows.

DS has its own server certificate
AD has its own server certificate
ALL 3 servers AS,DS and AD have the same CA root certificate
From rmeggins at redhat.com Wed Jan 9 17:52:05 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 09 Jan 2008 10:52:05 -0700
Subject: [Fedora-directory-users] Windows Active Directory sync Help!
In-Reply-To:
References:
Message-ID: <478509C5.1090804@redhat.com>

kiran madala wrote:
> As far as I understand by reading docs again that the user specified in the Sync agreement and Bind DN should be same and exist on Active directory with Domain Admin privileges. But I have other issues now.
>
> The DS server is unable to connect to my AD.
What error messages are you getting? Check the error log.

You can also try using ldapsearch. Are you using Fedora DS 1.1 or 1.0.4? What OS?
> I enabled SSL by copying the same root certificate into AD and also generating a server certificate and opened up ports in firewall. Am I missing something like allowing client Authentication on the AD machine?
>
You don't need to use cert based client auth. You can use regular username/password auth over TLS/SSL.
> My current certificates are as follows.
>
> DS has its own server certificate
> AD has its own server certificate
> ALL 3 servers AS,DS and AD have the same CA root certificate
From rmeggins at redhat.com Wed Jan 9 18:03:01 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 09 Jan 2008 11:03:01 -0700
Subject: [Fedora-directory-users] Admin server startup errors 1.0.4-1 on RHEWS3
In-Reply-To: <5AD9B0E562FEFB4E933861904D7135C56888B9@gdrs-exchange.gdrs.com>
References: <20080109143547.6DBD873349@hormel.redhat.com> <5AD9B0E562FEFB4E933861904D7135C56888B9@gdrs-exchange.gdrs.com>
Message-ID: <47850C55.8090106@redhat.com>

Ken Marsh wrote:
> Message: 4
> Date: Tue, 08 Jan 2008 16:30:43 -0700
> From: Rich Megginson
> Subject: Re: [Fedora-directory-users] Admin server startup errors 1.0.4-1 on RHEWS3
> To: "General discussion list for the Fedora Directory server project."
> Message-ID: <478407A3.3060707 at redhat.com>
> Content-Type: text/plain; charset="windows-1252"
>
> Rich wrote:
>> I wrote:
>>> This is very frustrating, I have NDS 6.3 (correction: FDS 7.1) I am heavily reliant on, and
>>> very badly need a backup DS so I can do an extended service on that
>>> server. Perhaps entering that server's info in the setup/setup script
>>> is part of the problem?
>
> As I suspected, THIS IS THE PROBLEM!
>
> I just rpm -e'd fedora 1.0.4-1, rm -fr'd the /opt/fedora-ds directory,
> and then reinstalled saying "No" to whether I had another DS and if
> there was another DS with configuration information. The Admin server
> configured and started up automatically!
>
> So, now we know 1.0.4-1's Admin setup is strongly adverse to using my
> 7.1 for config.
>
I just tried the following, using VMs:
1) install fedora ds 7.1 on rhel4 - use itself for config information
2) in another machine, install 1.0.4 on rhel4 - use 1) for the config information

If I chose Typical setup mode, the install failed because Typical mode doesn't allow you to specify the AdminDomain.
If I chose Custom mode, then it did allow me to specify the AdminDomain and everything worked. If I use the console on machine 1, I can see both servers and manage them. However, I cannot manage server 1 from the console running on server 2 - it shows up in the console, but I get a NullPointerException when I click on it.
>
>> Is that server running?
>
> There is no crowd at my door, so, yes. :)
>
> I am going to re-run it again and say "No" to the first other-DS
> question and "Yes" to using it as a Config server and see what happens.
>
When you tried using your old server as the config DS for the new server, did you use Typical mode? Did you get any errors that said something about a domain or an admin domain?
> Thanks,
> -Ken.

From kirankmadala at hotmail.com Wed Jan 9 18:03:44 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Wed, 9 Jan 2008 14:03:44 -0400
Subject: [Fedora-directory-users] Windows Active Directory sync Help!
In-Reply-To: <478509C5.1090804@redhat.com>
References: <478509C5.1090804@redhat.com>
Message-ID:

I am using Fedora 1.1 on Fedora 6 x86 machine. When I fill in the entries and click next a message pops up saying "Unable to connet to Active Directory server, continue?". Also in the domain controller host field can I specify the IP address of the machine?

The error log for DS server is below. The IP is the Windows XP machine on which I am running the remote DS console.
[Wed Jan 09 09:15:08 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
[Wed Jan 09 09:15:08 2008] [notice] [client 192.168.8.241] admserv_check_authz(): passing [/admin-serv/authenticate] to the userauth handler
[Wed Jan 09 09:15:28 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
[Wed Jan 09 09:15:29 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
[Wed Jan 09 09:15:35 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
[Wed Jan 09 09:15:35 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
[Wed Jan 09 09:15:43 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
[Wed Jan 09 09:15:44 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
From rmeggins at redhat.com Wed Jan 9 18:09:54 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 09 Jan 2008 11:09:54 -0700
Subject: [Fedora-directory-users] Windows Active Directory sync Help!
In-Reply-To:
References: <478509C5.1090804@redhat.com>
Message-ID: <47850DF2.3000700@redhat.com>

kiran madala wrote:
> I am using Fedora 1.1 on Fedora 6 x86 machine. When I fill in the entries and click next a message pops up saying "Unable to connet to Active Directory server, continue?". Also in the domain controller host field can I specify the IP address of the machine?
>
> The error log for DS server is below. The IP is the Windows XP machine on which I am running the remote DS console.
>
> [Wed Jan 09 09:15:08 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
>
Actually, this is the error log for the admin server. The error log for the directory server is in /var/log/dirsrv/slapd-INSTANCE where instance is your instance name.

The console might be failing to connect to AD because the console has a separate key/cert db under ~/.fedora-idm-console (in 1.1). You may need to add the CA cert in this directory too:

certutil -A -d ~/.fedora-idm-console -n "CA certificate" -t "CT,," -a -i /path/to/cacert.asc
From rmeggins at redhat.com Wed Jan 9 18:12:43 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 09 Jan 2008 11:12:43 -0700
Subject: [Fedora-directory-users] Windows Active Directory sync Help!
In-Reply-To:
References:
Message-ID: <47850E9B.4070203@redhat.com>

kiran madala wrote:
> Hello,
>
> I am trying to sync the DS with AD. Since I am new to AD and DS I have few questions.
>
> I want to synchronize only users and groups so is it necessary to enable SSL on Active Directory and connect to Active directory through SSL?
>
No. TLS/SSL is only required for password sync.
> In the replica settings the supplier DN user need to be on both AD and DS
No, only on AD
> with should be a Domain admin of the AD?
>
Domain admin is the easiest way to go - harder but safer would be to create a special user that has read/write access to the subtree only.
> When trying to synchronize with AD the bind DN (In screen shot) user should be in both AD and DS?
>
> I have attached the screen shot of my final DS agreement window. I believe currently it is defined to synchronize users what changes I need to make it synchronize groups as well.
>
You should definitely not use o=NetscapeRoot.
When you ran setup, it should have created a suffix for use with users and groups e.g. dc=netscaper,dc=com
> Thanks in advance

From rmeggins at redhat.com Wed Jan 9 18:15:01 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 09 Jan 2008 11:15:01 -0700
Subject: [Fedora-directory-users] DNS/BIND and DHCP integration
In-Reply-To: <4783F0CF.2050001@priefert.com>
References: <4783F0CF.2050001@priefert.com>
Message-ID: <47850F25.2070708@redhat.com>

William Baker wrote:
>
> Is there a reason that the BIND and DHCP integration HOWTO has never
> been written? I tried to do this a year ago and failed. I had
> difficulty finding and importing an acceptable schema to use. I tried
> to convert an OpenLDAP schema and failed. Perhaps I gave up too easily.
>
> I would like to try it again, especially since bind-9.5 has a couple
> of features I want to use.
>
> Does anyone have a schema to start with?
The freeipa.org guys might have some schema for this.
> Any words of advice?
> Any reason not to make a HOWTO?
This would make a nice howto since http://directory.fedoraproject.org/wiki/Howto:BIND is currently empty.
From kirankmadala at hotmail.com Wed Jan 9 18:36:32 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Wed, 9 Jan 2008 14:36:32 -0400
Subject: [Fedora-directory-users] Windows Active Directory sync Help!
In-Reply-To: <47850DF2.3000700@redhat.com>
References: <478509C5.1090804@redhat.com> <47850DF2.3000700@redhat.com>
Message-ID:

Sorry, here is the error log for DS server

[09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)

It cannot connect to AD. I imported the CA certificate into the Installation folder of the console in the Windows XP machine.
The error log for > the directory server is in /var/log/dirsrv/slapd-INSTANCE where instance > is your instance name. > > The console might be failing to connect to AD because the console has a > separate key/cert db under ~/.fedora-idm-console (in 1.1). You may need > to add the CA cert in this directory too: > > certutil -A -d ~/.fedora-idm-console -n "CA certificate" -t "CT,," -a -i /path/to/cacert.asc > >> ---------------------------------------- >> >>> Date: Wed, 9 Jan 2008 10:52:05 -0700 >>> From: rmeggins at redhat.com >>> To: fedora-directory-users at redhat.com >>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help! >>> >>> kiran madala wrote: >>> >>>> As far I understand by reading docs again that the user specified in the Syn agreement and Bind DN should be same and exist on Active directory with Domain Admin privileges. But I have other issues now. >>>> >>>> The DS server is unable to connect to my AD. >>>> >>> What error messages are you getting? Check the error log. >>> >>> You can also try using ldapsearch. Are you using Fedora DS 1.1 or >>> 1.0.4? What OS? >>> >>>> I enabled SSL by copying the same root certificate into AD and also generating a server certificate and opened up ports in firewall. Am I missing something like allowing client Authentication on the AD machine? >>>> >>>> >>> You don't need to use cert based client auth. You can use regular >>> username/password auth over TLS/SSL. >>> >>>> My currents certificates are as follows. >>>> >>>> DS has its own server certificate >>>> AD has its own server certificate >>>> ALL 3 servers AS,DS and AD have the same CA root certificate >>>> >>>> >>>> >>>> ---------------------------------------- >>>> >>>> >>>>> From: kirankmadala at hotmail.com >>>>> To: fedora-directory-users at redhat.com >>>>> Date: Wed, 9 Jan 2008 10:35:00 -0400 >>>>> Subject: [Fedora-directory-users] Windows Active Directory sync Help! 
>>>>> >>>>> >>>>> Hello, >>>>> >>>>> I am trying to sync the DS with AD. Since I am new to AD and DS I have few questions. >>>>> >>>>> I want to synchronize only users and groups so Is it necessary to enable SSL on Active Directory and connect to Active directory through SSL? >>>>> >>>>> In the replica settings the supplier DN user need to be on both AD and DS with should be a Domain admin of the AD? >>>>> >>>>> When trying to synchronize with AD the bind DN (In screen shot) user should be in both AD and DS? >>>>> >>>>> >>>>> I have attached the screen shot of my final DS agreement window. I believe currently it is defined to synchronize users what changes I need to make it synchronize groups aswell. >>>>> >>>>> Thanks in advance >>>>> _________________________________________________________________ >>>>> Exercise your brain! Try Flexicon! >>>>> http://puzzles.sympatico.msn.ca/chicktionary/index.html?icid=htmlsig >>>>> >>>>> >>>> _________________________________________________________________ >>>> Use fowl language with Chicktionary. Click here to start playing! >>>> http://puzzles.sympatico.msn.ca/chicktionary/index.html?icid=htmlsig >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>>> >> >> _________________________________________________________________ >> Read what Santa`s been up to! For all the latest, visit asksantaclaus.spaces.live.com! >> http://asksantaclaus.spaces.live.com/ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > _________________________________________________________________ Introducing the City @ Live! Take a tour! 

From rmeggins at redhat.com Wed Jan 9 18:43:49 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 09 Jan 2008 11:43:49 -0700
Subject: [Fedora-directory-users] Windows Active Directory sync Help!
In-Reply-To:
References: <478509C5.1090804@redhat.com> <47850DF2.3000700@redhat.com>
Message-ID: <478515E5.10406@redhat.com>

kiran madala wrote:
> Sorry here is the error log for DS server
>
> [09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)
>
> It cannot connect to AD. I imported the CA certificate into the Installation folder of the console in the windows xp machine.
>

Did you configure the agreement to use SSL? Error 91 means some sort of connection problem, or invalid argument to the LDAP API e.g. you are attempting to use LDAP on the secure port instead of LDAPS.

You can verify that TLS/SSL is working by using ldapsearch from the command line. On the directory server machine:

/usr/lib/mozldap/ldapsearch -h ADhostname -p 638 -Z -P /etc/dirsrv/slapd-instancename -s base -b "" "objectclass=*"

Or use /usr/lib64/mozldap/ldapsearch on a 64bit system.

From gm4rtin at gmail.com Wed Jan 9 20:08:59 2008
From: gm4rtin at gmail.com (Gary Martin)
Date: Wed, 9 Jan 2008 15:08:59 -0500
Subject: [Fedora-directory-users] Samba + FDS Problem adding Administrator account "Username not found"
Message-ID: <43806ba60801091208oa032379k90414833ee77275e@mail.gmail.com>

I am following the instructions in the Howto:Samba documentation on the FDS Wiki site. When I go to edit the Administrator account using the following command:

pdbedit -U $( net getlocalsid | sed 's/SID for domain YOURWORKGROUP is: //' )-500 -u Administrator -r

smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
Username not found!

I get the same "Username not found" error if I run "pdbedit -L -v -u Administrator" so it seems that the account doesn't exist, yet if I run:

ldapsearch -b dc=test,dc=com -x '(uid=Administrator)'

# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (uid=Administrator)
# requesting: ALL
#

# Administrator, People, test.com
dn: uid=Administrator,ou=People,dc=test,dc=com
uid: Administrator
cn: Samba Admin
givenName: Samba
sn: Admin
mail: Administrator at test.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: Samba Admin

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Should this account have some Samba Domain info? What did I do wrong?

Here is a copy of the sambaAdmin.ldif I used:

dn: uid=Administrator,ou=People,dc=test,dc=com
uid: Administrator
cn: Samba Admin
givenName: Samba
sn: Admin
mail: Administrator at test.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword: {crypt}x
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: Samba Admin

And a copy of my smb.conf if it helps:

[global]
workgroup = DOMAIN
security = user
passdb backend = ldapsam:ldap://vandread.test.com
ldap admin dn = cn=Directory Manager
ldap suffix = dc=test,dc=com
ldap user suffix = ou=People
ldap machine suffix = ou=People
ldap group suffix = ou=Groups
log file = /var/log/samba/%m.log
log level = 3
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 33
domain logons = yes
domain master = yes
local master = yes
preferred master = yes
wins support = yes
logon home = \\%L\%u\profiles
logon path = \\%L\profiles\%u
logon drive = H:
template shell = /bin/false
winbind use default domain = no
winbind nested groups = no
enable privileges = yes

Thanks.

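Added example, not part of any poster's message and not Fedora DS project code: a Python parser for the replication-agreement error lines posted in the "Windows Active Directory sync" thread of this archive. It extracts the agreement name, target host and port, bind method and error codes, and attaches the checks Rich Megginson gives in his replies; the function names and hint wording are this example's own, and the log lines are copied from the thread.

```python
import re

# Error-log lines copied from the "Windows Active Directory sync" thread.
SAMPLE_LOG = """\
[09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)
[09/Jan/2008:16:00:12 -0500] - SSL alert: ldapssl_enable_clientauth(Server-Key, ds-server-cert) -1 (Netscape Portable Runtime error -5987 - Invalid function argument.)
[09/Jan/2008:16:00:13 -0500] NSMMReplicationPlugin - agmt="cn=AD Sync" (netsweep-41a75e:636): Replication bind with SSL client authentication failed: LDAP error -1 (Unknown error)
"""

# One replication/sync agreement event: timestamp, agreement, host:port, message.
AGMT_LINE = re.compile(
    r'^\[(?P<time>[^\]]+)\] NSMMReplicationPlugin - '
    r'agmt="(?P<agmt>[^"]+)" \((?P<host>[^:()\s]+):(?P<port>\d+)\): (?P<msg>.+)$'
)
# The SSL alert logged when the server tries to set up client-certificate auth.
CLIENTAUTH_ALERT = re.compile(
    r'^\[[^\]]+\] - SSL alert: ldapssl_enable_clientauth'
    r'\((?P<key>[^,]+), (?P<cert>[^)]+)\)'
)
LDAP_ERR = re.compile(r'LDAP (?:sdk )?error (-?\d+)')
NSPR_ERR = re.compile(r'Netscape Portable Runtime error (-?\d+)')

LDAPS_PORT = 636  # conventional LDAP-over-SSL port


def parse_agreement_line(line):
    """Return a dict for an agreement error line, or None for any other line."""
    m = AGMT_LINE.match(line.strip())
    if not m:
        return None
    msg = m.group('msg')
    if 'SSL client authentication' in msg:
        bind = 'ssl-client-auth'
    elif 'Simple bind' in msg:
        bind = 'simple'
    else:
        bind = 'unknown'
    ldap = LDAP_ERR.search(msg)
    nspr = NSPR_ERR.search(msg)
    return {
        'time': m.group('time'),
        'agreement': m.group('agmt'),
        'host': m.group('host'),
        'port': int(m.group('port')),
        'bind': bind,
        'ldap_error': int(ldap.group(1)) if ldap else None,
        'nspr_error': int(nspr.group(1)) if nspr else None,
        'client_cert': None,
    }


def hints(event):
    """Map a parsed event to the checks given in the thread's replies."""
    out = []
    if event['bind'] == 'ssl-client-auth':
        out.append('agreement binds with a client certificate; a simple bind '
                   '(bind DN and password) over TLS/SSL is enough for sync')
    if event['ldap_error'] == 91:
        if event['port'] == LDAPS_PORT:
            out.append('error 91 on the secure port: confirm the agreement is '
                       'set to use SSL, then test TLS with ldapsearch -Z')
        else:
            out.append('error 91: connection problem; check host, port, firewall')
    if event['nspr_error'] is not None:
        out.append('NSPR error %d accompanies the failure' % event['nspr_error'])
    return out


def triage(log_text):
    """Parse an error log and return agreement events with hints attached."""
    events, pending_cert = [], None
    for line in log_text.splitlines():
        alert = CLIENTAUTH_ALERT.match(line)
        if alert:
            # Remember which certificate nickname the server tried to present.
            pending_cert = alert.group('cert')
            continue
        event = parse_agreement_line(line)
        if event is None:
            continue
        if event['bind'] == 'ssl-client-auth':
            event['client_cert'] = pending_cert
        pending_cert = None
        event['hints'] = hints(event)
        events.append(event)
    return events


if __name__ == '__main__':
    for ev in triage(SAMPLE_LOG):
        print(ev['time'], ev['agreement'], '%s:%d' % (ev['host'], ev['port']),
              ev['bind'], ev['ldap_error'], ev['nspr_error'], ev['client_cert'])
        for h in ev['hints']:
            print('   -', h)
```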
From kirankmadala at hotmail.com Wed Jan 9 21:03:18 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Wed, 9 Jan 2008 17:03:18 -0400
Subject: [Fedora-directory-users] Windows Active Directory sync Help!
In-Reply-To: <478515E5.10406@redhat.com>
References: <478509C5.1090804@redhat.com> <47850DF2.3000700@redhat.com> <478515E5.10406@redhat.com>
Message-ID:

I keep getting these errors when trying to initiate sync

[09/Jan/2008:16:00:12 -0500] - SSL alert: ldapssl_enable_clientauth(Server-Key, ds-server-cert) -1 (Netscape Portable Runtime error -5987 - Invalid function argument.)
[09/Jan/2008:16:00:13 -0500] NSMMReplicationPlugin - agmt="cn=AD Sync" (netsweep-41a75e:636): Replication bind with SSL client authentication failed: LDAP error -1 (Unknown error)

The LDAP search is not installed on my machine so I could not do a search

From pub at cloatre.com Wed Jan 9 21:06:59 2008
From: pub at cloatre.com (Yann Cloatre)
Date: Wed, 9 Jan 2008 16:06:59 -0500
Subject: [Fedora-directory-users] Error -8127 with hardware acceleration/Token
Message-ID: <7273b1170801091306p1a30a760s9a93ce283437df7f@mail.gmail.com>

Hello all,

I use DS Fedora LDAP on Solaris 9. I try to use a crypto accelerator 4000 board (SUN) with Fedora. (FYI; http://www.sun.com/products/networking/sslaccel/suncryptoaccel4000/index.xml )

I've a certificate store on the board, with a certificates inside. User is define on the board to access this certificate store.

I patched Fedora with a modified script from SUN to enabled this certificate store in Sun One server. It's work and I can see 3 certificates store in the window "Manage Certificate" :

- Internal (Software)
- Acceleration only (Sun Doc don't selected this one, FYI http://docs.sun.com/app/docs/coll/crypto-accel4000 mine is 1.1 for Solaris 9)
- MYCERTIFICATESTORE

In GUI, each time Fedora need to access inside MYCERTIFICATESTORE, ask me a password. It's the password define in the accelerator board. So, I enter in the password box ; "user:password" and Fedora display the related information.

So everything is ok, I can enable encryption and select my certificate in MYCERTIFICATESTORE for LDAPs.

But, when I try to restart Fedora ;

[09/Jan/2008:19:34:55 +0000] - SSL alert: Security Initialization: Unable to find slot (Netscape Portable Runtime error -8127 - The security card or token does not exist, needs to be initialized, or has been removed.)
[09/Jan/2008:19:34:55 +0000] - ERROR: SSL Initialization Failed

I try to define password in the slapd-servname-pin.txt in alias directory with a format like ;

Internal (Software) Token:password
MYCERTIFICATESTORE:ldap-admin:password0

But nothing, impossible to restart.
Perhaps, the problem is related to the password format (ldap-admin:password0), but I must provide username and password to Fedora if the application want access the token.

It's work well in GUI interface and I don't understand why Fedora seems to not find my token at startup ?

Help appreciate.

Thank you.

From kirankmadala at hotmail.com Wed Jan 9 21:23:14 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Wed, 9 Jan 2008 17:23:14 -0400
Subject: [Fedora-directory-users] Windows Active Directory sync Help!
In-Reply-To:
References: <478509C5.1090804@redhat.com> <47850DF2.3000700@redhat.com> <478515E5.10406@redhat.com>
Message-ID:

Also the console give me this error when I click on manage certificates on the DS server and never opens up. It works fine on AS server

Exception during event dispatch:
java.lang.NullPointerException
   at com.netscape.management.client.security.CertificateDialog.(Unknown Source)
   at com.netscape.management.client.security.CertificateDialog.(Unknown Source)
   at com.netscape.admin.dirserv.task.KeyCert.run(Unknown Source)
   at com.netscape.management.client.TaskModel.actionObjectRun(Unknown Source)
   at com.netscape.management.client.TaskPage$TaskList$ButtonMouseListener.mouseClicked(Unknown Source)
   at java.awt.AWTEventMulticaster.mouseClicked(libgcj.so.7rh)
   at java.awt.Component.processMouseEvent(libgcj.so.7rh)
   at java.awt.Component.processEvent(libgcj.so.7rh)
   at java.awt.Container.processEvent(libgcj.so.7rh)
   at java.awt.Component.dispatchEventImpl(libgcj.so.7rh)
   at java.awt.Container.dispatchEventImpl(libgcj.so.7rh)
   at java.awt.Component.dispatchEvent(libgcj.so.7rh)
   at java.awt.LightweightDispatcher.handleMouseEvent(libgcj.so.7rh)
   at java.awt.LightweightDispatcher.dispatchEvent(libgcj.so.7rh)
   at java.awt.Container.dispatchEventImpl(libgcj.so.7rh)
   at java.awt.Window.dispatchEventImpl(libgcj.so.7rh)
   at java.awt.Component.dispatchEvent(libgcj.so.7rh)
   at java.awt.EventQueue.dispatchEvent(libgcj.so.7rh)
   at java.awt.EventDispatchThread.run(libgcj.so.7rh)
Exception in thread "http://248.8.168.192.in-addr.arpa.dev:9830/" java.lang.NullPointerException
   at com.netscape.management.client.comm.HttpChannel.run(Unknown Source)
   at java.lang.Thread.run(libgcj.so.7rh)
Exception in thread "http://248.8.168.192.in-addr.arpa.dev:9830/" java.lang.NullPointerException
   at com.netscape.management.client.comm.HttpChannel.run(Unknown Source)
   at java.lang.Thread.run(libgcj.so.7rh)

From kmarsh at gdrs.com Wed Jan 9 21:39:07 2008
From: kmarsh at gdrs.com (Ken Marsh)
Date: Wed, 9 Jan 2008 16:39:07 -0500
Subject: [Fedora-directory-users] Admin server startup errors 1.0.4-1 on RHEWS3
In-Reply-To: <20080109170006.D7DDC73431@hormel.redhat.com>
References: <20080109170006.D7DDC73431@hormel.redhat.com>
Message-ID: <5AD9B0E562FEFB4E933861904D7135C56888FC@gdrs-exchange.gdrs.com>

Rich,

Thanks for all your effort. I always chose "2", some customization, for all install efforts. Should I be choosing 3? No errors were logged anywhere, on either server, only the message from ./setup/setup that the Admin hadn't started.

I also got to the point where the new server was recognized by the old server's admin, but when I tried to manage it, I just got an error that a .jar couldn't be downloaded.

-Ken.

From kmarsh at gdrs.com Wed Jan 9 22:07:10 2008
From: kmarsh at gdrs.com (Ken Marsh)
Date: Wed, 9 Jan 2008 17:07:10 -0500
Subject: [Fedora-directory-users] Setting up Multi-Master replication between 7.1 and 1.0.1-4
Message-ID: <5AD9B0E562FEFB4E933861904D7135C56888FE@gdrs-exchange.gdrs.com>

Hello,

Thank you everyone for your patience.
I was able to get 1.0.1-4 up and running with Admin working on ES5/64 bit by simply saying "No" to one of the questions about my 7.1 DS:

Fedora configuration directory server? [No]:

Saying "yes" to this question and entering my 7.1 DS data, causes the config of the 1.0.1-4 Admin server to fail.

The next question, I can answer No or Yes, so I used Yes.

Do you want to use another directory to store your data? [Yes]:

So now I have a working DS with Admin, I'd like to set up Multi-Master. Using my 7.1 DS as host 1, I tried:

/usr/local/src/mmr.pl --host1 server1.company.com --host2 server2.company.com --host1_id 1 --host2_id 2 --bindpw 'xxxx' --repmanpw 'xxxx' --create

adding to string.gdrs.com -> cn=changelog5,cn=config
adding to string.gdrs.com -> cn=repman,cn=config
adding to string.gdrs.com -> cn=replica,cn="dc=company,dc=com",cn=mapping tree,cn=config
adding to ansb16.gdrs.com -> cn=changelog5,cn=config
adding to ansb16.gdrs.com -> cn=repman,cn=config
adding to ansb16.gdrs.com -> cn=replica,cn="dc=company,dc=com",cn=mapping tree,cn=config
failed to add replica entry: No such object at /usr/local/src/mmr.pl line 313, line 339.

I tailed the error logs of both files as directed. Neither logged anything through the failure.

I have some questions:

Am I setting the Repository Manager password, or using it? If so, what is it? I have all my notes on the 7.1 install and don't recall that role being set up and passworded. Is it the same, or called something else?

Also, any clues as to the failure? I have (I think) PERL::ldap installed.

Besides that, how do I get one Admin to manage the other DS, given that I didn't allow the script to try?

-Ken.

From kirankmadala at hotmail.com Wed Jan 9 22:52:23 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Wed, 9 Jan 2008 18:52:23 -0400
Subject: [Fedora-directory-users] Windows Active Directory sync Help!
In-Reply-To:
References: <478509C5.1090804@redhat.com> <47850DF2.3000700@redhat.com> <478515E5.10406@redhat.com>
Message-ID:

I have a few more questions

There are 2 different ways to create and import certificates described in the document http://www.redhat.com/docs/manuals/dir-server/ag/8.0/index.html and described in fedora documentation using certutil which one should I be using.

The cacert.asc should be in the configuration folders of both DS and AS server? I don't have it in neither of them now because I installed the CA from the console.

The purpose of doing this is to get the groups and users information from Active Directory and store in our own database through Fedora DS. Is This possible? by editing script or anyways?

Thank you.

----------------------------------------
> From: kirankmadala at hotmail.com
> To: fedora-directory-users at redhat.com
> Subject: RE: [Fedora-directory-users] Windows Active Directory sync Help!
> Date: Wed, 9 Jan 2008 17:23:14 -0400
>
> Also the console gives me this error when I click on manage certificates on the DS server and never opens up.
> It works fine on AS server
>
> Exception during event dispatch:
> java.lang.NullPointerException
>    at com.netscape.management.client.security.CertificateDialog.(Unknown Source)
>    at com.netscape.management.client.security.CertificateDialog.(Unknown Source)
>    at com.netscape.admin.dirserv.task.KeyCert.run(Unknown Source)
>    at com.netscape.management.client.TaskModel.actionObjectRun(Unknown Source)
>    at com.netscape.management.client.TaskPage$TaskList$ButtonMouseListener.mouseClicked(Unknown Source)
>    at java.awt.AWTEventMulticaster.mouseClicked(libgcj.so.7rh)
>    at java.awt.Component.processMouseEvent(libgcj.so.7rh)
>    at java.awt.Component.processEvent(libgcj.so.7rh)
>    at java.awt.Container.processEvent(libgcj.so.7rh)
>    at java.awt.Component.dispatchEventImpl(libgcj.so.7rh)
>    at java.awt.Container.dispatchEventImpl(libgcj.so.7rh)
>    at java.awt.Component.dispatchEvent(libgcj.so.7rh)
>    at java.awt.LightweightDispatcher.handleMouseEvent(libgcj.so.7rh)
>    at java.awt.LightweightDispatcher.dispatchEvent(libgcj.so.7rh)
>    at java.awt.Container.dispatchEventImpl(libgcj.so.7rh)
>    at java.awt.Window.dispatchEventImpl(libgcj.so.7rh)
>    at java.awt.Component.dispatchEvent(libgcj.so.7rh)
>    at java.awt.EventQueue.dispatchEvent(libgcj.so.7rh)
>    at java.awt.EventDispatchThread.run(libgcj.so.7rh)
> Exception in thread "http://248.8.168.192.in-addr.arpa.dev:9830/" java.lang.NullPointerException
>    at com.netscape.management.client.comm.HttpChannel.run(Unknown Source)
>    at java.lang.Thread.run(libgcj.so.7rh)
> Exception in thread "http://248.8.168.192.in-addr.arpa.dev:9830/" java.lang.NullPointerException
>    at com.netscape.management.client.comm.HttpChannel.run(Unknown Source)
>    at java.lang.Thread.run(libgcj.so.7rh)
>
> ----------------------------------------
>> From: kirankmadala at hotmail.com
>> To: fedora-directory-users at redhat.com
>> Subject: RE: [Fedora-directory-users] Windows Active Directory sync Help!
>> Date: Wed, 9 Jan 2008 17:03:18 -0400
>>
>> I keep getting these errors when trying to initiate sync
>>
>> [09/Jan/2008:16:00:12 -0500] - SSL alert: ldapssl_enable_clientauth(Server-Key, ds-server-cert) -1 (Netscape Portable Runtime error -5987 - Invalid function argument.)
>> [09/Jan/2008:16:00:13 -0500] NSMMReplicationPlugin - agmt="cn=AD Sync" (netsweep-41a75e:636): Replication bind with SSL client authentication failed: LDAP error -1 (Unknown error)
>>
>> The LDAP search is not installed on my machine so I could not do a search
>> ----------------------------------------
>>> Date: Wed, 9 Jan 2008 11:43:49 -0700
>>> From: rmeggins at redhat.com
>>> To: fedora-directory-users at redhat.com
>>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>>
>>> kiran madala wrote:
>>>> Sorry here is the error log for DS server
>>>>
>>>> [09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)
>>>>
>>>> It cannot connect to AD. I imported the CA certificate into the Installation folder of the console in the windows xp machine.
>>>>
>>> Did you configure the agreement to use SSL? Error 91 means some sort of
>>> connection problem, or invalid argument to the LDAP API e.g. you are
>>> attempting to use LDAP on the secure port instead of LDAPS.
>>>
>>> You can verify that TLS/SSL is working by using ldapsearch from the
>>> command line. On the directory server machine:
>>> /usr/lib/mozldap/ldapsearch -h ADhostname -p 638 -Z -P
>>> /etc/dirsrv/slapd-instancename -s base -b "" "objectclass=*"
>>>
>>> Or use /usr/lib64/mozldap/ldapsearch on a 64bit system.
>>>>
>>>> ----------------------------------------
>>>>> Date: Wed, 9 Jan 2008 11:09:54 -0700
>>>>> From: rmeggins at redhat.com
>>>>> To: fedora-directory-users at redhat.com
>>>>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>>
>>>>> kiran madala wrote:
>>>>>> I am using Fedora 1.1 on Fedora 6 x86 machine. When I fill in the entries and click next a message pops up saying "Unable to connet to Active Directory server, continue?". Also in the domain controller host field can I specify the IP address of the machine?.
>>>>>>
>>>>>> The error log for DS server is below. The IP is the windows xp machine on which I am running the remote DS console.
>>>>>>
>>>>>> [Wed Jan 09 09:15:08 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
>>>>>>
>>>>> Actually, this is the error log for the admin server. The error log for
>>>>> the directory server is in /var/log/dirsrv/slapd-INSTANCE where instance
>>>>> is your instance name.
>>>>>
>>>>> The console might be failing to connect to AD because the console has a
>>>>> separate key/cert db under ~/.fedora-idm-console (in 1.1). You may need
>>>>> to add the CA cert in this directory too:
>>>>>
>>>>> certutil -A -d ~/.fedora-idm-console -n "CA certificate" -t "CT,," -a -i /path/to/cacert.asc
>>>>>
>>>>>> ----------------------------------------
>>>>>>> Date: Wed, 9 Jan 2008 10:52:05 -0700
>>>>>>> From: rmeggins at redhat.com
>>>>>>> To: fedora-directory-users at redhat.com
>>>>>>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>>>>
>>>>>>> kiran madala wrote:
>>>>>>>> As far I understand by reading docs again that the user specified in the Sync agreement and Bind DN should be same and exist on Active directory with Domain Admin privileges. But I have other issues now.
>>>>>>>>
>>>>>>>> The DS server is unable to connect to my AD.
>>>>>>>>
>>>>>>> What error messages are you getting? Check the error log.
>>>>>>>
>>>>>>> You can also try using ldapsearch. Are you using Fedora DS 1.1 or
>>>>>>> 1.0.4? What OS?
>>>>>>>
>>>>>>>> I enabled SSL by copying the same root certificate into AD and also generating a server certificate and opened up ports in firewall. Am I missing something like allowing client Authentication on the AD machine?
>>>>>>>>
>>>>>>> You don't need to use cert based client auth. You can use regular
>>>>>>> username/password auth over TLS/SSL.
>>>>>>>
>>>>>>>> My current certificates are as follows.
>>>>>>>>
>>>>>>>> DS has its own server certificate
>>>>>>>> AD has its own server certificate
>>>>>>>> ALL 3 servers AS,DS and AD have the same CA root certificate
>>>>>>>>
>>>>>>>> ----------------------------------------
>>>>>>>>> From: kirankmadala at hotmail.com
>>>>>>>>> To: fedora-directory-users at redhat.com
>>>>>>>>> Date: Wed, 9 Jan 2008 10:35:00 -0400
>>>>>>>>> Subject: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I am trying to sync the DS with AD. Since I am new to AD and DS I have few questions.
>>>>>>>>>
>>>>>>>>> I want to synchronize only users and groups so Is it necessary to enable SSL on Active Directory and connect to Active directory through SSL?
>>>>>>>>>
>>>>>>>>> In the replica settings the supplier DN user need to be on both AD and DS with should be a Domain admin of the AD?
>>>>>>>>>
>>>>>>>>> When trying to synchronize with AD the bind DN (In screen shot) user should be in both AD and DS?
>>>>>>>>>
>>>>>>>>> I have attached the screen shot of my final DS agreement window. I believe currently it is defined to synchronize users what changes I need to make it synchronize groups as well.
>>>>>>>>>
>>>>>>>>> Thanks in advance

From ulf.weltman at hp.com Wed Jan 9 22:57:16 2008
From: ulf.weltman at hp.com (Ulf Weltman)
Date: Wed, 09 Jan 2008 14:57:16 -0800
Subject: [Fedora-directory-users] Setting up Multi-Master replication between 7.1 and 1.0.1-4
In-Reply-To: <5AD9B0E562FEFB4E933861904D7135C56888FE@gdrs-exchange.gdrs.com>
References: <5AD9B0E562FEFB4E933861904D7135C56888FE@gdrs-exchange.gdrs.com>
Message-ID: <4785514C.4070101@hp.com>

Ken Marsh wrote:
> Hello,
>
> Thank you everyone for your patience. I was able to get 1.0.1-4 up and
> running with Admin working on ES5/64 bit by simply saying "No" to one
> of the questions about my 7.1 DS:
>
> Fedora configuration directory server? [No]:
>
> Saying "yes" to this question and entering my 7.1 DS data, causes the
> config of the 1.0.1-4 Admin server to fail.
>
> The next question, I can answer No or Yes, so I used Yes.
>
> Do you want to use another directory to store your data? [Yes]:
>
> So now I have a working DS with Admin, I'd like to set up
> Multi-Master.
> Using my 7.1 DS as host 1, I tried:
>
> /usr/local/src/mmr.pl --host1 server1.company.com --host2
> server2.company.com --host1_id 1 --host2_id 2 --bindpw 'xxxx'
> --repmanpw 'xxxx' --create
>
> adding to string.gdrs.com -> cn=changelog5,cn=config
> adding to string.gdrs.com -> cn=repman,cn=config
> adding to string.gdrs.com ->
> cn=replica,cn="dc=company,dc=com",cn=mapping tree,cn=config
> adding to ansb16.gdrs.com -> cn=changelog5,cn=config
> adding to ansb16.gdrs.com -> cn=repman,cn=config
> adding to ansb16.gdrs.com ->
> cn=replica,cn="dc=company,dc=com",cn=mapping tree,cn=config
> failed to add replica entry: No such object at /usr/local/src/mmr.pl
> line 313, line 339.

Unless the script isn't reporting an operation between the error and the previous line, it is probably telling you that the entry cn="dc=company,dc=com",cn=mapping tree,cn=config doesn't exist. Check your 7.1 server's dse.ldif file, it could be something like cn="dc=company, dc=com",cn=mapping tree,cn=config where the extra space is actually significant because it's within a value, not separating DN components.

> I tailed the error logs of both files as directed. Neither logged
> anything through the failure.
>
> I have some questions:
>
> Am I setting the Repository Manager password, or using it? If so, what
> is it? I have all my notes on the 7.1 install and don't recall that
> role being set up and passworded. Is it the same, or called something
> else?

I'm not familiar with the script but the replication manager entry is usually a normal person entry (with a userPassword) which gains a special role by its DN being specified in a replica configuration. Replication agreements use this identity to bind to peer replicas and send special extended operations to initiate replication sessions.

> Also, any clues as to the failure? I have (I think) PERL::ldap installed.
>
> Besides that, how do I get one Admin to manage the other DS, given
> that I didn't allow the script to try?
>
> -Ken.

From rmeggins at redhat.com Thu Jan 10 01:25:47 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 09 Jan 2008 18:25:47 -0700
Subject: [Fedora-directory-users] Windows Active Directory sync Help!
In-Reply-To:
References: <478509C5.1090804@redhat.com> <47850DF2.3000700@redhat.com> <478515E5.10406@redhat.com>
Message-ID: <4785741B.5040204@redhat.com>

kiran madala wrote:
> I keep getting these errors when trying to initiate sync
>
> [09/Jan/2008:16:00:12 -0500] - SSL alert: ldapssl_enable_clientauth(Server-Key, ds-server-cert) -1 (Netscape Portable Runtime error -5987 - Invalid function argument.)
> [09/Jan/2008:16:00:13 -0500] NSMMReplicationPlugin - agmt="cn=AD Sync" (netsweep-41a75e:636): Replication bind with SSL client authentication failed: LDAP error -1 (Unknown error)

You have configured it to use SSL Client Auth. You should disable this and just use TLS/SSL with simple username/password bind.

> The LDAP search is not installed on my machine so I could not do a search

yum install mozldap-tools

From rmeggins at redhat.com Thu Jan 10 01:28:30 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 09 Jan 2008 18:28:30 -0700
Subject: [Fedora-directory-users] Admin server startup errors 1.0.4-1 on RHEWS3
In-Reply-To: <5AD9B0E562FEFB4E933861904D7135C56888FC@gdrs-exchange.gdrs.com>
References: <20080109170006.D7DDC73431@hormel.redhat.com> <5AD9B0E562FEFB4E933861904D7135C56888FC@gdrs-exchange.gdrs.com>
Message-ID: <478574BE.6080300@redhat.com>

Ken Marsh wrote:
> Rich,
>
> Thanks for all your effort.
>
> I always chose "2", some customization, for all install efforts. Should
> I be choosing 3?

If it seems to have problems if you use 2, then use 3.

> No errors were logged anywhere, on either server, only the message from
> ./setup/setup that the Admin hadn't started.

Fedora DS 1.0.4 setup error logging is just bad. Fedora DS 1.1 is much, much better, and it's all in perl so if you are a perl hacker you can easily figure out what's going on.

> I also got to the point where the new server was recognized by the old
> server's admin, but when I tried to manage it, I just got an error that
> a .jar couldn't be downloaded.

What was the exact error? You can use startconsole -D to get more information.
> -Ken.

From rmeggins at redhat.com Thu Jan 10 01:31:40 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 09 Jan 2008 18:31:40 -0700
Subject: [Fedora-directory-users] Windows Active Directory sync Help!
In-Reply-To:
References: <478509C5.1090804@redhat.com> <47850DF2.3000700@redhat.com> <478515E5.10406@redhat.com>
Message-ID: <4785757C.3040004@redhat.com>

kiran madala wrote:
> I have a few more questions
>
> There are 2 different ways to create and import certificates described in the document http://www.redhat.com/docs/manuals/dir-server/ag/8.0/index.html and described in fedora documentation using certutil which one should I be using.

Use the console if you can, otherwise use the command line tools. The console really assumes you are in an enterprise environment which has a real CA, which you can actually submit cert requests to and receive certs from.

> The cacert.asc should be in the configuration folders of both DS and AS server? I don't have it in neither of them now because I installed the CA from the console.

You can export the CA cert from the cert db using the console I think, and definitely using the command line.
http://directory.fedoraproject.org/wiki/Howto:SSL#Export_the_CA_cert

> The purpose of doing this is to get the groups and users information from Active Directory and store in our own database through Fedora DS. Is This possible? by editing script or anyways?

You do not have to use TLS/SSL with windows sync - only if you will be using the password sync component.

> Thank you.

From rmeggins at redhat.com Thu Jan 10 01:33:47 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 09 Jan 2008 18:33:47 -0700
Subject: [Fedora-directory-users] Windows Active Directory sync Help!
In-Reply-To:
References: <478509C5.1090804@redhat.com> <47850DF2.3000700@redhat.com> <478515E5.10406@redhat.com>
Message-ID: <478575FB.9000504@redhat.com>

kiran madala wrote:
> Also the console gives me this error when I click on manage certificates on the DS server and never opens up.
> It works fine on AS server
>
Looks like a bug. Are you using the IcedTea java on Fedora 8?
> Exception during event dispatch:
> java.lang.NullPointerException
>    at com.netscape.management.client.security.CertificateDialog.(Unknown Source)
>    at com.netscape.management.client.security.CertificateDialog.(Unknown Source)
>    at com.netscape.admin.dirserv.task.KeyCert.run(Unknown Source)
>    at com.netscape.management.client.TaskModel.actionObjectRun(Unknown Source)
>    at com.netscape.management.client.TaskPage$TaskList$ButtonMouseListener.mouseClicked(Unknown Source)
>    at java.awt.AWTEventMulticaster.mouseClicked(libgcj.so.7rh)
>    at java.awt.Component.processMouseEvent(libgcj.so.7rh)
>    at java.awt.Component.processEvent(libgcj.so.7rh)
>    at java.awt.Container.processEvent(libgcj.so.7rh)
>    at java.awt.Component.dispatchEventImpl(libgcj.so.7rh)
>    at java.awt.Container.dispatchEventImpl(libgcj.so.7rh)
>    at java.awt.Component.dispatchEvent(libgcj.so.7rh)
>    at java.awt.LightweightDispatcher.handleMouseEvent(libgcj.so.7rh)
>    at java.awt.LightweightDispatcher.dispatchEvent(libgcj.so.7rh)
>    at java.awt.Container.dispatchEventImpl(libgcj.so.7rh)
>    at java.awt.Window.dispatchEventImpl(libgcj.so.7rh)
>    at java.awt.Component.dispatchEvent(libgcj.so.7rh)
>    at java.awt.EventQueue.dispatchEvent(libgcj.so.7rh)
>    at java.awt.EventDispatchThread.run(libgcj.so.7rh)
> Exception in thread "http://248.8.168.192.in-addr.arpa.dev:9830/" java.lang.NullPointerException
>    at com.netscape.management.client.comm.HttpChannel.run(Unknown Source)
>    at java.lang.Thread.run(libgcj.so.7rh)
> Exception in thread "http://248.8.168.192.in-addr.arpa.dev:9830/" java.lang.NullPointerException
>    at com.netscape.management.client.comm.HttpChannel.run(Unknown Source)
>    at java.lang.Thread.run(libgcj.so.7rh)
>
> ----------------------------------------
>
>> From: kirankmadala at hotmail.com
>> To: fedora-directory-users at redhat.com
>> Subject: RE: [Fedora-directory-users] Windows Active Directory sync Help!
>> Date: Wed, 9 Jan 2008 17:03:18 -0400
>>
>> I keep getting these errors when trying to initiate sync
>>
>> [09/Jan/2008:16:00:12 -0500] - SSL alert: ldapssl_enable_clientauth(Server-Key, ds-server-cert) -1 (Netscape Portable Runtime error -5987 - Invalid function argument.)
>> [09/Jan/2008:16:00:13 -0500] NSMMReplicationPlugin - agmt="cn=AD Sync" (netsweep-41a75e:636): Replication bind with SSL client authentication failed: LDAP error -1 (Unknown error)
>>
>> The LDAP search is not installed on my machine so I could not do a search
>> ----------------------------------------
>>
>>> Date: Wed, 9 Jan 2008 11:43:49 -0700
>>> From: rmeggins at redhat.com
>>> To: fedora-directory-users at redhat.com
>>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>>
>>> kiran madala wrote:
>>>
>>>> Sorry here is the error log for DS server
>>>>
>>>> [09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)
>>>>
>>>> It cannot connect to AD. I imported the CA certificate into the Installation folder of the console in the windows xp machine.
>>>>
>>> Did you configure the agreement to use SSL? Error 91 means some sort of
>>> connection problem, or invalid argument to the LDAP API e.g. you are
>>> attempting to use LDAP on the secure port instead of LDAPS.
>>>
>>> You can verify that TLS/SSL is working by using ldapsearch from the
>>> command line. On the directory server machine:
>>> /usr/lib/mozldap/ldapsearch -h ADhostname -p 638 -Z -P
>>> /etc/dirsrv/slapd-instancename -s base -b "" "objectclass=*"
>>>
>>> Or use /usr/lib64/mozldap/ldapsearch on a 64bit system.
>>>
>>>> ----------------------------------------
>>>>
>>>>> Date: Wed, 9 Jan 2008 11:09:54 -0700
>>>>> From: rmeggins at redhat.com
>>>>> To: fedora-directory-users at redhat.com
>>>>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>>
>>>>> kiran madala wrote:
>>>>>
>>>>>> I am using Fedora 1.1 on Fedora 6 x86 machine. When I fill in the entries and click next a message pops up saying "Unable to connet to Active Directory server, continue?". Also in the domain controller host field can I specify the IP address of the machine?
>>>>>>
>>>>>> The error log for DS server is below. The IP is the windows xp machine on which I am running the remote DS console.
>>>>>>
>>>>>> [Wed Jan 09 09:15:08 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
>>>>>>
>>>>> Actually, this is the error log for the admin server. The error log for
>>>>> the directory server is in /var/log/dirsrv/slapd-INSTANCE where instance
>>>>> is your instance name.
>>>>>
>>>>> The console might be failing to connect to AD because the console has a
>>>>> separate key/cert db under ~/.fedora-idm-console (in 1.1). You may need
>>>>> to add the CA cert in this directory too:
>>>>>
>>>>> certutil -A -d ~/.fedora-idm-console -n "CA certificate" -t "CT,," -a -i /path/to/cacert.asc
>>>>>
>>>>>> ----------------------------------------
>>>>>>
>>>>>>> Date: Wed, 9 Jan 2008 10:52:05 -0700
>>>>>>> From: rmeggins at redhat.com
>>>>>>> To: fedora-directory-users at redhat.com
>>>>>>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>>>>
>>>>>>> kiran madala wrote:
>>>>>>>
>>>>>>>> As far as I understand by reading docs again that the user specified in the Sync agreement and Bind DN should be same and exist on Active directory with Domain Admin privileges. But I have other issues now.
>>>>>>>>
>>>>>>>> The DS server is unable to connect to my AD.
>>>>>>>>
>>>>>>> What error messages are you getting? Check the error log.
>>>>>>>
>>>>>>> You can also try using ldapsearch. Are you using Fedora DS 1.1 or
>>>>>>> 1.0.4? What OS?
>>>>>>>
>>>>>>>> I enabled SSL by copying the same root certificate into AD and also generating a server certificate and opened up ports in firewall. Am I missing something like allowing client Authentication on the AD machine?
>>>>>>>>
>>>>>>> You don't need to use cert based client auth. You can use regular
>>>>>>> username/password auth over TLS/SSL.
>>>>>>>
>>>>>>>> My current certificates are as follows.
>>>>>>>>
>>>>>>>> DS has its own server certificate
>>>>>>>> AD has its own server certificate
>>>>>>>> ALL 3 servers AS,DS and AD have the same CA root certificate
>>>>>>>>
>>>>>>>> ----------------------------------------
>>>>>>>>
>>>>>>>>> From: kirankmadala at hotmail.com
>>>>>>>>> To: fedora-directory-users at redhat.com
>>>>>>>>> Date: Wed, 9 Jan 2008 10:35:00 -0400
>>>>>>>>> Subject: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I am trying to sync the DS with AD. Since I am new to AD and DS I have few questions.
>>>>>>>>>
>>>>>>>>> I want to synchronize only users and groups so Is it necessary to enable SSL on Active Directory and connect to Active directory through SSL?
>>>>>>>>>
>>>>>>>>> In the replica settings the supplier DN user need to be on both AD and DS with should be a Domain admin of the AD?
>>>>>>>>>
>>>>>>>>> When trying to synchronize with AD the bind DN (In screen shot) user should be in both AD and DS?
>>>>>>>>>
>>>>>>>>> I have attached the screen shot of my final DS agreement window. I believe currently it is defined to synchronize users what changes I need to make it synchronize groups as well.
>>>>>>>>>
>>>>>>>>> Thanks in advance

From rmeggins at redhat.com Thu Jan 10 01:35:29 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 09 Jan 2008 18:35:29 -0700
Subject: [Fedora-directory-users] Windows Syncronization inbound changes problem
In-Reply-To: <20080108145921.yg18imny80o0sccw@163.10.0.84>
References: <20080108145921.yg18imny80o0sccw@163.10.0.84>
Message-ID: <47857661.2080208@redhat.com>

Christian A. Rodriguez wrote:
> First of all I have to mention that Windows Users & Groups were
> created before Fedora Directory was installed, so when FDS was
> installed I started up with replicated windows users in FDS without
> passwords being synchronized. Therefore, the scenario is a Windows
> tree with users (with passwords) & groups and FDS with users and
> groups replicated without their passwords.
>
> I am trying to define a mechanism to reset every password in both
> directories so they begin to work synchronized.
>
> Doing some tests, I realized that a change made in Windows is
> replicated into FDS binding as the users subject of change, so as the
> entry doesn't have its password, the following lines are logged in
> FDS access log:
>
> [08/Jan/2008:15:51:35 -0300] conn=1033 op=0 BIND dn="uid=USERXXX,OU=People,ou=Active Directory,dc=example,dc=com" method=128 version=2
> [08/Jan/2008:15:51:35 -0300] conn=1033 op=0 RESULT err=49 tag=97 nentries=0 etime=0
> [08/Jan/2008:15:51:35 -0300] conn=1033 op=1 UNBIND
> [08/Jan/2008:15:51:35 -0300] conn=1033 op=1 fd=80 closed - U1
> [08/Jan/2008:15:51:35 -0300] conn=1032 op=2 RESULT err=50 tag=103 nentries=0 etime=0
> [08/Jan/2008:15:51:35 -0300] conn=1032 op=3 UNBIND
>
> I haven't found any documentation about inbound changes, specifically
> password change, being done as the same user subject of the change. Is
> this true?
Yes. That's how it verifies the new password is valid.
>
> Thanks in advance, and sorry for my bad English
>

From car at cespi.unlp.edu.ar Thu Jan 10 02:54:19 2008
From: car at cespi.unlp.edu.ar (Christian A. Rodriguez)
Date: Thu, 10 Jan 2008 00:54:19 -0200
Subject: [Fedora-directory-users] Windows Syncronization inbound changes problem
In-Reply-To: <47857661.2080208@redhat.com>
References: <20080108145921.yg18imny80o0sccw@163.10.0.84> <47857661.2080208@redhat.com>
Message-ID: <478588DB.5020003@cespi.unlp.edu.ar>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rich Megginson wrote:
> Christian A. Rodriguez wrote:
>> First of all I have to mention that Windows Users & Groups were
>> created before Fedora Directory was installed, so when FDS was
>> installed I started up with replicated windows users in FDS without
>> passwords being synchronized.
>> Therefore, the scenario is a Windows
>> tree with users (with passwords) & groups and FDS with users and
>> groups replicated without their passwords.
>>
>> I am trying to define a mechanism to reset every password in both
>> directories so they begin to work synchronized.
>>
>> Doing some tests, I realized that a change made in Windows is
>> replicated into FDS binding as the users subject of change, so as the
>> entry doesn't have its password, the following lines are logged in
>> FDS access log:
>>
>> [08/Jan/2008:15:51:35 -0300] conn=1033 op=0 BIND dn="uid=USERXXX,OU=People,ou=Active Directory,dc=example,dc=com" method=128 version=2
>> [08/Jan/2008:15:51:35 -0300] conn=1033 op=0 RESULT err=49 tag=97 nentries=0 etime=0
>> [08/Jan/2008:15:51:35 -0300] conn=1033 op=1 UNBIND
>> [08/Jan/2008:15:51:35 -0300] conn=1033 op=1 fd=80 closed - U1
>> [08/Jan/2008:15:51:35 -0300] conn=1032 op=2 RESULT err=50 tag=103 nentries=0 etime=0
>> [08/Jan/2008:15:51:35 -0300] conn=1032 op=3 UNBIND
>>
>> I haven't found any documentation about inbound changes, specifically
>> password change, being done as the same user subject of the change. Is
>> this true?
> Yes. That's how it verifies the new password is valid.

So, how can I do to define a procedure for initializing both directories?
Are there any tips?

Thanks

>>
>> Thanks in advance, and sorry for my bad English
>>

- --
Lic. Christian A. Rodriguez
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHhYjaLiwwyzG4Y1QRAp8YAJ4lJEr2/lFBEDIF5m2Ck6Z8tEd2UQCfVBUu
xen2FPcuKSep8a3xj5kfQf4=
=ji/K
-----END PGP SIGNATURE-----

From jyl087 at gmail.com Thu Jan 10 05:21:58 2008
From: jyl087 at gmail.com (Jim Y Li)
Date: Wed, 9 Jan 2008 21:21:58 -0800
Subject: [Fedora-directory-users] FDS replication client installation
Message-ID: <4672a0830801092121xc89ac2fk86d8a6d6287c6136@mail.gmail.com>

Sorry for the newbie question.

I've installed a master FDS server using setup-ds-admin.pl. I want to install a second server to act as secondary master (i.e. read-write also). Do I use setup-ds-admin.pl to install the 2nd machine? Or do I just use setup-ds.pl?

Does each machine have its own independent o=netscaperoot database, or do they share that too? I would guess that you'd want all of your servers to share one netscape root tree.

Is there a document that talks about how to do this?

Thanks in advance
/Jim

--
Halloo Communications - WebCall, Make Free Phone Calls - www.halloo.com

From useless at mail.bg Thu Jan 10 09:59:34 2008
From: useless at mail.bg (useless at mail.bg)
Date: Thu, 10 Jan 2008 11:59:34 +0200
Subject: [Fedora-directory-users] Fedora Directory Server 1.1 : Cannot log in the Managent Console
Message-ID: <20080110115934.fy70cycys0g88g4c@mail.bg>

Hello!

Several days ago I downloaded and installed Fedora Directory Server 1.1.
The problem is that I cannot log in the Management Console (fedora-idm-console) - every time when I try to log in it ( http://img181.imageshack.us/my.php?image=snapshot1bx4.png ), I get the following error:
http://img108.imageshack.us/my.php?image=snapshot2fi1.png
and I find the following messages in the /var/log/httpd dir:

/var/log/httpd/access_log :
127.0.0.1 - - [08/Jan/2008:19:45:26 +0200] "GET /admin-serv/authenticate HTTP/1.0" 400 294 "-" "Fedora-Management-Console/1.1.0"

/var/log/httpd/error_log :
[Tue Jan 08 19:45:26 2008] [error] [client 127.0.0.1] Client sent malformed Host header

The dirsrv, dirsrv-admin and httpd daemons are running. I have no problem with opening localhost:9830 and localhost:9830/admin-serv/authenticate in my browser.

Here are the settings that I entered during the install (setup-ds-admin.pl):
------------------------------------------------------
------------------------------------------------------
[08/01/07:23:14:17] - [Setup] Info This program will set up the Fedora Directory and Administration Servers.
It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
  - Press "Enter" to choose the default and go to the next screen
  - Type "Control-B" then "Enter" to go back to the previous screen
  - Type "Control-C" to cancel the setup program
[08/01/07:23:14:17] - [Setup] Info Would you like to continue with set up?
[08/01/07:23:14:20] - [Setup] Info yes
[08/01/07:23:14:20] - [Setup] Info BY SETTING UP AND USING THIS SOFTWARE YOU ARE CONSENTING TO BE BOUND BY AND ARE BECOMING A PARTY TO THE AGREEMENT FOUND IN THE LICENSE.TXT FILE. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, PLEASE DO NOT SET UP OR USE THIS SOFTWARE.
[08/01/07:23:14:20] - [Setup] Info Do you agree to the license terms?
[08/01/07:23:14:22] - [Setup] Info yes
[08/01/07:23:14:22] - [Setup] Info Your system has been scanned for potential problems, missing patches, etc.
The following output is a report of the items found that need to be addressed before running this software in a production environment.
Fedora Directory Server system tuning analysis version 10-AUGUST-2007.
NOTICE : System is i686-unknown-linux2.6.23.9-85.fc8 (1 processor).
WARNING: 503MB of physical memory is available on the system. 1024MB is recommended for best performance on large production system.
NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds (120 minutes). This may cause temporary server congestion from lost client connections.
WARNING: There are only 1024 file descriptors (hard limit) available, which limit the number of simultaneous connections.
WARNING: There are only 1024 file descriptors (soft limit) available, which limit the number of simultaneous connections.
[08/01/07:23:14:22] - [Setup] Info Would you like to continue?
[08/01/07:23:14:23] - [Setup] Info yes
[08/01/07:23:14:23] - [Setup] Info Choose a setup type:
   1. Express
      Allows you to quickly set up the servers using the most common options and pre-defined defaults. Useful for quick evaluation of the products.
   2. Typical
      Allows you to specify common defaults and options.
   3. Custom
      Allows you to specify more advanced options. This is recommended for experienced server administrators only.
To accept the default shown in brackets, press the Enter key.
[08/01/07:23:14:23] - [Setup] Info Choose a setup type
[08/01/07:23:14:25] - [Setup] Info 2
[08/01/07:23:14:25] - [Setup] Info Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form . Example: eros.example.com.
To accept the default shown in brackets, press the Enter key.
[08/01/07:23:14:25] - [Setup] Info Computer name
[08/01/07:23:14:26] - [Setup] Info localhost.localdomain
[08/01/07:23:14:26] - [Setup] Info The servers must run as a specific user in a specific group. It is strongly recommended that this user should have no privileges on the computer (i.e. a non-root user). The setup procedure will give this user/group some permissions in specific paths/files to perform server-specific operations.
If you have not yet created a user and group for the servers, create this user and group using your native operating system utilities.
[08/01/07:23:14:29] - [Setup] Info System User
[08/01/07:23:14:34] - [Setup] Info fdsuser
[08/01/07:23:14:34] - [Setup] Info System Group
[08/01/07:23:14:37] - [Setup] Info fdsuser
[08/01/07:23:14:37] - [Setup] Info Server information is stored in the configuration directory server. This information is used by the console and administration server to configure and manage your servers. If you have already set up a configuration directory server, you should register any servers you set up or create with the configuration server. To do so, the following information about the configuration server is required: the fully qualified host name of the form .(e.g. hostname.example.com), the port number (default 389), the suffix, the DN and password of a user having permission to write the configuration information, usually the configuration directory administrator, and if you are using security (TLS/SSL). If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port number (default 636) instead of the regular LDAP port number, and provide the CA certificate (in PEM/ASCII format).
If you do not yet have a configuration directory server, enter 'No' to be prompted to set up one.
[08/01/07:23:14:37] - [Setup] Info Do you want to register this software with an existing configuration directory server?
[08/01/07:23:14:39] - [Setup] Info no
[08/01/07:23:14:39] - [Setup] Info Please enter the administrator ID for the configuration directory server. This is the ID typically used to log in to the console. You will also be prompted for the password.
[08/01/07:23:14:39] - [Setup] Info Configuration directory server administrator ID
[08/01/07:23:14:40] - [Setup] Info admin
[08/01/07:23:14:40] - [Setup] Info Password
[08/01/07:23:14:44] - [Setup] Info Password (confirm)
[08/01/07:23:14:45] - [Setup] Info The information stored in the configuration directory server can be separated into different Administration Domains. If you are managing multiple software releases at the same time, or managing information about multiple domains, you may use the Administration Domain to keep them separate.
If you are not using administrative domains, press Enter to select the default. Otherwise, enter some descriptive, unique name for the administration domain, such as the name of the organization responsible for managing the domain.
[08/01/07:23:14:45] - [Setup] Info Administration Domain
[08/01/07:23:14:46] - [Setup] Info localdomain
[08/01/07:23:14:46] - [Setup] Info The standard directory server network port number is 389. However, if you are not logged as the superuser, or port 389 is in use, the default value will be a random unused port number greater than 1024. If you want to use port 389, make sure that you are logged in as the superuser, that port 389 is not in use.
[08/01/07:23:14:46] - [Setup] Info Directory server network port
[08/01/07:23:14:47] - [Setup] Info 389
[08/01/07:23:14:47] - [Setup] Info Each instance of a directory server requires a unique identifier. This identifier is used to name the various instance specific files and directories in the file system, as well as for other uses as a server instance identifier.
[08/01/07:23:14:47] - [Setup] Info Directory server identifier
[08/01/07:23:14:48] - [Setup] Info localhost
[08/01/07:23:14:48] - [Setup] Info The suffix is the root of your directory tree. The suffix must be a valid DN. It is recommended that you use the dc=domaincomponent suffix convention. For example, if your domain is example.com, you should use dc=example,dc=com for your suffix. Setup will create this initial suffix for you, but you may have more than one suffix. Use the directory server utilities to create additional suffixes.
[08/01/07:23:14:48] - [Setup] Info Suffix
[08/01/07:23:14:52] - [Setup] Info dc=localdomain
[08/01/07:23:14:52] - [Setup] Info Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and typically has a bind Distinguished Name (DN) of cn=Directory Manager. You will also be prompted for the password for this user. The password must be at least 8 characters long, and contain no spaces.
[08/01/07:23:14:52] - [Setup] Info Directory Manager DN
[08/01/07:23:14:53] - [Setup] Info cn=Directory Manager
[08/01/07:23:14:53] - [Setup] Info Password
[08/01/07:23:15:02] - [Setup] Info Password (confirm)
[08/01/07:23:15:05] - [Setup] Info The Administration Server is separate from any of your web or application servers since it listens to a different port and access to it is restricted.
Pick a port number between 1024 and 65535 to run your Administration Server on. You should NOT use a port number which you plan to run a web or application server on, rather, select a number which you will remember and which will not be used for anything else.
[08/01/07:23:15:05] - [Setup] Info Administration port
[08/01/07:23:15:06] - [Setup] Info 9830
[08/01/07:23:15:06] - [Setup] Info The interactive phase is complete. The script will now set up your servers. Enter No or go Back if you want to change something.
[08/01/07:23:15:06] - [Setup] Info Are you ready to set up your servers?
[08/01/07:23:15:10] - [Setup] Info yes
[08/01/07:23:15:10] - [Setup] Info Creating directory server . . .
[08/01/07:23:15:13] - [Setup] Info Your new DS instance 'localhost' was successfully created.
[08/01/07:23:15:13] - [Setup] Info Creating the configuration directory server . . .
[08/01/07:23:15:15] - [Setup] Info Beginning Admin Server creation . . .
[08/01/07:23:15:15] - [Setup] Info Creating Admin Server files and directories . . .
[08/01/07:23:15:15] - [Setup] Info Updating adm.conf . . .
[08/01/07:23:15:15] - [Setup] Info Updating admpw . . .
[08/01/07:23:15:15] - [Setup] Info Registering admin server with the configuration directory server . . .
[08/01/07:23:15:15] - [Setup] Info Updating adm.conf with information from configuration directory server . . .
[08/01/07:23:15:15] - [Setup] Info Updating the configuration for the httpd engine . . .
[08/01/07:23:15:15] - [Setup] Info Starting admin server . . .
[08/01/07:23:15:16] - [Setup] Info The admin server was successfully started.
[08/01/07:23:15:16] - [Setup] Info Admin server was successfully created, configured, and started.
[08/01/07:23:15:16] - [Setup] Success Exiting . . .
Log file is '/tmp/setupIqi3Gn.log'
------------------------------------------------------
------------------------------------------------------
[General]
AdminDomain = localdomain
SuiteSpotGroup = fdsuser
ConfigDirectoryLdapURL = ldap://localhost.localdomain:389/o=NetscapeRoot
ConfigDirectoryAdminID = admin
SuiteSpotUserID = fdsuser
ConfigDirectoryAdminPwd =
FullMachineName = localhost.localdomain

[admin]
ServerAdminID = admin
ServerAdminPwd =
SysUser = fdsuser
Port = 9830

[slapd]
InstallLdifFile = suggest
ServerIdentifier = localhost
ServerPort = 389
AddOrgEntries = Yes
RootDN = cn=Directory Manager
RootDNPwd =
SlapdConfigForMC = yes
Suffix = dc=localdomain
UseExistingMC = 0
AddSampleEntries = No
------------------------------------------------------
------------------------------------------------------

Any ideas why I cannot log in the Management Console?

Thanks in advance!

From j.barber at dundee.ac.uk Thu Jan 10 10:01:52 2008
From: j.barber at dundee.ac.uk (Jonathan Barber)
Date: Thu, 10 Jan 2008 10:01:52 +0000
Subject: [Fedora-directory-users] Samba + FDS Problem adding Administrator account "Username not found"
In-Reply-To: <43806ba60801091208oa032379k90414833ee77275e@mail.gmail.com>
References: <43806ba60801091208oa032379k90414833ee77275e@mail.gmail.com>
Message-ID: <20080110100151.GB15404@flea.lifesci.dundee.ac.uk>

On Wed, Jan 09, 2008 at 03:08:59PM -0500, Gary Martin wrote:
> I am following the instructions in the Howto:Samba documentation on
> the FDS Wiki site. When I go to edit the Administrator account using
> the following command:

[snip]

> # Administrator, People, test.com
> dn: uid=Administrator,ou=People,dc=test,dc=com
> uid: Administrator
> cn: Samba Admin
> givenName: Samba
> sn: Admin
> mail: Administrator at test.com
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> loginShell: /bin/bash
> uidNumber: 0
> gidNumber: 0
> homeDirectory: /root
> gecos: Samba Admin

Did you add this user with smbpasswd? AFAIK it should have the
sambaSamAccount objectclass with the various attributes that samba
creates (which is dependent upon your version of samba).

The HOWTO specifies using the command:
$ smbpasswd -a Administrator -w

The ldap filter samba uses (3.0.25 at least) is of the form:
(&(uid=USERNAME)(objectClass=sambaSamAccount))

So if you haven't added the user via samba (or added the attributes
manually) the filter won't match and samba won't find the user.

Cheers.

> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> Should this account have some Samba Domain info? What did I do wrong?
> Here is a copy of the sambaAdmin.ldif I used:
>
> dn: uid=Administrator,ou=People,dc=test,dc=com
> uid: Administrator
> cn: Samba Admin
> givenName: Samba
> sn: Admin
> mail: Administrator at test.com
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> userPassword: {crypt}x
> loginShell: /bin/bash
> uidNumber: 0
> gidNumber: 0
> homeDirectory: /root
> gecos: Samba Admin
>
> And a copy of my smb.conf if it helps:
>
> [global]
> workgroup = DOMAIN
> security = user
> passdb backend = ldapsam:ldap://vandread.test.com
> ldap admin dn = cn=Directory Manager
> ldap suffix = dc=test,dc=com
> ldap user suffix = ou=People
> ldap machine suffix = ou=People
> ldap group suffix = ou=Groups
> log file = /var/log/samba/%m.log
> log level = 3
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> os level = 33
> domain logons = yes
> domain master = yes
> local master = yes
> preferred master = yes
> wins support = yes
> logon home = \\%L\%u\profiles
> logon path = \\%L\profiles\%u
> logon drive = H:
> template shell = /bin/false
> winbind use default domain = no
>
> winbind nested groups = no
> enable privileges = yes
>
> Thanks.

--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389

From gm4rtin at gmail.com Thu Jan 10 14:01:44 2008
From: gm4rtin at gmail.com (Gary Martin)
Date: Thu, 10 Jan 2008 09:01:44 -0500
Subject: [Fedora-directory-users] Samba + FDS Problem adding Administrator account "Username not found"
In-Reply-To: <20080110100151.GB15404@flea.lifesci.dundee.ac.uk>
References: <43806ba60801091208oa032379k90414833ee77275e@mail.gmail.com> <20080110100151.GB15404@flea.lifesci.dundee.ac.uk>
Message-ID: <43806ba60801100601p5b7df90br94547593dd7fcf5@mail.gmail.com>

On Jan 10, 2008 5:01 AM, Jonathan Barber wrote:
> On Wed, Jan 09, 2008 at 03:08:59PM -0500, Gary Martin wrote:
> > I am following the instructions in the Howto:Samba documentation on
> > the FDS Wiki site. When I go to edit the Administrator account using
> > the following command:
>
> [snip]
>
> > # Administrator, People, test.com
> > dn: uid=Administrator,ou=People,dc=test,dc=com
> > uid: Administrator
> > cn: Samba Admin
> > givenName: Samba
> > sn: Admin
> > mail: Administrator at test.com
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: inetOrgPerson
> > objectClass: posixAccount
> > objectClass: top
> > loginShell: /bin/bash
> > uidNumber: 0
> > gidNumber: 0
> > homeDirectory: /root
> > gecos: Samba Admin
>
> Did you add this user with smbpasswd?

Yes

> AFAIK it should have the
> sambaSamAccount objectclass with the various attributes that samba
> creates (which is dependent upon your version of samba).

I am using FC6 with Samba version 3.0.24-11.

>
> The HOWTO specifies using the command:
> $ smbpasswd -a Administrator -w

This is the command I used.

>
> The ldap filter samba uses (3.0.25 at least) is of the form:
> (&(uid=USERNAME)(objectClass=sambaSamAccount))
>
> So if you haven't added the user via samba (or added the attributes
> manually) the filter won't match and samba won't find the user.

How do I add these manually since samba did not do it for me.

>
> Cheers.
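
The filter Jonathan Barber quotes, evaluated offline against the entry posted in this thread; this is an added example, not code from the thread, Samba or Fedora DS. It goes slightly beyond the single case with a small evaluator for and/or/not, equality and presence filters; the function names, the case-insensitive value comparison and the constructed "fixed" entry (the posted entry plus only the sambaSamAccount object class, without the other attributes Samba writes) are assumptions of the example.

```python
import base64
import re

# Entry as returned by ldapsearch in the thread, trimmed to the relevant attributes.
POSTED_ENTRY = """\
dn: uid=Administrator,ou=People,dc=test,dc=com
uid: Administrator
cn: Samba Admin
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 0
gidNumber: 0
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute name: [values]}."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:      # RFC 2849 folded line
            logical[-1] += line[1:]
        elif line and not line.startswith("#"):
            logical.append(line)
    entry = {}
    for line in logical:
        name, _, value = line.partition(":")
        if value.startswith(":"):                 # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def escape_filter_value(value):
    """Escape RFC 4515 special characters so a name cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def samba_user_filter(username):
    """Build the filter form quoted in the thread for Samba 3.0.25."""
    return "(&(uid=%s)(objectClass=sambaSamAccount))" % escape_filter_value(username)


def _parse(s, i):
    """Recursive-descent parser for &, |, ! and equality/presence items."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        node = (op, kids)
    elif s[i] == "!":
        kid, i = _parse(s, i + 1)
        node = ("!", [kid])
    else:
        end = s.index(")", i)
        attr, sep, raw = s[i:end].partition("=")
        # Substring, ordering, approximate and extensible matches are out of scope.
        if not sep or not attr or attr[-1] in "<>~:" or ("*" in raw and raw != "*"):
            raise ValueError("unsupported filter item: %r" % s[i:end])
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
        node = ("present" if raw == "*" else "=", attr.strip().lower(), value)
        i = end
    if s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1


def parse_filter(text):
    """Parse a filter string into a nested tuple tree."""
    try:
        node, end = _parse(text.strip(), 0)
    except IndexError:
        raise ValueError("truncated filter: %r" % text)
    if end != len(text.strip()):
        raise ValueError("trailing data after filter: %r" % text)
    return node


def matches(node, entry):
    """Evaluate a parsed filter. Values compare case-insensitively, an assumption
    that holds for uid and objectClass, the attributes used here."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    values = entry.get(node[1], [])
    if op == "present":
        return bool(values)
    return any(v.lower() == node[2].lower() for v in values)


def samba_can_find(ldif_text, username):
    """True if the entry would be returned by the Samba user lookup filter."""
    return matches(parse_filter(samba_user_filter(username)), parse_ldif_entry(ldif_text))


if __name__ == "__main__":
    fixed = POSTED_ENTRY + "objectClass: sambaSamAccount\n"   # constructed variant
    print("posted entry found:  ", samba_can_find(POSTED_ENTRY, "Administrator"))
    print("with sambaSamAccount:", samba_can_find(fixed, "Administrator"))
```

The posted entry matches `(uid=Administrator)` but not the combined filter, which is why the account exists in the directory yet Samba reports the user as not found.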

From kirankmadala at hotmail.com Thu Jan 10 14:38:44 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Thu, 10 Jan 2008 10:38:44 -0400
Subject: [Fedora-directory-users] Windows Active Directory sync Help!
In-Reply-To: <478575FB.9000504@redhat.com>
References: <478509C5.1090804@redhat.com> <47850DF2.3000700@redhat.com> <478515E5.10406@redhat.com> <478575FB.9000504@redhat.com>
Message-ID:

I am using Java 1.4 on Fedora 6 with fedora ds1.1

----------------------------------------
> Date: Wed, 9 Jan 2008 18:33:47 -0700
> From: rmeggins at redhat.com
> To: fedora-directory-users at redhat.com
> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>
> kiran madala wrote:
>> Also the console give me this error when I click on manage certificates on the DS server and never opens up. It works fine on AS server
>>
> Looks like a bug. Are you using the IcedTea java on Fedora 8?
>> Exception during event dispatch:
>> java.lang.NullPointerException
>>    at com.netscape.management.client.security.CertificateDialog.(Unknown Source)
>>    at com.netscape.management.client.security.CertificateDialog.(Unknown Source)
>>    at com.netscape.admin.dirserv.task.KeyCert.run(Unknown Source)
>>    at com.netscape.management.client.TaskModel.actionObjectRun(Unknown Source)
>>    at com.netscape.management.client.TaskPage$TaskList$ButtonMouseListener.mouseClicked(Unknown Source)
>>    at java.awt.AWTEventMulticaster.mouseClicked(libgcj.so.7rh)
>>    at java.awt.Component.processMouseEvent(libgcj.so.7rh)
>>    at java.awt.Component.processEvent(libgcj.so.7rh)
>>    at java.awt.Container.processEvent(libgcj.so.7rh)
>>    at java.awt.Component.dispatchEventImpl(libgcj.so.7rh)
>>    at java.awt.Container.dispatchEventImpl(libgcj.so.7rh)
>>    at java.awt.Component.dispatchEvent(libgcj.so.7rh)
>>    at java.awt.LightweightDispatcher.handleMouseEvent(libgcj.so.7rh)
>>    at java.awt.LightweightDispatcher.dispatchEvent(libgcj.so.7rh)
>>    at java.awt.Container.dispatchEventImpl(libgcj.so.7rh)
>>    at java.awt.Window.dispatchEventImpl(libgcj.so.7rh)
>>    at java.awt.Component.dispatchEvent(libgcj.so.7rh)
>>    at java.awt.EventQueue.dispatchEvent(libgcj.so.7rh)
>>    at java.awt.EventDispatchThread.run(libgcj.so.7rh)
>> Exception in thread "http://248.8.168.192.in-addr.arpa.dev:9830/" java.lang.NullPointerException
>>    at com.netscape.management.client.comm.HttpChannel.run(Unknown Source)
>>    at java.lang.Thread.run(libgcj.so.7rh)
>> Exception in thread "http://248.8.168.192.in-addr.arpa.dev:9830/" java.lang.NullPointerException
>>    at com.netscape.management.client.comm.HttpChannel.run(Unknown Source)
>>    at java.lang.Thread.run(libgcj.so.7rh)
>>
>> ----------------------------------------
>>
>>> From: kirankmadala at hotmail.com
>>> To: fedora-directory-users at redhat.com
>>> Subject: RE: [Fedora-directory-users] Windows Active Directory sync Help!
>>> Date: Wed, 9 Jan 2008 17:03:18 -0400
>>>
>>> I keep getting these errors when trying to initiate sync
>>>
>>> [09/Jan/2008:16:00:12 -0500] - SSL alert: ldapssl_enable_clientauth(Server-Key, ds-server-cert) -1 (Netscape Portable Runtime error -5987 - Invalid function argument.)
>>> [09/Jan/2008:16:00:13 -0500] NSMMReplicationPlugin - agmt="cn=AD Sync" (netsweep-41a75e:636): Replication bind with SSL client authentication failed: LDAP error -1 (Unknown error)
>>>
>>> The LDAP search is not installed on my machine so i could not do a search
>>> ----------------------------------------
>>>
>>>> Date: Wed, 9 Jan 2008 11:43:49 -0700
>>>> From: rmeggins at redhat.com
>>>> To: fedora-directory-users at redhat.com
>>>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>
>>>> kiran madala wrote:
>>>>
>>>>> Sorry here is the error log for DS server
>>>>>
>>>>> [09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)
>>>>>
>>>>> It cannot connect to AD. I imported the CA certificate into the Installation folder of the console in the windows xp machine.
>>>>>
>>>> Did you configure the agreement to use SSL? Error 91 means some sort of
>>>> connection problem, or invalid argument to the LDAP API e.g. you are
>>>> attempting to use LDAP on the secure port instead of LDAPS.
>>>>
>>>> You can verify that TLS/SSL is working by using ldapsearch from the
>>>> command line. On the directory server machine:
>>>> /usr/lib/mozldap/ldapsearch -h ADhostname -p 638 -Z -P
>>>> /etc/dirsrv/slapd-instancename -s base -b "" "objectclass=*"
>>>>
>>>> Or use /usr/lib64/mozldap/ldapsearch on a 64bit system.
>>>>
>>>>> ----------------------------------------
>>>>>
>>>>>> Date: Wed, 9 Jan 2008 11:09:54 -0700
>>>>>> From: rmeggins at redhat.com
>>>>>> To: fedora-directory-users at redhat.com
>>>>>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>>>
>>>>>> kiran madala wrote:
>>>>>>
>>>>>>> I am using Fedora 1.1 on Fedora 6 x86 machine. When i fill in the entries and click next a message pops up saying "Unable to connet to Active Directory server, continue?". Also in the domain controller host field can I specify the IP address of the machine?.
>>>>>>>
>>>>>>> The error log for DS server is below. The IP is the windows xp machine on which I am running the remote DS console.
>>>>>>>
>>>>>>> [Wed Jan 09 09:15:08 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
>>>>>>>
>>>>>> Actually, this is the error log for the admin server. The error log for
>>>>>> the directory server is in /var/log/dirsrv/slapd-INSTANCE where instance
>>>>>> is your instance name.
>>>>>>
>>>>>> The console might be failing to connect to AD because the console has a
>>>>>> separate key/cert db under ~/.fedora-idm-console (in 1.1). You may need
>>>>>> to add the CA cert in this directory too:
>>>>>>
>>>>>> certutil -A -d ~/.fedora-idm-console -n "CA certificate" -t "CT,," -a -i /path/to/cacert.asc
>>>>>>
>>>>>>> ----------------------------------------
>>>>>>>
>>>>>>>> Date: Wed, 9 Jan 2008 10:52:05 -0700
>>>>>>>> From: rmeggins at redhat.com
>>>>>>>> To: fedora-directory-users at redhat.com
>>>>>>>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>>>>>
>>>>>>>> kiran madala wrote:
>>>>>>>>
>>>>>>>>> As far I understand by reading docs again that the user specified in the Sync agreement and Bind DN should be same and exist on Active directory with Domain Admin privileges. But I have other issues now.
>>>>>>>>>
>>>>>>>>> The DS server is unable to connect to my AD.
>>>>>>>>>
>>>>>>>> What error messages are you getting? Check the error log.
>>>>>>>>
>>>>>>>> You can also try using ldapsearch. Are you using Fedora DS 1.1 or
>>>>>>>> 1.0.4? What OS?
>>>>>>>>
>>>>>>>>> I enabled SSL by copying the same root certificate into AD and also generating a server certificate and opened up ports in firewall. Am I missing something like allowing client Authentication on the AD machine?
>>>>>>>>>
>>>>>>>> You don't need to use cert based client auth. You can use regular
>>>>>>>> username/password auth over TLS/SSL.
>>>>>>>>
>>>>>>>>> My current certificates are as follows.
>>>>>>>>>
>>>>>>>>> DS has its own server certificate
>>>>>>>>> AD has its own server certificate
>>>>>>>>> ALL 3 servers AS,DS and AD have the same CA root certificate
>>>>>>>>>
>>>>>>>>> ----------------------------------------
>>>>>>>>>
>>>>>>>>>> From: kirankmadala at hotmail.com
>>>>>>>>>> To: fedora-directory-users at redhat.com
>>>>>>>>>> Date: Wed, 9 Jan 2008 10:35:00 -0400
>>>>>>>>>> Subject: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> I am trying to sync the DS with AD. Since I am new to AD and DS I have few questions.
>>>>>>>>>>
>>>>>>>>>> I want to synchronize only users and groups so Is it necessary to enable SSL on Active Directory and connect to Active directory through SSL?
>>>>>>>>>>
>>>>>>>>>> In the replica settings the supplier DN user need to be on both AD and DS with should be a Domain admin of the AD?
>>>>>>>>>>
>>>>>>>>>> When trying to synchronize with AD the bind DN (In screen shot) user should be in both AD and DS?
>>>>>>>>>>
>>>>>>>>>> I have attached the screen shot of my final DS agreement window. I believe currently it is defined to synchronize users what changes I need to make it synchronize groups as well.
>>>>>>>>>>
>>>>>>>>>> Thanks in advance
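
The errors-log lines quoted in this thread, run through a small triage script that pulls out the agreement, target and error codes and attaches the checks Rich Megginson suggests in his replies; this is an added example, not code from the thread or from Fedora DS. The function names and the hint wording are assumptions of the example, and the sample log is copied from the messages above.

```python
import re

# Errors-log lines as quoted in the thread.
SAMPLE_LOG = """\
[09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)
[09/Jan/2008:16:00:12 -0500] - SSL alert: ldapssl_enable_clientauth(Server-Key, ds-server-cert) -1 (Netscape Portable Runtime error -5987 - Invalid function argument.)
[09/Jan/2008:16:00:13 -0500] NSMMReplicationPlugin - agmt="cn=AD Sync" (netsweep-41a75e:636): Replication bind with SSL client authentication failed: LDAP error -1 (Unknown error)
"""

AGMT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" '
    r'\((?P<host>[^:()]+):(?P<port>\d+)\): (?P<msg>.*)$')
LDAP_ERR_RE = re.compile(r'LDAP (?:sdk )?error (-?\d+)')
NSPR_ERR_RE = re.compile(r'Netscape Portable Runtime error (-?\d+)')


def parse_agreement_failures(log_text):
    """Return one dict per agreement failure line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = AGMT_RE.match(line.strip())
        if not m:
            continue                      # e.g. the standalone "SSL alert" line
        msg = m.group("msg")
        ldap = LDAP_ERR_RE.search(msg)
        nspr = NSPR_ERR_RE.search(msg)
        if "SSL client authentication" in msg:
            method = "ssl-client-auth"
        elif msg.startswith("Simple bind"):
            method = "simple"
        else:
            method = "unknown"
        events.append({
            "time": m.group("ts"),
            "agreement": m.group("agmt"),
            "host": m.group("host"),
            "port": int(m.group("port")),
            "bind_method": method,
            "ldap_error": int(ldap.group(1)) if ldap else None,
            "nspr_error": int(nspr.group(1)) if nspr else None,
        })
    return events


def hints(event):
    """Checks suggested in the thread for the failure seen in this event."""
    out = []
    if event["ldap_error"] == 91:
        out.append("error 91: connection problem, or plain LDAP sent to the "
                   "secure port; confirm the agreement is configured to use SSL")
    if event["bind_method"] == "ssl-client-auth":
        out.append("certificate client auth is not needed; "
                   "username/password bind over TLS/SSL is enough")
    return out


def summarize(log_text):
    """Group failures per agreement and target; agreement names differ only in
    case in the sample, so the key is lowercased."""
    groups = {}
    for ev in parse_agreement_failures(log_text):
        key = (ev["agreement"].lower(), ev["host"].lower(), ev["port"])
        group = groups.setdefault(key, {"events": [], "hints": []})
        group["events"].append(ev)
        for h in hints(ev):
            if h not in group["hints"]:
                group["hints"].append(h)
    return groups


if __name__ == "__main__":
    for (agmt, host, port), group in summarize(SAMPLE_LOG).items():
        print("%s -> %s:%d (%d failures)" % (agmt, host, port, len(group["events"])))
        for h in group["hints"]:
            print("  check:", h)
```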

From kirankmadala at hotmail.com Thu Jan 10 14:42:11 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Thu, 10 Jan 2008 10:42:11 -0400
Subject: [Fedora-directory-users] Windows Active Directory sync Help!
In-Reply-To: <4785757C.3040004@redhat.com>
References: <478509C5.1090804@redhat.com> <47850DF2.3000700@redhat.com> <478515E5.10406@redhat.com> <4785757C.3040004@redhat.com>
Message-ID:

Thank you the sync works fine.

My actual task is to store the AD users and groups in our company database through the fedora-ds. I was wondering if this is possible, Like

AD-->FDS-->Own database

IS this a possibility?. If it is then how would I do it?

----------------------------------------
> Date: Wed, 9 Jan 2008 18:31:40 -0700
> From: rmeggins at redhat.com
> To: fedora-directory-users at redhat.com
> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>
> kiran madala wrote:
>> I have few more questions
>>
>> There are 2 different ways to create and import certificates described in the document http://www.redhat.com/docs/manuals/dir-server/ag/8.0/index.html and described in fedora documentation using certutil which one should i be using.
>>
> Use the console if you can, otherwise use the command line tools. The
> console really assumes you are in an enterprise environment which has a
> real CA, which you can actually submit cert requests to and receive
> certs from.
>> The cacert.asc should be in the configuration folders of both DS and AS server? I don't have it in neither of them now because I installed the CA from the console.
>>
> You can export the CA cert from the cert db using the console I think,
> and definitely using the command line.
> http://directory.fedoraproject.org/wiki/Howto:SSL#Export_the_CA_cert
>> The purpose of doing this is to get the groups and users information from Active Directory and store in our own database through Fedora DS. Is This possible? by editing script or anyways?
>>
> You do not have to use TLS/SSL with windows sync - only if you will be
> using the password sync component.
>> Thank you.
>>
>> ----------------------------------------
>>
>>> From: kirankmadala at hotmail.com
>>> To: fedora-directory-users at redhat.com
>>> Subject: RE: [Fedora-directory-users] Windows Active Directory sync Help!
>>> Date: Wed, 9 Jan 2008 17:23:14 -0400
>>>
>>> Also the console give me this error when I click on manage certificates on the DS server and never opens up. It works fine on AS server
>>>
>>> Exception during event dispatch:
>>> java.lang.NullPointerException
>>>    at com.netscape.management.client.security.CertificateDialog.(Unknown Source)
>>>    at com.netscape.management.client.security.CertificateDialog.(Unknown Source)
>>>    at com.netscape.admin.dirserv.task.KeyCert.run(Unknown Source)
>>>    at com.netscape.management.client.TaskModel.actionObjectRun(Unknown Source)
>>>    at com.netscape.management.client.TaskPage$TaskList$ButtonMouseListener.mouseClicked(Unknown Source)
>>>    at java.awt.AWTEventMulticaster.mouseClicked(libgcj.so.7rh)
>>>    at java.awt.Component.processMouseEvent(libgcj.so.7rh)
>>>    at java.awt.Component.processEvent(libgcj.so.7rh)
>>>    at java.awt.Container.processEvent(libgcj.so.7rh)
>>>    at java.awt.Component.dispatchEventImpl(libgcj.so.7rh)
>>>    at java.awt.Container.dispatchEventImpl(libgcj.so.7rh)
>>>    at java.awt.Component.dispatchEvent(libgcj.so.7rh)
>>>    at java.awt.LightweightDispatcher.handleMouseEvent(libgcj.so.7rh)
>>>    at java.awt.LightweightDispatcher.dispatchEvent(libgcj.so.7rh)
>>>    at java.awt.Container.dispatchEventImpl(libgcj.so.7rh)
>>>    at java.awt.Window.dispatchEventImpl(libgcj.so.7rh)
>>>    at java.awt.Component.dispatchEvent(libgcj.so.7rh)
>>>    at java.awt.EventQueue.dispatchEvent(libgcj.so.7rh)
>>>    at java.awt.EventDispatchThread.run(libgcj.so.7rh)
>>> Exception in thread "http://248.8.168.192.in-addr.arpa.dev:9830/" java.lang.NullPointerException
>>>    at com.netscape.management.client.comm.HttpChannel.run(Unknown Source)
>>>    at java.lang.Thread.run(libgcj.so.7rh)
>>> Exception in thread "http://248.8.168.192.in-addr.arpa.dev:9830/" java.lang.NullPointerException
>>>    at com.netscape.management.client.comm.HttpChannel.run(Unknown Source)
>>>    at java.lang.Thread.run(libgcj.so.7rh)
For all the latest, visit asksantaclaus.spaces.live.com! >> http://asksantaclaus.spaces.live.com/ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > _________________________________________________________________ Introducing the City @ Live! Take a tour! http://getyourliveid.ca/?icid=LIVEIDENCA006 From kmarsh at gdrs.com Thu Jan 10 14:50:05 2008 From: kmarsh at gdrs.com (Ken Marsh) Date: Thu, 10 Jan 2008 09:50:05 -0500 Subject: [Fedora-directory-users] Setting up Multi-Master replication between 7.1 and 1.0.1-4 Message-ID: <5AD9B0E562FEFB4E933861904D7135C568892B@gdrs-exchange.gdrs.com> Ulf, Thanks, you gave me some things to look at. The spacing seems to be OK, and the same code worked to do the Replica object insertion into the 7.1 server. I think the problem is that when I configured the 1.0.1-4 server, I had it store the config data in the 7.1 server. As a result, the "mapping tree" part of config does not have a subordinate named "dc=company,dc=com". So, when the mmr.pl script goes to insert the Replica object, it fails. I wonder if this is because I had the setup script store config information for 1.0.1-4 in 7.1. Perhaps if it was stored locally I could start multi-master? -Ken. -------------- next part -------------- An HTML attachment was scrubbed... URL: From Enrico.M.V.Fasanelli at le.infn.it Thu Jan 10 15:48:53 2008 From: Enrico.M.V.Fasanelli at le.infn.it (Enrico M. V. Fasanelli) Date: Thu, 10 Jan 2008 16:48:53 +0100 Subject: [Fedora-directory-users] Massive database creation Message-ID: <47863E65.4000901@le.infn.it> Dear all, we need to create a lot of databases and replication confgurations on our test environment (4 FDS servers configured in Multi Master) Is there any way to do this via script (ldapmodify or any other utility) or the only way is via the Fedora Management Console? 
Thanks in advance, Ciao, Enrico -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 2954 bytes Desc: S/MIME Cryptographic Signature URL: From kirankmadala at hotmail.com Thu Jan 10 16:23:17 2008 From: kirankmadala at hotmail.com (kiran madala) Date: Thu, 10 Jan 2008 12:23:17 -0400 Subject: [Fedora-directory-users] Fedora 1.0.4 and remote console Message-ID: Hi, I think this question might have been asked before. I installed fedora 1.0.4 ds and admin on CentOS 5. The servers run fine and I am using remote console to view the contents. The console connects fine but the servers are not visible. I only have the command line on CentOS so I wanted to use remote admin console. Alternatively can I use fedora 1.1 ds on CenOS 5? Thanks in advance _________________________________________________________________ Use fowl language with Chicktionary. Click here to start playing! http://puzzles.sympatico.msn.ca/chicktionary/index.html?icid=htmlsig From rmeggins at redhat.com Thu Jan 10 17:14:26 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 10 Jan 2008 10:14:26 -0700 Subject: [Fedora-directory-users] Fedora 1.0.4 and remote console In-Reply-To: References: Message-ID: <47865272.7080209@redhat.com> kiran madala wrote: > Hi, > > I think this question might have been asked before. I installed fedora 1.0.4 ds and admin on CentOS 5. The servers run fine and I am using remote console to view the contents. The console connects fine but the servers are not visible. > > I only have the command line on CentOS so I wanted to use remote admin console. Alternatively can I use fedora 1.1 ds on CenOS 5? 
>
Yes you can install Fedora DS 1.1 on CentOS 5
http://directory.fedoraproject.org/wiki/Release_Notes
and
http://directory.fedoraproject.org/wiki/Download#Enterprise_Linux_5
> Thanks in advance

From rmeggins at redhat.com Thu Jan 10 17:21:47 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 10 Jan 2008 10:21:47 -0700
Subject: [Fedora-directory-users] Massive database creation
In-Reply-To: <47863E65.4000901@le.infn.it>
References: <47863E65.4000901@le.infn.it>
Message-ID: <4786542B.4070707@redhat.com>

Enrico M. V. Fasanelli wrote:
>
> Dear all,
>
> we need to create a lot of databases and replication configurations on
> our test environment (4 FDS servers configured in Multi Master)
>
> Is there any way to do this via script (ldapmodify or any other
> utility) or the only way is via the Fedora Management Console?
Yes. Everything that can be done in the console can also be done via scripts. The Red Hat DS 7.1 documentation lists many of these except for the glaring omission of replication, which will be added in the RHDS 8.0 docs, available very, very soon. In the meantime, the 7.1 documentation lists how to create databases, suffixes, etc.
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/adminTOC.html

There are a couple of scripts which you can use to set up replication
https://www.redhat.com/archives/fedora-directory-users/2007-December/msg00141.html was recently posted
http://directory.fedoraproject.org/wiki/Howto:MultiMasterReplication has been around for a while

If you prefer python, the freeipa.org project has a number of python scripts for setting up directory servers, including databases and replication - see www.freeipa.org
>
> Thanks in advance,
>
> Ciao,
> Enrico

From rmeggins at redhat.com Thu Jan 10 17:25:55 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 10 Jan 2008 10:25:55 -0700
Subject: [Fedora-directory-users] Windows Active Directory sync Help!
In-Reply-To:
References: <478509C5.1090804@redhat.com> <47850DF2.3000700@redhat.com> <478515E5.10406@redhat.com> <478575FB.9000504@redhat.com>
Message-ID: <47865523.7080805@redhat.com>

kiran madala wrote:
> I am using Java 1.4 on Fedora 6 with fedora ds1.1
>
The stack trace below shows (libgcj.so.7rh) which means it is using the gcj free java. You must install a proprietary Java in order to run the console if you are not using Fedora 8. See http://directory.fedoraproject.org/wiki/Install_Guide#Java_is_required_for_the_console
> ----------------------------------------
>
>> Date: Wed, 9 Jan 2008 18:33:47 -0700
>> From: rmeggins at redhat.com
>> To: fedora-directory-users at redhat.com
>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>
>> kiran madala wrote:
>>
>>> Also the console give me this error when I click on manage certificates on the DS server and never opens up. It works fine on AS server
>>>
>> Looks like a bug. Are you using the IcedTea java on Fedora 8?
>>
>>> Exception during event dispatch:
>>> java.lang.NullPointerException
>>> at com.netscape.management.client.security.CertificateDialog.(Unknown Source)
>>> at com.netscape.management.client.security.CertificateDialog.(Unknown Source)
>>> at com.netscape.admin.dirserv.task.KeyCert.run(Unknown Source)
>>> at com.netscape.management.client.TaskModel.actionObjectRun(Unknown Source)
>>> at com.netscape.management.client.TaskPage$TaskList$ButtonMouseListener.mouseClicked(Unknown Source)
>>> at java.awt.AWTEventMulticaster.mouseClicked(libgcj.so.7rh)
>>> at java.awt.Component.processMouseEvent(libgcj.so.7rh)
>>> at java.awt.Component.processEvent(libgcj.so.7rh)
>>> at java.awt.Container.processEvent(libgcj.so.7rh)
>>> at java.awt.Component.dispatchEventImpl(libgcj.so.7rh)
>>> at java.awt.Container.dispatchEventImpl(libgcj.so.7rh)
>>> at java.awt.Component.dispatchEvent(libgcj.so.7rh)
>>> at java.awt.LightweightDispatcher.handleMouseEvent(libgcj.so.7rh)
>>> at java.awt.LightweightDispatcher.dispatchEvent(libgcj.so.7rh)
>>> at java.awt.Container.dispatchEventImpl(libgcj.so.7rh)
>>> at java.awt.Window.dispatchEventImpl(libgcj.so.7rh)
>>> at java.awt.Component.dispatchEvent(libgcj.so.7rh)
>>> at java.awt.EventQueue.dispatchEvent(libgcj.so.7rh)
>>> at java.awt.EventDispatchThread.run(libgcj.so.7rh)
>>> Exception in thread "http://248.8.168.192.in-addr.arpa.dev:9830/" java.lang.NullPointerException
>>> at com.netscape.management.client.comm.HttpChannel.run(Unknown Source)
>>> at java.lang.Thread.run(libgcj.so.7rh)
>>> Exception in thread "http://248.8.168.192.in-addr.arpa.dev:9830/" java.lang.NullPointerException
>>> at com.netscape.management.client.comm.HttpChannel.run(Unknown Source)
>>> at java.lang.Thread.run(libgcj.so.7rh)
>>>
>>>
>>> ----------------------------------------
>>>
>>>> From: kirankmadala at hotmail.com
>>>> To: fedora-directory-users at redhat.com
>>>> Subject: RE: [Fedora-directory-users] Windows Active Directory sync Help!
>>>> Date: Wed, 9 Jan 2008 17:03:18 -0400
>>>>
>>>> I keep getting these errors when trying to initiate sync
>>>>
>>>> [09/Jan/2008:16:00:12 -0500] - SSL alert: ldapssl_enable_clientauth(Server-Key, ds-server-cert) -1 (Netscape Portable Runtime error -5987 - Invalid function argument.)
>>>> [09/Jan/2008:16:00:13 -0500] NSMMReplicationPlugin - agmt="cn=AD Sync" (netsweep-41a75e:636): Replication bind with SSL client authentication failed: LDAP error -1 (Unknown error)
>>>>
>>>> The LDAP search is not installed on my machine so i could not do a search
>>>> ----------------------------------------
>>>>
>>>>> Date: Wed, 9 Jan 2008 11:43:49 -0700
>>>>> From: rmeggins at redhat.com
>>>>> To: fedora-directory-users at redhat.com
>>>>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>>
>>>>> kiran madala wrote:
>>>>>
>>>>>> Sorry here is the error log for DS server
>>>>>>
>>>>>> [09/Jan/2008:13:33:50 -0500] NSMMReplicationPlugin - agmt="cn=AD sync" (netsweep-41a75e:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5987 (Invalid function argument.)
>>>>>>
>>>>>> It cannot connect to AD. I imported the CA certificate into the Installation folder of the console in the windows xp machine.
>>>>>>
>>>>> Did you configure the agreement to use SSL? Error 91 means some sort of
>>>>> connection problem, or invalid argument to the LDAP API e.g. you are
>>>>> attempting to use LDAP on the secure port instead of LDAPS.
>>>>>
>>>>> You can verify that TLS/SSL is working by using ldapsearch from the
>>>>> command line.
On the directory server machine:
>>>>> /usr/lib/mozldap/ldapsearch -h ADhostname -p 638 -Z -P
>>>>> /etc/dirsrv/slapd-instancename -s base -b "" "objectclass=*"
>>>>>
>>>>> Or use /usr/lib64/mozldap/ldapsearch on a 64bit system.
>>>>>
>>>>>> ----------------------------------------
>>>>>>
>>>>>>> Date: Wed, 9 Jan 2008 11:09:54 -0700
>>>>>>> From: rmeggins at redhat.com
>>>>>>> To: fedora-directory-users at redhat.com
>>>>>>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>>>>
>>>>>>> kiran madala wrote:
>>>>>>>
>>>>>>>> I am using Fedora 1.1 on Fedora 6 x86 machine. When i fill in the entries and click next a message pops up saying "Unable to connect to Active Directory server, continue?". Also in the domain controller host field can I specify the IP address of the machine?.
>>>>>>>>
>>>>>>>> The error log for DS server is below. The IP is the windows xp machine on which I am running the remote DS console.
>>>>>>>>
>>>>>>>> [Wed Jan 09 09:15:08 2008] [notice] [client 192.168.8.241] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.8.241
>>>>>>>>
>>>>>>> Actually, this is the error log for the admin server. The error log for
>>>>>>> the directory server is in /var/log/dirsrv/slapd-INSTANCE where instance
>>>>>>> is your instance name.
>>>>>>>
>>>>>>> The console might be failing to connect to AD because the console has a
>>>>>>> separate key/cert db under ~/.fedora-idm-console (in 1.1).
You may need
>>>>>>> to add the CA cert in this directory too:
>>>>>>>
>>>>>>> certutil -A -d ~/.fedora-idm-console -n "CA certificate" -t "CT,," -a -i /path/to/cacert.asc
>>>>>>>
>>>>>>>> ----------------------------------------
>>>>>>>>
>>>>>>>>> Date: Wed, 9 Jan 2008 10:52:05 -0700
>>>>>>>>> From: rmeggins at redhat.com
>>>>>>>>> To: fedora-directory-users at redhat.com
>>>>>>>>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>>>>>>
>>>>>>>>> kiran madala wrote:
>>>>>>>>>
>>>>>>>>>> As far I understand by reading docs again that the user specified in the Sync agreement and Bind DN should be same and exist on Active directory with Domain Admin privileges. But I have other issues now.
>>>>>>>>>>
>>>>>>>>>> The DS server is unable to connect to my AD.
>>>>>>>>>>
>>>>>>>>> What error messages are you getting? Check the error log.
>>>>>>>>>
>>>>>>>>> You can also try using ldapsearch. Are you using Fedora DS 1.1 or
>>>>>>>>> 1.0.4? What OS?
>>>>>>>>>
>>>>>>>>>> I enabled SSL by copying the same root certificate into AD and also generating a server certificate and opened up ports in firewall. Am I missing something like allowing client Authentication on the AD machine?
>>>>>>>>>>
>>>>>>>>> You don't need to use cert based client auth. You can use regular
>>>>>>>>> username/password auth over TLS/SSL.
>>>>>>>>>
>>>>>>>>>> My current certificates are as follows.
>>>>>>>>>>
>>>>>>>>>> DS has its own server certificate
>>>>>>>>>> AD has its own server certificate
>>>>>>>>>> ALL 3 servers AS,DS and AD have the same CA root certificate
>>>>>>>>>>
>>>>>>>>>> ----------------------------------------
>>>>>>>>>>
>>>>>>>>>>> From: kirankmadala at hotmail.com
>>>>>>>>>>> To: fedora-directory-users at redhat.com
>>>>>>>>>>> Date: Wed, 9 Jan 2008 10:35:00 -0400
>>>>>>>>>>> Subject: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>>>>>>>>
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> I am trying to sync the DS with AD. Since I am new to AD and DS I have few questions.
>>>>>>>>>>>
>>>>>>>>>>> I want to synchronize only users and groups so Is it necessary to enable SSL on Active Directory and connect to Active directory through SSL?
>>>>>>>>>>>
>>>>>>>>>>> In the replica settings the supplier DN user need to be on both AD and DS with should be a Domain admin of the AD?
>>>>>>>>>>>
>>>>>>>>>>> When trying to synchronize with AD the bind DN (In screen shot) user should be in both AD and DS?
>>>>>>>>>>>
>>>>>>>>>>> I have attached the screen shot of my final DS agreement window. I believe currently it is defined to synchronize users what changes I need to make it synchronize groups as well.
>>>>>>>>>>>
>>>>>>>>>>> Thanks in advance
From kmarsh at gdrs.com Thu Jan 10 17:27:23 2008
From: kmarsh at gdrs.com (Ken Marsh)
Date: Thu, 10 Jan 2008 12:27:23 -0500
Subject: [Fedora-directory-users] Announcing Fedora Directory Server 1.1.0
Message-ID: <5AD9B0E562FEFB4E933861904D7135C568894C@gdrs-exchange.gdrs.com>

Rich,

>Fedora Directory Server 1.1.0 is now available.

Congratulations!

>See http://directory.fedoraproject.org/wiki/Release_Notes for details about new features and new
>installation procedures.

I seem to be having some repository issues on my ES5.1/64-bit system. I did a "yum upgrade" and then, following the Release_Notes page:

cd /etc/yum.repos.d
wget http://directory.fedoraproject.org/sources/idmcommon.repo
wget http://directory.fedoraproject.org/sources/dirsrv.repo

Which ran OK, and then:

# yum install fedora-ds
Loading "rhnplugin" plugin
Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
rhel-x86_64-server-5 100% |=========================| 1.4 kB 00:00
http://directory.fedoraproject.org/yum/dirsrv/fedora/5Server/noarch/RPMS/repodata/repomd.xml: [Errno 14] HTTP Error 404: Not Found
Trying other mirror.
Error: Cannot open/read repomd.xml file for repository: dirsrv-noarch

# uname -a
Linux server2.company.com 2.6.18-53.el5xen #1 SMP Wed Oct 10 16:48:44 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux

Is the problem that I have 64 bit? Do you have the binaries on kernel.org mirrors like the Beta?

Thanks,
-Ken.

From rmeggins at redhat.com Thu Jan 10 17:33:27 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 10 Jan 2008 10:33:27 -0700
Subject: [Fedora-directory-users] Fedora Directory Server 1.1 : Cannot log in the Managent Console
In-Reply-To: <20080110115934.fy70cycys0g88g4c@mail.bg>
References: <20080110115934.fy70cycys0g88g4c@mail.bg>
Message-ID: <478656E7.4010606@redhat.com>

useless at mail.bg wrote:
> Hello!
>
> Several days ago I downloaded and installed Fedora Directory Server 1.1.
What platform? Which Java are you using?
fedora-idm-console -D 9 -f console.log
may provide more information.
> The problem is that I cannot log in the Management Console
> (fedora-idm-console)- every time when I try to log in it(
> http://img181.imageshack.us/my.php?image=snapshot1bx4.png ), I get the
> following error :
>
> http://img108.imageshack.us/my.php?image=snapshot2fi1.png
>
> and I find the following messages in the /var/log/httpd dir:
>
> /var/log/httpd/access_log :
> 127.0.0.1 - - [08/Jan/2008:19:45:26 +0200] "GET
> /admin-serv/authenticate HTTP/1.0" 400 294 "-"
> "Fedora-Management-Console/1.1.0"
>
> /var/log/httpd/error_log :
> [Tue Jan 08 19:45:26 2008] [error] [client 127.0.0.1] Client sent
> malformed Host header
This is very strange. The admin server should be using /var/log/dirsrv/admin-serv for its logs. You should not have the operating system apache running and listening to the same port number (9830) as the admin server, if you have them both running at the same time.
grep Listen /etc/httpd/conf/httpd.conf
grep Listen /etc/dirsrv/admin-serv/console.conf

The console cannot talk to standard apache - the admin server has special configuration and a special apache module that allows it to communicate with the console.
>
> The dirsrv, dirsrv-admin and httpd daemons are running. I have no
> problem with opening localhost:9830 and
> localhost:9830/admin-serv/authenticate in my browser.
Does "localhost" resolve to the same thing as "localhost.localdomain"? Try doing
fedora-idm-console -A http://localhost:9830/

From rmeggins at redhat.com Thu Jan 10 17:35:37 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 10 Jan 2008 10:35:37 -0700
Subject: [Fedora-directory-users] Windows Syncronization inbound changes problem
In-Reply-To: <478588DB.5020003@cespi.unlp.edu.ar>
References: <20080108145921.yg18imny80o0sccw@163.10.0.84> <47857661.2080208@redhat.com> <478588DB.5020003@cespi.unlp.edu.ar>
Message-ID: <47865769.7090104@redhat.com>

Christian A. Rodriguez wrote:
> Rich Megginson wrote:
>
>> Christian A. Rodriguez wrote:
>>
>>> First of all I have to mention that Windows Users & Groups were
>>> created before Fedora Directory was installed, so when FDS was
>>> installed I started up with replicated windows users in FDS without
>>> passwords being synchronized. Therefore, the scenario is a Windows
>>> tree with users (with passwords) & groups and FDS with users and
>>> groups replicated without their passwords.
>>>
>>> I am trying to define a mechanism to reset every password in both
>>> directories so they begin to work synchronized.
>>>
>>> Doing some tests, I realized that a change made in Windows is
>>> replicated into FDS binding as the users subject of change, so as the
>>> entry doesn't have its password, the following lines are logged in
>>> FDS access log:
>>>
>>> [08/Jan/2008:15:51:35 -0300] conn=1033 op=0 BIND
>>> dn="uid=USERXXX,OU=People,ou=Active Directory,dc=example,dc=com"
>>> method=128 version=2
>>> [08/Jan/2008:15:51:35 -0300] conn=1033 op=0 RESULT err=49 tag=97
>>> nentries=0 etime=0
>>> [08/Jan/2008:15:51:35 -0300] conn=1033 op=1 UNBIND
>>> [08/Jan/2008:15:51:35 -0300] conn=1033 op=1 fd=80 closed - U1
>>> [08/Jan/2008:15:51:35 -0300] conn=1032 op=2 RESULT err=50 tag=103
>>> nentries=0 etime=0
>>> [08/Jan/2008:15:51:35 -0300] conn=1032 op=3 UNBIND
>>>
>>> I haven't found any documentation about inbound changes, specifically
>>> password change, being done as the same user subject of the change. Is
>>> this true?
>>>
>> Yes. That's how it verifies the new password is valid.
>>
>
> So, how can I do to define a procedure for initializing both
> directories?
I'm not sure what you mean. For passwords, you just need to set/reset the clear text password on either side, either the AD side or the Fedora DS side. Assuming you have windows sync and password sync configured correctly, setting/resetting the clear text password on AD will sync it to Fedora DS, and vice versa.
> Are there any tips?
>
> Thanks
>
>>> Thanks in advance, and sorry for my bad English
>
> --
> Lic. Christian A.
Rodriguez

From rmeggins at redhat.com Thu Jan 10 17:40:19 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 10 Jan 2008 10:40:19 -0700
Subject: [Fedora-directory-users] Windows Active Directory sync Help!
In-Reply-To:
References: <478509C5.1090804@redhat.com> <47850DF2.3000700@redhat.com> <478515E5.10406@redhat.com> <4785757C.3040004@redhat.com>
Message-ID: <47865883.1000805@redhat.com>

kiran madala wrote:
> Thank you the sync works fine. My actual task is to store the AD users and groups in our company database through the fedora-ds. I was wondering if this is possible,
>
> Like AD-->FDS-->Own database
>
> IS this a possibility?. If it is then how would I do it?
>
The usual way to do this is to write a script to use ldapsearch to pull changes from Fedora DS and write them to your database.
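
[Added example, not part of the original message or of Fedora DS: a sketch of the "ldapsearch, then write to your database" script suggested above, parsing LDIF and upserting users and group memberships into SQLite. The sample LDIF, the table layout and the use of modifyTimestamp as a high-water mark for the next pull are assumptions.]

```python
import base64
import sqlite3

# Constructed sample of LDIF as ldapsearch prints it (not data from the thread).
# It contains a folded line, a base64 ("::") value and a DN with a quote in it.
# modifyTimestamp is an operational attribute, so it has to be requested by name.
SAMPLE_LDIF = """\
version: 1

dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: John Doe
mail: jdoe@example.com
modifyTimestamp: 20080110174019Z

dn: uid=o'brien,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: o'brien
cn:: U2XDoW4gTydCcmllbg==
modifyTimestamp: 20080110183000Z

dn: cn=Engineering,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: Engineering
uniqueMember: uid=jdoe,ou=People,dc=example,dc=com
uniqueMember: uid=o'brien,ou=People,
 dc=example,dc=com
modifyTimestamp: 20080110184312Z
"""


def parse_ldif(text):
    """Parse LDIF into a list of {lowercased attribute: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # a leading space folds onto the previous line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # the extra "" flushes the last entry
        if not line.strip():
            if "dn" in current:           # skips the "version: 1" header block
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):          # "attr:: <base64>" carries non-ASCII or binary
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def first(entry, attr):
    return entry.get(attr, [None])[0]


def sync_to_db(conn, entries):
    """Upsert users and group memberships; return the newest modifyTimestamp seen."""
    conn.executescript("""
        CREATE TABLE IF NOT EXISTS users
            (dn TEXT PRIMARY KEY, uid TEXT, cn TEXT, mail TEXT);
        CREATE TABLE IF NOT EXISTS group_members
            (group_dn TEXT, member_dn TEXT, PRIMARY KEY (group_dn, member_dn));
    """)
    newest = ""
    for e in entries:
        dn = e["dn"][0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        # Directory values are untrusted input (note the quote in o'brien), so every
        # statement uses bound parameters instead of string formatting.
        if "groupofuniquenames" in classes:
            # Replace the whole member list so removed members disappear too.
            conn.execute("DELETE FROM group_members WHERE group_dn = ?", (dn,))
            conn.executemany("INSERT OR IGNORE INTO group_members VALUES (?, ?)",
                             [(dn, m) for m in e.get("uniquemember", [])])
        elif "uid" in e:
            conn.execute("INSERT OR REPLACE INTO users VALUES (?, ?, ?, ?)",
                         (dn, first(e, "uid"), first(e, "cn"), first(e, "mail")))
        # GeneralizedTime (YYYYMMDDhhmmssZ) sorts correctly as plain text.
        newest = max(newest, first(e, "modifytimestamp") or "")
    conn.commit()
    return newest


def next_filter(newest):
    """Search filter for the next pull; >= re-reads the boundary second, which is
    harmless because the writes above are idempotent."""
    return "(modifyTimestamp>=%s)" % newest if newest else "(objectClass=*)"


def run_demo():
    conn = sqlite3.connect(":memory:")
    entries = parse_ldif(SAMPLE_LDIF)
    newest = sync_to_db(conn, entries)
    sync_to_db(conn, entries)             # a second run must not duplicate rows
    return conn, newest


if __name__ == "__main__":
    conn, newest = run_demo()
    print(conn.execute("SELECT uid, cn FROM users ORDER BY uid").fetchall())
    print(conn.execute("SELECT member_dn FROM group_members").fetchall())
    print(next_filter(newest))
```

Entries deleted from the directory never appear in a modifyTimestamp search, so a periodic full comparison is still needed to drop stale rows.
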
From rmeggins at redhat.com Thu Jan 10 17:43:13 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 10 Jan 2008 10:43:13 -0700
Subject: [Fedora-directory-users] Announcing Fedora Directory Server 1.1.0
In-Reply-To: <5AD9B0E562FEFB4E933861904D7135C568894C@gdrs-exchange.gdrs.com>
References: <5AD9B0E562FEFB4E933861904D7135C568894C@gdrs-exchange.gdrs.com>
Message-ID: <47865931.1030400@redhat.com>

Ken Marsh wrote:
> Rich,
>
> >Fedora Directory Server 1.1.0 is now available.
>
> Congratulations!
>
> >See http://directory.fedoraproject.org/wiki/Release_Notes for details about new features and new >installation procedures.
>
> I seem to be having some repository issues on my ES5.1/64-bit system. I did a "yum upgrade" and then, following the Release_Notes page:
>
> cd /etc/yum.repos.d
> wget http://directory.fedoraproject.org/sources/idmcommon.repo
> wget http://directory.fedoraproject.org/sources/dirsrv.repo
>
> Which ran OK, and then:
>
> # yum install fedora-ds
> Loading "rhnplugin" plugin
> Loading "installonlyn" plugin
> Setting up Install Process
> Setting up repositories
> rhel-x86_64-server-5 100% |=========================| 1.4 kB 00:00
> http://directory.fedoraproject.org/yum/dirsrv/fedora/5Server/noarch/RPMS/repodata/repomd.xml:
> [Errno 14] HTTP Error 404: Not Found
> Trying other mirror.
> Error: Cannot open/read repomd.xml file for repository: dirsrv-noarch
>
> # uname -a
> Linux server2.company.com 2.6.18-53.el5xen #1 SMP Wed Oct 10 16:48:44
> EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
>
> Is the problem that I have 64 bit? Do you have the binaries on kernel.org mirrors like the Beta?
Note the url contains "5Server" not "6" - see http://directory.fedoraproject.org/wiki/Download#Enterprise_Linux_5
>
> Thanks,
> -Ken.

From car at cespi.unlp.edu.ar Thu Jan 10 17:53:24 2008
From: car at cespi.unlp.edu.ar (Christian A. Rodriguez)
Date: Thu, 10 Jan 2008 14:53:24 -0300
Subject: [Fedora-directory-users] Windows Syncronization inbound changes problem
In-Reply-To: <47865769.7090104@redhat.com>
References: <20080108145921.yg18imny80o0sccw@163.10.0.84> <47857661.2080208@redhat.com> <478588DB.5020003@cespi.unlp.edu.ar> <47865769.7090104@redhat.com>
Message-ID: <20080110145324.h7moiugm80oks08g@163.10.0.84>

Quoting Rich Megginson :

> Christian A. Rodriguez wrote:
>> Rich Megginson wrote:
>>
>>> Christian A. Rodriguez wrote:
>>>
>>>> First of all I have to mention that Windows Users & Groups were
>>>> created before Fedora Directory was installed, so when FDS was
>>>> installed I started up with replicated windows users in FDS without
>>>> passwords being synchronized. Therefore, the scenario is a Windows
>>>> tree with users (with passwords) & groups and FDS with users and
>>>> groups replicated without their passwords.
>>>>
>>>> I am trying to define a mechanism to reset every password in both
>>>> directories so they begin to work synchronized.
>>>>
>>>> Doing some tests, I realized that a change made in Windows is
>>>> replicated into FDS binding as the users subject of change, so as the
>>>> entry doesn't have its password, the following lines are logged in
>>>> FDS access log:
>>>>
>>>> [08/Jan/2008:15:51:35 -0300] conn=1033 op=0 BIND
>>>> dn="uid=USERXXX,OU=People,ou=Active Directory,dc=example,dc=com"
>>>> method=128 version=2
>>>> [08/Jan/2008:15:51:35 -0300] conn=1033 op=0 RESULT err=49 tag=97
>>>> nentries=0 etime=0
>>>> [08/Jan/2008:15:51:35 -0300] conn=1033 op=1 UNBIND
>>>> [08/Jan/2008:15:51:35 -0300] conn=1033 op=1 fd=80 closed - U1
>>>> [08/Jan/2008:15:51:35 -0300] conn=1032 op=2 RESULT err=50 tag=103
>>>> nentries=0 etime=0
>>>> [08/Jan/2008:15:51:35 -0300] conn=1032 op=3 UNBIND
>>>>
>>>> I haven't found any documentation about inbound changes, specifically
>>>> password change, being done as the same user subject of the change. Is
>>>> this true?
>>>>
>>> Yes. That's how it verifies the new password is valid.
>>>
>>
>> So, how can I do to define a procedure for initializing both
>> directories?
> I'm not sure what you mean. For passwords, you just need to set/reset
> the clear text password on either side, either the AD side or the
> Fedora DS side. Assuming you have windows sync and password sync
> configured correctly, setting/resetting the clear text password on AD
> will sync it to Fedora DS, and vice versa.

The problem is that Active Directory Passwords were set before FDS was installed. So, the initial synchronization of passwords didn't set FDS passwords, so changing the passwords in Active Directory will not update FDS passwords because of its way to sync passwords, i.e. binding to FDS as the user whose password is changed.

The only way to change passwords in both directories for users synchronized in Active Directory is resetting their passwords only in FDS, not in Windows because of the binding issue I mentioned.

Thanks

>
>> Are there any tips?
>>
>> Thanks
>>
>>>> Thanks in advance, and sorry for my bad English
>>
>> --
>> Lic. Christian A. Rodriguez

--
Lic. Christian A. Rodriguez

From rmeggins at redhat.com Thu Jan 10 18:23:10 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 10 Jan 2008 11:23:10 -0700
Subject: [Fedora-directory-users] FDS replication client installation
In-Reply-To: <4672a0830801092121xc89ac2fk86d8a6d6287c6136@mail.gmail.com>
References: <4672a0830801092121xc89ac2fk86d8a6d6287c6136@mail.gmail.com>
Message-ID: <4786628E.9060304@redhat.com>

Jim Y Li wrote:
> Sorry for the newbie question. I've installed a master FDS server
> using setup-ds-admin.pl. I want to install a second server to act as
> secondary master (i.e. read-write also). Do I use setup-ds-admin.pl to
> install the 2nd machine? Or do I just use setup-ds.pl?
>
I think you can use either one - if you use setup-ds.pl, you'll have to then use register-ds-admin.pl to set up the admin server stuff.
> Does each machine have it's own independent o=netscaperoot database,
>
Yes - each master has to have a read/write o=NetscapeRoot
> or do they share that too?
No.
> I would guess that you'd want all of your
> servers to share one netscape root tree.
Yes, if you don't want to have the read-write secondary master.
> Is there a document that
> talks about how to do this?
>
Not yet, but there will be something about this in the Red Hat DS 8.0 docs.
> Thanks in advance
> /Jim

From kirankmadala at hotmail.com Thu Jan 10 18:43:12 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Thu, 10 Jan 2008 14:43:12 -0400
Subject: [Fedora-directory-users] Windows Active Directory sync Help!
In-Reply-To: <47865883.1000805@redhat.com>
References: <478509C5.1090804@redhat.com> <47850DF2.3000700@redhat.com> <478515E5.10406@redhat.com> <4785757C.3040004@redhat.com> <47865883.1000805@redhat.com>
Message-ID:

But isn't it how the fedora ds does the AD sync?. I mean can I just write the script to connect to AD directly and do ldapsearch for updates?

Alternatively can I do a script to search for the user against his/her group from the updates obtained by Fedora-ds from AD?

IF so what are the docs and packages i should be looking at?

Thanks in advance
----------------------------------------
> Date: Thu, 10 Jan 2008 10:40:19 -0700
> From: rmeggins at redhat.com
> To: fedora-directory-users at redhat.com
> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>
> kiran madala wrote:
>> Thank you the sync works fine. My actual task is to store the AD users and groups in our company database through the fedora-ds. I was wondering if this is possible,
>>
>> Like AD-->FDS-->Own database
>>
>> IS this a possibility?. If it is then how would I do it?
>>
> The usual way to do this is to write a script to use ldapsearch to pull
> changes from Fedora DS and write them to your database.
From rmeggins at redhat.com Thu Jan 10 18:48:00 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 10 Jan 2008 11:48:00 -0700
Subject: [Fedora-directory-users] Windows Active Directory sync Help!
In-Reply-To:
References: <478509C5.1090804@redhat.com> <47850DF2.3000700@redhat.com> <478515E5.10406@redhat.com> <4785757C.3040004@redhat.com> <47865883.1000805@redhat.com>
Message-ID: <47866860.2090501@redhat.com>

kiran madala wrote:
> But isn't it how the fedora ds does the AD sync? I mean can I just write the script to connect to AD directly and do ldapsearch for updates?
Yes. The thing is that Fedora DS will not automatically send changes to a database. You'd have to write a plugin for that. It's much simpler to just script it - most scripting languages have ODBC/SQL support as well as LDAP support.
> Alternatively can I do a script to search for the user against his/her group from the updates obtained by Fedora-ds from AD?
I'm not sure what you mean by "against his/her group".
> If so what are the docs and packages I should be looking at?
>
> Thanks in advance
> ----------------------------------------
>
>> Date: Thu, 10 Jan 2008 10:40:19 -0700
>> From: rmeggins at redhat.com
>> To: fedora-directory-users at redhat.com
>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>
>> kiran madala wrote:
>>
>>> Thank you the sync works fine. My actual task is to store the AD users and groups in our company database through the fedora-ds. I was wondering if this is possible,
>>>
>>> Like AD-->FDS-->Own database
>>>
>>> Is this a possibility? If it is then how would I do it?
>>>
>> The usual way to do this is to write a script to use ldapsearch to pull
>> changes from Fedora DS and write them to your database.
From kirankmadala at hotmail.com Thu Jan 10 19:26:47 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Thu, 10 Jan 2008 15:26:47 -0400
Subject: [Fedora-directory-users] Windows Active Directory sync Help!
In-Reply-To: <47866860.2090501@redhat.com>
References: <478509C5.1090804@redhat.com> <47850DF2.3000700@redhat.com> <478515E5.10406@redhat.com> <4785757C.3040004@redhat.com> <47865883.1000805@redhat.com> <47866860.2090501@redhat.com>
Message-ID:

Maybe I will just try to write a script to store the sync values from Fedora

Where can I find the documentation as to how the fedora performs the sync and where does it store? I mean development wise

----------------------------------------
> Date: Thu, 10 Jan 2008 11:48:00 -0700
> From: rmeggins at redhat.com
> To: fedora-directory-users at redhat.com
> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>
> kiran madala wrote:
>> But isn't it how the fedora ds does the AD sync? I mean can I just write the script to connect to AD directly and do ldapsearch for updates?
> Yes. The thing is that Fedora DS will not automatically send changes to
> a database. You'd have to write a plugin for that. It's much simpler
> to just script it - most scripting languages have ODBC/SQL support as
> well as LDAP support.
>> Alternatively can I do a script to search for the user against his/her group from the updates obtained by Fedora-ds from AD?
> I'm not sure what you mean by "against his/her group".
>> If so what are the docs and packages I should be looking at?
>>
>> Thanks in advance
>> ----------------------------------------
>>
>>> Date: Thu, 10 Jan 2008 10:40:19 -0700
>>> From: rmeggins at redhat.com
>>> To: fedora-directory-users at redhat.com
>>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>>
>>> kiran madala wrote:
>>>
>>>> Thank you the sync works fine. My actual task is to store the AD users and groups in our company database through the fedora-ds. I was wondering if this is possible,
>>>>
>>>> Like AD-->FDS-->Own database
>>>>
>>>> Is this a possibility? If it is then how would I do it?
>>>>
>>> The usual way to do this is to write a script to use ldapsearch to pull
>>> changes from Fedora DS and write them to your database.

From ulf.weltman at hp.com Thu Jan 10 19:30:39 2008
From: ulf.weltman at hp.com (Ulf Weltman)
Date: Thu, 10 Jan 2008 11:30:39 -0800
Subject: [Fedora-directory-users] Setting up Multi-Master replication between 7.1 and 1.0.1-4
In-Reply-To: <5AD9B0E562FEFB4E933861904D7135C568892B@gdrs-exchange.gdrs.com>
References: <5AD9B0E562FEFB4E933861904D7135C568892B@gdrs-exchange.gdrs.com>
Message-ID: <4786725F.2060104@hp.com>

The configuration the installer talks about storing when selecting a configuration directory is for the Administration Server, not for the local Directory Server configuration, so the suffix mapping can't have ended up in the wrong instance, it's always local. When you installed 7.1 it should have asked what suffix you want to use as your default suffix.
Look again in your dse.ldif for the mapping tree entry with "nsslapd-backend: userRoot", what is the cn of it? If you entered "dc=company,dc=com" at installation time, the cn of this mapping tree node would match that.

Ulf

Ken Marsh wrote:
>
> Ulf,
>
> Thanks, you gave me some things to look at. The spacing seems to be
> OK, and the same code worked to do the Replica object insertion into
> the 7.1 server.
>
> I think the problem is that when I configured the 1.0.1-4 server, I
> had it store the config data in the 7.1 server. As a result, the
> "mapping tree" part of config does not have a subordinate named
> "dc=company,dc=com". So, when the mmr.pl script goes to insert the
> Replica object, it fails.
>
> I wonder if this is because I had the setup script store config
> information for 1.0.1-4 in 7.1. Perhaps if it was stored locally I
> could start multi-master?
>
> -Ken.

From rmeggins at redhat.com Thu Jan 10 19:48:04 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 10 Jan 2008 12:48:04 -0700
Subject: [Fedora-directory-users] Windows Active Directory sync Help!
In-Reply-To:
References: <478509C5.1090804@redhat.com> <47850DF2.3000700@redhat.com> <478515E5.10406@redhat.com> <4785757C.3040004@redhat.com> <47865883.1000805@redhat.com> <47866860.2090501@redhat.com>
Message-ID: <47867674.2060106@redhat.com>

kiran madala wrote:
> Maybe I will just try to write a script to store the sync values from Fedora Where can I find the documentation as to how the fedora performs the sync and where does it store? I mean development wise
>
There are a number of ways to do it, depending on what you are actually trying to do.
If you just need to pull changes from AD, one direction only, you could use the AD DirSync control. This is essentially what Fedora DS uses to pull changes from AD. I don't know if there are any *nix clients with built-in DirSync support, but you could create your own with Net::LDAP and the ASN.1 creator/parser and BER codec.

There are a number of ways to get changes from Fedora DS.
1) ldapsearch ... (modifyTimestamp>=somevalue)
2) enable audit logging then parse the audit log file
3) enable the Retro changelog and search cn=changelog

These can be used with or without persistent search provided by the mozldap ldapsearch command line tool.
> ----------------------------------------
>
>> Date: Thu, 10 Jan 2008 11:48:00 -0700
>> From: rmeggins at redhat.com
>> To: fedora-directory-users at redhat.com
>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>
>> kiran madala wrote:
>>
>>> But isn't it how the fedora ds does the AD sync? I mean can I just write the script to connect to AD directly and do ldapsearch for updates?
>>>
>> Yes. The thing is that Fedora DS will not automatically send changes to
>> a database. You'd have to write a plugin for that. It's much simpler
>> to just script it - most scripting languages have ODBC/SQL support as
>> well as LDAP support.
>>
>>> Alternatively can I do a script to search for the user against his/her group from the updates obtained by Fedora-ds from AD?
>>>
>> I'm not sure what you mean by "against his/her group".
>>
>>> If so what are the docs and packages I should be looking at?
>>>
>>> Thanks in advance
>>> ----------------------------------------
>>>
>>>> Date: Thu, 10 Jan 2008 10:40:19 -0700
>>>> From: rmeggins at redhat.com
>>>> To: fedora-directory-users at redhat.com
>>>> Subject: Re: [Fedora-directory-users] Windows Active Directory sync Help!
>>>>
>>>> kiran madala wrote:
>>>>
>>>>> Thank you the sync works fine.
>>>>> My actual task is to store the AD users and groups in our company database through the fedora-ds. I was wondering if this is possible,
>>>>>
>>>>> Like AD-->FDS-->Own database
>>>>>
>>>>> Is this a possibility? If it is then how would I do it?
>>>>>
>>>> The usual way to do this is to write a script to use ldapsearch to pull
>>>> changes from Fedora DS and write them to your database.

From kirankmadala at hotmail.com Thu Jan 10 19:48:30 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Thu, 10 Jan 2008 15:48:30 -0400
Subject: [Fedora-directory-users] Fedora 1.0.4 and remote console
In-Reply-To: <47865272.7080209@redhat.com>
References: <47865272.7080209@redhat.com>
Message-ID:

Thanks that worked

----------------------------------------
> Date: Thu, 10 Jan 2008 10:14:26 -0700
> From: rmeggins at redhat.com
> To: fedora-directory-users at redhat.com
> Subject: Re: [Fedora-directory-users] Fedora 1.0.4 and remote console
>
> kiran madala wrote:
>> Hi,
>>
>> I think this question might have been asked before. I installed fedora 1.0.4 ds and admin on CentOS 5.
>> The servers run fine and I am using remote console to view the contents. The console connects fine but the servers are not visible.
>>
>> I only have the command line on CentOS so I wanted to use remote admin console. Alternatively can I use fedora 1.1 ds on CentOS 5?
>>
> Yes you can install Fedora DS 1.1 on CentOS 5
> http://directory.fedoraproject.org/wiki/Release_Notes
> and
> http://directory.fedoraproject.org/wiki/Download#Enterprise_Linux_5
>> Thanks in advance

From kmarsh at gdrs.com Thu Jan 10 20:24:49 2008
From: kmarsh at gdrs.com (Ken Marsh)
Date: Thu, 10 Jan 2008 15:24:49 -0500
Subject: [Fedora-directory-users] Setting up Multi-Master replication between 7.1 and 1.0.1-4
Message-ID: <5AD9B0E562FEFB4E933861904D7135C568896B@gdrs-exchange.gdrs.com>

Ulf,

Thanks for that info. I have a lot to learn. I just got around the issue by re-installing 1.0.1-4 and telling the setup script to save both sets of config data locally. Then the mmr.pl script ran flawlessly.

You helped by helping me sort out the repman issues.

I now have a second DS with multi-master replication! Woohoo! No more single point of failure.

There are some other things I'd like to set up, I think I'll start a new thread, though.

-Ken.
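Option 1 in Rich Megginson's list in the "Windows Active Directory sync Help!" thread above (ldapsearch with a modifyTimestamp filter, results written to a database), as an added example that is not code from the thread or from the Fedora DS project. The host name, suffix, table layout, use of SQLite and the sample LDIF are assumptions constructed for illustration.

```python
import base64
import re
import sqlite3

# Constructed LDIF, standing in for the output of a search such as
#   /usr/lib/mozldap/ldapsearch -h ds.example.com -b dc=example,dc=com \
#       "(modifyTimestamp>=20080110000000Z)" uid cn modifyTimestamp
# (ds.example.com and the suffix are placeholders). modifyTimestamp is an
# operational attribute, so it has to be requested by name.
_CN_B64 = base64.b64encode("Anna Sm\u00edth".encode("utf-8")).decode("ascii")
SAMPLE_LDIF = (
    "version: 1\n"
    "dn: uid=jdoe,ou=People,dc=example,dc=com\n"
    "uid: jdoe\n"
    "cn: John Doe\n"
    "modifyTimestamp: 20080110184800Z\n"
    "\n"
    "dn: uid=asmith,ou=People,\n"
    " dc=example,dc=com\n"        # folded line: continuation starts with a space
    "uid: asmith\n"
    "cn:: " + _CN_B64 + "\n"      # '::' marks a base64-encoded value
    "modifyTimestamp: 20080110194830Z\n"
)


def change_filter(since):
    """Build the option 1 filter; `since` is a UTC GeneralizedTime string."""
    # The stored high-water mark is interpolated into a filter, so validate it
    # strictly: a corrupted state file must not be able to add filter syntax.
    if not re.fullmatch(r"[0-9]{14}Z", since):
        raise ValueError("expected YYYYMMDDHHMMSSZ, got %r" % (since,))
    return "(modifyTimestamp>=%s)" % since


def parse_ldif(text):
    """Yield one {attribute: [values]} dict per entry (keys lower-cased)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # unfold a continuation line
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:                 # the final "" flushes the last entry
        if not line:
            if "dn" in entry:
                yield entry
            entry = {}
        elif not line.startswith(("#", "version:")):
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            entry.setdefault(attr.lower(), []).append(value)


def sync(conn, ldif_text):
    """Upsert every entry keyed by DN; return the newest modifyTimestamp seen."""
    conn.execute("CREATE TABLE IF NOT EXISTS people "
                 "(dn TEXT PRIMARY KEY, uid TEXT, cn TEXT, modified TEXT)")
    newest = None
    for entry in parse_ldif(ldif_text):
        stamp = entry.get("modifytimestamp", [None])[0]
        # Bound parameters: directory values never become part of the SQL text.
        conn.execute(
            "INSERT OR REPLACE INTO people (dn, uid, cn, modified) "
            "VALUES (?, ?, ?, ?)",
            (entry["dn"][0], entry.get("uid", [None])[0],
             entry.get("cn", [None])[0], stamp))
        # Same-format GeneralizedTime strings sort chronologically as text.
        if stamp and (newest is None or stamp > newest):
            newest = stamp
    conn.commit()
    # '>=' re-fetches the entry at the mark on the next run; the upsert makes
    # that harmless. Deleted entries never match a search, so catching deletes
    # needs option 2 or 3 (audit log or Retro changelog).
    return newest


if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    mark = sync(db, SAMPLE_LDIF)
    print("filter for the next run:", change_filter(mark))
    for row in db.execute("SELECT uid, cn, modified FROM people ORDER BY uid"):
        print(row)
```

In a scheduled job the returned mark would be persisted and passed to `change_filter` on the next run, with the filter handed to ldapsearch as a single argument rather than through a shell string.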
From cbruiz at gmail.com Thu Jan 10 20:37:54 2008
From: cbruiz at gmail.com (Carlos Barrales Ruiz)
Date: Thu, 10 Jan 2008 21:37:54 +0100
Subject: [Fedora-directory-users] DS Failed to start
In-Reply-To:
References: <4782765C.70605@redhat.com> <47829AA1.5040806@redhat.com> <4782A98C.2040206@redhat.com>
Message-ID: <62FFD2D1-ADC0-4996-B23E-D4462BD67817@gmail.com>

On 08/01/2008, at 18:51, kiran madala wrote:

>
> /usr/sbin/start-ds-admin: line 66: 3158 Segmentation fault
> $SELINUX_CMD $HTTPD $OMIT_DEFLATE -k start -f /etc/dirsrv/admin-serv/httpd.conf "$@"
>
> What could be the issue?

I had the same problem with 1.1 beta on Centos 5 (it "should be" like fedora 6). It finally worked after upgrading from scratch to Centos 5.1 and installing the 1.1 release. I don't know the reason of the fault.

Try to upgrade. If it is still not working maybe i/we can assist you in the SSL Cert deployment.

Regards.

--
Carlos

From useless at mail.bg Thu Jan 10 20:40:41 2008
From: useless at mail.bg (useless at mail.bg)
Date: Thu, 10 Jan 2008 22:40:41 +0200
Subject: [Fedora-directory-users] Fedora Directory Server 1.1 : Cannot log in the Management Console
In-Reply-To: <478656E7.4010606@redhat.com>
References: <20080110115934.fy70cycys0g88g4c@mail.bg> <478656E7.4010606@redhat.com>
Message-ID: <20080110224041.ydtrno104ookk0ok@mail.bg>

I am running Fedora 8. The version of java is 1.5.0. I am sorry for not mentioning that.
This is the output of the command fedora-idm-console -D 9 -f console.log : (the file console.log is empty after quitting the Management Console Log-in window)

-------------------------
java.util.prefs.userRoot=/root/.fedora-idm-console
path.separator=:
java.vm.name=GNU libgcj
java.vm.specification.name=Java(tm) Virtual Machine Specification
java.runtime.version=1.5.0
java.util.prefs.systemRoot=/root/.fedora-idm-console
java.home=/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre
java.vm.specification.version=1.0
line.separator=
java.vm.specification.vendor=Sun Microsystems Inc.
gnu.classpath.home.url=file:///usr/lib
gnu.gcj.progname=com.netscape.management.client.console.Console
gnu.classpath.version=0.93
java.specification.version=1.5
gnu.java.util.zoneinfo.dir=/usr/share/zoneinfo
java.library.path=/usr/lib
gnu.classpath.vm.shortname=libgcj
java.class.version=49.0
java.specification.name=Java(tm) Platform API Specification
os.version=2.6.23.9-85.fc8
gnu.classpath.home=/usr
user.home=/root
file.encoding=UTF-8
os.name=Linux
user.name=root
java.class.path=/usr/lib/java/jss4.jar:/usr/share/java/ldapjdk.jar:/usr/share/java/idm-console-base.jar:/usr/share/java/idm-console-mcc.jar:/usr/share/java/idm-console-mcc_en.jar:/usr/share/java/idm-console-nmclf.jar:/usr/share/java/idm-console-nmclf_en.jar:/usr/share/java/fedora-idm-console-1.1.0_en.jar
java.io.tmpdir=/tmp
os.arch=i386
java.fullversion=GNU libgcj 4.1.2 20070925 (Red Hat 4.1.2-33)
user.language=bg
java.specification.vendor=Sun Microsystems Inc.
user.dir=/root
java.vm.info=GNU libgcj 4.1.2 20070925 (Red Hat 4.1.2-33)
java.version=1.5.0
java.ext.dirs=/usr/share/java/ext
sun.boot.class.path=/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre/lib/rt.jar
gnu.gcj.user.realname=root
java.vm.vendor=Free Software Foundation, Inc.
java.vendor.url=http://gcc.gnu.org/java/
java.vendor=Free Software Foundation, Inc.
file.separator=/
java.vm.version=4.1.2 20070925 (Red Hat 4.1.2-33)
http.agent=gnu-classpath/0.93 (libgcj/4.1.2 20070925 (Red Hat 4.1.2-33))
gnu.gcj.precompiled.db.path=/usr/lib/gcj-4.1.2/classmap.db
gnu.cpu.endian=little
user.region=BG
gnu.gcj.runtime.endorsed.dirs=/usr/share/java/gcj-endorsed
Fedora-Management-Console/1.1.0 B2007.354.1015
RemoteImage: NOT found in cache loader368512:com/netscape/management/nmclf/icons/Error.gif
RemoteImage: Create RemoteImage cache for loader368512
RemoteImage: NOT found in cache loader368512:com/netscape/management/nmclf/icons/Inform.gif
RemoteImage: NOT found in cache loader368512:com/netscape/management/nmclf/icons/Warn.gif
RemoteImage: NOT found in cache loader368512:com/netscape/management/nmclf/icons/Question.gif
ResourceSet: NOT found in cache loader368512:com.netscape.management.client.components.components
RemoteImage: NOT found in cache loader368512:com/netscape/management/client/theme/images/logo16.gif
RemoteImage: NOT found in cache loader368512:com/netscape/management/client/theme/images/login.gif
ResourceSet: NOT found in cache loader368512:com.netscape.management.client.util.default
ResourceSet: found in cache loader368512:com.netscape.management.client.util.default
ResourceSet: found in cache loader368512:com.netscape.management.client.util.default

HERE I ENTER USERID, PASSWORD AND ADMINISTRATION URL.
CommManager> New CommRecord (http:/admin-serv/authenticate)
ResourceSet: found in cache loader368512:com.netscape.management.client.theme.theme
http://:80/[0:0] open> Ready
http://:80/[0:0] accept> http:/admin-serv/authenticate
http://:80/[0:0] send> GET
http://:80/[0:0] send> /admin-serv/authenticate
http://:80/[0:0] send> HTTP/1.0
http://:80/[0:0] send> Host: :80
http://:80/[0:0] send> Connection: Keep-Alive
http://:80/[0:0] send> User-Agent: Fedora-Management-Console/1.1.0
http://:80/[0:0] send> Accept-Language: en
http://:80/[0:0] send> Authorization: Basic
http://:80/[0:0] send> YWRtaW46ZmVkMHJh
http://:80/[0:0] send>
http://:80/[0:0] send>
http://:80/[0:0] recv> HTTP/1.1 400 Bad Request
http://:80/[0:0] error> HttpException:
Response: HTTP/1.1 400 Bad Request
Status: 400
URL: http:/admin-serv/authenticate
http://:80/[0:0] close> Closed
-------------------------

grep Listen /etc/httpd/conf/httpd.conf returns
Listen 80

grep Listen /etc/dirsrv/admin-serv/console.conf returns
# Listen: Allows you to bind Apache to specific IP addresses and/or
# Change this to Listen on specific IP addresses as shown below to
# e.g. "Listen 12.34.56.78:80"
# To allow connections to IPv6 addresses add "Listen [::]:80"
Listen 0.0.0.0:9830

"localhost" resolves to the same thing as "localhost.localdomain" - 127.0.0.1

When I run the command fedora-idm-console -A http://localhost:9830/ , the situation is absolutely the same as when I execute only fedora-idm-console - the same error message appears when I click on the "OK" button ( http://img108.imageshack.us/my.php?image=snapshot2fi1.png ).

Thank you for the time spent to help me!
From rmeggins at redhat.com Thu Jan 10 20:51:45 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 10 Jan 2008 13:51:45 -0700
Subject: [Fedora-directory-users] Fedora Directory Server 1.1 : Cannot log in the Management Console
In-Reply-To: <20080110224041.ydtrno104ookk0ok@mail.bg>
References: <20080110115934.fy70cycys0g88g4c@mail.bg> <478656E7.4010606@redhat.com> <20080110224041.ydtrno104ookk0ok@mail.bg>
Message-ID: <47868561.4050809@redhat.com>

useless at mail.bg wrote:
> I am running Fedora 8. The version of java is 1.5.0. I am sorry for
> not mentioning that.
This will not work. You must use the IcedTea Java on Fedora 8.

yum install java-1.7.0-icedtea

Then use java -version to confirm that is the correct one.
>
> This is the output of the command fedora-idm-console -D 9 -f
> console.log : (the file console.log is empty after quitting the
> Management Console Log-in window)
>
> ------------------------------------------------------------------------
>
> java.util.prefs.userRoot=/root/.fedora-idm-console
> path.separator=:
> java.vm.name=GNU libgcj
> java.vm.specification.name=Java(tm) Virtual Machine Specification
> java.runtime.version=1.5.0
> java.util.prefs.systemRoot=/root/.fedora-idm-console
> java.home=/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre
>
This means you're using gcj 1.5, not icedtea java.
>
> java.vm.specification.version=1.0
> line.separator=
>
> http://:80/[0:0] send> Host: :80
>
This looks like some sort of bug in the gcj url parser - it should be localhost:9830, not ":80". icedtea java should not have this problem.
>
> http://:80/[0:0] send> Connection: Keep-Alive
> http://:80/[0:0] send> User-Agent: Fedora-Management-Console/1.1.0
> http://:80/[0:0] send> Accept-Language: en
> http://:80/[0:0] send> Authorization: Basic
> http://:80/[0:0] send> YWRtaW46ZmVkMHJh
> http://:80/[0:0] send>
> http://:80/[0:0] send>
> http://:80/[0:0] recv> HTTP/1.1 400 Bad Request
> http://:80/[0:0] error> HttpException:
> Response: HTTP/1.1 400 Bad Request
> Status: 400
> URL: http:/admin-serv/authenticate
> http://:80/[0:0] close> Closed
>
> ------------------------------------------------------------------------
>
> grep Listen /etc/httpd/conf/httpd.conf returns
> Listen 80
>
> grep Listen /etc/dirsrv/admin-serv/console.conf returns
> # Listen: Allows you to bind Apache to specific IP addresses and/or
> # Change this to Listen on specific IP addresses as shown below to
> # e.g. "Listen 12.34.56.78:80"
> # To allow connections to IPv6 addresses add "Listen [::]:80"
> Listen 0.0.0.0:9830
>
> "localhost" resolves to the same thing as "localhost.localdomain" -
> 127.0.0.1
>
> When I run the command fedora-idm-console -A
> http://localhost:9830/ , the situation is absolutely the same as
> when I execute only fedora-idm-console - the same error message
> appears when I click on the "OK" button (
> http://img108.imageshack.us/my.php?image=snapshot2fi1.png ).
>
> Thank you for the time spent to help me!
From myacc at roundbox.com Thu Jan 10 21:37:06 2008
From: myacc at roundbox.com (Raj Seenivasan)
Date: Thu, 10 Jan 2008 16:37:06 -0500
Subject: [Fedora-directory-users] Admin server startup errors 1.0.4-1 on RHEWS3
In-Reply-To: <477D863E.2010006@redhat.com>
References: <5AD9B0E562FEFB4E933861904D7135C568872A@gdrs-exchange.gdrs.com> <477D863E.2010006@redhat.com>
Message-ID: <9B5524B7-046F-4E76-B3E7-84B0489D4C8E@roundbox.com>

I have a similar problem with the migration from 1.0.4 to 1.1
Please HELP!

Below are the steps I followed and the error msgs.

After doing "yum install fedora-ds" ran the migration script.

[root@ldap log]# migrate-ds.pl -f /tmp/diradm.inf
Beginning migration of directory server instances in /opt/fedora-ds . . .
Your new DS instance 'slapd-ldap' was successfully created.
Directory server migration is complete. Please check output and log files for details.
Exiting . . .
Log file is '/tmp/migrateIOChXC.log'

[root@ldap log]# cat /tmp/migrateIOChXC.log
[08/01/10:15:24:02] - [Migration] Info Beginning migration of directory server instances in /opt/fedora-ds . . .
[08/01/10:15:24:04] - [Migration] Info Your new DS instance 'slapd-ldap' was successfully created.
[08/01/10:15:24:11] - [Migration] Info Copying /opt/fedora-ds/alias/slapd-ldap-cert8.db to /etc/dirsrv/slapd-ldap/cert8.db
[08/01/10:15:24:11] - [Migration] Info Copying /opt/fedora-ds/alias/slapd-ldap-key3.db to /etc/dirsrv/slapd-ldap/key3.db
[08/01/10:15:24:11] - [Migration] Info Copying /opt/fedora-ds/alias/secmod.db to /etc/dirsrv/slapd-ldap/secmod.db
[08/01/10:15:24:11] - [Migration] Info Copying /opt/fedora-ds/alias/slapd-ldap-pin.txt to /etc/dirsrv/slapd-ldap/pin.txt
[08/01/10:15:24:11] - [Migration] Info Copying /opt/fedora-ds/shared/config/certmap.conf to /etc/dirsrv/slapd-ldap/certmap.conf
[08/01/10:15:24:13] - [Migration] Info Directory server migration is complete. Please check output and log files for details.
[08/01/10:15:24:13] - [Migration] Success Exiting . . .
Log file is '/tmp/migrateIOChXC.log'

[root@ldap log]# /etc/init.d/dirsrv status
dirsrv ldap (pid 3971) is running...

slapd starts fine but the admin server has some issues...

[root@ldap log]# /etc/init.d/dirsrv-admin status
dirsrv-admin is stopped

[root@ldap log]# /etc/init.d/dirsrv-admin start
Starting dirsrv-admin: grep: /etc/dirsrv/admin-serv/adm.conf: No such file or directory
/var/run/dirsrv is not writable for
[FAILED]

I tried to run the migrate-ds-admin after doing migrate-ds and below is the error.

[root@ldap /]# migrate-ds-admin.pl -f /tmp/diradm.inf
Beginning migration of Directory and Administration servers from /opt/fedora-ds . . .
Beginning migration of directory server instances in /opt/fedora-ds . . .
The target directory server instance already exists at /etc/dirsrv/slapd-ldap/dse.ldif. Skipping migration. Note that if you want to migrate the old instance you will have to first remove the new one of the same name.

Beginning migration of Administration server from /opt/fedora-ds . . .
Creating Admin Server files and directories . . .
The server 'ldaps://ldap.test.com:636/o=NetscapeRoot' is not reachable. Error: unknown error

Exiting . . .
Log file is '/tmp/migraterXVtnt.log'

[root@ldap /]# cat /var/log/dirsrv/admin-serv/error
[Thu Jan 10 16:15:18 2008] [crit] mod_admserv_post_config(): unable to create AdmldapInfo
Configuration Failed

Also tried to run migrate-ds-admin.pl after a fresh install of 1.1 without executing migrate-ds.pl and the same error showed up.

Please note that I don't have any issues starting/stopping my old instance of fedora-ds and my old instance was completely stopped while performing the above steps.

Thanks.

On Jan 3, 2008, at 8:05 PM, Rich Megginson wrote:

> Ken Marsh wrote:
>>
>> Hi all,
>>
>> I gave up on ES5 64 bit due to the FDS/Apache 2.2 httpd.conf
>> conflicts. I guess I could craft my own httpd.conf, but I'm not
>> feeling creative. :)
>>
>> I've installed fedora-ds-1.0.4-1.RHEL3.i386.opt.rpm on RHEWS3 where
>> it is much happier with the Apache 2.0 worker installed there. Once
>> again the admin server configuration bombed out,
>>
> This is the cause of all of your subsequent problems. If setup fails
> to configure the admin server, it will be practically impossible to
> do anything else with the admin server or console. So let's start
> there. What errors did you get during setup?
>>
>> and I can start a console but it finds on admin server to connect
>> to. Once again, I hacked up the *.conf.tmpl templates, copied up
>> start-admin script and linked the modules and the magic file in
>> from their OS locations. Oh yeah, had to set LD_LIBRARY_PATH to
>> /opt/fedora-ds/bin/slapd/lib .
>>
>> Now when I try to start the admin server, I get no stderr or stdout
>> and an exit value of 1. In the admin-serv/logs/error is:
>>
>> [Thu Jan 03 18:19:53 2008] [error] (1)Operation not permitted:
>> mod_mime_magic: can't read magic file /opt/fedora-ds/admin-serv/conf/magic
>>
>> [Thu Jan 03 18:19:54 2008] [crit] mod_admserv_post_config(): unable
>> to create AdmldapInfo
>>
>> Configuration Failed!
>>
>> [Thu Jan 03 18:57:46 2008] [crit] mod_admserv_post_config(): unable
>> to create AdmldapInfo
>>
>> Configuration Failed!
>>
>> When I try to check on the config information in the DS, I get this
>> error:
>>
>> # ./ldapsearch -b o=netscaperoot -D "cn=directory manager" -w 'mypassword' "objectclass=nsAdminConfig" dn
>>
>> ldap_search: No such object
>>
>> Any ideas? It looked like the admin server setup script bombed out
>> before it populated the directory server (which seems to be
>> running). How do I duplicate what it was supposed to do?
>>
>> Perhaps a deeper question, why does the admin setup script bomb out
>> on two very different architectures?
>>
> This usually has to do with hostname resolution i.e. the hostname
> you chose does not resolve to the configured IP address or vice versa.
>>
>> Thanks,
>>
>> Ken.

From rmeggins at redhat.com Thu Jan 10 22:14:21 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 10 Jan 2008 15:14:21 -0700
Subject: [Fedora-directory-users] Admin server startup errors 1.0.4-1 on RHEWS3
In-Reply-To: <9B5524B7-046F-4E76-B3E7-84B0489D4C8E@roundbox.com>
References: <5AD9B0E562FEFB4E933861904D7135C568872A@gdrs-exchange.gdrs.com> <477D863E.2010006@redhat.com> <9B5524B7-046F-4E76-B3E7-84B0489D4C8E@roundbox.com>
Message-ID: <478698BD.6060905@redhat.com>

Raj Seenivasan wrote:
> I have a similar problem with the migration from 1.0.4 to 1.1
> Please HELP!
>
> Below are the steps I followed and the error msgs.
>
> After doing "yum install fedora-ds" ran the migration script.
>
> [root@ldap log]# migrate-ds.pl -f /tmp/diradm.inf
>
Right. migrate-ds.pl will migrate the directory servers only. Not any of the console or admin server information.
> I tried to run the migrate-ds-admin after doing migrate-ds and below
> is the error.
>
> [root@ldap /]# migrate-ds-admin.pl -f /tmp/diradm.inf
> Beginning migration of Directory and Administration servers from
> /opt/fedora-ds . . .
> Beginning migration of directory server instances in /opt/fedora-ds . . .
> The target directory server instance already exists at
> /etc/dirsrv/slapd-ldap/dse.ldif. Skipping migration. Note that if
> you want to migrate the old instance you will have to first remove the
> new one of the same name.
>
> Beginning migration of Administration server from /opt/fedora-ds . . .
> Creating Admin Server files and directories . . .
> The server 'ldaps://ldap.test.com:636/o=NetscapeRoot' is not
> reachable. Error: unknown error
>
> Exiting . . .
> Log file is '/tmp/migraterXVtnt.log'
>
> [root@ldap /]# cat /var/log/dirsrv/admin-serv/error
> [Thu Jan 10 16:15:18 2008] [crit] mod_admserv_post_config(): unable to
> create AdmldapInfo
> Configuration Failed
>
> Also tried to run migrate-ds-admin.pl after a fresh install of 1.1
> without executing migrate-ds.pl and the same error showed up.
>
> Please note that I don't have any issues starting/stopping my old
> instance of fedora-ds and my old instance was completely stopped while
> performing the above steps.
Take a look at your directory server access log - /var/log/dirsrv/slapd-ldap/access - do you see any SSL connection attempts from around the time of the "The server 'ldaps://ldap.test.com:636/o=NetscapeRoot' is not reachable. Error: unknown error" message?

ls -al /etc/dirsrv/admin-serv

/usr/lib/mozldap/ldapsearch -h ldap.test.com -p 636 -Z -P /etc/dirsrv/admin-serv -s base -b "" "objectclass=*"
>
> Thanks.
>
>
> On Jan 3, 2008, at 8:05 PM, Rich Megginson wrote:
>
>> Ken Marsh wrote:
>>>
>>> Hi all,
>>>
>>> I gave up on ES5 64 bit due to the FDS/Apache 2.2 httpd.conf
>>> conflicts. I guess I could craft my own httpd.conf, but I'm not
>>> feeling creative. :)
>>>
>>> I've installed fedora-ds-1.0.4-1.RHEL3.i386.opt.rpm on RHEWS3 where
>>> it is much happier with the Apache 2.0 worker installed there. Once
>>> again the admin server configuration bombed out,
>>>
>> This is the cause of all of your subsequent problems. If setup fails
>> to configure the admin server, it will be practically impossible to
>> do anything else with the admin server or console. So let's start
>> there. What errors did you get during setup?
>>>
>>> and I can start a console but it finds on admin server to connect
>>> to. Once again, I hacked up the *.conf.tmpl templates, copied up
>>> start-admin script and linked the modules and the magic file in from
>>> their OS locations. Oh yeah, had to set LD_LIBRARY_PATH to
>>> /opt/fedora-ds/bin/slapd/lib .
>>>
>>> Now when I try to start the admin server, I get no stderr or stdout
>>> and an exit value of 1. In the admin-serv/logs/error is:
>>>
>>> [Thu Jan 03 18:19:53 2008] [error] (1)Operation not permitted:
>>> mod_mime_magic: can't read magic file
>>> /opt/fedora-ds/admin-serv/conf/magic
>>>
>>> [Thu Jan 03 18:19:54 2008] [crit] mod_admserv_post_config(): unable
>>> to create AdmldapInfo
>>>
>>> Configuration Failed!
>>>
>>> [Thu Jan 03 18:57:46 2008] [crit] mod_admserv_post_config(): unable
>>> to create AdmldapInfo
>>>
>>> Configuration Failed!
>>>
>>> When I try to check on the config information in the DS, I get this
>>> error:
>>>
>>> # ./ldapsearch -b o=netscaperoot -D "cn=directory manager" -w
>>> 'mypassword' "objectclass=nsAdminConfig" dn
>>>
>>> ldap_search: No such object
>>>
>>> Any ideas? It looked like the admin server setup script bombed out
>>> before it populated the directory server (which seems to be
>>> running).
>>> How do I duplicate what it was supposed to do?
>>>
>>> Perhaps a deeper question, why does the admin setup script bomb out
>>> on two very different architectures?
>>>
>> This usually has to do with hostname resolution i.e. the hostname you
>> chose does not resolve to the configured IP address or vice versa.
>>>
>>> Thanks,
>>>
>>> Ken.
>>>

From useless at mail.bg Thu Jan 10 22:20:45 2008
From: useless at mail.bg (useless at mail.bg)
Date: Fri, 11 Jan 2008 00:20:45 +0200
Subject: [Fedora-directory-users] Fedora Directory Server 1.1 : Cannot log in the Management Console (Solved)
In-Reply-To: <47868561.4050809@redhat.com>
References: <20080110115934.fy70cycys0g88g4c@mail.bg> <478656E7.4010606@redhat.com> <20080110224041.ydtrno104ookk0ok@mail.bg> <47868561.4050809@redhat.com>
Message-ID: <20080111002045.w8yb6yrackkk0008@mail.bg>

> This will not work. You must use the IcedTea Java on Fedora 8.
> yum install java-1.7.0-icedtea
> Then use java -version to confirm that is the correct one.

This solved the problem! Thanks a lot!

From rmeggins at redhat.com Thu Jan 10 23:15:48 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 10 Jan 2008 16:15:48 -0700
Subject: [Fedora-directory-users] Error -8127 with hardware acceleration/Token
In-Reply-To: <7273b1170801091306p1a30a760s9a93ce283437df7f@mail.gmail.com>
References: <7273b1170801091306p1a30a760s9a93ce283437df7f@mail.gmail.com>
Message-ID: <4786A724.1090001@redhat.com>

Yann Cloatre wrote:
> Hello all,
>
> I use DS Fedora LDAP on Solaris 9.
> I try to use a crypto accelerator 4000 board (SUN) with Fedora.
> (FYI;
> http://www.sun.com/products/networking/sslaccel/suncryptoaccel4000/index.xml
> )
>
> I've a certificate store on the board, with a certificates inside.
> User is define on the board to access this certificate store.
>
> I patched Fedora with a modified script from SUN to enabled this
> certificate store in Sun One server.
> It's work and i can see 3 certificates store in the window "Manage
> Certificate" :
> - Internal (Software)
> - Acceleration only (Sun Doc don't selected this one, FYI
> http://docs.sun.com/app/docs/coll/crypto-accel4000 mine is 1.1 for
> Solaris 9)
> - MYCERTIFICATESTORE
>
> In GUI, each time Fedora need to access inside MYCERTIFICATESTORE, ask
> me a password. It's the password define in the accelerator board. So,
> i enter in the password box ; "user:password" and Fedora display the
> related information.
>
> So everything is ok, i can enable encryption and select my certificate
> in MYCERTIFICATESTORE for LDAPs.
>
> But, when i try to restart Fedora ;
>
> [09/Jan/2008:19:34:55 +0000] - SSL alert: Security Initialization:
> Unable to find slot (Netscape Portable Runtime error -8127 - The
> security card or token does not exist, needs to be initialized, or has
> been removed.)
> [09/Jan/2008:19:34:55 +0000] - ERROR: SSL Initialization Failed
>
> I try to define password in the slapd-servname-pin.txt in alias
> directory with a format like ;
> Internal (Software) Token:password
> MYCERTIFICATESTORE:ldap-admin:password0
>
> But nothing, impossible to restart. Perhaps, the problem is related to
> the password format (ldap-admin:password0), but i must provide
> username and password to Fedora if the application want access the token.
> It's work well in GUI interface and i don't understand why Fedora
> seems to not find my token at startup ?
Did you try just using
MYCERTIFICATESTORE:password
?
>
> Help appreciate.
>
> Thank you.
>

From chee.benny at gmail.com Fri Jan 11 10:39:49 2008
From: chee.benny at gmail.com (Benny Chee)
Date: Fri, 11 Jan 2008 18:39:49 +0800
Subject: [Fedora-directory-users] Replace userPassword using crypt()
Message-ID: <700685de0801110239x17a03a16va83ea6a937f8ea99@mail.gmail.com>

Hi,

I'm writing a script to synchronize my user's password inside LDAP with a unix passwd file. Is there a way to insert the crypt passwd inside the unix passwd file directly into LDAP using ldapmodify

userPassword: {crypt}"whatever appears inside /etc/passwd" ?

dn:uid=roger,ou=abc.com,dc=foo,dc=com
givenName: rico
objectClass: top person organizationalPerson inetorgperson
sn: rico
cn: rico
uid: roger
userPassword: {crypt}HU1bbqwvbXJUY

--
benny

From cbruiz at gmail.com Fri Jan 11 11:26:25 2008
From: cbruiz at gmail.com (Carlos Barrales Ruiz)
Date: Fri, 11 Jan 2008 12:26:25 +0100
Subject: [Fedora-directory-users] DS Failed to start [Solved]
In-Reply-To:
References: <4782765C.70605@redhat.com> <47829AA1.5040806@redhat.com> <4782A98C.2040206@redhat.com>
Message-ID:

On 08/01/2008, at 18:51, kiran madala wrote:

>
> I changed the DS URL in adm.conf file from usual ldap to ldaps and
> port 636. now when i restart my admin server this is the error i get.
>
> /usr/sbin/start-ds-admin: line 66: 3158 Segmentation fault
> $SELINUX_CMD $HTTPD $OMIT_DEFLATE -k start -f /etc/dirsrv/admin-serv/
> httpd.conf "$@"
>
> What could be the issue?

We had the problem again so this time we diff our package versions and after inspecting them, the problem seems to be originated by glibc, so:

Upgrade glibc to at least 2.5.18 last available release.

In our case: glibc-2.5-18.el5_1.1

We also upgraded selinux-policies, mozldap and mozldap-tools to .5 revision. (6.0.5)

I hope it works for you.

Regards.

--
Carlos

From j.barber at dundee.ac.uk Fri Jan 11 13:49:24 2008
From: j.barber at dundee.ac.uk (Jonathan Barber)
Date: Fri, 11 Jan 2008 13:49:24 +0000
Subject: [Fedora-directory-users] Samba + FDS Problem adding Administrator account "Username not found"
In-Reply-To: <43806ba60801100601p5b7df90br94547593dd7fcf5@mail.gmail.com>
References: <43806ba60801091208oa032379k90414833ee77275e@mail.gmail.com> <20080110100151.GB15404@flea.lifesci.dundee.ac.uk> <43806ba60801100601p5b7df90br94547593dd7fcf5@mail.gmail.com>
Message-ID: <20080111134923.GF8451@flea.lifesci.dundee.ac.uk>

On Thu, Jan 10, 2008 at 09:01:44AM -0500, Gary Martin wrote:
> On Jan 10, 2008 5:01 AM, Jonathan Barber wrote:
> > On Wed, Jan 09, 2008 at 03:08:59PM -0500, Gary Martin wrote:
> > > I am following the instructions in the Howto:Samba documentation on
> > > the FDS Wiki site.
> > > When I go to edit the Administrator account using
> > > the following command:
> >
> > [snip]

[snip]

> How do I add these manually since samba did not do it for me.

This is an example of a user that works with Samba 3.0.25b (on RHEL4):

dn: cn=jbarber,ou=edir,ou=people,ou=lifesci,o=dundee
objectClass: sambasamaccount
objectClass: posixaccount
objectClass: top
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: person
cn: jbarber
sn: Barber
uidNumber: 5023
gidNumber: 1011
loginShell: /bin/bash
uid: jbarber
uid: jon
homeDirectory: /homes/jon
sambaPwdCanChange: 1194276885
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-1279830386-3947966166-4038294555-11046
sambaPwdLastSet: 1197029450
sambaAcctFlags: [UX ]

--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389

From kmarsh at gdrs.com Fri Jan 11 14:19:53 2008
From: kmarsh at gdrs.com (Ken Marsh)
Date: Fri, 11 Jan 2008 09:19:53 -0500
Subject: [Fedora-directory-users] Announcing Fedora Directory Server 1.1.0
Message-ID: <5AD9B0E562FEFB4E933861904D7135C56889AE@gdrs-exchange.gdrs.com>

Rich wrote:

>Note the url contains "5Server" not "6" - see
>http://directory.fedoraproject.org/wiki/Download#Enterprise_Linux_5

Thanks, I missed that.

-Ken.

From pub at cloatre.com Fri Jan 11 14:29:40 2008
From: pub at cloatre.com (Yann Cloatre)
Date: Fri, 11 Jan 2008 09:29:40 -0500
Subject: [Fedora-directory-users] Error -8127 with hardware acceleration/Token
Message-ID: <7273b1170801110629q41717daeue8232c55c4c81289@mail.gmail.com>

>
> Did you try just using
> MYCERTIFICATESTORE:password
> ?
>

Yes, i tried. Same error at startup.
It doesn't work, and can't work, because the board doesn't provide access to the certificate store if you don't pass the couple username:password. Like i can do in the GUI...

From kmarsh at gdrs.com Fri Jan 11 14:29:46 2008
From: kmarsh at gdrs.com (Ken Marsh)
Date: Fri, 11 Jan 2008 09:29:46 -0500
Subject: [Fedora-directory-users] Admin server startup errors 1.0.4-1 on RHEWS3
Message-ID: <5AD9B0E562FEFB4E933861904D7135C56889B1@gdrs-exchange.gdrs.com>

Rich,

At this point I have three working multi-master'ed servers (the original 7.1, an ES5.1/64bit and a EWS3/32bit), and am already using them as fallbacks for authentication, so I don't really want to reinstall again just to the error message again. Sorry.

Suffice it to say that while installing 1.0.4-1 on any of my systems, answering "yes" to either question (register admin to the 7.1 Admin Server or storing configs in the 7.1 DS) causes an early and complete failure to config the Admin on the 1.0.4-1 system. Since I am sure this works for others, I must have a "poison pill" in my 7.1 DS somewhere.

-Ken.

From rmeggins at redhat.com Fri Jan 11 16:29:46 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 11 Jan 2008 09:29:46 -0700
Subject: [Fedora-directory-users] Admin server startup errors 1.0.4-1 on RHEWS3
In-Reply-To: <5AD9B0E562FEFB4E933861904D7135C56889B1@gdrs-exchange.gdrs.com>
References: <5AD9B0E562FEFB4E933861904D7135C56889B1@gdrs-exchange.gdrs.com>
Message-ID: <4787997A.6010000@redhat.com>

Ken Marsh wrote:
>
> Rich,
>
> At this point I have three working multi-master'ed servers (the
> original 7.1, an ES5.1/64bit and a EWS3/32bit), and am already using
> them as fallbacks for authentication, so I don't really want to
> reinstall again just to the error message again. Sorry.
>
> Suffice it to say that while installing 1.0.4-1 on any of my systems,
> answering "yes"
> to either question (register admin to the 7.1 Admin
> Server or storing configs in the 7.1 DS) causes an early and complete
> failure to config the Admin on the 1.0.4-1 system. Since I am sure
> this works for others, I must have a "poison pill" in my 7.1 DS somewhere.
>
I've tried this and the main thing I see is the inability to specify the AdminDomain using Typical mode. If you see this again, please let me know.
>
> -Ken.
>

From kirankmadala at hotmail.com Fri Jan 11 20:36:50 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Fri, 11 Jan 2008 16:36:50 -0400
Subject: [Fedora-directory-users] Fedora 1.1 source
Message-ID:

Hi,

Where can I get the source for FDS 1.1? I am particularly looking at the Windows Sync module

From rmeggins at redhat.com Fri Jan 11 21:03:49 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 11 Jan 2008 14:03:49 -0700
Subject: [Fedora-directory-users] Fedora 1.1 source
In-Reply-To:
References:
Message-ID: <4787D9B5.20609@redhat.com>

kiran madala wrote:
> Hi,
>
> Where can I get the source for FDS 1.1?
> I am particularly looking at the Windows Sync module
>
tarballs and cvs information -
http://directory.fedoraproject.org/wiki/Source - the fedora-ds-base module
or
http://cvs.fedoraproject.org/viewcvs/ldapserver/ldap/servers/plugins/replication/?root=dirsec
The windows sync code is part of the replication code - just look for
files beginning with "windows"

From glenn.prigent at capgemini.com Mon Jan 14 09:59:20 2008
From: glenn.prigent at capgemini.com (Prigent, Glenn)
Date: Mon, 14 Jan 2008 10:59:20 +0100
Subject: [Fedora-directory-users] Trouble installing fds on debian 4
Message-ID: <1D2F19921E260A42A154AFBA3C5C20869083F2@CORPMAIL33.corp.capgemini.com>

Hello,

I have trouble installing fds on a debian 4.

The installation complete well but when I start fds I have an exception.

../startconsole -u admin -a http://localhost:64233/
java.lang.ExceptionInInitializerError
caused by java/lang/ArrayIndexOutOfBoundsException:
   at com.netscape.management.client.util.ResourceSet$StackLookup.getLoader (source file unknown:line unknown, pc 0x85bc45e)
   at com.netscape.management.client.util.ResourceSet. (source file unknown:line unknown, pc 0x85bf0e2)
   at com.netscape.management.client.util.ResourceSet. (source file unknown:line unknown, pc 0x8589a68)
   at com.netscape.management.client.console.Console.
(source file unknown:line unknown, pc 0x85ba276)
caused by: java.lang.ArrayIndexOutOfBoundsException
   at com.netscape.management.client.util.ResourceSet$StackLookup.getLoader (source file unknown:line unknown, pc 0x85bc45e)
   at com.netscape.management.client.util.ResourceSet. (source file unknown:line unknown, pc 0x85bf0e2)
   at com.netscape.management.client.util.ResourceSet. (source file unknown:line unknown, pc 0x8589a68)
   at com.netscape.management.client.console.Console. (source file unknown:line unknown, pc 0x85ba276)
java.lang.ArrayIndexOutOfBoundsException
   at com.netscape.management.client.util.ResourceSet$StackLookup.getLoader (source file unknown:line unknown, pc 0x85bc45e)
   at com.netscape.management.client.util.ResourceSet. (source file unknown:line unknown, pc 0x85bf0e2)
   at com.netscape.management.client.util.ResourceSet. (source file unknown:line unknown, pc 0x8589a68)
   at com.netscape.management.client.console.Console. (source file unknown:line unknown, pc 0x85ba276)

Has anyone succeeded installing fds on debian ?
Can anyone help me ?

Thank you.

Glenn Prigent

From kirankmadala at hotmail.com Mon Jan 14 14:53:54 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Mon, 14 Jan 2008 10:53:54 -0400
Subject: [Fedora-directory-users] Fedora 1.1 source
In-Reply-To: <4787D9B5.20609@redhat.com>
References: <4787D9B5.20609@redhat.com>
Message-ID:

Thanks a lot I got that.
Got another question where can I find the code that stores the values obtained from Active Directory in Fedora database?
and also how are the values stored like the database tables and design.

Thanks
----------------------------------------
> Date: Fri, 11 Jan 2008 14:03:49 -0700
> From: rmeggins at redhat.com
> To: fedora-directory-users at redhat.com
> Subject: Re: [Fedora-directory-users] Fedora 1.1 source
>
> kiran madala wrote:
>> Hi,
>>
>> Where can I get the source for FDS 1.1? I am particularly looking at the Windows Sync module
>>
> tarballs and cvs information -
> http://directory.fedoraproject.org/wiki/Source - the fedora-ds-base module
> or
> http://cvs.fedoraproject.org/viewcvs/ldapserver/ldap/servers/plugins/replication/?root=dirsec
> The windows sync code is part of the replication code - just look for
> files beginning with "windows"

From rmeggins at redhat.com Mon Jan 14 15:11:37 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 14 Jan 2008 08:11:37 -0700
Subject: [Fedora-directory-users] Fedora 1.1 source
In-Reply-To:
References: <4787D9B5.20609@redhat.com>
Message-ID: <478B7BA9.4080703@redhat.com>

kiran madala wrote:
> Thanks a lot I got that. Got another question where can I find the code that stores the values obtained from Active Directory in Fedora database?
http://cvs.fedoraproject.org/viewcvs/ldapserver/ldap/servers/plugins/replication/?root=dirsec
The windows sync code is part of the replication code - just look for
files beginning with "windows"
> and also how are the values stored like the database tables and design.
>
The windows sync code does this:
1) issues an LDAP search request with the DirSync control
2) reads and parses the results
3) uses internal SLAPI calls to write the data into the Fedora DS data store

It's all there in the code above.
> Thanks
> ----------------------------------------
>
>> Date: Fri, 11 Jan 2008 14:03:49 -0700
>> From: rmeggins at redhat.com
>> To: fedora-directory-users at redhat.com
>> Subject: Re: [Fedora-directory-users] Fedora 1.1 source
>>
>> kiran madala wrote:
>>
>>> Hi,
>>>
>>> Where can I get the source for FDS 1.1? I am particularly looking at the Windows Sync module
>>>
>>>
>> tarballs and cvs information -
>> http://directory.fedoraproject.org/wiki/Source - the fedora-ds-base module
>> or
>> http://cvs.fedoraproject.org/viewcvs/ldapserver/ldap/servers/plugins/replication/?root=dirsec
>> The windows sync code is part of the replication code - just look for
>> files beginning with "windows"

From gene.poole at macys.com Mon Jan 14 18:19:49 2008
From: gene.poole at macys.com (Gene Poole)
Date: Mon, 14 Jan 2008 13:19:49 -0500
Subject: [Fedora-directory-users] Fedora DS 1.1 on Fedora 8
Message-ID:

Is it mandatory to install Fedora DS 1.1 via RPM on Fedora 8? Does the RPM
install it in /opt/fedora-ds? I attempted to use an older version for
Fedora Core 6 and although it would install, it was unusable as it wouldn't
work with Apache HTTPD 2.2.6. What are your suggestions?

Thanks,
Gene Poole

From rmeggins at redhat.com Mon Jan 14 18:28:29 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 14 Jan 2008 11:28:29 -0700
Subject: [Fedora-directory-users] Fedora DS 1.1 on Fedora 8
In-Reply-To:
References:
Message-ID: <478BA9CD.2080509@redhat.com>

Gene Poole wrote:
> Is it mandatory to install Fedora DS 1.1 via RPM on Fedora 8?
It will be difficult to install all of the separate RPMs. Better to use "yum install fedora-ds" instead.
http://directory.fedoraproject.org/wiki/Release_Notes
> Does the RPM
> install it in /opt/fedora-ds?
No - it now installs in the usual FHS places - see http://directory.fedoraproject.org/wiki/FHS_Packaging
> I attempted to use an older version for
> Fedora Core 6 and although it would install, it was unusable as it wouldn't
> work with Apache HTTPD 2.2.6.
What were the errors you encountered? The Fedora DS 1.0.4 for FC6 should work with Apache 2.2, unless F8 has an updated 2.2 that is not compatible with the Apache 2.2 included with FC6.
> What are your suggestions?
>
Fedora DS 1.1, installed via yum
> Thanks,
> Gene Poole
>

From ankur_agwal at yahoo.com Mon Jan 14 21:53:09 2008
From: ankur_agwal at yahoo.com (Ankur Agarwal)
Date: Mon, 14 Jan 2008 13:53:09 -0800 (PST)
Subject: [Fedora-directory-users] Migrate users from Netscape LDAP to Red Hat DS
Message-ID: <996941.64244.qm@web54106.mail.re2.yahoo.com>

Hi,

We want to migrate users from Netscape LDAP to RedHat DS. On RedHat we have created a similar schema (as existing on netscape) and now plan to export LDIF from Netscape and import that into RedHat DS. This should work fine but what will happen to the user passwords since in the export they will be hashed. Will they get successfully imported into RedHat or will they get rehashed during the import thus spoiling the migration.

Please advise how should we plan user migration using some simple mechanism.

regards,
Ankur

From rmeggins at redhat.com Mon Jan 14 21:55:04 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 14 Jan 2008 14:55:04 -0700
Subject: [Fedora-directory-users] Migrate users from Netscape LDAP to Red Hat DS
In-Reply-To: <996941.64244.qm@web54106.mail.re2.yahoo.com>
References: <996941.64244.qm@web54106.mail.re2.yahoo.com>
Message-ID: <478BDA38.4000803@redhat.com>

Ankur Agarwal wrote:
> Hi,
>
> We want to migrate users from Netscape LDAP to RedHat DS.
> On RedHat we
> have created a similar schema (as existing on netscape) and now plan
> to export LDIF from Netscape and import that into RedHat DS. This
> should work fine but what will happen to the user passwords since in
> the export they will be hashed. Will they get successfully imported
> into RedHat or will they get rehashed during the import thus spoiling
> the migration.
They will be migrated. Red Hat DS should support all of the password hashing schemes used by Netscape DS (unless you are using crypt or a custom scheme).
>
> Please advise how should we plan user migration using some simple
> mechanism.
>
> regards,
> Ankur
>

From ankur_agwal at yahoo.com Mon Jan 14 22:00:10 2008
From: ankur_agwal at yahoo.com (Ankur Agarwal)
Date: Mon, 14 Jan 2008 14:00:10 -0800 (PST)
Subject: [Fedora-directory-users] Migrate users from Netscape LDAP to Red Hat DS
In-Reply-To: <478BDA38.4000803@redhat.com>
Message-ID: <174111.66022.qm@web54110.mail.re2.yahoo.com>

Thanks Richard!

But how does Red Hat DS know that it need not rehash the password?

e.g. Suppose I create a ldif file saying:
userPassword=testppassword

and export another ldif:
userPassword=xyzRR$#==

First one is in plain english since I create that and second one is in hashed format because I have exported an existing user. Now if i import these 2 to another Red Hat instance how will that new instance know that second one is already hashed?

regards,
Ankur

Rich Megginson wrote:
Ankur Agarwal wrote:
> Hi,
>
> We want to migrate users from Netscape LDAP to RedHat DS. On RedHat we
> have created a similar schema (as existing on netscape) and now plan
> to export LDIF from Netscape and import that into RedHat DS. This
> should work fine but what will happen to the user passwords since in
> the export they will be hashed. Will they get successfully imported
> into RedHat or will they get rehashed during the import thus spoiling
> the migration.
They will be migrated. Red Hat DS should support all of the password hashing schemes used by Netscape DS (unless you are using crypt or a custom scheme).
>
> Please advise how should we plan user migration using some simple
> mechanism.
>
> regards,
> Ankur
>

From rmeggins at redhat.com Mon Jan 14 22:20:02 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 14 Jan 2008 15:20:02 -0700
Subject: [Fedora-directory-users] Migrate users from Netscape LDAP to Red Hat DS
In-Reply-To: <174111.66022.qm@web54110.mail.re2.yahoo.com>
References: <174111.66022.qm@web54110.mail.re2.yahoo.com>
Message-ID: <478BE012.7030806@redhat.com>

Ankur Agarwal wrote:
> Thanks Richard!
>
> But how does Red Hat DS know that it need not rehash the password?
Bec
>
> e.g.
> Suppose I create a ldif file saying:
> userPassword=testppassword
>
> and export another ldif:
> userPassword=xyzRR$#==
>
> First one is in plain english since I create that and second one is in
> hashed format because I have exported an existing user. Now if i
> import these 2 to another Red Hat instance how will that new instance
> know that second one is already hashed?
Usually when you export entries using db2ldif you will get LDIF like this:

dn: uid=scarter,....
....
userPassword: {SSHA}ls089x08sd090808sd08=
...

If you import this into RHDS, RHDS will see that userPassword is already hashed using SSHA and will just use the value.

If you are getting the userPassword values some other way, you can just set the value to {scheme}base64password e.g. {SSHA}lsdf098asdf8z908023lj=
>
> regards,
> Ankur
>
>
> */Rich Megginson /* wrote:
>
> Ankur Agarwal wrote:
> > Hi,
> >
> > We want to migrate users from Netscape LDAP to RedHat DS. On RedHat we
> > have created a similar schema (as existing on netscape) and now plan
> > to export LDIF from Netscape and import that into RedHat DS. This
> > should work fine but what will happen to the user passwords since in
> > the export they will be hashed. Will they get successfully imported
> > into RedHat or will they get rehashed during the import thus spoiling
> > the migration.
> They will be migrated. Red Hat DS should support all of the password
> hashing schemes used by Netscape DS (unless you are using crypt or a
> custom scheme).
> >
> > Please advise how should we plan user migration using some simple
> > mechanism.
> >
> > regards,
> > Ankur

From Steven.Jones at vuw.ac.nz Tue Jan 15 00:34:55 2008
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 15 Jan 2008 13:34:55 +1300
Subject: [Fedora-directory-users] Restarting fds on a new IP address
In-Reply-To: <9ee13d4f0712181449q4fb5da6mdd028c1716f4c6da@mail.gmail.com>
Message-ID:

Hi,

I have just restarted the fds server on its new production subnet and now the fds console (admin server) cannot be connected to....

What do I have to do to get it to run on the new IP?

From the error logs I have,

=========
[15/Jan/2008:13:25:35 +1300] - Fedora-Directory/1.0.4 B2006.312.435 starting up
[15/Jan/2008:13:25:35 +1300] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[15/Jan/2008:13:25:35 +1300] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[15/Jan/2008:13:25:35 +1300] - Failed to initialize cipher AES in attrcrypt_init
[15/Jan/2008:13:25:35 +1300] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[15/Jan/2008:13:25:35 +1300] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[15/Jan/2008:13:25:35 +1300] - Failed to initialize cipher AES in attrcrypt_init
[15/Jan/2008:13:25:35 +1300] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[15/Jan/2008:13:25:35 +1300] - Listening on All Interfaces port 636 for LDAPS requests
========

regards

Steven Jones

From Steven.Jones at vuw.ac.nz Tue Jan 15 00:50:28 2008
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 15 Jan 2008 13:50:28 +1300
Subject: [Fedora-directory-users] Restarting fds on a new IP address
In-Reply-To:
Message-ID:

Scratch that....iptables blocking :/

Doh

regards

Steven Jones

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Steven Jones
Sent: Tuesday, 15 January 2008 1:35 p.m.
To: General discussion list for the Fedora Directory server project.
Subject: [Fedora-directory-users] Restarting fds on a new IP address

Hi,

I have just restarted the fds server on its new production subnet and now the fds console (admin server) cannot be connected to....

What do I have to do to get it to run on the new IP?

From the error logs I have,

=========
[15/Jan/2008:13:25:35 +1300] - Fedora-Directory/1.0.4 B2006.312.435 starting up
[15/Jan/2008:13:25:35 +1300] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[15/Jan/2008:13:25:35 +1300] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[15/Jan/2008:13:25:35 +1300] - Failed to initialize cipher AES in attrcrypt_init
[15/Jan/2008:13:25:35 +1300] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[15/Jan/2008:13:25:35 +1300] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[15/Jan/2008:13:25:35 +1300] - Failed to initialize cipher AES in attrcrypt_init
[15/Jan/2008:13:25:35 +1300] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[15/Jan/2008:13:25:35 +1300] - Listening on All Interfaces port 636 for LDAPS requests
========

regards

Steven Jones

From yinyang at eburg.com Tue Jan 15 03:00:21 2008
From: yinyang at eburg.com (Gordon Messmer)
Date: Mon, 14 Jan 2008 19:00:21 -0800
Subject: [Fedora-directory-users] ConfigFile for silent install
Message-ID: <478C21C5.2060003@eburg.com>

The documentation doesn't seem to be very clear about the expected contents of files specified via ConfigFile in the inf files used for silent installs.

For example, I want to change the aci on the VLV feature, so if I try this in a ConfigFile:

dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
cn: VLV Request Control
aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read, search, compare, proxy ) userdn = "ldap:///anyone";)

...the server setup fails. I get this output:

Error adding entry 'oid=2.16.840.1.113730.3.4.9,cn=features,cn=config'. Error: No such object
Error: Could not create directory server instance 'master1'.
Exiting . . .

If, instead, I use a format suitable for ldapmodify, like this:

dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
changetype: modify
replace: aci
aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read, search, compare, proxy ) userdn = "ldap:///anyone";)

The server doesn't complain, but it appears to have no effect at all.

What should the ConfigFile look like?

From abnormaliti at clivepeeters.com.au Tue Jan 15 06:58:06 2008
From: abnormaliti at clivepeeters.com.au (Ben)
Date: Tue, 15 Jan 2008 17:58:06 +1100
Subject: [Fedora-directory-users] Paged Results support?
Message-ID: <478C597E.8070701@clivepeeters.com.au>

Does FDS support Paged Results?

I ask this because with FDS configured with "nsslapd-sizelimit: 2000" and a client search configured to return 1000 results per page it appears that 2000 results are returned and a "Sizelimit exceeded" error is returned by the server.

Attached is a perl snippet to test paged results.

Thanks,

Ben
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: perl_ldap_search.txt
URL:

From chee.benny at gmail.com Tue Jan 15 09:22:01 2008
From: chee.benny at gmail.com (Benny Chee)
Date: Tue, 15 Jan 2008 17:22:01 +0800
Subject: [Fedora-directory-users] Create a duplicate cn=directory manager
Message-ID: <700685de0801150122o55a9dde2g75c47da62272b0f5@mail.gmail.com>

Hi,

Is it possible to create a direct replica (separately named) of "cn=directory manager" on the FDS? I want to differentiate different admin getting into the system. How do I do it?

benny
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rmeggins at redhat.com Tue Jan 15 15:17:02 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 15 Jan 2008 08:17:02 -0700
Subject: [Fedora-directory-users] Create a duplicate cn=directory manager
In-Reply-To: <700685de0801150122o55a9dde2g75c47da62272b0f5@mail.gmail.com>
References: <700685de0801150122o55a9dde2g75c47da62272b0f5@mail.gmail.com>
Message-ID: <478CCE6E.9000002@redhat.com>

Benny Chee wrote:
> Hi,
>
> Is it possible to create a direct replica (separately named) of
> "cn=directory manager" on the FDS? I want to differentiate different
> admin getting into the system. How do I do it?

You'll have to use ACIs. There is only 1 directory manager user. For examples, see how the ACIs are set up to allow access to the console admin user, who mostly has root privileges on the directory server.

>
> benny

From rmeggins at redhat.com Tue Jan 15 15:18:02 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 15 Jan 2008 08:18:02 -0700
Subject: [Fedora-directory-users] Paged Results support?
In-Reply-To: <478C597E.8070701@clivepeeters.com.au>
References: <478C597E.8070701@clivepeeters.com.au>
Message-ID: <478CCEAA.6000208@redhat.com>

Ben wrote:
> Does FDS support Paged Results?
>
> I ask this because with FDS configured with "nsslapd-sizelimit: 2000"
> and a client search configured to return 1000 results per page it
> appears that 2000 results are returned and a "Sizelimit exceeded"
> error is returned by the server.

Fedora DS does not support the LDAPv3 Paged Results feature.
Fedora DS does support VLV (Virtual List View) which can be used to page through many entries. This is what the console refers to as a "Browsing Index".

>
> Attached is a perl snippet to test paged results.
>
> Thanks,
>
> Ben

From rmeggins at redhat.com Tue Jan 15 15:21:14 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 15 Jan 2008 08:21:14 -0700
Subject: [Fedora-directory-users] ConfigFile for silent install
In-Reply-To: <478C21C5.2060003@eburg.com>
References: <478C21C5.2060003@eburg.com>
Message-ID: <478CCF6A.3020709@redhat.com>

Gordon Messmer wrote:
> The documentation doesn't seem to be very clear about the expected
> contents of files specified via ConfigFile in the inf files used for
> silent installs.
>
> For example, I want to change the aci on the VLV feature, so if I try
> this in a ConfigFile:
>
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> objectClass: top
> objectClass: directoryServerFeature
> oid: 2.16.840.1.113730.3.4.9
> cn: VLV Request Control
> aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control";
> allow( read, search, compare, proxy ) userdn = "ldap:///anyone";)
>
> ...the server setup fails. I get this output:
>
> Error adding entry
> 'oid=2.16.840.1.113730.3.4.9,cn=features,cn=config'. Error: No such
> object
> Error: Could not create directory server instance 'master1'.
> Exiting . . .

I think that entry is added dynamically at server startup. You may have to add the cn=features entry first in your LDIF file. Even then it may not work if the server is not expecting that entry to be there.
So in your LDIF file:

dn: cn=features, cn=config
objectclass: top
objectclass: nsContainer
cn: features

dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
...

If that still doesn't work, then it is a bug.

>
> If, instead, I use a format suitable for ldapmodify, like this:
>
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> changetype: modify
> replace: aci
> aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control";
> allow( read, search, compare, proxy ) userdn = "ldap:///anyone";)
>
> The server doesn't complain, but it appears to have no effect at all.
>
> What should the ConfigFile look like?

From garcia_juafer at gva.es Tue Jan 15 15:28:48 2008
From: garcia_juafer at gva.es (Alberto)
Date: Tue, 15 Jan 2008 16:28:48 +0100
Subject: [Fedora-directory-users] Replication Master Hub
Message-ID: <032b01c8578b$53391660$0661a8c0@nt.tra.gva.es>

The problem is the following, in our organization we have a master servant and other in mode Hub, we have some classrooms of objects created with his attributes, example classroom of object CBSPERSONAL, with attributes apellido1, apellido2, name, mail, telephone.

When reply brings into existence a user in the teacher itself perfectly and in the hub I can modify his attributes, the problem comes when in the teacher I create a classroom's object CBSPERSONAL, and one answers back well in the hub, but when I attempt modifying this object in the hub he gives me the following message:

LDAP server is unwilling to perform; Cannot update referral.

If in the hub I modify any object that he not come from a classroom of object created it works correctly.

The two servants share the same card index 99user.ldif

From andrey.ivanov at polytechnique.fr Tue Jan 15 18:04:34 2008
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Tue, 15 Jan 2008 19:04:34 +0100
Subject: [Fedora-directory-users] Replication Master Hub
In-Reply-To: <032b01c8578b$53391660$0661a8c0@nt.tra.gva.es>
References: <032b01c8578b$53391660$0661a8c0@nt.tra.gva.es>
Message-ID: <1601b8650801151004r10d34922ydbef139a62afd8fd@mail.gmail.com>

I was looking through the wishlist ( http://directory.fedoraproject.org/wiki/Wishlist) and I haven't found the feature that would be rather useful: ModifyDN with new superior, in other words rename/move entry outside the current ou. It would be rather useful for the management of people entering and leaving the organisation. For example, a student during his studies is in the "ou=Students, ou=People,..." and when he/she leaves we need to move his/her entry to "ou=Alumni,ou=People,...". As for now, we have to make a script that reads all the attributes, deletes the original entry and then adds a new entry in the new "ou". So this feature would greatly simplify our life :)

Thank you

Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55
Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France

From garcia_juafer at gva.es Tue Jan 15 18:48:40 2008
From: garcia_juafer at gva.es (Alberto)
Date: Tue, 15 Jan 2008 19:48:40 +0100
Subject: [Fedora-directory-users] Multimasters
Message-ID: <03bf01c857a7$3eb05e80$0661a8c0@nt.tra.gva.es>

In my organization I have 2 multi-teachers brought into existence with the script mmr.pl, I have the need to add another, as I can accomplish it. Can the mmr.pl bring into existence with the script 4 multi-teachers itself? Does he eat is able to to him crar 4 multi-teachers?

From rmeggins at redhat.com Tue Jan 15 19:07:49 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 15 Jan 2008 12:07:49 -0700
Subject: [Fedora-directory-users] Replication Master Hub
In-Reply-To: <032b01c8578b$53391660$0661a8c0@nt.tra.gva.es>
References: <032b01c8578b$53391660$0661a8c0@nt.tra.gva.es>
Message-ID: <478D0485.7030601@redhat.com>

Alberto wrote:
>
> The problem is the following, in our organization we have a master
> servant and other in mode Hub, we have some classrooms of objects
> created with his attributes, example classroom of object CBSPERSONAL,
> with attributes apellido1, apellido2, name, mail, telephone.
>
> When reply brings into existence a user in the teacher itself
> perfectly and in the hub I can modify his attributes, the problem
> comes when in the teacher I create a classroom's object CBSPERSONAL,
> and one answers back well in the hub, but when I attempt modifying
> this object in the hub he gives me the following message:
>
> LDAP server is unwilling to perform; Cannot update referral.
>

What application are you using to edit the entries on the hub? The hub will send back a referral to a master if you attempt to modify a replicated entry on the hub. The client must be able to follow the referral.

>
> If in the hub I modify any object that he not come from a classroom of
> object created it works correctly.
>

That is, the client gets the referral and handles it correctly?

>
> The two servants share the same card index 99user.ldif

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rmeggins at redhat.com Tue Jan 15 19:46:25 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 15 Jan 2008 12:46:25 -0700
Subject: [Fedora-directory-users] Announcing the availability of updated documentation
Message-ID: <478D0D91.9010308@redhat.com>

The Red Hat Directory Server 8.0 docs are now available at http://www.redhat.com/docs/manuals/dir-server/

Among the changes:
* Refers to the new packaging formats and FHS pathnames
* Command line replication management is fully documented
* Updated SSL and SASL configuration
* New configuration entries and attributes documented

These docs are applicable to Fedora Directory Server 1.1.

From Steven.Jones at vuw.ac.nz Tue Jan 15 20:55:14 2008
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 16 Jan 2008 09:55:14 +1300
Subject: [Fedora-directory-users] Restarting fds on a new IP address
In-Reply-To:
Message-ID:

Trying to set a replication agreement....

" 4. On the next screen, fill in the consumer hostname and port. Unless you have more than one instance of Directory Server configured, by default, there are no consumers available in the drop-down menu.

Also, select the bind method for replication. If you have enabled SSL on your servers, you may select "Using encrypted SSL connection" radio button and use SSL client authentication. Otherwise, fill in the supplier bind DN and password."

What is the supplier bind DN?
(and the syntax)

regards

Steven Jones

From rmeggins at redhat.com Tue Jan 15 21:05:50 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 15 Jan 2008 14:05:50 -0700
Subject: [Fedora-directory-users] Restarting fds on a new IP address
In-Reply-To:
References:
Message-ID: <478D202E.2050005@redhat.com>

Steven Jones wrote:
> Trying to set a replication agreement....
>
> " 4. On the next screen, fill in the consumer hostname and port.
> Unless you have more than one instance of Directory Server configured,
> by default, there are no consumers available in the drop-down menu.
>
> Also, select the bind method for replication. If you have enabled SSL on
> your servers, you may select "Using encrypted SSL connection" radio
> button and use SSL client authentication. Otherwise, fill in the
> supplier bind DN and password."
>
> What is the supplier bind DN? (and the syntax)
>

The syntax is standard DN syntax e.g. cn=Replication Manager, cn=config

See -
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Replication_Overview-Replication_Identity.html
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Configuring_Single_Master_Replication-Configuring_the_Read_Only_Replica_on_the_Consumer_Server.html
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Creating_the_Supplier_Bind_DN_Entry.html

> regards
>
> Steven Jones

From Steven.Jones at vuw.ac.nz Tue Jan 15 21:52:56 2008
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 16 Jan 2008 10:52:56 +1300
Subject: [Fedora-directory-users] Restarting fds on a new IP address
In-Reply-To: <478D202E.2050005@redhat.com>
Message-ID:

> What is the supplier bind DN?
(and the syntax)
>
The syntax is standard DN syntax e.g. cn=Replication Manager, cn=config

See -
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Replication_Overview-Replication_Identity.html

Neat all I could find was 7.1, this 8.0 documentation is a huge improvement....

regards

Steven Jones

From abnormaliti at clivepeeters.com.au Tue Jan 15 22:45:00 2008
From: abnormaliti at clivepeeters.com.au (Ben)
Date: Wed, 16 Jan 2008 09:45:00 +1100
Subject: [Fedora-directory-users] Paged Results support?
In-Reply-To: <478CCEAA.6000208@redhat.com>
References: <478C597E.8070701@clivepeeters.com.au>
Message-ID: <478D376C.6010609@clivepeeters.com.au>

Rich Megginson wrote:
> Ben wrote:
>> Does FDS support Paged Results?
> Fedora DS does not support the LDAPv3 Paged Results feature. Fedora
> DS does support VLV (Virtual List View) which can be used to page
> through many entries. This is what the console refers to as a
> "Browsing Index".

Thanks for the info.

OK, so how would I go about using VLV in 'perl' and 'php'?

And how does that affect 'nss_ldap' with "nss_paged_results yes" and "pagesize 1000" set?

Ben

From rmeggins at redhat.com Tue Jan 15 22:59:31 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 15 Jan 2008 15:59:31 -0700
Subject: [Fedora-directory-users] Paged Results support?
In-Reply-To: <478D376C.6010609@clivepeeters.com.au>
References: <478C597E.8070701@clivepeeters.com.au> <478D376C.6010609@clivepeeters.com.au>
Message-ID: <478D3AD3.1000003@redhat.com>

Ben wrote:
> Rich Megginson wrote:
>> Ben wrote:
>>> Does FDS support Paged Results?
>> Fedora DS does not support the LDAPv3 Paged Results feature. Fedora
>> DS does support VLV (Virtual List View) which can be used to page
>> through many entries. This is what the console refers to as a
>> "Browsing Index".
> Thanks for the info.
>
> OK, so how would I go about using VLV in 'perl' and 'php'?

You can use Net::LDAP to create and parse the VLV controls using the Convert::ASN1 package.
Not sure about php.

> And how does that affect 'nss_ldap' with "nss_paged_results yes" and
> "pagesize 1000" set?

If the paged results control is not marked critical, fedora ds will ignore it. So it will have no effect.

>
> Ben

From abnormaliti at clivepeeters.com.au Tue Jan 15 23:42:07 2008
From: abnormaliti at clivepeeters.com.au (Ben)
Date: Wed, 16 Jan 2008 10:42:07 +1100
Subject: [Fedora-directory-users] Paged Results support?
In-Reply-To: <478D3AD3.1000003@redhat.com>
References: <478C597E.8070701@clivepeeters.com.au>
Message-ID: <478D44CF.6090801@clivepeeters.com.au>

Rich Megginson wrote:
> Ben wrote:
>> Rich Megginson wrote:
>>> Ben wrote:
>>>> Does FDS support Paged Results?
>>> Fedora DS does not support the LDAPv3 Paged Results feature. Fedora
>>> DS does support VLV (Virtual List View) which can be used to page
>>> through many entries. This is what the console refers to as a
>>> "Browsing Index".
>> Thanks for the info.
>>
>> OK, so how would I go about using VLV in 'perl' and 'php'?
> You can use Net::LDAP to create and parse the VLV controls using the
> Convert::ASN1 package. Not sure about php.

There is a "Net::LDAP::Control::VLV" perl module. I have not been able to get it to work. Is there some preparation that needs to be done on the FDS server to allow/support it?

>> And how does that affect 'nss_ldap' with "nss_paged_results yes" and
>> "pagesize 1000" set?
> If the paged results control is not marked critical, fedora ds will
> ignore it. So it will have no effect.

I assume you mean in bugzilla?

Ben

From Steven.Jones at vuw.ac.nz Wed Jan 16 00:34:48 2008
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 16 Jan 2008 13:34:48 +1300
Subject: [Fedora-directory-users] getting linux clients to authenicate off any FDS LDAP server
In-Reply-To: <478D44CF.6090801@clivepeeters.com.au>
Message-ID:

Hi,

How would this be set at the client end?

Ie it seems a bit silly to have ldap.conf like this,

======
URI ldap://vuwunicvfdsm001.vuw.ac.nz/
BASE dc=vuw,dc=ac,dc=nz
TLS_CACERTDIR /etc/openldap/cacerts
ssl start_tls
======

As if I lose the master (I assume) the slave (vuwunicvfdss001) won't be queried....

Regards

Steven Jones

From rmeggins at redhat.com Wed Jan 16 01:30:22 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 15 Jan 2008 18:30:22 -0700
Subject: [Fedora-directory-users] Paged Results support?
In-Reply-To: <478D44CF.6090801@clivepeeters.com.au>
References: <478C597E.8070701@clivepeeters.com.au> <478D44CF.6090801@clivepeeters.com.au>
Message-ID: <478D5E2E.10208@redhat.com>

Ben wrote:
> Rich Megginson wrote:
>> Ben wrote:
>>> Rich Megginson wrote:
>>>> Ben wrote:
>>>>> Does FDS support Paged Results?
>>>> Fedora DS does not support the LDAPv3 Paged Results feature.
>>>> Fedora DS does support VLV (Virtual List View) which can be used to
>>>> page through many entries. This is what the console refers to as a
>>>> "Browsing Index".
>>> Thanks for the info.
>>>
>>> OK, so how would I go about using VLV in 'perl' and 'php'?
>> You can use Net::LDAP to create and parse the VLV controls using the
>> Convert::ASN1 package. Not sure about php.
> There is a "Net::LDAP::Control::VLV" perl module. I have not been
> able to get it to work. Is there some preparation that needs to be done
> on the FDS server to allow/support it?

Yes. Check the documentation. Not sure where it is documented though. You have to configure it then use the db_index command to create the index.

>>> And how does that affect 'nss_ldap' with "nss_paged_results yes" and
>>> "pagesize 1000" set?
>> If the paged results control is not marked critical, fedora ds will
>> ignore it. So it will have no effect.
> I assume you mean in bugzilla?

? bugzilla ?

>
> Ben

From abnormaliti at clivepeeters.com.au Wed Jan 16 01:56:49 2008
From: abnormaliti at clivepeeters.com.au (Ben)
Date: Wed, 16 Jan 2008 12:56:49 +1100
Subject: [Fedora-directory-users] Paged Results support?
In-Reply-To: <478D5E2E.10208@redhat.com>
References: <478C597E.8070701@clivepeeters.com.au>
Message-ID: <478D6461.7070904@clivepeeters.com.au>

Rich Megginson wrote:
> Ben wrote:
>> Rich Megginson wrote:
>>> Ben wrote:
>>>> Rich Megginson wrote:
>>>>> Ben wrote:
>>>>>> Does FDS support Paged Results?
>>>>> Fedora DS does not support the LDAPv3 Paged Results feature.
>>>>> Fedora DS does support VLV (Virtual List View) which can be used
>>>>> to page through many entries. This is what the console refers to
>>>>> as a "Browsing Index".
>>>> Thanks for the info.
>>>>
>>>> OK, so how would I go about using VLV in 'perl' and 'php'?
>>> You can use Net::LDAP to create and parse the VLV controls using the
>>> Convert::ASN1 package. Not sure about php.
>> There is a "Net::LDAP::Control::VLV" perl module. I have not been
>> able to get it to work. Is there some preparation that needs to be done
>> on the FDS server to allow/support it?
> Yes. Check the documentation. Not sure where it is documented
> though. You have to configure it then use the db_index command to
> create the index.
>>>> And how does that affect 'nss_ldap' with "nss_paged_results yes"
>>>> and "pagesize 1000" set?
>>> If the paged results control is not marked critical, fedora ds will
>>> ignore it. So it will have no effect.
>> I assume you mean in bugzilla?
> ? bugzilla ?

Sorry I thought you were referring to getting paged support added to FDS, what do you mean "If the paged results control is not marked critical, fedora ds will ignore it." with reference to 'nss_ldap'?

Ben

From rmeggins at redhat.com Wed Jan 16 02:46:05 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 15 Jan 2008 19:46:05 -0700
Subject: [Fedora-directory-users] Paged Results support?
In-Reply-To: <478D6461.7070904@clivepeeters.com.au>
References: <478C597E.8070701@clivepeeters.com.au> <478D6461.7070904@clivepeeters.com.au>
Message-ID: <478D6FED.7080401@redhat.com>

Ben wrote:
> Rich Megginson wrote:
>> Ben wrote:
>>> Rich Megginson wrote:
>>>> Ben wrote:
>>>>> Rich Megginson wrote:
>>>>>> Ben wrote:
>>>>>>> Does FDS support Paged Results?
>>>>>> Fedora DS does not support the LDAPv3 Paged Results feature.
>>>>>> Fedora DS does support VLV (Virtual List View) which can be used
>>>>>> to page through many entries. This is what the console refers to
>>>>>> as a "Browsing Index".
>>>>> Thanks for the info.
>>>>>
>>>>> OK, so how would I go about using VLV in 'perl' and 'php'?
>>>> You can use Net::LDAP to create and parse the VLV controls using
>>>> the Convert::ASN1 package. Not sure about php.
>>> There is a "Net::LDAP::Control::VLV" perl module. I have not been
>>> able to get it to work. Is there some preparation that needs to be
>>> done on the FDS server to allow/support it?
>> Yes. Check the documentation. Not sure where it is documented
>> though. You have to configure it then use the db_index command to
>> create the index.
>>>>> And how does that affect 'nss_ldap' with "nss_paged_results yes"
>>>>> and "pagesize 1000" set?
>>>> If the paged results control is not marked critical, fedora ds will
>>>> ignore it. So it will have no effect.
>>> I assume you mean in bugzilla?
>> ? bugzilla ?
>
> Sorry I thought you were referring to getting paged support added to
> FDS, what do you mean "If the paged results control is not marked
> critical, fedora ds will ignore it." with reference to 'nss_ldap'?

Sorry, that's LDAP-speak. Paged Results is an LDAPv3 Control that is added to the LDAP Search Request. Controls can be marked as Critical or not. If a control is marked as Critical, the server will return an error if unsupported, otherwise the server will ignore it.

If you want to file a bugzilla requesting that Fedora DS should support the Paged Results control, please do.

>
> Ben

From taruishi at redhat.com Wed Jan 16 03:09:10 2008
From: taruishi at redhat.com (Masato Taruishi)
Date: Wed, 16 Jan 2008 12:09:10 +0900
Subject: [Fedora-directory-users] Paged Results support?
In-Reply-To: <478D6461.7070904@clivepeeters.com.au>
References: <478C597E.8070701@clivepeeters.com.au> <478D6461.7070904@clivepeeters.com.au>
Message-ID: <1200452950.18498.17.camel@localhost.localdomain>

> Rich Megginson wrote:
> > Ben wrote:
> >> Rich Megginson wrote:
> >>> Ben wrote:
> >>>> Rich Megginson wrote:
> >>>>> Ben wrote:
> >>>>>> Does FDS support Paged Results?
> >>>>> Fedora DS does not support the LDAPv3 Paged Results feature.
> >>>>> Fedora DS does support VLV (Virtual List View) which can be used
> >>>>> to page through many entries. This is what the console refers to
> >>>>> as a "Browsing Index".
> >>>> Thanks for the info.
> >>>>
> >>>> OK, so how would I go about using VLV in 'perl' and 'php'?
> >>> You can use Net::LDAP to create and parse the VLV controls using the
> >>> Convert::ASN1 package. Not sure about php.
> >> There is a "Net::LDAP::Control::VLV" perl module. I have not been
> >> able to get it to work. Is there some preparation that needs to be done
> >> on the FDS server to allow/support it?
> > Yes. Check the documentation. Not sure where it is documented
> > though. You have to configure it then use the db_index command to
> > create the index.
> >>>> And how does that affect 'nss_ldap' with "nss_paged_results yes"
> >>>> and "pagesize 1000" set?
> >>> If the paged results control is not marked critical, fedora ds will
> >>> ignore it. So it will have no effect.
> >> I assume you mean in bugzilla?
> > ? bugzilla ?
>
> Sorry I thought you were referring to getting paged support added to
> FDS, what do you mean "If the paged results control is not marked
> critical, fedora ds will ignore it." with reference to 'nss_ldap'?

nss_ldap doesn't seem to set the criticality of the paged result control:

    rc = ldap_create_page_control(__session.ls_conn,
                                  __session.ls_config->ldc_pagesize,
                                  NULL, 0, &serverCtrls[0]);

which means fedora-ds just ignores the control.

From jtharp at esri.com Wed Jan 16 04:38:21 2008
From: jtharp at esri.com (Jeff Tharp)
Date: Tue, 15 Jan 2008 20:38:21 -0800
Subject: [Fedora-directory-users] Contemplating an upgrade to Fedora DS 1.1
Message-ID:

I am looking into the feasibility of upgrading the LDAP backend used for authentication on many of our web sites (roughly 300K users). Currently we are using FedoraDS 1.0.2 running on RHEL 4 in a multi-master configuration of two nodes configured as a high-availability cluster using Heartbeat from the Linux-HA project. My underlying database is Berkeley DB 4.2.52.

My goal would be to upgrade to FedoraDS 1.1 running on RHEL 5.1. I have managed to complete the initial installation on my test system and so I'm now digging into the details of the migration. Some questions that have come up:

1.
RHEL5.1 ships with Berkeley DB 4.3 and I noticed a note that this has been found subpar for production use in large environments. Should I consider reverting back to Berkeley DB 4.2.52 or should I look into installing Berkeley DB 4.5 or 4.6? If I installed the FedoraDS 1.1 fc6 binary packages, do I need to be worried that these were built against a specific Berkeley DB version? 2. Most of the migration notes I see on the site mention migrating from 1.0.4 to 1.1. Is it necessary to migrate our current 1.0.2 install to 1.0.4 as an intermediate step to upgrading to 1.1? Or should the 1.0.4 migration steps be sufficient? 3. Previously, we had separate physical filesystems for / and /opt, so that the directory server files were separated from the system files. I understand that in FedoraDS 1.1 the decision has been to standardize the pathing so this is no longer feasible. If I still wanted at least the instance-specific files (or at least the instance-specific database files) to be in a separate filesystem, say /data, what would be the recommended way of accomplishing this? Or should I just go crazy with symbolic links to accomplish the structure I want? :-) I greatly appreciate any advice you can provide regarding these questions. I must say that we originally deployed FedoraDS 1.0.2 two years ago to replace a much older OpenLDAP 2.0 implementation and have generally been happy with both its performance and stability. Thanks, Jeff Tharp System Administrator ESRI - Redlands, CA http://www.esri.com From ando at sys-net.it Wed Jan 16 07:38:23 2008 From: ando at sys-net.it (Pierangelo Masarati) Date: Wed, 16 Jan 2008 08:38:23 +0100 Subject: [Fedora-directory-users] Paged Results support? 
In-Reply-To: <1200452950.18498.17.camel@localhost.localdomain> References: <478C597E.8070701@clivepeeters.com.au> <478D6461.7070904@clivepeeters.com.au> <1200452950.18498.17.camel@localhost.localdomain> Message-ID: <478DB46F.8010302@sys-net.it> Masato Taruishi wrote: >> Rich Megginson wrote: >>> Ben wrote: >>>> Rich Megginson wrote: >>>>> Ben wrote: >>>>>> Rich Megginson wrote: >>>>>>> Ben wrote: >>>>>>>> Does FDS support Paged Results? >>>>>>> Fedora DS does not support the LDAPv3 Paged Results feature. >>>>>>> Fedora DS does support VLV (Virtual List View) which can be used >>>>>>> to page through many entries. This is what the console refers to >>>>>>> as a "Browsing Index". >>>>>> Thanks for the info. >>>>>> >>>>>> OK, so how would i go about using VLV in 'perl' and 'php'? >>>>> You can use Net::LDAP to create and parse the VLV controls using the >>>>> Convert::ASN1 package. Not sure about php. >>>> There is a "Net::LDAP::Control::VLV" perl module. i have not been >>>> able to get it work. Is there some preparation that needs to be done >>>> on the FDS server to allow/support it? >>> Yes. Check the documentation. Not sure where it is documented >>> though. You have to configure it then use the db_index command to >>> create the index. >>>>>> And how does that affect 'nss_ldap' with "nss_paged_results yes" >>>>>> and "pagesize 1000" set? >>>>> If the paged results control is not marked critical, fedora ds will >>>>> ignore it. So it will have no effect. >>>> I assume you mean in bugzilla? >>> ? bugzilla ? >> Sorry i thought you were referring to getting paged support added to >> FDS, what do you mean "If the paged results control is not marked >> critical, fedora ds will ignore it." with reference to 'nss_ldap'? > > nss_ldap doesn't seem to set the criticality of the paged result > control: > > rc = ldap_carete_page_control(__session.ls_conn, > __session.ls_config->ldc_pagesize, > NULL, 0, &serverCtrls[0]); > > which means fedora-ds just ignore the control. 
I don't think any client really needs that control. The only reason
many were forced into at least __knowing__ about it is that Active
Directory returns pagedResults response even if not requested, in
blatant violation of LDAPv3. So both the users and the developers of
FDS can safely ignore its existence. Only client developers need to
know about it if they want their clients to be able to interoperate
with AD.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati at sys-net.it
---------------------------------------

From ajeet.singh.raina at logicacmg.com Wed Jan 16 05:08:08 2008
From: ajeet.singh.raina at logicacmg.com (Singh Raina, Ajeet)
Date: Wed, 16 Jan 2008 10:38:08 +0530
Subject: [Fedora-directory-users] Setting Up Fedora DS Client on HP Unix ???
Message-ID: <0139539A634FD04A99C9B8880AB70CB2075B35EB@in-ex004.groupinfra.com>

Hello Guys,

I have been installing fedora DS on RHEL and configuring different
clients like Solaris 10,9,8 and they seem to work fine. But I couldn't
get docs related to Setting Up Fedora DS on HP-Unix. Can you please let
me know how we can go for it??

Thanks in Advance,
Ajeet

-------------- next part --------------
An HTML attachment was scrubbed...
URL: From rmeggins at redhat.com Wed Jan 16 15:36:59 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 16 Jan 2008 08:36:59 -0700 Subject: [Fedora-directory-users] Contemplating an upgrade to Fedora DS 1.1 In-Reply-To: References: Message-ID: <478E249B.6080100@redhat.com> Jeff Tharp wrote: > I am looking into the feasibility of upgrading the LDAP backend used for > authentication on many of our web sites (roughly 300K users). Currently > we are using FedoraDS 1.0.2 running on RHEL 4 in a multi-master > configuration of two nodes configured as a high-availability cluster > using Heartbeat from the Linux-HA project. My underlying database is > Berkeley DB 4.2.52. My goal would be to upgrade to FedoraDS 1.1 running > on RHEL 5.1. I have managed to complete the initial installation on my > test system and so I'm now digging into the details of the migration. > > Some questions that have come up: > 1. RHEL5.1 ships with Berkeley DB 4.3 and I noticed a note that this has > been found subpar for production use in large environments. Should I > consider reverting back to Berkeley DB 4.2.52 or should I look into > installing Berkeley DB 4.5 or 4.6? If I installed the FedoraDS 1.1 fc6 > binary packages, do I need to be worried that these were built against a > specific Berkeley DB version? > Can you be more specific about your planned deployment? Number of entries? Average entry size? Search rate? Update rate? Number of masters? Total number of replicas? Number and type of clients? > 2. Most of the migration notes I see on the site mention migrating from > 1.0.4 to 1.1. Is it necessary to migrate our current 1.0.2 install to > 1.0.4 as an intermediate step to upgrading to 1.1? Or should the 1.0.4 > migration steps be sufficient? > The migration script in 1.1 will migrate from 7.1 and 1.0.x. You do not need any intermediate migration steps. The migration script should also work for even earlier versions (e.g. Netscape 6.x). > 3. 
Previously, we had separate physical filesystems for / and /opt, so > that the directory server files were separated from the system files. I > understand that in FedoraDS 1.1 the decision has been to standardize the > pathing so this is no longer feasible. If I still wanted at least the > instance-specific files (or at least the instance-specific database > files) to be in a separate filesystem, say /data, what would be the > recommended way of accomplishing this? Or should I just go crazy with > symbolic links to accomplish the structure I want? :-) > The main directory you would want to put on a separate partition is /var/lib/dirsrv/db - where the transaction logs and database index files go. These directories can be changed post setup, so you could just install Fedora DS 1.1 normally, then set those directories. For maximum performance, you should put the software on one physical device, the index files on another separate physical device, and the transaction logs on another separate physical device. See http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Tuning_Database_Performance-Changing_the_Location_of_the_Database_Transaction_Log.html > I greatly appreciate any advice you can provide regarding these > questions. I must say that we originally deployed FedoraDS 1.0.2 two > years ago to replace a much older OpenLDAP 2.0 implementation and have > generally been happy with both its performance and stability. > > Thanks, > Jeff Tharp > System Administrator > ESRI - Redlands, CA > http://www.esri.com > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From jtharp at esri.com Wed Jan 16 19:08:42 2008 From: jtharp at esri.com (Jeff Tharp) Date: Wed, 16 Jan 2008 11:08:42 -0800 Subject: [Fedora-directory-users] RE: Contemplating an upgrade to Fedora DS 1.1 In-Reply-To: References: Message-ID: >Rich Megginson wrote: >Can you be more specific about your planned deployment? Number of entries? Average entry size? Search rate? >Update rate? Number of masters? Total number of replicas? Number and type of clients? Sorry, I have my list subscription set to digest mode, but I saw that you sent this question, so I thought I'd respond ahead of actually receiving the email :-) Let's see...number of entries = 529,809 (I was a little off in my estimate earlier, it's been a while since I checked the exact count). Average entry size...not sure exactly how to calculate this, if you mean by memory size. We maintain 45 attributes per entry. My particular entry (which could be considered average, I suppose) is ~4 KB when exported to LDIF. I'll run some performance monitoring today as far as the number of search and update operations. We only have two masters, no other replicas. One master is active and gets all the load, the other is on standby (via Heartbeat) ready to take over if the first fails. All requests come from two front-end application servers and one back-end administration web application. The authentication application always bind's as the admin user then does a compare on the password hash of a particular user. In case you're wondering, current production hardware is a pair of Dell PowerEdge 2850's, each with 1x3.2 GHz CPU, 2 GB RAM, single RAID 10 array with 15K RPM disks. One other consideration I want to look into is enabling Berkeley DB transaction logging--last year we had a power outage that caused the servers to go down hard (our generator was on the fritz :-P). 
The database on both masters was corrupted and had to be restored. I do nightly backups but lost all the account creations/updates for the day of the outage. I'd like to setup transaction logs and write these off to tape or another server so that we can recover to within 30 min to 1 hour of an outage. I looked into this with our current setup, but I wasn't able to get more than 1 transaction log written per day, which doesn't help much beyond our current nightly backups. Thanks for your help, Jeff Tharp System Administrator ESRI - Redlands, CA http://www.esri.com > -----Original Message----- > From: Jeff Tharp > Sent: Tuesday, January 15, 2008 8:38 PM > To: 'Fedora-directory-users at redhat.com' > Subject: Contemplating an upgrade to Fedora DS 1.1 > > I am looking into the feasibility of upgrading the LDAP > backend used for authentication on many of our web sites > (roughly 300K users). Currently we are using FedoraDS 1.0.2 > running on RHEL 4 in a multi-master configuration of two > nodes configured as a high-availability cluster using > Heartbeat from the Linux-HA project. My underlying database > is Berkeley DB 4.2.52. My goal would be to upgrade to > FedoraDS 1.1 running on RHEL 5.1. I have managed to complete > the initial installation on my test system and so I'm now > digging into the details of the migration. > > Some questions that have come up: > 1. RHEL5.1 ships with Berkeley DB 4.3 and I noticed a note > that this has been found subpar for production use in large > environments. Should I consider reverting back to Berkeley > DB 4.2.52 or should I look into installing Berkeley DB 4.5 or > 4.6? If I installed the FedoraDS 1.1 fc6 binary packages, do > I need to be worried that these were built against a specific > Berkeley DB version? > > 2. Most of the migration notes I see on the site mention > migrating from 1.0.4 to 1.1. Is it necessary to migrate our > current 1.0.2 install to 1.0.4 as an intermediate step to > upgrading to 1.1? 
Or should the 1.0.4 migration steps be sufficient? > > 3. Previously, we had separate physical filesystems for / and > /opt, so that the directory server files were separated from > the system files. I understand that in FedoraDS 1.1 the > decision has been to standardize the pathing so this is no > longer feasible. If I still wanted at least the > instance-specific files (or at least the instance-specific > database files) to be in a separate filesystem, say /data, > what would be the recommended way of accomplishing this? Or > should I just go crazy with symbolic links to accomplish the > structure I want? :-) > > I greatly appreciate any advice you can provide regarding > these questions. I must say that we originally deployed > FedoraDS 1.0.2 two years ago to replace a much older OpenLDAP > 2.0 implementation and have generally been happy with both > its performance and stability. > > Thanks, > Jeff Tharp > System Administrator > ESRI - Redlands, CA > http://www.esri.com From rmeggins at redhat.com Wed Jan 16 22:44:23 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 16 Jan 2008 15:44:23 -0700 Subject: [Fedora-directory-users] RE: Contemplating an upgrade to Fedora DS 1.1 In-Reply-To: References: Message-ID: <478E88C7.9070503@redhat.com> Jeff Tharp wrote: >> Rich Megginson wrote: >> > > >> Can you be more specific about your planned deployment? Number of >> > entries? Average entry size? Search rate? >Update rate? Number of > masters? Total number of replicas? Number and type of clients? > > Sorry, I have my list subscription set to digest mode, but I saw that > you sent this question, so I thought I'd respond ahead of actually > receiving the email :-) Let's see...number of entries = 529,809 (I was > a little off in my estimate earlier, it's been a while since I checked > the exact count). Average entry size...not sure exactly how to > calculate this, if you mean by memory size. We maintain 45 attributes > per entry. 
My particular entry (which could be considered average, I > suppose) is ~4 KB when exported to LDIF. > We have performed several stress tests with several million entries each on RHEL5.1 using the standard bdb 4.3 that is included with RHEL5.1. There was no data loss, corruption, or other such problems. > I'll run some performance monitoring today as far as the number of > search and update operations. We only have two masters, no other > replicas. One master is active and gets all the load, the other is on > standby (via Heartbeat) ready to take over if the first fails. All > requests come from two front-end application servers and one back-end > administration web application. The authentication application always > bind's as the admin user then does a compare on the password hash of a > particular user. > > In case you're wondering, current production hardware is a pair of Dell > PowerEdge 2850's, each with 1x3.2 GHz CPU, 2 GB RAM, single RAID 10 > array with 15K RPM disks. > > One other consideration I want to look into is enabling Berkeley DB > transaction logging--last year we had a power outage that caused the > servers to go down hard (our generator was on the fritz :-P). The > database on both masters was corrupted and had to be restored. I do > nightly backups but lost all the account creations/updates for the day > of the outage. I'd like to setup transaction logs and write these off > to tape or another server so that we can recover to within 30 min to 1 > hour of an outage. I looked into this with our current setup, but I > wasn't able to get more than 1 transaction log written per day, which > doesn't help much beyond our current nightly backups. > These settings are available, but not exposed in the console. See http://www.redhat.com/docs/manuals/dir-server/cli/8.0/Configuration_Command_File_Reference-Plug_in_Implemented_Server_Functionality_Reference-Database_Plug_in_Attributes.html for more information. 
> Thanks for your help, > Jeff Tharp > System Administrator > ESRI - Redlands, CA > http://www.esri.com > > > >> -----Original Message----- >> From: Jeff Tharp >> Sent: Tuesday, January 15, 2008 8:38 PM >> To: 'Fedora-directory-users at redhat.com' >> Subject: Contemplating an upgrade to Fedora DS 1.1 >> >> I am looking into the feasibility of upgrading the LDAP >> backend used for authentication on many of our web sites >> (roughly 300K users). Currently we are using FedoraDS 1.0.2 >> running on RHEL 4 in a multi-master configuration of two >> nodes configured as a high-availability cluster using >> Heartbeat from the Linux-HA project. My underlying database >> is Berkeley DB 4.2.52. My goal would be to upgrade to >> FedoraDS 1.1 running on RHEL 5.1. I have managed to complete >> the initial installation on my test system and so I'm now >> digging into the details of the migration. >> >> Some questions that have come up: >> 1. RHEL5.1 ships with Berkeley DB 4.3 and I noticed a note >> that this has been found subpar for production use in large >> environments. Should I consider reverting back to Berkeley >> DB 4.2.52 or should I look into installing Berkeley DB 4.5 or >> 4.6? If I installed the FedoraDS 1.1 fc6 binary packages, do >> I need to be worried that these were built against a specific >> Berkeley DB version? >> >> 2. Most of the migration notes I see on the site mention >> migrating from 1.0.4 to 1.1. Is it necessary to migrate our >> current 1.0.2 install to 1.0.4 as an intermediate step to >> upgrading to 1.1? Or should the 1.0.4 migration steps be sufficient? >> >> 3. Previously, we had separate physical filesystems for / and >> /opt, so that the directory server files were separated from >> the system files. I understand that in FedoraDS 1.1 the >> decision has been to standardize the pathing so this is no >> longer feasible. 
If I still wanted at least the >> instance-specific files (or at least the instance-specific >> database files) to be in a separate filesystem, say /data, >> what would be the recommended way of accomplishing this? Or >> should I just go crazy with symbolic links to accomplish the >> structure I want? :-) >> >> I greatly appreciate any advice you can provide regarding >> these questions. I must say that we originally deployed >> FedoraDS 1.0.2 two years ago to replace a much older OpenLDAP >> 2.0 implementation and have generally been happy with both >> its performance and stability. >> >> Thanks, >> Jeff Tharp >> System Administrator >> ESRI - Redlands, CA >> http://www.esri.com >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From todd.hammer at us.atlascopco.com Wed Jan 16 22:55:26 2008 From: todd.hammer at us.atlascopco.com (todd.hammer at us.atlascopco.com) Date: Wed, 16 Jan 2008 16:55:26 -0600 Subject: [Fedora-directory-users] Can't open fedora ds with ldapeditor Message-ID: I have fedora ds running on Redhat 5 and it works great..... as long as I use the fedora admin tool. I can't use any other tools to modify the ldap data. For example, the following will not run: ldapadd -h 12.34.56.789 -x -D "cn=manager,dc=example,dc=com" -W -f /tmp /user.ldif (modified actual IP and dn for security) After giving the correct password, all I get is this: ldap_bind: No such object (32) matched DN: dc=acds,dc=com Any ideas what I've done? This used to work in openldap. Thanks in advance. Todd Hammer Technical Support Analyst -------------- next part -------------- An HTML attachment was scrubbed... 
URL:

From rmeggins at redhat.com Wed Jan 16 22:59:03 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 16 Jan 2008 15:59:03 -0700
Subject: [Fedora-directory-users] Can't open fedora ds with ldapeditor
In-Reply-To:
References:
Message-ID: <478E8C37.8040501@redhat.com>

todd.hammer at us.atlascopco.com wrote:
>
> I have fedora ds running on Redhat 5 and it works great..... as long
> as I use the fedora admin tool.
>
> I can't use any other tools to modify the ldap data.
>
> For example, the following will not run:
> ldapadd -h 12.34.56.789 -x -D "cn=manager,dc=example,dc=com" -W -f
> /tmp/user.ldif (modified actual IP and dn for security)
>
> After giving the correct password, all I get is this:
> ldap_bind: No such object (32)
> matched DN: dc=acds,dc=com
>
>
> Any ideas what I've done? This used to work in openldap.

Openldap uses a directory manager in the data tree - Fedora DS uses a
directory manager that is a "pseudo" entry - cn=directory manager by
default.

>
>
> Thanks in advance.
>
> *Todd Hammer*
> Technical Support Analyst
>

From abnormaliti at clivepeeters.com.au Thu Jan 17 00:51:31 2008
From: abnormaliti at clivepeeters.com.au (Ben)
Date: Thu, 17 Jan 2008 11:51:31 +1100
Subject: [Fedora-directory-users] Paged Results support?
In-Reply-To: <478DB46F.8010302@sys-net.it> References: <478C597E.8070701@clivepeeters.com.au> Message-ID: <478EA693.604@clivepeeters.com.au> Pierangelo Masarati wrote: > Masato Taruishi wrote: > >>> Rich Megginson wrote: >>> >>>> Ben wrote: >>>> >>>>> Rich Megginson wrote: >>>>> >>>>>> Ben wrote: >>>>>> >>>>>>> Rich Megginson wrote: >>>>>>> >>>>>>>> Ben wrote: >>>>>>>> >>>>>>>>> Does FDS support Paged Results? >>>>>>>>> >>>>>>>> Fedora DS does not support the LDAPv3 Paged Results feature. >>>>>>>> Fedora DS does support VLV (Virtual List View) which can be used >>>>>>>> to page through many entries. This is what the console refers to >>>>>>>> as a "Browsing Index". >>>>>>>> >>>>>>> Thanks for the info. >>>>>>> >>>>>>> OK, so how would i go about using VLV in 'perl' and 'php'? >>>>>>> >>>>>> You can use Net::LDAP to create and parse the VLV controls using the >>>>>> Convert::ASN1 package. Not sure about php. >>>>>> >>>>> There is a "Net::LDAP::Control::VLV" perl module. i have not been >>>>> able to get it work. Is there some preparation that needs to be done >>>>> on the FDS server to allow/support it? >>>>> >>>> Yes. Check the documentation. Not sure where it is documented >>>> though. You have to configure it then use the db_index command to >>>> create the index. >>>> >>>>>>> And how does that affect 'nss_ldap' with "nss_paged_results yes" >>>>>>> and "pagesize 1000" set? >>>>>>> >>>>>> If the paged results control is not marked critical, fedora ds will >>>>>> ignore it. So it will have no effect. >>>>>> >>>>> I assume you mean in bugzilla? >>>>> >>>> ? bugzilla ? >>>> >>> Sorry i thought you were referring to getting paged support added to >>> FDS, what do you mean "If the paged results control is not marked >>> critical, fedora ds will ignore it." with reference to 'nss_ldap'? 
>>> >> nss_ldap doesn't seem to set the criticality of the paged result >> control: >> >> rc = ldap_carete_page_control(__session.ls_conn, >> __session.ls_config->ldc_pagesize, >> NULL, 0, &serverCtrls[0]); >> >> which means fedora-ds just ignore the control. >> > > I don't think any client really needs that control. The only reason > many were forced into at least __knowing__ about it is that Active > Directory returns pagedResults response even if not requested, in > blatant violation of LDAPv3. So both the users and the developers of > FDS can safely ignore its existence. Only client developers need to > know about it if they want their clients to be able to interoperate with AD. > > p. > If i recall correctly the reason i started using paged results was to exceed the 'sizelimit' restriction when i was using OpenLDAP. i.e. if "sizelimit = 100" you could get 300 results using paged results. So in relation to 'nss_ldap' isn't that what the "nss_paged_results yes" and "pagesize 1000" options are good for? So with a directory of >2000 users nss_ldap could get them all when the server has sizelimit set to say 1000. Ben From richzendy at gmail.com Thu Jan 17 02:01:24 2008 From: richzendy at gmail.com (Edwind Richzendy Contreras Soto) Date: Thu, 17 Jan 2008 21:31:24 +1930 Subject: Fwd: [Fedora-directory-users] Trouble installing fds on debian 4 In-Reply-To: <1D2F19921E260A42A154AFBA3C5C20869083F2@CORPMAIL33.corp.capgemini.com> References: <1D2F19921E260A42A154AFBA3C5C20869083F2@CORPMAIL33.corp.capgemini.com> Message-ID: <90ba020d0801161801q3e3d1825pfe71786b6e21f89d@mail.gmail.com> ---------- Forwarded message ---------- From: Prigent, Glenn Date: 15-ene-2008 5:29 Subject: [Fedora-directory-users] Trouble installing fds on debian 4 To: fedora-directory-users at redhat.com Hello, I have trouble installing fds on a debian 4. The installation complete well but when I start fds I have a exception. 
./startconsole -u admin -a http://localhost:64233/ java.lang.ExceptionInInitializerError caused by java/lang/ArrayIndexOutOfBoundsException: at com.netscape.management.client.util.ResourceSet$StackLookup.getLoader(source file unknown:line unknown, pc 0x85bc45e) at com.netscape.management.client.util.ResourceSet. (source file unknown:line unknown, pc 0x85bf0e2) at com.netscape.management.client.util.ResourceSet. (source file unknown:line unknown, pc 0x8589a68) at com.netscape.management.client.console.Console. (source file unknown:line unknown, pc 0x85ba276) caused by: java.lang.ArrayIndexOutOfBoundsException at com.netscape.management.client.util.ResourceSet$StackLookup.getLoader(source file unknown:line unknown, pc 0x85bc45e) at com.netscape.management.client.util.ResourceSet. (source file unknown:line unknown, pc 0x85bf0e2) at com.netscape.management.client.util.ResourceSet. (source file unknown:line unknown, pc 0x8589a68) at com.netscape.management.client.console.Console. (source file unknown:line unknown, pc 0x85ba276) java.lang.ArrayIndexOutOfBoundsException at com.netscape.management.client.util.ResourceSet$StackLookup.getLoader(source file unknown:line unknown, pc 0x85bc45e) at com.netscape.management.client.util.ResourceSet. (source file unknown:line unknown, pc 0x85bf0e2) at com.netscape.management.client.util.ResourceSet. (source file unknown:line unknown, pc 0x8589a68) at com.netscape.management.client.console.Console. (source file unknown:line unknown, pc 0x85ba276) Is anyone succeeded installing fds on debian ? Can anyone help me ? Thank you. you need a java virtual machine, i recommend iced-tea ( use a free software ), but you can install anywere how sun java VM. Glenn Prigent -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- An HTML attachment was scrubbed... 
URL:

From ando at sys-net.it Thu Jan 17 07:01:39 2008
From: ando at sys-net.it (Pierangelo Masarati)
Date: Thu, 17 Jan 2008 08:01:39 +0100
Subject: [Fedora-directory-users] Paged Results support?
In-Reply-To: <478EA693.604@clivepeeters.com.au>
References: <478C597E.8070701@clivepeeters.com.au> <478EA693.604@clivepeeters.com.au>
Message-ID: <478EFD53.1080508@sys-net.it>

Ben wrote:

> If i recall correctly the reason i started using paged results was to
> exceed the 'sizelimit' restriction when i was using OpenLDAP. i.e. if
> "sizelimit = 100" you could get 300 results using paged results.
>
> So in relation to 'nss_ldap' isn't that what the "nss_paged_results yes"
> and "pagesize 1000" options are good for? So with a directory of >2000
> users nss_ldap could get them all when the server has sizelimit set to
> say 1000.

That would work with AD, not with OL. With OL, the sizelimit refers to
the total amount of entries returned by a search, no matter what
fraction is returned in each page.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati at sys-net.it
---------------------------------------

From ando at sys-net.it Thu Jan 17 07:04:13 2008
From: ando at sys-net.it (Pierangelo Masarati)
Date: Thu, 17 Jan 2008 08:04:13 +0100
Subject: [Fedora-directory-users] Can't open fedora ds with ldapeditor
In-Reply-To: <478E8C37.8040501@redhat.com>
References: <478E8C37.8040501@redhat.com>
Message-ID: <478EFDED.2080202@sys-net.it>

Rich Megginson wrote:

>> Any ideas what I've done? This used to work in openldap.
> Openldap uses a directory manager in the data tree - Fedora DS uses a
> directory manager that is a "pseudo" entry - cn=directory manager by
> default.

Just for the records: OpenLDAP allows to define a wide variety of names
for the directory manager, including the name of actual entries in the
database, a name in the naming context, or names outside the naming
context, at the admin's discretion.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati at sys-net.it
---------------------------------------

From chymes at hymerfania.com Thu Jan 17 17:46:42 2008
From: chymes at hymerfania.com (Charles Hymes)
Date: Thu, 17 Jan 2008 09:46:42 -0800
Subject: [Fedora-directory-users] FDS config problem with GSSAPI: No such file or directory
Message-ID: <004401c85930$ecd89ba0$1100a8c0@hymesruzicka.org>

Hi folks,

I'm having a real hard time debugging this. I'm trying to do a new
Fedora Directory Server+kerberos install, on a new Fedora 7 box. I can
kinit, but I can't get ldapsearch or ldapwhoami to work locally. I
thought it was a read problem with the keytab files, but I tried setting
KRB5_KTNAME to a keytab file I knew was readable by slapd, and that did
not help. I also checked permissions on my certificates, and that seems
OK too.

ldapsearch -x does work, but ldapsearch -Y GSSAPI does not.

I tried running strace on ldapwhoami, slapd and krb5kdc, but strace does
not show which resource is not accessible. Actually I'm surprised that
strace does not show any attempts to open the keytabs or anything in
/etc/openldap/cacerts...

I tried briefly making /etc/krb5.keytab world readable, it did not
change the "No such file" error.

The logs I check are /var/log/messages, slapd and krb5kdc.log. The logs
do not show the ldap client error. I DID see some SELINUX errors for
krb5kdc_rcache and krb5.conf, but I ran restorecon and fixed those. This
did not stop the error. I guess I'll try turning SELINUX off, and see if
that makes any difference.
Any help would be greatly appreciated :)

*******************************************
*******************************************
[installer at trixter ~]$ ldapwhoami -V -Y GSSAPI
ldapwhoami: @(#) $OpenLDAP: ldapwhoami 2.3.34 (Nov 2 2007 08:16:20) $
[email]kojibuilder at xenbuilder2.fedora.redhat.com[/email]:/builddir/build/BUILD/openldap-2.3.34/openldap-2.3.34/build-clients/clients/tools
(LDAP library: OpenLDAP 20333)
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No such file or directory)
*******************************************
*******************************************
[installer at trixter ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: [email]installer at HYMESRUZICKA.ORG[/email]

Valid starting     Expires            Service principal
01/15/08 13:11:43  01/16/08 13:11:43  krbtgt/HYMESRUZICKA.ORG at HYMESRUZICKA.ORG
01/15/08 13:12:35  01/16/08 13:11:43  ldap/trixter.hymesruzicka.org at HYMESRUZICKA.ORG

Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
*******************************************
*******************************************
[installer at trixter ~]$ cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# This file should be world readable but not world writable.
BASE dc=hymesruzicka,dc=org
URI ldap://trixter.hymesruzicka.org:11562 ldaps://trixter.hymesruzicka.org:636
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow
#SIZELIMIT 12
TIMELIMIT 5
#DEREF never
*******************************************
*******************************************
[root at trixter ~]# find / -iname "*keytab*" -ls
49547109 8 -rw-r--r-- 1 root root 712 Jan 15 13:00 /etc/krb5.keytab
49610949 8 -rw-r--r-- 1 fdirsvr fdirsvr 712 Jan 15 13:00 /etc/dirsrv/slapd-trixter/dirsrv.keytab
22746332 8 -rw------- 1 root root 454 Jan 13 10:26 /var/kerberos/krb5kdc/kadm5.keytab
*******************************************
*******************************************
BTW: Here's the command with debug on:
[installer at trixter ~]$ ldapwhoami -V -d 1 -Y GSSAPI
ldapwhoami: @(#) $OpenLDAP: ldapwhoami 2.3.34 (Nov 2 2007 08:16:20) $
[email]kojibuilder at xenbuilder2.fedora.redhat.com[/email]:/builddir/build/BUILD/openldap-2.3.34/openldap-2.3.34/build-clients/clients/tools
(LDAP library: OpenLDAP 20333)
ldap_create
ldap_sasl_interactive_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP trixter.hymesruzicka.org:11562
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.0.3:11562
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=trixter.hymesruzicka.org
SASL/GSSAPI authentication started
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush: 589 bytes to sd 3
ldap_result ld 0x8d82038 msgid 1
ldap_chkResponseList ld 0x8d82038 msgid 1 all 1
ldap_chkResponseList returns ld 0x8d82038 NULL
wait4msg ld 0x8d82038 msgid 1 (infinite timeout)
wait4msg continue ld 0x8d82038 msgid 1 all 1
** ld 0x8d82038 Connections:
* host: trixter.hymesruzicka.org port: 11562 (default)
  refcnt: 2 status: Connected
  last used: Wed Jan 16 10:11:11 2008
** ld 0x8d82038 Outstanding Requests:
* msgid 1, origid 1, status InProgress
  outstanding referrals 0, parent count 0
** ld 0x8d82038 Response Queue:
  Empty
ldap_chkResponseList ld 0x8d82038 msgid 1 all 1
ldap_chkResponseList returns ld 0x8d82038 NULL
ldap_int_select
read1msg: ld 0x8d82038 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 148 contents:
read1msg: ld 0x8d82038 msgid 1 message type bind
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x8d82038 0 new referrals
read1msg: mark request completed, ld 0x8d82038 msgid 1
request done: ld 0x8d82038 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({eaa) ber:
ldap_msgfree
ldap_perror
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No such file or directory)

From rcritten at redhat.com Thu Jan 17 17:53:39 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 17 Jan 2008 12:53:39 -0500
Subject: [Fedora-directory-users] FDS config problem with GSSAPI: No such file or directory
In-Reply-To: <004401c85930$ecd89ba0$1100a8c0@hymesruzicka.org>
References: <004401c85930$ecd89ba0$1100a8c0@hymesruzicka.org>
Message-ID: <478F9623.2000808@redhat.com>

Charles Hymes wrote:
> Hi folks,
> I'm having a real hard time debugging this.
> I'm trying to do a new Fedora Directory Server+kerberos install, on a new
> Fedora 7 box. I can kinit, but I can't get ldapsearch or ldapwhoami to work
> locally. I thought it was a read problem with the keytab files, but I tried
> setting KRB5_KTNAME to a keytab file I knew were readable by slapd, and that
> did not help. I also checked permissions on my certificates, and that seems
> OK too. ldapsearch -x does work, but ldapsearch -Y GSSAPI does not.
>
> I tried running strace on ldapwhoami, slapd and krb5kdc, but strace does not
> show which resource is not accessible. Actually I'm surprised that strace
> does not show any attempts to open the keytabs or anything in
> /etc/openldap/cacerts...
>
> I tried briefly making /etc/krb5.keytab world readable, it did not
> change the "No such file" error.
> The logs I check are /var/log/messages, slapd and krb5kdc.log. The logs do
> not show the ldap client error. I DID see some SELINUX errors for
> krb5kdc_rcache and krb5.conf, but I ran restorecon and fixed those. This did
> not stop the error. I guess I'll try turning SELINUX off, and see if that
> makes any difference.
>
> Any help would be greatly appreciated :)
>

It depends on what version of FDS you are running. I believe that the 1.1 init file includes support for using /etc/sysconfig/dirsrv for configuration.

If you are running 1.1 add this to /etc/sysconfig/dirsrv:

export KRB5_KTNAME=/path/to/fds.keytab

where fds.keytab holds the ldap/FQDN at REALM key.

If you are running 1.0 you'll need to update /etc/init.d/dirsrv and add something like this at the top:

[ -r /etc/sysconfig/dirsrv ] && . /etc/sysconfig/dirsrv

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From listbox at hymerfania.com Thu Jan 17 18:41:55 2008
From: listbox at hymerfania.com (Listbox)
Date: Thu, 17 Jan 2008 10:41:55 -0800
Subject: [Fedora-directory-users] FDS config problem with GSSAPI: No suchfile or directory
In-Reply-To: <478F9623.2000808@redhat.com>
References: <004401c85930$ecd89ba0$1100a8c0@hymesruzicka.org> <478F9623.2000808@redhat.com>
Message-ID: <004b01c85938$a38bfc00$1100a8c0@hymesruzicka.org>

That was it! Thanks So Much!
I have FDS 1.1, and "KRB5_KTNAME=/var/kerberos/krb5kdc/fdirsrv.keytab ; export KRB5_KTNAME" was already in /etc/sysconfig/dirsrv.
Unfortunately, I was trying to put "export KRB5_KTNAME=/etc/dirsrv/slapd-trixter/fdirsrv.keytab" in my dirsrv startup script, and that was where the keytab actually was. But I moved it, and cleaned up the startup script, and it worked. I don't understand why this did not show up in any of the dirsrv logs, but I'll take the solution.

Now krb5kdc is reporting a "Clock skew too great" error, which is very strange, everything is on the same host: kr5kcd, dirserv, and ldap client.

C.

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rob Crittenden
Sent: Thursday, January 17, 2008 9:54 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] FDS config problem with GSSAPI: No suchfile or directory

Charles Hymes wrote:
> Hi folks,
> I'm having a real hard time debugging this.
> I'm trying to do a new Fedora Directory Server+kerberos install, on a
> new Fedora 7 box. I can kinit, but I can't get ldapsearch or
> ldapwhoami to work locally. I thought it was a read problem with the
> keytab files, but I tried setting KRB5_KTNAME to a keytab file I knew
> were readable by slapd, and that did not help. I also checked
> permissions on my certificates, and that seems OK too. ldapsearch -x does work, but ldapsearch -Y GSSAPI does not.
>
> I tried running strace on ldapwhoami, slapd and krb5kdc, but strace
> does not show which resource is not accessible. Actually I'm surprised
> that strace does not show any attempts to open the keytabs or anything
> in /etc/openldap/cacerts...
>
> I tried briefly making /etc/krb5.keytab world readable, it did
> not change the "No such file" error.
> The logs I check are /var/log/messages, slapd and krb5kdc.log. The
> logs do not show the ldap client error. I DID see some SELINUX errors
> for krb5kdc_rcache and krb5.conf, but I ran restorecon and fixed
> those. This did not stop the error. I guess I'll try turning SELINUX
> off, and see if that makes any difference.
>
> Any help would be greatly appreciated :)
>

It depends on what version of FDS you are running. I believe that the 1.1 init file includes support for using /etc/sysconfig/dirsrv for configuration.

If you are running 1.1 add this to /etc/sysconfig/dirsrv:

export KRB5_KTNAME=/path/to/fds.keytab

where fds.keytab holds the ldap/FQDN at REALM key.

If you are running 1.0 you'll need to update /etc/init.d/dirsrv and add something like this at the top:

[ -r /etc/sysconfig/dirsrv ] && . /etc/sysconfig/dirsrv

rob

From gm4rtin at gmail.com Thu Jan 17 21:47:22 2008
From: gm4rtin at gmail.com (Gary Martin)
Date: Thu, 17 Jan 2008 16:47:22 -0500
Subject: [Fedora-directory-users] "Add machine scripts" for Samba with FDS backend
Message-ID: <43806ba60801171347j61eab770xf03859ffce3d376f@mail.gmail.com>

Does anyone have some "add machine scripts" that they would like to share? I am having trouble getting any of the examples I find to work, I am using FDS 1.1 on Fedora 8 with Samba 3.0.28. I could use all the useradd and groupadd scripts as well.

Thanks.

From yinyang at eburg.com Fri Jan 18 07:20:37 2008
From: yinyang at eburg.com (Gordon Messmer)
Date: Thu, 17 Jan 2008 23:20:37 -0800
Subject: [Fedora-directory-users] ConfigFile for silent install
In-Reply-To: <478CCF6A.3020709@redhat.com>
References: <478C21C5.2060003@eburg.com> <478CCF6A.3020709@redhat.com>
Message-ID: <47905345.5020802@eburg.com>

Rich Megginson wrote:
> I think that entry is added dynamically at server startup. You may
> have to add the cn=features entry first in your LDIF file. Even then
> it may not work if the server is not expecting that entry to be
> there. So in your LDIF file:
>
> dn: cn=features, cn=config
> objectclass: top
> objectclass: nsContainer
> cn: features
>
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> ...
>
>
> If that still doesn't work, then it is a bug.
It did work, mostly, except that I end up with both the aci that I wanted, and the default. I'm not sure yet what effect that will have.

Would this be considered a bug?

From gm4rtin at gmail.com Fri Jan 18 21:45:05 2008
From: gm4rtin at gmail.com (Gary Martin)
Date: Fri, 18 Jan 2008 16:45:05 -0500
Subject: [Fedora-directory-users] So I have a Samba PDC + FDS, What now?
Message-ID: <43806ba60801181345x706b8b9bk426ea48439015c7d@mail.gmail.com>

I have successfully completed the Howto:Samba documentation. I think I have a working Samba PDC with a FDS backend. I can add users with smbpasswd -a. The problem I have is connecting a windows workstation to the domain. The connection fails complaining about the user name or password. What user should I be using to add workstations to the domain, a member of the 'Domain Admins' or the Administrator user? I have tried both and neither seem to work.

Thanks.

From prjctgeek at gmail.com Fri Jan 18 22:59:54 2008
From: prjctgeek at gmail.com (Doug Chapman)
Date: Fri, 18 Jan 2008 14:59:54 -0800
Subject: [Fedora-directory-users] autofs schema
Message-ID:

So I just installed fds 1.1.0 on a fedora 8 box and have been trying to add the automount schema (mentioned here: http://directory.fedoraproject.org/wiki/Howto:Automount) but it's not loading after a server restart, or erroring out. Are there any new steps not in the above wiki?

I put the schema into a file called /etc/dirsrv/slapd-[hostname]/schema/75autofs.ldif

tia
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From leonhardt at hawaii.rr.com Sat Jan 19 02:41:48 2008
From: leonhardt at hawaii.rr.com (leonhardt at hawaii.rr.com)
Date: Sat, 19 Jan 2008 2:41:48 +0000
Subject: [Fedora-directory-users] Difficulties with fedora-idm-console
Message-ID: <8201283.105261200710508995.JavaMail.root@hrndva-web22-z01>

Hi everyone...I'm new to LDAP and FDS, so please bear with me.

I just installed FDS 1.1 on a clean F8 box.
I got through the setup scripts but when I launch fedora-idm-console, and enter my login info I keep getting an Error 400 response. My login looks like this:

User ID: cn=Directory Manager
Password: ********
Administration URL: http://localhost:9830

I've tried all kinds of variations, username w/o the "cn=", logging in as "admin", and every variation of IP/partially/fully-qualified domain name I could think of for the box. I've also tried running with '-a' (it didn't recognize the -d option, recommended to me by someone in the #fedora-ds room). This is my error, no matter what I do:

Can't logon because of an incorrect User ID,
Incorrect password or Directory problem.
HttpException:
Response: HTTP/1.1 400 Bad Request
Status: 400
URL: http:/admin-serv/authenticate

This last line bothers me...it looks as if the console is not even trying to pass the login info to a valid URL! If I just point my browser at http://localhost:9830/ I get the HTML back-end and can authenticate there to get into the "Administration Express" tool, so I'm fairly convinced I'm using the correct login info...

I's confused...

Matt

From chee.benny at gmail.com Sat Jan 19 04:05:43 2008
From: chee.benny at gmail.com (Benny Chee)
Date: Sat, 19 Jan 2008 12:05:43 +0800
Subject: [Fedora-directory-users] Difficulties with fedora-idm-console
In-Reply-To: <8201283.105261200710508995.JavaMail.root@hrndva-web22-z01>
References: <8201283.105261200710508995.JavaMail.root@hrndva-web22-z01>
Message-ID: <700685de0801182005g6cf482ccka84ad9b2145d781c@mail.gmail.com>

hi,
Login username should be "admin". What hostname was given to your ldap directory server? Try putting a hostname to your interface IP address inside /etc/hosts and try again.

benny

On 19/01/2008, leonhardt at hawaii.rr.com wrote:
>
> Hi everyone...I'm new to LDAP and FDS, so please bear with me.
>
> I just installed FDS 1.1 on a clean F8 box. I got through the setup scripts
> but when I launch fedora-idm-console, and enter my login info I keep getting
> an Error 400 response. My login looks like this:
>
> User ID: cn=Directory Manager
> Password: ********
> Administration URL: http://localhost:9830
>
> I've tried all kinds of variations, username w/o the "cn=", logging in as
> "admin", and every variation of IP/partially/fully-qualified domain name I
> could think of for the box. I've also tried running with '-a' (it didn't
> recognize the -d option, recommended to me by someone in the #fedora-ds
> room). This is my error, no matter what I do:
>
> Can't logon because of an incorrect User ID,
> Incorrect password or Directory problem.
> HttpException:
> Response: HTTP/1.1 400 Bad Request
> Status: 400
> URL: http:/admin-serv/authenticate
>
> This last line bothers me...it looks as if the console is not even trying
> to pass the login info to a valid URL! If I just point my browser at
> http://localhost:9830/ I get the HTML back-end and can authenticate there
> to get into the "Administration Express" tool, so I'm fairly convinced I'm
> using the correct login info...
>
> I's confused...
>
> Matt
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From leonhardt at hawaii.rr.com Sat Jan 19 09:42:30 2008
From: leonhardt at hawaii.rr.com (leonhardt at hawaii.rr.com)
Date: Sat, 19 Jan 2008 9:42:30 +0000
Subject: [Fedora-directory-users] Difficulties with fedora-idm-console
Message-ID: <29018057.118521200735750977.JavaMail.root@hrndva-web22-z01>

Hi Benny, thanks for responding

---- Benny Chee wrote:
> hi,
> Login username should be "admin".
Tried that first, actually...then tried the cn=Directory Manager after reading this:
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Introduction_to_RHDS-Binding_to_the_Directory_from_RHI_Console.html

> What hostname was given to your ldap
> directory server?

should be 'server'. hostname returns "server.leonhardt.lan" I'm running my own DNS on this box...

> Try putting a hostname to your interface IP address inside
> /etc/hosts and try again.

I'm attaching my /etc/hosts, below are the contents of my install log (sorry crappy rr webmail wouldn't attach):

Thanks again for helping me with this.

Matt

[root at server tmp]# cat setupIx15Y1.log
[08/01/16:20:21:47] - [Setup] Info This program will set up the Fedora Directory and Administration Servers. It is recommended that you have "root" privilege to set up the software. Tips for using this program:
  - Press "Enter" to choose the default and go to the next screen
  - Type "Control-B" then "Enter" to go back to the previous screen
  - Type "Control-C" to cancel the setup program
[08/01/16:20:21:47] - [Setup] Info Would you like to continue with set up?
[08/01/16:20:21:47] - [Setup] Info yes
[08/01/16:20:21:47] - [Setup] Info BY SETTING UP AND USING THIS SOFTWARE YOU ARE CONSENTING TO BE BOUND BY AND ARE BECOMING A PARTY TO THE AGREEMENT FOUND IN THE LICENSE.TXT FILE. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, PLEASE DO NOT SET UP OR USE THIS SOFTWARE.
[08/01/16:20:21:47] - [Setup] Info Do you agree to the license terms?
[08/01/16:20:21:51] - [Setup] Info yes
[08/01/16:20:21:51] - [Setup] Info Your system has been scanned for potential problems, missing patches, etc. The following output is a report of the items found that need to be addressed before running this software in a production environment.
Fedora Directory Server system tuning analysis version 10-AUGUST-2007.
NOTICE : System is i686-unknown-linux2.6.23.9-85.fc8 (1 processor).
WARNING: 503MB of physical memory is available on the system.
1024MB is recommended for best performance on large production system.
NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds (120 minutes). This may cause temporary server congestion from lost client connections.
WARNING: There are only 1024 file descriptors (hard limit) available, which limit the number of simultaneous connections.
WARNING: There are only 1024 file descriptors (soft limit) available, which limit the number of simultaneous connections.
[08/01/16:20:21:51] - [Setup] Info Would you like to continue?
[08/01/16:20:21:53] - [Setup] Info yes
[08/01/16:20:21:53] - [Setup] Info Choose a setup type:
  1. Express Allows you to quickly set up the servers using the most common options and pre-defined defaults. Useful for quick evaluation of the products.
  2. Typical Allows you to specify common defaults and options.
  3. Custom Allows you to specify more advanced options. This is recommended for experienced server administrators only.
To accept the default shown in brackets, press the Enter key.
[08/01/16:20:21:53] - [Setup] Info Choose a setup type
[08/01/16:20:21:55] - [Setup] Info 2
[08/01/16:20:21:55] - [Setup] Info Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form . Example: eros.example.com. To accept the default shown in brackets, press the Enter key.
[08/01/16:20:21:55] - [Setup] Info Computer name
[08/01/16:20:22:05] - [Setup] Info server.leonhardt.lan
[08/01/16:20:22:05] - [Setup] Info The servers must run as a specific user in a specific group. It is strongly recommended that this user should have no privileges on the computer (i.e. a non-root user). The setup procedure will give this user/group some permissions in specific paths/files to perform server-specific operations. If you have not yet created a user and group for the servers, create this user and group using your native operating system utilities.
[08/01/16:20:22:05] - [Setup] Info System User
[08/01/16:20:22:07] - [Setup] Info nobody
[08/01/16:20:22:07] - [Setup] Info System Group
[08/01/16:20:22:07] - [Setup] Info nobody
[08/01/16:20:22:07] - [Setup] Info Server information is stored in the configuration directory server. This information is used by the console and administration server to configure and manage your servers. If you have already set up a configuration directory server, you should register any servers you set up or create with the configuration server. To do so, the following information about the configuration server is required: the fully qualified host name of the form .(e.g. hostname.example.com), the port number (default 389), the suffix, the DN and password of a user having permission to write the configuration information, usually the configuration directory administrator, and if you are using security (TLS/SSL). If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port number (default 636) instead of the regular LDAP port number, and provide the CA certificate (in PEM/ASCII format). If you do not yet have a configuration directory server, enter 'No' to be prompted to set up one.
[08/01/16:20:22:07] - [Setup] Info Do you want to register this software with an existing configuration directory server?
[08/01/16:20:22:14] - [Setup] Info no
[08/01/16:20:22:14] - [Setup] Info Please enter the administrator ID for the configuration directory server. This is the ID typically used to log in to the console. You will also be prompted for the password.
[08/01/16:20:22:14] - [Setup] Info Configuration directory server administrator ID
[08/01/16:20:22:15] - [Setup] Info admin
[08/01/16:20:22:15] - [Setup] Info Password
[08/01/16:20:22:18] - [Setup] Info Password (confirm)
[08/01/16:20:22:20] - [Setup] Info The information stored in the configuration directory server can be separated into different Administration Domains.
If you are managing multiple software releases at the same time, or managing information about multiple domains, you may use the Administration Domain to keep them separate. If you are not using administrative domains, press Enter to select the default. Otherwise, enter some descriptive, unique name for the administration domain, such as the name of the organization responsible for managing the domain.
[08/01/16:20:22:20] - [Setup] Info Administration Domain
[08/01/16:20:22:30] - [Setup] Info leonhardt.lan
[08/01/16:20:22:30] - [Setup] Info The standard directory server network port number is 389. However, if you are not logged as the superuser, or port 389 is in use, the default value will be a random unused port number greater than 1024. If you want to use port 389, make sure that you are logged in as the superuser, that port 389 is not in use.
[08/01/16:20:22:30] - [Setup] Info Directory server network port
[08/01/16:20:22:31] - [Setup] Info 389
[08/01/16:20:22:31] - [Setup] Info Each instance of a directory server requires a unique identifier. This identifier is used to name the various instance specific files and directories in the file system, as well as for other uses as a server instance identifier.
[08/01/16:20:22:31] - [Setup] Info Directory server identifier
[08/01/16:20:22:36] - [Setup] Info server
[08/01/16:20:22:36] - [Setup] Info The suffix is the root of your directory tree. The suffix must be a valid DN. It is recommended that you use the dc=domaincomponent suffix convention. For example, if your domain is example.com, you should use dc=example,dc=com for your suffix. Setup will create this initial suffix for you, but you may have more than one suffix. Use the directory server utilities to create additional suffixes.
[08/01/16:20:22:36] - [Setup] Info Suffix
[08/01/16:20:22:45] - [Setup] Info dc=leonhardt, dc=lan
[08/01/16:20:22:45] - [Setup] Info Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a bind Distinguished Name (DN) of cn=Directory Manager. You will also be prompted for the password for this user. The password must be at least 8 characters long, and contain no spaces.
[08/01/16:20:22:45] - [Setup] Info Directory Manager DN
[08/01/16:20:22:54] - [Setup] Info cn=Directory Manager
[08/01/16:20:22:54] - [Setup] Info Password
[08/01/16:20:22:59] - [Setup] Warning The password contains invalid characters. Please choose another one.
[08/01/16:20:22:59] - [Setup] Info Password
[08/01/16:20:23:02] - [Setup] Info Password (confirm)
[08/01/16:20:23:05] - [Setup] Info The Administration Server is separate from any of your web or application servers since it listens to a different port and access to it is restricted. Pick a port number between 1024 and 65535 to run your Administration Server on. You should NOT use a port number which you plan to run a web or application server on, rather, select a number which you will remember and which will not be used for anything else.
[08/01/16:20:23:05] - [Setup] Info Administration port
[08/01/16:20:23:08] - [Setup] Info 9830
[08/01/16:20:23:08] - [Setup] Info The interactive phase is complete. The script will now set up your servers. Enter No or go Back if you want to change something.
[08/01/16:20:23:08] - [Setup] Info Are you ready to set up your servers?
[08/01/16:20:23:12] - [Setup] Info yes
[08/01/16:20:23:12] - [Setup] Info Creating directory server . . .
[08/01/16:20:23:18] - [Setup] Info Your new DS instance 'server' was successfully created.
[08/01/16:20:23:18] - [Setup] Info Creating the configuration directory server . . .
[08/01/16:20:23:21] - [Setup] Info Beginning Admin Server creation . . .
[08/01/16:20:23:21] - [Setup] Info Creating Admin Server files and directories . . .
[08/01/16:20:23:21] - [Setup] Info Updating adm.conf . . .
[08/01/16:20:23:21] - [Setup] Info Updating admpw . . .
[08/01/16:20:23:21] - [Setup] Info Registering admin server with the configuration directory server . . . [08/01/16:20:23:22] - [Setup] Info Updating adm.conf with information from configuration directory server . . . [08/01/16:20:23:22] - [Setup] Info Updating the configuration for the httpd engine . . . [08/01/16:20:23:22] - [Setup] Info Starting admin server . . . [08/01/16:20:23:23] - [Setup] Info The admin server was successfully started. [08/01/16:20:23:23] - [Setup] Info Admin server was successfully created, configured, and started. [08/01/16:20:23:23] - [Setup] Success Exiting . . . Log file is '/tmp/setupIx15Y1.log' > benny > > On 19/01/2008, leonhardt at hawaii.rr.com wrote: > > > > Hi everyone...I'm new to LDAP and FDS, so please bear with me. > > > > I just install FDS 1.1 on a clean F8 box. I got through the setup scripts > > but when I launch fedora-idm-console, and enter my login info I keep getting > > an Error 400 response. My login looks like this: > > > > User ID: cn=Directory Manager > > Password: ******** > > Administration URL: http://localhost:9830 > > > > I've tried all kinds of variations, username w/o the "cn=", logging in as > > "admin", and every variation of IP/partially/fully-qualified domain name I > > could think of for the box. I've also tried running with '-a' (it didn't > > recognize the -d option, recommended to me by someone in the #fedora-ds > > room). This is my error, no matter what I do: > > > > Can't logon because of an incorrect User ID, > > Incorrect password or Directory problem. > > HttpException: > > Response: HTTP/1.1 400 Bad Request > > Status: 400 > > URL: http:/admin-serv/authenticate > > > > This last line bothers me...it looks as if the console is not even trying > > to pass the login info to a valid URL! 
If I just point my browser at > > http://localhost:9830/ I get the HTML back-end and can authenticate there > > to get into the "Adminsitration Express" tool, so I'm fairly convinced I'm > > using the correct login info... > > > > I's confused... > > > > Matt > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: hosts Type: application/octet-stream Size: 224 bytes Desc: not available URL: From prjctgeek at gmail.com Sat Jan 19 19:14:14 2008 From: prjctgeek at gmail.com (Doug Chapman) Date: Sat, 19 Jan 2008 11:14:14 -0800 Subject: [Fedora-directory-users] Difficulties with fedora-idm-console In-Reply-To: <8201283.105261200710508995.JavaMail.root@hrndva-web22-z01> References: <8201283.105261200710508995.JavaMail.root@hrndva-web22-z01> Message-ID: I had this same same issue until I changed the JAVA variable in the fedora-idm-console script (or you could fix your PATH so the correct jre came first, it's just doing `which java`). On Jan 18, 2008 6:41 PM, wrote: > Hi everyone...I'm new to LDAP and FDS, so please bear with me. > > I just install FDS 1.1 on a clean F8 box. I got through the setup scripts > but when I launch fedora-idm-console, and enter my login info I keep getting > an Error 400 response. My login looks like this: > > User ID: cn=Directory Manager > Password: ******** > Administration URL: http://localhost:9830 > > I've tried all kinds of variations, username w/o the "cn=", logging in as > "admin", and every variation of IP/partially/fully-qualified domain name I > could think of for the box. I've also tried running with '-a' (it didn't > recognize the -d option, recommended to me by someone in the #fedora-ds > room). This is my error, no matter what I do: > > Can't logon because of an incorrect User ID, > Incorrect password or Directory problem. 
> HttpException: > Response: HTTP/1.1 400 Bad Request > Status: 400 > URL: http:/admin-serv/authenticate > > This last line bothers me...it looks as if the console is not even trying > to pass the login info to a valid URL! If I just point my browser at > http://localhost:9830/ I get the HTML back-end and can authenticate there > to get into the "Adminsitration Express" tool, so I'm fairly convinced I'm > using the correct login info... > > I's confused... > > Matt > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From leonhardt at hawaii.rr.com Sat Jan 19 20:32:19 2008 From: leonhardt at hawaii.rr.com (leonhardt at hawaii.rr.com) Date: Sat, 19 Jan 2008 20:32:19 +0000 Subject: [Fedora-directory-users] Difficulties with fedora-idm-console Message-ID: <12310589.150171200774739669.JavaMail.root@hrndva-web22-z01> Thanks Doug...that did the trick. Matt ---- Doug Chapman wrote: > I had this same same issue until I changed the JAVA variable in the > fedora-idm-console script (or you could fix your PATH so the correct jre > came first, it's just doing `which java`). > > On Jan 18, 2008 6:41 PM, wrote: > > > Hi everyone...I'm new to LDAP and FDS, so please bear with me. > > > > I just install FDS 1.1 on a clean F8 box. I got through the setup scripts > > but when I launch fedora-idm-console, and enter my login info I keep getting > > an Error 400 response. My login looks like this: > > > > User ID: cn=Directory Manager > > Password: ******** > > Administration URL: http://localhost:9830 > > > > I've tried all kinds of variations, username w/o the "cn=", logging in as > > "admin", and every variation of IP/partially/fully-qualified domain name I > > could think of for the box. 
I've also tried running with '-a' (it didn't > > recognize the -d option, recommended to me by someone in the #fedora-ds > > room). This is my error, no matter what I do: > > > > Can't logon because of an incorrect User ID, > > Incorrect password or Directory problem. > > HttpException: > > Response: HTTP/1.1 400 Bad Request > > Status: 400 > > URL: http:/admin-serv/authenticate > > > > This last line bothers me...it looks as if the console is not even trying > > to pass the login info to a valid URL! If I just point my browser at > > http://localhost:9830/ I get the HTML back-end and can authenticate there > > to get into the "Administration Express" tool, so I'm fairly convinced I'm > > using the correct login info... > > > > I's confused... > > > > Matt > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > From listbox at hymerfania.com Sat Jan 19 21:42:07 2008 From: listbox at hymerfania.com (Listbox) Date: Sat, 19 Jan 2008 13:42:07 -0800 Subject: [Fedora-directory-users] Can't add users with admin console, perhaps because I have no users in "Directory Administrators" group. Message-ID: <004d01c85ae4$25532b30$1100a8c0@hymesruzicka.org> Hi folks, I've got a bootstrap puzzle using the DS console to create my first users. I can't create Directory Administrators for my domain unless I am logged in as a Directory Administrator for that domain. I'm sure this is really simple, but I know a minimum about ldap management, and I cannot find the relevant docs on what exactly to do. This is a brand new installation of FDS 1.1 with a brand new MIT Kerberos setup on a fresh Fedora 7 install. There are no "people" in the LDAP directory. There aren't even any end users in the /etc/passwd file.
When I try to use the FDS console to create a user in the "People" directory, I get this error dialog after I close the new user form" netscape.ldap.LDAPException: error result (50); Insufficient 'add' privilege to the 'userPassword' attribute I think my slapd error log is telling me that there is no-one in the "Directory Administrators" 'group' for my "hymesruzicka" 'directory'. Thanks for any help! ******************************************* ******************************************* [19/Jan/2008:11:16:39 -0800] NSACLPlugin - Processed attr:userpassword for entry:uid=installer,ou=people,dc=hymesruzicka,dc=org [19/Jan/2008:11:16:39 -0800] NSACLPlugin - 1. Evaluating ALLOW aci(4) " "Directory Administrators Group"" [19/Jan/2008:11:16:39 -0800] NSACLPlugin - Evaluating user uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot in group cn=Directory Administrators,dc=hymesruzicka,dc=org? [19/Jan/2008:11:16:39 -0800] NSACLPlugin - -- In cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot [19/Jan/2008:11:16:39 -0800] NSACLPlugin - -- Not in cn=Directory Administrators,dc=hymesruzicka,dc=org [19/Jan/2008:11:16:39 -0800] NSACLPlugin - Evaluated ACL_FALSE [19/Jan/2008:11:16:39 -0800] NSACLPlugin - conn=14 op=22 (main): Deny add on entry(uid=installer,ou=people,dc=hymesruzicka,dc=org).attr(userpassword) to uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot: no aci matched the subject by aci(4): aciname= "Directory Administrators Group", acidn="dc=hymesruzicka,dc=org" ******************************************* ******************************************* I got a similar error in the log when I tried to create a new ACI for the "hymesruzicka" 'directory' with a user from the "netscaperoot" directory: ******************************************* ******************************************* [19/Jan/2008:13:05:02 -0800] NSACLPlugin - acl_init_userGroup: found in cache for 
dn:uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot [19/Jan/2008:13:05:02 -0800] NSACLPlugin - #### conn=14 op=142 binddn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot" [19/Jan/2008:13:05:02 -0800] NSACLPlugin - Searching AVL tree for update:dc=hymesruzicka,dc=org: container:1 [19/Jan/2008:13:05:02 -0800] NSACLPlugin - Searching AVL tree for update:dc=org: container:-1 [19/Jan/2008:13:05:02 -0800] NSACLPlugin - ************ RESOURCE INFO STARTS ********* [19/Jan/2008:13:05:02 -0800] NSACLPlugin - Client DN: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot [19/Jan/2008:13:05:02 -0800] NSACLPlugin - resource type:256(write target_DN ) [19/Jan/2008:13:05:02 -0800] NSACLPlugin - Slapi_Entry DN: dc=hymesruzicka,dc=org [19/Jan/2008:13:05:02 -0800] NSACLPlugin - ATTR: aci [19/Jan/2008:13:05:02 -0800] NSACLPlugin - rights:write [19/Jan/2008:13:05:02 -0800] NSACLPlugin - ************ RESOURCE INFO ENDS ********* [19/Jan/2008:13:05:02 -0800] NSACLPlugin - Using ACL Cointainer:0 for evaluation [19/Jan/2008:13:05:02 -0800] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Directory Administrators Group"]*** [19/Jan/2008:13:05:02 -0800] NSACLPlugin - ACL Index:4 ACL_ELEVEL:6 [19/Jan/2008:13:05:02 -0800] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule ) [19/Jan/2008:13:05:02 -0800] NSACLPlugin - ACI RULE type:(groupdn ) [19/Jan/2008:13:05:02 -0800] NSACLPlugin - Slapi_Entry DN:dc=hymesruzicka,dc=org [19/Jan/2008:13:05:02 -0800] NSACLPlugin - ***END ACL INFO***************************** [19/Jan/2008:13:05:02 -0800] NSACLPlugin - Num of ALLOW Handles:1, DENY handles:0 [19/Jan/2008:13:05:02 -0800] NSACLPlugin - Processed attr:aci for entry:dc=hymesruzicka,dc=org [19/Jan/2008:13:05:02 -0800] NSACLPlugin - 1. 
Evaluating ALLOW aci(4) " "Directory Administrators Group"" [19/Jan/2008:13:05:02 -0800] NSACLPlugin - Evaluating user uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot in group cn=Directory Administrators,dc=hymesruzicka,dc=org? [19/Jan/2008:13:05:02 -0800] NSACLPlugin - -- In cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot [19/Jan/2008:13:05:02 -0800] NSACLPlugin - -- Not in cn=Directory Administrators,dc=hymesruzicka,dc=org [19/Jan/2008:13:05:02 -0800] NSACLPlugin - Evaluated ACL_FALSE [19/Jan/2008:13:05:02 -0800] NSACLPlugin - conn=14 op=142 (main): Deny write on entry(dc=hymesruzicka,dc=org).attr(aci) to uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot: no aci matched the subject by aci(4): aciname= "Directory Administrators Group", acidn="dc=hymesruzicka,dc=org" From carlopmart at gmail.com Sun Jan 20 08:51:33 2008 From: carlopmart at gmail.com (carlopmart) Date: Sun, 20 Jan 2008 09:51:33 +0100 Subject: [Fedora-directory-users] Changing ip and ports on FDS is listening Message-ID: <47930B95.3040803@gmail.com> Hi all, Where I can find docs about changing ip and ports wheres fds process are listening?? I need to configure port ldap to listen only on 127.0.0.1, and ldaps to listen on host ip. Thanks. -- CL Martinez carlopmart {at} gmail {d0t} com From carlopmart at gmail.com Sun Jan 20 08:52:14 2008 From: carlopmart at gmail.com (carlopmart) Date: Sun, 20 Jan 2008 09:52:14 +0100 Subject: [Fedora-directory-users] Re: Changing ip and ports on FDS is listening In-Reply-To: <47930B95.3040803@gmail.com> References: <47930B95.3040803@gmail.com> Message-ID: <47930BBE.10704@gmail.com> carlopmart wrote: > Hi all, > > Where I can find docs about changing ip and ports wheres fds process > are listening?? I need to configure port ldap to listen only on > 127.0.0.1, and ldaps to listen on host ip. > > Thanks. > oops, sorry. 
I am using FDS 1.1 -- CL Martinez carlopmart {at} gmail {d0t} com From chee.benny at gmail.com Mon Jan 21 05:46:58 2008 From: chee.benny at gmail.com (Benny Chee) Date: Mon, 21 Jan 2008 13:46:58 +0800 Subject: [Fedora-directory-users] Adding additional maxage attribute for changelog Message-ID: <700685de0801202146l4b531c00t31c27fa4efb1b8d1@mail.gmail.com> Hi, I enabled the retro changelog plugin and would also like to use the maxage attribute to control the growth of the changelog table. I read an online document on getting it trimmed, but not sure how do i execute it on the console, esp adding the attribute portion. I could not find the attribute name with the list given. https://www.d2om.com/docs/manuals/dir-server/ag/8.0/Using_the_Retro_Changelog_Plug_in-Trimming_the_Retro_Changelog.html nsslapd-changelogmaxage: 2d Any help? benny -------------- next part -------------- An HTML attachment was scrubbed... URL: From chymes at hymerfania.com Sat Jan 19 21:17:47 2008 From: chymes at hymerfania.com (Charles Hymes) Date: Sat, 19 Jan 2008 13:17:47 -0800 Subject: [Fedora-directory-users] Can't add users with admin console, perhaps because I have no use rs in "Directory Administrators" group. Message-ID: Hi folks, I've got a bootstrap puzzle using the DS console to create my first users. I can't create Directory Administrators for my domain unless I am logged in as a Directory Administrator for that domain. I'm sure this is really simple, but I know a minimum about ldap management, and I cannot find the relevant docs on what exactly to do. This is a brand new installation of FDS 1.1 with a brand new MIT Kerberos setup on a fresh Fedora 7 install. There are no "people" in the LDAP directory. There aren't even any end users in the /etc/passwd file. 
When I try to use the FDS console to create a user in the "People" directory, I get this error dialog after I close the new user form" netscape.ldap.LDAPException: error result (50); Insufficent 'add' privilige to the 'userPassword'attribute I think my slapd error log is telling me that there is no-one in the "Directory Administrators" 'group' for my "hymesruzicka" 'directory'. [19/Jan/2008:11:16:39 -0800] NSACLPlugin - Processed attr:userpassword for entry:uid=installer,ou=people,dc=hymesruzicka,dc=org [19/Jan/2008:11:16:39 -0800] NSACLPlugin - 1. Evaluating ALLOW aci(4) " "Directory Administrators Group"" [19/Jan/2008:11:16:39 -0800] NSACLPlugin - Evaluating user uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot in group cn=Directory Administrators,dc=hymesruzicka,dc=org? [19/Jan/2008:11:16:39 -0800] NSACLPlugin - -- In cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot [19/Jan/2008:11:16:39 -0800] NSACLPlugin - -- Not in cn=Directory Administrators,dc=hymesruzicka,dc=org [19/Jan/2008:11:16:39 -0800] NSACLPlugin - Evaluated ACL_FALSE [19/Jan/2008:11:16:39 -0800] NSACLPlugin - conn=14 op=22 (main): Deny add on entry(uid=installer,ou=people,dc=hymesruzicka,dc=org).attr(userpassword) to uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot: no aci matched the subject by aci(4): aciname= "Directory Administrators Group", acidn="dc=hymesruzicka,dc=org" I get a similar error in the log when I try to create a new aci for the "hymesruzicka" 'directory'with a user from the "netscaperoot" directory: [19/Jan/2008:13:05:02 -0800] NSACLPlugin - acl_init_userGroup: found in cache for dn:uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot [19/Jan/2008:13:05:02 -0800] NSACLPlugin - #### conn=14 op=142 binddn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot" [19/Jan/2008:13:05:02 -0800] NSACLPlugin - Searching AVL tree for update:dc=hymesruzicka,dc=org: container:1 [19/Jan/2008:13:05:02 -0800] 
NSACLPlugin - Searching AVL tree for update:dc=org: container:-1 [19/Jan/2008:13:05:02 -0800] NSACLPlugin - ************ RESOURCE INFO STARTS ********* [19/Jan/2008:13:05:02 -0800] NSACLPlugin - Client DN: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot [19/Jan/2008:13:05:02 -0800] NSACLPlugin - resource type:256(write target_DN ) [19/Jan/2008:13:05:02 -0800] NSACLPlugin - Slapi_Entry DN: dc=hymesruzicka,dc=org [19/Jan/2008:13:05:02 -0800] NSACLPlugin - ATTR: aci [19/Jan/2008:13:05:02 -0800] NSACLPlugin - rights:write [19/Jan/2008:13:05:02 -0800] NSACLPlugin - ************ RESOURCE INFO ENDS ********* [19/Jan/2008:13:05:02 -0800] NSACLPlugin - Using ACL Cointainer:0 for evaluation [19/Jan/2008:13:05:02 -0800] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Directory Administrators Group"]*** [19/Jan/2008:13:05:02 -0800] NSACLPlugin - ACL Index:4 ACL_ELEVEL:6 [19/Jan/2008:13:05:02 -0800] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule ) [19/Jan/2008:13:05:02 -0800] NSACLPlugin - ACI RULE type:(groupdn ) [19/Jan/2008:13:05:02 -0800] NSACLPlugin - Slapi_Entry DN:dc=hymesruzicka,dc=org [19/Jan/2008:13:05:02 -0800] NSACLPlugin - ***END ACL INFO***************************** [19/Jan/2008:13:05:02 -0800] NSACLPlugin - Num of ALLOW Handles:1, DENY handles:0 [19/Jan/2008:13:05:02 -0800] NSACLPlugin - Processed attr:aci for entry:dc=hymesruzicka,dc=org [19/Jan/2008:13:05:02 -0800] NSACLPlugin - 1. Evaluating ALLOW aci(4) " "Directory Administrators Group"" [19/Jan/2008:13:05:02 -0800] NSACLPlugin - Evaluating user uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot in group cn=Directory Administrators,dc=hymesruzicka,dc=org? 
[19/Jan/2008:13:05:02 -0800] NSACLPlugin - -- In cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot [19/Jan/2008:13:05:02 -0800] NSACLPlugin - -- Not in cn=Directory Administrators,dc=hymesruzicka,dc=org [19/Jan/2008:13:05:02 -0800] NSACLPlugin - Evaluated ACL_FALSE [19/Jan/2008:13:05:02 -0800] NSACLPlugin - conn=14 op=142 (main): Deny write on entry(dc=hymesruzicka,dc=org).attr(aci) to uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot: no aci matched the subject by aci(4): aciname= "Directory Administrators Group", acidn="dc=hymesruzicka,dc=org" From wilde at intevation.de Mon Jan 21 13:30:42 2008 From: wilde at intevation.de (Sascha Wilde) Date: Mon, 21 Jan 2008 14:30:42 +0100 Subject: [Fedora-directory-users] unsubscribe In-Reply-To: (fedora-directory-users-request@redhat.com's message of "Thu, 03 May 2007 10:31:50 -0400") References: Message-ID: unsubscribe fedora-directory-users-request at redhat.com writes: > Welcome to the Fedora-directory-users at redhat.com mailing list! > > To post to this list, send your email to: > > fedora-directory-users at redhat.com > > General information about the mailing list is at: > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > If you ever want to unsubscribe or change your options (eg, switch to > or from digest mode, change your password, etc.), visit your > subscription page at: > > https://www.redhat.com/mailman/options/fedora-directory-users/wilde%40intevation.de > > > You can also make such adjustments via email by sending a message to: > > Fedora-directory-users-request at redhat.com > > with the word `help' in the subject or body (don't include the > quotes), and you will get back a message with instructions. > > You must know your password to change your options (including changing > the password, itself) or to unsubscribe. 
It is: > > q/slci > > Normally, Mailman will remind you of your redhat.com mailing list > passwords once every month, although you can disable this if you > prefer. This reminder will also include instructions on how to > unsubscribe or change your account options. There is also a button on > your options page that will email your current password to you. > > <#secure method=pgpmime mode=sign> -- Sascha Wilde OpenPGP key: 4BB86568 Intevation GmbH, Osnabrück http://www.intevation.de/~wilde/ Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/ Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From jay.coleman at cctechnol.com Mon Jan 21 17:16:57 2008 From: jay.coleman at cctechnol.com (Jeremiah Coleman) Date: Mon, 21 Jan 2008 11:16:57 -0600 Subject: [Fedora-directory-users] excessive clock skew problem with MMR Message-ID: <1200935817.3864.27.camel@europa.cctechnol.com> My 2 FDS systems will no longer replicate, due to excessive clock skew. Specifically, this is what I get in the log: [21/Jan/2008:11:03:53 -0600] NSMMReplicationPlugin - conn=15 op=3 replica="dc=cctechnol,dc=com": Unable to acquire replica: error: excessive clock skew [21/Jan/2008:11:03:53 -0600] - csngen_adjust_time: adjustment limit exceeded; value - 1872704, limit - 86400 [21/Jan/2008:11:03:53 -0600] NSMMReplicationPlugin - conn=16 op=3 replica="dc=cctechnol,dc=com": Unable to acquire replica: error: excessive clock skew [21/Jan/2008:11:03:55 -0600] - csngen_adjust_time: adjustment limit exceeded; value - 1872702, limit - 86400 [21/Jan/2008:11:03:55 -0600] NSMMReplicationPlugin - conn=17 op=3 replica="dc=cctechnol,dc=com": Unable to acquire replica: error: excessive clock skew I found a discussion of this problem in the archives, but the solution I found there did not work for me. I removed the replication agreements, shutdown the servers, exported the userRoot database from one and imported it to the other. Deleted everything in changelogdb.
Restarted the servers and added the replication agreement. Same error. Anyone know of something else to try? Thanks, Jay -- Jeremiah Coleman Systems Administrator C & C Technologies 337-261-0660 x3421 jcoleman at cctechnol.com From howard at cohtech.com Mon Jan 21 17:26:26 2008 From: howard at cohtech.com (Howard Wilkinson) Date: Mon, 21 Jan 2008 17:26:26 +0000 Subject: [Fedora-directory-users] Trying to build idm-console-framework from SRPMS fails on Fedora 7 Message-ID: <4794D5C2.9070400@cohtech.com> I have been trying to build the idm-console-framework for fedora 7+ and get the following warnings and failures - Any suggestions about how I get past these? -- Howard Wilkinson Phone: +44(20)76907075 Coherent Technology Limited Fax: 23 Northampton Square, Mobile: +44(7980)639379 United Kingdom, EC1V 0HL Email: howard at cohtech.com -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: idm-console-framework.log URL: From rcritten at redhat.com Mon Jan 21 17:43:11 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 21 Jan 2008 12:43:11 -0500 Subject: [Fedora-directory-users] Trying to build idm-console-framework from SRPMS fails on Fedora 7 In-Reply-To: <4794D5C2.9070400@cohtech.com> References: <4794D5C2.9070400@cohtech.com> Message-ID: <4794D9AF.2000503@redhat.com> Howard Wilkinson wrote: > I have been trying to build the idm-console-framework for fedora 7+ and > get the following warnings and failures - Any suggestions about how I > get past these? > -- What JDK are you building with? It almost certainly won't build with gcj. rob -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From howard at cohtech.com Mon Jan 21 17:58:40 2008 From: howard at cohtech.com (Howard Wilkinson) Date: Mon, 21 Jan 2008 17:58:40 +0000 Subject: [Fedora-directory-users] Trying to build idm-console-framework from SRPMS fails on Fedora 7 In-Reply-To: <4794D9AF.2000503@redhat.com> References: <4794D5C2.9070400@cohtech.com> <4794D9AF.2000503@redhat.com> Message-ID: <4794DD50.7050008@cohtech.com> Rob Crittenden wrote: > Howard Wilkinson wrote: >> I have been trying to build the idm-console-framework for fedora 7+ >> and get the following warnings and failures - Any suggestions about >> how I get past these? >> -- > > What JDK are you building with? It almost certainly won't build with gcj. > > rob > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > I am using the default Fedora 7 install ... if I need to fix this I need an SRPMS to install the packages and then to fix the idm-console-framekwork SRPMS to use them ... so any suggestions? -- Howard Wilkinson Phone: +44(20)76907075 Coherent Technology Limited Fax: 23 Northampton Square, Mobile: +44(7980)639379 United Kingdom, EC1V 0HL Email: howard at cohtech.com -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From rcritten at redhat.com Mon Jan 21 18:05:29 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 21 Jan 2008 13:05:29 -0500 Subject: [Fedora-directory-users] Trying to build idm-console-framework from SRPMS fails on Fedora 7 In-Reply-To: <4794DD50.7050008@cohtech.com> References: <4794D5C2.9070400@cohtech.com> <4794D9AF.2000503@redhat.com> <4794DD50.7050008@cohtech.com> Message-ID: <4794DEE9.3090507@redhat.com> Howard Wilkinson wrote: > Rob Crittenden wrote: >> Howard Wilkinson wrote: >>> I have been trying to build the idm-console-framework for fedora 7+ >>> and get the following warnings and failures - Any suggestions about >>> how I get past these? >>> -- >> >> What JDK are you building with? It almost certainly won't build with gcj. >> >> rob >> >> ------------------------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > I am using the default Fedora 7 install ... if I need to fix this I need > an SRPMS to install the packages and then to fix the > idm-console-framekwork SRPMS to use them ... so any suggestions? You've found the reason that the console isn't provided on F-7. There isn't a free JDK that can build it currently available for F-7. You'd have to start by backporting IcedTea from F-8 to F-7. Or you can install a proprietary JDK and build it that way. I don't think console will run with gcj either still so you'd need the JRE/JDK installed to run console as well. rob -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From howard at cohtech.com Mon Jan 21 18:17:24 2008 From: howard at cohtech.com (Howard Wilkinson) Date: Mon, 21 Jan 2008 18:17:24 +0000 Subject: [Fedora-directory-users] Trying to build idm-console-framework from SRPMS fails on Fedora 7 In-Reply-To: <4794DEE9.3090507@redhat.com> References: <4794D5C2.9070400@cohtech.com> <4794D9AF.2000503@redhat.com> <4794DD50.7050008@cohtech.com> <4794DEE9.3090507@redhat.com> Message-ID: <4794E1B4.1090709@cohtech.com> Rob Crittenden wrote: > Howard Wilkinson wrote: >> Rob Crittenden wrote: >>> Howard Wilkinson wrote: >>>> I have been trying to build the idm-console-framework for fedora 7+ >>>> and get the following warnings and failures - Any suggestions about >>>> how I get past these? >>>> -- >>> >>> What JDK are you building with? It almost certainly won't build with >>> gcj. >>> >>> rob >>> >>> ------------------------------------------------------------------------ >>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >> I am using the default Fedora 7 install ... if I need to fix this I >> need an SRPMS to install the packages and then to fix the >> idm-console-framekwork SRPMS to use them ... so any suggestions? > > You've found the reason that the console isn't provided on F-7. There > isn't a free JDK that can build it currently available for F-7. You'd > have to start by backporting IcedTea from F-8 to F-7. > > Or you can install a proprietary JDK and build it that way. I don't > think console will run with gcj either still so you'd need the JRE/JDK > installed to run console as well. 
> > rob > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > Is the back port just a single package or do I need to recreate Fedora 8? -- Howard Wilkinson Phone: +44(20)76907075 Coherent Technology Limited Fax: 23 Northampton Square, Mobile: +44(7980)639379 United Kingdom, EC1V 0HL Email: howard at cohtech.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Mon Jan 21 19:23:44 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 21 Jan 2008 14:23:44 -0500 Subject: [Fedora-directory-users] Trying to build idm-console-framework from SRPMS fails on Fedora 7 In-Reply-To: <4794E1B4.1090709@cohtech.com> References: <4794D5C2.9070400@cohtech.com> <4794D9AF.2000503@redhat.com> <4794DD50.7050008@cohtech.com> <4794DEE9.3090507@redhat.com> <4794E1B4.1090709@cohtech.com> Message-ID: <4794F140.10505@redhat.com> Howard Wilkinson wrote: > Rob Crittenden wrote: >> Howard Wilkinson wrote: >>> Rob Crittenden wrote: >>>> Howard Wilkinson wrote: >>>>> I have been trying to build the idm-console-framework for fedora 7+ >>>>> and get the following warnings and failures - Any suggestions about >>>>> how I get past these? >>>>> -- >>>> >>>> What JDK are you building with? It almost certainly won't build with >>>> gcj. >>>> >>>> rob >>>> >>>> ------------------------------------------------------------------------ >>>> >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>> I am using the default Fedora 7 install ... if I need to fix this I >>> need an SRPMS to install the packages and then to fix the >>> idm-console-framekwork SRPMS to use them ... so any suggestions? 
>> >> You've found the reason that the console isn't provided on F-7. There >> isn't a free JDK that can build it currently available for F-7. You'd >> have to start by backporting IcedTea from F-8 to F-7. >> >> Or you can install a proprietary JDK and build it that way. I don't >> think console will run with gcj either still so you'd need the JRE/JDK >> installed to run console as well. >> >> rob >> >> ------------------------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > Is the back port just a single package or do I need to recreate Fedora 8? > I don't know, it could be a can of worms. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From edlinuxguru at gmail.com Mon Jan 21 21:06:14 2008 From: edlinuxguru at gmail.com (Eddie C) Date: Mon, 21 Jan 2008 16:06:14 -0500 Subject: [Fedora-directory-users] excessive clock skew problem with MMR In-Reply-To: <1200935817.3864.27.camel@europa.cctechnol.com> References: <1200935817.3864.27.camel@europa.cctechnol.com> Message-ID: Many things break down due to clock skew. Would it the source of the clock skew? Why not start with that? Edward On Jan 21, 2008 12:16 PM, Jeremiah Coleman wrote: > > My 2 FDS systems will no longer replicate, due to excessive clock skew. 
> Specifically, this is what I get in the log: > > [21/Jan/2008:11:03:53 -0600] NSMMReplicationPlugin - conn=15 op=3 > replica="dc=cctechnol,dc=com": Unable to acquire replica: error: > excessive clock skew > [21/Jan/2008:11:03:53 -0600] - csngen_adjust_time: adjustment limit > exceeded; value - 1872704, limit - 86400 > [21/Jan/2008:11:03:53 -0600] NSMMReplicationPlugin - conn=16 op=3 > replica="dc=cctechnol,dc=com": Unable to acquire replica: error: > excessive clock skew > [21/Jan/2008:11:03:55 -0600] - csngen_adjust_time: adjustment limit > exceeded; value - 1872702, limit - 86400 > [21/Jan/2008:11:03:55 -0600] NSMMReplicationPlugin - conn=17 op=3 > replica="dc=cctechnol,dc=com": Unable to acquire replica: error: > excessive clock skew > > I found a discussion of this problem in the archives, but the solution I > found there did not work for me. I removed the replication agreements, > shutdown the servers, exported the userRoot database from one and > imported it to the other. Deleted everything in changelogdb. Restarted > the servers and added the replication agreement. Same error. > > Anyone know of something else to try? > > Thanks, > Jay > > -- > Jeremiah Coleman > Systems Administrator > C & C Technologies > 337-261-0660 x3421 > jcoleman at cctechnol.com > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From dandantheitman at gmail.com Mon Jan 21 21:20:05 2008 From: dandantheitman at gmail.com (dandantheitman) Date: Mon, 21 Jan 2008 16:20:05 -0500 Subject: [Fedora-directory-users] excessive clock skew problem with MMR In-Reply-To: References: <1200935817.3864.27.camel@europa.cctechnol.com> Message-ID: <9ee13d4f0801211320u4acc6732webcf55ce371e321f@mail.gmail.com> Eddie is correct, you need to resolve the clock skew before you try to tackle the Fedora DS issue. I had the same issue with a time skew. 
My problem was related to the fact that I had one of the boxes in one office in a VM. Dan On 21/01/2008, Eddie C wrote: > Many things break down due to clock skew. Would it the source of the > clock skew? Why not start with that? > > Edward > > On Jan 21, 2008 12:16 PM, Jeremiah Coleman wrote: > > > > My 2 FDS systems will no longer replicate, due to excessive clock skew. > > Specifically, this is what I get in the log: > > > > [21/Jan/2008:11:03:53 -0600] NSMMReplicationPlugin - conn=15 op=3 > > replica="dc=cctechnol,dc=com": Unable to acquire replica: error: > > excessive clock skew > > [21/Jan/2008:11:03:53 -0600] - csngen_adjust_time: adjustment limit > > exceeded; value - 1872704, limit - 86400 > > [21/Jan/2008:11:03:53 -0600] NSMMReplicationPlugin - conn=16 op=3 > > replica="dc=cctechnol,dc=com": Unable to acquire replica: error: > > excessive clock skew > > [21/Jan/2008:11:03:55 -0600] - csngen_adjust_time: adjustment limit > > exceeded; value - 1872702, limit - 86400 > > [21/Jan/2008:11:03:55 -0600] NSMMReplicationPlugin - conn=17 op=3 > > replica="dc=cctechnol,dc=com": Unable to acquire replica: error: > > excessive clock skew > > > > I found a discussion of this problem in the archives, but the solution I > > found there did not work for me. I removed the replication agreements, > > shutdown the servers, exported the userRoot database from one and > > imported it to the other. Deleted everything in changelogdb. Restarted > > the servers and added the replication agreement. Same error. > > > > Anyone know of something else to try? 
> > > > Thanks, > > Jay > > > > -- > > Jeremiah Coleman > > Systems Administrator > > C & C Technologies > > 337-261-0660 x3421 > > jcoleman at cctechnol.com > > > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -- _____________________________________________________________ " They that can give up liberty to obtain a little temporary safety deserve neither liberty nor safety. Benjamin Franklin 1706 - 1790 From dandantheitman at gmail.com Mon Jan 21 21:24:14 2008 From: dandantheitman at gmail.com (dandantheitman) Date: Mon, 21 Jan 2008 16:24:14 -0500 Subject: [Fedora-directory-users] excessive clock skew problem with MMR In-Reply-To: <1200935817.3864.27.camel@europa.cctechnol.com> References: <1200935817.3864.27.camel@europa.cctechnol.com> Message-ID: <9ee13d4f0801211324t479818c8qa1af2287a44d3d7@mail.gmail.com> My VM time skew issue, was not because it was a VM in and of itself issue, I resolved it by installing vm tools on it. Once this was resolved, I made sure that both my boxes were pointing to my ntp server. after that I back up lse.ldif file, and tar ed up the /opt/fedora-ds directory. Then I blew the whole Directory server away, and rebuilt it from scratch, and restored the ldap and have not had any problems with it since. Dan On 21/01/2008, Jeremiah Coleman wrote: > > My 2 FDS systems will no longer replicate, due to excessive clock skew. 
> Specifically, this is what I get in the log: > > [21/Jan/2008:11:03:53 -0600] NSMMReplicationPlugin - conn=15 op=3 > replica="dc=cctechnol,dc=com": Unable to acquire replica: error: > excessive clock skew > [21/Jan/2008:11:03:53 -0600] - csngen_adjust_time: adjustment limit > exceeded; value - 1872704, limit - 86400 > [21/Jan/2008:11:03:53 -0600] NSMMReplicationPlugin - conn=16 op=3 > replica="dc=cctechnol,dc=com": Unable to acquire replica: error: > excessive clock skew > [21/Jan/2008:11:03:55 -0600] - csngen_adjust_time: adjustment limit > exceeded; value - 1872702, limit - 86400 > [21/Jan/2008:11:03:55 -0600] NSMMReplicationPlugin - conn=17 op=3 > replica="dc=cctechnol,dc=com": Unable to acquire replica: error: > excessive clock skew > > I found a discussion of this problem in the archives, but the solution I > found there did not work for me. I removed the replication agreements, > shutdown the servers, exported the userRoot database from one and > imported it to the other. Deleted everything in changelogdb. Restarted > the servers and added the replication agreement. Same error. > > Anyone know of something else to try? > > Thanks, > Jay > > -- > Jeremiah Coleman > Systems Administrator > C & C Technologies > 337-261-0660 x3421 > jcoleman at cctechnol.com > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -- _____________________________________________________________ " They that can give up liberty to obtain a little temporary safety deserve neither liberty nor safety. 
Benjamin Franklin 1706 - 1790 From jay.coleman at cctechnol.com Mon Jan 21 21:29:42 2008 From: jay.coleman at cctechnol.com (Jeremiah Coleman) Date: Mon, 21 Jan 2008 15:29:42 -0600 Subject: [Fedora-directory-users] excessive clock skew problem with MMR In-Reply-To: <9ee13d4f0801211324t479818c8qa1af2287a44d3d7@mail.gmail.com> References: <1200935817.3864.27.camel@europa.cctechnol.com> <9ee13d4f0801211324t479818c8qa1af2287a44d3d7@mail.gmail.com> Message-ID: <1200950982.3864.39.camel@europa.cctechnol.com> That's what I'm trying to avoid. The clock skew was caused by vmware, but I've gotten that settled down. Unfortunately, there's something in FDS (csngen_adjust_time?) that seems to be stuck. I'm not sure what it is referencing, as the clocks between the two are on time, now. Thanks, Jay On Mon, 2008-01-21 at 16:24 -0500, dandantheitman wrote: > My VM time skew issue, was not because it was a VM in and of itself > issue, I resolved it by installing vm tools on it. Once this was > resolved, I made sure that both my boxes were pointing to my ntp > server. > > after that I back up lse.ldif file, and tar ed up the /opt/fedora-ds > directory. Then I blew the whole Directory server away, and rebuilt > it from scratch, and restored the ldap and have not had any problems > with it since. > > Dan > > On 21/01/2008, Jeremiah Coleman wrote: > > > > My 2 FDS systems will no longer replicate, due to excessive clock skew. 
> > Specifically, this is what I get in the log: > > > > [21/Jan/2008:11:03:53 -0600] NSMMReplicationPlugin - conn=15 op=3 > > replica="dc=cctechnol,dc=com": Unable to acquire replica: error: > > excessive clock skew > > [21/Jan/2008:11:03:53 -0600] - csngen_adjust_time: adjustment limit > > exceeded; value - 1872704, limit - 86400 > > [21/Jan/2008:11:03:53 -0600] NSMMReplicationPlugin - conn=16 op=3 > > replica="dc=cctechnol,dc=com": Unable to acquire replica: error: > > excessive clock skew > > [21/Jan/2008:11:03:55 -0600] - csngen_adjust_time: adjustment limit > > exceeded; value - 1872702, limit - 86400 > > [21/Jan/2008:11:03:55 -0600] NSMMReplicationPlugin - conn=17 op=3 > > replica="dc=cctechnol,dc=com": Unable to acquire replica: error: > > excessive clock skew > > > > I found a discussion of this problem in the archives, but the solution I > > found there did not work for me. I removed the replication agreements, > > shutdown the servers, exported the userRoot database from one and > > imported it to the other. Deleted everything in changelogdb. Restarted > > the servers and added the replication agreement. Same error. > > > > Anyone know of something else to try? > > > > Thanks, > > Jay > > > > -- > > Jeremiah Coleman > > Systems Administrator > > C & C Technologies > > 337-261-0660 x3421 > > jcoleman at cctechnol.com > > > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- Jeremiah Coleman Systems Administrator C & C Technologies 337-261-0660 x3421 jcoleman at cctechnol.com From listbox at hymerfania.com Mon Jan 21 23:27:20 2008 From: listbox at hymerfania.com (Listbox) Date: Mon, 21 Jan 2008 15:27:20 -0800 Subject: [Fedora-directory-users] Can't create users, time for complete wipe and re-install? Message-ID: <009201c85c85$2cd213b0$1100a8c0@hymesruzicka.org> Hi folks, I'm really stumped by this "Insufficient 'add' privilege" problem. 
I can create all the "Administrators" I want for the netscaperoot directory, but none of those users can: A) Create new users for my hymesruzicka directory B) Create a new "Directory Administrator" for my hymesruzicka directory C) Grant "'add' privilege" to my existing "Configuration Administrator" my hymesruzicka directory D) Add a user from the netscaperoot users to my hymesruzicka directory "Directory Administrator" group E) Modify or add the existing ACLs for my hymesruzicka directory Is there a way to create a new "Directory Administrator" and other users? If not, and we have to wipe and re-install from scratch, what must we do to ensure that we can create users and administrators for our directory? Thanks! From beavrz1 at yahoo.com Mon Jan 21 23:47:08 2008 From: beavrz1 at yahoo.com (Jason Beavers) Date: Mon, 21 Jan 2008 15:47:08 -0800 (PST) Subject: [Fedora-directory-users] Unidirectional Windows Sync possible Message-ID: <970904.5913.qm@web50903.mail.re2.yahoo.com> Hi All, Probably been asked before but i didn't quite find the answer i was looking for by searching. Is it possible to configure a Unidirectional Windows Sync agreement? Scenario: Large Enterprise with fully deployed Windows AD We would like to develop an application that runs off of Fedora DS, and allows the users to login using their normal AD credentials. We'll be storing alot of application specific data about each user, (preferences, settings, etc) in FedoraDS and are prohibited from writing anything back to AD. Which pretty much rules out modifying the AD schema, or writing changes back to AD (corporate mandate, don't ask). So basically what i'm asking is whether its possible to configure Windows Sync such that Users (and passwords) can be sync'd over from AD to FDS but not the other way around. This way all user management (creation, password changes, etc) always happens in AD and we only sync over the authentication credentials, leaving the other stuff to FDS. Make sense? Thoughts? 
Thanks in advance From chee.benny at gmail.com Tue Jan 22 10:32:36 2008 From: chee.benny at gmail.com (Benny Chee) Date: Tue, 22 Jan 2008 18:32:36 +0800 Subject: [Fedora-directory-users] lastchangenumber and cn=changelog value do not match Message-ID: <700685de0801220232w1c75c0f0t8cc25bdeec9daf9d@mail.gmail.com> Hi, I believe I've a corrupted changelog DB as my lastchangenumber and the cn=changelog value do not match. How do I restart the numbering and re-initialize the changelog DB? benny From gregory_laroche at yahoo.fr Tue Jan 22 10:44:40 2008 From: gregory_laroche at yahoo.fr (gregory LAROCHE) Date: Tue, 22 Jan 2008 11:44:40 +0100 (CET) Subject: [Fedora-directory-users] migration from 1.0.2 to 1.1 Message-ID: <821154.53102.qm@web26907.mail.ukl.yahoo.com> I try to migrate my DS from fedora-ds-1.0.2-1.RHEL4 on fedora core 3 i386, to have a DS fedora-ds-1.1.0-3.fc6. First, I upgrade OS to fedora core 6, and install and update package "fedora-ds*" and dependencies. I run the /usr/sbin/setup-ds-admin.pl (express mode), and I connect myself to the console and the console to the directory successfully. Next, erase all packages "fedora-ds*", and directory /etc/dirsrv/*, and reinstall all packages. I run the /usr/sbin/migrate-ds-admin.pl General.ConfigDirectoryAdminPwd=mypwd Here is the migration log: "Beginning migration of Directory and Administration servers from /opt/fedora-ds . . . Beginning migration of directory server instances in /opt/fedora-ds . . . Your new DS instance 'slapd-host02' was successfully created. Beginning migration of Administration server from /opt/fedora-ds .
. . Creating Admin Server files and directories . . . The server 'ldaps://host02.domaine.com:636/o=NetscapeRoot' is not reachable. Error: unknown error Exiting . . ." And the /var/log/dirsrv/slapd-host02/errors import userRoot: Finished scanning file "/tmp/ldifMh1yOw.ldif" (9 entries) [22/Jan/2008:11:37:38 +0100] - import userRoot: Workers finished; cleaning up... [22/Jan/2008:11:37:38 +0100] - import userRoot: Workers cleaned up. [22/Jan/2008:11:37:38 +0100] - import userRoot: Cleaning up producer thread... [22/Jan/2008:11:37:38 +0100] - import userRoot: Indexing complete. Post-processing... [22/Jan/2008:11:37:38 +0100] - import userRoot: Flushing caches... [22/Jan/2008:11:37:38 +0100] - import userRoot: Closing files... [22/Jan/2008:11:37:38 +0100] - All database threads now stopped [22/Jan/2008:11:37:38 +0100] - import userRoot: Import complete. Processed 9 entries in 1 seconds. (9.00 entries/sec) [22/Jan/2008:11:37:50 +0100] - Fedora-Directory/1.1.0 B2007.354.1236 starting up [22/Jan/2008:11:37:51 +0100] - Clean up db environment and start from archive. [22/Jan/2008:11:37:51 +0100] - libdb: Program version 4.3 doesn't match environment version [22/Jan/2008:11:37:51 +0100] - Deleting log file: (/var/lib/dirsrv/slapd-host02/db/log.0000000313) [22/Jan/2008:11:37:51 +0100] NSMMReplicationPlugin - changelog program - Upgrading from Changelog5/NSMMReplicationPlugin/4 to bdb/4.3/libreplication-plugin is successfully done (/var/lib/dirsrv/slapd-host02/changelogdb) [22/Jan/2008:11:37:51 +0100] - slapd started. Listening on All Interfaces port 389 for LDAP requests [22/Jan/2008:11:37:51 +0100] - Listening on All Interfaces port 636 for LDAPS requests No logs in /var/log/dirsrv/admin-serv/errors Any ideas to solve this? Thanks
From audunroe at tihlde.org Tue Jan 22 13:16:19 2008 From: audunroe at tihlde.org (audunroe at tihlde.org) Date: Tue, 22 Jan 2008 14:16:19 +0100 (CET) Subject: [Fedora-directory-users] ACLPB_MAX_SELECTED_ACLS and aci cache overflows Message-ID: <44814.195.18.161.2.1201007779.squirrel@tihlde.org> Hello, A bit unsure whether this should be posted to the user- or dev- list, but landed on the former. We've recently been attempting to move an existing ldap-structure from a Sun 5.2 server, to Fedora DS 1.1. The move itself was relatively painless apart from one thing: When running certain searches, we'd see loads of "aci cache overflown" messages in the logs, and performance would slow to a crawl. This is probably due to parts of the structure making very heavy use of ACIs. A C/C++ proficient coworker tracked down acl.c and the constant ACLPB_MAX_SELECTED_ACLS in acl.h. By bumping this from the original 200 to something higher, the cache overflows stopped, and searches completed normally. There don't seem to be any bad side-effects. For my own peace of mind, however, I'd be interested in hearing thoughts on bumping this value, and the reason it's 200. - Any chance this value might become configurable in future versions? - Can you think of any unfortunate side-effects down the road from bumping this value, aside from increased memory-usage? - Is '200' a more or less arbitrarily chosen round number deemed sufficient, or is there a very specific reason it isn't higher? I.e.: a size of 200 should be sufficient for any structure, and overflows might indicate excessive use of ACIs and a structure that should be reworked?
(actually not excluding that last one possibility anyway, as evaluating an ACI at every node probably is a performance-killer as far as searches go) I'm interested in hearing any thoughts on this, even wild tangents :) -- Regards, Audun From rnappert at juniper.net Tue Jan 22 15:31:51 2008 From: rnappert at juniper.net (Reinhard Nappert) Date: Tue, 22 Jan 2008 10:31:51 -0500 Subject: [Fedora-directory-users] Recommended Berkley DB version for FDS... Message-ID: <3525C9833C09ED418C6FD6CD9514668C031F4834@emailwf1.jnpr.net> Hi, I was wondering if Berkley DB version 4.2.52 (plus patches) is still the recommended version. Thanks, -Reinhard -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Tue Jan 22 16:39:31 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 22 Jan 2008 09:39:31 -0700 Subject: [Fedora-directory-users] ConfigFile for silent install In-Reply-To: <47905345.5020802@eburg.com> References: <478C21C5.2060003@eburg.com> <478CCF6A.3020709@redhat.com> <47905345.5020802@eburg.com> Message-ID: <47961C43.8090708@redhat.com> Gordon Messmer wrote: > Rich Megginson wrote: >> I think that entry is added dynamically at server startup. You may >> have to add the cn=features entry first in your LDIF file. Even then >> it may not work if the server is not expecting that entry to be >> there. So in your LDIF file: >> >> dn: cn=features, cn=config >> objectclass: top >> objectclass: nsContainer >> cn: features >> >> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config >> ... >> >> >> If that still doesn't work, then it is a bug. > > It did work, mostly, except that I end up with both the aci that I > wanted, and the default. I'm not sure yet what effect that will > have. Would this be considered a bug? I suppose, but the ConfigFile thing wasn't designed to modify existing entries, only to add entries (e.g. to add suffixes/databases, replication configuration, SSL configuration, etc.) during setup. 
> > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Tue Jan 22 16:46:13 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 22 Jan 2008 09:46:13 -0700 Subject: [Fedora-directory-users] Recommended Berkley DB version for FDS... In-Reply-To: <3525C9833C09ED418C6FD6CD9514668C031F4834@emailwf1.jnpr.net> References: <3525C9833C09ED418C6FD6CD9514668C031F4834@emailwf1.jnpr.net> Message-ID: <47961DD5.7040700@redhat.com> Reinhard Nappert wrote: > > Hi, > > I was wondering if Berkley DB version 4.2.52 (plus patches) is still > the recommended version. > Yes. If you are rebuilding it from source. The prebuilt Fedora DS 1.1 binaries just use whatever the default DB is for the operating system. > > Thanks, > -Reinhard > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Tue Jan 22 16:51:00 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 22 Jan 2008 09:51:00 -0700 Subject: [Fedora-directory-users] migration from 1.0.2 to 1.1 In-Reply-To: <821154.53102.qm@web26907.mail.ukl.yahoo.com> References: <821154.53102.qm@web26907.mail.ukl.yahoo.com> Message-ID: <47961EF4.8070907@redhat.com> gregory LAROCHE wrote: > I try to migrate my DS from fedora-ds-1.0.2-1.RHEL4 on > fedora core 3 i386, to have a DS > fedora-ds-1.1.0-3.fc6. 
> First, I upgrade OS to fedora core 6, and install and > update package "fedora-ds*" and dependencies. I run > the /usr/sbin/setup-ds-admin.pl (express mode), and I > connect myself to the console and the console to the > directory successfully. > > Next, erase all packages "fedora-ds*", and directory > /etc/dirsrv/*, That's not enough. You also need to erase /usr/lib/dirsrv (or /usr/lib64/dirsrv) and something like this: rm -rf `find /var -name dirsrv` > and reinstall all packages. I run the > /usr/sbin/migrate-ds-admin.pl > General.ConfigDirectoryAdminPwd=mypwd > > Here is the migration log : > "Beginning migration of Directory and Administration > servers from /opt/fedora-ds . . . > Beginning migration of directory server instances in > /opt/fedora-ds . . . > Your new DS instance 'slapd-host02' was successfully > created. > Beginning migration of Administration server from > /opt/fedora-ds . . . > Creating Admin Server files and directories . . . > The server > 'ldaps://host02.domaine.com:636/o=NetscapeRoot' is not > reachable. Error: unknown error > Exiting . . ." > > And the /var/log/dirsrv/slapd-host02/errors > > import userRoot: Finished scanning file > "/tmp/ldifMh1yOw.ldif" (9 entries) > [22/Jan/2008:11:37:38 +0100] - import userRoot: > Workers finished; cleaning up... > [22/Jan/2008:11:37:38 +0100] - import userRoot: > Workers cleaned up. > [22/Jan/2008:11:37:38 +0100] - import userRoot: > Cleaning up producer thread... > [22/Jan/2008:11:37:38 +0100] - import userRoot: > Indexing complete. Post-processing... > [22/Jan/2008:11:37:38 +0100] - import userRoot: > Flushing caches... > [22/Jan/2008:11:37:38 +0100] - import userRoot: > Closing files... > [22/Jan/2008:11:37:38 +0100] - All database threads > now stopped > [22/Jan/2008:11:37:38 +0100] - import userRoot: Import > complete. Processed 9 entries in 1 seconds.
(9.00 > entries/sec) > [22/Jan/2008:11:37:50 +0100] - Fedora-Directory/1.1.0 > B2007.354.1236 starting up > [22/Jan/2008:11:37:51 +0100] - Clean up db environment > and start from archive. > [22/Jan/2008:11:37:51 +0100] - libdb: Program version > 4.3 doesn't match environment version > [22/Jan/2008:11:37:51 +0100] - Deleting log file: > (/var/lib/dirsrv/slapd-host02/db/log.0000000313) > [22/Jan/2008:11:37:51 +0100] NSMMReplicationPlugin - > changelog program - Upgrading from > Changelog5/NSMMReplicationPlugin/4 to > bdb/4.3/libreplication-plugin > is successfully done > (/var/lib/dirsrv/slapd-host02/changelogdb) > [22/Jan/2008:11:37:51 +0100] - slapd started. > Listening on All Interfaces port 389 for LDAP requests > [22/Jan/2008:11:37:51 +0100] - Listening on All > Interfaces port 636 for LDAPS requests > > No logs in /var/log/dirsrv/admin-serv/errors > > Any ideas to solve this ? > I've seen this with migration to Fedora DS 1.1 on Fedora 8 because F-8 uses bdb 4.6 by default and that does not support the binary databases used by Fedora DS 1.0.x. I suggest doing LDIF file migration e.g. exporting your old databases to LDIF format instead of binary database migration. See http://directory.fedoraproject.org/wiki/DS_Admin_Migration#Remote_Source_to_Local_Target But NOTE that you will not be doing a cross platform migration (i386 to i386 is same platform in this case). > Thanks
From rmeggins at redhat.com Tue Jan 22 16:51:38 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 22 Jan 2008 09:51:38 -0700 Subject: [Fedora-directory-users] lastchangenumber and cn=changelog value do not match In-Reply-To: <700685de0801220232w1c75c0f0t8cc25bdeec9daf9d@mail.gmail.com> References: <700685de0801220232w1c75c0f0t8cc25bdeec9daf9d@mail.gmail.com> Message-ID: <47961F1A.4060400@redhat.com> Benny Chee wrote: > Hi, > > I believe I've a corrupted changelog DB as my lastchangenumber and > the cn=changelog value do not match. How do I restart the numbering and > re-initialize the changelog DB? I think just unconfigure the retro changelog, shut down the server, remove the changelogdb file, and restart the server. > > benny > -------------- next part -------------- A non-text attachment was scrubbed...
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Tue Jan 22 16:53:48 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 22 Jan 2008 09:53:48 -0700 Subject: [Fedora-directory-users] Trying to build idm-console-framework from SRPMS fails on Fedora 7 In-Reply-To: <4794E1B4.1090709@cohtech.com> References: <4794D5C2.9070400@cohtech.com> <4794D9AF.2000503@redhat.com> <4794DD50.7050008@cohtech.com> <4794DEE9.3090507@redhat.com> <4794E1B4.1090709@cohtech.com> Message-ID: <47961F9C.7030903@redhat.com> Howard Wilkinson wrote: > Rob Crittenden wrote: >> Howard Wilkinson wrote: >>> Rob Crittenden wrote: >>>> Howard Wilkinson wrote: >>>>> I have been trying to build the idm-console-framework for fedora >>>>> 7+ and get the following warnings and failures - Any suggestions >>>>> about how I get past these? >>>>> -- >>>> >>>> What JDK are you building with? It almost certainly won't build >>>> with gcj. >>>> >>>> rob >>>> >>>> ------------------------------------------------------------------------ >>>> >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>> I am using the default Fedora 7 install ... if I need to fix this I >>> need an SRPMS to install the packages and then to fix the >>> idm-console-framekwork SRPMS to use them ... so any suggestions? >> >> You've found the reason that the console isn't provided on F-7. There >> isn't a free JDK that can build it currently available for F-7. You'd >> have to start by backporting IcedTea from F-8 to F-7. >> >> Or you can install a proprietary JDK and build it that way. I don't >> think console will run with gcj either still so you'd need the >> JRE/JDK installed to run console as well. On F-7 you will have to use a proprietary JRE (sun or ibm). Do you need to build for some reason? 
The console packages for F-7 are provided in the fedora ds yum repo - http://directory.fedoraproject.org/wiki/Release_Notes#Console_only_Installation >> >> rob >> >> ------------------------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > Is the back port just a single package or do I need to recreate Fedora 8? > > -- > > Howard Wilkinson > > > > Phone: > > > > +44(20)76907075 > > Coherent Technology Limited > > > > Fax: > > > > > > 23 Northampton Square, > > > > Mobile: > > > > +44(7980)639379 > > United Kingdom, EC1V 0HL > > > > Email: > > > > howard at cohtech.com > > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Tue Jan 22 17:03:30 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 22 Jan 2008 10:03:30 -0700 Subject: [Fedora-directory-users] Adding additional maxage attribute for changelog In-Reply-To: <700685de0801202146l4b531c00t31c27fa4efb1b8d1@mail.gmail.com> References: <700685de0801202146l4b531c00t31c27fa4efb1b8d1@mail.gmail.com> Message-ID: <479621E2.80204@redhat.com> Benny Chee wrote: > Hi, > > I enabled the retro changelog plugin and would also like to use the > maxage attribute to control the growth of the changelog table. > > I read an online document on getting it trimmed, but not sure how do > i execute it on the console, esp adding the attribute portion. I could > not find the attribute name with the list given. 
> > https://www.d2om.com/docs/manuals/dir-server/ag/8.0/Using_the_Retro_Changelog_Plug_in-Trimming_the_Retro_Changelog.html > > > nsslapd-changelogmaxage: 2d > > Any help? http://www.redhat.com/docs/manuals/dir-server/cli/8.0/Configuration_Command_File_Reference-Plug_in_Implemented_Server_Functionality_Reference-Retro_Changelog_Plug_in_Attributes.html There is no specific UI. You can just use the directory browser to navigate to cn=retro changelog, cn=plugins,cn=config > > benny From rmeggins at redhat.com Tue Jan 22 17:05:42 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 22 Jan 2008 10:05:42 -0700 Subject: [Fedora-directory-users] Difficulties with fedora-idm-console In-Reply-To: <8201283.105261200710508995.JavaMail.root@hrndva-web22-z01> References: <8201283.105261200710508995.JavaMail.root@hrndva-web22-z01> Message-ID: <47962266.4070207@redhat.com> leonhardt at hawaii.rr.com wrote: > Hi everyone...I'm new to LDAP and FDS, so please bear with me. > > I just install FDS 1.1 on a clean F8 box. I got through the setup scripts but when I launch fedora-idm-console, and enter my login info I keep getting an Error 400 response. My login looks like this: > > User ID: cn=Directory Manager > Password: ******** > Administration URL: http://localhost:9830 > > I've tried all kinds of variations, username w/o the "cn=", logging in as "admin", and every variation of IP/partially/fully-qualified domain name I could think of for the box.
I've also tried running with '-a' (it didn't recognize the -d option, recommended to me by someone in the #fedora-ds room). This is my error, no matter what I do: > > Can't logon because of an incorrect User ID, > Incorrect password or Directory problem. > HttpException: > Response: HTTP/1.1 400 Bad Request > Status: 400 > URL: http:/admin-serv/authenticate > > This last line bothers me...it looks as if the console is not even trying to pass the login info to a valid URL! If I just point my browser at http://localhost:9830/ I get the HTML back-end and can authenticate there to get into the "Adminsitration Express" tool, so I'm fairly convinced I'm using the correct login info... > > I's confused... > Are you sure you are using the icedtea java and not the default gcj? Try this java -version and yum install java-1.7.0-icedtea > Matt > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Tue Jan 22 17:07:22 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 22 Jan 2008 10:07:22 -0700 Subject: [Fedora-directory-users] Re: Changing ip and ports on FDS is listening In-Reply-To: <47930BBE.10704@gmail.com> References: <47930B95.3040803@gmail.com> <47930BBE.10704@gmail.com> Message-ID: <479622CA.8020101@redhat.com> carlopmart wrote: > carlopmart wrote: >> Hi all, >> >> Where I can find docs about changing ip and ports wheres fds process >> are listening?? I need to configure port ldap to listen only on >> 127.0.0.1, and ldaps to listen on host ip. 
http://www.redhat.com/docs/manuals/dir-server/cli/8.0/Configuration_Command_File_Reference-cnconfig-nsslapd_port_Port_Number.html http://www.redhat.com/docs/manuals/dir-server/cli/8.0/Configuration_Command_File_Reference-cnconfig-nsslapd_securePort_Encrypted_Port_Number.html http://www.redhat.com/docs/manuals/dir-server/cli/8.0/Configuration_Command_File_Reference-cnconfig-nsslapd_listenhost_Listen_to_IP_Address.html http://www.redhat.com/docs/manuals/dir-server/cli/8.0/Configuration_Command_File_Reference-cnconfig-nsslapd_securelistenhost.html >> >> Thanks. >> > > oops, sorry. I am using FDS 1.1 > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Tue Jan 22 18:24:19 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 22 Jan 2008 11:24:19 -0700 Subject: [Fedora-directory-users] autofs schema In-Reply-To: References: Message-ID: <479634D3.2060408@redhat.com> Doug Chapman wrote: > > So I just installed fds 1.1.0 on a fedora 8 box and have been trying > to add the automount schema (mentioned > here:http://directory.fedoraproject.org/wiki/Howto:Automount > ) but it's > not loading after a server restart, or erroring out. > > > Are there any new steps not in the above wiki ? > I put the schema into a file called > /etc/dirsrv/slapd-[hostname]/schema/75autofs.ldif What errors are you getting? Check /var/log/dirsrv/slapd-hostname/errors The rfc2307bis schema is now shipped with Fedora DS. Look in /usr/share/dirsrv/data/10rfc2307bis.ldif - this schema cannot co-exist with the older style 10rfc2307.ldif schema file. 
> > > tia > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Tue Jan 22 18:28:00 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 22 Jan 2008 11:28:00 -0700 Subject: [Fedora-directory-users] Can't create users, time for complete wipe and re-install? In-Reply-To: <009201c85c85$2cd213b0$1100a8c0@hymesruzicka.org> References: <009201c85c85$2cd213b0$1100a8c0@hymesruzicka.org> Message-ID: <479635B0.5020000@redhat.com> Listbox wrote: > Hi folks, > I'm really stumped by this "Insufficient 'add' privilege" problem. > I can create all the "Administrators" I want for the netscaperoot directory, > but none of those users can: > > A) Create new users for my hymesruzicka directory > B) Create a new "Directory Administrator" for my hymesruzicka directory > C) Grant "'add' privilege" to my existing "Configuration Administrator" > my hymesruzicka directory > D) Add a user from the netscaperoot users to my hymesruzicka directory > "Directory Administrator" group > E) Modify or add the existing ACLs for my hymesruzicka directory > > Is there a way to create a new "Directory Administrator" and other users? Yes, by adding the appropriate ACIs. How was the data for your default suffix added? The way it works is that setup adds some ACIs to the default suffix you specify during setup to allow the console admin user to have access. If you import your data from another source these ACIs will not be created. You can just do a test install to see exactly what acis are created e.g. 
ldapsearch -x -D "cn=directory manager" -w yourpassword -b o=netscaperoot "aci=*" aci
and
ldapsearch -x -D "cn=directory manager" -w yourpassword -b "dc=yourdomain,dc=com" "aci=*" aci
> If
> not, and we have to wipe and re-install from scratch, what must we do to
> ensure that we can create users and administrators for our directory?
>
>
> Thanks!
>

From rmeggins at redhat.com Tue Jan 22 18:30:11 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 22 Jan 2008 11:30:11 -0700
Subject: [Fedora-directory-users] Unidirectional Windows Sync possible
In-Reply-To: <970904.5913.qm@web50903.mail.re2.yahoo.com>
References: <970904.5913.qm@web50903.mail.re2.yahoo.com>
Message-ID: <47963633.5000706@redhat.com>

Jason Beavers wrote:
> Hi All,
>
> Probably been asked before but i didn't quite find the answer i was
> looking for by searching.
> Is it possible to configure a Unidirectional Windows Sync agreement?
>
> Scenario:
>
> Large Enterprise with fully deployed Windows AD
>
> We would like to develop an application that runs off of Fedora DS,
> and allows the users to login using their normal AD credentials.
> We'll be storing a lot of application specific data about each user,
> (preferences, settings, etc) in FedoraDS and are prohibited from
> writing anything back to AD.
> Which pretty much rules out modifying the AD schema, or writing
> changes back to AD (corporate mandate, don't ask).
>
> So basically what i'm asking is whether it's possible to configure
> Windows Sync such that Users (and passwords) can be sync'd over from
> AD to FDS but not the other way around.
> This way all user management (creation, password changes, etc) always
> happens in AD and we only sync over the authentication credentials,
> leaving the other stuff to FDS.
>
> Make sense? Thoughts?
It's not directly supported, but I suppose you could have your AD administrator create a special admin user that had read/search rights over the AD tree but not update/write rights. Then Fedora DS could read the info from AD but not write any back. I don't know if this would make Fedora DS blow up because it would get lots of errors attempting to write updates to AD.
>
> Thanks in advance
>

From prjctgeek at gmail.com Tue Jan 22 19:11:55 2008
From: prjctgeek at gmail.com (Doug Chapman)
Date: Tue, 22 Jan 2008 11:11:55 -0800
Subject: [Fedora-directory-users] autofs schema
In-Reply-To: <479634D3.2060408@redhat.com>
References: <479634D3.2060408@redhat.com>
Message-ID:

Turns out it was syntax errors- apparently CR/LF's aren't allowed in attributeTypes. Thanks for pointing out that the rfc2307bis schema is included, that helps.

On Jan 22, 2008 10:24 AM, Rich Megginson wrote:
> Doug Chapman wrote:
> >
> > So I just installed fds 1.1.0 on a fedora 8 box and have been trying
> > to add the automount schema (mentioned
> > here:http://directory.fedoraproject.org/wiki/Howto:Automount
> > ) but it's
> > not loading after a server restart, or erroring out.
> >
> >
> > Are there any new steps not in the above wiki ?
> > I put the schema into a file called
> > /etc/dirsrv/slapd-[hostname]/schema/75autofs.ldif
> What errors are you getting? Check /var/log/dirsrv/slapd-hostname/errors
>
> The rfc2307bis schema is now shipped with Fedora DS. Look in
> /usr/share/dirsrv/data/10rfc2307bis.ldif - this schema cannot co-exist
> with the older style 10rfc2307.ldif schema file.
> >
> >
> > tia

From jsolan at knouse.com Tue Jan 22 22:28:31 2008
From: jsolan at knouse.com (Jason Solan)
Date: Tue, 22 Jan 2008 17:28:31 -0500
Subject: [Fedora-directory-users] NT new user sync without management console
Message-ID: <1201040911.3116.14.camel@jsolan.knouse.com>

Hello,

I'm using FDS 1.0.4-1 on fedora 7. This is syncing to an Active Directory server on Windows Server 2003. Everything is working pretty well as far as passwords/attributes syncing back and forth.

If I create a new user in AD, everything comes across as expected. If I create a user in FDS using the Fedora Management Console, add the ntuserdomainid and set ntusercreatenewaccount to true, then the new user is also created in AD and everything is peachy.

Unfortunately now I'm trying to add users through a perl/php script. If I set the exact same attributes that I'm setting through the Management Console, I get this error in the logs:

windows_replay_update: Cannot replay add operation.

The only nt attributes I'm setting are ntuserdomainid and ntusercreatenewaccount (along with the ntuser objectclass).
The user is created fine in FDS and has the NT attributes checked if I look at it through the management console. The user is _not_ created in AD however.

Is there something I'm missing? Is there another attribute I need to send? Is there a 'hidden' script that the management console calls to create an AD user?

Any help would be appreciated.

From bryan at datafoundry.com Wed Jan 23 16:58:16 2008
From: bryan at datafoundry.com (Bryan Wann)
Date: Wed, 23 Jan 2008 10:58:16 -0600
Subject: [Fedora-directory-users] Behaviour with not quite blank userPassword
Message-ID: <47977228.7090506@datafoundry.com>

I am puzzled as to how FDS handles binds when userPassword: is set to "{crypt}" without an actual crypted password following.

If I set up a user, say 'cn=bryan,ou=People,o=foo', set "userPassword: {crypt}", then try to bind as that DN, this is what happens:

* Bind with this DN and no password given whatsoever, fails as LDAP_INAPPROPRIATE_AUTH(48). This sort of makes sense.
* Bind with this DN and password "asdf", it succeeds.

conn=539741 fd=64 slot=64 connection from 1.1.1.1 to 1.1.1.1
conn=539741 op=0 BIND dn="cn=bryan,ou=People,o=foo" method=128 version=3
conn=539741 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=bryan,ou=people,o=foo"
conn=539741 op=1 UNBIND
conn=539741 op=1 fd=64 closed - U1

Why would it succeed when the given bind password doesn't technically match the blank "crypted" password field? Is there any way to prevent this?
At the very least, could somebody tell me what sort of bind is happening here? It doesn't look like an anonymous bind as those come in with no DN set. This sounds like an "unauthenticated" bind, but I'm not sure.

Thanks!

--bryan

From listbox at hymerfania.com Wed Jan 23 17:55:19 2008
From: listbox at hymerfania.com (Listbox)
Date: Wed, 23 Jan 2008 09:55:19 -0800
Subject: [Fedora-directory-users] Can't create users, time for complete wipe and re-install?
In-Reply-To: <479635B0.5020000@redhat.com>
References: <009201c85c85$2cd213b0$1100a8c0@hymesruzicka.org> <479635B0.5020000@redhat.com>
Message-ID: <006c01c85de9$1f963540$1100a8c0@hymesruzicka.org>

Thanks so much!
Now I'm looking in http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#1199651 to see what I might do to fix things.

Here is the output from the commands you suggested. At least I can tell one is bigger than the other :)

ldapsearch -x -D "cn=directory manager" -w mypassword -b o=netscaperoot "aci=*" aci
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: aci=*
# requesting: aci
#

# NetscapeRoot
dn: o=NetscapeRoot
aci: (targetattr="*")(version 3.0; acl "Enable Configuration Administrator Gro
 up modification"; allow (all) groupdn="ldap:///cn=Configuration Administrator
 s, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(targetfilter=(o=NetscapeRoot))(version 3.0; acl "Default
  anonymous access"; allow (read, search) userdn="ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Enable Group Expansion"; allow (read,
  search, compare) groupdnattr="uniquemember";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group (trixter)"; allow (all) gr
 oupdn = "ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Grou
 p, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)

# TopologyManagement, NetscapeRoot
dn: ou=TopologyManagement, o=NetscapeRoot
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access";
  allow (read, search,
  compare)userdn="ldap:///anyone";)

# Global Preferences, hymesruzicka.org, NetscapeRoot
dn: ou=Global Preferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable anonymous access"; allow(read,sea
 rch) userdn="ldap:///anyone";)

# UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr = "*")(version 3.0; acl "Allow saving of User Preferences"; a
 llow (add) userdn = "ldap:///all";)

# uid\3Dadmin\2C ou\3DAdministrators\2C ou\3DTopologyManagement\2C o\3DNetsca
 peRoot, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot",o
 u=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr="
 creatorsname";)

# cn\3Dadmin-serv-trixter\2C cn\3DFedora Administration Server\2C cn\3DServer
  Group\2C cn\3Dtrixter.hymesruzicka.org\2C ou\3Dhymesruzicka.org\2C o\3DNets
 capeRoot, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Grou
 p, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot",ou=UserP
 references, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr="
 creatorsname";)

# Server Group, trixter.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=Netsc
 apeRoot
aci: (targetattr=*)(targetfilter=(nsconfigRoot=*))(version 3.0; acl "Enable de
 legated access"; allow (read, search, compare) groupdn="ldap:///cn=Server Gro
 up, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read, s
 earch, compare) userdn="ldap:///cn=admin-serv-trixter, cn=Fedora Administrati
 on Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org,
  o=NetscapeRoot";)

# PublicViews, 1.1, Admin, Global Preferences, hymesruzicka.org, NetscapeRoot
dn: cn=PublicViews, ou=1.1, ou=Admin, ou=Global Preferences, ou=hymesruzicka.o
 rg, o=NetscapeRoot
aci: (targetattr = "*")(version 3.0; acl "Allow Authenticated Users to Save Pu
 blic Views"; allow (all) userdn = "ldap:///all";)

# slapd-trixter, Fedora Directory Server, Server Group, trixter.hymesruzicka.
 org, hymesruzicka.org, NetscapeRoot
dn: cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.
 hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read, s
 earch, compare) groupdn="ldap:///cn=slapd-trixter, cn=Fedora Directory Server
 , cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=Netsca
 peRoot";)
aci: (targetattr="uniquemember || serverProductName || userpassword || descrip
 tion")(targetfilter=(objectclass=netscapeServer))(version 3.0; acl "Enable ac
 cess delegation"; allow (write) groupdn="ldap:///cn=slapd-trixter, cn=Fedora
  Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzic
 ka.org, o=NetscapeRoot";)

# configuration, slapd-trixter, Fedora Directory Server, Server Group, trixte
 r.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=configuration,cn=slapd-trixter, cn=Fedora Directory Server, cn=Server G
 roup, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable Server configuration"; allow (all
 ) groupdn="ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Gr
 oup, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)

# cn\3Dslapd-trixter\2C cn\3DFedora Directory Server\2C cn\3DServer Group\2C
  cn\3Dtrixter.hymesruzicka.org\2C ou\3Dhymesruzicka.org\2C o\3DNetscapeRoot,
  UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trix
 ter.hymesruzicka.org, ou=hymesruzicka.org,
  o=NetscapeRoot",ou=UserPreferences
 , ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr="
 creatorsname";)

# cn\3DDirectory Manager, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="cn=Directory Manager",ou=UserPreferences, ou=hymesruzicka.org, o=Netsc
 apeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr="
 creatorsname";)

# Fedora Administration Server, Server Group, trixter.hymesruzicka.org, hymes
 ruzicka.org, NetscapeRoot
dn: cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.
 org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(targetfilter=(nsNickName=*))(version 3.0; acl "Enable dele
 gated access"; allow (read, search, compare) groupdn="ldap:///cn=Fedora Admin
 istration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzic
 ka.org, o=NetscapeRoot";)

# admin-serv-trixter, Fedora Administration Server, Server Group, trixter.hym
 esruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group, c
 n=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read, s
 earch, compare) groupdn="ldap:///cn=admin-serv-trixter, cn=Fedora Administrat
 ion Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org
 , o=NetscapeRoot";)
aci: (targetattr="uniquemember || serverProductName || userpassword || descrip
 tion")(targetfilter=(objectclass=netscapeServer))(version 3.0; acl "Enable ac
 cess delegation"; allow (write) groupdn="ldap:///cn=admin-serv-trixter, cn=Fe
 dora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=
 hymesruzicka.org, o=NetscapeRoot";)

# configuration, admin-serv-trixter, Fedora Administration Server, Server Gro
 up, trixter.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=configuration, cn=admin-serv-trixter, cn=Fedora Administration Server,
  cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=Netscape
 Root
aci: (targetattr=*)(version 3.0; acl "Enable delegated admin to access configu
 ration"; allow (read, search) groupdn="ldap:///cn=Server Group, cn=trixter.hy
 mesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
aci: (targetattr=*)(version 3.0; acl "Enable Server configuration"; allow (all
 ) groupdn="ldap:///cn=admin-serv-trixter, cn=Fedora Administration Server, cn
 =Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRo
 ot";)

# uid\3Ddiradmin\2Cou\3DAdministrators\2C ou\3DTopologyManagement\2C o\3Dnets
 capeRoot, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="uid=diradmin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot"
 ,ou=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr="
 creatorsname";)

# search result
search: 2
result: 0 Success

# numResponses: 17
# numEntries: 16

ldapsearch -x -D "cn=directory manager" -w anotherpassword -b "dc=hymesruzicka,dc=org" "aci=*" aci
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: aci=*
# requesting: aci
#

# hymesruzicka.org
dn: dc=hymesruzicka, dc=org
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access";
  allow (read, search, compare) userdn="ldap:///anyone";)
aci: (targetattr="carLicense || description || displayName || facsimileTelepho
 neNumber || homePhone || homePostalAddress || initials || jpegPhoto || labele
 dURL || mail || mobile || pager || photo || postOfficeBox || postalAddress ||
  postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddr
 ess || roomNumber || secretary || seeAlso || st || street || telephoneNumber
  || telexNumber || title || userCertificate || userPassword || userSMIMECertif
 icate || x500UniqueIdentifier")(version 3.0; acl "Enable self write for commo
 n attributes"; allow (write) userdn="ldap:///self";)
aci: (targetattr ="*")(version 3.0;acl "Directory
  Administrators Group";allow
  (all) (groupdn = "ldap:///cn=Directory Administrators, dc=hymesruzicka, dc=or
 g");)

# People, hymesruzicka.org
dn: ou=People, dc=hymesruzicka, dc=org
aci: (targetattr ="userpassword || telephonenumber || facsimiletelephonenumber
 ")(version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ld
 ap:///self");)
aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Accounting)")(version
  3.0;acl "Accounting Managers Group Permissions";allow (write)(groupdn = "lda
 p:///cn=Accounting Managers,ou=groups,dc=hymesruzicka, dc=org");)
aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Human Resources)")(ve
 rsion 3.0;acl "HR Group Permissions";allow (write)(groupdn = "ldap:///cn=HR M
 anagers,ou=groups,dc=hymesruzicka, dc=org");)
aci: (targetattr !="cn ||sn || uid")(targetfilter ="(ou=Product Testing)")(ver
 sion 3.0;acl "QA Group Permissions";allow (write)(groupdn = "ldap:///cn=QA Ma
 nagers,ou=groups,dc=hymesruzicka, dc=org");)
aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Product Development)"
 )(version 3.0;acl "Engineering Group Permissions";allow (write)(groupdn = "ld
 ap:///cn=PD Managers,ou=groups,dc=hymesruzicka, dc=org");)

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

From rmeggins at redhat.com Wed Jan 23 18:28:13 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 23 Jan 2008 11:28:13 -0700
Subject: [Fedora-directory-users] Can't create users, time for complete wipe and re-install?
In-Reply-To: <006c01c85de9$1f963540$1100a8c0@hymesruzicka.org>
References: <009201c85c85$2cd213b0$1100a8c0@hymesruzicka.org> <479635B0.5020000@redhat.com> <006c01c85de9$1f963540$1100a8c0@hymesruzicka.org>
Message-ID: <4797873D.3050604@redhat.com>

Listbox wrote:
> Thanks so much!
> Now I'm looking in
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#1199651 to see
> what I might do to fix things.
>
If you are using Fedora DS 1.1 I suggest you use this instead - http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control.html
> Here is the output from the commands you suggested. At least I can tell one
> is bigger than the other :)
>
The console admin user created during setup is uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot. You should look at the acis which have this user as the subject (e.g. anything with userdn="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" in it). What's odd is that I don't see any acis in dc=hymesruzicka, dc=org to grant this user access. setup-ds-admin.pl should have created them.

There is also a group created for console admins and this group is granted access just like for the above user. However, this will not work for remote instances (instances which do not have the real o=NetscapeRoot on them - the console uses pass through authentication on instances without o=NetscapeRoot, and group evaluation does not work remotely). This is the groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot". So this group aci only works on the server which hosts o=NetscapeRoot. I don't see any acis for this group in dc=hymesruzicka, dc=org either, which is odd.

There is another local administrative group created by setup on each instance for the local suffix - groupdn = "ldap:///cn=Directory Administrators, dc=hymesruzicka, dc=org" - setup-ds-admin.pl will create an ACI for this group. The actual group entry is not created by default, so if you want to use this you will need to create the group entry cn=Directory Administrators, dc=hymesruzicka, dc=org and add users to it.

Also check the acis on the configuration entries cn=config and cn=schema and cn=monitor
ldapsearch -x -D "cn=directory manager" -w yourpassword -s sub -b cn=config "aci=*" aci
ldapsearch -x -D "cn=directory manager" -w yourpassword -s sub -b cn=schema "aci=*" aci
ldapsearch -x -D "cn=directory manager" -w yourpassword -s sub -b cn=monitor "aci=*" aci

setup-ds-admin.pl is supposed to create acis for uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot and the group cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot

From listbox at hymerfania.com Wed Jan 23 20:17:47 2008
From: listbox at hymerfania.com (Listbox)
Date: Wed, 23 Jan 2008 12:17:47 -0800
Subject: NetscapeRootRe: [Fedora-directory-users] Can't create users, time for complete wipe and re-install?
In-Reply-To: <4797873D.3050604@redhat.com>
References: <009201c85c85$2cd213b0$1100a8c0@hymesruzicka.org> <479635B0.5020000@redhat.com> <006c01c85de9$1f963540$1100a8c0@hymesruzicka.org> <4797873D.3050604@redhat.com>
Message-ID: <008701c85dfd$0695f8a0$1100a8c0@hymesruzicka.org>

Thanks Rich!

I just looked in /usr/share/dirsrv/data, and the file "template.ldif" looks like what I get for the ldapquery of acis in dc=hymesruzicka, dc=org. It does not have any entries for uid=admin ( or uid=%as_uid% ).

I did find the file "16dssuffixadmin.mod.tmpl", and looks like it may be useful as a model to make more of the correct acis. Is this a good idea? How much more should I modify it?

/usr/share/dirsrv/data/16dssuffixadmin.mod.tmpl

# BEGIN COPYRIGHT BLOCK
...
# END COPYRIGHT BLOCK
dn: %ds_suffix%
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=%as_uid%,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, cn=Server Group, cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)

Thanks again!
************************************************
************************************************
************************************************
for bind in config schema monitor ; do ldapsearch -x -D "cn=directory manager" -w mypassword -s sub -b cn=$bind "aci=*" aci ; done
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: aci=*
# requesting: aci
#

# config
dn: cn=config
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
 llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=To
 pologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
 ll) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=Ne
 tscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
 dap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trix
 ter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl
  "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read
 , search, compare, proxy ) userdn = "ldap:///all";)

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: aci=*
# requesting: aci
#

# schema
dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
 us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
 llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=To
 pologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
 ll) userdn="ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, o=Net
 scapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
 dap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trix
 ter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: aci=*
# requesting: aci
#

# monitor
dn: cn=monitor
aci: (target ="ldap:///cn=monitor*")(targetattr != "aci || connection")(versio
 n 3.0; acl "monitor"; allow( read, search, compare ) userdn = "ldap:///anyone
 ";)

# search result
search: 2
result: 0 Success

From rmeggins at redhat.com Wed Jan 23 20:32:41 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 23 Jan 2008 13:32:41 -0700
Subject: NetscapeRootRe: [Fedora-directory-users] Can't create users, time for complete wipe and re-install?
In-Reply-To: <008701c85dfd$0695f8a0$1100a8c0@hymesruzicka.org>
References: <009201c85c85$2cd213b0$1100a8c0@hymesruzicka.org> <479635B0.5020000@redhat.com> <006c01c85de9$1f963540$1100a8c0@hymesruzicka.org> <4797873D.3050604@redhat.com> <008701c85dfd$0695f8a0$1100a8c0@hymesruzicka.org>
Message-ID: <4797A469.1000300@redhat.com>

Listbox wrote:
> Thanks Rich!
>
> I just looked in /usr/share/dirsrv/data, and the file "template.ldif" looks
> like what I get for the ldapquery of acis in dc=hymesruzicka, dc=org. It
> does not have any entries for uid=admin ( or uid=%as_uid% ).
>
Right. That's the file that is used for just the fedora-ds-base package - the admin server and console stuff are "add-ons".
> I did find the file "16dssuffixadmin.mod.tmpl", and looks like it may be
> useful as a model to make more of the correct acis. Is this a good idea?
Yes.
> How
> much more should I modify it?
>
You have to replace the %token% items:
ds_suffix - your suffix e.g. dc=hymesruzicka, dc=org or cn=config or cn=schema or etc.
as_uid - admin or change the entire DN uid=%as_uid%,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot to some other DN that you want to use for an administrator.
You can just omit the SIE Group ACI

Then just feed that file to ldapmodify e.g.
ldapmodify -x -D "cn=directory manager" -w yourpassword -f thefile.ldif

Note - make a copy of 16dssuffixadmin.mod.tmpl and edit it - do not edit it in place.
> /usr/share/dirsrv/data/16dssuffixadmin.mod.tmpl
>
> # BEGIN COPYRIGHT BLOCK
> ...
> # END COPYRIGHT BLOCK
> dn: %ds_suffix%
> changetype: modify
> add: aci
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group";
> allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups,
> ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow
> (all) userdn="ldap:///uid=%as_uid%,ou=Administrators, ou=TopologyManagement,
> o=NetscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn =
> "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, cn=Server Group,
> cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)
>
>
> Thanks again!

From jared.griffith at farheap.com Thu Jan 24 00:39:08 2008
From: jared.griffith at farheap.com (Jared B. Griffith)
Date: Wed, 23 Jan 2008 16:39:08 -0800 (PST)
Subject: [Fedora-directory-users] Saslauthd Authentication Issues
Message-ID: <19447638.35481201135148062.JavaMail.root@zimbra1.farheap.com>

I am trying to see if I can't get an existing Cyrus Imap server to authenticate against our directory server.
The people at cyrus recommend the following configuration in saslauthd.conf

ldap_servers: ldap://your.ldap-host.tld
ldap_version: 3
ldap_timeout: 10
ldap_time_limit: 10
ldap_search_base: o=what-ever-you-may-have,dc=your-domain,dc=tld
ldap_bind_dn: cn=your-ldap-admin-name,dc=your-domain,dc=tld
ldap_password: your-ldap-admin-password
ldap_scope: sub
ldap_uidattr: the-attribute-name-in-which-you-store-usernames, es: uid
ldap_filter_mode: yes
ldap_filter: (uid=%u%R)

This doesn't work, I have tried different variations of this and have had no luck. I am wondering if anyone has had experience with this and what sort of tricks (if any) they did to get this to work properly. Are there any docs out there that I am missing?
Any help would be appreciated.

From tfar at smc.co.nz Thu Jan 24 01:57:58 2008
From: tfar at smc.co.nz (Anthony M. Farrell)
Date: Thu, 24 Jan 2008 14:57:58 +1300
Subject: [Fedora-directory-users] Saslauthd Authentication Issues
In-Reply-To: <19447638.35481201135148062.JavaMail.root@zimbra1.farheap.com>
References: <19447638.35481201135148062.JavaMail.root@zimbra1.farheap.com>
Message-ID: <200801241457.58538.tfar@smc.co.nz>

On Thu, 24 Jan 2008 13:39:08 Jared B. Griffith wrote:
> I am trying to see if I can't get an existing Cyrus Imap server to
> authenticate against our directory server. The people at cyrus recommend
> the following configuration in saslauthd.conf ldap_servers:
> ldap://your.ldap-host.tld
> ldap_version: 3
> ldap_timeout: 10
> ldap_time_limit: 10
> ldap_search_base: o=what-ever-you-may-have,dc=your-domain,dc=tld
> ldap_bind_dn: cn=your-ldap-admin-name,dc=your-domain,dc=tld
> ldap_password: your-ldap-admin-password
> ldap_scope: sub
> ldap_uidattr: the-attribute-name-in-which-you-store-usernames, es: uid
> ldap_filter_mode: yes
> ldap_filter: (uid=%u%R)
> This doesn't work, I have tried different variations of this and have had
> no luck. I am wondering if anyone has had experience with this and what
> sort of tricks (if any) they did to get this to work properly. Are there
> any docs out there that I am missing?
> Any help would be appreciated.

The easiest way if you are using Cyrus IMAP on Fedora or Redhat is to use PAM to authenticate. The following assumes you have first enabled directory authentication on the mail server using 'authconfig' to set up LDAP in '/etc/pam.d/system-auth' as required.

1. Edit '/etc/sysconfig/saslauthd' and ensure that 'MECH="pam"' is set.

2. Edit '/etc/imapd.conf' and make sure that 'sasl_pwcheck_method' is set to 'saslauthd' even though you will be using PAM.

3. Edit '/etc/pam.d/imap' to read as follows:

auth sufficient /lib/security/$ISA/pam_ldap.so
account sufficient /lib/security/$ISA/pam_ldap.so

4. Start saslauthd and cyrus-imapd and set chkconfig to on.

5. Create some mailboxes and away you go!

A more complete blurb can be found at 'www.wlug.org.nz/CyrusNotes'

Tony

From jared.griffith at farheap.com Thu Jan 24 04:38:04 2008
From: jared.griffith at farheap.com (Jared B. Griffith)
Date: Wed, 23 Jan 2008 20:38:04 -0800 (PST)
Subject: [Fedora-directory-users] Saslauthd Authentication Issues
In-Reply-To: <200801241457.58538.tfar@smc.co.nz>
Message-ID: <3569517.39431201149484102.JavaMail.root@zimbra1.farheap.com>

Well..... this sort of works, and yes, the system authentication is already going through ldap. The system is a free-bsd 6.0 system, and I am able to authenticate using what you described but I am not able to create mailboxes, which is something for the cyrus imap list. I was just seeing if anyone had any luck doing this or if there were specific options that had to be enabled or modified for this to work with the FDS.

From aGiggins at wcg.net.au Thu Jan 24 04:40:35 2008
From: aGiggins at wcg.net.au (Anthony Giggins)
Date: Thu, 24 Jan 2008 15:40:35 +1100
Subject: [Fedora-directory-users] Certutil procedure Incorrect & not adding Certificates to CA Certs?
Message-ID:

http://www.redhat.com/docs/manuals/dir-server/ag/8.0/certutil-procedure.html

This procedure seems to contain some errors, mostly only capitalization errors, but none the less they probably should be fixed

10. should be
certutil -L -d . -n "CA certificate" -a > cacert.asc
ie. NOT Certificate with a Capital C
certutil -L -d . -n "CA Certificate" -a > cacert.asc

Also

11. has the same problem it should be
pk12util -d . -o cacert.pk12 -n "CA certificate"

Also

The procedure creates 2 Server Certs and no CA Certs can anyone please confirm the correct commands to add the certificates to the CA Certs rather than the Server Certs

I'm also getting issues when using the setupssl2.sh script ( http://directory.fedoraproject.org/download/setupssl2.sh ) on the wiki (I am running version Fedora Directory Server 1.1 on Centos 5.1 from the Fedora 6 yum repositories using the procedure http://directory.fedoraproject.org/wiki/Download#Enterprise_Linux_5 )

Regards,

Anthony

From howard at cohtech.com Thu Jan 24 08:31:29 2008
From: howard at cohtech.com (Howard Wilkinson)
Date: Thu, 24 Jan 2008 08:31:29 +0000
Subject: [Fedora-directory-users] Trying to build idm-console-framework from SRPMS fails on Fedora 7
In-Reply-To: <47961F9C.7030903@redhat.com>
References: <4794D5C2.9070400@cohtech.com> <4794D9AF.2000503@redhat.com> <4794DD50.7050008@cohtech.com> <4794DEE9.3090507@redhat.com> <4794E1B4.1090709@cohtech.com> <47961F9C.7030903@redhat.com>
Message-ID: <47984CE1.1030801@cohtech.com>

Rich Megginson wrote:
> Howard Wilkinson wrote:
>> Rob Crittenden wrote:
>>> Howard Wilkinson wrote:
>>>> Rob Crittenden wrote:
>>>>> Howard Wilkinson wrote:
>>>>>> I have been trying to build the idm-console-framework for fedora
>>>>>> 7+ and get the following warnings and failures - Any suggestions
>>>>>> about how I get past these?
>>>>>> --
>>>>>
>>>>> .....
>>>
> On F-7 you will have to use a proprietary JRE (sun or ibm). Do you
> need to build for some reason? The console packages for F-7 are
> provided in the fedora ds yum repo -
> http://directory.fedoraproject.org/wiki/Release_Notes#Console_only_Installation
>
>>>
I need to build from source as I want to be able to add some changes to the core and the console. I have icedtea built and installed on F7 but the console fails to build because there is a clash between an idm supplied class and a system class.

[javac] /usr/src/redhat/BUILD/idm-console-framework-1.1.0/src/com/netscape/management/client/preferences/FilePreferenceManager.java:49: reference to Console is ambiguous, both class com.netscape.management.client.console.Console in com.netscape.management.client.console and class java.io.Console in java.io match

IDM supplies the com.netscape.management.client.console.Console and icedtea provides java.io.Console.

Before I go diving into the ant environment any pointers where this is being setup and how to fix?

Howard.
--
Howard Wilkinson             Phone: +44(20)76907075
Coherent Technology Limited  Fax:
23 Northampton Square,       Mobile: +44(7980)639379
United Kingdom, EC1V 0HL     Email: howard at cohtech.com

From shivaraj.shivanna at wipro.com Thu Jan 24 11:07:26 2008
From: shivaraj.shivanna at wipro.com (shivaraj.shivanna at wipro.com)
Date: Thu, 24 Jan 2008 16:37:26 +0530
Subject: [Fedora-directory-users] Authenticate before querying ldap.
Message-ID:

Hi,
Our organization has an AD server running which requires you to bind to it first before querying the server.

For example commands like
ldapsearch -x -h "some ip" "(cn=abcd)" -b "some base" would fail with LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection.
but commands like
ldapsearch -x -h "some ip" "(cn=abcd)" -b "some base" -D "some user dn" -W would work on entering correct password.

How can we replicate this behavior with the fedora directory server ?

Regards,
Shivraj

From niranjan.ashok at gmail.com Thu Jan 24 14:57:53 2008
From: niranjan.ashok at gmail.com (mallapadi niranjan)
Date: Thu, 24 Jan 2008 20:27:53 +0530
Subject: [Fedora-directory-users] Authenticate before querying ldap.
In-Reply-To:
References:
Message-ID: <73e979680801240657r350677aak4526c7d7aaea7865@mail.gmail.com>

On Jan 24, 2008 4:37 PM, wrote:
> Hi,
> Our organization has an AD server running which requires you to bind to it
> first before querying the server.
>
> For example commands like
> *ldapsearch -x -h "some ip" "(cn=abcd)" -b "some base" *would fail
> with *LdapErr: DSID-0C090627, comment: In order to perform this *
> *operation a successful bind must be completed on the connection.*
> but commands like
> *ldapsearch -x -h "some ip" "(cn=abcd)" -b "some base" -D "some user
> dn" -W* would work on entering correct password.
>
> How can we replicate this behavior with the fedora directory server ?
>

through access control lists, you can disable anonymous access and specify authorization

You can refer the below
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control-Default_ACIs.html
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control-Access_Control_Usage_Examples.html

>
> Regards,
> Shivraj

From iferreir at personal.com.py Thu Jan 24 15:03:54 2008
From: iferreir at personal.com.py (Ivan Ferreira)
Date: Thu, 24 Jan 2008 12:03:54 -0300
Subject: [Fedora-directory-users] Authenticate before querying ldap.
In-Reply-To: <73e979680801240657r350677aak4526c7d7aaea7865@mail.gmail.com>
Message-ID:

One way will be by modifying the ACIs to do not allow anonymous read access to attributes.

Not sure if there is an "easy way" to disable anonymous access to the directory in the Console.

On Jan 24, 2008 4:37 PM, wrote:

Hi,
Our organization has an AD server running which requires you to bind to it first before querying the server.

For example commands like
ldapsearch -x -h "some ip" "(cn=abcd)" -b "some base" would fail with LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection.
but commands like
ldapsearch -x -h "some ip" "(cn=abcd)" -b "some base" -D "some user dn" -W would work on entering correct password.

How can we replicate this behavior with the fedora directory server ?

through access control lists, you can disable anonymous access and specify authorization

You can refer the below
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control-Default_ACIs.html
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control-Access_Control_Usage_Examples.html

Regards,
Shivraj

========================================================================================
This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded neither as a proposal, acceptance nor as a statement of will or official statement from NUCLEO S.A. . Email transmission cannot be guaranteed to be secure or error-free.
Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice.

From rmeggins at redhat.com Thu Jan 24 15:05:39 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 24 Jan 2008 08:05:39 -0700
Subject: [Fedora-directory-users] Authenticate before querying ldap.
In-Reply-To:
References:
Message-ID: <4798A943.2030506@redhat.com>

shivaraj.shivanna at wipro.com wrote:
> Hi,
> Our organization has an AD server running which requires you to bind
> to it first before querying the server.
>
> For example commands like
> /ldapsearch -x -h "some ip" "(cn=abcd)" -b "some base" /would fail
> with /LdapErr: DSID-0C090627, comment: In order to perform this /
> /operation a successful bind must be completed on the connection./
> but commands like
> /ldapsearch -x -h "some ip" "(cn=abcd)" -b "some base" -D "some
> user dn" -W/ would work on entering correct password.
>
> How can we replicate this behavior with the fedora directory server ?
You cannot currently do that. It's on the roadmap for the near future.
>
> Regards,
> Shivraj

From rmeggins at redhat.com Thu Jan 24 15:12:03 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 24 Jan 2008 08:12:03 -0700
Subject: [Fedora-directory-users] Trying to build idm-console-framework from SRPMS fails on Fedora 7
In-Reply-To: <47984CE1.1030801@cohtech.com>
References: <4794D5C2.9070400@cohtech.com> <4794D9AF.2000503@redhat.com> <4794DD50.7050008@cohtech.com> <4794DEE9.3090507@redhat.com> <4794E1B4.1090709@cohtech.com> <47961F9C.7030903@redhat.com> <47984CE1.1030801@cohtech.com>
Message-ID: <4798AAC3.1090206@redhat.com>

Howard Wilkinson wrote:
> Rich Megginson wrote:
>> Howard Wilkinson wrote:
>>> Rob Crittenden wrote:
>>>> Howard Wilkinson wrote:
>>>>> Rob Crittenden wrote:
>>>>>> Howard Wilkinson wrote:
>>>>>>> I have been trying to build the idm-console-framework for fedora
>>>>>>> 7+ and get the following warnings and failures - Any suggestions
>>>>>>> about how I get past these?
>>>>>>> --
>>>>>>
>>>>>>
> .....
>>>>
>> On F-7 you will have to use a proprietary JRE (sun or ibm). Do you
>> need to build for some reason? The console packages for F-7 are
>> provided in the fedora ds yum repo -
>> http://directory.fedoraproject.org/wiki/Release_Notes#Console_only_Installation
>>
>>>>
> I need to build from source as I want to be able to add some changes
> to the core and the console. I have icedtea built and installed on F7
> but the console fails to build because there is a clash between an idm
> supplied class and a system class.
>
> [javac]
> /usr/src/redhat/BUILD/idm-console-framework-1.1.0/src/com/netscape/management/client/preferences/FilePreferenceManager.java:49:
> reference to Console is ambiguous, both class
> com.netscape.management.client.console.Console in
> com.netscape.management.client.console and class java.io.Console in
> java.io match
>
> IDM supplies the com.netscape.management.client.console.Console and
> icedtea provides java.io.Console.
>
> Before I go diving into the ant environment any pointers where this is
> being setup and how to fix?
Ah yes. I had to fix this when I submitted the packages to Fedora. There were a few issues like this that IcedTea didn't like. I fixed them and released idm-console-framework 1.1.1 - there are also 1.1.1 versions of the other Java components. I suggest you start with those - they are functionally equivalent to 1.1.0.
http://directory.fedoraproject.org/wiki/Source
See also http://directory.fedoraproject.org/wiki/BuildingConsole

From rmeggins at redhat.com Thu Jan 24 15:19:58 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 24 Jan 2008 08:19:58 -0700
Subject: [Fedora-directory-users] Certutil procedure Incorrect & not adding Certificates to CA Certs?
In-Reply-To:
References:
Message-ID: <4798AC9E.4060204@redhat.com>

Anthony Giggins wrote:
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/certutil-procedure.html
>
> This procedure seems to contain some errors, mostly only
> capitalization errors, but none the less they probably should be fixed
>
> 10. should be
> certutil -L -d . -n "CA certificate" -a > cacert.asc
> ie. NOT Certificate with a Capital C
> certutil -L -d . -n "CA Certificate" -a > cacert.asc
>
> Also
>
> 11. has the same problem it should be
> pk12util -d . -o cacert.pk12 -n "CA certificate"
>
Thanks. I've created https://bugzilla.redhat.com/show_bug.cgi?id=430103 for these issues.
> Also
>
> The procedure creates 2 Server Certs and no CA Certs
No, it does create a CA cert and a Server Cert.
> can anyone please
> confirm the correct commands to add the certificates to the CA Certs
> rather than the Server Certs
>
"add the certificates to the CA Certs"?
>
> I'm also getting issues when using the setupssl2.sh script (
> http://directory.fedoraproject.org/download/setupssl2.sh ) on the wiki
> (I am running version Fedora Directory Server 1.1 on Centos 5.1 from the
> Fedora 6 yum repositories using the procedure
> http://directory.fedoraproject.org/wiki/Download#Enterprise_Linux_5 )
>
What issues are you getting?
>
> Regards,
>
> Anthony

From jonathan.mills at motricity.com Thu Jan 24 16:25:34 2008
From: jonathan.mills at motricity.com (Jonathan Mills)
Date: Thu, 24 Jan 2008 11:25:34 -0500
Subject: [Fedora-directory-users] FDS 1.1 replicate FDS 1.0.4?
Message-ID: <4798BBFE.6030705@motricity.com>

Hi, I have a FDS 1.0.4 ldap master running on RHEL5. I have a second machine, running RHEL5, that I want to use for replication. From the docs, it seems I need to run FDS 1.1 on RHEL5. Does anyone foresee any problems with an FDS 1.1 server replicating against an FDS 1.0.4 master?

--
jonathan mills

NOTICE: This e-mail message is for the sole use of the intended recipient(s) and may contain confidential and privileged information of Motricity. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

From jonathan.mills at motricity.com Thu Jan 24 16:27:18 2008
From: jonathan.mills at motricity.com (Jonathan Mills)
Date: Thu, 24 Jan 2008 11:27:18 -0500
Subject: [Fedora-directory-users] FDS 1.1 replicate FDS 1.0.4?
In-Reply-To: <4798BBFE.6030705@motricity.com>
References: <4798BBFE.6030705@motricity.com>
Message-ID: <4798BC66.6090906@motricity.com>

My bad, I meant to say that the ldap master is FDS 1.0.4 on RHEL4, NOT on RHEL5. Doh!

Jonathan Mills wrote:
> Hi, I have a FDS 1.0.4 ldap master running on RHEL5. I have a second
> machine, running RHEL5, that I want to use for replication. From the
> docs, it seems I need to run FDS 1.1 on RHEL5. Does anyone foresee any
> problems with an FDS 1.1 server replicating against an FDS 1.0.4 master?

--
jonathan mills
system administrator ii
From rmeggins at redhat.com Thu Jan 24 16:32:33 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 24 Jan 2008 09:32:33 -0700
Subject: [Fedora-directory-users] FDS 1.1 replicate FDS 1.0.4?
In-Reply-To: <4798BBFE.6030705@motricity.com>
References: <4798BBFE.6030705@motricity.com>
Message-ID: <4798BDA1.5010107@redhat.com>

Jonathan Mills wrote:
> Hi, I have a FDS 1.0.4 ldap master running on RHEL5. I have a second
> machine, running RHEL5, that I want to use for replication. From the
> docs, it seems I need to run FDS 1.1 on RHEL5.

No, you can run the Fedora DS 1.0.4 FC6 rpm on RHEL5. But I recommend running Fedora DS 1.1.

> Does anyone foresee any problems with an FDS 1.1 server replicating
> against an FDS 1.0.4 master?

Should work fine. The repl protocol has not changed in 1.1.

From beyonddc.storage at gmail.com Thu Jan 24 21:33:39 2008
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Thu, 24 Jan 2008 16:33:39 -0500
Subject: [Fedora-directory-users] Authenticate before querying ldap.
In-Reply-To:
References: <73e979680801240657r350677aak4526c7d7aaea7865@mail.gmail.com>
Message-ID: <20e4c38c0801241333ncd4b662n9ba952c3895fe39@mail.gmail.com>

Please correct me if I'm wrong. I thought the easiest way to disable anonymous access is to remove the default anonymous access ACI or modify the ACI from "ldap:///anyone" to "ldap:///all" so that only authenticated users can access the directory.

- David

On Jan 24, 2008 10:03 AM, Ivan Ferreira wrote:

> One way will be by modifying the ACIs to not allow anonymous read access
> to attributes.
>
> Not sure if there is an "easy way" to disable anonymous access to the
> directory in the Console.
>
> "mallapadi niranjan"
> Sent by: fedora-directory-users-bounces at redhat.com
> 24/01/2008 11:57 a.m.
> Please respond to: "General discussion list for the Fedora Directory server project."
> To: "General discussion list for the Fedora Directory server project."
> Subject: Re: [Fedora-directory-users] Authenticate before querying ldap.
> Classification: Internal Use
>
> On Jan 24, 2008 4:37 PM, wrote:
> Hi,
> Our organization has an AD server running which requires you to bind
> to it first before querying the server.
>
> For example commands like
> ldapsearch -x -h "some ip" "(cn=abcd)" -b "some base" would fail
> with LdapErr: DSID-0C090627, comment: In order to perform this
> operation a successful bind must be completed on the connection.
> but commands like
> ldapsearch -x -h "some ip" "(cn=abcd)" -b "some base" -D "some
> user dn" -W would work on entering correct password.
>
> How can we replicate this behavior with the fedora directory server?
>
> through access control lists, you can disable anonymous access and specify
> authorization
>
> You can refer the below
>
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control-Default_ACIs.html
>
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control-Access_Control_Usage_Examples.html
>
> Regards,
> Shivraj
>
> ========================================================================================
> This information is private and confidential and intended for the
> recipient only. If you are not the intended recipient of this message you
> are hereby notified that any review, dissemination, distribution or
> copying of this message is strictly prohibited. This communication is for
> information purposes only and shall not be regarded neither as a proposal,
> acceptance nor as a statement of will or official statement from NUCLEO
> S.A. Email transmission cannot be guaranteed to be secure or error-free.
> Therefore, we do not represent that this information is complete or
> accurate and it should not be relied upon as such. All information is
> subject to change without notice.

From rmeggins at redhat.com Thu Jan 24 21:36:22 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 24 Jan 2008 14:36:22 -0700
Subject: [Fedora-directory-users] Authenticate before querying ldap.
In-Reply-To: <20e4c38c0801241333ncd4b662n9ba952c3895fe39@mail.gmail.com>
References: <73e979680801240657r350677aak4526c7d7aaea7865@mail.gmail.com> <20e4c38c0801241333ncd4b662n9ba952c3895fe39@mail.gmail.com>
Message-ID: <479904D6.6010704@redhat.com>

Chun Tat David Chu wrote:
> Please correct me if I'm wrong.
> I thought the easiest way to disable
> anonymous access is to remove the default anonymous access ACI or
> modify the ACI from "ldap:///anyone" to "ldap:///all" so that only
> authenticated users can access the directory.

Yes, that will disallow anonymous from being able to search. But there is no way to completely disallow anonymous bind in the manner that AD does.

>
> - David

From aGiggins at wcg.net.au Thu Jan 24 23:17:27 2008
From: aGiggins at wcg.net.au (Anthony Giggins)
Date: Fri, 25 Jan 2008 10:17:27 +1100
Subject: [Fedora-directory-users] Certutil procedure Incorrect & not adding Certificates to CA Certs?
In-Reply-To: <4798AC9E.4060204@redhat.com>
References: <4798AC9E.4060204@redhat.com>
Message-ID:

> Rich Megginson wrote:
>
> Anthony Giggins wrote:
> > http://www.redhat.com/docs/manuals/dir-server/ag/8.0/certutil-procedure.html
> >
> > This procedure seems to contain some errors, mostly only
> > capitalization errors, but nonetheless they probably should be fixed
> >
> > 10. should be
> > certutil -L -d . -n "CA certificate" -a > cacert.asc
> > ie. NOT Certificate with a Capital C
> > certutil -L -d . -n "CA Certificate" -a > cacert.asc
> >
> > Also
> >
> > 11. has the same problem it should be
> > pk12util -d . -o cacert.pk12 -n "CA certificate"
> >
> Thanks. I've created https://bugzilla.redhat.com/show_bug.cgi?id=430103
> for these issues.

Thank You

> > Also
> >
> > The procedure creates 2 Server Certs and no CA Certs
> No, it does create a CA cert and a Server Cert.

Yes it does create both but it is adding both the "CA certificate" & "Server-Cert" certificates only to the Server Certs Page Under Manage Certificates and nothing to the CA Certs under the same page. See attached images (if the mailing list allows this) which were added using the setupssl2.sh script, but I also get similar results when using the procedure above.

> > can anyone please
> > confirm the correct commands to add the certificates to the CA Certs
> > rather than the Server Certs
> >
> "add the certificates to the CA Certs"?

Please see the attached images. Also, I think the information for creating the CA certificate is missing from http://directory.fedoraproject.org/wiki/Howto:SSL. I can only find instructions on adding the Server Certificate; please correct me if I'm wrong.

> >
> > I'm also getting issues when using the setupssl2.sh script (
> > http://directory.fedoraproject.org/download/setupssl2.sh ) on the wiki
> > (I am running version Fedora Directory Server 1.1 on Centos 5.1 from the
> > Fedora 6 yum repositories using the procedure
> > http://directory.fedoraproject.org/wiki/Download#Enterprise_Linux_5 )
> >
> What issues are you getting?

This is explained above, hopefully in enough detail.

Regards,

Anthony

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Managecertificates2.JPG
Type: image/jpeg
Size: 33236 bytes
Desc: Managecertificates2.JPG
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Managecertificates1.JPG
Type: image/jpeg
Size: 38562 bytes
Desc: Managecertificates1.JPG
URL:

From rmeggins at redhat.com Thu Jan 24 23:47:03 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 24 Jan 2008 16:47:03 -0700
Subject: [Fedora-directory-users] Certutil procedure Incorrect & not adding Certificates to CA Certs?
In-Reply-To:
References: <4798AC9E.4060204@redhat.com>
Message-ID: <47992377.1000304@redhat.com>

Anthony Giggins wrote:
>> Rich Megginson wrote:
>>
>>> Also
>>>
>>> The procedure creates 2 Server Certs and no CA Certs
>>>
>> No, it does create a CA cert and a Server Cert.
>>
>
> Yes it does create both but it is adding both the "CA certificate" &
> "Server-Cert" certificates only to the Server Certs Page Under Manage
> Certificates and nothing to the CA Certs under the same page. See
> attached images (if the mailing list allows this) which were added using
> the setupssl2.sh script, but I also get similar results when using
> the procedure above.
>

Hmm - looks like a bug. But at any rate, it is still a CA cert despite what the console says, and will correctly function as a CA cert for all TLS/SSL operations.

>
>>> can anyone please
>>> confirm the correct commands to add the certificates to the CA Certs
>>> rather than the Server Certs
>>>
>> "add the certificates to the CA Certs"?
>>
>
> Please see the attached images. Also, I think the information for creating
> the CA certificate is missing from
> http://directory.fedoraproject.org/wiki/Howto:SSL. I can only find
> instructions on adding the Server Certificate; please correct me if I'm
> wrong.
>

I'm not sure why the CA cert is showing up under Server Certs in the console, but it is indeed a CA cert and will function as such for TLS/SSL operations.

>
>>> I'm also getting issues when using the setupssl2.sh script (
>>> http://directory.fedoraproject.org/download/setupssl2.sh ) on the wiki
>>> (I am running version Fedora Directory Server 1.1 on Centos 5.1 from the
>>> Fedora 6 yum repositories using the procedure
>>> http://directory.fedoraproject.org/wiki/Download#Enterprise_Linux_5 )
>>>
>> What issues are you getting?
>>
>
> This is explained above, hopefully in enough detail.
>
> Regards,
>
> Anthony

From ajeet.singh.raina at logicacmg.com Fri Jan 25 11:19:23 2008
From: ajeet.singh.raina at logicacmg.com (Singh Raina, Ajeet)
Date: Fri, 25 Jan 2008 16:49:23 +0530
Subject: [Fedora-directory-users] Issue with Fedora DS Client Setup on HP???/
Message-ID: <0139539A634FD04A99C9B8880AB70CB2077DE6A3@in-ex004.groupinfra.com>

Hello,

I have installed Fedora DS Client on RHEL machine. I was trying to set up Client on HP-UX and am able to list all the DS users created through ldapsearch command, but am not able to see any output through nsquery or pwget command. Even the id command is not working/showing any output.

Earlier I upgraded my machine from HP-UX 11.00 to 11.11 PA RISC System and downloaded and installed the patches needed and listed in hp website documentation, but am finding only a single change in ldap.conf file, that's it. I modified the nsswitch.conf as follows:

#
# /etc/nsswitch.hp_defaults:
#
# @(#)B.11.11_LR
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses NIS (YP) in conjunction with files.
#

passwd:       files ldap
group:        files ldap
hosts:        dns
networks:     files
protocols:    nis [NOTFOUND=return] files
rpc:          nis [NOTFOUND=return] files
publickey:    nis [NOTFOUND=return] files
netgroup:     nis [NOTFOUND=return] files
automount:    files nis
aliases:      files nis
services:     nis [NOTFOUND=return] files
~

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

From satish at suburbia.org.au Fri Jan 25 17:23:47 2008
From: satish at suburbia.org.au (Satish Chetty)
Date: Fri, 25 Jan 2008 09:23:47 -0800
Subject: [Fedora-directory-users] Issue with Fedora DS Client Setup on HP???/
In-Reply-To: <0139539A634FD04A99C9B8880AB70CB2077DE6A3@in-ex004.groupinfra.com>
References: <0139539A634FD04A99C9B8880AB70CB2077DE6A3@in-ex004.groupinfra.com>
Message-ID: <479A1B23.2030500@suburbia.org.au>

Ajeet,
You might have already done all this, but here is a summary of what you need to do...

* You need to install HP client software/patches from https://h20293.www2.hp.com/portal/swdepot/try.do?productNumber=J4269AA
* Create /etc/ldap.conf (if it doesn't exist)
* Need to have profile on FDS similar to what is needed by Solaris clients (see FDS site for more info on Solaris profiles)
* Create a proxy agent under the profile. You can use ldap_proxy_config for that which is usually under /opt/ldapux/config
* Run client setup /opt/ldapux/config/setup
* Modify pam.conf and nsswitch.conf

cheers,
-Satish.

From ulf.weltman at hp.com Fri Jan 25 19:30:16 2008
From: ulf.weltman at hp.com (Ulf Weltman)
Date: Fri, 25 Jan 2008 11:30:16 -0800
Subject: [Fedora-directory-users] Issue with Fedora DS Client Setup on HP???/
In-Reply-To: <479A1B23.2030500@suburbia.org.au>
References: <0139539A634FD04A99C9B8880AB70CB2077DE6A3@in-ex004.groupinfra.com> <479A1B23.2030500@suburbia.org.au>
Message-ID: <479A38C8.8030108@hp.com>

Ajeet, sounds like your /etc/pam.conf file needs an update.

As an addendum, the configuration aside from nsswitch.conf and pam.conf is created for you by the LDAP-UX /opt/ldapux/config/setup program, including the profile entry in the Directory Server. There will be sample nsswitch.ldap and pam.ldap files in /etc to base the remaining configuration on. There is no /etc/ldap.conf, the LDAP-UX-specific configuration files are in /etc/opt/ldapux. Also, using a proxy agent is optional, for an initial configuration you might want to try the default anonymous mode if your ACIs allow it.

Detailed installation information can be found in the LDAP-UX Client Services Administrator's Guide, you can find your version here:
http://docs.hp.com/en/internet.html#LDAP-UX%20Integration

From listbox at hymerfania.com Fri Jan 25 19:31:06 2008
From: listbox at hymerfania.com (Listbox)
Date: Fri, 25 Jan 2008 11:31:06 -0800
Subject: NetscapeRootRe: [Fedora-directory-users] Can't create users, SOLVED!
In-Reply-To: <4797A469.1000300@redhat.com>
References: <009201c85c85$2cd213b0$1100a8c0@hymesruzicka.org> <479635B0.5020000@redhat.com> <006c01c85de9$1f963540$1100a8c0@hymesruzicka.org> <4797873D.3050604@redhat.com> <008701c85dfd$0695f8a0$1100a8c0@hymesruzicka.org> <4797A469.1000300@redhat.com>
Message-ID: <007101c85f88$d5d50e80$1100a8c0@hymesruzicka.org>

Got our first user created!
I have an idea on why the setup-ds-admin.pl may not have worked completely.

When doing the first install, I ran the install script, then aborted it ( within the first few steps ). I thought I was paranoid enough by running "rpm -erase fedora-ds-1.1.0-3", and deleting the contents of :

/etc/dirsrv
/usr/lib/dirsrv
/usr/share/dirsrv
/var/lock/dirsrv
/var/lib/dirsrv
/var/run/dirsrv
/var/log/dirsrv
/usr/lib/mozldap
/usr/share/doc/mozldap-6.0.5

Before I reinstalled, and re-ran the install script. But I know I ran into a slapd startup problem because I made a typo, and I only erased the contents of "/var/run/dirsrv", and left the dir itself.

Until I tried to create users, that was the only problem due to a previous install attempt.
Maybe this was another.

Thanks again!

-----Original Message-----
From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Wednesday, January 23, 2008 12:33 PM
To: listbox at hymerfania.com
Cc: fedora-directory-users at redhat.com
Subject: Re: NetscapeRootRe: [Fedora-directory-users] Can't create users, time for complete wipe and re-install?

Listbox wrote:
> Thanks Rich!
>
> I just looked in /usr/share/dirsrv/data, and the file "template.ldif"
> looks like what I get for the ldapquery of acis in dc=hymesruzicka,
> dc=org. It does not have any entries for uid=admin ( or uid=%as_uid% ).
>
Right. That's the file that is used for just the fedora-ds-base package - the admin server and console stuff are "add-ons".
> I did find the file "16dssuffixadmin.mod.tmpl", and looks like it may
> be useful as a model to make more of the correct acis. Is this a good idea?
Yes.
> How
> much more should I modify it?
>
You have to replace the %token% items:
ds_suffix - your suffix e.g. dc=hymesruzicka, dc=org or cn=config or cn=schema or etc.
as_uid - admin
or change the entire DN uid=%as_uid%,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot to some other DN that you want to use for an administrator.

You can just omit the SIE Group ACI

Then just feed that file to ldapmodify e.g.
ldapmodify -x -D "cn=directory manager" -w yourpassword -f thefile.ldif

Note - make a copy of 16dssuffixadmin.mod.tmpl and edit it - do not edit it in place.
> /usr/share/dirsrv/data/16dssuffixadmin.mod.tmpl
>
> # BEGIN COPYRIGHT BLOCK
> ...
> # END COPYRIGHT BLOCK
> dn: %ds_suffix%
> changetype: modify
> add: aci
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=%as_uid%,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, cn=Server Group, cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)
>
> Thanks again!
>
> ************************************************
> ************************************************
> ************************************************
> for bind in config schema monitor ; do ldapsearch -x -D "cn=directory manager" -w mypassword -s sub -b cn=$bind "aci=*" aci ; done
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: aci=*
> # requesting: aci
> #
>
> # config
> dn: cn=config
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
>
> # SNMP, config
> dn: cn=SNMP,cn=config
> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
>
> # 2.16.840.1.113730.3.4.9, features, config
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read, search, compare, proxy ) userdn = "ldap:///all";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 4
> # numEntries: 3
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: aci=*
> # requesting: aci
> #
>
> # schema
> dn: cn=schema
> aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: aci=*
> # requesting: aci
> #
>
> # monitor
> dn: cn=monitor
> aci: (target ="ldap:///cn=monitor*")(targetattr != "aci || connection")(version 3.0; acl "monitor"; allow( read, search, compare ) userdn = "ldap:///anyone";)
>
> # search result
> search: 2
> result: 0 Success

From rmeggins at redhat.com Fri Jan 25 19:35:52 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 25 Jan 2008 12:35:52 -0700
Subject: NetscapeRootRe: [Fedora-directory-users] Can't create users, SOLVED!
In-Reply-To: <007101c85f88$d5d50e80$1100a8c0@hymesruzicka.org>
References: <009201c85c85$2cd213b0$1100a8c0@hymesruzicka.org> <479635B0.5020000@redhat.com> <006c01c85de9$1f963540$1100a8c0@hymesruzicka.org> <4797873D.3050604@redhat.com> <008701c85dfd$0695f8a0$1100a8c0@hymesruzicka.org> <4797A469.1000300@redhat.com> <007101c85f88$d5d50e80$1100a8c0@hymesruzicka.org>
Message-ID: <479A3A18.6060606@redhat.com>

Listbox wrote:
> Got our first user created!
> I have an idea on why the setup-ds-admin.pl may not have worked completely.
>
> When doing the first install, I ran the install script, then aborted it (
> within the first few steps ).
If you abort setup before it finishes asking you questions, you should be able to run it again, no problem. If you abort it after the dialog section during its configuration section, then you will have to do some clean up.
> I thought I was paranoid enough by running
> "rpm -erase fedora-ds-1.1.0-3",
That really doesn't do anything - the fedora-ds package is now completely empty and just Requires (for yum) the "real" packages fedora-ds-base, fedora-ds-admin, etc. It shouldn't be necessary, but if you really want to remove everything, you should do something like
yum erase svrcore idm-console-framework
> and deleting the contents of :
>
> /etc/dirsrv
> /usr/lib/dirsrv
> /usr/lib64/dirsrv on 64bit systems
> /usr/share/dirsrv
> /var/lock/dirsrv
> /var/lib/dirsrv
> /var/run/dirsrv
> /var/log/dirsrv
>
Yep. rm -rf all of those
> /usr/lib/mozldap
> /usr/share/doc/mozldap-6.0.5
>
No, not these.
> Before I reinstalled, and re-ran the install script. But I know I ran into a
> slapd startup problem because I made a typo, and I only erased the contents
> of "/var/run/dirsrv", and left the dir itself.
>
> Until I tried to create users, that was the only problem due to a previous
> install attempt. Maybe this was another.
>
>
> Thanks again!
> > > -----Original Message----- > From: Rich Megginson [mailto:rmeggins at redhat.com] > Sent: Wednesday, January 23, 2008 12:33 PM > To: listbox at hymerfania.com > Cc: fedora-directory-users at redhat.com > Subject: Re: NetscapeRootRe: [Fedora-directory-users] Can't create users, > time for complete wipe and re-install? > > Listbox wrote: > >> Thanks Rich! >> >> I just looked in /usr/share/dirsrv/data, and the file "template.ldif" >> looks like what I get for the ldapquery of acis in dc=hymesruzicka, >> dc=org. It does not have any entries for uid=admin ( or uid=%as_uid% ). >> >> > Right. That's the file that is used for just the fedora-ds-base package > - the admin server and console stuff are "add-ons". > >> I did find the file "16dssuffixadmin.mod.tmpl", and looks like it may >> be useful as a model to make more of the correct acis. Is this a good >> > idea? > Yes. > >> How >> much more should I modify it? >> >> > You have to replace the %token% items: > ds_suffix - your suffix e.g. dc=hymesruzicka, dc=org or cn=config or > cn=schema or etc. > as_uid - admin > or change the entire DN uid=%as_uid%,ou=Administrators, > ou=TopologyManagement, o=NetscapeRoot to some other DN that you want to use > for an administrator. > > You can just omit the SIE Group ACI > > Then just feed that file to ldapmodify e.g. > ldapmodify -x -D "cn=directory manager" -w yourpassword -f thefile.ldif > > Note - make a copy of 16dssuffixadmin.mod.tmpl and edit it - do not edit it > in place. > >> /usr/share/dirsrv/data/16dssuffixadmin.mod.tmpl >> >> # BEGIN COPYRIGHT BLOCK >> ... 
>> # END COPYRIGHT BLOCK >> dn: %ds_suffix% >> changetype: modify >> add: aci >> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators >> Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, >> ou=Groups, ou=TopologyManagement, o=NetscapeRoot";) >> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; >> allow >> (all) userdn="ldap:///uid=%as_uid%,ou=Administrators, >> ou=TopologyManagement, >> o=NetscapeRoot";) >> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) >> groupdn = "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, >> cn=Server Group, cn=%fqdn%, ou=%domain%, o=NetscapeRoot";) >> >> >> Thanks again! >> >> ************************************************ >> ************************************************ >> ************************************************ >> for bind in config schema monitor ; do ldapsearch -x -D "cn=directory >> manager" -w mypassword -s sub -b cn=$bind "aci=*" aci ; done # >> extended LDIF # # LDAPv3 # base with scope subtree # >> filter: aci=* # requesting: aci # >> >> # config >> dn: cn=config >> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators >> Group"; a llow (all) groupdn="ldap:///cn=Configuration >> Administrators, ou=Groups, ou=To pologyManagement, o=NetscapeRoot";) >> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; >> allow (a >> ll) userdn="ldap:///uid=admin, ou=Administrators, >> ou=TopologyManagement, o=Ne >> tscapeRoot";) >> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) >> groupdn = "l dap:///cn=slapd-trixter, cn=Fedora Directory Server, >> cn=Server Group, cn=trix ter.hymesruzicka.org, ou=hymesruzicka.org, >> o=NetscapeRoot";) >> >> # SNMP, config >> dn: cn=SNMP,cn=config >> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version >> 3.0;acl "snmp";allow (read, search, compare)(userdn = >> "ldap:///anyone");) >> >> # 2.16.840.1.113730.3.4.9, features, config >> dn: 
oid=2.16.840.1.113730.3.4.9,cn=features,cn=config >> aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; >> allow( read , search, compare, proxy ) userdn = "ldap:///all";) >> >> # search result >> search: 2 >> result: 0 Success >> >> # numResponses: 4 >> # numEntries: 3 >> # extended LDIF >> # >> # LDAPv3 >> # base with scope subtree >> # filter: aci=* >> # requesting: aci >> # >> >> # schema >> dn: cn=schema >> aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl >> "anonymo us, no acis"; allow (read, search, compare) userdn = >> "ldap:///anyone";) >> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators >> Group"; a llow (all) groupdn="ldap:///cn=Configuration >> Administrators, ou=Groups, ou=To pologyManagement, o=NetscapeRoot";) >> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; >> allow (a >> ll) userdn="ldap:///uid=admin,ou=Administrators, >> ou=TopologyManagement, o=Net >> scapeRoot";) >> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) >> groupdn = "l dap:///cn=slapd-trixter, cn=Fedora Directory Server, >> cn=Server Group, cn=trix ter.hymesruzicka.org, ou=hymesruzicka.org, >> o=NetscapeRoot";) >> >> # search result >> search: 2 >> result: 0 Success >> >> # numResponses: 2 >> # numEntries: 1 >> # extended LDIF >> # >> # LDAPv3 >> # base with scope subtree # filter: aci=* # requesting: >> aci # >> >> # monitor >> dn: cn=monitor >> aci: (target ="ldap:///cn=monitor*")(targetattr != "aci || >> connection")(versio n 3.0; acl "monitor"; allow( read, search, >> compare ) userdn = "ldap:///anyone >> ";) >> >> # search result >> search: 2 >> result: 0 Success >> >> >> >> > > > -------------- next part -------------- A non-text attachment was scrubbed... 
From listbox at hymerfania.com Fri Jan 25 19:51:07 2008
From: listbox at hymerfania.com (Listbox)
Date: Fri, 25 Jan 2008 11:51:07 -0800
Subject: [Fedora-directory-users] ldap commands require "-Y GSSAPI". Fixable with "Identity Mapping" ?
Message-ID: <007c01c85f8b$a1eac670$1100a8c0@hymesruzicka.org>

Hi folks,

I have sasl-gssapi installed. But to use any ldap clients like ldapsearch or ldapmodify, I must specify "-Y GSSAPI" , else I get a "no mechanism available" error. Is this an "Identity Mapping" problem, an ldap.conf problem, or is it "as designed"?

My ldap.conf man page says that "SASL_MECH" is a per-user setting in .ldaprc, so I worry that my services without a login will not use LDAP correctly.

I read
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Introduction_to_SASL-SASL_Identity_Mapping.html
and the next section on "Realms" but the docs don't say if one should actually put "cn=gssapi,cn=auth" into the SASL map.

Thanks!
***************************
***************************
***************************
[installer at trixter ~]$ ldapsearch -V
ldapsearch: @(#) $OpenLDAP: ldapsearch 2.3.34 (Nov 2 2007 08:16:21) $

kojibuilder at xenbuilder2.fedora.redhat.com:/builddir/build/BUILD/openldap-2.3
.34/openldap-2.3.34/build-clients/clients/tools
(LDAP library: OpenLDAP 20333)
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:

***************************
***************************
***************************
[installer at trixter ~]$ ldapsearch -V -Y GSSAPI > /dev/null
ldapsearch: @(#) $OpenLDAP: ldapsearch 2.3.34 (Nov 2 2007 08:16:21) $

kojibuilder at xenbuilder2.fedora.redhat.com:/builddir/build/BUILD/openldap-2.3
.34/openldap-2.3.34/build-clients/clients/tools
(LDAP library: OpenLDAP 20333)
SASL/GSSAPI authentication started
SASL username: installer at HYMESRUZICKA.ORG
SASL SSF: 56
SASL installing layers

From rmeggins at redhat.com Fri Jan 25 19:57:55 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 25 Jan 2008 12:57:55 -0700
Subject: [Fedora-directory-users] ldap commands require "-Y GSSAPI". Fixable with "Identity Mapping" ?
In-Reply-To: <007c01c85f8b$a1eac670$1100a8c0@hymesruzicka.org>
References: <007c01c85f8b$a1eac670$1100a8c0@hymesruzicka.org>
Message-ID: <479A3F43.1040205@redhat.com>

Listbox wrote:
> Hi folks,
>
> I have sasl-gssapi installed. But to use any ldap clients like ldapsearch or
> ldapmodify, I must specify "-Y GSSAPI" , else I get a "no mechanism
> available" error. Is this an "Identity Mapping" problem, an ldap.conf
> problem, or is it "as designed"?
>
OpenLDAP ldapsearch, ldapmodify, etc. (/usr/bin/ldapsearch etc.) attempt to use SASL by default. If you use the -x argument, it will use simple userDN/password bind.
> My ldap.conf man page says that "SASL_MECH" is a per-user setting in
> .ldaprc, so I worry that my services without a login will not use LDAP
> correctly.
> I read
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Introduction_to_SASL-SASL_Identity_Mapping.html
> and the next section on "Realms" but the docs don't say if one should
> actually put "cn=gssapi,cn=auth" into the SASL map.
>
>
> Thanks!
>
>
> ***************************
> ***************************
> ***************************
> [installer at trixter ~]$ ldapsearch -V
> ldapsearch: @(#) $OpenLDAP: ldapsearch 2.3.34 (Nov 2 2007 08:16:21) $
>
> kojibuilder at xenbuilder2.fedora.redhat.com:/builddir/build/BUILD/openldap-2.3
> .34/openldap-2.3.34/build-clients/clients/tools
> (LDAP library: OpenLDAP 20333)
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:
>
> ***************************
> ***************************
> ***************************
> [installer at trixter ~]$ ldapsearch -V -Y GSSAPI > /dev/null
> ldapsearch: @(#) $OpenLDAP: ldapsearch 2.3.34 (Nov 2 2007 08:16:21) $
>
> kojibuilder at xenbuilder2.fedora.redhat.com:/builddir/build/BUILD/openldap-2.3
> .34/openldap-2.3.34/build-clients/clients/tools
> (LDAP library: OpenLDAP 20333)
> SASL/GSSAPI authentication started
> SASL username: installer at HYMESRUZICKA.ORG
> SASL SSF: 56
> SASL installing layers
>

From hyc at symas.com Fri Jan 25 20:21:00 2008
From: hyc at symas.com (Howard Chu)
Date: Fri, 25 Jan 2008 12:21:00 -0800
Subject: [Fedora-directory-users] ldap commands require "-Y GSSAPI". Fixable with "Identity Mapping" ?
In-Reply-To: <20080125195816.24A6273654@hormel.redhat.com>
References: <20080125195816.24A6273654@hormel.redhat.com>
Message-ID: <479A44AC.8060903@symas.com>

> Date: Fri, 25 Jan 2008 12:57:55 -0700
> From: Rich Megginson
> Listbox wrote:
>> Hi folks,
>>
>> I have sasl-gssapi installed. But to use any ldap clients like ldapsearch or
>> ldapmodify, I must specify "-Y GSSAPI" , else I get a "no mechanism
>> available" error. Is this an "Identity Mapping" problem, an ldap.conf
>> problem, or is it "as designed"?
>>
> OpenLDAP ldapsearch, ldapmodify, etc. (/usr/bin/ldapsearch etc.) attempt
> to use SASL by default. If you use the -x argument, it will use simple
> userDN/password bind.

It sounds like, since he went to the effort of installing sasl-gssapi, that he actually wants to use SASL Binds though. When no mechanism is specified, the client library tries to read the supportedSASLMechanisms attribute from the server's rootDSE. If the rootDSE is unreadable (due to ACLs most likely) then you'll get this type of failure.

>> My ldap.conf man page says that "SASL_MECH" is a per-user setting in
>> .ldaprc, so I worry that my services without a login will not use LDAP
>> correctly.
>> I read
>> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Introduction_to_SASL-SASL_Identity_Mapping.html
>> and the next section on "Realms" but the docs don't say if one should
>> actually put "cn=gssapi,cn=auth" into the SASL map.

--
-- Howard Chu
Chief Architect, Symas Corp.
http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/

From sigidwu at gmail.com Mon Jan 28 03:17:34 2008
From: sigidwu at gmail.com (sigid@JINLab)
Date: Mon, 28 Jan 2008 11:17:34 +0800
Subject: [Fedora-directory-users] fedora-ds 1.1.0 on fedora core 5
Message-ID: <479D494E.800@gmail.com>

Is there any possibilities to install fedora-ds 1.1.0 on fedora core 5?

thanks

From dennis at ausil.us Mon Jan 28 04:46:01 2008
From: dennis at ausil.us (Dennis Gilmore)
Date: Sun, 27 Jan 2008 22:46:01 -0600
Subject: [Fedora-directory-users] fedora-ds 1.1.0 on fedora core 5
In-Reply-To: <479D494E.800@gmail.com>
References: <479D494E.800@gmail.com>
Message-ID: <200801272246.02669.dennis@ausil.us>

On Sunday 27 January 2008, sigid at JINLab wrote:
> Is there any possibilities to install fedora-ds 1.1.0 on fedora core 5?
>
> thanks
>
> gpgkeys: key AA23CD3603E50EED not found on keyserver

you could build it yourself most likely. however Fedora Core 5 has not been supported for over 8 months now. I would suggest you upgrade to something newer and supported. Fedora 8 will soon have all of Fedora Directory server in it

Dennis

From kirankmadala at hotmail.com Mon Jan 28 17:10:13 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Mon, 28 Jan 2008 13:10:13 -0400
Subject: [Fedora-directory-users] Fedora 1.1 source
In-Reply-To: <478B7BA9.4080703@redhat.com>
References: <4787D9B5.20609@redhat.com> <478B7BA9.4080703@redhat.com>
Message-ID:

Hello,

Thank you for all the information. I have a question about AD and DirSync though it is not directly related to this group. But I haven't found an answer in any other forums for a long time now so I am trying here.
How do you synchronize when a user is moved from one group to another in AD? i.e. what kind of notification do you get from DirSync?

Kiran Madala.

----------------------------------------
> Date: Mon, 14 Jan 2008 08:11:37 -0700
> From: rmeggins at redhat.com
> To: fedora-directory-users at redhat.com
> Subject: Re: [Fedora-directory-users] Fedora 1.1 source
>
> kiran madala wrote:
>> Thanks a lot I got that. Got another question where can I find the code that stores the values obtained from Active Directory in Fedora database?
> http://cvs.fedoraproject.org/viewcvs/ldapserver/ldap/servers/plugins/replication/?root=dirsec
> The windows sync code is part of the replication code - just look for
> files beginning with "windows"
>> and also how are the values stored like the database tables and design.
>>
> The windows sync code does this:
> 1) issues an LDAP search request with the DirSync control
> 2) reads and parses the results
> 3) uses internal SLAPI calls to write the data into the Fedora DS data store
>
> It's all there in the code above.
>> Thanks
>> ----------------------------------------
>>
>>> Date: Fri, 11 Jan 2008 14:03:49 -0700
>>> From: rmeggins at redhat.com
>>> To: fedora-directory-users at redhat.com
>>> Subject: Re: [Fedora-directory-users] Fedora 1.1 source
>>>
>>> kiran madala wrote:
>>>
>>>> Hi,
>>>>
>>>> Where can I get the source for FDS 1.1? I am particularly looking at the Windows Sync module
>>>>
>>>>
>>> tarballs and cvs information -
>>> http://directory.fedoraproject.org/wiki/Source - the fedora-ds-base module
>>> or
>>> http://cvs.fedoraproject.org/viewcvs/ldapserver/ldap/servers/plugins/replication/?root=dirsec
>>> The windows sync code is part of the replication code - just look for
>>> files beginning with "windows"
>>>

From gholbert at broadcom.com Tue Jan 29 01:04:15 2008
From: gholbert at broadcom.com (George Holbert)
Date: Mon, 28 Jan 2008 17:04:15 -0800
Subject: [Fedora-directory-users] resource limits for replication manager
Message-ID: <479E7B8F.20208@broadcom.com>

Just curious if anyone knows:
Would there ever be a need to extend search resource limits for cn=replication manager,cn=replication,cn=config ?

For example, set higher-than-default values for replication manager on any of:
nsSizeLimit
nsLookThroughLimit
nsTimeLimit
nsIdleTimeout

Or is the replication manager immune to resource limits, like cn=directory manager?

Thanks,
-- George

From rmeggins at redhat.com Tue Jan 29 03:43:03 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 28 Jan 2008 20:43:03 -0700
Subject: [Fedora-directory-users] resource limits for replication manager
In-Reply-To: <479E7B8F.20208@broadcom.com>
References: <479E7B8F.20208@broadcom.com>
Message-ID: <479EA0C7.2080407@redhat.com>

George Holbert wrote:
> Just curious if anyone knows:
> Would there ever be a need to extend search resource limits for
> cn=replication manager,cn=replication,cn=config ?
No, because that user doesn't do any searching (unless you're using it for something other than replication).
>
> For example, set higher-than-default values for replication manager on
> any of:
> nsSizeLimit
> nsLookThroughLimit
> nsTimeLimit
> nsIdleTimeout
>
> Or is the replication manager immune to resource limits, like
> cn=directory manager?
>
> Thanks,
> -- George
>

From gm4rtin at gmail.com Tue Jan 29 19:33:48 2008
From: gm4rtin at gmail.com (Gary Martin)
Date: Tue, 29 Jan 2008 14:33:48 -0500
Subject: [Fedora-directory-users] Problem with computer accounts and smbldap-tools
Message-ID: <43806ba60801291133u15e22e32mf3aae8026b8632e4@mail.gmail.com>

I am creating a samba PDC with a FDS passdb backend on Fedora 8. I am having trouble using smbldap tools to integrate and add the computer accounts to the domain. Does anyone have a how-to for smbldap-tools that picks up where the Howto:Samba wiki leaves off?

Thanks.

From jtharp at esri.com Tue Jan 29 22:40:01 2008
From: jtharp at esri.com (Jeff Tharp)
Date: Tue, 29 Jan 2008 14:40:01 -0800
Subject: [Fedora-directory-users] Migrating from 1.0.2 to 1.1, not all databases migrated
Message-ID:

I'm working on migrating our Fedora DS 1.0.2 server to FedoraDS 1.1. I did a same platform migration on test box by installing the FedoraDS 1.1 binaries, taring up /opt/fedora-ds from one of our old FedoraDS boxes and then using migrate-ds-admin.pl to migrate the instance. While NetscapeRoot and UserRoot were migrated correctly, the migration script skipped over our custom database entirely. Now I can always export to LDIF and migrate this database that way, I was hoping to do a direct binary migration to minimize downtime.
Are UserRoot and NetscapeRoot the only databases supported, or is it likely that something was misconfigured with my test?

Any advice is appreciated,
Jeff Tharp
System Administrator
ESRI - Redlands, CA
http://www.esri.com

From rmeggins at redhat.com Tue Jan 29 23:22:03 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 29 Jan 2008 16:22:03 -0700
Subject: [Fedora-directory-users] Migrating from 1.0.2 to 1.1, not all databases migrated
In-Reply-To:
References:
Message-ID: <479FB51B.8000007@redhat.com>

Jeff Tharp wrote:
> I'm working on migrating our Fedora DS 1.0.2 server to FedoraDS 1.1. I
> did a same platform migration on test box by installing the FedoraDS 1.1
> binaries, taring up /opt/fedora-ds from one of our old FedoraDS boxes
> and then using migrate-ds-admin.pl to migrate the instance. While
> NetscapeRoot and UserRoot were migrated correctly, the migration script
> skipped over our custom database entirely. Now I can always export to
> LDIF and migrate this database that way, I was hoping to do a direct
> binary migration to minimize downtime. Are UserRoot and NetscapeRoot
> the only databases supported, or is it likely that something was
> misconfigured with my test?
>
Not sure. Try migrate-ds-admin.pl -ddd to see if turning up the debug level gives you any additional information.
> Any advice is appreciated,
> Jeff Tharp
> System Administrator
> ESRI - Redlands, CA
> http://www.esri.com
>

From jtharp at esri.com Wed Jan 30 02:10:31 2008
From: jtharp at esri.com (Jeff Tharp)
Date: Tue, 29 Jan 2008 18:10:31 -0800
Subject: [Fedora-directory-users] RE: Migrating from 1.0.2 to 1.1, not all databases migrated
In-Reply-To:
References:
Message-ID:

Argh, I figured out this problem was self-inflicted. I used too old a revision of the dse.ldif file as the basis for my migration. Updating to a newer revision (that included references to the missing backend) solved the problem.

Thanks for the help and sorry to have wasted time with this.

Jeff

> -----Original Message-----
> From: Jeff Tharp
> Sent: Tuesday, January 29, 2008 2:40 PM
> To: 'Fedora-directory-users at redhat.com'
> Subject: Migrating from 1.0.2 to 1.1, not all databases migrated
>
> I'm working on migrating our Fedora DS 1.0.2 server to
> FedoraDS 1.1. I did a same platform migration on test box by
> installing the FedoraDS 1.1 binaries, taring up
> /opt/fedora-ds from one of our old FedoraDS boxes and then
> using migrate-ds-admin.pl to migrate the instance. While
> NetscapeRoot and UserRoot were migrated correctly, the
> migration script skipped over our custom database entirely.
> Now I can always export to LDIF and migrate this database
> that way, I was hoping to do a direct binary migration to
> minimize downtime. Are UserRoot and NetscapeRoot the only
> databases supported, or is it likely that something was
> misconfigured with my test?
>
> Any advice is appreciated,
> Jeff Tharp
> System Administrator
> ESRI - Redlands, CA
> http://www.esri.com

From richard at powerset.com Wed Jan 30 03:28:23 2008
From: richard at powerset.com (Richard Hesse)
Date: Tue, 29 Jan 2008 19:28:23 -0800
Subject: [Fedora-directory-users] FDS 1.1 fail to add configuration data to FDS1.04 DS
Message-ID: <84E2AE771361E9419DD0EFBD31F09C4D4CBBB885D4@EXVMBX015-1.exch015.msoutlookonline.net>

I'm setting up a few v1.1 test instances in our current 1.04 environment but running into issues trying to add the configuration data to an existing 1.04 server. It appears to be trying to create the children entries before the parent:

Are you ready to set up your servers? [yes]:
Creating directory server . . .
Your new DS instance 'fds' was successfully created.
Creating the configuration directory server . . .
dn: cn=Fedora Directory Server, cn=Server Group, cn=aa0-002-6-v2.u.powerset.co
 m, ou=sv.powerset.com, o=NetscapeRoot
objectclass: nsApplication
objectclass: groupOfUniqueNames
objectclass: top
cn: Fedora Directory Server
nsproductname: Fedora Directory Server
nsproductversion: 1.1.0
nsnickname: slapd
nsbuildnumber: 2007.355.1657
nsvendor: Fedora Project
installationtimestamp: 20080130014937Z
nsexpirationdate: 0
nsbuildsecurity: domestic
uniquemember: cn=slapd-fds, cn=Fedora Directory Server, cn=Server Group, cn=aa
 0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=NetscapeRoot
nsservermigrationclassname: com.netscape.admin.dirserv.task.MigrateCreate at fedo
 ra-ds-1.1.jar at cn=admin-serv-aa0-002-6-v2, cn=Fedora Administration Server, cn
 =Server Group, cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=Netscape
 Root
nsservercreationclassname: com.netscape.admin.dirserv.task.MigrateCreate at fedor
 a-ds-1.1.jar at cn=admin-serv-aa0-002-6-v2, cn=Fedora Administration Server, cn=
 Server Group, cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=NetscapeR
 oot

Error adding entry 'cn=Fedora Directory Server, cn=Server Group, cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=NetscapeRoot'. Error: No such object
Could not register the directory server with the configuration directory server.
Exiting . . .
Log file is '/tmp/setupR29d4F.log'

Checking the tree, the intermediate entries are not there. The script is not creating entries beneath ou=sv.powerset.com. I know that the DS is working b/c I can add new 1.04 instances to o=NetscapeRoot, and the 1.1 script is adding an ACI entry for SIE Group(fds) to o=NetscapeRoot.

Do I have to upgrade the configuration server to 1.1 first? I'd rather avoid messing with it if at all possible. Any help would be appreciated. Thanks.

-richard

From mrambo at lsd.k12.mi.us Wed Jan 30 13:50:48 2008
From: mrambo at lsd.k12.mi.us (Mike Rambo)
Date: Wed, 30 Jan 2008 08:50:48 -0500
Subject: [Fedora-directory-users] Announcing Fedora Directory Server 1.1.0
In-Reply-To: <4783BA06.3080706@redhat.com>
References: <47839C8E.3010408@redhat.com> <20080108175004.GT11941@flea.lifesci.dundee.ac.uk> <4783BA06.3080706@redhat.com>
Message-ID: <47A080B8.60000@lsd.k12.mi.us>

Rich Megginson wrote:
> Jonathan Barber wrote:
>> On Tue, Jan 08, 2008 at 08:53:50AM -0700, Rich Megginson wrote:
>>
>>
>> Are there any plans to support RHEL4?
>>
> No plans currently to provide binary RPMs, although I am working on
> updating dsbuild to allow you to build on RHEL4.
>> Cheers.
>>

Any further word on the prospects for building on RHEL4?

Thanks.

--
Mike Rambo

"They that can give up essential liberty to obtain a little temporary security, deserve neither liberty or security."
-Benjamin Franklin

From alex-saf at npc.vrn.ru Wed Jan 30 18:05:39 2008
From: alex-saf at npc.vrn.ru (Сафонов Алексей)
Date: Wed, 30 Jan 2008 21:05:39 +0300 (MSK)
Subject: [Fedora-directory-users] How to transfer existing server FDS
In-Reply-To: <33158456.371201716297981.JavaMail.root@proxy1.npc.vrn.ru>
Message-ID: <16847489.391201716339214.JavaMail.root@proxy1.npc.vrn.ru>

Greetings!

At me the infrastructure with use FDS 1.0.4 is deploymented. There was a necessity to replace a server with FDS. Whether I can in any way to transfer FDS on a new server with preservation of all adjustments. For example, make archive the catalogue /opt/fedora-fs on a "old" server. Then to install rpm (fedora-ds--1.0.4-1. FC6.i386.opt.rpm) on "new" server. And, at last, to unpack archive in /opt/fedora-fs on a "new" server. Whether this algorithm will approach? Whether there will be problems provided that existing server FDS is synchronized with server ADS?

I Ask the help

From kyley_engle at hotmail.com Wed Jan 30 18:24:30 2008
From: kyley_engle at hotmail.com (Kyley Engle)
Date: Wed, 30 Jan 2008 10:24:30 -0800
Subject: [Fedora-directory-users] FDS 1.1 fail to add configuration data to FDS1.04 DS
In-Reply-To: <84E2AE771361E9419DD0EFBD31F09C4D4CBBB885D4@EXVMBX015-1.exch015.msoutlookonline.net>
References: <84E2AE771361E9419DD0EFBD31F09C4D4CBBB885D4@EXVMBX015-1.exch015.msoutlookonline.net>
Message-ID:

I've had this same issue on a new installation of FDS1.1 as well. I installed the master/config server but when I tried running the setup-ds-admin.pl on the consumer I got the same type of error, again, with no objects created in the configuration directory. So I don't think this is a 1.0.4/1.1 issue, as much as it is potentially a problem with the setup script.
kyley > From: richard at powerset.com> To: fedora-directory-users at redhat.com> Date: Tue, 29 Jan 2008 19:28:23 -0800> Subject: [Fedora-directory-users] FDS 1.1 fail to add configuration data to FDS1.04 DS> > I'm setting up a few v1.1 test instances in our current 1.04 environment but running into issues trying to add the configuration data to an existing 1.04 server. It appears to be trying to create the children entries before the parent:> > Are you ready to set up your servers? [yes]:> Creating directory server . . .> Your new DS instance 'fds' was successfully created.> Creating the configuration directory server . . .> dn: cn=Fedora Directory Server, cn=Server Group, cn=aa0-002-6-v2.u.powerset.co> m, ou=sv.powerset.com, o=NetscapeRoot> objectclass: nsApplication> objectclass: groupOfUniqueNames> objectclass: top> cn: Fedora Directory Server> nsproductname: Fedora Directory Server> nsproductversion: 1.1.0> nsnickname: slapd> nsbuildnumber: 2007.355.1657> nsvendor: Fedora Project> installationtimestamp: 20080130014937Z> nsexpirationdate: 0> nsbuildsecurity: domestic> uniquemember: cn=slapd-fds, cn=Fedora Directory Server, cn=Server Group, cn=aa> 0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=NetscapeRoot> nsservermigrationclassname: com.netscape.admin.dirserv.task.MigrateCreate at fedo> ra-ds-1.1.jar at cn=admin-serv-aa0-002-6-v2, cn=Fedora Administration Server, cn> =Server Group, cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=Netscape> Root> nsservercreationclassname: com.netscape.admin.dirserv.task.MigrateCreate at fedor> a-ds-1.1.jar at cn=admin-serv-aa0-002-6-v2, cn=Fedora Administration Server, cn=> Server Group, cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=NetscapeR> oot> > Error adding entry 'cn=Fedora Directory Server, cn=Server Group, cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=NetscapeRoot'. Error: No such object> Could not register the directory server with the configuration directory server.> Exiting . . 
.> Log file is '/tmp/setupR29d4F.log'> > Checking the tree, the intermediate entries are not there. The script is not creating entries beneath ou=sv.powerset.com. I know that the DS is working b/c I can add new 1.04 instances to o=NetscapeRoot, and the 1.1 script is adding an ACI entry for SIE Group(fds) to o=NetscapeRoot.> > Do I have to upgrade the configuration server to 1.1 first? I'd rather avoid messing with it if at all possible. Any help would be appreciated. Thanks.> > -richard> > --> Fedora-directory-users mailing list> Fedora-directory-users at redhat.com> https://www.redhat.com/mailman/listinfo/fedora-directory-users _________________________________________________________________ Need to know the score, the latest news, or you need your Hotmail?-get your "fix". http://www.msnmobilefix.com/Default.aspx -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Wed Jan 30 19:01:26 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 30 Jan 2008 12:01:26 -0700 Subject: [Fedora-directory-users] FDS 1.1 fail to add configuration data to FDS1.04 DS In-Reply-To: References: <84E2AE771361E9419DD0EFBD31F09C4D4CBBB885D4@EXVMBX015-1.exch015.msoutlookonline.net> Message-ID: <47A0C986.1030706@redhat.com> Kyley Engle wrote: > > i've had this same issue on a new installation of FDS1.1 as well. I > installed the master/config server but when i tried running the > setup-ds-admin.pl on the consumer i got the same type of error, again, > with no objects created in the configuration directory. So I don't > think this is a 1.0.4/1.1 issue, as much as it is potentially a > problem with the setup script. Try setup-ds-admin.pl -ddd to see if turning up the debug level reveals anything. 

From rmeggins at redhat.com Wed Jan 30 20:27:13 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 30 Jan 2008 13:27:13 -0700
Subject: [Fedora-directory-users] How to transfer existing server FDS
In-Reply-To: <16847489.391201716339214.JavaMail.root@proxy1.npc.vrn.ru>
References: <16847489.391201716339214.JavaMail.root@proxy1.npc.vrn.ru>
Message-ID: <47A0DDA1.6060200@redhat.com>

??????? ??????? wrote:
> Greetings!
>
> At me the infrastructure with use FDS 1.0.4 is deploymented. There was a necessity to replace a server with FDS. Whether I can in any way to transfer FDS on a new server with preservation of all adjustments. For example, make archive the catalogue /opt/fedora-fs on a "old" server. Then to install rpm (fedora-ds--1.0.4-1. FC6.i386.opt.rpm) on "new" server. And, at last, to unpack archive in /opt/fedora-fs on a "new" server.
> Whether this algorithm will approach? Whether there will be problems provided that existing server FDS is synchronized with server ADS?
>
If the hostname of the old server is the same as the new server, you can just archive /opt/fedora-ds/admin-serv, /opt/fedora-ds/slapd-*, /opt/fedora-ds/clients/dsgw/context, /opt/fedora-ds/clients/orgchart/config.txt, and unarchive them on the destination machine.
> I Ask the help

From richard at powerset.com Wed Jan 30 22:21:55 2008
From: richard at powerset.com (Richard Hesse)
Date: Wed, 30 Jan 2008 14:21:55 -0800
Subject: [Fedora-directory-users] How to transfer existing server FDS
In-Reply-To: <47A0DDA1.6060200@redhat.com>
References: <16847489.391201716339214.JavaMail.root@proxy1.npc.vrn.ru> <47A0DDA1.6060200@redhat.com>
Message-ID: <84E2AE771361E9419DD0EFBD31F09C4D4CBBB8888F@EXVMBX015-1.exch015.msoutlookonline.net>

It pretty much confirms what we speculated; the script isn't checking for, nor creating the parent objects before trying to create the children:

+++check_and_add_entry: Entry not found cn=Fedora Directory Server, cn=Server Group, cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=NetscapeRoot error No such object
+ERROR: adding an entry cn=Fedora Directory Server, cn=Server Group, cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=NetscapeRoot failed, error: No such object
dn: cn=Fedora Directory Server, cn=Server Group, cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=NetscapeRoot

That's the first operation after adding the SIE ACI's and a few monitor entries. Look at 10dsdata.ldif.tmpl and you'll see what we're talking about. It looks like this script and template were never tested in a clean build environment. I'm ok correcting that template file as long as I'm putting the right information in. Should I use the existing 1.04 entries as a guideline?

-richard

From kyley_engle at hotmail.com Wed Jan 30 22:24:26 2008
From: kyley_engle at hotmail.com (Kyley Engle)
Date: Wed, 30 Jan 2008 14:24:26 -0800
Subject: [Fedora-directory-users] FDS 1.1 fail to add configuration data to FDS1.04 DS
In-Reply-To: <47A0C986.1030706@redhat.com>
References: <84E2AE771361E9419DD0EFBD31F09C4D4CBBB885D4@EXVMBX015-1.exch015.msoutlookonline.net> <47A0C986.1030706@redhat.com>
Message-ID:

this is the interesting part of the output

+Processing /usr/share/dirsrv/data/16dssuffixadmin.mod.tmpl ...
+++check_and_add_entry: Entry not found o=company.com error No such object
+Processing /usr/share/dirsrv/data/10dsdata.ldif.tmpl ...
+++check_and_add_entry: Found entry o=NetscapeRoot
+++Adding attr=aci value=(targetattr = "*")(version 3.0; acl "SIE Group (ldap-test)"; allow (all) groupdn = "ldap:///cn=slapd-ldap-test, cn=Fedora Directory Server, cn=Server Group, cn=ldap-test.company.com, ou=company, o=NetscapeRoot";) to entry o=NetscapeRoot
+++check_and_add_entry: Entry not found cn=Fedora Directory Server, cn=Server Group, cn=ldap-test.company.com, ou=company, o=NetscapeRoot error No such object
+ERROR: adding an entry cn=Fedora Directory Server, cn=Server Group, cn=ldap-test.company.com, ou=company, o=NetscapeRoot failed, error: No such object
dn: cn=Fedora Directory Server, cn=Server Group, cn=ldap-test.company.com, ou=company, o=NetscapeRoot
objectclass: nsApplication
objectclass: groupOfUniqueNames
objectclass: top
cn: Fedora Directory Server
nsproductname: Fedora Directory Server
nsproductversion: 1.1.0
nsnickname: slapd
nsbuildnumber: 2007.355.1657
nsvendor: Fedora Project
installationtimestamp: 20080130220441Z
nsexpirationdate: 0
nsbuildsecurity: domestic
uniquemember: cn=slapd-ldap-test, cn=Fedora Directory Server, cn=Server Group, cn=ldap-test.company.com, ou=company, o=NetscapeRoot
nsservermigrationclassname: com.netscape.admin.dirserv.task.MigrateCreate at fedo
 ra-ds-1.1.jar at cn=admin-serv-ldap-test, cn=Fedora Administration Server, cn=Se
 rver Group, cn=ldap-test.company.com, ou=company, o=NetscapeRoot
nsservercreationclassname: com.netscape.admin.dirserv.task.MigrateCreate at fedor
 a-ds-1.1.jar at cn=admin-serv-ldap-test, cn=Fedora Administration Server, cn=Ser
 ver Group, cn=ldap-test.company.com, ou=company, o=NetscapeRoot

+ERROR: There was an error processing entry cn=Fedora Directory Server, cn=Server Group, cn=ldap-test.company.com, ou=company, o=NetscapeRoot
+Cannot continue processing entries.
Error adding entry 'cn=Fedora Directory Server, cn=Server Group, cn=ldap-test.company.com, ou=company, o=NetscapeRoot'. Error: No such object
Could not register the directory server with the configuration directory server.
Exiting .

what is interesting is that even tho i entered in the configuration URI ldap://ldap-master.company.com:389/o=NetscapeRoot during the custom install, i don't see it referenced anywhere in the log.

kyley

From rmeggins at redhat.com Wed Jan 30 22:26:37 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 30 Jan 2008 15:26:37 -0700
Subject: [Fedora-directory-users] How to transfer existing server FDS
In-Reply-To: <84E2AE771361E9419DD0EFBD31F09C4D4CBBB8888F@EXVMBX015-1.exch015.msoutlookonline.net>
References: <16847489.391201716339214.JavaMail.root@proxy1.npc.vrn.ru> <47A0DDA1.6060200@redhat.com> <84E2AE771361E9419DD0EFBD31F09C4D4CBBB8888F@EXVMBX015-1.exch015.msoutlookonline.net>
Message-ID: <47A0F99D.2050004@redhat.com>

Richard Hesse wrote:
> It pretty much confirms what we speculated; the script isn't checking for, nor creating the parent objects before trying to create the children:
>
> +++check_and_add_entry: Entry not found cn=Fedora Directory Server, cn=Server Group, cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=NetscapeRoot error No such object
> +ERROR: adding an entry cn=Fedora Directory Server, cn=Server Group, cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=NetscapeRoot failed, error: No such object
> dn: cn=Fedora Directory Server, cn=Server Group, cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=NetscapeRoot
>
> That's the first operation after adding the SIE ACI's and a few monitor entries. Look at 10dsdata.ldif.tmpl and you'll see what we're talking about. It looks like this script and template were never tested in a clean build environment. I'm ok correcting that template file as long as I'm putting the right information in. Should I use the existing 1.04 entries as a guideline?
>
Well, yes, but I'm curious - if cn=Fedora Directory Server, cn=Server Group, cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=NetscapeRoot is not there, then what is under o=NetscapeRoot? Is ou=sv.powerset.com, o=NetscapeRoot? Is cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=NetscapeRoot?
> -richard

From rmeggins at redhat.com Wed Jan 30 22:30:26 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 30 Jan 2008 15:30:26 -0700
Subject: [Fedora-directory-users] FDS 1.1 fail to add configuration data to FDS1.04 DS
In-Reply-To:
References: <84E2AE771361E9419DD0EFBD31F09C4D4CBBB885D4@EXVMBX015-1.exch015.msoutlookonline.net> <47A0C986.1030706@redhat.com>
Message-ID: <47A0FA82.7020209@redhat.com>

Kyley Engle wrote:
> this is the interesting part of the output
>
> +Processing /usr/share/dirsrv/data/16dssuffixadmin.mod.tmpl ...
> +++check_and_add_entry: Entry not found o=company.com error No such object
? This is really odd. What is your suffix?
> +Processing /usr/share/dirsrv/data/10dsdata.ldif.tmpl ...
> +++check_and_add_entry: Found entry o=NetscapeRoot
> +++Adding attr=aci value=(targetattr = "*")(version 3.0; acl "SIE
> Group (ldap-test)"; allow (all) groupdn = "ldap:///cn=slapd-ldap-test,
> cn=Fedora Directory Server, cn=Server Group, cn=ldap-test.company.com,
> ou=company, o=NetscapeRoot";) to entry o=NetscapeRoot
> +++check_and_add_entry: Entry not found cn=Fedora Directory Server,
> cn=Server Group, cn=ldap-test.company.com, ou=company, o=NetscapeRoot
> error No such object
> +ERROR: adding an entry cn=Fedora Directory Server, cn=Server Group,
> cn=ldap-test.company.com, ou=company, o=NetscapeRoot failed, error: No
> such object
>
> Error adding entry 'cn=Fedora Directory Server, cn=Server Group,
> cn=ldap-test.company.com, ou=company, o=NetscapeRoot'. Error: No such
> object
> Could not register the directory server with the configuration
> directory server.
> Exiting .
>
> what is interesting is that even tho i entered in the configuration
> URI ldap://ldap-master.company.com:389/o=NetscapeRoot during the
> custom install, i don't see it referenced anywhere in the log.
If cn=Fedora Directory Server, cn=Server Group, cn=ldap-test.company.com, ou=company, o=NetscapeRoot does not exist, then what is under o=NetscapeRoot? Does ou=company, o=NetscapeRoot exist? Does cn=ldap-test.company.com, ou=company, o=NetscapeRoot exist?

From richard at powerset.com Wed Jan 30 22:52:32 2008
From: richard at powerset.com (Richard Hesse)
Date: Wed, 30 Jan 2008 14:52:32 -0800
Subject: [Fedora-directory-users] How to transfer existing server FDS
In-Reply-To: <47A0F99D.2050004@redhat.com>
References: <16847489.391201716339214.JavaMail.root@proxy1.npc.vrn.ru> <47A0DDA1.6060200@redhat.com> <84E2AE771361E9419DD0EFBD31F09C4D4CBBB8888F@EXVMBX015-1.exch015.msoutlookonline.net> <47A0F99D.2050004@redhat.com>
Message-ID: <84E2AE771361E9419DD0EFBD31F09C4D4CBBB888B2@EXVMBX015-1.exch015.msoutlookonline.net>

Yes, ou=sv.powerset.com,o=netscaperoot exists. Underneath it are other existing 1.04 servers for that administration domain. The script isn't creating cn=aa0-002-6-v2.u.powerset.com,ou=sv.powerset.com,o=NetscapeRoot (or anything below that) before trying to create the entry I listed below.

-richard

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
Sent: Wednesday, January 30, 2008 2:27 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] How to transfer existing server FDS

Richard Hesse wrote:
> It pretty much confirms what we speculated; the script isn't checking for, nor creating the parent objects before trying to create the children:
>
> +++check_and_add_entry: Entry not found cn=Fedora Directory Server,
> +++cn=Server Group, cn=aa0-002-6-v2.u.powerset.com,
> +++ou=sv.powerset.com, o=NetscapeRoot error No such object
> +ERROR: adding an entry cn=Fedora Directory Server, cn=Server Group,
> +cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=NetscapeRoot
> +failed, error: No such object
> dn: cn=Fedora Directory Server, cn=Server Group,
> cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=NetscapeRoot
>
> That's the first operation after adding the SIE ACI's and a few monitor entries. Look at 10dsdata.ldif.tmpl and you'll see what we're talking about. It looks like this script and template were never tested in a clean build environment. I'm ok correcting that template file as long as I'm putting the right information in. Should I use the existing 1.04 entries as a guideline?
>
Well, yes, but I'm curious - if cn=Fedora Directory Server, cn=Server Group, cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=NetscapeRoot is not there, then what is under o=NetscapeRoot? Is ou=sv.powerset.com, o=NetscapeRoot? Is cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=NetscapeRoot?
> -richard > From kyley_engle at hotmail.com Wed Jan 30 23:22:00 2008 From: kyley_engle at hotmail.com (Kyley Engle) Date: Wed, 30 Jan 2008 15:22:00 -0800 Subject: [Fedora-directory-users] FDS 1.1 fail to add configuration data to FDS1.04 DS In-Reply-To: <47A0FA82.7020209@redhat.com> References: <84E2AE771361E9419DD0EFBD31F09C4D4CBBB885D4@EXVMBX015-1.exch015.msoutlookonline.net> <47A0C986.1030706@redhat.com> <47A0FA82.7020209@redhat.com> Message-ID: on ldap-master.company.com: ou=company, o=NetscapeRoot exists cn=ldap-test.company.com, ou=company, o=NetscapeRoot does not existkyley > Date: Wed, 30 Jan 2008 15:30:26 -0700> From: rmeggins at redhat.com> To: fedora-directory-users at redhat.com> Subject: Re: [Fedora-directory-users] FDS 1.1 fail to add configuration data to FDS1.04 DS> > Kyley Engle wrote:> > this is the interesting part of the output> > > > +Processing /usr/share/dirsrv/data/16dssuffixadmin.mod.tmpl ...> > +++check_and_add_entry: Entry not found o=company.com error No such object> ? This is really odd. What is your suffix?> > +Processing /usr/share/dirsrv/data/10dsdata.ldif.tmpl ...> > +++check_and_add_entry: Found entry o=NetscapeRoot> > +++Adding attr=aci value=(targetattr = "*")(version 3.0; acl "SIE > > Group (ldap-test)"; allow (all) groupdn = "ldap:///cn=slapd-ldap-test, > > cn=Fedora Directory Server, cn=Server Group, cn=ldap-test.company.com, > > ou=company, o=NetscapeRoot";) to entry o=NetscapeRoot> > +++check_and_add_entry: Entry not found cn=Fedora Directory Server, > > cn=Server Group, cn=ldap-test.company.com, ou=company, o=NetscapeRoot > > error No such object> > +ERROR: adding an entry cn=Fedora Directory Server, cn=Server Group, > > cn=ldap-test.company.com, ou=company, o=NetscapeRoot failed, error: No > > such object> > > > Error adding entry 'cn=Fedora Directory Server, cn=Server Group, > > cn=ldap-test.company.com, ou=company, o=NetscapeRoot'. 
Error: No such > > object> > Could not register the directory server with the configuration > > directory server.> > Exiting .> >> > what is interesting is that even tho i entered in the configuration > > URI ldap://ldap-master.company.com:389/o=NetscapeRoot during the > > custom install, i don't see it referenced anywhere in the log.> If cn=Fedora Directory Server, cn=Server Group, > cn=ldap-test.company.com, ou=company, o=NetscapeRoot does not exist, > then what is under o=NetscapeRoot? Does ou=company, o=NetscapeRoot > exist? Does cn=ldap-test.company.com, ou=company, o=NetscapeRoot exist?> >> > kyley> >> > ------------------------------------------------------------------------> >> > > Date: Wed, 30 Jan 2008 12:01:26 -0700> > > From: rmeggins at redhat.com> > > To: fedora-directory-users at redhat.com> > > Subject: Re: [Fedora-directory-users] FDS 1.1 fail to add > > configuration data to FDS1.04 DS> > >> > > Kyley Engle wrote:> > > >> > > > i've had this same issue on a new installation of FDS1.1 as well. I> > > > installed the master/config server but when i tried running the> > > > setup-ds-admin.pl on the consumer i got the same type of error, > > again,> > > > with no objects created in the configuration directory. 
So I don't> > > > think this is a 1.0.4/1.1 issue, as much as it is potentially a> > > > problem with the setup script.> > > Try setup-ds-admin.pl -ddd to see if turning up the debug level reveals> > > anything.> > > >> > > > kyley> > > >> > > >> > > > > > ------------------------------------------------------------------------> > > >> > > > > From: richard at powerset.com> > > > > To: fedora-directory-users at redhat.com> > > > > Date: Tue, 29 Jan 2008 19:28:23 -0800> > > > > Subject: [Fedora-directory-users] FDS 1.1 fail to add configuration> > > > data to FDS1.04 DS> > > > >> > > > > I'm setting up a few v1.1 test instances in our current 1.04> > > > environment but running into issues trying to add the configuration> > > > data to an existing 1.04 server. It appears to be trying to create > > the> > > > children entries before the parent:> > > > >> > > > > Are you ready to set up your servers? [yes]:> > > > > Creating directory server . . .> > > > > Your new DS instance 'fds' was successfully created.> > > > > Creating the configuration directory server . . 
.> > > > > dn: cn=Fedora Directory Server, cn=Server Group,> > > > cn=aa0-002-6-v2.u.powerset.co> > > > > m, ou=sv.powerset.com, o=NetscapeRoot> > > > > objectclass: nsApplication> > > > > objectclass: groupOfUniqueNames> > > > > objectclass: top> > > > > cn: Fedora Directory Server> > > > > nsproductname: Fedora Directory Server> > > > > nsproductversion: 1.1.0> > > > > nsnickname: slapd> > > > > nsbuildnumber: 2007.355.1657> > > > > nsvendor: Fedora Project> > > > > installationtimestamp: 20080130014937Z> > > > > nsexpirationdate: 0> > > > > nsbuildsecurity: domestic> > > > > uniquemember: cn=slapd-fds, cn=Fedora Directory Server, cn=Server> > > > Group, cn=aa> > > > > 0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=NetscapeRoot> > > > > nsservermigrationclassname:> > > > com.netscape.admin.dirserv.task.MigrateCreate at fedo> > > > > ra-ds-1.1.jar at cn=admin-serv-aa0-002-6-v2, cn=Fedora Administration> > > > Server, cn> > > > > =Server Group, cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com,> > > > o=Netscape> > > > > Root> > > > > nsservercreationclassname:> > > > com.netscape.admin.dirserv.task.MigrateCreate at fedor> > > > > a-ds-1.1.jar at cn=admin-serv-aa0-002-6-v2, cn=Fedora Administration> > > > Server, cn=> > > > > Server Group, cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com,> > > > o=NetscapeR> > > > > oot> > > > >> > > > > Error adding entry 'cn=Fedora Directory Server, cn=Server Group,> > > > cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=NetscapeRoot'.> > > > Error: No such object> > > > > Could not register the directory server with the configuration> > > > directory server.> > > > > Exiting . . .> > > > > Log file is '/tmp/setupR29d4F.log'> > > > >> > > > > Checking the tree, the intermediate entries are not there. The> > > > script is not creating entries beneath ou=sv.powerset.com. 
I know that the DS is working b/c I can add new 1.04 instances to o=NetscapeRoot, and the 1.1 script is adding an ACI entry for SIE Group(fds) to o=NetscapeRoot.
> > > > >
> > > > > Do I have to upgrade the configuration server to 1.1 first? I'd rather avoid messing with it if at all possible. Any help would be appreciated. Thanks.
> > > > >
> > > > > -richard

From prjctgeek at gmail.com Thu Jan 31 07:20:08 2008
From: prjctgeek at gmail.com (Doug Chapman)
Date: Wed, 30 Jan 2008 23:20:08 -0800
Subject: [Fedora-directory-users] heimdal and fds 1.1
Message-ID:

Can anyone point me to a wiki/doc on using fds and kerberos where the db is in the directory? (or maybe talk me out of this approach?)

These steps are for openldap, but after much googling, I can't find a faq, or ready made schema file to try and wrestle this three headed dog into submission...

http://www.h5l.org/manual/heimdal-1-1-branch/info/heimdal.html#Using-LDAP-to-store-the-database

tia

From markwu at micron.com Wed Jan 30 22:41:35 2008
From: markwu at micron.com (markwu at micron.com)
Date: Wed, 30 Jan 2008 14:41:35 -0800
Subject: [Fedora-directory-users] Random UID not found problem
Message-ID:

Hi,

Some of our users get "UID xxxx not found" message when they open a new terminal or run a rsh command, it appears a few times a day and it is mostly just annoying message because users can continue to work as normal, however, sometimes it also causes cron jobs to fail,

In system log, it shows,

crond(pam_unix)[9225]: could not identify user (from getpwnam(USERNAME))
crond[9225]: User not known to the underlying authentication module

We are using Fedora DS 1.0.4, and clients are RHEL 4.5. This problem started ever since we switched into LDAP three months ago.

Thanks

From rmeggins at redhat.com Thu Jan 31 14:22:07 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 31 Jan 2008 07:22:07 -0700
Subject: [Fedora-directory-users] heimdal and fds 1.1
In-Reply-To:
References:
Message-ID: <47A1D98F.2070909@redhat.com>

Doug Chapman wrote:
> Can anyone point me to a wiki/doc on using fds and kerberos where the
> db is in the directory? (or maybe talk me out of this approach?)
>
> These steps are for openldap, but after much googling, I can't find a
> faq, or ready made schema file to try and wrestle this three headed
> dog into submission...
Check out freeipa.org which seeks to do this and more.
>
> http://www.h5l.org/manual/heimdal-1-1-branch/info/heimdal.html#Using-LDAP-to-store-the-database
>
> tia

From rmeggins at redhat.com Thu Jan 31 14:51:55 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 31 Jan 2008 07:51:55 -0700
Subject: [Fedora-directory-users] Random UID not found problem
In-Reply-To:
References:
Message-ID: <47A1E08B.40405@redhat.com>

markwu at micron.com wrote:
>
> Hi,
> Some of our users get "UID xxxx not found" message when they open a
> new terminal or run a rsh command, it appears a few times a day and
> it is mostly just annoying message because users can continue to work
> as normal, however, sometimes it also causes cron jobs to fail,
>
> In system log, it shows,
>
> crond(pam_unix)[9225]: could not identify user (from getpwnam(USERNAME))
> crond[9225]: User not known to the underlying authentication module
>
> We are using Fedora DS 1.0.4, and clients are RHEL 4.5. This problem
> started ever since we switched into LDAP three months ago.
>
Look at the DS access logs from around the time of the failure to see if you get a failed BIND or SEARCH attempt.
>
> Thanks

From rmeggins at redhat.com Thu Jan 31 20:24:51 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 31 Jan 2008 13:24:51 -0700
Subject: [Fedora-directory-users] FDS 1.1 fail to add configuration data to FDS1.04 DS
In-Reply-To:
References: <84E2AE771361E9419DD0EFBD31F09C4D4CBBB885D4@EXVMBX015-1.exch015.msoutlookonline.net> <47A0C986.1030706@redhat.com> <47A0FA82.7020209@redhat.com>
Message-ID: <47A22E93.3010104@redhat.com>

Kyley Engle wrote:
>
> on ldap-master.company.com:
> ou=company, o=NetscapeRoot exists
> cn=ldap-test.company.com, ou=company, o=NetscapeRoot does not exist
This is a bug - https://bugzilla.redhat.com/show_bug.cgi?id=431103 - there is a workaround listed in the bug.
>
> kyley
>
> ------------------------------------------------------------------------
>
> > Date: Wed, 30 Jan 2008 15:30:26 -0700
> > From: rmeggins at redhat.com
> > To: fedora-directory-users at redhat.com
> > Subject: Re: [Fedora-directory-users] FDS 1.1 fail to add configuration data to FDS1.04 DS
> >
> > Kyley Engle wrote:
> > > this is the interesting part of the output
> > >
> > > +Processing /usr/share/dirsrv/data/16dssuffixadmin.mod.tmpl ...
> > > +++check_and_add_entry: Entry not found o=company.com error No such object
> > ? This is really odd. What is your suffix?
> > > +Processing /usr/share/dirsrv/data/10dsdata.ldif.tmpl ...
> > > +++check_and_add_entry: Found entry o=NetscapeRoot > > > +++Adding attr=aci value=(targetattr = "*")(version 3.0; acl "SIE > > > Group (ldap-test)"; allow (all) groupdn = > "ldap:///cn=slapd-ldap-test, > > > cn=Fedora Directory Server, cn=Server Group, > cn=ldap-test.company.com, > > > ou=company, o=NetscapeRoot";) to entry o=NetscapeRoot > > > +++check_and_add_entry: Entry not found cn=Fedora Directory Server, > > > cn=Server Group, cn=ldap-test.company.com, ou=company, o=NetscapeRoot > > > error No such object > > > +ERROR: adding an entry cn=Fedora Directory Server, cn=Server Group, > > > cn=ldap-test.company.com, ou=company, o=NetscapeRoot failed, > error: No > > > such object > > > > > > Error adding entry 'cn=Fedora Directory Server, cn=Server Group, > > > cn=ldap-test.company.com, ou=company, o=NetscapeRoot'. Error: No such > > > object > > > Could not register the directory server with the configuration > > > directory server. > > > Exiting . > > > > > > what is interesting is that even tho i entered in the configuration > > > URI ldap://ldap-master.company.com:389/o=NetscapeRoot during the > > > custom install, i don't see it referenced anywhere in the log. > > If cn=Fedora Directory Server, cn=Server Group, > > cn=ldap-test.company.com, ou=company, o=NetscapeRoot does not exist, > > then what is under o=NetscapeRoot? Does ou=company, o=NetscapeRoot > > exist? Does cn=ldap-test.company.com, ou=company, o=NetscapeRoot exist? > > > > > > kyley > > > > > > > ------------------------------------------------------------------------ > > > > > > > Date: Wed, 30 Jan 2008 12:01:26 -0700 > > > > From: rmeggins at redhat.com > > > > To: fedora-directory-users at redhat.com > > > > Subject: Re: [Fedora-directory-users] FDS 1.1 fail to add > > > configuration data to FDS1.04 DS > > > > > > > > Kyley Engle wrote: > > > > > > > > > > i've had this same issue on a new installation of FDS1.1 as > well. 
I > > > > > installed the master/config server but when i tried running the > > > > > setup-ds-admin.pl on the consumer i got the same type of error, > > > again, > > > > > with no objects created in the configuration directory. So I don't > > > > > think this is a 1.0.4/1.1 issue, as much as it is potentially a > > > > > problem with the setup script. > > > > Try setup-ds-admin.pl -ddd to see if turning up the debug level > reveals > > > > anything. > > > > > > > > > > kyley > > > > > > > > > > > > > > > > > > > ------------------------------------------------------------------------ > > > > > > > > > > > From: richard at powerset.com > > > > > > To: fedora-directory-users at redhat.com > > > > > > Date: Tue, 29 Jan 2008 19:28:23 -0800 > > > > > > Subject: [Fedora-directory-users] FDS 1.1 fail to add > configuration > > > > > data to FDS1.04 DS > > > > > > > > > > > > I'm setting up a few v1.1 test instances in our current 1.04 > > > > > environment but running into issues trying to add the > configuration > > > > > data to an existing 1.04 server. It appears to be trying to > create > > > the > > > > > children entries before the parent: > > > > > > > > > > > > Are you ready to set up your servers? [yes]: > > > > > > Creating directory server . . . > > > > > > Your new DS instance 'fds' was successfully created. > > > > > > Creating the configuration directory server . . . 
> > > > > > dn: cn=Fedora Directory Server, cn=Server Group, > > > > > cn=aa0-002-6-v2.u.powerset.co > > > > > > m, ou=sv.powerset.com, o=NetscapeRoot > > > > > > objectclass: nsApplication > > > > > > objectclass: groupOfUniqueNames > > > > > > objectclass: top > > > > > > cn: Fedora Directory Server > > > > > > nsproductname: Fedora Directory Server > > > > > > nsproductversion: 1.1.0 > > > > > > nsnickname: slapd > > > > > > nsbuildnumber: 2007.355.1657 > > > > > > nsvendor: Fedora Project > > > > > > installationtimestamp: 20080130014937Z > > > > > > nsexpirationdate: 0 > > > > > > nsbuildsecurity: domestic > > > > > > uniquemember: cn=slapd-fds, cn=Fedora Directory Server, > cn=Server > > > > > Group, cn=aa > > > > > > 0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=NetscapeRoot > > > > > > nsservermigrationclassname: > > > > > com.netscape.admin.dirserv.task.MigrateCreate at fedo > > > > > > ra-ds-1.1.jar at cn=admin-serv-aa0-002-6-v2, cn=Fedora > Administration > > > > > Server, cn > > > > > > =Server Group, cn=aa0-002-6-v2.u.powerset.com, > ou=sv.powerset.com, > > > > > o=Netscape > > > > > > Root > > > > > > nsservercreationclassname: > > > > > com.netscape.admin.dirserv.task.MigrateCreate at fedor > > > > > > a-ds-1.1.jar at cn=admin-serv-aa0-002-6-v2, cn=Fedora > Administration > > > > > Server, cn= > > > > > > Server Group, cn=aa0-002-6-v2.u.powerset.com, > ou=sv.powerset.com, > > > > > o=NetscapeR > > > > > > oot > > > > > > > > > > > > Error adding entry 'cn=Fedora Directory Server, cn=Server Group, > > > > > cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com, > o=NetscapeRoot'. > > > > > Error: No such object > > > > > > Could not register the directory server with the configuration > > > > > directory server. > > > > > > Exiting . . . > > > > > > Log file is '/tmp/setupR29d4F.log' > > > > > > > > > > > > Checking the tree, the intermediate entries are not there. The > > > > > script is not creating entries beneath ou=sv.powerset.com. 
I know > > > that > > > > > the DS is working b/c I can add new 1.04 instances to > o=NetscapeRoot, > > > > > and the 1.1 script is adding an ACI entry for SIE Group(fds) to > > > > > o=NetscapeRoot. > > > > > > > > > > > > Do I have to upgrade the configuration server to 1.1 first? I'd > > > > > rather avoid messing with it if at all possible. Any help would be > > > > > appreciated. Thanks. > > > > > > > > > > > > -richard > > > > > > > > > > > > -- > > > > > > Fedora-directory-users mailing list > > > > > > Fedora-directory-users at redhat.com > > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > > > > > > > > > > > > ------------------------------------------------------------------------ > > > > > Need to know the score, the latest news, or you need your > > > Hotmail?-get > > > > > your "fix". Check it out. > > > > > > > > > > ------------------------------------------------------------------------ > > > > > > > > > > -- > > > > > Fedora-directory-users mailing list > > > > > Fedora-directory-users at redhat.com > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > > > > > > > > > > > > > > > > ------------------------------------------------------------------------ > > > Need to know the score, the latest news, or you need your > Hotmail?-get > > > your "fix". Check it out. > > > > ------------------------------------------------------------------------ > > > > > > -- > > > Fedora-directory-users mailing list > > > Fedora-directory-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > > > ------------------------------------------------------------------------ > Climb to the top of the charts! Play the word scramble challenge with > star power. Play now! 
From rmeggins at redhat.com Thu Jan 31 20:25:08 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 31 Jan 2008 13:25:08 -0700
Subject: [Fedora-directory-users] How to transfer existing server FDS
In-Reply-To: <84E2AE771361E9419DD0EFBD31F09C4D4CBBB888B2@EXVMBX015-1.exch015.msoutlookonline.net>
References: <16847489.391201716339214.JavaMail.root@proxy1.npc.vrn.ru> <47A0DDA1.6060200@redhat.com> <84E2AE771361E9419DD0EFBD31F09C4D4CBBB8888F@EXVMBX015-1.exch015.msoutlookonline.net> <47A0F99D.2050004@redhat.com> <84E2AE771361E9419DD0EFBD31F09C4D4CBBB888B2@EXVMBX015-1.exch015.msoutlookonline.net>
Message-ID: <47A22EA4.7080003@redhat.com>

Richard Hesse wrote:
> Yes, ou=sv.powerset.com,o=netscaperoot exists. Underneath it are other existing 1.04 servers for that administration domain. The script isn't creating cn=aa0-002-6-v2.u.powerset.com,ou=sv.powerset.com,o=NetscapeRoot (or anything below that) before trying to create the entry I listed below.
>
This is a bug - https://bugzilla.redhat.com/show_bug.cgi?id=431103 - there is a workaround listed in the bug.
> -richard
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
> Sent: Wednesday, January 30, 2008 2:27 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] How to transfer existing server FDS
>
> Richard Hesse wrote:
>
>> It pretty much confirms what we speculated; the script isn't checking for, nor creating the parent objects before trying to create the children:
>>
>> +++check_and_add_entry: Entry not found cn=Fedora Directory Server,
>> +++cn=Server Group, cn=aa0-002-6-v2.u.powerset.com,
>> +++ou=sv.powerset.com, o=NetscapeRoot error No such object
>> +ERROR: adding an entry cn=Fedora Directory Server, cn=Server Group,
>> +cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=NetscapeRoot
>> +failed, error: No such object
>> dn: cn=Fedora Directory Server, cn=Server Group,
>> cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=NetscapeRoot
>>
>> That's the first operation after adding the SIE ACI's and a few monitor entries. Look at 10dsdata.ldif.tmpl and you'll see what we're talking about. It looks like this script and template were never tested in a clean build environment. I'm ok correcting that template file as long as I'm putting the right information in. Should I use the existing 1.04 entries as a guideline?
>>
> Well, yes, but I'm curious - if cn=Fedora Directory Server, cn=Server Group, cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=NetscapeRoot is not there, then what is under o=NetscapeRoot? Is ou=sv.powerset.com, o=NetscapeRoot? Is cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=NetscapeRoot?
>
>> -richard

From rmeggins at redhat.com Thu Jan 31 20:25:53 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 31 Jan 2008 13:25:53 -0700
Subject: [Fedora-directory-users] Announcing Fedora Directory Server 1.1.0
In-Reply-To: <47A080B8.60000@lsd.k12.mi.us>
References: <47839C8E.3010408@redhat.com> <20080108175004.GT11941@flea.lifesci.dundee.ac.uk> <4783BA06.3080706@redhat.com> <47A080B8.60000@lsd.k12.mi.us>
Message-ID: <47A22ED1.8080005@redhat.com>

Mike Rambo wrote:
> Rich Megginson wrote:
>> Jonathan Barber wrote:
>>> On Tue, Jan 08, 2008 at 08:53:50AM -0700, Rich Megginson wrote:
>>>
>>>
>>> Are there any plans to support RHEL4?
>>>
>> No plans currently to provide binary RPMs, although I am working on
>> updating dsbuild to allow you to build on RHEL4.
>>> Cheers.
>>>
>
> Any further word on the prospects for building on RHEL4?
No, unfortunately I haven't had any more time to work on the dsbuild scripts. Hopefully soon.
>
> Thanks.

From prjctgeek at gmail.com Thu Jan 31 22:20:58 2008
From: prjctgeek at gmail.com (Doug Chapman)
Date: Thu, 31 Jan 2008 14:20:58 -0800
Subject: [Fedora-directory-users] FDS 1.1 fail to add configuration data to FDS1.04 DS
In-Reply-To: <47A22E93.3010104@redhat.com>
References: <84E2AE771361E9419DD0EFBD31F09C4D4CBBB885D4@EXVMBX015-1.exch015.msoutlookonline.net> <47A0C986.1030706@redhat.com> <47A0FA82.7020209@redhat.com> <47A22E93.3010104@redhat.com>
Message-ID:

There may be a child bug related to this issue, but the admin-server also displays an error after registering another host.
On Jan 31, 2008 12:24 PM, Rich Megginson wrote: > Kyley Engle wrote: > > > > on ldap-master.company.com: > > ou=company, o=NetscapeRoot exists > > cn=ldap-test.company.com, ou=company, o=NetscapeRoot does not exist > This is a bug - https://bugzilla.redhat.com/show_bug.cgi?id=431103 - > there is a workaround listed in the bug. > > > > kyley > > > > ------------------------------------------------------------------------ > > > > > Date: Wed, 30 Jan 2008 15:30:26 -0700 > > > From: rmeggins at redhat.com > > > To: fedora-directory-users at redhat.com > > > Subject: Re: [Fedora-directory-users] FDS 1.1 fail to add > > configuration data to FDS1.04 DS > > > > > > Kyley Engle wrote: > > > > this is the interesting part of the output > > > > > > > > +Processing /usr/share/dirsrv/data/16dssuffixadmin.mod.tmpl ... > > > > +++check_and_add_entry: Entry not found o=company.com error No > > such object > > > ? This is really odd. What is your suffix? > > > > +Processing /usr/share/dirsrv/data/10dsdata.ldif.tmpl ... > > > > +++check_and_add_entry: Found entry o=NetscapeRoot > > > > +++Adding attr=aci value=(targetattr = "*")(version 3.0; acl "SIE > > > > Group (ldap-test)"; allow (all) groupdn = > > "ldap:///cn=slapd-ldap-test, > > > > cn=Fedora Directory Server, cn=Server Group, > > cn=ldap-test.company.com, > > > > ou=company, o=NetscapeRoot";) to entry o=NetscapeRoot > > > > +++check_and_add_entry: Entry not found cn=Fedora Directory Server, > > > > cn=Server Group, cn=ldap-test.company.com, ou=company, > o=NetscapeRoot > > > > error No such object > > > > +ERROR: adding an entry cn=Fedora Directory Server, cn=Server Group, > > > > cn=ldap-test.company.com, ou=company, o=NetscapeRoot failed, > > error: No > > > > such object > > > > > > > > Error adding entry 'cn=Fedora Directory Server, cn=Server Group, > > > > cn=ldap-test.company.com, ou=company, o=NetscapeRoot'. 
Error: No > such > > > > object > > > > Could not register the directory server with the configuration > > > > directory server. > > > > Exiting . > > > > > > > > what is interesting is that even tho i entered in the configuration > > > > URI ldap://ldap-master.company.com:389/o=NetscapeRoot during the > > > > custom install, i don't see it referenced anywhere in the log. > > > If cn=Fedora Directory Server, cn=Server Group, > > > cn=ldap-test.company.com, ou=company, o=NetscapeRoot does not exist, > > > then what is under o=NetscapeRoot? Does ou=company, o=NetscapeRoot > > > exist? Does cn=ldap-test.company.com, ou=company, o=NetscapeRoot > exist? > > > > > > > > kyley > > > > > > > > > > ------------------------------------------------------------------------ > > > > > > > > > Date: Wed, 30 Jan 2008 12:01:26 -0700 > > > > > From: rmeggins at redhat.com > > > > > To: fedora-directory-users at redhat.com > > > > > Subject: Re: [Fedora-directory-users] FDS 1.1 fail to add > > > > configuration data to FDS1.04 DS > > > > > > > > > > Kyley Engle wrote: > > > > > > > > > > > > i've had this same issue on a new installation of FDS1.1 as > > well. I > > > > > > installed the master/config server but when i tried running the > > > > > > setup-ds-admin.pl on the consumer i got the same type of error, > > > > again, > > > > > > with no objects created in the configuration directory. So I > don't > > > > > > think this is a 1.0.4/1.1 issue, as much as it is potentially a > > > > > > problem with the setup script. > > > > > Try setup-ds-admin.pl -ddd to see if turning up the debug level > > reveals > > > > > anything. 
> > > > > > > > > > > > kyley > > > > > > > > > > > > > > > > > > > > > > > > ------------------------------------------------------------------------ > > > > > > > > > > > > > From: richard at powerset.com > > > > > > > To: fedora-directory-users at redhat.com > > > > > > > Date: Tue, 29 Jan 2008 19:28:23 -0800 > > > > > > > Subject: [Fedora-directory-users] FDS 1.1 fail to add > > configuration > > > > > > data to FDS1.04 DS > > > > > > > > > > > > > > I'm setting up a few v1.1 test instances in our current 1.04 > > > > > > environment but running into issues trying to add the > > configuration > > > > > > data to an existing 1.04 server. It appears to be trying to > > create > > > > the > > > > > > children entries before the parent: > > > > > > > > > > > > > > Are you ready to set up your servers? [yes]: > > > > > > > Creating directory server . . . > > > > > > > Your new DS instance 'fds' was successfully created. > > > > > > > Creating the configuration directory server . . . > > > > > > > dn: cn=Fedora Directory Server, cn=Server Group, > > > > > > cn=aa0-002-6-v2.u.powerset.co > > > > > > > m, ou=sv.powerset.com, o=NetscapeRoot > > > > > > > objectclass: nsApplication > > > > > > > objectclass: groupOfUniqueNames > > > > > > > objectclass: top > > > > > > > cn: Fedora Directory Server > > > > > > > nsproductname: Fedora Directory Server > > > > > > > nsproductversion: 1.1.0 > > > > > > > nsnickname: slapd > > > > > > > nsbuildnumber: 2007.355.1657 > > > > > > > nsvendor: Fedora Project > > > > > > > installationtimestamp: 20080130014937Z > > > > > > > nsexpirationdate: 0 > > > > > > > nsbuildsecurity: domestic > > > > > > > uniquemember: cn=slapd-fds, cn=Fedora Directory Server, > > cn=Server > > > > > > Group, cn=aa > > > > > > > 0-002-6-v2.u.powerset.com, ou=sv.powerset.com, o=NetscapeRoot > > > > > > > nsservermigrationclassname: > > > > > > com.netscape.admin.dirserv.task.MigrateCreate at fedo > > > > > > > ra-ds-1.1.jar at cn=admin-serv-aa0-002-6-v2, 
cn=Fedora > > Administration > > > > > > Server, cn > > > > > > > =Server Group, cn=aa0-002-6-v2.u.powerset.com, > > ou=sv.powerset.com, > > > > > > o=Netscape > > > > > > > Root > > > > > > > nsservercreationclassname: > > > > > > com.netscape.admin.dirserv.task.MigrateCreate at fedor > > > > > > > a-ds-1.1.jar at cn=admin-serv-aa0-002-6-v2, cn=Fedora > > Administration > > > > > > Server, cn= > > > > > > > Server Group, cn=aa0-002-6-v2.u.powerset.com, > > ou=sv.powerset.com, > > > > > > o=NetscapeR > > > > > > > oot > > > > > > > > > > > > > > Error adding entry 'cn=Fedora Directory Server, cn=Server > Group, > > > > > > cn=aa0-002-6-v2.u.powerset.com, ou=sv.powerset.com, > > o=NetscapeRoot'. > > > > > > Error: No such object > > > > > > > Could not register the directory server with the configuration > > > > > > directory server. > > > > > > > Exiting . . . > > > > > > > Log file is '/tmp/setupR29d4F.log' > > > > > > > > > > > > > > Checking the tree, the intermediate entries are not there. The > > > > > > script is not creating entries beneath ou=sv.powerset.com. I > know > > > > that > > > > > > the DS is working b/c I can add new 1.04 instances to > > o=NetscapeRoot, > > > > > > and the 1.1 script is adding an ACI entry for SIE Group(fds) to > > > > > > o=NetscapeRoot. > > > > > > > > > > > > > > Do I have to upgrade the configuration server to 1.1 first? > I'd > > > > > > rather avoid messing with it if at all possible. Any help would > be > > > > > > appreciated. Thanks. > > > > > > > > > > > > > > -richard > > > > > > > > > > > > > > -- > > > > > > > Fedora-directory-users mailing list > > > > > > > Fedora-directory-users at redhat.com > > > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > > > > > > > > > > > > > > > > > ------------------------------------------------------------------------ > > > > > > Need to know the score, the latest news, or you need your > > > > Hotmail(R)-get > > > > > > your "fix". 
Check it out. > > > > > > > > > > > > > > ------------------------------------------------------------------------ > > > > > > > > > > > > -- > > > > > > Fedora-directory-users mailing list > > > > > > Fedora-directory-users at redhat.com > > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > ------------------------------------------------------------------------ > > > > Need to know the score, the latest news, or you need your > > Hotmail(R)-get > > > > your "fix". Check it out. > > > > > > ------------------------------------------------------------------------ > > > > > > > > -- > > > > Fedora-directory-users mailing list > > > > Fedora-directory-users at redhat.com > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > > > > > > > > > ------------------------------------------------------------------------ > > Climb to the top of the charts! Play the word scramble challenge with > > star power. Play now! > > < > http://club.live.com/star_shuffle.aspx?icid=starshuffle_wlmailtextlink_jan > > > > > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- An HTML attachment was scrubbed... 
From rmeggins at redhat.com Thu Jan 31 22:24:31 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 31 Jan 2008 15:24:31 -0700
Subject: [Fedora-directory-users] FDS 1.1 fail to add configuration data to FDS1.04 DS
In-Reply-To:
References: <84E2AE771361E9419DD0EFBD31F09C4D4CBBB885D4@EXVMBX015-1.exch015.msoutlookonline.net> <47A0C986.1030706@redhat.com> <47A0FA82.7020209@redhat.com> <47A22E93.3010104@redhat.com>
Message-ID: <47A24A9F.4040001@redhat.com>

Doug Chapman wrote:
> There may be a child bug related to this issue, but the admin-server
> also displays an error after registering another host.
What error do you see?
>
> On Jan 31, 2008 12:24 PM, Rich Megginson wrote:
>
> Kyley Engle wrote:
> >
> > on ldap-master.company.com:
> > ou=company, o=NetscapeRoot exists
> > cn=ldap-test.company.com, ou=company, o=NetscapeRoot does not exist
> This is a bug - https://bugzilla.redhat.com/show_bug.cgi?id=431103 -
> there is a workaround listed in the bug.
> >
> > kyley
> >
> > ------------------------------------------------------------------------
> >
> > > Date: Wed, 30 Jan 2008 15:30:26 -0700
> > > From: rmeggins at redhat.com
> > > To: fedora-directory-users at redhat.com
> > > Subject: Re: [Fedora-directory-users] FDS 1.1 fail to add configuration data to FDS1.04 DS
> > >
> > > Kyley Engle wrote:
> > > > this is the interesting part of the output
> > > >
> > > > +Processing /usr/share/dirsrv/data/16dssuffixadmin.mod.tmpl ...
> > > > +++check_and_add_entry: Entry not found o=company.com error No such object
> > > ? This is really odd. What is your suffix?
> > > > +Processing /usr/share/dirsrv/data/10dsdata.ldif.tmpl ...
> > > > +++check_and_add_entry: Found entry o=NetscapeRoot > > > > +++Adding attr=aci value=(targetattr = "*")(version 3.0; acl > "SIE > > > > Group (ldap-test)"; allow (all) groupdn = > > "ldap:///cn=slapd-ldap-test, > > > > cn=Fedora Directory Server, cn=Server Group, > > cn=ldap-test.company.com , > > > > ou=company, o=NetscapeRoot";) to entry o=NetscapeRoot > > > > +++check_and_add_entry: Entry not found cn=Fedora Directory > Server, > > > > cn=Server Group, cn=ldap-test.company.com > , ou=company, o=NetscapeRoot > > > > error No such object > > > > +ERROR: adding an entry cn=Fedora Directory Server, > cn=Server Group, > > > > cn=ldap-test.company.com , > ou=company, o=NetscapeRoot failed, > > error: No > > > > such object > > > > > > > > Error adding entry 'cn=Fedora Directory Server, cn=Server Group, > > > > cn=ldap-test.company.com , > ou=company, o=NetscapeRoot'. Error: No such > > > > object > > > > Could not register the directory server with the configuration > > > > directory server. > > > > Exiting . > > > > > > > > what is interesting is that even tho i entered in the > configuration > > > > URI ldap://ldap-master.company.com:389/o=NetscapeRoot > during the > > > > custom install, i don't see it referenced anywhere in the log. > > > If cn=Fedora Directory Server, cn=Server Group, > > > cn=ldap-test.company.com , > ou=company, o=NetscapeRoot does not exist, > > > then what is under o=NetscapeRoot? Does ou=company, o=NetscapeRoot > > > exist? Does cn=ldap-test.company.com > , ou=company, o=NetscapeRoot exist? 
> > > > > > > > kyley > > > > > > > > > > > ------------------------------------------------------------------------ > > > > > > > > > Date: Wed, 30 Jan 2008 12:01:26 -0700 > > > > > From: rmeggins at redhat.com > > > > > To: fedora-directory-users at redhat.com > > > > > > Subject: Re: [Fedora-directory-users] FDS 1.1 fail to add > > > > configuration data to FDS1.04 DS > > > > > > > > > > Kyley Engle wrote: > > > > > > > > > > > > i've had this same issue on a new installation of FDS1.1 as > > well. I > > > > > > installed the master/config server but when i tried > running the > > > > > > setup-ds-admin.pl on the consumer i got the same type of > error, > > > > again, > > > > > > with no objects created in the configuration directory. > So I don't > > > > > > think this is a 1.0.4/1.1 issue, as much as it is > potentially a > > > > > > problem with the setup script. > > > > > Try setup-ds-admin.pl -ddd to see if turning up the debug > level > > reveals > > > > > anything. > > > > > > > > > > > > kyley > > > > > > > > > > > > > > > > > > > > > > > > > ------------------------------------------------------------------------ > > > > > > > > > > > > > From: richard at powerset.com > > > > > > > To: fedora-directory-users at redhat.com > > > > > > > > Date: Tue, 29 Jan 2008 19:28:23 -0800 > > > > > > > Subject: [Fedora-directory-users] FDS 1.1 fail to add > > configuration > > > > > > data to FDS1.04 DS > > > > > > > > > > > > > > I'm setting up a few v1.1 test instances in our > current 1.04 > > > > > > environment but running into issues trying to add the > > configuration > > > > > > data to an existing 1.04 server. It appears to be trying to > > create > > > > the > > > > > > children entries before the parent: > > > > > > > > > > > > > > Are you ready to set up your servers? [yes]: > > > > > > > Creating directory server . . . > > > > > > > Your new DS instance 'fds' was successfully created. > > > > > > > Creating the configuration directory server . . . 
> > > > > > > dn: cn=Fedora Directory Server, cn=Server Group, > > > > > > cn=aa0-002-6-v2.u.powerset.co > > > > > > > > m, ou=sv.powerset.com , > o=NetscapeRoot > > > > > > > objectclass: nsApplication > > > > > > > objectclass: groupOfUniqueNames > > > > > > > objectclass: top > > > > > > > cn: Fedora Directory Server > > > > > > > nsproductname: Fedora Directory Server > > > > > > > nsproductversion: 1.1.0 > > > > > > > nsnickname: slapd > > > > > > > nsbuildnumber: 2007.355.1657 > > > > > > > nsvendor: Fedora Project > > > > > > > installationtimestamp: 20080130014937Z > > > > > > > nsexpirationdate: 0 > > > > > > > nsbuildsecurity: domestic > > > > > > > uniquemember: cn=slapd-fds, cn=Fedora Directory Server, > > cn=Server > > > > > > Group, cn=aa > > > > > > > 0-002-6-v2.u.powerset.com > , ou=sv.powerset.com > , o=NetscapeRoot > > > > > > > nsservermigrationclassname: > > > > > > com.netscape.admin.dirserv.task.MigrateCreate at fedo > > > > > > > ra-ds-1.1.jar at cn=admin-serv-aa0-002-6-v2, cn=Fedora > > Administration > > > > > > Server, cn > > > > > > > =Server Group, cn=aa0-002-6-v2.u.powerset.com > , > > ou=sv.powerset.com , > > > > > > o=Netscape > > > > > > > Root > > > > > > > nsservercreationclassname: > > > > > > com.netscape.admin.dirserv.task.MigrateCreate at fedor > > > > > > > a-ds-1.1.jar at cn=admin-serv-aa0-002-6-v2, cn=Fedora > > Administration > > > > > > Server, cn= > > > > > > > Server Group, cn=aa0-002-6-v2.u.powerset.com > , > > ou=sv.powerset.com , > > > > > > o=NetscapeR > > > > > > > oot > > > > > > > > > > > > > > Error adding entry 'cn=Fedora Directory Server, > cn=Server Group, > > > > > > cn=aa0-002-6-v2.u.powerset.com > , ou=sv.powerset.com > , > > o=NetscapeRoot'. > > > > > > Error: No such object > > > > > > > Could not register the directory server with the > configuration > > > > > > directory server. > > > > > > > Exiting . . . 
> > > > > > > Log file is '/tmp/setupR29d4F.log' > > > > > > > > > > > > > > Checking the tree, the intermediate entries are not > there. The > > > > > > script is not creating entries beneath > ou=sv.powerset.com . I know > > > > that > > > > > > the DS is working b/c I can add new 1.04 instances to > > o=NetscapeRoot, > > > > > > and the 1.1 script is adding an ACI entry for SIE > Group(fds) to > > > > > > o=NetscapeRoot. > > > > > > > > > > > > > > Do I have to upgrade the configuration server to 1.1 > first? I'd > > > > > > rather avoid messing with it if at all possible. Any > help would be > > > > > > appreciated. Thanks. > > > > > > > > > > > > > > -richard > > > > > > > > > > > > > > -- > > > > > > > Fedora-directory-users mailing list > > > > > > > Fedora-directory-users at redhat.com > > > > > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > > > > > > > > > > > > > > > > > > ------------------------------------------------------------------------ > > > > > > Need to know the score, the latest news, or you need your > > > > Hotmail?-get > > > > > > your "fix". Check it out. > > > > > > > > > > > > > > > ------------------------------------------------------------------------ > > > > > > > > > > > > -- > > > > > > Fedora-directory-users mailing list > > > > > > Fedora-directory-users at redhat.com > > > > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > ------------------------------------------------------------------------ > > > > Need to know the score, the latest news, or you need your > > Hotmail?-get > > > > your "fix". Check it out. 
> > > > > > > > ------------------------------------------------------------------------ > > > > > > > > -- > > > > Fedora-directory-users mailing list > > > > Fedora-directory-users at redhat.com > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > > > > > > > > > > ------------------------------------------------------------------------ > > Climb to the top of the charts! Play the word scramble challenge > with > > star power. Play now! > > > > > > > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From jared.griffith at farheap.com Thu Jan 31 22:55:06 2008 From: jared.griffith at farheap.com (Jared B. Griffith) Date: Thu, 31 Jan 2008 14:55:06 -0800 (PST) Subject: [Fedora-directory-users] Mixing Directory Servers Message-ID: <31084967.156271201820106874.JavaMail.root@zimbra1.farheap.com> Is it possible to build and install a 1.1 instance and make it a slave of a 1.0.4 insstance? -------------- next part -------------- An HTML attachment was scrubbed... 
From rmeggins at redhat.com Thu Jan 31 23:11:32 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 31 Jan 2008 16:11:32 -0700
Subject: [Fedora-directory-users] Mixing Directory Servers
In-Reply-To: <31084967.156271201820106874.JavaMail.root@zimbra1.farheap.com>
References: <31084967.156271201820106874.JavaMail.root@zimbra1.farheap.com>
Message-ID: <47A255A4.8050903@redhat.com>

Jared B. Griffith wrote:
> Is it possible to build and install a 1.1 instance and make it a slave
> of a 1.0.4 instance?
Yes. Replication works fine from 1.1 to 1.0.4 and vice versa.

From jared.griffith at farheap.com Thu Jan 31 23:18:11 2008
From: jared.griffith at farheap.com (Jared B. Griffith)
Date: Thu, 31 Jan 2008 15:18:11 -0800 (PST)
Subject: [Fedora-directory-users] Mixing Directory Servers
In-Reply-To: <47A255A4.8050903@redhat.com>
Message-ID: <19640657.156881201821491795.JavaMail.root@zimbra1.farheap.com>

Thanks, just wanted to make sure.
I assume replication agreements are set up the same way as they were on 1.0.4

----- Original Message -----
From: "Rich Megginson"
To: "Jared B. Griffith", "General discussion list for the Fedora Directory server project."
Sent: Thursday, January 31, 2008 3:11:32 PM (GMT-0800) America/Los_Angeles
Subject: Re: [Fedora-directory-users] Mixing Directory Servers

Jared B. Griffith wrote:
> Is it possible to build and install a 1.1 instance and make it a slave
> of a 1.0.4 instance?
Yes. Replication works fine from 1.1 to 1.0.4 and vice versa.
From mailinglists at disgruntled-dutch.com Thu Jan 31 23:27:03 2008
From: mailinglists at disgruntled-dutch.com (Yvo van Doorn)
Date: Thu, 31 Jan 2008 15:27:03 -0800
Subject: [Fedora-directory-users] FDS 1.1 fail to add configuration data to FDS1.04 DS
In-Reply-To: <47A24A9F.4040001@redhat.com>
References: <84E2AE771361E9419DD0EFBD31F09C4D4CBBB885D4@EXVMBX015-1.exch015.msoutlookonline.net> <47A0C986.1030706@redhat.com> <47A0FA82.7020209@redhat.com> <47A22E93.3010104@redhat.com> <47A24A9F.4040001@redhat.com>
Message-ID:

On 1/31/08, Rich Megginson wrote:
> Doug Chapman wrote:
> > There may be a child bug related to this issue, but the admin-server
> > also displays an error after registering another host.
>
> What error do you see?
> >
> > On Jan 31, 2008 12:24 PM, Rich Megginson wrote:
> >
> > Kyley Engle wrote:
> > >
> > > on ldap-master.company.com:
> > > ou=company, o=NetscapeRoot exists
> > > cn=ldap-test.company.com, ou=company, o=NetscapeRoot does not exist
> > This is a bug - https://bugzilla.redhat.com/show_bug.cgi?id=431103 -
> > there is a workaround listed in the bug.

I've been working with Doug on this. The error (through the GUI
interface) when opening the admin server under "host.example.com" and
attempting to complete any task (such as configuration or restarting
the server) is:

Remote Request Error URL: no protocol: admin-serv/tasks/Configuration/ServerSetup

I resolved this by adding:

dn: cn=Server Group, cn=host.example.com, ou=example.com, o=NetscapeRoot
nsadminsiedn: cn=admin-serv-host, cn=Fedora Administration Server, cn=Server Group, cn=host.example.com, ou=example.com, o=NetscapeRoot

I updated the bug (431103) to reflect this.
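The "No such object" failures quoted in this thread are what an LDAP add returns (result code 32) when the new entry's immediate parent does not exist. The following is an added example, not code from the thread or from the Fedora DS project: it lists which ancestors of a DN are missing, parent first, so they can be created in that order. The function names are hypothetical, the sample tree is constructed from what the thread reports, and case-insensitive matching of RDN values is an assumption.

```python
"""Report which ancestors of an LDAP DN are missing, parent first."""


def split_dn(dn):
    """Split a DN into RDN strings on unescaped commas (RFC 4514 escapes)."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair, e.g. "\," intact
            i += 2
        elif dn[i] == ",":
            rdns.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(dn[i])
            i += 1
    rdns.append("".join(buf))
    return [r for r in rdns if r.strip()]


def normalize_rdn(rdn):
    """Lower-case an RDN and drop insignificant spaces (assumes caseIgnoreMatch)."""
    attr, _, value = rdn.partition("=")
    value = value.lstrip()
    while value.endswith(" ") and not value.endswith("\\ "):
        value = value[:-1]  # an escaped trailing space is significant, keep it
    return attr.strip().lower() + "=" + value.lower()


def normalize_dn(dn):
    return ",".join(normalize_rdn(r) for r in split_dn(dn))


def ancestor_chain(dn, suffix):
    """DNs from just below the suffix down to dn itself, in creation order."""
    rdns = [normalize_rdn(r) for r in split_dn(dn)]
    base = [normalize_rdn(r) for r in split_dn(suffix)]
    if not base or rdns[-len(base):] != base:
        raise ValueError("%r is not under suffix %r" % (dn, suffix))
    return [",".join(rdns[depth:])
            for depth in range(len(rdns) - len(base) - 1, -1, -1)]


def missing_ancestors(dn, suffix, existing):
    """Entries on the path to dn (inclusive) that are absent from existing."""
    present = {normalize_dn(e) for e in existing}
    return [d for d in ancestor_chain(dn, suffix) if d not in present]


def order_for_add(dns):
    """Sort DNs so that every parent precedes its children (fewest RDNs first)."""
    return sorted(dns, key=lambda d: len(split_dn(d)))


# Constructed sample: the state reported for ldap-master.company.com in the thread.
EXISTING = ["o=NetscapeRoot", "ou=company, o=NetscapeRoot"]
TARGET = ("cn=Fedora Directory Server, cn=Server Group, "
          "cn=ldap-test.company.com, ou=company, o=NetscapeRoot")

if __name__ == "__main__":
    for dn in missing_ancestors(TARGET, "o=NetscapeRoot", EXISTING):
        print("missing:", dn)
```

In practice the `existing` list would come from a subtree search of o=NetscapeRoot on the configuration directory server.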
From rmeggins at redhat.com Thu Jan 31 23:37:15 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 31 Jan 2008 16:37:15 -0700
Subject: [Fedora-directory-users] Mixing Directory Servers
In-Reply-To: <19640657.156881201821491795.JavaMail.root@zimbra1.farheap.com>
References: <19640657.156881201821491795.JavaMail.root@zimbra1.farheap.com>
Message-ID: <47A25BAB.2020609@redhat.com>

Jared B. Griffith wrote:
> Thanks, just wanted to make sure.
> I assume replication agreements are set up the same way as they were
> on 1.0.4
Yes.
>
> ----- Original Message -----
> From: "Rich Megginson"
> To: "Jared B. Griffith", "General discussion list for the Fedora Directory server project."
> Sent: Thursday, January 31, 2008 3:11:32 PM (GMT-0800) America/Los_Angeles
> Subject: Re: [Fedora-directory-users] Mixing Directory Servers
>
> Jared B. Griffith wrote:
> > Is it possible to build and install a 1.1 instance and make it a slave
> > of a 1.0.4 instance?
> Yes. Replication works fine from 1.1 to 1.0.4 and vice versa.

From markwu at micron.com Thu Jan 31 22:56:52 2008
From: markwu at micron.com (markwu at micron.com)
Date: Thu, 31 Jan 2008 14:56:52 -0800
Subject: [Fedora-directory-users] RE: Random UID not found problem
In-Reply-To:
References:
Message-ID:

We just found that all cron jobs at 0,10,20,30,50 every hour would fail
consistently and give the error in my original post, but any other
minutes all cron jobs are OK. We are using nss_ldap_226-18 and
crontabs-1.10-7. I will check if UID not found problem occurs also at
10th minutes.

> _____________________________________________
> From: markwu
> Sent: Wednesday, January 30, 2008 2:42 PM
> To: 'fedora-directory-users at redhat.com'
> Subject: Random UID not found problem
>
> Hi,
> Some of our users get "UID xxxx not found" message when they open a
> new terminal or run a rsh command, it appears a few times a day and
> it is mostly just annoying message because users can continue to work
> as normal, however, sometimes it also causes cron jobs to fail,
> In system log, it shows,
>
> crond(pam_unix)[9225]: could not identify user (from getpwnam(USERNAME))
> crond[9225]: User not known to the underlying authentication module
>
> We are using Fedora DS 1.0.4, and clients are RHEL 4.5. This problem
> started ever since we switched into LDAP three months ago.
>
> Thanks