From daniel.cruz at sc.senai.br Tue Jul 1 12:39:32 2008
From: daniel.cruz at sc.senai.br (DANIEL CRISTIAN CRUZ)
Date: Tue, 1 Jul 2008 09:39:32 -0300
Subject: [Fedora-directory-users] Why there is no rpm for 1.1.1?
Message-ID:

Hi all,

I asked a week ago about the missing packages. Why is there no package there yet?

I got a server dying at random, and said to my sponsors that a project from Redhat would be stable and we could get updates when needed. If there is no plan to build these packages, why is there no warning on the first page? Using a package with a serious bug in which any search could stop your server is insane.

Is there no maintainer for the repository?

Regards,
--
Daniel Cristian Cruz
Database Administrator
Regional Directorate - Information Technology Center
SENAI - SC
Phone: 48-3239-1422 (ext. 1422)

From rmeggins at redhat.com Tue Jul 1 15:22:37 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 01 Jul 2008 09:22:37 -0600
Subject: [Fedora-directory-users] Why there is no rpm for 1.1.1?
In-Reply-To:
References:
Message-ID: <486A4BBD.7090606@redhat.com>

DANIEL CRISTIAN CRUZ wrote:
> Hi all,
>
> I asked a week ago about the missing packages. Why is there no package
> there yet?
>
> I got a server dying at random, and said to my sponsors that a project
> from Redhat would be stable and we could get updates when needed. If
> there is no plan to build these packages, why is there no warning on
> the first page? Using a package with a serious bug in which any search
> could stop your server is insane.
>
> Is there no maintainer for the repository?
>
Yes. The problem with FC6 RPMs is that they have to be manually built, signed, and distributed, since Koji/Bodhi do not support FC6. The Fedora guys had been doing me a favor and signing them with the Fedora GPG key, but they don't want to do this anymore, and I don't blame them.
So I have signed these with my personal GPG key:
http://pgp.mit.edu:11371/pks/lookup?search=rmeggins&op=index

Type bits /keyID    Date       User ID
pub  1024D/A7B02652 2008/07/01 Rich Megginson

The RPMs are now available. You will have to import my GPG public key into your rpm key store in order to be able to use yum to install these new RPMs.

> Regards,
>
> Daniel Cristian Cruz
> Database Administrator
> Regional Directorate - Information Technology Center
> SENAI - SC
> Phone: 48-3239-1422 (ext. 1422)
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From del at babel.com.au Wed Jul 2 02:52:32 2008
From: del at babel.com.au (Del)
Date: Wed, 02 Jul 2008 12:52:32 +1000
Subject: [Fedora-directory-users] altServer
Message-ID: <486AED70.1070309@babel.com.au>

Hi,

Is there any plan to support the altServer attribute in the root DSE of a Fedora Directory Server? By that I mean that the server should advertise its list of replicas (currently buried under cn=replica,cn="BASEDN",cn=mapping tree,cn=config for each base DN) in the root DSE using the altServer attribute. This would make it easier to build resilient clients that automatically know where to reconnect to if the primary server went down.

--
Del
Babel Com Australia
http://www.babel.com.au/
ph: 02 9966 9476
fax: 02 9906 2864

From david_list at boreham.org Wed Jul 2 13:01:21 2008
From: david_list at boreham.org (David Boreham)
Date: Wed, 02 Jul 2008 07:01:21 -0600
Subject: [Fedora-directory-users] Scheduled Resync with Windows Sync?
In-Reply-To: <20080624151647.M48745@mail.txwes.edu>
References: <20080624151647.M48745@mail.txwes.edu>
Message-ID: <486B7C21.6000409@boreham.org>

Glenn wrote:
> It is difficult to know when a full resynchronization is necessary for a
> given Windows Sync agreement.
Why do you want to perform a full sync? Typically that would only be done if a) the servers had been out of contact for a long time or b) when bringing up a new server or c) if the software is broken.

> I would like to be able to start a full resync
> from a cron script. Is this possible, or is there any other way to schedule
> a full resync to run periodically without human intervention?
>
You can do this. The console initiates sync by writing to an LDAP entry in the server's agreement tree. I'm not sure if this is documented so you might need to snoop the traffic from a manual operation and then write a script to generate the same result.

From kenoh23 at yahoo.fr Wed Jul 2 15:18:39 2008
From: kenoh23 at yahoo.fr (ken oh)
Date: Wed, 2 Jul 2008 15:18:39 +0000 (GMT)
Subject: [Fedora-directory-users] howto create the sync manager ?
Message-ID: <139422.31177.qm@web26003.mail.ukl.yahoo.com>

I've read the 8.3 chapter from the red hat guide.

I've tried to create the sync manager by adding the following lines in the dse.ldif:

dn: cn=sync manager,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: sync manager
sn: RM
userPassword: password
passwordExpirationTime: 20380119031407Z

And when I restart the directory server I've got this error message:

Entry "cn=sync manager,cn=config " has unknown object class "inetorgperson " (remove the trailing space)
[12/Jun/2008:20:47:33 +0200] - Entry "cn=sync manager,cn=config " has unknown object class "person " (remove the trailing space)
[12/Jun/2008:20:47:33 +0200] - Entry "cn=sync manager,cn=config " has unknown object class "top " (remove the trailing space)
So I would like to know what I'm doing wrong and what should I do to create the sync manager, please.

Thanks

From rmeggins at redhat.com Wed Jul 2 15:35:40 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 02 Jul 2008 09:35:40 -0600
Subject: [Fedora-directory-users] howto create the sync manager ?
In-Reply-To: <139422.31177.qm@web26003.mail.ukl.yahoo.com>
References: <139422.31177.qm@web26003.mail.ukl.yahoo.com>
Message-ID: <486BA04C.8080702@redhat.com>

ken oh wrote:
> I've read the 8.3 chapter from the red hat guide.
>
> I've tried to create the sync manager by adding the following lines in
> the dse.ldif:
>
> dn: cn=sync manager,cn=config
> objectClass: inetorgperson
> objectClass: person
> objectClass: top
> cn: sync manager
> sn: RM
> userPassword: password
> passwordExpirationTime: 20380119031407Z
>
> And when I restart the directory server I've got this error message:
>
> Entry "cn=sync manager,cn=config " has unknown object class
> "inetorgperson " (remove the trailing space)
>
LDIF is very, very strict about trailing spaces in values. This message means that there is extra whitespace after inetorgperson. Note that the message says "inetorgperson " <- there is the space before the quote

> [12/Jun/2008:20:47:33 +0200] - Entry "cn=sync manager,cn=config " has
> unknown object class "person " (remove the trailing space)
> [12/Jun/2008:20:47:33 +0200] - Entry "cn=sync manager,cn=config " has
> unknown object class "top " (remove the trailing space)
>
> So I would like to know what I'm doing wrong and what should I do to
> create the sync manager, please.
>
> Thanks
From hicheerup at gmail.com Wed Jul 2 20:16:39 2008
From: hicheerup at gmail.com (lingu)
Date: Thu, 3 Jul 2008 01:46:39 +0530
Subject: [Fedora-directory-users] PassSync.msi for 64 bit windows2003
Message-ID: <29e045b80807021316j5e24f6d5g655c290bafbaa94e@mail.gmail.com>

HI,

I am trying to migrate from windows to linux; for that I am integrating existing windows 2003 R2

From hicheerup at gmail.com Wed Jul 2 20:22:57 2008
From: hicheerup at gmail.com (lingu)
Date: Thu, 3 Jul 2008 01:52:57 +0530
Subject: [Fedora-directory-users] Windows to linux migration [PassSync.msi for 64 bit windows2003 ]
Message-ID: <29e045b80807021322g8df3647i7d33a81cbebfc57c@mail.gmail.com>

HI,

I am trying to migrate from windows to linux. For that I am integrating existing windows 2003 R2 64 BIT standard edition running ADS with Redhat Directory Server 8.0 running on RHEL5 for user/group and password sync. I followed the steps given in the fedora wiki and I successfully synced the users, but password sync is not happening. In the passsync log it's telling "unable to load password entries from file".

Since I am using the 64 bit windows edition but rhds8.0 is running on the 32 bit edition, maybe the PassSync.msi that comes along with the 32bit edition works only with 32 bit windows, or is any 64 bit version of PassSync.msi available? Please help me, this is very urgent for me.

Regards
lingu
From rmeggins at redhat.com Wed Jul 2 20:27:05 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 02 Jul 2008 14:27:05 -0600
Subject: [Fedora-directory-users] Windows to linux migration [PassSync.msi for 64 bit windows2003 ]
In-Reply-To: <29e045b80807021322g8df3647i7d33a81cbebfc57c@mail.gmail.com>
References: <29e045b80807021322g8df3647i7d33a81cbebfc57c@mail.gmail.com>
Message-ID: <486BE499.1000404@redhat.com>

lingu wrote:
> HI,
>
> I am trying to migrate from windows to linux. For that I am
> integrating existing windows 2003 R2 64 BIT standard edition running
> ADS with Redhat Directory Server 8.0 running on RHEL5 for
> user/group and password sync. I followed the steps given in the fedora
> wiki and I successfully synced the users, but password sync is not
> happening. In the passsync log it's telling "unable to load password entries
> from file".
>
> Since I am using the 64 bit windows edition but rhds8.0 is running on the 32
> bit edition, maybe the PassSync.msi that comes along with the 32bit edition
> works only with 32 bit windows, or is any 64 bit version of
> PassSync.msi available? Please help me, this is very urgent for me.
>
We've never tested 64-bit Windows. I have no idea if it will work. We have no plans currently to support 64-bit Windows.

> Regards
> lingu

From kenoh23 at yahoo.fr Thu Jul 3 09:02:32 2008
From: kenoh23 at yahoo.fr (ken oh)
Date: Thu, 3 Jul 2008 09:02:32 +0000 (GMT)
Subject: [Fedora-directory-users] howto create the sync manager ?
In-Reply-To: <486BA04C.8080702@redhat.com>
Message-ID: <958880.38865.qm@web26004.mail.ukl.yahoo.com>

Thanks.

I have another question: should I do something to give this user read and write permissions to every entry in the synchronized subtree and write access to password attributes? Or does the sync manager already have all these permissions after I add him in the ldif file, please?

From doug.mallory at tempurpedic.com Thu Jul 3 11:37:04 2008
From: doug.mallory at tempurpedic.com (Mallory, Doug (TPUSA))
Date: Thu, 3 Jul 2008 07:37:04 -0400
Subject: [Fedora-directory-users] Auditing password requirements
In-Reply-To: <958880.38865.qm@web26004.mail.ukl.yahoo.com>
References: <486BA04C.8080702@redhat.com> <958880.38865.qm@web26004.mail.ukl.yahoo.com>
Message-ID:

ALL,

Internal audit has requested a print out of the password requirements. I can not find where they are defined or stored. I know they are set because they have a length requirement and have to be alphanumeric.

Doug Mallory
From david_list at boreham.org Thu Jul 3 14:33:31 2008
From: david_list at boreham.org (David Boreham)
Date: Thu, 03 Jul 2008 08:33:31 -0600
Subject: [Fedora-directory-users] Windows to linux migration [PassSync.msi for 64 bit windows2003 ]
In-Reply-To: <29e045b80807021322g8df3647i7d33a81cbebfc57c@mail.gmail.com>
References: <29e045b80807021322g8df3647i7d33a81cbebfc57c@mail.gmail.com>
Message-ID: <486CE33B.40704@boreham.org>

lingu wrote:
> Since I am using the 64 bit windows edition but rhds8.0 is running on the 32
> bit edition, maybe the PassSync.msi that comes along with the 32bit edition
> works only with 32 bit windows, or is any 64 bit version of
> PassSync.msi available? Please help me, this is very urgent for me.
>
I don't know for sure, but it seems reasonable to assume that the 32-bit password sync dll won't work on a 64-bit system. It's a native code DLL, and so unless Microsoft did something special to support 32-bit password hook DLLs, it won't work. In theory, you could re-build it 64-bit and it should work.

From jsummers at bachman.cs.ou.edu Fri Jul 4 21:23:15 2008
From: jsummers at bachman.cs.ou.edu (Jim Summers)
Date: Fri, 04 Jul 2008 16:23:15 -0500
Subject: [Fedora-directory-users] Slapd Crash and wont start up again
Message-ID: <486E94C3.7060205@cs.ou.edu>

Hello All,

Had a power outage this morning. When the system came back up the slapd would not start.
I found the following in the error log:

Fedora-Directory/1.0.2 B2006.060.1928
landin.cs.ou.edu:636 (/opt/fedora-ds/slapd-landin)

[04/Jul/2008:16:17:37 -0500] - Entry "cn=SNMP,cn=config" -- attribute "nsSNMPName" not allowed
[04/Jul/2008:16:17:37 -0500] - Entry "cn=SNMP,cn=config" -- attribute "nsSNMPName" not allowed
[04/Jul/2008:16:17:37 -0500] - Fedora-Directory/1.0.2 B2006.060.1928 starting up
[04/Jul/2008:16:17:37 -0500] - ERROR: Database version mismatch (expecting 'Netscape-ldbm/7.0' but found 'nsibleObject' in directory /opt/fedora-ds/slapd-landin/db)
[04/Jul/2008:16:17:37 -0500] - start: db version is not supported
[04/Jul/2008:16:17:37 -0500] - Failed to start database plugin ldbm database
[04/Jul/2008:16:17:37 -0500] - WARNING: ldbm instance userRoot already exists
[04/Jul/2008:16:17:37 -0500] - WARNING: ldbm instance NetscapeRoot already exists

Any ideas on how I can fix this? This is a replica and fortunately the master is ok. Would it be possible to simply copy the db directory from the master and drop it on this replica?

Happy Fourth!

TIA
--
Jim Summers
Computer Science - University of Oklahoma

From nhosoi at redhat.com Sat Jul 5 15:03:27 2008
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Sat, 05 Jul 2008 08:03:27 -0700
Subject: [Fedora-directory-users] Slapd Crash and wont start up again
In-Reply-To: <486E94C3.7060205@cs.ou.edu>
References: <486E94C3.7060205@cs.ou.edu>
Message-ID: <486F8D3F.2030005@redhat.com>

Jim Summers wrote:
> Hello All,
>
> Had a power outage this morning. When the system came back up the
> slapd would not start.
> I found the following in the error log:
>
> Fedora-Directory/1.0.2 B2006.060.1928
> landin.cs.ou.edu:636 (/opt/fedora-ds/slapd-landin)
>
> [04/Jul/2008:16:17:37 -0500] - Entry "cn=SNMP,cn=config" -- attribute
> "nsSNMPName" not allowed
> [04/Jul/2008:16:17:37 -0500] - Entry "cn=SNMP,cn=config" -- attribute
> "nsSNMPName" not allowed
> [04/Jul/2008:16:17:37 -0500] - Fedora-Directory/1.0.2 B2006.060.1928
> starting up
> [04/Jul/2008:16:17:37 -0500] - ERROR: Database version mismatch
> (expecting 'Netscape-ldbm/7.0' but found 'nsibleObject' in directory
> /opt/fedora-ds/slapd-landin/db)
> [04/Jul/2008:16:17:37 -0500] - start: db version is not supported
> [04/Jul/2008:16:17:37 -0500] - Failed to start database plugin ldbm
> database
> [04/Jul/2008:16:17:37 -0500] - WARNING: ldbm instance userRoot already
> exists
> [04/Jul/2008:16:17:37 -0500] - WARNING: ldbm instance NetscapeRoot
> already exists
>
> Any ideas on how I can fix this? This is a replica and fortunately
> the master is ok. Would it be possible to simply copy the db
> directory from the master and drop it on this replica?
First, you may want to try fixing the corrupted DBVERSION files.

Please search for DBVERSION files in your db directory. There is one in the db dir, and one in each backend directory (e.g., userRoot). Open the file and if the content is not "Netscape-ldbm/7.0", replace the content with that string. If other db files are not corrupted, your replica should start without the database version mismatch error. (You may still want to run replica initialization to make sure the replica is healthy.)

If it still does not start, you have to recover the replica. As you asked, you could "copy" the master db to the replica, but there are some steps to follow.

If your master and the replica have the same backend configuration, you could copy the directory EXCEPT the __db.* files.
If they don't, you could make a backup on the master with "db2bak", then restore on the replica server just the backend to be replicated:
http://www.redhat.com/docs/manuals/dir-server/cli/8.0/Configuration_Command_File_Reference-Command_Line_Scripts-Shell_Scripts.html#Configuration_Command_File_Reference-Shell_Scripts-bak2db_Restore_database_from_backup

Hopefully, it recovers your replica.

Thanks,
--noriko

From jsummers at bachman.cs.ou.edu Sun Jul 6 14:44:30 2008
From: jsummers at bachman.cs.ou.edu (Jim Summers)
Date: Sun, 06 Jul 2008 09:44:30 -0500
Subject: [Fedora-directory-users] Slapd Crash and wont start up again
In-Reply-To: <486F8D3F.2030005@redhat.com>
References: <486E94C3.7060205@cs.ou.edu> <486F8D3F.2030005@redhat.com>
Message-ID: <4870DA4E.90309@cs.ou.edu>

Many Thanks Noriko,

I was able to edit the DBVERSION file, and luckily it started right up.

My current method of backing up, using just a basic tar command, turned out to produce corrupt tarfiles when I tried to extract. I am going to look into using the db2bak command for sure.

Thanks again!

--jim

Noriko Hosoi wrote:
> Jim Summers wrote:
>> Hello All,
>>
>> Had a power outage this morning. When the system came back up the
>> slapd would not start.
--
Jim Summers
Computer Science - University of Oklahoma

From smith.not.western at gmail.com Mon Jul 7 04:45:13 2008
From: smith.not.western at gmail.com (Mike C)
Date: Mon, 7 Jul 2008 16:45:13 +1200
Subject: [Fedora-directory-users] Case Sensitive Lookup and Searching
Message-ID:

Hi,

I'm running Fedora-Directory/1.0.2 B2006.111.2147, and talking to it via a Java App. Previously the app was talking to an OpenLDAP 2.3.x server. My problem is with this:

Object o = ctx.lookup("memberUid=steves,ou=People");

In OpenLDAP, it returns the correct user (steves). In FDS, it returns the wrong user, 'Steves'. Yes, unfortunately our data is like that, where case sensitivity is important.

In fact, as a side issue, when we import the data from ldif into FDS, the ldif2db process ignores duplicate entries (i.e. steves was inserted, but Steves ignored as it was considered a duplicate).

ldif2db Error:
import company: WARNING: Skipping duplicate entry "memberUid=steves,ou=People,o=company.com"

As you might imagine, I'd like to get it so both ldif2db and lookups are case sensitive. However, it seems like ldapsearch is case sensitive.

# ./ldapsearch -h 127.0.0.1 -b "o=company.com" memberUid=steves
# ./ldapsearch -h 127.0.0.1 -b "o=company.com" memberUid=Steves
version: 1
dn: memberUid=Steves,ou=People,o=company.com
personalTitle: Mr
etc...
So, the question goes, what am I missing? I've even tried changing the definition of memberUid in config/schema/10rfc2307.ldif to use

attributeTypes: (
  1.3.6.1.1.1.1.12
  NAME 'memberUid'
  DESC 'Standard LDAP attribute type'
  EQUALITY caseExactIA5Match
  SUBSTRINGS caseExactIA5SubstringsMatch
  SYNTAX 'IA5String'
)

Ideas?

Thanks,
Mike

From michael at stroeder.com Mon Jul 7 09:13:14 2008
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 07 Jul 2008 11:13:14 +0200
Subject: [Fedora-directory-users] Case Sensitive Lookup and Searching
In-Reply-To:
References:
Message-ID: <4871DE2A.2050707@stroeder.com>

Mike C wrote:
> Object o = ctx.lookup("memberUid=steves,ou=People");

Attribute 'memberUid' was never meant to be used within a user entry. So general advice is to define a better schema and sanitize your data. You probably already know that. ;-)

> I've even tried changing the
> definition of memberUid in config/schema/10rfc2307.ldif to use
>
> attributeTypes: (
>   1.3.6.1.1.1.1.12
>   NAME 'memberUid'
>   DESC 'Standard LDAP attribute type'
>   EQUALITY caseExactIA5Match
>   SUBSTRINGS caseExactIA5SubstringsMatch
>   SYNTAX 'IA5String'
> )
>
> Ideas?

Well, looking at the schema in FDS there's no such matching rule named 'caseExactIA5Match' (IMO the server shouldn't even start with such a mis-defined schema element declaration). The only caseExact* matching rules listed in the subschema are 'caseExactOrderingMatch-en' and 'caseExactSubstringMatch-en', which both do not look suitable to me.

Strangely enough there's not even an EQUALITY matching rule defined for attribute type 'memberUid' at all...

I really wonder whether default matching rules are applied for certain LDAP syntaxes and how to find out which these are.

Ciao, Michael.
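Two server-side checks come up in this archive: the rejection of LDIF values with trailing whitespace ("unknown object class 'inetorgperson '") from the "howto create the sync manager" thread, and ldif2db skipping an entry whose DN differs from an earlier one only by case in this thread. The Python below is an added example, not code from the list discussion or from Fedora Directory Server; its LDIF is constructed, and its parser and DN normalization are simplified stand-ins for the server's own (no base64 values, continuation lines or DN escaping).

```python
"""Constructed sample LDIF (not from the thread): the sync-manager entry with a
trailing space after the DN and after "inetorgperson", then two entries whose
RDNs differ only by case."""
SAMPLE_LDIF = (
    "dn: cn=sync manager,cn=config \n"
    "objectClass: inetorgperson \n"
    "objectClass: person\n"
    "objectClass: top\n"
    "cn: sync manager\n"
    "sn: RM\n"
    "\n"
    "dn: memberUid=steves,ou=People,o=company.com\n"
    "objectClass: top\n"
    "memberUid: steves\n"
    "\n"
    "dn: memberUid=Steves,ou=People,o=company.com\n"
    "objectClass: top\n"
    "memberUid: Steves\n"
)


def parse_ldif(text):
    """Minimal LDIF reader: returns [(dn, [(attr, value), ...]), ...].
    Only the single space after the colon is removed; anything else, including
    trailing whitespace, is kept because the server keeps it too. Base64 (::)
    values, continuation lines and comments are not handled (simplification)."""
    entries, dn, attrs = [], None, []
    for line in text.splitlines():
        if not line.strip():          # a blank line ends an entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
            continue
        name, _, value = line.partition(":")
        if value.startswith(" "):
            value = value[1:]
        if name.lower() == "dn":
            dn = value
        else:
            attrs.append((name, value))
    if dn is not None:
        entries.append((dn, attrs))
    return entries


def trailing_space_problems(entries):
    """Flag every DN or value that ends in whitespace: "top " is not "top",
    so the schema check reports an unknown object class, as in the thread."""
    problems = []
    for dn, attrs in entries:
        if dn != dn.rstrip():
            problems.append(f'Entry "{dn}" has trailing whitespace in its DN')
        for name, value in attrs:
            if value != value.rstrip():
                problems.append(
                    f'Entry "{dn}" has {name} value "{value}" (remove the trailing space)')
    return problems


def normalize_dn(dn, case_exact_attrs=()):
    """Normalize a DN for comparison: whitespace around RDNs dropped, attribute
    names lower-cased, values lower-cased unless the attribute is listed as
    using a case-exact EQUALITY rule. Escaping and multi-valued RDNs are
    ignored (simplification); this is enough to show the collision above."""
    exact = {a.lower() for a in case_exact_attrs}
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        attr = attr.strip().lower()
        value = value.strip()
        if attr not in exact:
            value = value.lower()
        parts.append(f"{attr}={value}")
    return ",".join(parts)


def import_entries(entries, case_exact_attrs=()):
    """Mimic ldif2db's duplicate handling: the first entry for each normalized
    DN is kept, later ones are skipped with a warning."""
    seen, kept, skipped = set(), [], []
    for dn, attrs in entries:
        key = normalize_dn(dn, case_exact_attrs)
        if key in seen:
            skipped.append(f'WARNING: Skipping duplicate entry "{dn}"')
            continue
        seen.add(key)
        kept.append(dn)
    return kept, skipped


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for msg in trailing_space_problems(entries):
        print(msg)
    # Case-insensitive comparison of memberUid: the "Steves" entry is skipped,
    # which is the duplicate warning reported in the thread.
    print(import_entries(entries))
    # With memberUid treated as case-exact both entries survive the import.
    print(import_entries(entries, case_exact_attrs=("memberUid",)))
```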
From rmeggins at redhat.com Mon Jul 7 13:06:14 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 07 Jul 2008 07:06:14 -0600
Subject: [Fedora-directory-users] Case Sensitive Lookup and Searching
In-Reply-To: <4871DE2A.2050707@stroeder.com>
References: <4871DE2A.2050707@stroeder.com>
Message-ID: <487214C6.2070007@redhat.com>

Michael Ströder wrote:
> Mike C wrote:
>> Object o = ctx.lookup("memberUid=steves,ou=People");
>
> Attribute 'memberUid' was never meant to be used within a user entry.
>
> So general advice is to define a better schema and sanitize your data.
> You probably already know that. ;-)
>
>> I've even tried changing the
>> definition of memberUid in config/schema/10rfc2307.ldif to use
>>
>> attributeTypes: (
>>   1.3.6.1.1.1.1.12
>>   NAME 'memberUid'
>>   DESC 'Standard LDAP attribute type'
>>   EQUALITY caseExactIA5Match
>>   SUBSTRINGS caseExactIA5SubstringsMatch
>>   SYNTAX 'IA5String'
>> )
>>
>> Ideas?
>
> Well, looking at the schema in FDS there's no such matching rule named
> 'caseExactIA5Match' (IMO the server shouldn't even start with such a
> mis-defined schema element declaration). The only caseExact* matching
> rules listed in the subschema are 'caseExactOrderingMatch-en' and
> 'caseExactSubstringMatch-en', which both do not look suitable to me.
>
> Strangely enough there's not even an EQUALITY matching rule defined for
> attribute type 'memberUid' at all...
>
> I really wonder whether default matching rules are applied for certain
> LDAP syntaxes and how to find out which these are.
>
If there is no matching rule, it just goes by the most appropriate internal matching rule that corresponds to the SYNTAX.

> Ciao, Michael.
From glenn at mail.txwes.edu Mon Jul 7 14:22:52 2008
From: glenn at mail.txwes.edu (Glenn)
Date: Mon, 7 Jul 2008 09:22:52 -0500
Subject: [Fedora-directory-users] Scheduled Resync with Windows Sync?
In-Reply-To: <486B7C21.6000409@boreham.org>
References: <20080624151647.M48745@mail.txwes.edu> <486B7C21.6000409@boreham.org>
Message-ID: <20080707134836.M25987@mail.txwes.edu>

David -

At least once a week on our 8,000-user systems, synchronization breaks. Usually it is because the Passsync service on the AD server stops running. Other times, Passsync is running, but passwords do not sync. Sometimes passwords sync only one way. Sometimes password sync works when we change the user's password on the domain controller, but it does not work when we change the user's password on the user's Windows XP computer.

Sometimes password sync breaks and other attributes continue to synchronize. Often while this is going on, new accounts are not replicated from one system to the other. An aggravating factor seems to be accounts that have attributes allowed in Fedora Directory but not allowed in Active Directory, such as duplicate names or user IDs.

The remedy for these problems seems to be to stop and restart Passsync and do a full resync from the Fedora Directory Server console. Duplicate entries must be changed so they are acceptable to AD, and a resync is necessary to get them to replicate.

Thanks for the suggestion on creating the resync script.

-G.
From david_list at boreham.org Mon Jul 7 14:29:58 2008
From: david_list at boreham.org (David Boreham)
Date: Mon, 07 Jul 2008 08:29:58 -0600
Subject: [Fedora-directory-users] Scheduled Resync with Windows Sync?
In-Reply-To: <20080707134836.M25987@mail.txwes.edu>
References: <20080624151647.M48745@mail.txwes.edu> <486B7C21.6000409@boreham.org> <20080707134836.M25987@mail.txwes.edu>
Message-ID: <48722866.9010900@boreham.org>

Glenn wrote:
> David - At least once a week on our 8,000-user systems, synchronization
> breaks. Usually it is because the Passsync service on the AD server stops
> running. Other times, Passsync is running, but passwords do not sync.
> Sometimes passwords sync only one way. Sometimes password sync works when we
> change the user's password on the domain controller, but it does not work
> when we change the user's password on the user's Windows XP computer.
>
You do know that the passsync service is completely autonomous from the FDS server-side sync functionality? Initiating a re-sync on FDS should have no effect on passsync, since they are separate.

> Sometimes password sync breaks and other attributes continue to synchronize.
>
This would make perfect sense, since the two are implemented in different software, running on different machines.

> Often while this is going on, new accounts are not replicated from one system
> to the other. An aggravating factor seems to be accounts that have
> attributes allowed in Fedora Directory but not allowed in Active Directory,
> such as duplicate names or user IDs.
>
Hmm...the FDS windows sync code is supposed to strip off illegal schema to prevent this problem, but perhaps it isn't working properly in your case.

> The remedy for these problems seems to be to stop and restart Passsync and do
> a full resync from the Fedora Directory Server console. Duplicate entries
> must be changed so they are acceptable to AD, and a resync is necessary to
> get them to replicate.
>
If you're running an 8k user site with this code you might think about investing some money in having someone fix it. It sounds like you have hit one or more quite serious bugs that would probably not take too long to diagnose and fix.

From wiskbroom at hotmail.com Mon Jul 7 14:49:23 2008
From: wiskbroom at hotmail.com (wiskbroom at hotmail.com)
Date: Mon, 7 Jul 2008 10:49:23 -0400
Subject: [Fedora-directory-users] Linux (RH and FC) & Solaris 8 / 10 group/netgroup and passwd Advice Desperately Needed [OT?]
In-Reply-To: <48722866.9010900@boreham.org>
References: <20080624151647.M48745@mail.txwes.edu> <486B7C21.6000409@boreham.org> <20080707134836.M25987@mail.txwes.edu> <48722866.9010900@boreham.org>
Message-ID:

Hello All;

My network, which once consisted of mostly Solaris 2.8 and Linux (Fedora Core and RedHat) and now consists of mostly Windows 2k3 servers and XP boxes, with still a large amount of Linux and Solaris servers, is becoming a nightmare to administer, and I am desperately seeking some advice.
I would like to simplify all account information on my Solaris 2.8, Solaris 10 and Linux servers/workstations to lookup and authenticate user account info, as well as what is now in NIS netgroup and group, against one of my many AD servers. Would FCS help me at all? Or would it further complicate my already complicated environment? Could someone point me in the right direction for how to get my *nix boxes to perform what I am looking for them to do? I've found a few articles for Solaris 10, but very little information for Solaris 8. Also, not sure if I need some additional PAM modules and or entries, especially for Solaris 8 which I am clueless for. While I realize that this question might be off-topic, I have nowhere else to look, I therefore apologize in advance if this posting has offended anyone. Thank you, .vp -------------- next part -------------- An HTML attachment was scrubbed... URL: From michael at stroeder.com Mon Jul 7 15:11:23 2008 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Mon, 07 Jul 2008 17:11:23 +0200 Subject: [Fedora-directory-users] Case Sensitive Lookup and Searching In-Reply-To: <487214C6.2070007@redhat.com> References: <4871DE2A.2050707@stroeder.com> <487214C6.2070007@redhat.com> Message-ID: <4872321B.1010805@stroeder.com> Rich Megginson wrote: > Michael Str?der wrote: >> I really wonder whether default matching rules are applied for certain >> LDAP syntaxes and how to find out which these are. >> > If there is no matching rule, it just goes by the most appropriate > internal matching rule that corresponds to the SYNTAX. Any description how the "most appropriate internal matching rule" is chosen? Is the list of matching rules in the subschema subentry complete? Ciao, Michael. From edlinuxguru at gmail.com Mon Jul 7 15:17:49 2008 From: edlinuxguru at gmail.com (Edward Capriolo) Date: Mon, 7 Jul 2008 11:17:49 -0400 Subject: [Fedora-directory-users] A multi-master disaster Message-ID: Sorry for the funny title. 
I THINK* this may be a bug of multi-master replication agreement created from the Windows Version of the Console Tool but I was hoping someone could shed some light on this. I have set up multi master replication before and did not run into this issue. I go about the normal process described in the documentation to setup a multi-master replication agreement for only one suffix of my directory server. dc_edops_dc_com. Enable changelog Select multi-master replication Give each server a unique id I initialize the side of the connection with data. (I also have tried using ldif to get both sides in sync before the transfer. ) On the side I initialize from I get these messages in the error log. [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Workers finished; cleaning up... [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Workers cleaned up. [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Cleaning up producer thread... [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Indexing complete. Post-processing... [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Flushing caches... [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Closing files... [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Import complete. Processed 42 entries in 2 seconds. (21.00 entries/sec) [02/Jul/2008:18:25:19 -0400] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=edops,dc=com is coming online; enabling replication [02/Jul/2008:18:25:20 -0400] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=edops,dc=com : 32 At this point actually multi-master replication is enabled, but the B side of the connection has some strange referral to the A side. When I connect to side B of the replication it seems like there is one more level there. Does anyone understand why this simple setup would not be working? 
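Result code 32 in the repl_set_mtn_referrals line is LDAP noSuchObject: the replication plugin looked up the mapping tree node for the suffix and did not find it. Later in this thread Ulf Weltman suggests comparing the mapping tree entries in dse.ldif on both replicas (guessing at a stray space in the cn value), and Edward finds that his hand-written entry lacked the quoted cn: "dc=edops,dc=com" value that the console-created o=netscaperoot entry has. The following script, added here as an illustration and not code from the thread or from Fedora DS, parses a dse.ldif fragment and reports those two defects plus a cn/DN mismatch, and diffs the suffixes present on two replicas. The sample dse.ldif fragments are constructed after the entries Edward posted; the nsMappingTree objectclass is assumed to be present.

```python
"""Sanity-check mapping tree entries in a 389/Fedora DS dse.ldif.

Added example; not code from the list thread or from Fedora DS itself.
The sample fragments are constructed from the entries shown in the thread.
"""
import re

MAPPING_TREE_PARENT = "cn=mapping tree,cn=config"

# Constructed sample modelled on Edward's working o=netscaperoot entry:
# each mapping tree node carries both a quoted and an unquoted cn value.
DSE_A = """\
dn: cn="o=netscaperoot",cn=mapping tree,cn=config
objectclass: nsMappingTree
cn: "o=netscaperoot"
cn: o=netscaperoot

dn: cn="dc=edops,dc=com",cn=mapping tree,cn=config
objectclass: nsMappingTree
cn: "dc=edops,dc=com"
cn: dc=edops,dc=com
"""

# Replica B as Edward first had it: the quoted cn value is missing.
DSE_B = """\
dn: cn="dc=edops,dc=com",cn=mapping tree, cn=config
objectclass: nsMappingTree
cn: dc=edops,dc=com
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attr: [values]}); unfolds continuation lines."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, dn, attrs = [], None, {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def normalize_suffix(value):
    """Strip surrounding quotes, spaces around commas and case, for comparison only."""
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return ",".join(p.strip() for p in value.split(",")).lower()


def split_mapping_dn(dn):
    """Return (cn RDN value, parent DN); the cn value may be a quoted DN."""
    m = re.match(r'^\s*cn=("[^"]*"|[^,]*)\s*,\s*(.*)$', dn, re.IGNORECASE)
    return (m.group(1).strip(), m.group(2)) if m else (None, None)


def mapping_tree_entries(entries):
    """Map normalized suffix -> (dn, attrs) for every node under cn=mapping tree."""
    found = {}
    for dn, attrs in entries:
        rdn_value, parent = split_mapping_dn(dn)
        if parent is not None and normalize_suffix(parent) == MAPPING_TREE_PARENT:
            found[normalize_suffix(rdn_value)] = (dn, attrs)
    return found


def _quoted(v):
    return len(v) >= 2 and v[0] == '"' and v[-1] == '"'


def check_mapping_tree(entries):
    """Return [(suffix, problem)] for the defects discussed in the thread:
    missing-quoted-cn, missing-unquoted-cn, space-in-cn, cn-dn-mismatch."""
    findings = []
    for suffix, (dn, attrs) in sorted(mapping_tree_entries(entries).items()):
        cn_values = attrs.get("cn", [])
        if not any(_quoted(v) for v in cn_values):
            findings.append((suffix, "missing-quoted-cn"))
        if not any(not _quoted(v) for v in cn_values):
            findings.append((suffix, "missing-unquoted-cn"))
        if any(re.search(r"\s,|,\s", v.strip('"')) for v in cn_values):
            findings.append((suffix, "space-in-cn"))      # Ulf's guess: cn="dc=edops, dc=com"
        if any(normalize_suffix(v) != suffix for v in cn_values):
            findings.append((suffix, "cn-dn-mismatch"))
    return findings


def compare_replicas(entries_a, entries_b):
    """Suffixes configured on one replica but not the other (Ulf's dse.ldif comparison)."""
    a, b = mapping_tree_entries(entries_a), mapping_tree_entries(entries_b)
    return sorted(set(a) - set(b)), sorted(set(b) - set(a))


if __name__ == "__main__":
    for name, text in (("replica A", DSE_A), ("replica B", DSE_B)):
        print(name, check_mapping_tree(parse_ldif(text)))
    print("only on A / only on B:", compare_replicas(parse_ldif(DSE_A), parse_ldif(DSE_B)))
```

Run it against the real dse.ldif of each replica (the server must be stopped or the file copied first, since dse.ldif is rewritten by the running server) by passing the file contents to parse_ldif; an empty findings list and an empty diff are what a healthy pair of replicas should produce.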
From rmeggins at redhat.com Mon Jul 7 15:21:40 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 07 Jul 2008 09:21:40 -0600
Subject: [Fedora-directory-users] Case Sensitive Lookup and Searching
In-Reply-To: <4872321B.1010805@stroeder.com>
References: <4871DE2A.2050707@stroeder.com> <487214C6.2070007@redhat.com> <4872321B.1010805@stroeder.com>
Message-ID: <48723484.6020105@redhat.com>

Michael Ströder wrote:
> Rich Megginson wrote:
>> Michael Ströder wrote:
>>> I really wonder whether default matching rules are applied for
>>> certain LDAP syntaxes and how to find out which these are.
>>>
>> If there is no matching rule, it just goes by the most appropriate
>> internal matching rule that corresponds to the SYNTAX.
>
> Any description how the "most appropriate internal matching rule" is
> chosen?

No, not really, afaik. I suppose it attempts to use "common sense" e.g. if
the syntax is for case sensitive string, it uses a matching rule for case
sensitive string comparison, and uses indexers for case sensitive strings.

> Is the list of matching rules in the subschema subentry complete?

Complete as in "implements every matching rule defined in every LDAP RFC" -
no.

> Ciao, Michael.

From beyonddc.storage at gmail.com Mon Jul 7 15:21:22 2008
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Mon, 7 Jul 2008 11:21:22 -0400
Subject: [Fedora-directory-users] Question on monitoring authorization
Message-ID: <20e4c38c0807070821i10221e0fx508a14196f7f9c75@mail.gmail.com>

Hi all,

I've a question on monitoring authorization. When a user without sufficient
privileges performs a search request on the LDAP, the user will receive an
empty result from the LDAP. I followed the instruction from the Red Hat
Directory Server Administrator's Guide and set the access mode to 777 to log
all read, write and execute commands. When I look at the log of an
unauthorized user, all I see is the following

[07/Jul/2008:11:08:37 -0400] conn=42 op=81 SRCH base="ou=sandbox,ou=my_test,dc=example,dc=com" scope=1 filter="(objectClass=*)" attrs="objectClass javaClassName"
[07/Jul/2008:11:08:37 -0400] conn=42 op=81 RESULT err=0 tag=101 nentries=0 etime=0

The log doesn't indicate any authorization error. I was wondering if there
are additional settings that I can set on Fedora DS so I can easily tell if
a user is not authorized to perform a search operation on the LDAP.

Thanks!

- David

From michael at stroeder.com Mon Jul 7 15:31:26 2008
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 07 Jul 2008 17:31:26 +0200
Subject: [Fedora-directory-users] Case Sensitive Lookup and Searching
In-Reply-To: <48723484.6020105@redhat.com>
References: <4871DE2A.2050707@stroeder.com> <487214C6.2070007@redhat.com> <4872321B.1010805@stroeder.com> <48723484.6020105@redhat.com>
Message-ID: <487236CE.2000509@stroeder.com>

Rich Megginson wrote:
> Michael Ströder wrote:
>> Rich Megginson wrote:
>>> Michael Ströder wrote:
>>>> I really wonder whether default matching rules are applied for
>>>> certain LDAP syntaxes and how to find out which these are.
>>>>
>>> If there is no matching rule, it just goes by the most appropriate
>>> internal matching rule that corresponds to the SYNTAX.
>>
>> Any description how the "most appropriate internal matching rule" is
>> chosen?
> No, not really, afaik. I suppose it attempts to use "common sense" e.g.
> if the syntax is for case sensitive string, it uses a matching rule for
> case sensitive string comparison, and uses indexers for case sensitive
> strings.

And how to determine whether a syntax is used for case sensitive strings?
That's exactly the problem of the original poster I guess.

>> Is the list of matching rules in the subschema subentry complete?
> Complete as in "implements every matching rule defined in every LDAP
> RFC" - no.

Complete in the sense: The subschema subentry lists all the matching rules
which are implemented, no more, no less.

Ciao, Michael.

From playactor at gmail.com Mon Jul 7 15:59:07 2008
From: playactor at gmail.com (Eric Brown)
Date: Mon, 7 Jul 2008 10:59:07 -0500
Subject: [Fedora-directory-users] Question about setting a Password Policy from the Command Line
Message-ID:

I am trying to create an LDIF for importing a default password policy for my
FDS server that I can quickly import after I start it. I was looking through
the Administrator's Guide and it seems to be missing some fields that are
defined in the objectclass for password policy. I was just wondering if the
Admin guide was correct and has all of the defined attributes for the policy
there and defined, or if these extra ones are also valid and have
documentation associated with them. I am using the 1.0.4 version of FDS and
I would guess that the online guides have been updated for the newer
versions, but I didn't expect to see this much of a difference.

Attributes from the Admin Guide:
passwordGraceLimit
passwordMustChange
passwordChange
passwordExp
passwordMaxAge
passwordWarning
passwordCheckSyntax
passwordMinLength
passwordMinAge
passwordHistory
passwordInHistory
passwordStorageScheme

Attributes from the 00core.ldif schema definition of the password policy
objectclass:
passwordMaxAge
passwordExp
passwordMinLength
passwordKeepHistory
passwordInHistory
passwordChange
passwordWarning
passwordLockout
passwordMaxFailure
passwordResetDuration
passwordUnlock
passwordLockoutDuration
passwordCheckSyntax
passwordMustChange
passwordStorageScheme
passwordMinAge
passwordResetFailureCount
passwordGraceLimit
passwordMinDigits
passwordMinAlphas
passwordMinUppers
passwordMinLowers
passwordMinSpecials
passwordMin8bit
passwordMaxRepeats
passwordMinCategories
passwordMinTokenLength

Just need to know which list is really valid, and I need the documentation
or at least explanations of the fields that I can use in my version.

Thanks in advance.

Eric

From rmeggins at redhat.com Mon Jul 7 16:11:44 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 07 Jul 2008 10:11:44 -0600
Subject: [Fedora-directory-users] Case Sensitive Lookup and Searching
In-Reply-To: <487236CE.2000509@stroeder.com>
References: <4871DE2A.2050707@stroeder.com> <487214C6.2070007@redhat.com> <4872321B.1010805@stroeder.com> <48723484.6020105@redhat.com> <487236CE.2000509@stroeder.com>
Message-ID: <48724040.7060308@redhat.com>

Michael Ströder wrote:
> Rich Megginson wrote:
>> Michael Ströder wrote:
>>> Rich Megginson wrote:
>>>> Michael Ströder wrote:
>>>>> I really wonder whether default matching rules are applied for
>>>>> certain LDAP syntaxes and how to find out which these are.
>>>>>
>>>> If there is no matching rule, it just goes by the most appropriate
>>>> internal matching rule that corresponds to the SYNTAX.
>>>
>>> Any description how the "most appropriate internal matching rule" is
>>> chosen?
>> No, not really, afaik. I suppose it attempts to use "common sense"
>> e.g. if the syntax is for case sensitive string, it uses a matching
>> rule for case sensitive string comparison, and uses indexers for case
>> sensitive strings.
>
> And how to determine whether a syntax is used for case sensitive
> strings? That's exactly the problem of the original poster I guess.

I think IA5String is case sensitive, and Directory String is case
insensitive.

>>> Is the list of matching rules in the subschema subentry complete?
>> Complete as in "implements every matching rule defined in every LDAP
>> RFC" - no.
>
> Complete in the sense: The subschema subentry lists all the matching
> rules which are implemented, no more, no less.

Not sure.

> Ciao, Michael.

From edlinuxguru at gmail.com Mon Jul 7 17:03:06 2008
From: edlinuxguru at gmail.com (Edward Capriolo)
Date: Mon, 7 Jul 2008 13:03:06 -0400
Subject: [Fedora-directory-users] Re: A multi-master disaster
In-Reply-To:
References:
Message-ID:

[07/Jul/2008:12:56:49 -0400] conn=2 op=167 SRCH base="cn=repl, cn=replica, cn=\22dc=edops,dc=com\22, cn=mapping tree, cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd nsds5replicaChangesSentSinceStartup nsds5replicaLastUpdateStatus nsds5replicaUpdateInProgress nsds5replicaLastInitStart nsds5replicaLastInitEnd nsds5replicaLastInitStatus nsds5BeginReplicaRefresh"

To follow up. Are these entries being escaped for the log or is it that the
console tool is generating these incorrectly? I had similar \22 trying to
configure ACI from the gui.
On Mon, Jul 7, 2008 at 11:17 AM, Edward Capriolo wrote:
> Sorry for the funny title. I THINK* this may be a bug of multi-master
> replication agreement created from the Windows Version of the Console
> Tool but I was hoping someone could shed some light on this. I have
> set up multi master replication before and did not run into this
> issue.
>
>
> I go about the normal process described in the documentation to setup
> a multi-master replication agreement for only one suffix of my
> directory server. dc_edops_dc_com.
> Enable changelog
> Select multi-master replication
> Give each server a unique id
>
> I initialize the side of the connection with data. (I also have tried
> using ldif to get both sides in sync before the transfer. )
>
> On the side I initialize from I get these messages in the error log.
>
> [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Workers
> finished; cleaning up...
> [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Workers cleaned up.
> [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Cleaning up
> producer thread...
> [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Indexing
> complete. Post-processing...
> [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Flushing caches...
> [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Closing files...
> [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Import
> complete. Processed 42 entries in 2 seconds. (21.00 entries/sec)
> [02/Jul/2008:18:25:19 -0400] NSMMReplicationPlugin -
> multimaster_be_state_change: replica dc=edops,dc=com is coming online;
> enabling replication
> [02/Jul/2008:18:25:20 -0400] NSMMReplicationPlugin -
> repl_set_mtn_referrals: could not set referrals for replica
> dc=edops,dc=com : 32
>
> At this point actually multi-master replication is enabled, but the B
> side of the connection has some strange referral to the A side. When I
> connect to side B of the replication it seems like there is one more
> level there.
>
> Does anyone understand why this simple setup would not be working?
>

From ulf.weltman at hp.com Mon Jul 7 17:36:34 2008
From: ulf.weltman at hp.com (Ulf Weltman)
Date: Mon, 07 Jul 2008 10:36:34 -0700
Subject: [Fedora-directory-users] Re: A multi-master disaster
In-Reply-To:
References:
Message-ID: <48725422.1030103@hp.com>

Quotes are expected to be escaped in the access log. I wonder if you have a
space in the cn value of the mapping node, that is, something like
cn="dc=edops, dc=com". That would allow the import to succeed but the node
would not be found without the space to set the referral. Compare the
mapping tree entries in the dse.ldif files on your two replicas.

Edward Capriolo wrote:
> [07/Jul/2008:12:56:49 -0400] conn=2 op=167 SRCH base="cn=repl,
> cn=replica, cn=\22dc=edops,dc=com\22, cn=mapping tree, cn=config"
> scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))"
> attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd
> nsds5replicaChangesSentSinceStartup nsds5replicaLastUpdateStatus
> nsds5replicaUpdateInProgress nsds5replicaLastInitStart
> nsds5replicaLastInitEnd nsds5replicaLastInitStatus
> nsds5BeginReplicaRefresh"
>
> To follow up. Are these entries being escaped for the log or is it
> that the console tool is generating these incorrectly? I had similar
> \22 trying to configure ACI from the gui.
>
>
> On Mon, Jul 7, 2008 at 11:17 AM, Edward Capriolo wrote:
>
>> Sorry for the funny title. I THINK* this may be a bug of multi-master
>> replication agreement created from the Windows Version of the Console
>> Tool but I was hoping someone could shed some light on this. I have
>> set up multi master replication before and did not run into this
>> issue.
>>
>>
>> I go about the normal process described in the documentation to setup
>> a multi-master replication agreement for only one suffix of my
>> directory server. dc_edops_dc_com.
>> Enable changelog
>> Select multi-master replication
>> Give each server a unique id
>>
>> I initialize the side of the connection with data. (I also have tried
>> using ldif to get both sides in sync before the transfer. )
>>
>> On the side I initialize from I get these messages in the error log.
>>
>> [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Workers
>> finished; cleaning up...
>> [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Workers cleaned up.
>> [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Cleaning up
>> producer thread...
>> [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Indexing
>> complete. Post-processing...
>> [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Flushing caches...
>> [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Closing files...
>> [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Import
>> complete. Processed 42 entries in 2 seconds. (21.00 entries/sec)
>> [02/Jul/2008:18:25:19 -0400] NSMMReplicationPlugin -
>> multimaster_be_state_change: replica dc=edops,dc=com is coming online;
>> enabling replication
>> [02/Jul/2008:18:25:20 -0400] NSMMReplicationPlugin -
>> repl_set_mtn_referrals: could not set referrals for replica
>> dc=edops,dc=com : 32
>>
>> At this point actually multi-master replication is enabled, but the B
>> side of the connection has some strange referral to the A side. When I
>> connect to side B of the replication it seems like there is one more
>> level there.
>>
>> Does anyone understand why this simple setup would not be working?
>>
>>
>

From michael at stroeder.com Mon Jul 7 17:55:25 2008
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 07 Jul 2008 19:55:25 +0200
Subject: [Fedora-directory-users] Case Sensitive Lookup and Searching
In-Reply-To: <48724040.7060308@redhat.com>
References: <4871DE2A.2050707@stroeder.com> <487214C6.2070007@redhat.com> <4872321B.1010805@stroeder.com> <48723484.6020105@redhat.com> <487236CE.2000509@stroeder.com> <48724040.7060308@redhat.com>
Message-ID: <4872588D.3070907@stroeder.com>

Rich Megginson wrote:
> Michael Ströder wrote:
>> Rich Megginson wrote:
>>> Michael Ströder wrote:
>>>> Rich Megginson wrote:
>>>>> Michael Ströder wrote:
>>>>>> I really wonder whether default matching rules are applied for
>>>>>> certain LDAP syntaxes and how to find out which these are.
>>>>>>
>>>>> If there is no matching rule, it just goes by the most appropriate
>>>>> internal matching rule that corresponds to the SYNTAX.
>>>>
>>>> Any description how the "most appropriate internal matching rule" is
>>>> chosen?
>>> No, not really, afaik. I suppose it attempts to use "common sense"
>>> e.g. if the syntax is for case sensitive string, it uses a matching
>>> rule for case sensitive string comparison, and uses indexers for case
>>> sensitive strings.
>>
>> And how to determine whether a syntax is used for case sensitive
>> strings? That's exactly the problem of the original poster I guess.
>
> I think IA5String is case sensitive, and Directory String is case
> insensitive.

I don't think so (see section 4.2. of RFC 4517).

Ciao, Michael.
From rmeggins at redhat.com Mon Jul 7 18:10:50 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 07 Jul 2008 12:10:50 -0600
Subject: [Fedora-directory-users] Case Sensitive Lookup and Searching
In-Reply-To: <4872588D.3070907@stroeder.com>
References: <4871DE2A.2050707@stroeder.com> <487214C6.2070007@redhat.com> <4872321B.1010805@stroeder.com> <48723484.6020105@redhat.com> <487236CE.2000509@stroeder.com> <48724040.7060308@redhat.com> <4872588D.3070907@stroeder.com>
Message-ID: <48725C2A.5030607@redhat.com>

Michael Ströder wrote:
> Rich Megginson wrote:
>> Michael Ströder wrote:
>>> Rich Megginson wrote:
>>>> Michael Ströder wrote:
>>>>> Rich Megginson wrote:
>>>>>> Michael Ströder wrote:
>>>>>>> I really wonder whether default matching rules are applied for
>>>>>>> certain LDAP syntaxes and how to find out which these are.
>>>>>>>
>>>>>> If there is no matching rule, it just goes by the most
>>>>>> appropriate internal matching rule that corresponds to the SYNTAX.
>>>>>
>>>>> Any description how the "most appropriate internal matching rule"
>>>>> is chosen?
>>>> No, not really, afaik. I suppose it attempts to use "common sense"
>>>> e.g. if the syntax is for case sensitive string, it uses a matching
>>>> rule for case sensitive string comparison, and uses indexers for
>>>> case sensitive strings.
>>>
>>> And how to determine whether a syntax is used for case sensitive
>>> strings? That's exactly the problem of the original poster I guess.
>
>
>> I think IA5String is case sensitive, and Directory String is case
>> insensitive.
>
> I don't think so (see section 4.2. of RFC 4517).

Ok. But the way Fedora DS works is that it treats IA5String as case
sensitive, and Directory String as case insensitive - see
ldap/servers/plugins/syntaxes/ces.c and cis.c

> Ciao, Michael.

From michael at stroeder.com Mon Jul 7 18:24:22 2008
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 07 Jul 2008 20:24:22 +0200
Subject: [Fedora-directory-users] Case Sensitive Lookup and Searching
In-Reply-To: <48725C2A.5030607@redhat.com>
References: <4871DE2A.2050707@stroeder.com> <487214C6.2070007@redhat.com> <4872321B.1010805@stroeder.com> <48723484.6020105@redhat.com> <487236CE.2000509@stroeder.com> <48724040.7060308@redhat.com> <4872588D.3070907@stroeder.com> <48725C2A.5030607@redhat.com>
Message-ID: <48725F56.2030109@stroeder.com>

Rich Megginson wrote:
> Michael Ströder wrote:
>> Rich Megginson wrote:
>>> I think IA5String is case sensitive, and Directory String is case
>>> insensitive.
>> I don't think so (see section 4.2. of RFC 4517).
> Ok. But the way Fedora DS works is that it treats IA5String as case
> sensitive, and Directory String as case insensitive - see
> ldap/servers/plugins/syntaxes/ces.c and cis.c

Hmm, but then the problem of the original poster is that the matching rule
applied to an attribute value (based on your rule above) has nothing to do
with the normalization of the entry's RDN.

Because he was asking about memberUid=steves vs. memberUid=Steves which are
two different entries in his data (based on caseExactIA5Match) but are
treated as the same entry in FDS.

(Nevertheless he should get his data fixed for various reasons.)

Ciao, Michael.
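The distinction Michael draws is between two normalizations: the equality matching rule of the attribute (for memberUid, RFC 2307 specifies caseExactIA5Match, under which steves and Steves are different values) and the normalization the server applies to an RDN when it decides whether two DNs name the same entry (which, per this thread, Fedora DS does case-insensitively). The script below, an added example and not code from the thread, from Fedora DS or from OpenLDAP, models both policies and reports the DN groups that collapse into one entry under each, which is the pre-migration check Mike C needs before moving data that OpenLDAP kept apart. The matching-rule table and the sample DNs are constructed for the illustration.

```python
"""Find entries whose DNs collide once RDN values are case-folded.

Added example; not code from the list thread, Fedora DS or OpenLDAP.
The matching-rule table and sample DNs below are constructed.
"""
import re

# Equality matching rule per attribute type (constructed table; memberUid
# per RFC 2307, uid and cn per RFC 4519). Unlisted types default to
# caseIgnoreMatch, which is the common case for DirectoryString attributes.
MATCHING_RULES = {
    "memberuid": "caseExactIA5Match",
    "uid": "caseIgnoreMatch",
    "cn": "caseIgnoreMatch",
}


def normalize_value(attr, value, rules=MATCHING_RULES):
    """Schema-correct normalization: fold case only under a caseIgnore* rule."""
    rule = rules.get(attr.lower(), "caseIgnoreMatch")
    value = " ".join(value.split())          # insignificant-space handling, simplified
    return value.lower() if rule.startswith("caseIgnore") else value


def fold_always(attr, value):
    """The behaviour the thread attributes to Fedora DS: RDN values are always case-folded."""
    return " ".join(value.split()).lower()


def split_rdn(dn):
    """Return (attr, value, parent) for the leftmost RDN; honours backslash escapes."""
    m = re.match(r"^([^=]+)=((?:\\.|[^,])*)(?:,(.*))?$", dn.strip())
    if not m:
        raise ValueError("not a DN: %r" % dn)
    return m.group(1).strip(), m.group(2).strip(), m.group(3) or ""


def normalize_dn(dn, rdn_normalizer):
    """Normalize every RDN with the given policy; attribute types are case-insensitive."""
    parts, rest = [], dn
    while rest:
        attr, value, rest = split_rdn(rest)
        parts.append("%s=%s" % (attr.lower(), rdn_normalizer(attr, value)))
    return ",".join(parts)


def find_rdn_collisions(dns, rdn_normalizer=fold_always):
    """Group DNs by normalized form; return only the groups with more than one member."""
    groups = {}
    for dn in dns:
        groups.setdefault(normalize_dn(dn, rdn_normalizer), []).append(dn)
    return {key: members for key, members in groups.items() if len(members) > 1}


# Constructed data in the shape Michael describes: two memberUid RDNs that
# differ only in case, plus a uid pair that any server would merge.
SAMPLE_DNS = [
    "memberUid=steves,cn=staff,ou=groups,dc=example,dc=com",
    "memberUid=Steves,cn=staff,ou=groups,dc=example,dc=com",
    "memberUid=alice,cn=staff,ou=groups,dc=example,dc=com",
    "uid=Bob,ou=people,dc=example,dc=com",
    "uid=bob,ou=people,dc=example,dc=com",
]

if __name__ == "__main__":
    print("collisions under case-folded RDNs (the FDS behaviour described in the thread):")
    for key, members in find_rdn_collisions(SAMPLE_DNS).items():
        print(" ", key, "<-", members)
    print("collisions under the attributes' own matching rules:")
    for key, members in find_rdn_collisions(SAMPLE_DNS, normalize_value).items():
        print(" ", key, "<-", members)
```

Feed it the DNs of an LDIF export (one line per dn:) and the first report lists every group of entries that would be merged or rejected on import into a server that folds RDN case; the second shows which of those groups are genuine duplicates under the schema, so the remainder are the entries that need a different naming attribute or subtree, as Michael suggests, before migration.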
From edlinuxguru at gmail.com Mon Jul 7 19:12:12 2008
From: edlinuxguru at gmail.com (Edward Capriolo)
Date: Mon, 7 Jul 2008 15:12:12 -0400
Subject: [Fedora-directory-users] Re: A multi-master disaster
In-Reply-To: <48725422.1030103@hp.com>
References: <48725422.1030103@hp.com>
Message-ID:

Interesting point. I did create the database (suffix and top objects) from
LDIF files. I noticed how o=netscaperoot was setup...

dn: cn="o=netscaperoot", cn=mapping tree, cn=config
cn: "o=netscaperoot"
cn: o=netscaperoot

dn: cn="dc=edops,dc=com",cn=mapping tree, cn=config
cn: dc=edops,dc=com

I noticed that the quoted entry was missing. I added this entry and the
replication works. In the past I had always used the console tool to create
the database backends. Missing the quoted entry caused some features to work
and some features not to work.

Thank you for 'laser guiding' me to a better target. This was a big help!

I still get this error on updates...but this seems like a warning

[07/Jul/2008:15:05:09 -0400] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=aboutops,dc=com: 1

On Mon, Jul 7, 2008 at 1:36 PM, Ulf Weltman wrote:
> Quotes are expected to be escaped in the access log. I wonder if you have a
> space in the cn value of the mapping node, that is, something like
> cn="dc=edops, dc=com". That would allow the import to succeed but the node
> would not be found without the space to set the referral. Compare the
> mapping tree entries in the dse.ldif files on your two replicas.
>
> Edward Capriolo wrote:
>
> [07/Jul/2008:12:56:49 -0400] conn=2 op=167 SRCH base="cn=repl,
> cn=replica, cn=\22dc=edops,dc=com\22, cn=mapping tree, cn=config"
> scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))"
> attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd
> nsds5replicaChangesSentSinceStartup nsds5replicaLastUpdateStatus
> nsds5replicaUpdateInProgress nsds5replicaLastInitStart
> nsds5replicaLastInitEnd nsds5replicaLastInitStatus
> nsds5BeginReplicaRefresh"
>
> To follow up. Are these entries being escaped for the log or is it
> that the console tool is generating these incorrectly? I had similar
> \22 trying to configure ACI from the gui.
>
>
> On Mon, Jul 7, 2008 at 11:17 AM, Edward Capriolo
> wrote:
>
>
> Sorry for the funny title. I THINK* this may be a bug of multi-master
> replication agreement created from the Windows Version of the Console
> Tool but I was hoping someone could shed some light on this. I have
> set up multi master replication before and did not run into this
> issue.
>
>
> I go about the normal process described in the documentation to setup
> a multi-master replication agreement for only one suffix of my
> directory server. dc_edops_dc_com.
> Enable changelog
> Select multi-master replication
> Give each server a unique id
>
> I initialize the side of the connection with data. (I also have tried
> using ldif to get both sides in sync before the transfer. )
>
> On the side I initialize from I get these messages in the error log.
>
> [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Workers
> finished; cleaning up...
> [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Workers cleaned up.
> [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Cleaning up
> producer thread...
> [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Indexing
> complete. Post-processing...
> [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Flushing caches...
> [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Closing files...
> [02/Jul/2008:18:25:19 -0400] - import dc_edops_dc_com: Import
> complete. Processed 42 entries in 2 seconds. (21.00 entries/sec)
> [02/Jul/2008:18:25:19 -0400] NSMMReplicationPlugin -
> multimaster_be_state_change: replica dc=edops,dc=com is coming online;
> enabling replication
> [02/Jul/2008:18:25:20 -0400] NSMMReplicationPlugin -
> repl_set_mtn_referrals: could not set referrals for replica
> dc=edops,dc=com : 32
>
> At this point actually multi-master replication is enabled, but the B
> side of the connection has some strange referral to the A side. When I
> connect to side B of the replication it seems like there is one more
> level there.
>
> Does anyone understand why this simple setup would not be working?
>
>

From omight at gmail.com Mon Jul 7 19:39:55 2008
From: omight at gmail.com (omight)
Date: Mon, 7 Jul 2008 21:39:55 +0200
Subject: [Fedora-directory-users] active directory synchronization info
Message-ID:

Hi List,

Does fedora-ds only synchronize users, groups and passwords with active
directory? So it's not possible to synchronize other objects?

Is it possible to synchronize all objects between active directory and linux
directory software? Which product do you recommend?

thanks heaps,

Omight

From playactor at gmail.com Mon Jul 7 20:19:13 2008
From: playactor at gmail.com (Eric Brown)
Date: Mon, 7 Jul 2008 15:19:13 -0500
Subject: [Fedora-directory-users] Question about setting a Password Policy from the Command Line
Message-ID:

I am trying to create an LDIF for importing a default password policy for my
FDS server that I can quickly import after I start it.
I was looking through the Adminstrator's Guide and it seems to be missing some fields that are defined in the objectclass for password policy. I was just wondering if the Admin guide was correct and has all of the defined attributes for the policy there and defined, or if these extra ones are also valid and have documentation associated with them. I am using the 1.0.4 version of FDS and I would guess that they online guides have been updated for the newer versions, but I didn't expect to see this much of a difference. Attributes from the Admin Guide: passwordGraceLimit passwordMustChange passwordChange passwordExp passwordMaxAge passwordWarning passwordCheckSyntax passwordMinLength passwordMinAge passwordHistory passwordInHistory passwordStorageScheme Attributes from the 00core.ldif schema definition of the password policy objectclass: passwordMaxAge passwordExp passwordMinLength passwordKeepHistory passwordInHistory passwordChange passwordWarning passwordLockout passwordMaxFailure passwordResetDuration passwordUnlock passwordLockoutDuration passwordCheckSyntax passwordMustChange passwordStorageScheme passwordMinAge passwordResetFailureCount passwordGraceLimit passwordMinDigits passwordMinAlphas passwordMinUppers passwordMinLowers passwordMinSpecials passwordMin8bit passwordMaxRepeats passwordMinCategories passwordMinTokenLength Just need to know which list is really valid, and I need the documentation or at least explanations of the fields that I can use in my version. Thanks in advance. 
Eric From smith.not.western at gmail.com Mon Jul 7 22:16:09 2008 From: smith.not.western at gmail.com (Mike C) Date: Tue, 8 Jul 2008 10:16:09 +1200 Subject: [Fedora-directory-users] Case Sensitive Lookup and Searching In-Reply-To: <48725F56.2030109@stroeder.com> References: <4871DE2A.2050707@stroeder.com> <487214C6.2070007@redhat.com> <4872321B.1010805@stroeder.com> <48723484.6020105@redhat.com> <487236CE.2000509@stroeder.com> <48724040.7060308@redhat.com> <4872588D.3070907@stroeder.com> <48725C2A.5030607@redhat.com> <48725F56.2030109@stroeder.com> Message-ID: On Tue, Jul 8, 2008 at 6:24 AM, Michael Str?der wrote: > Hmm, but then the problem of the original poster is that the matching rule > applied to an attribute value (based on your rule above) has nothing to with > the normalization of the entry's RDN. > Because he was asking about memberUid=steves vs. memberUid=Steves which are > two different entries in his data (based on caseExactIA5Match) but are > treated as the same entry in FDS. > > (Nevertheless he should get his data fixed for various reasons.) I agree, my schema (and data) are terrible. It's an artifact from openldap not being as conforming as fds. My main concern is that sanitizing my repository would require changing usernames for a hundred odd external users, something I wish to avoid. But given how memberUid's case sensitivity is nullified when part of a dn, migration it is. 
Thank you all for your help, Regards, Mike From michael at stroeder.com Mon Jul 7 23:05:30 2008 From: michael at stroeder.com (Michael Ströder) Date: Tue, 08 Jul 2008 01:05:30 +0200 Subject: [Fedora-directory-users] Case Sensitive Lookup and Searching In-Reply-To: References: <4871DE2A.2050707@stroeder.com> <487214C6.2070007@redhat.com> <4872321B.1010805@stroeder.com> <48723484.6020105@redhat.com> <487236CE.2000509@stroeder.com> <48724040.7060308@redhat.com> <4872588D.3070907@stroeder.com> <48725C2A.5030607@redhat.com> <48725F56.2030109@stroeder.com> Message-ID: <4872A13A.7060909@stroeder.com> Mike C wrote: > I agree, my schema (and data) are terrible. Then fix it. > It's an artifact from openldap not being as conforming as fds. Hmm, from the LDAPv3 standard's standpoint I strongly disagree. Strictly speaking it's the other way round. > My main concern is that sanitizing my repository would require > changing usernames for a hundred odd external users, something I wish > to avoid. Why do you have to change the user names? You could split the data across different subtrees and change the clients' configuration accordingly. Or you could merge entries. Or whatever... That's just meant as a start to think about what you can do without changing what the end-user has to type in. Your mileage may vary... Ciao, Michael. From ando at sys-net.it Mon Jul 7 22:33:00 2008 From: ando at sys-net.it (Pierangelo Masarati) Date: Tue, 08 Jul 2008 00:33:00 +0200 Subject: [Fedora-directory-users] Case Sensitive Lookup and Searching In-Reply-To: References: <4871DE2A.2050707@stroeder.com> <487214C6.2070007@redhat.com> <4872321B.1010805@stroeder.com> <48723484.6020105@redhat.com> <487236CE.2000509@stroeder.com> <48724040.7060308@redhat.com> <4872588D.3070907@stroeder.com> <48725C2A.5030607@redhat.com> <48725F56.2030109@stroeder.com> Message-ID: <4872999C.4050600@sys-net.it> Mike C wrote: > I agree, my schema (and data) are terrible.
It's an artifact from > openldap not being as conforming as fds. I assume you meant the opposite. OpenLDAP is operating according to the specification of memberUid as in RFC 2307 (case-sensitive), while FDS isn't. Whether you might consider this a feature or not, this is a fact. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: ando at sys-net.it ----------------------------------- From kmarsh at gdrs.com Tue Jul 8 13:44:34 2008 From: kmarsh at gdrs.com (kmarsh at gdrs.com) Date: Tue, 8 Jul 2008 09:44:34 -0400 Subject: [Fedora-directory-users] Samba/FDS Integration upgrade steps? Message-ID: <5AD9B0E562FEFB4E933861904D7135C598F62F@gdrs-exchange.gdrs.com> I am planning an upgrade on a supported RHES4 server from Samba 3.0.10-1.4E to 3.0.25b or the latest in the RHN update stream. I currently have Samba authentication integrated with AD through FDS 1.0.1-4, only because FDS 1.1 doesn't run on RHES4. I have single sign-on but not integrated password changes for Windows XP Domain users. Every Samba+FDS user currently has objectClass attribute sambasamaccount, and attributes sambaSID, sambaAcctFlags, sAMAccountName, sambaLMPassword and sambaNTPassword. According to Red Hat support (who cannot help me much because they only support OpenLDAP), there is a "schema change" and a script to convert the schema, however they did not know where the script was or its name. I also noticed during an attempt to upgrade that the SambaSID has changed format in 3.0.25b so I suppose I have to change that attribute value for every user. Can someone name the conversion script and lay out the steps that it will take to get me from 3.0.10-1.4E to 3.0.25b/later while maintaining AD integration? If it involves upgrading to FDS1.1, I can handle that, but I'd rather do one thing at a time. 
If there are any side benefits (like single password change) I'd also like to know. Thanks, Ken. -------------- next part -------------- An HTML attachment was scrubbed... URL: From solarflow99 at gmail.com Tue Jul 8 15:31:36 2008 From: solarflow99 at gmail.com (solarflow99) Date: Tue, 8 Jul 2008 16:31:36 +0100 Subject: [Fedora-directory-users] Samba/FDS Integration upgrade steps? In-Reply-To: <5AD9B0E562FEFB4E933861904D7135C598F62F@gdrs-exchange.gdrs.com> References: <5AD9B0E562FEFB4E933861904D7135C598F62F@gdrs-exchange.gdrs.com> Message-ID: <7020fd000807080831i737368dao589d6cdc145aa4ef@mail.gmail.com> On 7/8/08, kmarsh at gdrs.com wrote: > > > I am planning an upgrade on a supported RHES4 server from Samba 3.0.10-1.4E > to 3.0.25b or the latest in the RHN update stream. I currently have Samba > authentication integrated with AD through FDS 1.0.1-4, only because FDS 1.1 > doesn't run on RHES4. I have single sign-on but not integrated password > changes for Windows XP Domain users. > > > > Every Samba+FDS user currently has objectClass attribute sambasamaccount, > and attributes sambaSID, sambaAcctFlags, sAMAccountName, sambaLMPassword and > sambaNTPassword. > > > > According to Red Hat support (who cannot help me much because they only > support OpenLDAP), there is a "schema change" and a script to convert the > schema, however they did not know where the script was or its name. I also > noticed during an attempt to upgrade that the SambaSID has changed format in > 3.0.25b so I suppose I have to change that attribute value for every user. > > > Here's what I did to include samba support in FDS 1.1, might work with 1.0 too. The script where you add the schema is near the beginning, not all of the howto may be relevant for your purpose. http://directory.fedoraproject.org/wiki/Howto:Samba -------------- next part -------------- An HTML attachment was scrubbed...
URL: From hyc at symas.com Tue Jul 8 17:06:05 2008 From: hyc at symas.com (Howard Chu) Date: Tue, 08 Jul 2008 10:06:05 -0700 Subject: [Fedora-directory-users] Re: Case Sensitive Lookup and Searching (Mike C) In-Reply-To: <20080707155922.D86036192B6@hormel.redhat.com> References: <20080707155922.D86036192B6@hormel.redhat.com> Message-ID: <48739E7D.4040607@symas.com> > Date: Tue, 8 Jul 2008 10:16:09 +1200 > From: "Mike C" > I agree, my schema (and data) are terrible. It's an artifact from > openldap not being as conforming as fds. Ahem. OpenLDAP conforms perfectly to the LDAPv3 spec here. The behavior you're seeing with FDS is due to the fact that the FDS code base doesn't have full LDAPv3 schema support. Rich's reference to ces and cis is an artifact of the way the old UMich LDAPv2 code kludged schemas, and his mention of "case sensitive syntax" is archaic. In X.500 and LDAPv3, string syntaxes have no case sensitivity property at all; case sensitivity is determined solely by the matching rules in the schema definition of the attribute using the syntax. The only difference between IA5String and DirectoryString syntax is the range of legal characters that may be contained in the string (DirectoryString accommodates the entire Unicode set in UTF8 encoding, IA5String only allows 7 bit ASCII). > My main concern is that sanitizing my repository would require > changing usernames for a hundred odd external users, something I wish > to avoid. But given how memberUid's case sensitivity is nullified when > part of a dn, migration it is. In a true LDAP/X.500 server, DN evaluation obeys all of the schema rules of the individual attributes in each RDN composing the DN. E.g. in OpenLDAP, memberUid is case-sensitive whether it's being used in a RDN or anywhere else. -- -- Howard Chu CTO, Symas Corp.
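An added example (the editor's, not part of the thread and not code from OpenLDAP or FDS) of the point Howard makes above: equality is decided by the attribute's matching rule, not its syntax, and a DN comparison that applies each RDN attribute's own rule keeps memberUid=steves and memberUid=Steves as two entries, while one that simply lower-cases the whole DN merges them. The schema table (only caseExactIA5Match and caseIgnoreMatch, for the attributes this thread mentions) and the minimal DN parser are assumptions made for illustration.

```python
import unicodedata

# Equality matching rules named in this thread. RFC 2307 gives memberUid
# caseExactIA5Match; cn/ou/dc use caseIgnoreMatch. The table is an
# assumption kept to what the example needs.
def case_exact_ia5_match(value: str) -> str:
    """IA5String: 7-bit ASCII only; case is significant, runs of spaces are not."""
    if not value.isascii():
        raise ValueError("IA5String allows only 7-bit ASCII: %r" % value)
    return " ".join(value.split())

def case_ignore_match(value: str) -> str:
    """DirectoryString: any UTF-8; case folded, runs of spaces collapsed."""
    return " ".join(unicodedata.normalize("NFKC", value).casefold().split())

EQUALITY_RULE = {
    "memberuid": case_exact_ia5_match,
    "uid": case_ignore_match,
    "cn": case_ignore_match,
    "ou": case_ignore_match,
    "dc": case_ignore_match,
}

def values_equal(attr: str, a: str, b: str) -> bool:
    """Two values match iff their normalised forms under the attribute's
    equality rule are identical. The syntax plays no part in this."""
    rule = EQUALITY_RULE[attr.lower()]
    return rule(a) == rule(b)

def parse_dn(dn: str):
    """Split a DN into (attr, value) RDNs. Single-valued RDNs with no
    escaped commas only (assumption for this example)."""
    rdns = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns

def normalize_dn(dn: str, schema_aware: bool = True) -> str:
    """schema_aware=True applies each RDN attribute's own equality rule
    (the X.500/LDAPv3 behaviour Howard describes for OpenLDAP).
    schema_aware=False lower-cases every value, which is the behaviour
    that collapsed the poster's two memberUid entries into one."""
    parts = []
    for attr, value in parse_dn(dn):
        norm = EQUALITY_RULE[attr](value) if schema_aware else value.lower()
        parts.append("%s=%s" % (attr, norm))
    return ",".join(parts)

def dns_equal(dn1: str, dn2: str, schema_aware: bool = True) -> bool:
    return normalize_dn(dn1, schema_aware) == normalize_dn(dn2, schema_aware)

if __name__ == "__main__":
    lower = "memberUid=steves,cn=devs,ou=Groups,dc=example,dc=com"
    upper = "memberUid=Steves,cn=devs,ou=Groups,dc=example,dc=com"
    print(values_equal("memberUid", "steves", "Steves"))  # False
    print(values_equal("cn", "Devs", "devs"))             # True
    print(dns_equal(lower, upper))                        # False: two entries
    print(dns_equal(lower, upper, schema_aware=False))    # True: one entry
```

The two normalize_dn modes are the whole disagreement in this thread: the data is the same, only the DN normalisation differs, which is why the poster's migration has to decide which behaviour the clients will see.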
http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ From Soeren.Malchow at interone.de Tue Jul 8 17:39:00 2008 From: Soeren.Malchow at interone.de (Sören Malchow) Date: Tue, 8 Jul 2008 19:39:00 +0200 Subject: [Fedora-directory-users] Malchow, Sören is out of the office. Message-ID: I will be out of the office starting 08.07.2008 and will not return until 28.07.2008. Please contact Guenther Kreuzpaintner ( guenther.kreuzpaintner at interone.de ) instead From Chris.Hendry at turner.com Tue Jul 8 20:11:56 2008 From: Chris.Hendry at turner.com (Hendry, Chris) Date: Tue, 8 Jul 2008 16:11:56 -0400 Subject: [Fedora-directory-users] Using Console, posixGroups In-Reply-To: <20080708160010.B53188E0975@hormel.redhat.com> Message-ID: Sorry if this has been asked before. I'm using FDS to authenticate Linux and Mac. Mac uses the LDAP Mappings: RFC 2307, thus to get what groups a user is a part of, it looks at the attribute memberUid from the posixGroup class. When using the console to create a group, by default, it uses the attribute uniquemember from the groupOfUniqueNames class. Thus I have to add the posixGroup class manually using the advanced button. Also, to modify users of a group, I can not simply use the memberof window, but must use the advanced button to modify the memberUid attribute. This does not make much sense. Adding a group should be like adding a User, where you have a window to enable Posix attributes. Any ideas on getting the console to handle the posixGroup class? Chris From rmeggins at redhat.com Tue Jul 8 20:15:58 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 08 Jul 2008 14:15:58 -0600 Subject: [Fedora-directory-users] Using Console, posixGroups In-Reply-To: References: Message-ID: <4873CAFE.1070509@redhat.com> Hendry, Chris wrote: > Sorry if this has been asked before.
> > I'm using FDS to authenticate Linux and Mac. > > Mac uses the LDAP Mappings: RFC 2307, thus to get what groups a users is > a part of, it looks at the attribute memberUid from posixGroup Class. > > When using the console to create a group, by default, it uses the > attribute uniquemember from the groupOfUniquNames class. Thus I have > to add the posixGroup class manually using the advance button. Also, to > modify users of a group, I can not simply use the memberof window, must > use the advanced button to modify the memberUid attribute. > Right. > > This does not make much sense. Adding a group should be like adding a > User, where you have a window to enable Posix attributes. Any ideas on > getting the console to handle the posixGroup class? > Please file a bug/enhancement request at bugzilla.redhat.com If you are a Java hacker, patches are welcome. > Chris > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From joliver at john-oliver.net Thu Jul 10 18:09:23 2008 From: joliver at john-oliver.net (John Oliver) Date: Thu, 10 Jul 2008 11:09:23 -0700 Subject: [Fedora-directory-users] Creating backup LDAP server. Message-ID: <20080710180923.GA19668@ns.sdsitehosting.net> One of the projects on my plate is to have a working backup of an existing fedora-ds server. I installed fedora-ds under CentOS 5.2 and copied over the files that result from ns-slapd db2archive from the existing server to the new machine. First off, I know nothing about LDAP or fedora-ds in particular :-) After looking at the existing server and what I had after installing on the new server, I decided that running /usr/sbin/setup-ds-admin.pl was probably necessary. 
I went through, answering the questions as best I could (and figuring that the answers would be overwritten when I restored the backup). I got this:

[08/07/10:10:18:52] - [Setup] Info Are you ready to set up your servers?
[08/07/10:10:18:56] - [Setup] Info yes
[08/07/10:10:18:56] - [Setup] Info Creating directory server . . .
[08/07/10:10:18:59] - [Setup] Info Your new DS instance 'unix-services2' was successfully created.
[08/07/10:10:18:59] - [Setup] Info Creating the configuration directory server . . .
[08/07/10:10:22:08] - [Setup] Fatal Error: failed to open an LDAP connection to host 'unix-services2.my.domain.com.com' port '389' as user 'cn=Directory Manager'. Error: unknown.
[08/07/10:10:22:08] - [Setup] Fatal Failed to create the configuration directory server
[08/07/10:10:22:08] - [Setup] Fatal Exiting . . .
Log file is '/tmp/setupVSpvCl.log

Yes, that's two ".com"s No idea why. So, I stop the dirsrv process and try:

[root at localhost ~]# ns-slapd archive2db -D /etc/dirsrv/slapd-unix-services2 -a /var/lib/dirsrv/slapd-unix-services2/in
[10/Jul/2008:11:05:39 -0700] - ERROR: target server has no NetscapeRoot configured
[10/Jul/2008:11:05:39 -0700] - archive2db: Failed to read backup file set. Either the directory specified doesn't exist, or it exists but doesn't contain a valid backup set, or file permissions prevent the server reading the backup set. error=53 (Invalid request descriptor)

I have no idea what a NetscapeRoot is, why I would want one, or how I'd get it. Googling didn't help me... I found many references to "-0 netscaperoot", but that seems to be in reference to /etc/dirsrv/admin-serv/adm.conf which does not exist on my new server. What is the easiest way for me to do this? Can I simply copy adm.conf (and other files? Which ones?) from the existing server? Or is there some mysterious problem about why the setup script couldn't contact the LDAP server which is to blame?
-- *********************************************************************** * John Oliver http://www.john-oliver.net/ * * * *********************************************************************** From rmeggins at redhat.com Thu Jul 10 19:40:25 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 10 Jul 2008 13:40:25 -0600 Subject: [Fedora-directory-users] Creating backup LDAP server. In-Reply-To: <20080710180923.GA19668@ns.sdsitehosting.net> References: <20080710180923.GA19668@ns.sdsitehosting.net> Message-ID: <487665A9.10908@redhat.com> John Oliver wrote: > One of the projects on my plate is to have a working backup of an > existing fedora-ds server. I installed fedora-ds under CentOS 5.2 and > copied over the files that result from ns-slapd db2archive from the > existing server to the new machine. > > First off, I know nothing about LDAP or fedora-ds in particular :-) > > After looking at the existing server and what I had after installing on > the new server, I decided that running /usr/sbin/setup-ds-admin.pl was > probably necessary. I went through, answering the questions as best I > could (and figuring that the answers would be overwritten when I > restored the backup). I got this: > > [08/07/10:10:18:52] - [Setup] Info Are you ready to set up your servers? > [08/07/10:10:18:56] - [Setup] Info yes > [08/07/10:10:18:56] - [Setup] Info Creating directory server . . . > [08/07/10:10:18:59] - [Setup] Info Your new DS instance 'unix-services2' > was suc > cessfully created. > [08/07/10:10:18:59] - [Setup] Info Creating the configuration directory > server . > . . > [08/07/10:10:22:08] - [Setup] Fatal Error: failed to open an LDAP > connection to > host 'unix-services2.my.domain.com.com' port '389' as user > 'cn=Directory Ma > nager'. Error: unknown. > [08/07/10:10:22:08] - [Setup] Fatal Failed to create the configuration > directory > server > [08/07/10:10:22:08] - [Setup] Fatal Exiting . . . 
> Log file is '/tmp/setupVSpvCl.log > > > Yes, that's two ".com"s No idea why. > Check /etc/hosts, /etc/nsswitch.conf, and /etc/resolv.conf, and check that against what you typed in as your hostname and what DNS resolves it to. > So, I stop the dirsrv process and try: > > [root at localhost ~]# ns-slapd archive2db -D > /etc/dirsrv/slapd-unix-services2 -a > /var/lib/dirsrv/slapd-unix-services2/in > [10/Jul/2008:11:05:39 -0700] - ERROR: target server has no NetscapeRoot > configured > [10/Jul/2008:11:05:39 -0700] - archive2db: Failed to read backup file > set. Either the directory specified doesn't exist, or it exists but > doesn't contain a valid backup set, or file permissions prevent the > server reading the backup set. error=53 (Invalid request descriptor) > Don't use ns-slapd archive2db directly - use the scripts in /usr/lib/dirsrv/slapd-instance (db2bak, bak2db, etc.) instead. > > I have no idea what a NetscapeRoot is, why I would want one, or how I'd > get it. Googling didn't help me... I found many references to "-0 > netscaperoot", but that seems to be in reference to > /etc/dirsrv/admin-serv/adm.conf which does not exist on my new server. > > What is the easiest way for me to do this? Can I simply copy adm.conf > (and other files? Which ones?) from the existing server? Or is there > some mysterious problem about why the setup script couldn't contact the > LDAP server which is to blame? > > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From doug.mallory at tempurpedic.com Thu Jul 10 21:54:56 2008 From: doug.mallory at tempurpedic.com (Mallory, Doug (TPUSA)) Date: Thu, 10 Jul 2008 17:54:56 -0400 Subject: [Fedora-directory-users] Getting closer getting a password policy export In-Reply-To: <487665A9.10908@redhat.com> References: <20080710180923.GA19668@ns.sdsitehosting.net> <487665A9.10908@redhat.com> Message-ID: I have managed to get the Fedora Directory Server console loaded and running, and when I go to the directory tab I see manage password policy. But when I select it the window pops up and quickly clears to a blank window. Does anyone know how I can get an export of the current password policy? Or even a screen shot at this point that is not blank. (I am connecting to the server through VNC) Doug Mallory From joliver at john-oliver.net Thu Jul 10 21:59:44 2008 From: joliver at john-oliver.net (John Oliver) Date: Thu, 10 Jul 2008 14:59:44 -0700 Subject: [Fedora-directory-users] Creating backup LDAP server. In-Reply-To: <487665A9.10908@redhat.com> References: <20080710180923.GA19668@ns.sdsitehosting.net> <487665A9.10908@redhat.com> Message-ID: <20080710215944.GB31584@ns.sdsitehosting.net> On Thu, Jul 10, 2008 at 01:40:25PM -0600, Rich Megginson wrote: > John Oliver wrote: > >One of the projects on my plate is to have a working backup of an > >existing fedora-ds server. I installed fedora-ds under CentOS 5.2 and > >copied over the files that result from ns-slapd db2archive from the > >existing server to the new machine. > > > >First off, I know nothing about LDAP or fedora-ds in particular :-) > > > >After looking at the existing server and what I had after installing on > >the new server, I decided that running /usr/sbin/setup-ds-admin.pl was > >probably necessary.
I went through, answering the questions as best I > >could (and figuring that the answers would be overwritten when I > >restored the backup). I got this: > > > >[08/07/10:10:18:52] - [Setup] Info Are you ready to set up your servers? > >[08/07/10:10:18:56] - [Setup] Info yes > >[08/07/10:10:18:56] - [Setup] Info Creating directory server . . . > >[08/07/10:10:18:59] - [Setup] Info Your new DS instance 'unix-services2' > >was suc > >cessfully created. > >[08/07/10:10:18:59] - [Setup] Info Creating the configuration directory > >server . > > . . > >[08/07/10:10:22:08] - [Setup] Fatal Error: failed to open an LDAP > >connection to > >host 'unix-services2.my.domain.com.com' port '389' as user > >'cn=Directory Ma > >nager'. Error: unknown. > >[08/07/10:10:22:08] - [Setup] Fatal Failed to create the configuration > >directory > > server > >[08/07/10:10:22:08] - [Setup] Fatal Exiting . . . > >Log file is '/tmp/setupVSpvCl.log > > > > > >Yes, that's two ".com"s No idea why. > > > Check /etc/hosts, /etc/nsswitch.conf, and /etc/resolv.conf, and check > that against what you typed in as your hostname and what DNS resolves it to. All are correct. /etc/hosts has the correct FQDN as well as hostname. /etc/resolv.conf is pointed to two working DNS servers. And /etc/nsswitch.conf has "hosts: files dns" Is there a way to tell it to remove the problematic stuff and try to set up again? > >So, I stop the dirsrv process and try: > > > >[root at localhost ~]# ns-slapd archive2db -D > >/etc/dirsrv/slapd-unix-services2 -a > >/var/lib/dirsrv/slapd-unix-services2/in > >[10/Jul/2008:11:05:39 -0700] - ERROR: target server has no NetscapeRoot > >configured > >[10/Jul/2008:11:05:39 -0700] - archive2db: Failed to read backup file > >set. Either the directory specified doesn't exist, or it exists but > >doesn't contain a valid backup set, or file permissions prevent the > >server reading the backup set. 
error=53 (Invalid request descriptor) > > > Don't use ns-slapd archive2db directly - use the scripts in > /usr/lib/dirsrv/slapd-instance (db2bak, bak2db, etc.) instead. [root at unix-services2 ~]# /usr/lib/dirsrv/slapd-unix-services2/bak2db /var/lib/dirsrv/slapd-unix-services2/in/ [10/Jul/2008:14:56:40 -0700] - ERROR: target server has no NetscapeRoot configured [10/Jul/2008:14:56:40 -0700] - archive2db: Failed to read backup file set. Either the directory specified doesn't exist, or it exists but doesn't contain a valid backup set, or file permissions prevent the server reading the backup set. error=53 (Invalid request descriptor) [root at unix-services2 ~]# ls /var/lib/dirsrv/slapd-unix-services2/in/ DBVERSION dse_instance.ldif NetscapeRoot dse_index.ldif log.0000000076 userRoot -- *********************************************************************** * John Oliver http://www.john-oliver.net/ * * * *********************************************************************** From rmeggins at redhat.com Thu Jul 10 22:18:28 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 10 Jul 2008 16:18:28 -0600 Subject: [Fedora-directory-users] Creating backup LDAP server. In-Reply-To: <20080710215944.GB31584@ns.sdsitehosting.net> References: <20080710180923.GA19668@ns.sdsitehosting.net> <487665A9.10908@redhat.com> <20080710215944.GB31584@ns.sdsitehosting.net> Message-ID: <48768AB4.6080400@redhat.com> John Oliver wrote: > On Thu, Jul 10, 2008 at 01:40:25PM -0600, Rich Megginson wrote: > >> John Oliver wrote: >> >>> One of the projects on my plate is to have a working backup of an >>> existing fedora-ds server. I installed fedora-ds under CentOS 5.2 and >>> copied over the files that result from ns-slapd db2archive from the >>> existing server to the new machine. 
>>> >>> First off, I know nothing about LDAP or fedora-ds in particular :-) >>> >>> After looking at the existing server and what I had after installing on >>> the new server, I decided that running /usr/sbin/setup-ds-admin.pl was >>> probably necessary. I went through, answering the questions as best I >>> could (and figuring that the answers would be overwritten when I >>> restored the backup). I got this: >>> >>> [08/07/10:10:18:52] - [Setup] Info Are you ready to set up your servers? >>> [08/07/10:10:18:56] - [Setup] Info yes >>> [08/07/10:10:18:56] - [Setup] Info Creating directory server . . . >>> [08/07/10:10:18:59] - [Setup] Info Your new DS instance 'unix-services2' >>> was suc >>> cessfully created. >>> [08/07/10:10:18:59] - [Setup] Info Creating the configuration directory >>> server . >>> . . >>> [08/07/10:10:22:08] - [Setup] Fatal Error: failed to open an LDAP >>> connection to >>> host 'unix-services2.my.domain.com.com' port '389' as user >>> 'cn=Directory Ma >>> nager'. Error: unknown. >>> [08/07/10:10:22:08] - [Setup] Fatal Failed to create the configuration >>> directory >>> server >>> [08/07/10:10:22:08] - [Setup] Fatal Exiting . . . >>> Log file is '/tmp/setupVSpvCl.log >>> >>> >>> Yes, that's two ".com"s No idea why. >>> >>> >> Check /etc/hosts, /etc/nsswitch.conf, and /etc/resolv.conf, and check >> that against what you typed in as your hostname and what DNS resolves it to. >> > > All are correct. /etc/hosts has the correct FQDN as well as hostname. > /etc/resolv.conf is pointed to two working DNS servers. And > /etc/nsswitch.conf has "hosts: files dns" > > Is there a way to tell it to remove the problematic stuff and try to set > up again? > When you run setup-ds-admin.pl, and it asks you for the hostname, does it have the correct hostname or the bogus one? If you specify the correct hostname at the dialog prompt, it will use the correct one throughout. 
> >>> So, I stop the dirsrv process and try: >>> >>> [root at localhost ~]# ns-slapd archive2db -D >>> /etc/dirsrv/slapd-unix-services2 -a >>> /var/lib/dirsrv/slapd-unix-services2/in >>> [10/Jul/2008:11:05:39 -0700] - ERROR: target server has no NetscapeRoot >>> configured >>> [10/Jul/2008:11:05:39 -0700] - archive2db: Failed to read backup file >>> set. Either the directory specified doesn't exist, or it exists but >>> doesn't contain a valid backup set, or file permissions prevent the >>> server reading the backup set. error=53 (Invalid request descriptor) >>> >>> >> Don't use ns-slapd archive2db directly - use the scripts in >> /usr/lib/dirsrv/slapd-instance (db2bak, bak2db, etc.) instead. >> > > [root at unix-services2 ~]# /usr/lib/dirsrv/slapd-unix-services2/bak2db > /var/lib/dirsrv/slapd-unix-services2/in/ > [10/Jul/2008:14:56:40 -0700] - ERROR: target server has no NetscapeRoot > configured > [10/Jul/2008:14:56:40 -0700] - archive2db: Failed to read backup file > set. Either the directory specified doesn't exist, or it exists but > doesn't contain a valid backup set, or file permissions prevent the > server reading the backup set. error=53 (Invalid request descriptor) > [root at unix-services2 ~]# ls /var/lib/dirsrv/slapd-unix-services2/in/ > DBVERSION dse_instance.ldif NetscapeRoot > dse_index.ldif log.0000000076 userRoot The backup was created in a server with both userRoot and NetscapeRoot, but you are attempting to restore it in a server that does not have NetscapeRoot. You need to create a root suffix called o=NetscapeRoot with an associated database called NetscapeRoot. You can do this in the console. *http://tinyurl.com/595tyy* If you don't want NetscapeRoot at all, you could try exporting your old database to LDIF using db2ldif or db2ldif.pl, to get just the userRoot part (i.e. the suffix that you keep your real user&group data in). -------------- next part -------------- A non-text attachment was scrubbed... 
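An added example (the editor's, not from the thread and not one of the server's own scripts) of the check a restore procedure wants before running bak2db: compare the backends present in the db2bak archive with the ldbm backends configured in the target's dse.ldif, so that a missing NetscapeRoot is reported by name up front instead of surfacing as the error=53 failure John hit. The archive layout follows the directory listing quoted above (DBVERSION, dse_*.ldif, a transaction log and one directory per backend); the dse.ldif entries and the temporary fixture are constructed for the demo.

```python
import os
import re
import tempfile

# Backend instances live under cn=ldbm database,cn=plugins,cn=config in dse.ldif.
BACKEND_DN = re.compile(
    r"^dn:\s*cn=([^,]+),cn=ldbm database,cn=plugins,cn=config\s*$", re.I | re.M)

def backends_in_dse(dse_text):
    """Names of the ldbm backends the target server has configured."""
    return {m.group(1).strip() for m in BACKEND_DN.finditer(dse_text)}

def backends_in_backup(backup_dir):
    """A db2bak archive holds flat files plus one subdirectory per backend."""
    if not os.path.isfile(os.path.join(backup_dir, "DBVERSION")):
        raise ValueError("not a backup set: no DBVERSION in %s" % backup_dir)
    return {d for d in os.listdir(backup_dir)
            if os.path.isdir(os.path.join(backup_dir, d))}

def restore_check(backup_dir, dse_text):
    """Return (ok, missing). 'missing' lists backends present in the archive
    that the target server does not define; bak2db needs every one of them."""
    missing = backends_in_backup(backup_dir) - backends_in_dse(dse_text)
    return (not missing, sorted(missing))

# Constructed fixture mirroring the thread: the archive carries userRoot and
# NetscapeRoot, the freshly installed target has only userRoot.
def make_fixture():
    root = tempfile.mkdtemp()
    for name in ("DBVERSION", "dse_instance.ldif", "dse_index.ldif", "log.0000000076"):
        open(os.path.join(root, name), "w").close()
    for backend in ("userRoot", "NetscapeRoot"):
        os.mkdir(os.path.join(root, backend))
    return root

TARGET_DSE_USERROOT_ONLY = """\
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: nsBackendInstance
cn: userRoot
nsslapd-suffix: dc=example,dc=com
"""

TARGET_DSE_BOTH = TARGET_DSE_USERROOT_ONLY + """
dn: cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: nsBackendInstance
cn: NetscapeRoot
nsslapd-suffix: o=NetscapeRoot
"""

if __name__ == "__main__":
    archive = make_fixture()
    print(restore_check(archive, TARGET_DSE_USERROOT_ONLY))  # (False, ['NetscapeRoot'])
    print(restore_check(archive, TARGET_DSE_BOTH))           # (True, [])
```

In practice dse_text is read from /etc/dirsrv/slapd-<instance>/dse.ldif on the target with the server stopped; a non-empty missing list means either create those suffixes and databases first, as Rich describes, or fall back to a db2ldif export of just userRoot.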
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Thu Jul 10 22:30:35 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 10 Jul 2008 16:30:35 -0600 Subject: [Fedora-directory-users] Getting closer getting a password policy export In-Reply-To: References: <20080710180923.GA19668@ns.sdsitehosting.net> <487665A9.10908@redhat.com> Message-ID: <48768D8B.3050703@redhat.com> Mallory, Doug (TPUSA) wrote: > I have managed to the Fedora Directory server console loaded and running > and when I go the directory tab I see manage password policy. But when I > select it the window pops up quickly clears to a blank window. This bug is very difficult to reproduce. Can you reproduce it by running fedora-idm-console -D 9 -f console.log, edit console.log to remove any sensitive data, then email me the log? > Does > anyone know how I can get an export of the current password policy? You had sent out a previous email with the list of attributes. The list from the current schema is correct - looks like the admin guide doesn't have the new ones. The others are documented here - http://directory.fedoraproject.org/wiki/Password_Syntax > Or > ever a screen shot at this point that is not blank. ( I am connecting to > the server through VNC) > > Doug Mallory > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
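An added example (the editor's, not from the thread or the project) for the LDIF Eric asked for earlier in this digest and for the attribute question Rich answers above: it renders a cn=config modify from the attribute names in the 00core.ldif list quoted in this thread, and lints the values for the combinations that matter operationally (lockout without a failure count, permanent lockout, cleartext storage, a warning period longer than the maximum age). The values are example choices, not the server's defaults. The history attributes are left out because the two lists in the thread disagree on the name (passwordHistory vs passwordKeepHistory); which attributes a given version honours in cn=config should be confirmed against the Password_Syntax page Rich links.

```python
# Attribute names exactly as in the 00core.ldif list quoted in this thread.
POLICY_ATTRS = frozenset([
    "passwordMaxAge", "passwordExp", "passwordMinLength", "passwordKeepHistory",
    "passwordInHistory", "passwordChange", "passwordWarning", "passwordLockout",
    "passwordMaxFailure", "passwordResetDuration", "passwordUnlock",
    "passwordLockoutDuration", "passwordCheckSyntax", "passwordMustChange",
    "passwordStorageScheme", "passwordMinAge", "passwordResetFailureCount",
    "passwordGraceLimit", "passwordMinDigits", "passwordMinAlphas",
    "passwordMinUppers", "passwordMinLowers", "passwordMinSpecials",
    "passwordMin8bit", "passwordMaxRepeats", "passwordMinCategories",
    "passwordMinTokenLength",
])

# Example values (editor's choices, not server defaults). Durations are in seconds.
EXAMPLE_POLICY = {
    "passwordLockout": "on",
    "passwordMaxFailure": "5",
    "passwordResetFailureCount": "600",
    "passwordUnlock": "on",
    "passwordLockoutDuration": "900",
    "passwordCheckSyntax": "on",
    "passwordMinLength": "12",
    "passwordMinCategories": "3",
    "passwordExp": "on",
    "passwordMaxAge": "7776000",
    "passwordWarning": "1209600",
    "passwordMustChange": "on",
    "passwordStorageScheme": "SSHA",
}

# A policy that looks strict but is operationally bad; constructed for contrast.
WEAK_POLICY = {
    "passwordLockout": "on",
    "passwordUnlock": "off",
    "passwordMinLength": "6",
    "passwordStorageScheme": "CLEAR",
}

def _int(policy, attr, default=0):
    return int(policy.get(attr, default))

def lint_policy(policy):
    """Return a list of problems; an empty list means the combination is sane."""
    unknown = sorted(set(policy) - POLICY_ATTRS)
    problems = ["unknown attribute(s): %s" % ", ".join(unknown)] if unknown else []
    if policy.get("passwordLockout") == "on":
        if _int(policy, "passwordMaxFailure") <= 0:
            problems.append("passwordLockout is on but passwordMaxFailure is not set")
        if policy.get("passwordUnlock") == "off":
            problems.append("passwordUnlock off: accounts stay locked until an "
                            "administrator intervenes, so failed binds become a "
                            "denial-of-service lever against any known uid")
    if _int(policy, "passwordMinLength") < 8:
        problems.append("passwordMinLength below 8")
    if policy.get("passwordStorageScheme", "SSHA").upper() in ("CLEAR", "CRYPT"):
        problems.append("passwordStorageScheme is weak; use SSHA")
    if policy.get("passwordExp") == "on":
        max_age = _int(policy, "passwordMaxAge")
        if max_age <= 0:
            problems.append("passwordExp is on but passwordMaxAge is not set")
        elif _int(policy, "passwordWarning") >= max_age:
            problems.append("passwordWarning must be shorter than passwordMaxAge")
    return problems

def policy_ldif(policy):
    """Render the policy as a modify of cn=config, one replace per attribute,
    suitable for: ldapmodify -x -D "cn=Directory Manager" -W -f policy.ldif"""
    unknown = sorted(set(policy) - POLICY_ATTRS)
    if unknown:
        raise ValueError("not password-policy attributes: %s" % ", ".join(unknown))
    lines = ["dn: cn=config", "changetype: modify"]
    for attr, value in policy.items():
        lines += ["replace: %s" % attr, "%s: %s" % (attr, value), "-"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(lint_policy(EXAMPLE_POLICY))  # []
    for problem in lint_policy(WEAK_POLICY):
        print("WEAK:", problem)
    print(policy_ldif(EXAMPLE_POLICY), end="")
```

The lint is deliberately about interactions rather than single values: a lockout policy with passwordUnlock off is the classic way an account-lockout control turns into a tool for locking administrators out, and a long passwordWarning with a short passwordMaxAge simply warns on every bind.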
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Thu Jul 10 22:31:03 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 10 Jul 2008 16:31:03 -0600 Subject: [Fedora-directory-users] Question about setting a Password Policy from the Command Line In-Reply-To: References: Message-ID: <48768DA7.1010002@redhat.com> Eric Brown wrote: > I am trying to create an LDIF for importing a default password policy > for my FDS server that I can quickly import after I start it. I was > looking through the Adminstrator's Guide and it seems to be missing > some fields that are defined in the objectclass for password policy. > > I was just wondering if the Admin guide was correct and has all of the > defined attributes for the policy there and defined, or if these extra > ones are also valid and have documentation associated with them. I am > using the 1.0.4 version of FDS and I would guess that they online > guides have been updated for the newer versions, but I didn't expect > to see this much of a difference. 
> > Attributes from the Admin Guide: > passwordGraceLimit > passwordMustChange > passwordChange > passwordExp > passwordMaxAge > passwordWarning > passwordCheckSyntax > passwordMinLength > passwordMinAge > passwordHistory > passwordInHistory > passwordStorageScheme > > Attributes from the 00core.ldif schema definition of the password > policy objectclass: > passwordMaxAge > passwordExp > passwordMinLength > passwordKeepHistory > passwordInHistory > passwordChange > passwordWarning > passwordLockout > passwordMaxFailure > passwordResetDuration > passwordUnlock > passwordLockoutDuration > passwordCheckSyntax > passwordMustChange > passwordStorageScheme > passwordMinAge > passwordResetFailureCount > passwordGraceLimit > passwordMinDigits > passwordMinAlphas > passwordMinUppers > passwordMinLowers > passwordMinSpecials > passwordMin8bit > passwordMaxRepeats > passwordMinCategories > passwordMinTokenLength > > Just need to know which list is really valid, The latter. > and I need the > documentation or at least explanations of the fields that I can use in > my version. Thanks in advance. > http://directory.fedoraproject.org/wiki/Password_Syntax > Eric > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Thu Jul 10 22:32:55 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 10 Jul 2008 16:32:55 -0600 Subject: [Fedora-directory-users] Question on monitoring authorization In-Reply-To: <20e4c38c0807070821i10221e0fx508a14196f7f9c75@mail.gmail.com> References: <20e4c38c0807070821i10221e0fx508a14196f7f9c75@mail.gmail.com> Message-ID: <48768E17.8080705@redhat.com> Chun Tat David Chu wrote: > Hi all, > > I've a question on monitoring authorization. 
> > When a user without sufficient privileges performs a search request > on the LDAP, the user will receive an empty result from the LDAP. > > I followed the instruction from the Red Hat Directory Server > Administrator's Guide and set the access mode to 777 to log all read, > write and execute commands. > > When I look at the log of an unauthorized user, all I see is the following > [07/Jul/2008:11:08:37 -0400] conn=42 op=81 SRCH > base="ou=sandbox,ou=my_test,dc=example,dc=com" scope=1 > filter="(objectClass=*)" attrs="objectClass javaClassName" > [07/Jul/2008:11:08:37 -0400] conn=42 op=81 RESULT err=0 tag=101 > nentries=0 etime=0 > > The log doesn't indicate any authorization error. I was wondering if > there's additional settings that I can set on Fedora DS so I can > easily tell if a user is not authorized to perform a search operation > on the LDAP. In general, no. However, you could use Get Effective Rights - http://www.redhat.com/docs/manuals/dir-server/release-notes/ger.html > > Thanks! > > - David > > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Thu Jul 10 22:33:48 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 10 Jul 2008 16:33:48 -0600 Subject: [Fedora-directory-users] altServer In-Reply-To: <486AED70.1070309@babel.com.au> References: <486AED70.1070309@babel.com.au> Message-ID: <48768E4C.4040700@redhat.com> Del wrote: > > Hi, > > Is there any plan to support the altServer attribute in the root DSE > of a Fedora Directory Server? No plans currently.
Please file a bug/enhancement request at bugzilla.redhat.com
> 
> By that I mean that the server should advertise its list of replicas
> (currently buried under cn=replica,cn="BASEDN",cn=mapping
> tree,cn=config for each base DN) in the root DSE using the altServer
> attribute? This would make it easier to build resilient clients that
> automatically knew where to reconnect to if the primary server went down.
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: 

From joliver at john-oliver.net Thu Jul 10 22:52:05 2008
From: joliver at john-oliver.net (John Oliver)
Date: Thu, 10 Jul 2008 15:52:05 -0700
Subject: [Fedora-directory-users] Creating backup LDAP server.
In-Reply-To: <48768AB4.6080400@redhat.com>
References: <20080710180923.GA19668@ns.sdsitehosting.net> <487665A9.10908@redhat.com> <20080710215944.GB31584@ns.sdsitehosting.net> <48768AB4.6080400@redhat.com>
Message-ID: <20080710225205.GA1584@ns.sdsitehosting.net>

On Thu, Jul 10, 2008 at 04:18:28PM -0600, Rich Megginson wrote:
> When you run setup-ds-admin.pl, and it asks you for the hostname, does
> it have the correct hostname or the bogus one? If you specify the
> correct hostname at the dialog prompt, it will use the correct one
> throughout.

I'm not sure... I can no longer run that script because...

Configuration directory server
administrator ID [admin]:
Password:
Password (confirm):
Error: the server already exists at '/etc/dirsrv/slapd-unix-services2'
Please remove it first if you really want to recreate it,
or use a different ServerIdentifier to create another instance.
When using Silent or Express mode, some of the
dialogs are skipped, but validation is still performed
on the default or given answers. You should run this program again and
choose Typical or Custom mode in order to provide a valid input
for the problem dialog.

Exiting . . .
I've tried to remove it, but

[root at unix-services2 ~]# /usr/sbin/ds_removal -s unix-services2 -w mypassword

Error:The server '' is not reachable. Error: unknown error

> >[10/Jul/2008:14:56:40 -0700] - ERROR: target server has no NetscapeRoot
> >configured
> >[10/Jul/2008:14:56:40 -0700] - archive2db: Failed to read backup file
> >set. Either the directory specified doesn't exist, or it exists but
> >doesn't contain a valid backup set, or file permissions prevent the
> >server reading the backup set. error=53 (Invalid request descriptor)
> >[root at unix-services2 ~]# ls /var/lib/dirsrv/slapd-unix-services2/in/
> >DBVERSION dse_instance.ldif NetscapeRoot
> >dse_index.ldif log.0000000076 userRoot
> The backup was created in a server with both userRoot and NetscapeRoot,
> but you are attempting to restore it in a server that does not have
> NetscapeRoot. You need to create a root suffix called o=NetscapeRoot
> with an associated database called NetscapeRoot. You can do this in the
> console. *http://tinyurl.com/595tyy*

Unfortunately, I don't know what "o=NetscapeRoot" means. I see
references to that all over the place. On the working server, there's a
/etc/dirsrv/admin-serv/adm.conf file that contains that line, but I do
not have an adm.conf on this new server.

Is there a way to back out of this without uninstalling fedora-ds? Make
it completely forget about everything I've done so I can just start from
scratch and try again?

-- 
***********************************************************************
* John Oliver http://www.john-oliver.net/ *
* *
***********************************************************************

From playactor at gmail.com Thu Jul 10 23:13:43 2008
From: playactor at gmail.com (Eric Brown)
Date: Thu, 10 Jul 2008 18:13:43 -0500
Subject: Fwd: [Fedora-directory-users] Question about setting a Password Policy from the Command Line
In-Reply-To: <48768DA7.1010002@redhat.com>
References: <48768DA7.1010002@redhat.com>
Message-ID: 

Thank you Rich.
This is exactly what I needed.

---------- Forwarded message ----------
From: Rich Megginson 
Date: Thu, Jul 10, 2008 at 5:31 PM
Subject: Re: [Fedora-directory-users] Question about setting a Password Policy from the Command Line
To: "General discussion list for the Fedora Directory server project." 

Eric Brown wrote:
> 
> I am trying to create an LDIF for importing a default password policy
> for my FDS server that I can quickly import after I start it. I was
> looking through the Administrator's Guide and it seems to be missing
> some fields that are defined in the objectclass for password policy.
> 
> I was just wondering if the Admin guide was correct and has all of the
> defined attributes for the policy there and defined, or if these extra
> ones are also valid and have documentation associated with them. I am
> using the 1.0.4 version of FDS and I would guess that the online
> guides have been updated for the newer versions, but I didn't expect
> to see this much of a difference.
> 
> Attributes from the Admin Guide:
> passwordGraceLimit
> passwordMustChange
> passwordChange
> passwordExp
> passwordMaxAge
> passwordWarning
> passwordCheckSyntax
> passwordMinLength
> passwordMinAge
> passwordHistory
> passwordInHistory
> passwordStorageScheme
> 
> Attributes from the 00core.ldif schema definition of the password
> policy objectclass:
> passwordMaxAge
> passwordExp
> passwordMinLength
> passwordKeepHistory
> passwordInHistory
> passwordChange
> passwordWarning
> passwordLockout
> passwordMaxFailure
> passwordResetDuration
> passwordUnlock
> passwordLockoutDuration
> passwordCheckSyntax
> passwordMustChange
> passwordStorageScheme
> passwordMinAge
> passwordResetFailureCount
> passwordGraceLimit
> passwordMinDigits
> passwordMinAlphas
> passwordMinUppers
> passwordMinLowers
> passwordMinSpecials
> passwordMin8bit
> passwordMaxRepeats
> passwordMinCategories
> passwordMinTokenLength
> 
> Just need to know which list is really valid,
The latter.
> 
> and I need the
> documentation or at least explanations of the fields that I can use in
> my version. Thanks in advance.
http://directory.fedoraproject.org/wiki/Password_Syntax
> 
> Eric
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> 

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: not available
URL: 

From joliver at john-oliver.net Thu Jul 10 23:30:52 2008
From: joliver at john-oliver.net (John Oliver)
Date: Thu, 10 Jul 2008 16:30:52 -0700
Subject: [Fedora-directory-users] Creating backup LDAP server.
In-Reply-To: <20080710225205.GA1584@ns.sdsitehosting.net>
References: <20080710180923.GA19668@ns.sdsitehosting.net> <487665A9.10908@redhat.com> <20080710215944.GB31584@ns.sdsitehosting.net> <48768AB4.6080400@redhat.com> <20080710225205.GA1584@ns.sdsitehosting.net>
Message-ID: <20080710233052.GB1584@ns.sdsitehosting.net>

Since I figured I was pretty well screwed anyway, I deleted
/etc/dirsrv/slapd-unix-services2 and re-ran setup-ds-admin.pl. To my
amazement, it was able to complete successfully! It went all the way
through, created an adm.conf and other files, etc. I was able to log in
to the web admin screen.

So, I ran /usr/lib/dirsrv/slapd-unix-services2/bak2db to restore the
database I'd copied over. That looked very promising, but there were
two points where it said it was deleting an attribute of unix-services2
and then adding one for unix-services, which is the other, live machine.
After that, clicking on Fedora Administration Express gave me an error.
I just went back to copy-and-paste it, but now I get an Internal Server
Error, and /var/log/httpd is empty.
Since I seemed to make some progress, I stopped dirsrv, deleted
/etc/dirsrv/slapd-unix-services2 and re-ran setup-ds-admin.pl. When it
was done, I could get in to the admin interface again, only now it shows
me slapd-unix-services and slapd-unix-services2. So, I'm not sure if
that's progress or not.

I want to wind up with a working backup of slapd-unix-services so if
that machine takes a crap, I can just bring up an interface with its IP
address on slapd-unix-services2 and keep LDAP authentication working
while I puzzle out what went wrong on the first server.

-- 
***********************************************************************
* John Oliver http://www.john-oliver.net/ *
* *
***********************************************************************

From nkinder at redhat.com Thu Jul 10 23:33:36 2008
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 10 Jul 2008 16:33:36 -0700
Subject: [Fedora-directory-users] Getting closer getting a password policy export
In-Reply-To: 
References: <20080710180923.GA19668@ns.sdsitehosting.net> <487665A9.10908@redhat.com>
Message-ID: <48769C50.1070504@redhat.com>

Mallory, Doug (TPUSA) wrote:
> I have managed to get the Fedora Directory server console loaded and running
> and when I go to the directory tab I see manage password policy. But when I
> select it the window pops up and quickly clears to a blank window. Does
> anyone know how I can get an export of the current password policy? Or
> even a screen shot at this point that is not blank. (I am connecting to
> the server through VNC)
> 
Try expanding the dialog window to the right. I've seen something similar
before with specific JREs where the dialog is smaller than the contents, so
it displays nothing.
> Doug Mallory
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3254 bytes
Desc: S/MIME Cryptographic Signature
URL: 

From doug.mallory at tempurpedic.com Fri Jul 11 01:12:48 2008
From: doug.mallory at tempurpedic.com (Mallory, Doug (TPUSA))
Date: Thu, 10 Jul 2008 21:12:48 -0400
Subject: [Fedora-directory-users] Getting closer getting a password policyexport
In-Reply-To: <48768D8B.3050703@redhat.com>
References: <20080710180923.GA19668@ns.sdsitehosting.net> <487665A9.10908@redhat.com> <48768D8B.3050703@redhat.com>
Message-ID: 

> anyone know how I can get an export of the current password policy?
You had sent out a previous email with the list of attributes. The list
from the current schema is correct - looks like the admin guide doesn't
have the new ones. The others are documented here -
http://directory.fedoraproject.org/wiki/Password_Syntax
> Or

I can see the schema. I just need to see what the current settings are or
export them to a flat file and can give the auditors. (ldif would work)

Doug

From rmeggins at redhat.com Fri Jul 11 01:22:49 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 10 Jul 2008 19:22:49 -0600
Subject: [Fedora-directory-users] Creating backup LDAP server.
In-Reply-To: <20080710225205.GA1584@ns.sdsitehosting.net>
References: <20080710180923.GA19668@ns.sdsitehosting.net> <487665A9.10908@redhat.com> <20080710215944.GB31584@ns.sdsitehosting.net> <48768AB4.6080400@redhat.com> <20080710225205.GA1584@ns.sdsitehosting.net>
Message-ID: <4876B5E9.9000106@redhat.com>

John Oliver wrote:
> On Thu, Jul 10, 2008 at 04:18:28PM -0600, Rich Megginson wrote:
> 
>> When you run setup-ds-admin.pl, and it asks you for the hostname, does
>> it have the correct hostname or the bogus one? If you specify the
>> correct hostname at the dialog prompt, it will use the correct one
>> throughout.
>> 
> 
> I'm not sure... I can no longer run that script because...
> 
> Configuration directory server
> administrator ID [admin]:
> Password:
> Password (confirm):
> Error: the server already exists at '/etc/dirsrv/slapd-unix-services2'
> Please remove it first if you really want to recreate it,
> or use a different ServerIdentifier to create another instance.
> When using Silent or Express mode, some of the
> dialogs are skipped, but validation is still performed
> on the default or given answers. You should run this program again and
> choose Typical or Custom mode in order to provide a valid input
> for the problem dialog.
> 
> Exiting . . .
> 
> 
> I've tried to remove it, but
> 
> [root at unix-services2 ~]# /usr/sbin/ds_removal -s unix-services2 -w
> mypassword
> 
> Error:The server '' is not reachable. Error: unknown error
> 
Yep. This is a bug due to be fixed soon. In the meantime:

service dirsrv stop unix-services2
rm -rf /etc/dirsrv/slapd-unix-services2 /var/*/dirsrv/slapd-unix-services2* /usr/lib/dirsrv/slapd-unix-services2 /usr/lib64/dirsrv/slapd-unix-services2
rm -rf /var/log/dirsrv/admin-serv
remove all files from /etc/dirsrv/admin-serv except for httpd.conf, admserv.conf, console.conf, and nss.conf

> 
>>> [10/Jul/2008:14:56:40 -0700] - ERROR: target server has no NetscapeRoot
>>> configured
>>> [10/Jul/2008:14:56:40 -0700] - archive2db: Failed to read backup file
>>> set. Either the directory specified doesn't exist, or it exists but
>>> doesn't contain a valid backup set, or file permissions prevent the
>>> server reading the backup set. error=53 (Invalid request descriptor)
>>> [root at unix-services2 ~]# ls /var/lib/dirsrv/slapd-unix-services2/in/
>>> DBVERSION dse_instance.ldif NetscapeRoot
>>> dse_index.ldif log.0000000076 userRoot
>>> 
>> The backup was created in a server with both userRoot and NetscapeRoot,
>> but you are attempting to restore it in a server that does not have
>> NetscapeRoot. You need to create a root suffix called o=NetscapeRoot
>> with an associated database called NetscapeRoot.
>> You can do this in the
>> console. *http://tinyurl.com/595tyy*
>> 
> 
> Unfortunately, I don't know what "o=NetscapeRoot" means. I see
> references to that all over the place. On the working server, there's a
> /etc/dirsrv/admin-serv/adm.conf file that contains that line, but I do
> not have an adm.conf on this new server.
> 
> 
> Is there a way to back out of this without uninstalling fedora-ds? Make
> it completely forget about everything I've done so I can just start from
> scratch and try again?
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: 

From rmeggins at redhat.com Fri Jul 11 01:28:50 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 10 Jul 2008 19:28:50 -0600
Subject: [Fedora-directory-users] Getting closer getting a password policyexport
In-Reply-To: 
References: <20080710180923.GA19668@ns.sdsitehosting.net> <487665A9.10908@redhat.com> <48768D8B.3050703@redhat.com>
Message-ID: <4876B752.5060504@redhat.com>

Mallory, Doug (TPUSA) wrote:
>> anyone know how I can get an export of the current password policy?
>> 
> You had sent out a previous email with the list of attributes. The list
> 
> from the current schema is correct - looks like the admin guide doesn't
> have the new ones. The others are documented here -
> http://directory.fedoraproject.org/wiki/Password_Syntax
> 
>> Or
>> 
> 
> I can see the schema. I just need to see what the current settings are or
> export them to a flat file and can give the auditors. (ldif would work)
> 
ldapsearch -s base -b cn=config
then just grab those attributes from the LDIF output
> Doug
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: 

From rmeggins at redhat.com Fri Jul 11 01:29:03 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 10 Jul 2008 19:29:03 -0600
Subject: [Fedora-directory-users] Creating backup LDAP server.
In-Reply-To: <20080710233052.GB1584@ns.sdsitehosting.net>
References: <20080710180923.GA19668@ns.sdsitehosting.net> <487665A9.10908@redhat.com> <20080710215944.GB31584@ns.sdsitehosting.net> <48768AB4.6080400@redhat.com> <20080710225205.GA1584@ns.sdsitehosting.net> <20080710233052.GB1584@ns.sdsitehosting.net>
Message-ID: <4876B75F.5030202@redhat.com>

John Oliver wrote:
> Since I figured I was pretty well screwed anyway, I deleted
> /etc/dirsrv/slapd-unix-services2 and re-ran setup-ds-admin.pl. To my
> amazement, it was able to complete successfully! It went all the way
> through, created an adm.conf and other files, etc. I was able to log in
> to the web admin screen.
> 
> So, I ran /usr/lib/dirsrv/slapd-unix-services2/bak2db to restore the
> database I'd copied over.
Unfortunately (for your case), when you do bak2db, it copies all of the
databases - your user/group database (userRoot), and the console
information database (NetscapeRoot). So if you restore it on your new
instance . . .
> That looked very promising, but there were
> two points where it said it was deleting an attribute of unix-services2
> and then adding one for unix-services, which is the other, live machine.
> After that, clicking on Fedora Administration Express gave me an error.
> 
. . . you wipe out the new information you just created with setup-ds-admin.pl
> I just went back to copy-and-paste it, but now I get an Internal Server
> Error, and /var/log/httpd is empty.
> 
/var/log/dirsrv/admin-serv - but it doesn't matter, because the restore
from the other backup probably wiped out the information needed by the
console.
> Since I seemed to make some progress, I stopped dirsrv, deleted
> /etc/dirsrv/slapd-unix-services2
and /var/*/dirsrv/slapd-unix-services2, and /usr/lib/dirsrv/slapd-unix-services2,
and /usr/lib64/dirsrv/slapd-unix-services2, and /var/log/dirsrv/admin-serv,
and all files in /etc/dirsrv/admin-serv except for admserv.conf, httpd.conf,
console.conf, and nss.conf
> and re-ran setup-ds-admin.pl. When it
> was done, I could get in to the admin interface again, only now it shows
> me slapd-unix-services and slapd-unix-services2. So, I'm not sure if
> that's progress or not.
> 
> I want to wind up with a working backup of slapd-unix-services so if
> that machine takes a crap, I can just bring up an interface with its IP
> address on slapd-unix-services2 and keep LDAP authentication working
> while I puzzle out what went wrong on the first server.
> 
Replication?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: 

From joliver at john-oliver.net Fri Jul 11 15:36:28 2008
From: joliver at john-oliver.net (John Oliver)
Date: Fri, 11 Jul 2008 08:36:28 -0700
Subject: [Fedora-directory-users] Creating backup LDAP server.
In-Reply-To: <4876B75F.5030202@redhat.com>
References: <20080710180923.GA19668@ns.sdsitehosting.net> <487665A9.10908@redhat.com> <20080710215944.GB31584@ns.sdsitehosting.net> <48768AB4.6080400@redhat.com> <20080710225205.GA1584@ns.sdsitehosting.net> <20080710233052.GB1584@ns.sdsitehosting.net> <4876B75F.5030202@redhat.com>
Message-ID: <20080711153628.GB19222@ns.sdsitehosting.net>

On Thu, Jul 10, 2008 at 07:29:03PM -0600, Rich Megginson wrote:
> John Oliver wrote:
> > 
> >I want to wind up with a working backup of slapd-unix-services so if
> >that machine takes a crap, I can just bring up an interface with its IP
> >address on slapd-unix-services2 and keep LDAP authentication working
> >while I puzzle out what went wrong on the first server.
> > 
> Replication?

For some reason, I thought that'd be more trouble to set up than what I
was trying :-) Is
http://www.redhat.com/docs/manuals/dir-server/ag/replicat.htm#pgfId-1027091
the best doc to use to learn more?

Thanks for all your help, Rich!

-- 
***********************************************************************
* John Oliver http://www.john-oliver.net/ *
* *
***********************************************************************

From joliver at john-oliver.net Fri Jul 11 18:12:50 2008
From: joliver at john-oliver.net (John Oliver)
Date: Fri, 11 Jul 2008 11:12:50 -0700
Subject: [Fedora-directory-users] Accessing Management Console
Message-ID: <20080711181250.GA26243@ns.sdsitehosting.net>

fedora-idm-console asks me for User ID and Password (which I should
have), but wants an "Administration URL" as well. So far, nothing is
working. I've tried http://localhost/ http://localhost:9830 and my FQDN
as well as FQDN:9830. None work. What does it want? I've tried against
two servers that I can access 9830 via a web browser. It always says:

Cannot connect to the Admin Server "http:/"
The URL is not correct or the server is not running

It says it just like that... "http:/" Almost like it cannot read past
six characters.
-- 
***********************************************************************
* John Oliver http://www.john-oliver.net/ *
* *
***********************************************************************

From benetage at hotmail.com Fri Jul 11 18:39:04 2008
From: benetage at hotmail.com (Mister Anonyme)
Date: Fri, 11 Jul 2008 14:39:04 -0400
Subject: [Fedora-directory-users] Configuration Directory Server failover
Message-ID: 

Hi,

I installed and configured many LDAP servers in a multi-master environment.
Works very well.

Now, I want to do a failover of the Configuration Directory Server between
two masters, just in case. I tried to follow the instructions right here:
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-ADS-for-Failover.html

It's just as clear as mud... I would really like to have a real-life
scenario example to help me because I'm struggling to configure it and it
doesn't work at all.

For example, step 1 instructs us to create a file.inf and 4 ldif files:

0.- file.inf

FullMachineName = MY FULL HOSTNAME
AdminDomain = MY DOMAIN NAME
SuiteSpotUserID = nobody
SuiteSpotGroup = nobody
ConfigDirectoryLdapURL = ldap://MY FULL HOSTNAME:389/o=NetscapeRoot
ConfigDirectoryAdminID = admin
ConfigDirectoryAdminPwd = MY PASSWORD

[admin]
ServerAdminID = admin
ServerAdminPwd = MY PASSWORD
SysUser = nobody
ServerIpAddress = MY SERVER IP ADDRESS
Port = 9830

[slapd]
InstallLdifFile = suggest
ServerIdentifier = MY SERVER HOSTNAME
ServerPort = 389
AddOrgEntries = Yes
RootDN = cn=Directory Manager
RootDNPwd = MY DS PASSWORD
SlapdConfigForMC = yes
Suffix = dc=EXAMPLE, dc=NET
UseExistingMC = 0
AddSampleEntries = Yes
ConfigFile = repluser.ldif
ConfigFile = changelog.ldif
ConfigFile = replica.ldif
ConfigFile = replagreement.ldif

1.- repluser.ldif

dn: cn=replication manager,cn=config
changetype: add
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: replication manager
sn: RM
userPassword: MY ENCRYPTED PASSWORD
passwordExpirationTime: 20380119031407Z

2.- changelog.ldif

dn: cn=changelog5,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: changelog5
nsslapd-changelogdir: /var/lib/dirsrv/slapd-MYINSTANCE/changelogdb

3.- replica.ldif

dn: cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsds5replica
objectclass: extensibleObject
cn: replica
nsds5replicaroot: o=NetscapeRoot
nsds5replicaid: 1
nsds5replicatype: 3
nsds5flags: 1
nsds5ReplicaPurgeDelay: 604800
nsds5ReplicaBindDN: cn=replication manager,cn=config

4.- replagreement.ldif

dn: cn=replication_netscaperoot,cn=replica,cn="o=Netscaperoot",cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsds5replicationagreement
cn: replication_netscaperoot
nsds5replicahost: SECONDARY LDAP SERVER HOSTNAME
nsds5replicaport: 389
nsds5ReplicaBindDN: cn=replication manager
nsds5replicabindmethod: SIMPLE
nsds5replicaroot: o=Netscaperoot
description: replication netscaperoot
nsds5replicacredentials: ENCRYPTEDPASSWORD
nsds5BeginReplicaRefresh: start

Then, I ran:

/usr/sbin/setup-ds-admin.pl -s -f file.inf

It went without errors. And then... I don't see any replica nor replica
agreement. Even the user "cn=replication manager,cn=config" doesn't appear
in the console.

So, I'm wondering if any of you has succeeded in configuring a
replication/failover of o=NetscapeRoot? If yes, I would greatly appreciate
it if you could put your examples in a real-life scenario; it would help me
a lot.

Thank you very much!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From solarflow99 at gmail.com Mon Jul 14 10:16:20 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Mon, 14 Jul 2008 11:16:20 +0100
Subject: [Fedora-directory-users] Accessing Management Console
In-Reply-To: <20080711181250.GA26243@ns.sdsitehosting.net>
References: <20080711181250.GA26243@ns.sdsitehosting.net>
Message-ID: <7020fd000807140316o4752e488n71ae85334e96406c@mail.gmail.com>

On 7/11/08, John Oliver wrote:
> 
> fedora-idm-console asks me for User ID and Password (which I should
> have), but wants an "Administration URL" as well. So far, nothing is
> working. I've tried http://localhost/ http://localhost:9830 and my FQDN
> as well as FQDN:9830 None work. What does it want? I've tried against
> two servers that I can access 9830 via a web browser. It always says:
> 
> Cannot connect to the Admin Server "http:/"
> The URL is not correct or the server is not running
> 
> It says it just like that... "http:/" Almost like it cannot read past
> six characters.

It works for me. What system and what command are you running? Also what
java?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From doug.mallory at tempurpedic.com Mon Jul 14 11:37:07 2008
From: doug.mallory at tempurpedic.com (Mallory, Doug (TPUSA))
Date: Mon, 14 Jul 2008 07:37:07 -0400
Subject: [Fedora-directory-users] Getting closer getting apassword policyexport
In-Reply-To: <4876B752.5060504@redhat.com>
References: <20080710180923.GA19668@ns.sdsitehosting.net> <487665A9.10908@redhat.com> <48768D8B.3050703@redhat.com> <4876B752.5060504@redhat.com>
Message-ID: 

Using this command it returns nothing

ldapsearch -s dc=twi,dc=dom -b cn=config

Doug

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
Sent: Thursday, July 10, 2008 9:29 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Getting closer getting apassword policyexport

Mallory, Doug (TPUSA) wrote:
>> anyone know how I can get an export of the current password policy?
>> 
> You had sent out a previous email with the list of attributes. The list
> 
> from the current schema is correct - looks like the admin guide doesn't
> have the new ones. The others are documented here -
> http://directory.fedoraproject.org/wiki/Password_Syntax
> 
>> Or
>> 
> 
> I can see the schema. I just need to see what the current settings are or
> export them to a flat file and can give the auditors. (ldif would work)
> 
ldapsearch -s base -b cn=config
then just grab those attributes from the LDIF output
> Doug
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> 

From doug.mallory at tempurpedic.com Mon Jul 14 12:06:24 2008
From: doug.mallory at tempurpedic.com (Mallory, Doug (TPUSA))
Date: Mon, 14 Jul 2008 08:06:24 -0400
Subject: [Fedora-directory-users] Getting closer getting a password policyexport
In-Reply-To: <48769C50.1070504@redhat.com>
References: <20080710180923.GA19668@ns.sdsitehosting.net> <487665A9.10908@redhat.com> <48769C50.1070504@redhat.com>
Message-ID: 

I have installed the console on my Winders workstation and pointed it to
the server on port 1500. I can log into the console but I don't see the
servers and applications like I see running it from the server. Am I
missing a step? I was hoping running it from my workstation I could see
the panel.

Doug Mallory

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Nathan Kinder
Sent: Thursday, July 10, 2008 7:34 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Getting closer getting a password policyexport

Mallory, Doug (TPUSA) wrote:
> I have managed to get the Fedora Directory server console loaded and running
> and when I go to the directory tab I see manage password policy. But when I
> select it the window pops up and quickly clears to a blank window. Does
> anyone know how I can get an export of the current password policy? Or
> even a screen shot at this point that is not blank. (I am connecting to
> the server through VNC)
> 
Try expanding the dialog window to the right. I've seen something similar
before with specific JREs where the dialog is smaller than the contents, so
it displays nothing.
> Doug Mallory
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> 

From rmeggins at redhat.com Mon Jul 14 13:01:28 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 14 Jul 2008 07:01:28 -0600
Subject: [Fedora-directory-users] Getting closer getting apassword policyexport
In-Reply-To: 
References: <20080710180923.GA19668@ns.sdsitehosting.net> <487665A9.10908@redhat.com> <48768D8B.3050703@redhat.com> <4876B752.5060504@redhat.com>
Message-ID: <487B4E28.5090300@redhat.com>

Mallory, Doug (TPUSA) wrote:
> Using this command it returns nothing
> ldapsearch -s dc=twi,dc=dom -b cn=config
> 
You have to authenticate as a privileged user - try

ldapsearch -x -D "cn=directory manager" -w thepassword -s base -b "cn=config" "objectclass=*"

> Doug
> 
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich
> Megginson
> Sent: Thursday, July 10, 2008 9:29 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Getting closer getting apassword
> policyexport
> 
> Mallory, Doug (TPUSA) wrote:
> 
>>> anyone know how I can get an export of the current password policy?
>>> 
>> You had sent out a previous email with the list of attributes. The list
>> from the current schema is correct - looks like the admin guide doesn't
>> have the new ones. The others are documented here -
>> http://directory.fedoraproject.org/wiki/Password_Syntax
>> 
>>> Or
>>> 
>> I can see the schema. I just need to see what the current settings are or
>> export them to a flat file and can give the auditors. (ldif would work)
>> 
> ldapsearch -s base -b cn=config
> then just grab those attributes from the LDIF output
> 
>> Doug
>> 
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>> 
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: 

From doug.mallory at tempurpedic.com Mon Jul 14 14:19:32 2008
From: doug.mallory at tempurpedic.com (Mallory, Doug (TPUSA))
Date: Mon, 14 Jul 2008 10:19:32 -0400
Subject: [Fedora-directory-users] Getting closergetting apassword policyexport
In-Reply-To: <487B4E28.5090300@redhat.com>
References: <20080710180923.GA19668@ns.sdsitehosting.net> <487665A9.10908@redhat.com> <48768D8B.3050703@redhat.com> <4876B752.5060504@redhat.com> <487B4E28.5090300@redhat.com>
Message-ID: 

This is what I have now and it does not like the syntax.

ldapsearch -x -D "cn=directory manager" -w LDSPASSWORD!
-s dc=twi,dc=dom -b cn=config "objectclass=*"

Doug Mallory, CISM, CISSP
Sr Network Security Engineer
Cell 859-420-5609
Office 859-514-4833
Fax 859-514-5833

From rmeggins at redhat.com Mon Jul 14 14:22:39 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 14 Jul 2008 08:22:39 -0600
Subject: [Fedora-directory-users] Getting closergetting apassword policyexport
In-Reply-To:
References: <20080710180923.GA19668@ns.sdsitehosting.net> <487665A9.10908@redhat.com> <48768D8B.3050703@redhat.com> <4876B752.5060504@redhat.com> <487B4E28.5090300@redhat.com>
Message-ID: <487B612F.8050808@redhat.com>

Mallory, Doug (TPUSA) wrote:
> This is what I have now and it does not like the syntax.
>
> ldapsearch -x -D "cn=directory manager" -w LDSPASSWORD! -s dc=twi,dc=dom
> -b cn=config "objectclass=*"
>
Ah, I see - when I say "-s base" I mean that literally, not "-s "

> Doug Mallory, CISM, CISSP
> Sr Network Security Engineer

From doug.mallory at tempurpedic.com Mon Jul 14 14:25:59 2008
From: doug.mallory at tempurpedic.com (Mallory, Doug (TPUSA))
Date: Mon, 14 Jul 2008 10:25:59 -0400
Subject: [Fedora-directory-users]Getting closergetting apassword policyexport
In-Reply-To: <487B612F.8050808@redhat.com>
References: <20080710180923.GA19668@ns.sdsitehosting.net> <487665A9.10908@redhat.com> <48768D8B.3050703@redhat.com> <4876B752.5060504@redhat.com> <487B4E28.5090300@redhat.com> <487B612F.8050808@redhat.com>
Message-ID:

That got what I was looking for. Thanks!

Doug Mallory

From beyonddc.storage at gmail.com Mon Jul 14 15:19:04 2008
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Mon, 14 Jul 2008 11:19:04 -0400
Subject: [Fedora-directory-users] Question on monitoring authorization
In-Reply-To: <48768E17.8080705@redhat.com>
References: <20e4c38c0807070821i10221e0fx508a14196f7f9c75@mail.gmail.com> <48768E17.8080705@redhat.com>
Message-ID: <20e4c38c0807140819j482d4d61w18e26c8a14e0b081@mail.gmail.com>

Rich,

Thanks for the information.

David

On Thu, Jul 10, 2008 at 6:32 PM, Rich Megginson wrote:
> Chun Tat David Chu wrote:
>> Hi all,
>>
>> I've a question on monitoring authorization.
>>
>> When a user without sufficient privileges performs a search request on
>> the LDAP, the user will receive an empty result from the LDAP.
>> I followed the instruction from the Red Hat Directory Server
>> Administrator's Guide and set the access mode to 777 to log all read, write
>> and execute commands.
>>
>> When I look at the log of an unauthorized user, all I see is the following
>> [07/Jul/2008:11:08:37 -0400] conn=42 op=81 SRCH base="ou=sandbox,ou=my_test,dc=example,dc=com" scope=1 filter="(objectClass=*)" attrs="objectClass javaClassName"
>> [07/Jul/2008:11:08:37 -0400] conn=42 op=81 RESULT err=0 tag=101 nentries=0 etime=0
>>
>> The log doesn't indicate any authorization error.
>> I was wondering if
>> there's additional settings that I can set on Fedora DS so I can easily tell
>> if a user is not authorized to perform a search operation on the LDAP.
>>
> In general, no. However, you could use Get Effective Rights -
> http://www.redhat.com/docs/manuals/dir-server/release-notes/ger.html
>
>> Thanks!
>>
>> - David

From gene.poole at macys.com Mon Jul 14 17:38:55 2008
From: gene.poole at macys.com (Gene Poole)
Date: Mon, 14 Jul 2008 13:38:55 -0400
Subject: [Fedora-directory-users] Fedora DS Installation
Message-ID:

I would like to install the latest release of Fedora Directory Server onto a
specific filesystem. Does anyone know how this can be done? Is it possible
using RPM?

TIA,
Gene Poole

From richzendy at gmail.com Tue Jul 15 02:08:46 2008
From: richzendy at gmail.com (Edwind Richzendy Contreras Soto)
Date: Tue, 15 Jul 2008 21:38:46 +1930
Subject: [Fedora-directory-users] Fedora DS Installation
In-Reply-To:
References:
Message-ID: <90ba020d0807141908q3f65f956g8bb4920dd221908d@mail.gmail.com>

2008/7/15 Gene Poole :
>
> I would like to install the latest release of Fedora Directory Server onto a
> specific filesystem. Does anyone know how this can be done? Is it possible
> using RPM?
>
Perhaps you may have some problem, just try it, the worst that can happen is
to get a segment of fault.

> TIA,
> Gene Poole

From lbigum at iseek.com.au Tue Jul 15 07:22:27 2008
From: lbigum at iseek.com.au (Luke Bigum)
Date: Tue, 15 Jul 2008 17:22:27 +1000
Subject: [Fedora-directory-users] replication spam
Message-ID: <50A3F7088FE1A14FB0CF57A22487388679A06FA98A@EXCHANGE1.intranet.iseek.com.au>

Hi guys, has anyone come across this error before? It starts about a minute
after restarting the directory server and repeats every second.

[15/Jul/2008:17:03:05 +1000] NSMMReplicationPlugin - changelog program - libdb: f9d40083-1dd111b2-b30d81db-66a20000_48337401000000010000.db4: unable to flush: No such file or directory
[15/Jul/2008:17:03:05 +1000] NSMMReplicationPlugin - changelog program - libdb: txn_checkpoint: failed to flush the buffer cache No such file or directory

It's only seen with replication debug logging on, however I don't want to
disable this logging as it's helping me catch an MMR bug:
https://bugzilla.redhat.com/show_bug.cgi?id=442170

On that note, any word on when the fix for
https://bugzilla.redhat.com/show_bug.cgi?id=442170 is getting officially
released?

Thanks,

-Luke

--
Luke Bigum
Systems Administrator
iseek Communications Pty Ltd
Excellence in business data solutions
ph 1300 661 668 fax 1300 661 540
www.iseek.com.au

From kenoh23 at yahoo.fr Tue Jul 15 07:57:56 2008
From: kenoh23 at yahoo.fr (ken oh)
Date: Tue, 15 Jul 2008 07:57:56 +0000 (GMT)
Subject: [Fedora-directory-users] Accessing Management Console
In-Reply-To: <20080711181250.GA26243@ns.sdsitehosting.net>
Message-ID: <505441.74330.qm@web26007.mail.ukl.yahoo.com>

Before starting the fedora-idm-console, did you run the directory server and
admin server?

If not, just enter these commands:
service dirsrv start
service dirsrv-admin start

--- On Fri 11.7.08, John Oliver wrote:

From: John Oliver
Subject: [Fedora-directory-users] Accessing Management Console
To: fedora-directory-users at redhat.com
Date: Friday 11 July 2008, 20:12

fedora-idm-console asks me for User ID and Password (which I should have),
but wants an "Administration URL" as well. So far, nothing is working. I've
tried http://localhost/ http://localhost:9830 and my FQDN as well as
FQDN:9830 None work. What does it want? I've tried against two servers that
I can access 9830 via a web browser. It always says:

Cannot connect to the Admin Server "http:/"
The URL is not correct or the server is not running

It says it just like that... "http:/" Almost like it cannot read past six
characters.

--
***********************************************************************
* John Oliver                              http://www.john-oliver.net/ *
***********************************************************************

From rmeggins at redhat.com Tue Jul 15 14:06:29 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 15 Jul 2008 08:06:29 -0600
Subject: [Fedora-directory-users] Accessing Management Console
In-Reply-To: <20080711181250.GA26243@ns.sdsitehosting.net>
References: <20080711181250.GA26243@ns.sdsitehosting.net>
Message-ID: <487CAEE5.9030306@redhat.com>

John Oliver wrote:
> fedora-idm-console asks me for User ID and Password (which I should
> have), but wants an "Administration URL" as well. So far, nothing is
> working. I've tried http://localhost/ http://localhost:9830 and my FQDN
> as well as FQDN:9830 None work. What does it want? I've tried against
> two servers that I can access 9830 via a web browser. It always says:
>
> Cannot connect to the Admin Server "http:/"
> The URL is not correct or the server is not running
>
> It says it just like that... "http:/" Almost like it cannot read past
> six characters.
>
This is usually caused by using the wrong version of java. What platform
are you on? Note that if you are not using Fedora 8 or later, you will have
to install a proprietary java and configure it - see
http://directory.fedoraproject.org/wiki/Install_Guide#Java_is_required_for_the_console

From rmeggins at redhat.com Tue Jul 15 14:07:23 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 15 Jul 2008 08:07:23 -0600
Subject: [Fedora-directory-users] Creating backup LDAP server.
In-Reply-To: <20080711153628.GB19222@ns.sdsitehosting.net>
References: <20080710180923.GA19668@ns.sdsitehosting.net> <487665A9.10908@redhat.com> <20080710215944.GB31584@ns.sdsitehosting.net> <48768AB4.6080400@redhat.com> <20080710225205.GA1584@ns.sdsitehosting.net> <20080710233052.GB1584@ns.sdsitehosting.net> <4876B75F.5030202@redhat.com> <20080711153628.GB19222@ns.sdsitehosting.net>
Message-ID: <487CAF1B.5050803@redhat.com>

John Oliver wrote:
> On Thu, Jul 10, 2008 at 07:29:03PM -0600, Rich Megginson wrote:
>> John Oliver wrote:
>>> I want to wind up with a working backup of slapd-unix-services so if
>>> that machine takes a crap, I can just bring up an interface with its IP
>>> address on slapd-unix-services2 and keep LDAP authentication working
>>> while I puzzle out what went wrong on the first server.
>>>
>> Replication?
>>
> For some reason, I thought that'd be more trouble to set up than what I
> was trying :-)
>
> Is
> http://www.redhat.com/docs/manuals/dir-server/ag/replicat.htm#pgfId-1027091
> the best doc to use to learn more?
>
I suggest using the 8.0 version of the guide instead -
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/index.html

> Thanks for all your help, Rich!

From rmeggins at redhat.com Tue Jul 15 14:13:42 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 15 Jul 2008 08:13:42 -0600
Subject: [Fedora-directory-users] Fedora DS Installation
In-Reply-To:
References:
Message-ID: <487CB096.5010208@redhat.com>

Gene Poole wrote:
>
> I would like to install the latest release of Fedora Directory Server
> onto a specific filesystem. Does anyone know how this can be done?
> Is it possible using RPM?
>
Not using RPM. The pre-built RPMS available from Fedora and our web site use
a strict FHS layout - http://directory.fedoraproject.org/wiki/FHS_Packaging

However, when you run setup, you have a great deal of flexibility about
where to put files/directories - unfortunately, you will have to read the
code in /usr/lib/dirsrv/perl/DSCreate.pm to see what all of those options
are, and you will have to create an install.inf file to specify all of the
customized paths - take a look at the setDefaults() function in DSCreate.pm

> TIA,
> Gene Poole
From rmeggins at redhat.com Tue Jul 15 14:34:09 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 15 Jul 2008 08:34:09 -0600
Subject: [Fedora-directory-users] replication spam
In-Reply-To: <50A3F7088FE1A14FB0CF57A22487388679A06FA98A@EXCHANGE1.intranet.iseek.com.au>
References: <50A3F7088FE1A14FB0CF57A22487388679A06FA98A@EXCHANGE1.intranet.iseek.com.au>
Message-ID: <487CB561.10304@redhat.com>

Luke Bigum wrote:
>
> Hi guys, has anyone come across this error before? It starts about a
> minute after restarting the directory server and repeats every second.
>
> [15/Jul/2008:17:03:05 +1000] NSMMReplicationPlugin - changelog program
> - libdb: f9d40083-1dd111b2-b30d81db-66a20000_48337401000000010000.db4:
> unable to flush: No such file or directory
>
> [15/Jul/2008:17:03:05 +1000] NSMMReplicationPlugin - changelog program
> - libdb: txn_checkpoint: failed to flush the buffer cache No such file
> or directory
>
Do the messages eventually stop, once you have some actual new changes to
replicate?

> It's only seen with replication debug logging on, however I don't want
> to disable this logging as it's helping me catch an MMR bug:
> https://bugzilla.redhat.com/show_bug.cgi?id=442170
>
Ok. That shouldn't be necessary any more, we've got a pretty good idea of
what the problem is.

> On that note, any word on when the fix for
> https://bugzilla.redhat.com/show_bug.cgi?id=442170 is getting
> officially released?
>
Soon.

> Thanks,
>
> -Luke

From rmeggins at redhat.com Thu Jul 17 02:35:59 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 16 Jul 2008 20:35:59 -0600
Subject: [Fedora-directory-users] Configuration Directory Server failover
In-Reply-To:
References:
Message-ID: <487EB00F.10302@redhat.com>

Mister Anonyme wrote:
> Hi,
>
> I installed and configured many LDAP servers in a multi-master
> environment. Work very well.
>
> Now, I want to do a failover of the Configuration Directory Server
> between two masters, just in case. I tried to follow the instructions
> right here:
>
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-ADS-for-Failover.html
>
> It's just as clear as mud...
>
> I would really like to have a real-life scenario example to help me
> because I'm struggling to configure it and it doesn't work at all.
>
> For example, step 1 instructs us to create a file.inf and 4 ldif files:
>
> 0.- file.inf
>
> FullMachineName = MY FULL HOSTNAME
> AdminDomain = MY DOMAIN NAME
> SuiteSpotUserID = nobody
> SuiteSpotGroup = nobody
> ConfigDirectoryLdapURL = ldap://MY FULL HOSTNAME:389/o=NetscapeRoot
> ConfigDirectoryAdminID = admin
> ConfigDirectoryAdminPwd = MY PASSWORD
>
> [admin]
> ServerAdminID = admin
> ServerAdminPwd = MY PASSWORD
> SysUser = nobody
> ServerIpAddress = MY SERVER IP ADDRESS
> Port = 9830
>
> [slapd]
> InstallLdifFile = suggest
> ServerIdentifier = MY SERVER HOSTNAME
> ServerPort = 389
> AddOrgEntries = Yes
> RootDN = cn=Directory Manager
> RootDNPwd = MY DS PASSWORD
> SlapdConfigForMC = yes
> Suffix = dc=EXAMPLE, dc=NET
> UseExistingMC = 0
> AddSampleEntries = Yes
> ConfigFile = repluser.ldif
> ConfigFile = changelog.ldif
> ConfigFile = replica.ldif
> ConfigFile = replagreement.ldif
>
> 1.- repluser.ldif
>
> dn: cn=replication manager,cn=config
> changetype: add
> objectClass: inetorgperson
> objectClass: person
> objectClass: top
> cn: replication manager
> sn: RM
> userPassword: MY ENCRYPTED PASSWORD
> passwordExpirationTime: 20380119031407Z
>
> 2.- changelog.ldif
>
> dn: cn=changelog5,cn=config
> changetype: add
> objectclass: top
> objectclass: extensibleObject
> cn: changelog5
> nsslapd-changelogdir: /var/lib/dirsrv/slapd-MYINSTANCE/changelogdb
>
> 3.- replica.ldif
>
> dn: cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
> changetype: add
> objectclass: top
> objectclass: nsds5replica
> objectclass: extensibleObject
> cn: replica
> nsds5replicaroot: o=NetscapeRoot
> nsds5replicaid: 1
> nsds5replicatype: 3
> nsds5flags: 1
> nsds5ReplicaPurgeDelay: 604800
> nsds5ReplicaBindDN: cn=replication manager,cn=config
>
> 4.- replagreement.ldif
>
> dn: cn=replication_netscaperoot,cn=replica,cn="o=Netscaperoot",cn=mapping tree,cn=config
> changetype: add
> objectclass: top
> objectclass: nsds5replicationagreement
> cn: replication_netscaperoot
> nsds5replicahost: SECONDARY LDAP SERVER HOSTNAME
> nsds5replicaport: 389
> nsds5ReplicaBindDN: cn=replication manager
> nsds5replicabindmethod: SIMPLE
> nsds5replicaroot: o=Netscaperoot
> description: replication netscaperoot
> nsds5replicacredentials: ENCRYPTEDPASSWORD
> nsds5BeginReplicaRefresh: start
>
> Then, I ran: /usr/sbin/setup-ds-admin.pl -s -f file.inf
>
> It went without errors.
>
Try setup-ds-admin.pl -ddd

Do you see those replica entries in /etc/dirsrv/slapd-instancename/dse.ldif ?

> And then... I don't see any replica nor replica agreement. Even the
> user "cn=replication manager,cn=config" doesn't appear in the console.
>
> So, I'm wondering if any of you has succeeded to configure a
> replication/failover of o=NetscapeRoot ? If yes, I would greatly
> appreciate it if you could put your examples in a real-life scenario, it
> would help me a lot.
>
> Thank you very much!

From kenoh23 at yahoo.fr Thu Jul 17 07:33:52 2008
From: kenoh23 at yahoo.fr (ken oh)
Date: Thu, 17 Jul 2008 07:33:52 +0000 (GMT)
Subject: [Fedora-directory-users] Single master or multiple master for Active Directory Sync
Message-ID: <199126.62853.qm@web26006.mail.ukl.yahoo.com>

Hello everybody,

I would like to know what's the best replica role option between single
master and multiple master when you configure the database for an Active
Directory sync.

I've got another question: Is it possible to synchronize AD and FDS if AD is
in native mode?
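An added example, not code from the list threads or from the Fedora DS project, that serves two of the threads above: Rich's advice to run the cn=config base search and grab the password attributes out of the LDIF for the auditors, and his question of whether the replica entries actually show up in dse.ldif after the setup-ds-admin.pl run. It assumes the LDIF text has already been saved to a file (the script does not run ldapsearch itself), and the two LDIF inputs embedded in it are constructed samples with placeholder values.

```python
"""Added example, not code from the thread or from Fedora DS: one small LDIF
reader serving two checks from the threads above. extract_password_policy()
pulls the global password-policy attributes out of the cn=config base search
(policy_as_ldif() writes them back out as a flat file for the auditors), and
find_replica_entries() lists the nsds5replica / nsds5replicationagreement
entries a dse.ldif holds. Both LDIF inputs below are constructed samples."""
import base64
from typing import Dict, List


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """LDIF -> entries mapping lower-cased attribute name -> list of values.
    Handles folded lines, comments, a leading version: line and attr:: base64."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]        # continuation line: unfold it
        else:
            logical.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in logical + [""]:           # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue                      # comment or not an attribute line
        name = name.strip().lower()
        if name == "version" and not current:
            continue                      # "version: 1" header, not an attribute
        if value.startswith(":"):         # "attr:: <base64>" form
            value = base64.b64decode(value[1:]).decode("utf-8")
        current.setdefault(name, []).append(value.strip())
    return entries


def _first(entry: Dict[str, List[str]], attr: str) -> str:
    return entry.get(attr, ["?"])[0]


def extract_password_policy(search_ldif: str) -> Dict[str, str]:
    """password* / passwd* attributes of cn=config (single-valued), else {}."""
    for entry in parse_ldif(search_ldif):
        if _first(entry, "dn").lower() == "cn=config":
            return {n: v[0] for n, v in entry.items()
                    if n.startswith(("password", "passwd"))}
    return {}


def policy_as_ldif(policy: Dict[str, str]) -> str:
    """Render the extracted policy as an LDIF fragment for the auditors."""
    body = [f"{name}: {value}" for name, value in sorted(policy.items())]
    return "\n".join(["dn: cn=config"] + body) + "\n"


def find_replica_entries(dse_ldif: str) -> List[Dict[str, str]]:
    """Summarise the replica and agreement entries present in a dse.ldif."""
    found: List[Dict[str, str]] = []
    for entry in parse_ldif(dse_ldif):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        kind = ("replica" if "nsds5replica" in classes else
                "agreement" if "nsds5replicationagreement" in classes else "")
        if kind:
            found.append({"kind": kind, "dn": _first(entry, "dn"),
                          "root": _first(entry, "nsds5replicaroot"),
                          "replicaid": _first(entry, "nsds5replicaid"),
                          "peer": _first(entry, "nsds5replicahost"),
                          "binddn": _first(entry, "nsds5replicabinddn")})
    return found


# Constructed sample of the cn=config base search output: real attribute
# names, one folded line and one base64 value; not from any real server.
CONFIG_SEARCH_LDIF = """\
version: 1
dn: cn=config
nsslapd-accesslog: /var/log/dirsrv/slapd-exa
 mple/access
description:: R2xvYmFsIHBhc3N3b3JkIHBvbGljeQ==
passwordMinLength: 8
passwordInHistory: 6
passwordLockout: on
passwordMaxFailure: 5
passwordStorageScheme: SSHA
"""

# Constructed sample of what the failover setup should leave in dse.ldif
# under cn=mapping tree,cn=config; the peer hostname is a placeholder.
DSE_LDIF = """\
dn: cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
objectClass: nsds5replica
objectClass: extensibleObject
nsds5replicaroot: o=NetscapeRoot
nsds5replicaid: 1
nsds5ReplicaBindDN: cn=replication manager,cn=config

dn: cn=replication_netscaperoot,cn=replica,cn="o=NetscapeRoot",cn=mapping
  tree,cn=config
objectClass: nsds5replicationagreement
nsds5replicahost: ldap2.example.net
nsds5replicaroot: o=NetscapeRoot
"""
```

Redirect the cn=config search from the thread into a file and hand that text to extract_password_policy(); for the replica check, read a copy of /etc/dirsrv/slapd-instancename/dse.ldif rather than the live file, since the server rewrites it on configuration changes.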
From andrew+rhlists at dingman.org Thu Jul 17 11:13:15 2008
From: andrew+rhlists at dingman.org (Andrew C. Dingman)
Date: Thu, 17 Jul 2008 07:13:15 -0400
Subject: [Fedora-directory-users] Single master or multiple master for Active Directory Sync
In-Reply-To: <199126.62853.qm@web26006.mail.ukl.yahoo.com>
References: <199126.62853.qm@web26006.mail.ukl.yahoo.com>
Message-ID: <1216293195.24506.577.camel@phorkys>

On Thu, 2008-07-17 at 07:33 +0000, ken oh wrote:
> I would like to know what's the best replica role option between
> single master and multiple master when you configure the database for
> an Active Directory sync.
>
> I've got another question : Is it possible to synchronize AD and FDS
> if AD is in native mode ?

Yes, I've done this with Red Hat Directory Server. AD in native mode looks
from the outside like a slightly quirky LDAP server with oddball schema,
paired with a slightly quirky Kerberos infrastructure. That's a lot easier
to deal with than old-style NT domains, as I understand it.

As for the replication bit, I'd set that up however makes sense for the FDS
deployment. I don't think it's going to make much difference to the AD sync,
though AD sync with one master is all you need.

From omight at gmail.com Thu Jul 17 11:19:18 2008
From: omight at gmail.com (omight)
Date: Thu, 17 Jul 2008 13:19:18 +0200
Subject: [Fedora-directory-users] password sync documentation
Message-ID:

Hi,

I'm trying to follow the documentation to setup synchronisation to windows
active directory.

From the documentation:
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html

[quote]
2. Create a new cert8.db and key.db using certutil.exe on the Password Sync
machine.

certutil.exe -d . -N
ln -s slapd-serverID-cert8.db cert8.db
ln -s slapd-serverID-key3.db key3.db
[/quote]

If I execute that in a new directory:

# certutil.exe -d . -N
# ln -s slapd-rhds-cert8.db cert8.db
ln: creating symbolic link `cert8.db' to `slapd-rhds-cert8.db': File exists

I don't follow why the ln -s should be executed? Why not start with part 3:

On the Directory Server, export the server certificate using pk12util.
pk12util -d . -o servercert.pfx -n Server-Cert

Because SSL is already configured on this linux machine, so I guess I can
use the server-cert from that cert8.db?

Can someone clarify/confirm this? Thanks!

From rmeggins at redhat.com Thu Jul 17 14:39:26 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 17 Jul 2008 08:39:26 -0600
Subject: [Fedora-directory-users] password sync documentation
In-Reply-To:
References:
Message-ID: <487F599E.2090503@redhat.com>

omight wrote:
> Hi,
> I'm trying to follow the documentation to setup synchronisation to
> windows active directory.
> From the documentation:
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html
> [quote]
> 2. Create a new cert8.db and key.db using certutil.exe on the Password
> Sync machine.
> certutil.exe -d . -N
> ln -s slapd-serverID-cert8.db cert8.db
> ln -s slapd-serverID-key3.db key3.db
> [/quote]
>
> If I execute that in a new directory:
> # certutil.exe -d . -N
> # ln -s slapd-rhds-cert8.db cert8.db
> ln: creating symbolic link `cert8.db' to `slapd-rhds-cert8.db': File exists
>
> I don't follow why the ln -s should be executed? Why not start with part 3:
> On the Directory Server, export the server certificate using pk12util.
> pk12util -d . -o servercert.pfx -n Server-Cert
>
Yes. It looks like that section of the docs has not been updated for RHDS
8.0/Fedora DS 1.1. The key/cert db do not have a prefix anymore, so the ln
-s step should be omitted.
> Because SSL is already configured on this linux machine, so I guess I > can use the server-cert from that cert8.db? > Can someone clarify/confirm this? Thanks! > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From hicheerup at gmail.com Thu Jul 17 18:31:22 2008 From: hicheerup at gmail.com (lingu) Date: Fri, 18 Jul 2008 00:01:22 +0530 Subject: [Fedora-directory-users] password sync documentation In-Reply-To: References: Message-ID: <29e045b80807171131g459351c2gfff0f7753f84160d@mail.gmail.com> HI, Instead of creating symbolic links u can create all certificates in one directory and copy into the directory instance directory.For example copy all certficates inito /etc/dirsrv/slapd-xxx/.If any file is already existing it will ask u for overwrite while copying tell yes to all. Recently i implemented the user and pass sync from windows 2003 AD box.If you have any query mail me back. Regards lingu On Thu, Jul 17, 2008 at 4:49 PM, omight wrote: > Hi, > I'm trying to follow the documentation to setup synchronisation to > windows active directory. > >From the documentation: > > http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html > [quote] > 2. Create a new cert8.db and key.db using certutil.exe on the Password > Sync machine. > certutil.exe -d . -N > ln -s slapd-serverID-cert8.db cert8.db > ln -s slapd-serverID-key3.db key3.db > [/quote] > > If I execute that in a new directory: > # certutil.exe -d . -N > # ln -s slapd-rhds-cert8.db cert8.db > ln: creating symbolic link `cert8.db' to `slapd-rhds-cert8.db': File exists > > I don't follow why the ln -s should be executed? 
> Why not start with part 3:
> On the Directory Server, export the server certificate using pk12util.
> pk12util -d . -o servercert.pfx -n Server-Cert
>
> Because SSL is already configured on this linux machine, so I guess I
> can use the server-cert from that cert8.db?
> Can someone clarify/confirm this? Thanks!

From gene.poole at macys.com Mon Jul 21 15:16:32 2008
From: gene.poole at macys.com (Gene Poole)
Date: Mon, 21 Jul 2008 11:16:32 -0400
Subject: [Fedora-directory-users] Fedora DS Installation

I would like to install the latest release of Fedora Directory Server onto a specific filesystem. Does anyone know how this can be done? Is it possible using RPM?

Thanks,
Gene Poole

From rmeggins at redhat.com Mon Jul 21 15:50:35 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 21 Jul 2008 09:50:35 -0600
Subject: [Fedora-directory-users] Fedora DS Installation
Message-ID: <4884B04B.90009@redhat.com>

Gene Poole wrote:
>
> I would like to install the latest release of Fedora Directory Server
> onto a specific filesystem.
Can you describe exactly what you are trying to do?

> Does anyone know how this can be done? Is it possible using RPM?
Not directly with RPM. The Fedora DS RPMs we provide are not relocatable. They abide by the FHS - http://directory.fedoraproject.org/wiki/FHS_Packaging

If you want to build it from source, you can provide a specific prefix or use the default prefix /opt/fedora-ds.

There may be other ways to achieve what you want to do. Please provide more details.
>
> Thanks,
> Gene Poole

From gene.poole at macys.com Mon Jul 21 17:20:28 2008
From: gene.poole at macys.com (Gene Poole)
Date: Mon, 21 Jul 2008 13:20:28 -0400
Subject: [Fedora-directory-users] Re: Fedora DS Installation
In-Reply-To: <20080721160007.7CF3D61A9FF@hormel.redhat.com>

Rich Megginson wrote:
>
> Can you describe exactly what you are trying to do?
>
> Not directly with RPM. The Fedora DS RPMs we provide are not
> relocatable. They abide by the FHS -
> http://directory.fedoraproject.org/wiki/FHS_Packaging
>
> If you want to build it from source, you can provide a specific prefix
> or use the default prefix /opt/fedora-ds.
>
> There may be other ways to achieve what you want to do. Please provide
> more details.
>
If you remember, older releases came as tarballs, which allowed me to determine where I wanted the software and create a file system ahead of time. Since it started using RPMs, I can no longer build a server and create all of the file systems ahead of time, because how will I know if they decide to move it next week? next month? next year?

Thanks,
Gene Poole

From rmeggins at redhat.com Mon Jul 21 17:51:50 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 21 Jul 2008 11:51:50 -0600
Subject: [Fedora-directory-users] Re: Fedora DS Installation
Message-ID: <4884CCB6.9000702@redhat.com>

Gene Poole wrote:
>
> Rich Megginson wrote:
> >
> > Can you describe exactly what you are trying to do?
> >
> > Not directly with RPM.
> > The Fedora DS RPMs we provide are not
> > relocatable. They abide by the FHS -
> > http://directory.fedoraproject.org/wiki/FHS_Packaging
> >
> > If you want to build it from source, you can provide a specific prefix
> > or use the default prefix /opt/fedora-ds.
> >
> > There may be other ways to achieve what you want to do. Please provide
> > more details.
> >
>
> If you remember, older releases came as tarballs, which allowed me to
> determine where I wanted the software and create a file system ahead
> of time. Since it started using RPMs, I can no longer build a server
> and create all of the file systems ahead of time, because how will I
> know if they decide to move it next week? next month? next year?
Some of the directories have always been configurable - log file directory, database directory - so those could be changed to a different filesystem, even in the old format - not during setup, but afterwards. And those are the file systems which you will usually have to worry about, in terms of performance and having enough space.

>
> Thanks,
> Gene Poole

From Soeren.Malchow at interone.de Mon Jul 21 20:01:16 2008
From: Soeren.Malchow at interone.de (Sören Malchow)
Date: Mon, 21 Jul 2008 22:01:16 +0200
Subject: [Fedora-directory-users] Malchow, Sören is out of the office.

I will be out of the office starting 08.07.2008 and will not return until 28.07.2008.
Please contact Guenther Kreuzpaintner ( guenther.kreuzpaintner at interone.de ) instead.

From jbushey at soleocommunications.com Mon Jul 21 20:02:38 2008
From: jbushey at soleocommunications.com (James)
Date: Mon, 21 Jul 2008 16:02:38 -0400
Subject: [Fedora-directory-users] mmr.pl for Fedora DS 1.1
Message-ID: <200807211602.38400.jbushey@soleocommunications.com>

Hi All,

I'm about to set up a Fedora DS 1.1 instance, but I'm unable to find the "new" mmr.pl script. Every link I've found which purports to have the script seems to be broken. Can someone point me at this script?

Thanks,
~James

--
James Bushey
Software Engineer
Soleo Communications
(585) 641-4300 x0050

From rmeggins at redhat.com Mon Jul 21 20:13:23 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 21 Jul 2008 14:13:23 -0600
Subject: [Fedora-directory-users] mmr.pl for Fedora DS 1.1
In-Reply-To: <200807211602.38400.jbushey@soleocommunications.com>
References: <200807211602.38400.jbushey@soleocommunications.com>
Message-ID: <4884EDE3.8050702@redhat.com>

James wrote:
> Hi All,
>
> I'm about to set up a Fedora DS 1.1 instance, but I'm unable to find the "new"
> mmr.pl script. Every link I've found which purports to have the script seems
> to be broken. Can someone point me at this script?
>
You might try this one instead - https://www.redhat.com/archives/fedora-directory-users/2007-December/msg00141.html

> Thanks,
> ~James
>

From mac.gp at email.it Tue Jul 22 10:33:27 2008
From: mac.gp at email.it (Mac.gp)
Date: Tue, 22 Jul 2008 12:33:27 +0200
Subject: [Fedora-directory-users] How to find when a client uses anonymous bind using a plugin

Hello everyone.

I need to intercept when a client tries to bind with an anonymous bind to my ds.
I wrote a simple plugin and registered it as a pre-bind plugin, but it is executed with every kind of bind method except the anonymous one. So I assume that pre-bind plugins aren't executed with an anonymous bind.

So, is there a way to find from a plugin when a client uses the anonymous bind?

Thanks from now

From rcritten at redhat.com Tue Jul 22 12:45:42 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 22 Jul 2008 08:45:42 -0400
Subject: [Fedora-directory-users] mmr.pl for Fedora DS 1.1
In-Reply-To: <4884EDE3.8050702@redhat.com>
References: <200807211602.38400.jbushey@soleocommunications.com> <4884EDE3.8050702@redhat.com>
Message-ID: <4885D676.3060109@redhat.com>

Rich Megginson wrote:
> James wrote:
>> Hi All,
>>
>> I'm about to set up a Fedora DS 1.1 instance, but I'm unable to find
>> the "new" mmr.pl script. Every link I've found which purports to have
>> the script seems to be broken. Can someone point me at this script?
>>
> You might try this one instead -
> https://www.redhat.com/archives/fedora-directory-users/2007-December/msg00141.html
>
>> Thanks,
>> ~James

Perhaps this should replace the one linked at http://directory.fedoraproject.org/wiki/Howto:MultiMasterReplication

rob
From rmeggins at redhat.com Tue Jul 22 17:32:38 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 22 Jul 2008 11:32:38 -0600
Subject: [Fedora-directory-users] How to find when a client uses anonymous bind using a plugin
Message-ID: <488619B6.8070104@redhat.com>

Mac.gp wrote:
> Hello everyone.
> I need to intercept when a client tries to bind with an anonymous bind
> to my ds.
> I wrote a simple plugin and registered it as a pre-bind plugin, but it
> is executed with every kind of bind method except the anonymous one.
> So I assume that pre-bind plugins aren't executed with an anonymous bind.
>
> So, is there a way to find from a plugin when a client uses the
> anonymous bind?
Not exactly. You have to intercept all operations and reject those which have a null or empty string for SLAPI_CONN_DN

>
> Thanks from now
>
From dharmin98 at hotmail.com Wed Jul 23 09:23:52 2008
From: dharmin98 at hotmail.com (Dharmin Mandalia)
Date: Wed, 23 Jul 2008 09:23:52 +0000
Subject: [Fedora-directory-users] SSL issue

Hello

I am new to FDS, trying to configure Directory Server to use SSL. I made a few changes in the Fedora Mgmt Console and now I am getting the error messages below:

# tail -f /var/log/dirsrv/admin-serv/error
[Wed Jul 23 01:54:43 2008] [error] SSL_InheritMPServerSIDCache failed
[Wed Jul 23 01:54:43 2008] [error] SSL Library Error: -8191 Library Failure
[Wed Jul 23 01:54:44 2008] [notice] child pid 3884 exit signal Segmentation fault (11)
[Wed Jul 23 01:54:45 2008] [error] SSL_InheritMPServerSIDCache failed
[Wed Jul 23 01:54:45 2008] [error] SSL Library Error: -8191 Library Failure
[Wed Jul 23 01:54:46 2008] [notice] child pid 3885 exit signal Segmentation fault (11)
[Wed Jul 23 01:54:47 2008] [error] SSL_InheritMPServerSIDCache failed
[Wed Jul 23 01:54:47 2008] [error] SSL Library Error: -8191 Library Failure
[Wed Jul 23 01:54:48 2008] [notice] child pid 3886 exit signal Segmentation fault (11)
[Wed Jul 23 01:54:49 2008] [error] SSL_InheritMPServerSIDCache failed
[Wed Jul 23 01:54:49 2008] [error] SSL Library Error: -8191 Library Failure
[Wed Jul 23 01:54:50 2008] [notice] child pid 3887 exit signal Segmentation fault (11)

and when trying to log in to the Fedora Mgmt Console, the error I get is:
"Cannot login because of incorrect User ID"
"Incorrect Password or Directory Problem "
"java.io.IntruptedIOException: HTTP respose timeout"

I know the username and password are correct.

When I run ps -ef:

nobody 3360 1 0 01:46 ? 00:00:02 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-matrix -i /var/run/dirs
root 3873 1 0 01:54 ? 00:00:00 /usr/sbin/httpd.worker -k start -f /etc/dirsrv/admin-serv/httpd.conf
root 3876 3873 0 01:54 ?
00:00:00 /usr/sbin/httpd.worker -k start -f /etc/dirsrv/admin-serv/httpd.conf

matrix more /etc/redhat-release
Fedora release 9 (Sulphur)

matrix rpm -qa | egrep fedora-*
fedora-ds-admin-1.1.5-1.fc9.i386
ffedora-ds-base-1.1.1-1.fc9.i386
fedora-ds-admin-console-1.1.1-3.fc9.noarch
fedora-idm-console-1.1.1-2.fc9.i386
fedora-ds-1.1.1-3.fc9.i386
fedora-ds-console-1.1.1-3.fc9.noarch

Any help on resolving the issue would be appreciated.

Regards
Dharmin

From rcritten at redhat.com Wed Jul 23 12:48:37 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 23 Jul 2008 08:48:37 -0400
Subject: [Fedora-directory-users] SSL issue
Message-ID: <488728A5.4050408@redhat.com>

Dharmin Mandalia wrote:
> Hello
>
> I am new to FDS, trying to configure Directory Server to use SSL, did few changes in Fedora Mgmt Console and now am getting below error msg :-
>
> # tail -f /var/log/dirsrv/admin-serv/error
>
> [Wed Jul 23 01:54:43 2008] [error] SSL_InheritMPServerSIDCache failed
> [Wed Jul 23 01:54:43 2008] [error] SSL Library Error: -8191 Library Failure
> [Wed Jul 23 01:54:44 2008] [notice] child pid 3884 exit signal Segmentation fault (11)
> [Wed Jul 23 01:54:45 2008] [error] SSL_InheritMPServerSIDCache failed
> [Wed Jul 23 01:54:45 2008] [error] SSL Library Error: -8191 Library Failure
> [Wed Jul 23 01:54:46 2008] [notice] child pid 3885 exit signal Segmentation fault (11)
> [Wed Jul 23 01:54:47 2008] [error] SSL_InheritMPServerSIDCache failed
> [Wed Jul 23 01:54:47 2008] [error] SSL Library Error: -8191 Library Failure
> [Wed Jul 23 01:54:48 2008] [notice] child pid 3886 exit signal Segmentation fault (11)
> [Wed Jul 23 01:54:49 2008] [error] SSL_InheritMPServerSIDCache failed
> [Wed Jul 23 01:54:49 2008] [error] SSL Library Error: -8191 Library Failure
> [Wed Jul 23 01:54:50 2008]
> [notice] child pid 3887 exit signal Segmentation fault (11)
>
> and when trying to login onto Fedora Mgmt Console, error I get is :-
> "Cannot login because of incorrect User ID"
> "Incorrect Password or Directory Problem "
> "java.io.IntruptedIOException: HTTP respose timeout"
>
> I know the username and password is correct.
>
> when run ps -ef
>
> nobody 3360 1 0 01:46 ? 00:00:02 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-matrix -i /var/run/dirs
> root 3873 1 0 01:54 ? 00:00:00 /usr/sbin/httpd.worker -k start -f /etc/dirsrv/admin-serv/httpd.conf
> root 3876 3873 0 01:54 ? 00:00:00 /usr/sbin/httpd.worker -k start -f /etc/dirsrv/admin-serv/httpd.conf
>
> matrix more /etc/redhat-release
> Fedora release 9 (Sulphur)
>
> matrix rpm -qa | egrep fedora-*
> fedora-ds-admin-1.1.5-1.fc9.i386
> ffedora-ds-base-1.1.1-1.fc9.i386
> fedora-ds-admin-console-1.1.1-3.fc9.noarch
> fedora-idm-console-1.1.1-2.fc9.i386
> fedora-ds-1.1.1-3.fc9.i386
> fedora-ds-console-1.1.1-3.fc9.noarch
>
> Any help on resolving the issue would be appreciated.

You need to upgrade to mod_nss-1.0.7-9.fc9

rob

From craig.swanson at midwest-tool.com Wed Jul 23 19:02:34 2008
From: craig.swanson at midwest-tool.com (Craig Swanson)
Date: Wed, 23 Jul 2008 15:02:34 -0400
Subject: [Fedora-directory-users] fedora-idm-console connecting remotely to fedora ds 1.0.4
Message-ID: <4887804A.2000205@midwest-tool.com>

I have installed fedora-idm-console on a fedora 9 workstation. I would like to run the console to connect remotely to a fedora ds 1.0.4 server.

After logging in to the console, the Servers and Applications tab is empty.
Launching fedora-idm-console -D 9 shows that the console is looking for entries under cn=user, cn=DefaultObjectClassesContainer,ou=1.1, ou=admin, ou=Global Preferences, ou=midwest-tool.com, o=NetscapeRoot.

Can the console be configured to point to the existing ou=1.0 entries?

Must I copy the entries under ou=1.0 to ou=1.1 for GlobalPreferences and UserPreferences?

I noted that upon logging in via the console, several ou=1.1 entries were created under ou=midwest-tool.com, o=NetscapeRoot.

Here is the debug output from a fedora-idm-console session.

Thank you,

Craig Swanson

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: fedora-idm-consoleDebug.txt

From rmeggins at redhat.com Wed Jul 23 19:16:20 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 23 Jul 2008 13:16:20 -0600
Subject: [Fedora-directory-users] fedora-idm-console connecting remotely to fedora ds 1.0.4
In-Reply-To: <4887804A.2000205@midwest-tool.com>
References: <4887804A.2000205@midwest-tool.com>
Message-ID: <48878384.8060305@redhat.com>

Craig Swanson wrote:
> I have installed fedora-idm-console on a fedora 9 workstation. I
> would like to run the console to connect remotely to a fedora ds 1.0.4
> server.
>
> After logging in to the console, The Servers and Applications tab is
> empty.
>
> Launching fedora-idm-console -D 9 shows that the console is looking
> for entries under cn=user, cn=DefaultObjectClassesContainer,ou=1.1,
> ou=admin, ou=Global Preferences, ou=midwest-tool.com, o=NetscapeRoot.
>
> Can the console be configured to point to the existing ou=1.0 entries?
I don't think so. You may also be running into this - https://bugzilla.redhat.com/show_bug.cgi?id=431103

>
> Must I copy the entries under ou=1.0 to ou=1.1 for GlobalPreferences
> and UserPreferences?
The missing ones, yes, if the console does not create them.
> I noted that upon logging in via the console, several ou=1.1 entries
> were created under ou=midwest-tool.com, o=NetscapeRoot.
>
> Here is the debug output from a fedora-idm-console session.
>
> Thank you,
>
> Craig Swanson

From kenoh23 at yahoo.fr Thu Jul 24 14:03:37 2008
From: kenoh23 at yahoo.fr (ken oh)
Date: Thu, 24 Jul 2008 14:03:37 +0000 (GMT)
Subject: [Fedora-directory-users] Problem with the synchronization agreement
Message-ID: <883613.39457.qm@web26004.mail.ukl.yahoo.com>

Hi everybody,

I'm at the Windows Sync Server Info screen, I have completed all the fields. And when I click next, I got the message "Unable to contact Active Directory server, continue ?" using the ssl connection or not.

From each side, I ping and I use a nslookup command to verify if the domain name is correct; and everything is ok.

So I would like to know if someone can help me with what goes wrong, thanks.

This is my Windows Sync Server Info screen, if that can help: http://img291.imageshack.us/img291/4323/sync2ur5.jpg
From rmeggins at redhat.com Thu Jul 24 14:39:59 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 24 Jul 2008 08:39:59 -0600
Subject: [Fedora-directory-users] Problem with the synchronization agreement
In-Reply-To: <883613.39457.qm@web26004.mail.ukl.yahoo.com>
References: <883613.39457.qm@web26004.mail.ukl.yahoo.com>
Message-ID: <4888943F.9010702@redhat.com>

ken oh wrote:
> Hi everybody,
>
> I'm at the Windows Sync Server Info screen, I have completed all the
> fields. And when I click next, I got the message "Unable to contact
> Active Directory server, continue ?" using the ssl connection or not.
>
> From each side, I ping and I use a nslookup command to verify if the
> domain name is correct; and everything is ok.
>
> So I would like to know if someone can help me with what goes wrong,
> thanks.
>
Try using ldapsearch from the command line to bind and search the AD from your linux box:

ldapsearch -x -h anubix -p 389 -D "cn=sync,cn=users,dc=tc-gea,dc=iut,dc=univ-metz,dc=fr" -w password -s base -b "cn=users,dc=tc-gea,dc=iut,dc=univ-metz,dc=fr" "(objectclass=*)"

Try 389 first to see if ldap is working - you'll have to do some additional configuration to get SSL working with ldapsearch.

I'm assuming you've done all of the SSL setup correctly - http://directory.fedoraproject.org/wiki/Howto:WindowsSync and http://directory.fedoraproject.org/wiki/Howto:SSL

>
> This is my Windows Sync Server Info screen, if that can help :
> http://img291.imageshack.us/img291/4323/sync2ur5.jpg
>
From dharmin98 at hotmail.com Thu Jul 24 15:11:59 2008
From: dharmin98 at hotmail.com (Dharmin Mandalia)
Date: Thu, 24 Jul 2008 15:11:59 +0000
Subject: [Fedora-directory-users] TLS Issue

Hi

I've enabled TLS and am getting the error messages below in the /var/log/secure file on Fedora 9, which is my newly configured FDS. If I disable TLS, I am able to ssh onto the FDS server; with TLS enabled I am unable to log in via ssh.

sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable
sshd[5487]: Invalid user test3 from 192.168.1.1
sshd[5488]: input_userauth_request: invalid user test3
sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable
sshd[5487]: pam_unix(sshd:auth): check pass; user unknown
sshd[5487]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1
sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable
sshd[5487]: pam_succeed_if(sshd:auth): error retrieving information about user test3
sshd[5487]: Failed password for invalid user test3 from 192.168.1.1 port 38489 ssh2

The /etc/ldap.conf file on Fedora 9 (FDS server) shows as:

base dc=true,dc=co,dc=uk
timelimit 30
bind_timelimit 30
bind_policy soft
nss_reconnect_tries 2
idle_timelimit 3600
pam_filter objectclass=posixAccount
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.asc
pam_password md5
uri ldap://127.0.0.1/
tls_cacertdir /etc/openldap/cacerts

# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = "ldap://127.0.0.1/"
 LDAP base DN = "dc=true,dc=co,dc=uk"
pam_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = "ldap://127.0.0.1/"
 LDAP base DN = "dc=true,dc=co,dc=uk"
pam_cracklib is enabled (try_first_pass retry=3)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir is disabled ()
Always authorize local users is disabled ()
Authenticate system accounts against network services is disabled

Please advise on how to resolve this, so I am able to ssh onto the FDS server running TLS. I've already run setupssl2.sh script from

Thanks in advance..

Regards
Dharmin

From nalin at redhat.com Thu Jul 24 15:26:46 2008
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Thu, 24 Jul 2008 11:26:46 -0400
Subject: [Fedora-directory-users] TLS Issue
Message-ID: <20080724152646.GB10879@redhat.com>

On Thu, Jul 24, 2008 at 03:11:59PM +0000, Dharmin Mandalia wrote:
> I've enabled TLS and am getting below error msg's in /var/log/secure file on Fedora 9, which is my newly configured FDS , if disable TLS , am able to ssh onto the FDS server and with TLS enabled unable to login via ssh.
[snip]
> sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable
[snip]
> /etc/ldap.conf file on Fedora 9, (FDS server ) shows as :-
[snip]
> ssl start_tls
> tls_checkpeer yes
> tls_cacertfile /etc/openldap/cacerts/cacert.asc
> pam_password md5
> uri ldap://127.0.0.1/
> tls_cacertdir /etc/openldap/cacerts

If you're using SSL or TLS, the LDAP client library is going to compare the names in the certificate that the server uses against the value that was given in the client's configuration (in this case "127.0.0.1"), and it looks like they're not matching up here.
Typically the certificate uses an actual hostname as a "CN" value in its subject, so you'd need to specify the server URI using a hostname rather than an IP address to make sure that they match.

If that's not what's going on here, please post a copy of the certificate that the server's using so that we can have a look.

HTH,

Nalin

From dharmin98 at hotmail.com Thu Jul 24 15:33:24 2008
From: dharmin98 at hotmail.com (Dharmin Mandalia)
Date: Thu, 24 Jul 2008 15:33:24 +0000
Subject: [Fedora-directory-users] TLS Issue
In-Reply-To: <20080724152646.GB10879@redhat.com>
References: <20080724152646.GB10879@redhat.com>

Hello Nalin

Many Thanks... replaced with FQDN instead of 127.0.0.1 and works fine.

Thanks for a quick reply.

Regards
Dharmin

----------------------------------------
> Date: Thu, 24 Jul 2008 11:26:46 -0400
> From: nalin at redhat.com
> To: dharmin98 at hotmail.com
> CC: fedora-directory-users at redhat.com
> Subject: Re: [Fedora-directory-users] TLS Issue
>
> On Thu, Jul 24, 2008 at 03:11:59PM +0000, Dharmin Mandalia wrote:
>> I've enabled TLS and am getting below error msg's in /var/log/secure file on Fedora 9, which is my newly configured FDS , if disable TLS , am able to ssh onto the FDS server and with TLS enabled unable to login via ssh.
> [snip]
>> sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable
> [snip]
>> /etc/ldap.conf file on Fedora 9, (FDS server ) shows as :-
> [snip]
>> ssl start_tls
>> tls_checkpeer yes
>> tls_cacertfile /etc/openldap/cacerts/cacert.asc
>> pam_password md5
>> uri ldap://127.0.0.1/
>> tls_cacertdir /etc/openldap/cacerts
>
> If you're using SSL or TLS, the LDAP client library is going to compare
> the names in the certificate that the server uses against the value that
> was given in the client's configuration (in this case "127.0.0.1"), and
> it looks like they're not matching up here.
>
> Typically the certificate uses an actual hostname as a "CN" value in its
> subject, so you'd need to specify the server URI using a hostname rather
> than an IP address to make sure that they match.
>
> If that's not what's going on here, please post a copy of the
> certificate that the server's using so that we can have a look.
>
> HTH,
>
> Nalin

From dharmin98 at hotmail.com Thu Jul 24 15:59:44 2008
From: dharmin98 at hotmail.com (Dharmin Mandalia)
Date: Thu, 24 Jul 2008 15:59:44 +0000
Subject: [Fedora-directory-users] TLS Issue
In-Reply-To: <20080724152646.GB10879@redhat.com>
References: <20080724152646.GB10879@redhat.com>

Hello Nalin and all

I just added "ssl on" to the /etc/ldap.conf file below and get the error messages below in the /var/log/secure file:

sshd[6212]: pam_unix(sshd:session): session closed for user test1
sshd[6248]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1 user=test1
sshd[6248]: Accepted password for test1 from 192.168.1.1 port 47171 ssh2
sshd[6248]: pam_unix(sshd:session): session opened for user test1 by (uid=0)
sshd[6248]: pam_unix(sshd:session): session closed for user test1
sshd[6284]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1 user=test1
sshd[6284]: pam_ldap: ldap_simple_bind Can't contact LDAP server
shd[6284]: pam_ldap: reconnecting to LDAP server...
sshd[6284]: pam_ldap: ldap_simple_bind Can't contact LDAP server
sshd[6284]: Failed password for test1 from 192.168.1.1 port 47172 ssh2

With "ssl on" in ldap.conf, I am unable to log in via ssh.

Any helpers please...
regards
Dharmin

----------------------------------------
> Date: Thu, 24 Jul 2008 11:26:46 -0400
> From: nalin at redhat.com
> To: dharmin98 at hotmail.com
> CC: fedora-directory-users at redhat.com
> Subject: Re: [Fedora-directory-users] TLS Issue
>
> On Thu, Jul 24, 2008 at 03:11:59PM +0000, Dharmin Mandalia wrote:
>> I've enabled TLS and am getting below error msg's in /var/log/secure file on Fedora 9, which is my newly configured FDS , if disable TLS , am able to ssh onto the FDS server and with TLS enabled unable to login via ssh.
> [snip]
>> sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable
> [snip]
>> /etc/ldap.conf file on Fedora 9, (FDS server ) shows as :-
> [snip]
>> ssl start_tls
>> tls_checkpeer yes
>> tls_cacertfile /etc/openldap/cacerts/cacert.asc
>> pam_password md5
>> uri ldap://127.0.0.1/
>> tls_cacertdir /etc/openldap/cacerts
>
> If you're using SSL or TLS, the LDAP client library is going to compare
> the names in the certificate that the server uses against the value that
> was given in the client's configuration (in this case "127.0.0.1"), and
> it looks like they're not matching up here.
>
> Typically the certificate uses an actual hostname as a "CN" value in its
> subject, so you'd need to specify the server URI using a hostname rather
> than an IP address to make sure that they match.
>
> If that's not what's going on here, please post a copy of the
> certificate that the server's using so that we can have a look.
>
> HTH,
>
> Nalin
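The name check Nalin describes (the client compares the host in `uri` against the names in the server certificate, so `ldap://127.0.0.1/` cannot match a certificate issued to a hostname) and the `ssl on` setting from the follow-up message, as an added worked example. This is not code from the thread or from nss_ldap/pam_ldap; the `ldap.conf` fragment is modelled on the one posted above, and the certificate names (`fds.example.com`) and the `check_ldap_conf` helper are constructed for the example. In nss_ldap, `ssl on` means LDAP over SSL, which needs an `ldaps://` URI (port 636), while `ssl start_tls` negotiates TLS on the plain port 389; the checker flags the mismatched combination.

```python
"""Hostname verification and transport check for an nss_ldap-style ldap.conf.

Added example: models the client-side certificate name check described in the
thread. The ldap.conf text and the certificate names are constructed inputs.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed ldap.conf fragment, modelled on the one posted in the thread.
LDAP_CONF_IP = """\
base dc=true,dc=co,dc=uk
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.asc
uri ldap://127.0.0.1/
"""

# Constructed names from a hypothetical server certificate: subject CN plus
# subjectAltName entries. A real FDS server cert typically carries the FQDN.
SERVER_CERT_NAMES = {
    "cn": "fds.example.com",       # hypothetical subject CN
    "dns": ["fds.example.com"],    # hypothetical SAN dNSName entries
    "ip": [],                      # no iPAddress SAN entries
}


def parse_ldap_conf(text):
    """Return {key: value} for the non-comment lines of an ldap.conf."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def effective_transport(conf):
    """Return (mode, host, port) the client will actually use.

    `ssl start_tls` upgrades a plain-port (389) connection to TLS; `ssl on`
    is LDAP over SSL and needs an ldaps:// URI, whose default port is 636.
    """
    parts = urlsplit(conf.get("uri", "ldap://localhost/"))
    ssl_mode = conf.get("ssl", "no").lower()
    if parts.scheme == "ldaps":
        return "ldaps", parts.hostname, parts.port or 636
    if ssl_mode == "on":
        # SSL requested, but the URI still names the plaintext scheme/port.
        return "ssl-on-plain-uri", parts.hostname, parts.port or 389
    if ssl_mode == "start_tls":
        return "starttls", parts.hostname, parts.port or 389
    return "plain", parts.hostname, parts.port or 389


def _dns_match(pattern, host):
    """RFC 6125-style match: exact, or one wildcard as the leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert_names, host):
    """True if `host` is covered by the certificate's names.

    An IP literal only matches an iPAddress SAN, never the CN; a DNS name
    matches SAN dNSName entries, falling back to the CN when no SAN exists.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip == ipaddress.ip_address(i) for i in cert_names["ip"])
    if cert_names["dns"]:
        return any(_dns_match(d, host) for d in cert_names["dns"])
    return _dns_match(cert_names["cn"], host)


def check_ldap_conf(text, cert_names=SERVER_CERT_NAMES):
    """Return (mode, host, ok, reason) for a config against the server cert."""
    conf = parse_ldap_conf(text)
    mode, host, port = effective_transport(conf)
    if mode == "ssl-on-plain-uri":
        return mode, host, False, "ssl on needs an ldaps:// URI; port %d is plain LDAP" % port
    if mode == "plain":
        return mode, host, False, "no TLS configured; binds would cross the wire in clear"
    # Assumes the checking behaviour when tls_checkpeer is absent.
    if conf.get("tls_checkpeer", "yes").lower() != "yes":
        return mode, host, False, "tls_checkpeer disabled; certificate names are never checked"
    if not hostname_matches(cert_names, host):
        return mode, host, False, "certificate names do not cover %r" % host
    return mode, host, True, "ok"


if __name__ == "__main__":
    print(check_ldap_conf(LDAP_CONF_IP))
    print(check_ldap_conf(LDAP_CONF_IP.replace("127.0.0.1", "fds.example.com")))
```

Run as-is, the first call reports the failure from the thread (the certificate names do not cover `127.0.0.1`); the second, with the FQDN in `uri`, passes. Swapping `ssl start_tls` for `ssl on` without changing the URI to `ldaps://` is reported as a transport mismatch rather than a name mismatch.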
From niranjan.ashok at gmail.com Thu Jul 24 16:15:43 2008
From: niranjan.ashok at gmail.com (mallapadi niranjan)
Date: Thu, 24 Jul 2008 21:45:43 +0530
Subject: [Fedora-directory-users] TLS Issue
References: <20080724152646.GB10879@redhat.com>
Message-ID: <73e979680807240915j1a7709fape55ef6f5641c04d0@mail.gmail.com>

Hi,

Can you check what happens if you specify ssl start_tls instead of "ssl on"?

Regards
Niranjan

On Thu, Jul 24, 2008 at 9:29 PM, Dharmin Mandalia wrote:
>
> Hello Nalin and all
>
> I just added "ssl on" to below /etc/ldap.conf file and get below error
> msg in var/log/secure file :-
>
> sshd[6212]: pam_unix(sshd:session): session closed for user test1
> sshd[6248]: pam_unix(sshd:auth): authentication failure; logname= uid=0
> euid=0 tty=ssh ruser= rhost=192.168.1.1 user=test1
> sshd[6248]: Accepted password for test1 from 192.168.1.1 port 47171 ssh2
> sshd[6248]: pam_unix(sshd:session): session opened for user test1 by
> (uid=0)
> sshd[6248]: pam_unix(sshd:session): session closed for user test1
> sshd[6284]: pam_unix(sshd:auth): authentication failure; logname= uid=0
> euid=0 tty=ssh ruser= rhost=192.168.1.1 user=test1
> sshd[6284]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> shd[6284]: pam_ldap: reconnecting to LDAP server...
> sshd[6284]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> sshd[6284]: Failed password for test1 from 192.168.1.1 port 47172 ssh2
>
> With "ssl on" in ldap.conf, am unable to login via ssh
>
> any helpers please...
>
> regards
> Dharmin
>
>
>
> ----------------------------------------
> > Date: Thu, 24 Jul 2008 11:26:46 -0400
> > From: nalin at redhat.com
> > To: dharmin98 at hotmail.com
> > CC: fedora-directory-users at redhat.com
> > Subject: Re: [Fedora-directory-users] TLS Issue
> >
> > On Thu, Jul 24, 2008 at 03:11:59PM +0000, Dharmin Mandalia wrote:
> >> I've enabled TLS and am getting below error msg's in /var/log/secure
> file on Fedora 9, which is my newly configured FDS , if disable TLS , am
> able to ssh onto the FDS server and with TLS enabled unable to login via
> ssh.
> > [snip]
> >> sshd[5487]: nss_ldap: could not search LDAP server - Server is
> unavailable
> > [snip]
> >> /etc/ldap.conf file on Fedora 9, (FDS server ) shows as :-
> > [snip]
> >> ssl start_tls
> >> tls_checkpeer yes
> >> tls_cacertfile /etc/openldap/cacerts/cacert.asc
> >> pam_password md5
> >> uri ldap://127.0.0.1/
> >> tls_cacertdir /etc/openldap/cacerts
> >
> > If you're using SSL or TLS, the LDAP client library is going to compare
> > the names in the certificate that the server uses against the value that
> > was given in the client's configuration (in this case "127.0.0.1"), and
> > it looks like they're not matching up here.
> >
> > Typically the certificate uses an actual hostname as a "CN" value in its
> > subject, so you'd need to specify the server URI using a hostname rather
> > than an IP address to make sure that they match.
> >
> > If that's not what's going on here, please post a copy of the
> > certificate that the server's using so that we can have a look.
> >
> > HTH,
> >
> > Nalin
>
From maspsr at sdu.dk Fri Jul 25 07:40:17 2008
From: maspsr at sdu.dk (Peter Sørensen)
Date: Fri, 25 Jul 2008 09:40:17 +0200
Subject: [Fedora-directory-users] Install on RHES5 fails
Message-ID: <340ED4EF3E64A64E89F5AEBF0E0EA47602F1896B@ADM-EXCH0A.adm.c.sdu.dk>

Hi,

I have just joined this list to try and solve an install problem.

The reason to try the fedora directory server is that I have to make some synchronisation against our Active Directory so users get created/deleted according to this. But at the same time I need additional attributes on each user. I only have read access to AD.

To the problem:

I'm running RHES 5 on 64 bit. I followed the install requirements in here: http://directory.fedoraproject.org/wiki/Download

Everything works until:

---------------------------------------BELOW OUTPUT FROM INSTALL----------------------------
# yum install fedora-ds
Loading "security" plugin
Loading "rhnplugin" plugin
rhel-x86_64-server-5 100% |=========================| 1.4 kB 00:00
dirsrv-noarch 100% |=========================| 951 B 00:00
idmcommon 100% |=========================| 951 B 00:00
idmcommon-noarch 100% |=========================| 951 B 00:00
dirsrv 100% |=========================| 951 B 00:00
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package fedora-ds.x86_64 0:1.1.0-3.fc6 set to be updated
--> Processing Dependency: fedora-idm-console for package: fedora-ds
--> Processing Dependency: fedora-admin-console for package: fedora-ds
--> Processing Dependency: fedora-ds-admin for package: fedora-ds
--> Processing Dependency:
idm-console-framework for package: fedora-ds
--> Processing Dependency: fedora-ds-console for package: fedora-ds
--> Processing Dependency: fedora-ds-base for package: fedora-ds
--> Running transaction check
---> Package fedora-ds-admin.x86_64 0:1.1.2-2.fc6 set to be updated
--> Processing Dependency: mod_nss for package: fedora-ds-admin
---> Package fedora-ds-console.noarch 0:1.1.1-2.fc6 set to be updated
---> Package fedora-ds-base.x86_64 0:1.1.1-1.fc6 set to be updated
--> Processing Dependency: mozldap-tools for package: fedora-ds-base
--> Processing Dependency: cyrus-sasl-gssapi for package: fedora-ds-base
--> Processing Dependency: cyrus-sasl-md5 for package: fedora-ds-base
---> Package fedora-admin-console.noarch 0:1.1.0-4.fc6 set to be updated
---> Package idm-console-framework.noarch 0:1.1.1-2.fc6 set to be updated
--> Processing Dependency: ldapjdk for package: idm-console-framework
---> Package fedora-idm-console.x86_64 0:1.1.1-1.fc6 set to be updated
--> Running transaction check
---> Package ldapjdk.x86_64 0:4.18-2jpp.3.el5 set to be updated
---> Package mozldap-tools.x86_64 0:6.0.5-1.el5 set to be updated
---> Package cyrus-sasl-gssapi.x86_64 0:2.1.22-4 set to be updated
---> Package cyrus-sasl-md5.x86_64 0:2.1.22-4 set to be updated
---> Package mod_nss.x86_64 0:1.0.3-4.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================
 Package                Arch    Version          Repository            Size
=============================================================================
Installing:
 fedora-ds              x86_64  1.1.0-3.fc6      dirsrv                3.1 k
Installing for dependencies:
 cyrus-sasl-gssapi      x86_64  2.1.22-4         rhel-x86_64-server-5   29 k
 cyrus-sasl-md5         x86_64  2.1.22-4         rhel-x86_64-server-5   46 k
 fedora-admin-console   noarch  1.1.0-4.fc6      dirsrv-noarch         229 k
 fedora-ds-admin        x86_64  1.1.2-2.fc6      dirsrv                362 k
 fedora-ds-base         x86_64  1.1.1-1.fc6      dirsrv                1.6 M
 fedora-ds-console      noarch  1.1.1-2.fc6      dirsrv-noarch         1.3 M
 fedora-idm-console     x86_64  1.1.1-1.fc6      idmcommon              48 k
 idm-console-framework  noarch  1.1.1-2.fc6      idmcommon-noarch      1.0 M
 ldapjdk                x86_64  4.18-2jpp.3.el5  rhel-x86_64-server-5  907 k
 mod_nss                x86_64  1.0.3-4.el5      rhel-x86_64-server-5   81 k
 mozldap-tools          x86_64  6.0.5-1.el5      rhel-x86_64-server-5  146 k

Transaction Summary
=============================================================================
Install     12 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 5.8 M
Is this ok [y/N]: y
Downloading Packages:
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID a7b02652

Public key for fedora-ds-base-1.1.1-1.fc6.x86_64.rpm is not installed

------------------------------------------END OUTPUT--------------------------------------

I have tried to install the key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA7B0265

but this fails when using rpm --import with

error: mykeyfile: import read failed(0)

What am I missing?

Regards

Peter Sorensen/University of Southern Denmark/mail: maspsr at sdu.dk

From dharmin98 at hotmail.com Fri Jul 25 08:02:58 2008
From: dharmin98 at hotmail.com (Dharmin Mandalia)
Date: Fri, 25 Jul 2008 08:02:58 +0000
Subject: [Fedora-directory-users] TLS Issue
Message-ID:

Hello

commented out "ssl start_tls" and added "ssl on" , in ldap.conf file get below errors in /var/log/secure file :-

Jul 24 15:55:40 matrix sshd[2480]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=matrix.trues.co.uk user=test1
Jul 24 15:55:40 matrix sshd[2480]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jul 24 15:55:40 matrix sshd[2480]: pam_ldap: reconnecting to LDAP server...
Jul 24 15:55:40 matrix sshd[2480]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jul 24 15:55:42 matrix sshd[2480]: Failed password for test1 from 192.168.1.129 port 59436 ssh2

where the server matrix is FDS what I did was from FDS "ssh matrix.trues.co.uk -l test1" where test1 users exists in ldap dir

Regards
Dharmin

Hi,

Can you check What happens if you specify

ssl start_tls

instead of "ssl on"

Regards
Niranjan

On Thu, Jul 24, 2008 at 9:29 PM, Dharmin Mandalia wrote:
>
> Hello Nalin and all
>
> I just added "ssl on" to below /etc/ldap.conf file and get below error
> msg in var/log/secure file :-
>
>
> sshd[6212]: pam_unix(sshd:session): session closed for user test1
> sshd[6248]: pam_unix(sshd:auth): authentication failure; logname= uid=0
> euid=0 tty=ssh ruser= rhost=192.168.1.1 user=test1
> sshd[6248]: Accepted password for test1 from 192.168.1.1 port 47171 ssh2
> sshd[6248]: pam_unix(sshd:session): session opened for user test1 by
> (uid=0)
> sshd[6248]: pam_unix(sshd:session): session closed for user test1
> sshd[6284]: pam_unix(sshd:auth): authentication failure; logname= uid=0
> euid=0 tty=ssh ruser= rhost=192.168.1.1 user=test1
> sshd[6284]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> shd[6284]: pam_ldap: reconnecting to LDAP server...
> sshd[6284]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> sshd[6284]: Failed password for test1 from 192.168.1.1 port 47172 ssh2
>
> With "ssl on" in ldap.conf, am unable to login via ssh
>
> any helpers please...
>
> regards
> Dharmin
>
>
>
> ----------------------------------------
>> Date: Thu, 24 Jul 2008 11:26:46 -0400
>> From: [EMAIL PROTECTED]
>> To: [EMAIL PROTECTED]
>> CC: fedora-directory-users at redhat.com
>> Subject: Re: [Fedora-directory-users] TLS Issue
>>
>> On Thu, Jul 24, 2008 at 03:11:59PM +0000, Dharmin Mandalia wrote:
>>> I've enabled TLS and am getting below error msg's in /var/log/secure
> file on Fedora 9, which is my newly configured FDS , if disable TLS , am
> able to ssh onto the FDS server and with TLS enabled unable to login via
> ssh.
>> [snip]
>>> sshd[5487]: nss_ldap: could not search LDAP server - Server is
> unavailable
>> [snip]
>>> /etc/ldap.conf file on Fedora 9, (FDS server ) shows as :-
>> [snip]
>>> ssl start_tls
>>> tls_checkpeer yes
>>> tls_cacertfile /etc/openldap/cacerts/cacert.asc
>>> pam_password md5
>>> uri ldap://127.0.0.1/
>>> tls_cacertdir /etc/openldap/cacerts
>>
>> If you're using SSL or TLS, the LDAP client library is going to compare
>> the names in the certificate that the server uses against the value that
>> was given in the client's configuration (in this case "127.0.0.1"), and
>> it looks like they're not matching up here.
>>
>> Typically the certificate uses an actual hostname as a "CN" value in its
>> subject, so you'd need to specify the server URI using a hostname rather
>> than an IP address to make sure that they match.
>>
>> If that's not what's going on here, please post a copy of the
>> certificate that the server's using so that we can have a look.
>>
>> HTH,
>>
>> Nalin
>
From kenoh23 at yahoo.fr Fri Jul 25 08:36:20 2008
From: kenoh23 at yahoo.fr (ken oh)
Date: Fri, 25 Jul 2008 08:36:20 +0000 (GMT)
Subject: [Fedora-directory-users] Problem with the synchronization agreement
In-Reply-To: <4888943F.9010702@redhat.com>
Message-ID: <79288.90770.qm@web26004.mail.ukl.yahoo.com>

Thanks for your help

I try your command with the right hostname "anubis" (and not anubix) using the sync and next the admin account in the command line and I get this result for both accounts:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I don't know if this info can help but my ad server is in native mode.

From hicheerup at gmail.com Fri Jul 25 09:22:57 2008
From: hicheerup at gmail.com (lingu)
Date: Fri, 25 Jul 2008 14:52:57 +0530
Subject: [Fedora-directory-users] Problem with the synchronization agreement
In-Reply-To: <79288.90770.qm@web26004.mail.ukl.yahoo.com>
References: <4888943F.9010702@redhat.com> <79288.90770.qm@web26004.mail.ukl.yahoo.com>
Message-ID: <29e045b80807250222p463127aev546e5528c64a5de5@mail.gmail.com>

Hi,

While creating the sync agreement, don't check the Enable SSL option; it will work. Also check that your certificates are proper on both the Windows and Linux directory servers. Make sure the CLOCK is in sync on both Windows and Linux.
Regards,
pradeep

On 7/25/08, ken oh wrote:
> Thanks for your help
>
> I try your command with the right hostname "anubis" (and not anubix) using
> the sync and next the admin account in the command line and I get this
> result for both accounts:
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> I don't know if this info can help but my ad server is in native mode.
>

From rmeggins at redhat.com Fri Jul 25 15:57:52 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 25 Jul 2008 09:57:52 -0600
Subject: [Fedora-directory-users] Install on RHES5 fails
In-Reply-To: <340ED4EF3E64A64E89F5AEBF0E0EA47602F1896B@ADM-EXCH0A.adm.c.sdu.dk>
References: <340ED4EF3E64A64E89F5AEBF0E0EA47602F1896B@ADM-EXCH0A.adm.c.sdu.dk>
Message-ID: <4889F800.2000505@redhat.com>

Peter Sørensen wrote:
> Hi,
>
>
> I have just joined this list to try and solve an install problem.
>
> The reason to try the fedora directory server is that I have to make
> some synchronisation against our Active Directory so users get
> created/deleted according to this. But at the same time I need
> additional attributes on each user. I only have read access to AD.
>
> To the problem:
>
> I'm running RHES 5 on 64 bit.
> I followed the install requirements in
> here: http://directory.fedoraproject.org/wiki/Download
>
> Everything works until:
>
> ---------------------------------------BELOW OUTPUT FROM INSTALL----------------------------
> # yum install fedora-ds
> Loading "security" plugin
> Loading "rhnplugin" plugin
> rhel-x86_64-server-5 100% |=========================| 1.4 kB 00:00
> dirsrv-noarch 100% |=========================| 951 B 00:00
> idmcommon 100% |=========================| 951 B 00:00
> idmcommon-noarch 100% |=========================| 951 B 00:00
> dirsrv 100% |=========================| 951 B 00:00
> Setting up Install Process
> Parsing package install arguments
> Resolving Dependencies
> --> Running transaction check
> ---> Package fedora-ds.x86_64 0:1.1.0-3.fc6 set to be updated
> --> Processing Dependency: fedora-idm-console for package: fedora-ds
> --> Processing Dependency: fedora-admin-console for package: fedora-ds
> --> Processing Dependency: fedora-ds-admin for package: fedora-ds
> --> Processing Dependency: idm-console-framework for package: fedora-ds
> --> Processing Dependency: fedora-ds-console for package: fedora-ds
> --> Processing Dependency: fedora-ds-base for package: fedora-ds
> --> Running transaction check
> ---> Package fedora-ds-admin.x86_64 0:1.1.2-2.fc6 set to be updated
> --> Processing Dependency: mod_nss for package: fedora-ds-admin
> ---> Package fedora-ds-console.noarch 0:1.1.1-2.fc6 set to be updated
> ---> Package fedora-ds-base.x86_64 0:1.1.1-1.fc6 set to be updated
> --> Processing Dependency: mozldap-tools for package: fedora-ds-base
> --> Processing Dependency: cyrus-sasl-gssapi for package: fedora-ds-base
> --> Processing Dependency: cyrus-sasl-md5 for package: fedora-ds-base
> ---> Package fedora-admin-console.noarch 0:1.1.0-4.fc6 set to be updated
> ---> Package idm-console-framework.noarch 0:1.1.1-2.fc6 set to be updated
> --> Processing Dependency: ldapjdk for package: idm-console-framework
> ---> Package
> fedora-idm-console.x86_64 0:1.1.1-1.fc6 set to be updated
> --> Running transaction check
> ---> Package ldapjdk.x86_64 0:4.18-2jpp.3.el5 set to be updated
> ---> Package mozldap-tools.x86_64 0:6.0.5-1.el5 set to be updated
> ---> Package cyrus-sasl-gssapi.x86_64 0:2.1.22-4 set to be updated
> ---> Package cyrus-sasl-md5.x86_64 0:2.1.22-4 set to be updated
> ---> Package mod_nss.x86_64 0:1.0.3-4.el5 set to be updated
> --> Finished Dependency Resolution
>
> Dependencies Resolved
>
> =============================================================================
>  Package                Arch    Version          Repository            Size
> =============================================================================
> Installing:
>  fedora-ds              x86_64  1.1.0-3.fc6      dirsrv                3.1 k
> Installing for dependencies:
>  cyrus-sasl-gssapi      x86_64  2.1.22-4         rhel-x86_64-server-5   29 k
>  cyrus-sasl-md5         x86_64  2.1.22-4         rhel-x86_64-server-5   46 k
>  fedora-admin-console   noarch  1.1.0-4.fc6      dirsrv-noarch         229 k
>  fedora-ds-admin        x86_64  1.1.2-2.fc6      dirsrv                362 k
>  fedora-ds-base         x86_64  1.1.1-1.fc6      dirsrv                1.6 M
>  fedora-ds-console      noarch  1.1.1-2.fc6      dirsrv-noarch         1.3 M
>  fedora-idm-console     x86_64  1.1.1-1.fc6      idmcommon              48 k
>  idm-console-framework  noarch  1.1.1-2.fc6      idmcommon-noarch      1.0 M
>  ldapjdk                x86_64  4.18-2jpp.3.el5  rhel-x86_64-server-5  907 k
>  mod_nss                x86_64  1.0.3-4.el5      rhel-x86_64-server-5   81 k
>  mozldap-tools          x86_64  6.0.5-1.el5      rhel-x86_64-server-5  146 k
>
> Transaction Summary
> =============================================================================
> Install     12 Package(s)
> Update       0 Package(s)
> Remove       0 Package(s)
>
> Total download size: 5.8 M
> Is this ok [y/N]: y
> Downloading Packages:
> warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID a7b02652
>
> Public key for fedora-ds-base-1.1.1-1.fc6.x86_64.rpm is not installed
>
> ------------------------------------------END OUTPUT--------------------------------------
>
> I have tried to install the key:
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA7B0265
>
> but this fails when using rpm --import with
>
> error: mykeyfile: import read failed(0)
>
You have to escape the ? and & from the shell - try this

rpm --import 'http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA7B02652'

I've updated the instructions to reflect this.

>
> What am I missing?
>
>
> Regards
>
>
> Peter Sorensen/University of Southern Denmark/mail: maspsr at sdu.dk
>

From niranjan.ashok at gmail.com Sat Jul 26 06:13:40 2008
From: niranjan.ashok at gmail.com (mallapadi niranjan)
Date: Sat, 26 Jul 2008 11:43:40 +0530
Subject: [Fedora-directory-users] TLS Issue
In-Reply-To:
References:
Message-ID: <73e979680807252313n6fbf7d66jac07eb858721d33c@mail.gmail.com>

On Fri, Jul 25, 2008 at 1:32 PM, Dharmin Mandalia wrote:
>
> Hello
>
> commented out "ssl start_tls" and added "ssl on" , in ldap.conf file get
> below errors in /var/log/secure file :-
>
>
> Jul 24 15:55:40 matrix sshd[2480]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=matrix.trues.co.uk user=test1
> Jul 24 15:55:40 matrix sshd[2480]: pam_ldap: ldap_simple_bind Can't contact
> LDAP server
> Jul 24 15:55:40 matrix sshd[2480]: pam_ldap: reconnecting to LDAP server...
> Jul 24 15:55:40 matrix sshd[2480]: pam_ldap: ldap_simple_bind Can't contact
> LDAP server
> Jul 24 15:55:42 matrix sshd[2480]: Failed password for test1 from
> 192.168.1.129 port 59436 ssh2
>

What do you see in the FDS logs (tail /var/log/dirsrv/slapd-/access)?

Can you check the basic things:

1. Is the Directory server running on port 636 (netstat -tlnp | grep 636)
2.
If you do ldapsearch -x -ZZ -b "your basedn" are you able to search
3. Does getent passwd and getent group enumerate users on the client ?

Regards
Niranjan

>
>
> where the server matrix is FDS what I did was from FDS "ssh
> matrix.trues.co.uk -l test1" where test1 users exists in ldap dir
>
> Regards
> Dharmin
>
>
>
> Hi,
>
> Can you check What happens if you specify
>
> ssl start_tls
>
> instead of "ssl on"
>
> Regards
> Niranjan
>
>
> On Thu, Jul 24, 2008 at 9:29 PM, Dharmin Mandalia
> wrote:
> >
> >
> > Hello Nalin and all
> >
> > I just added "ssl on" to below /etc/ldap.conf file and get below error
> > msg in var/log/secure file :-
> >
> >
> > sshd[6212]: pam_unix(sshd:session): session closed for user test1
> > sshd[6248]: pam_unix(sshd:auth): authentication failure; logname= uid=0
> > euid=0 tty=ssh ruser= rhost=192.168.1.1 user=test1
> > sshd[6248]: Accepted password for test1 from 192.168.1.1 port 47171 ssh2
> > sshd[6248]: pam_unix(sshd:session): session opened for user test1 by
> > (uid=0)
> > sshd[6248]: pam_unix(sshd:session): session closed for user test1
> > sshd[6284]: pam_unix(sshd:auth): authentication failure; logname= uid=0
> > euid=0 tty=ssh ruser= rhost=192.168.1.1 user=test1
> > sshd[6284]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> > shd[6284]: pam_ldap: reconnecting to LDAP server...
> > sshd[6284]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> > sshd[6284]: Failed password for test1 from 192.168.1.1 port 47172 ssh2
> >
> > With "ssl on" in ldap.conf, am unable to login via ssh
> >
> > any helpers please...
> >
> > regards
> > Dharmin
> >
> >
> >
> > ----------------------------------------
> >> Date: Thu, 24 Jul 2008 11:26:46 -0400
> >> From: [EMAIL PROTECTED]
> >> To: [EMAIL PROTECTED]
> >> CC: fedora-directory-users at redhat.com
> >> Subject: Re: [Fedora-directory-users] TLS Issue
> >>
> >> On Thu, Jul 24, 2008 at 03:11:59PM +0000, Dharmin Mandalia wrote:
> >>> I've enabled TLS and am getting below error msg's in /var/log/secure
> > file on Fedora 9, which is my newly configured FDS , if disable TLS , am
> > able to ssh onto the FDS server and with TLS enabled unable to login via
> > ssh.
> >> [snip]
> >>> sshd[5487]: nss_ldap: could not search LDAP server - Server is
> > unavailable
> >> [snip]
> >>> /etc/ldap.conf file on Fedora 9, (FDS server ) shows as :-
> >> [snip]
> >>> ssl start_tls
> >>> tls_checkpeer yes
> >>> tls_cacertfile /etc/openldap/cacerts/cacert.asc
> >>> pam_password md5
> >>> uri ldap://127.0.0.1/
> >>> tls_cacertdir /etc/openldap/cacerts
> >>
> >> If you're using SSL or TLS, the LDAP client library is going to compare
> >> the names in the certificate that the server uses against the value that
> >> was given in the client's configuration (in this case "127.0.0.1"), and
> >> it looks like they're not matching up here.
> >>
> >> Typically the certificate uses an actual hostname as a "CN" value in its
> >> subject, so you'd need to specify the server URI using a hostname rather
> >> than an IP address to make sure that they match.
> >>
> >> If that's not what's going on here, please post a copy of the
> >> certificate that the server's using so that we can have a look.
> >>
> >> HTH,
> >>
> >> Nalin
> >
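The two diagnostic points made in this thread, Nalin's (the client compares the names in the server certificate against the host given in the `uri` line, and `127.0.0.1` will not match a certificate whose CN is a hostname) and Niranjan's (`ssl on` means an LDAPS connection, so port 636 has to be listening), as an added checker that is not from the list or from the Fedora DS project. The ldap.conf text is the one Dharmin posted; the certificate names and the hostname `matrix.trues.co.uk` are assumed, since the thread never posted the server's certificate.

```python
"""Check an nss_ldap/pam_ldap ldap.conf against the server certificate's names.

Added example (not from the mailing list thread). The config text and the
certificate names below are constructed to mirror the thread.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed: the /etc/ldap.conf lines Dharmin posted.
LDAP_CONF = """\
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.asc
pam_password md5
uri ldap://127.0.0.1/
tls_cacertdir /etc/openldap/cacerts
"""

# Assumed: names a server certificate issued for the FDS host might carry.
# The real certificate was never posted in the thread.
CERT_NAMES = {"cn": "matrix.trues.co.uk", "san_dns": [], "san_ip": []}


def parse_ldap_conf(text):
    """Return {key: value} for 'key value' lines; comments and blanks skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def uri_host(uri):
    """Host part of an LDAP URI ('ldap://127.0.0.1/' -> '127.0.0.1')."""
    return (urlsplit(uri).hostname or "").strip("[]")


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, host):
    """RFC 6125-style match: case-insensitive, one wildcard in the left-most label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def cert_matches_host(cert, host):
    """Does the certificate name the host the client was told to connect to?

    An IP literal only matches an iPAddress SAN entry; a hostname matches a
    dNSName SAN or, when the certificate has none, the subject CN (the
    fallback Nalin describes for certificates that carry only a CN).
    """
    if is_ip_literal(host):
        return any(ipaddress.ip_address(host) == ipaddress.ip_address(ip)
                   for ip in cert.get("san_ip", []))
    dns_names = cert.get("san_dns") or [cert.get("cn", "")]
    return any(dns_name_matches(n, host) for n in dns_names if n)


def diagnose(conf_text, cert):
    """Return a list of findings (strings) for the config/certificate pair."""
    conf = parse_ldap_conf(conf_text)
    findings = []
    uri = conf.get("uri", "")
    scheme, host = urlsplit(uri).scheme, uri_host(uri)
    ssl_mode = conf.get("ssl", "no").lower()

    if ssl_mode == "start_tls" and scheme != "ldap":
        findings.append("start_tls needs an ldap:// URI (plain port first, then StartTLS)")
    if ssl_mode == "on" and scheme != "ldaps":
        # Assumed, as in Niranjan's checklist: 'ssl on' means LDAPS on port 636.
        findings.append("ssl on means LDAPS: use ldaps://host/ and make sure 636 is listening")

    if ssl_mode in ("on", "start_tls") and not cert_matches_host(cert, host):
        if is_ip_literal(host):
            why = "URI host %r is an IP literal but the certificate names %r" % (host, cert.get("cn"))
        else:
            why = "certificate does not name URI host %r" % host
        if conf.get("tls_checkpeer", "no").lower() == "yes":
            findings.append("FATAL: " + why + "; tls_checkpeer yes makes the bind fail")
        else:
            findings.append("WARNING: " + why + " (not enforced: tls_checkpeer is not yes)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(LDAP_CONF, CERT_NAMES):
        print(finding)
    fixed = LDAP_CONF.replace("uri ldap://127.0.0.1/", "uri ldap://matrix.trues.co.uk/")
    print("after switching the URI to the hostname:", diagnose(fixed, CERT_NAMES))
```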
From aly.dharshi at telus.net Sat Jul 26 22:20:43 2008
From: aly.dharshi at telus.net (Aly Dharshi)
Date: Sat, 26 Jul 2008 16:20:43 -0600
Subject: [Fedora-directory-users] Wiki Update: PAM HowTo
Message-ID: <488BA33B.9060307@telus.net>

Hello Folks,

I ran into problems this week with getting a RHEL5U2 server to chat with an LDAP server where your uids are less than 500 in LDAP. RHEL assumes that 500 should be the min # for uids. Check out how to solve that in the wiki.

Thanks.

Cheers,

Aly.

--
Aly S.P Dharshi
aly.dharshi at telus.net

Got TELUS TV ? http://www.telus.com/tv or 310-MYTV

From maspsr at sdu.dk Mon Jul 28 05:55:47 2008
From: maspsr at sdu.dk (Peter Sørensen)
Date: Mon, 28 Jul 2008 07:55:47 +0200
Subject: SV: [Fedora-directory-users] Install on RHES5 fails
In-Reply-To: <4889F800.2000505@redhat.com>
References: <340ED4EF3E64A64E89F5AEBF0E0EA47602F1896B@ADM-EXCH0A.adm.c.sdu.dk> <4889F800.2000505@redhat.com>
Message-ID: <340ED4EF3E64A64E89F5AEBF0E0EA47602F18990@ADM-EXCH0A.adm.c.sdu.dk>

Thanks, escaping ? and & solved the problem. I should have given this a thought, but anyway thanks.

Regards

Peter

-----Original message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On behalf of Rich Megginson
Sent: 25 July 2008 17:58
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Install on RHES5 fails

Peter Sørensen wrote:
> Hi,
>
>
> I have just joined this list to try and solve an install problem.
>
> The reason to try the fedora directory server is that I have to make
> some synchronisation against our Active Directory so users get
> created/deleted according to this. But at the same time I need
> additional attributes on each user. I only have read access to AD.
>
> To the problem:
>
> I'm running RHES 5 on 64 bit. I followed the install requirements in
> here: http://directory.fedoraproject.org/wiki/Download
>
> Everything works until:
>
> ---------------------------------------BELOW OUTPUT FROM
> INSTALL----------------------------
> # yum install fedora-ds
> Loading "security" plugin
> Loading "rhnplugin" plugin
> rhel-x86_64-server-5 100% |=========================| 1.4 kB 00:00
> dirsrv-noarch 100% |=========================| 951 B 00:00
> idmcommon 100% |=========================| 951 B 00:00
> idmcommon-noarch 100% |=========================| 951 B 00:00
> dirsrv 100% |=========================| 951 B 00:00
> Setting up Install Process
> Parsing package install arguments
> Resolving Dependencies
> --> Running transaction check
> ---> Package fedora-ds.x86_64 0:1.1.0-3.fc6 set to be updated
> --> Processing Dependency: fedora-idm-console for package: fedora-ds
> --> Processing Dependency: fedora-admin-console for package: fedora-ds
> --> Processing Dependency: fedora-ds-admin for package: fedora-ds
> --> Processing Dependency: idm-console-framework for package: fedora-ds
> --> Processing Dependency: fedora-ds-console for package: fedora-ds
> --> Processing Dependency: fedora-ds-base for package: fedora-ds
> --> Running transaction check
> ---> Package fedora-ds-admin.x86_64 0:1.1.2-2.fc6 set to be updated
> --> Processing Dependency: mod_nss for package: fedora-ds-admin
> ---> Package fedora-ds-console.noarch 0:1.1.1-2.fc6 set to be updated
> ---> Package fedora-ds-base.x86_64 0:1.1.1-1.fc6 set to be updated
> --> Processing Dependency: mozldap-tools for package: fedora-ds-base
> --> Processing Dependency: cyrus-sasl-gssapi for package:
> fedora-ds-base
> --> Processing Dependency: cyrus-sasl-md5 for package: fedora-ds-base
> ---> Package fedora-admin-console.noarch 0:1.1.0-4.fc6 set to be updated
> ---> Package idm-console-framework.noarch 0:1.1.1-2.fc6 set to be updated
> --> Processing Dependency: ldapjdk for package: idm-console-framework
> ---> Package fedora-idm-console.x86_64 0:1.1.1-1.fc6 set to be updated
> --> Running transaction check
> ---> Package ldapjdk.x86_64 0:4.18-2jpp.3.el5 set to be updated
> ---> Package mozldap-tools.x86_64 0:6.0.5-1.el5 set to be updated
> ---> Package cyrus-sasl-gssapi.x86_64 0:2.1.22-4 set to be updated
> ---> Package cyrus-sasl-md5.x86_64 0:2.1.22-4 set to be updated
> ---> Package mod_nss.x86_64 0:1.0.3-4.el5 set to be updated
> --> Finished Dependency Resolution
>
> Dependencies Resolved
>
> =============================================================================
>  Package                Arch    Version          Repository            Size
> =============================================================================
> Installing:
>  fedora-ds              x86_64  1.1.0-3.fc6      dirsrv                3.1 k
> Installing for dependencies:
>  cyrus-sasl-gssapi      x86_64  2.1.22-4         rhel-x86_64-server-5   29 k
>  cyrus-sasl-md5         x86_64  2.1.22-4         rhel-x86_64-server-5   46 k
>  fedora-admin-console   noarch  1.1.0-4.fc6      dirsrv-noarch         229 k
>  fedora-ds-admin        x86_64  1.1.2-2.fc6      dirsrv                362 k
>  fedora-ds-base         x86_64  1.1.1-1.fc6      dirsrv                1.6 M
>  fedora-ds-console      noarch  1.1.1-2.fc6      dirsrv-noarch         1.3 M
>  fedora-idm-console     x86_64  1.1.1-1.fc6      idmcommon              48 k
>  idm-console-framework  noarch  1.1.1-2.fc6      idmcommon-noarch      1.0 M
>  ldapjdk                x86_64  4.18-2jpp.3.el5  rhel-x86_64-server-5  907 k
>  mod_nss                x86_64  1.0.3-4.el5      rhel-x86_64-server-5   81 k
>  mozldap-tools          x86_64  6.0.5-1.el5      rhel-x86_64-server-5  146 k
>
> Transaction Summary
> =============================================================================
> Install     12 Package(s)
> Update       0 Package(s)
> Remove       0 Package(s)
>
> Total download size: 5.8 M
> Is this ok [y/N]: y
> Downloading
> Packages:
> warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID
> a7b02652
>
> Public key for fedora-ds-base-1.1.1-1.fc6.x86_64.rpm is not installed
>
> ------------------------------------------END
> OUTPUT--------------------------------------
>
> I have tried to install the key:
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA7B0265
>
> but this fails when using rpm --import with
>
> error: mykeyfile: import read failed(0)
>
You have to escape the ? and & from the shell - try this

rpm --import 'http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA7B02652'

I've updated the instructions to reflect this.

>
> What am I missing?
>
>
> Regards
>
>
> Peter Sorensen/University of Southern Denmark/mail: maspsr at sdu.dk
>

From cgibbons at tahc.state.tx.us Mon Jul 28 08:54:48 2008
From: cgibbons at tahc.state.tx.us (Carol Gibbons)
Date: Mon, 28 Jul 2008 03:54:48 -0500
Subject: [Fedora-directory-users] Can't start Fedora DS server or connect to Admin Console
Message-ID: <20080728085527.7C1DD55F3CBB@tahc.state.tx.us>

Good morning,

Our Fedora DS server has stopped working. I believe it's v1.0.4. I replaced the non-working fedora-ds with a backup of the directory from last week when it _was_ working.

The /opt/fedora-ds/slapd-servername directory logs (error and access) provide no clues. But, the /fedora-ds/admin-serv/log/ states:

[Mon Jul 28 02:17:34 2008] [warn] Unable to bind as LocalAdmin to populate LocalAdmin tasks into cache.
[Mon Jul 28 02:17:34 2008] [crit] host_ip_init(): PSET failure: Failed to create PSET handle (pset error = ) Configuration Failed
[Mon Jul 28 02:17:35 2008] [warn] Unable to bind as LocalAdmin to populate LocalAdmin tasks into cache.
[Mon Jul 28 02:17:35 2008] [crit] host_ip_init(): PSET failure: Failed to create PSET handle (pset error = ) Configuration Failed

I found one posting on the internet that says permissions could be the issue. http://osdir.com/ml/redhat.fedora.directory.user/2006-03/msg00037.html

I set the files in /opt/fedora-ds/admin-serv/config/ to my admin user for files. But, that hasn't helped.

I tried to do an ldapsearch from /opt/fedora-ds/shared/bin/ and that failed. Error said it couldn't locate the ldap database. I put this in:

ldapsearch [-x] -b o=netscaperoot -D "cn=directory manager" -w password "objectclass=nsAdminConfig" dn

Error: ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Am I making sense at 4AM? Any help would be appreciated. I can't decide if this is a BIND, SSL, permissions, or what have you issue.

Thanks for your help,
Carol

From mac.gp at email.it Mon Jul 28 09:19:15 2008
From: mac.gp at email.it (Mac.gp)
Date: Mon, 28 Jul 2008 11:19:15 +0200
Subject: [Fedora-directory-users] Error performing an internal search
Message-ID: <89ee10e08a1469862f85c8660286e236@193.206.153.208>

Hello everyone.

I'm trying to perform an internal search from a PRE_SEARCH plugin, but I get this error in the logs:

allow_operation: component identity is NULL

I think it has some trouble with the slapi_componentid. I declare it in my plugin with this:

static Slapi_ComponentId * plugin_id = NULL;

Am I doing something wrong? Any suggestion to resolve this?

Thanks to all from now.
From siedler at hrd-asia.com Mon Jul 28 10:30:52 2008
From: siedler at hrd-asia.com (Wolf Siedler)
Date: Mon, 28 Jul 2008 17:30:52 +0700
Subject: [Fedora-directory-users] Can't start Fedora DS server or connect to Admin Console
In-Reply-To: <20080728085527.7C1DD55F3CBB@tahc.state.tx.us>
References: <20080728085527.7C1DD55F3CBB@tahc.state.tx.us>
Message-ID: <488D9FDC.9030303@hrd-asia.com>

Carol:

It is my experience that the admin console will not start if the underlying directory server isn't running.

How do you normally start Fedora-DS? Do you use one of the init script suggestions from the website?

I was using version 1.04 (now upgraded) on RHEL5.2 so probably can't provide much help on other distributions.

Regards,
Wolf

From siedler at hrd-asia.com Mon Jul 28 10:42:32 2008
From: siedler at hrd-asia.com (Wolf Siedler)
Date: Mon, 28 Jul 2008 17:42:32 +0700
Subject: [Fedora-directory-users] Can't start Fedora DS server or connect to Admin Console
In-Reply-To: <20080728085527.7C1DD55F3CBB@tahc.state.tx.us>
References: <20080728085527.7C1DD55F3CBB@tahc.state.tx.us>
Message-ID: <488DA298.1070402@hrd-asia.com>

PS: I trust that you tried this command already:

/opt/fedora-ds/slapd-servername/start-slapd

If typing in a terminal window, there might be some helpful output.

> But, the /fedora-ds/admin-serv/log/ states

As said before, it is my experience that - in case the underlying directory server is not running - that should better be rectified first before taking care of any errors from the admin server.

Good luck!
Wolf

From nalin at redhat.com Mon Jul 28 18:18:48 2008
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Mon, 28 Jul 2008 14:18:48 -0400
Subject: [Fedora-directory-users] Error performing an internal search
In-Reply-To: <89ee10e08a1469862f85c8660286e236@193.206.153.208>
References: <89ee10e08a1469862f85c8660286e236@193.206.153.208>
Message-ID: <20080728181848.GB14624@redhat.com>

On Mon, Jul 28, 2008 at 11:19:15AM +0200, Mac.gp wrote:
> Hello everyone.
> I'm trying to perform an internal search from a PRE_SEARCH plugin, but
> I get this error in the logs:
> allow_operation: component identity is NULL
> I think it has some trouble with the slapi_componentid. I declare it in
> my plugin with this:
> static Slapi_ComponentId * plugin_id = NULL;
> Am I doing something wrong? Any suggestion to resolve this?
> Thanks to all from now.

You need to pass in a valid value -- I'd suggest reading the SLAPI_PLUGIN_IDENTITY value from the Slapi_PBlock which is passed to your module's initialization function, and saving it (along with whatever else you like) for future use as your SLAPI_PLUGIN_PRIVATE value.

The value that SLAPI_PLUGIN_IDENTITY has when your search function is called is the one which was passed in by the module that initiated the search. Your own module will be called (along with others) to satisfy your internal searches, so to avoid recursion, you'll probably want to compare the pointer value that the Slapi_PBlock contains when the function is called to the value for your module, and then return early if they're the same.

HTH,
Nalin

From cgibbons at tahc.state.tx.us Mon Jul 28 18:39:31 2008
From: cgibbons at tahc.state.tx.us (Carol Gibbons)
Date: Mon, 28 Jul 2008 13:39:31 -0500
Subject: [Fedora-directory-users] Re: Can't start Fedora DS server or connect to Admin Console
In-Reply-To: <20080728160009.8FFBC619D88@hormel.redhat.com>
References: <20080728160009.8FFBC619D88@hormel.redhat.com>
Message-ID: <20080728184010.B818B5609068@tahc.state.tx.us>

Thank you, Wolf!

After pulling a listing of all files inside the tar of a previous day's backup that was good/working - I was able to recreate the unique permissions (not root) for directories and files that your ldap user has to own. This is for Fedora DS 1.0.4. And the server and console now start.
I'm listing them in case others get stumped on why neither the Fedora DS server nor the Admin Console will start and the logs don't give enough clues.

Your defined ldap user and group of same name have to own:

/opt/fedora-ds/slapd-mail/ (just the directory level)
/opt/fedora-ds/slapd-mail/config
/opt/fedora-ds/slapd-mail/db/
/opt/fedora-ds/slapd-mail/locks/
/opt/fedora-ds/slapd-mail/confbak/
/opt/fedora-ds/slapd-mail/ldif/
/opt/fedora-ds/slapd-mail/logs/
/opt/fedora-ds/slapd-mail/bak
/opt/fedora-ds/slapd-mail/dsml/
/opt/fedora-ds/alias/
/opt/fedora-ds/bin/slapd/authck/
/opt/fedora-ds/clients/dsgw/context/default.conf
/opt/fedora-ds/admin-serv/config/
/opt/fedora-ds/shared/

From mac.gp at email.it Tue Jul 29 07:25:13 2008
From: mac.gp at email.it (Mac.gp)
Date: Tue, 29 Jul 2008 09:25:13 +0200
Subject: [Fedora-directory-users] Error performing an internal search
Message-ID: <68c97187b42249cdea47ab011643b0c8@193.206.153.208>

> You need to pass in a valid value -- I'd suggest reading the
> SLAPI_PLUGIN_IDENTITY value from the Slapi_PBlock which is passed to
> your module's initialization function, and saving it (along with
> whatever else you like) for future use as your SLAPI_PLUGIN_PRIVATE
> value.
>
> The value that SLAPI_PLUGIN_IDENTITY has when your search function is
> called is the one which was passed in by the module that initiated the
> search. Your own module will be called (along with others) to satisfy
> your internal searches, so to avoid recursion, you'll probably want to
> compare the pointer value that the Slapi_PBlock contains when the
> function is called to the value for your module, and then return early
> if they're the same.
>
> HTH,
>
> Nalin

Thanks so much, it works really good now!
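The pattern Nalin recommends above, as an added example that is not code from this thread or from the server project: the plugin saves the identity handed to it at init time, tags its own internal search with it, and returns early from its PRE_SEARCH hook when the incoming operation carries that same identity. The pblock_t, server_search() and token values are a constructed stand-in for the server so the program compiles without slapi headers; the real calls it models are named in the comments.

```c
/* Constructed model of the identity / recursion-guard pattern. pblock_t
 * and server_search() imitate the server so this compiles without slapi
 * headers. In a real plugin the identity is read in the init function with
 *   slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY, &plugin_id);
 * and passed back through the plugin_identity argument of
 * slapi_search_internal_set_pb() when the plugin issues its own search. */
#include <stdio.h>

#define MAX_DEPTH 8   /* nesting cap so the unguarded run terminates */

/* Stand-in for Slapi_PBlock: only the initiating component's identity
 * (SLAPI_PLUGIN_IDENTITY) is modelled. */
typedef struct {
    const void *identity;
} pblock_t;

struct search_stats {
    int rc;                /* result of the outermost search */
    int hook_calls;        /* times the pre-search hook was invoked */
    int internal_searches; /* internal searches the hook issued */
    int max_depth;         /* deepest search nesting reached */
};

static int depth;
static int guard_enabled;
static struct search_stats stats;

/* Saved at init time; the original post declares it the same way. */
static const void *plugin_id = NULL;

static int server_search(const void *caller_identity);

/* The PRE_SEARCH hook. Every search, including the ones this plugin
 * starts itself, passes through here. */
static int my_presearch(pblock_t *pb)
{
    stats.hook_calls++;
    /* Recursion guard: this search was initiated by us, return early. */
    if (guard_enabled && pb->identity == plugin_id)
        return 0;
    stats.internal_searches++;
    /* Internal search carrying our own identity (never NULL). */
    return server_search(plugin_id);
}

/* Plugin init: the server hands over the identity it assigned; keep it. */
static int my_init(pblock_t *pb)
{
    plugin_id = pb->identity;
    return 0;
}

/* Model of the server: run the pre-search hook with a pblock whose
 * identity names whoever initiated the search. */
static int server_search(const void *caller_identity)
{
    pblock_t pb = { caller_identity };
    int rc;

    if (++depth > MAX_DEPTH) {   /* runaway recursion, abort */
        depth--;
        return -1;
    }
    if (depth > stats.max_depth)
        stats.max_depth = depth;
    rc = my_presearch(&pb);
    depth--;
    return rc;
}

/* One externally initiated search, with or without the guard. */
struct search_stats run_search(int with_guard)
{
    static const char server_token = 's'; /* identity assigned to us */
    static const char client_token = 'c'; /* identity of the caller */
    pblock_t init_pb = { &server_token };

    stats = (struct search_stats){0};
    depth = 0;
    guard_enabled = with_guard;
    my_init(&init_pb);
    stats.rc = server_search(&client_token);
    return stats;
}

int main(void)
{
    struct search_stats s = run_search(1);
    printf("guarded:   rc=%d hooks=%d depth=%d\n", s.rc, s.hook_calls, s.max_depth);
    s = run_search(0);
    printf("unguarded: rc=%d hooks=%d depth=%d\n", s.rc, s.hook_calls, s.max_depth);
    return 0;
}
```

With the guard the hook runs twice (once for the client's search, once for its own) and nesting stops at depth 2; without it every internal search re-enters the hook until the depth cap aborts the operation.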
From maspsr at sdu.dk Tue Jul 29 08:42:36 2008
From: maspsr at sdu.dk (Peter Sørensen)
Date: Tue, 29 Jul 2008 10:42:36 +0200
Subject: [Fedora-directory-users] Sync AD users
Message-ID: <340ED4EF3E64A64E89F5AEBF0E0EA476024DC23F@ADM-EXCH0A.adm.c.sdu.dk>

Hi,

I now have the fedora dirserver up and running on a RHES5 server.

What I want to accomplish is a way to have users replicated from our AD servers. I need this because I want to add attributes concerning mail spam/virus management but still have the basic user attributes from the AD.

I don't know anything about the AD and would like to keep it that way but I need some guidance on what to tell the people maintaining the AD on what to do.

I don't need the password sync but only want a few user attributes like mail, proxyaddresses, cn, dn ... replicated.

This should be a one way replication AD => FDS

I have read the document concerning this but I'm still confused on what I need to do in the AD environment to get this up and running.

Any other docs to read?

Regards

Peter Sorensen/University of Southern Denmark/mail: maspsr at sdu.dk

From howard at cohtech.com Tue Jul 29 08:51:42 2008
From: howard at cohtech.com (Howard Wilkinson)
Date: Tue, 29 Jul 2008 09:51:42 +0100
Subject: [Fedora-directory-users] Recover directory database files when disk fills up!
Message-ID: <488EDA1E.1000005@cohtech.com>

We had the disk with the directory database files fill up overnight, a rogue process :-[

Now the directory server will not start. I get the following reported in the system logs.
Jul 29 09:44:50 bastion ns-slapd: auxpropfunc error invalid parameter supplied
Jul 29 09:44:50 bastion ns-slapd: sql_select option missing
Jul 29 09:44:50 bastion ns-slapd: auxpropfunc error no mechanism available

What can I do to recover the database so that I can start the server?

From rmeggins at redhat.com Tue Jul 29 14:47:58 2008
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 29 Jul 2008 07:47:58 -0700
Subject: [Fedora-directory-users] Recover directory database files when disk fills up!
In-Reply-To: <488EDA1E.1000005@cohtech.com>
References: <488EDA1E.1000005@cohtech.com>
Message-ID: <488F2D9E.1000805@redhat.com>

Howard Wilkinson wrote:
> We had the disk with the directory database files fill up overnight, a
> rogue process :-[
>
> Now the directory server will not start. I get the following reported
> in the system logs.
>
> Jul 29 09:44:50 bastion ns-slapd: auxpropfunc error invalid
> parameter supplied
> Jul 29 09:44:50 bastion ns-slapd: sql_select option missing
> Jul 29 09:44:50 bastion ns-slapd: auxpropfunc error no mechanism
> available
>
These are messages from sasl. I believe you can ignore them, I don't think they have anything to do with the problem.
>
> What can I do to recover the database so that I can start the server?

What messages do you get in the directory server error log?
>
-------------- next part --------------
A non-text attachment was scrubbed...
From kenneho.ndu at gmail.com Wed Jul 30 06:13:50 2008
From: kenneho.ndu at gmail.com (Kenneth Holter)
Date: Wed, 30 Jul 2008 08:13:50 +0200
Subject: [Fedora-directory-users] Sync AD users
In-Reply-To: <340ED4EF3E64A64E89F5AEBF0E0EA476024DC23F@ADM-EXCH0A.adm.c.sdu.dk>
References: <340ED4EF3E64A64E89F5AEBF0E0EA476024DC23F@ADM-EXCH0A.adm.c.sdu.dk>
Message-ID:

Hi Peter.

We're also trying to set up one-way sync from AD to FDS:
http://www.redhat.com/archives/fedora-directory-users/2008-May/msg00117.html

I haven't been working on this for a while, but as far as I can remember this is not a supported feature in FDS. One thus needs to find a workaround. When we get the time to figure this thing out I'll report back to the list. Please let us know if you find a solution.

Regards,
Kenneth Holter

On 7/29/08, Peter Sørensen wrote:
>
> Hi,
>
> I now have the fedora dirserver up and running on a RHES5 server.
>
> What I want to accomplish is a way to have users replicated from our
> AD servers. I need this because I want to add attributes concerning
> mail spam/virus management but still have the basic user attributes
> from the AD.
>
> I don't know anything about the AD and would like to keep it that way
> but I need some guidance on what to tell the people maintaining the AD
> on what to do.
>
> I don't need the password sync but only want a few user attributes like
> mail, proxyaddresses, cn, dn ... replicated.
>
> This should be a one way replication AD => FDS
>
> I have read the document concerning this but I'm still confused on what I
> need to do in the AD environment to get this up and running.
>
> Any other docs to read?
>
> Regards
>
> Peter Sorensen/University of Southern Denmark/mail: maspsr at sdu.dk
>

From maspsr at sdu.dk Wed Jul 30 06:26:54 2008
From: maspsr at sdu.dk (Peter Sørensen)
Date: Wed, 30 Jul 2008 08:26:54 +0200
Subject: SV: [Fedora-directory-users] Sync AD users
In-Reply-To:
References: <340ED4EF3E64A64E89F5AEBF0E0EA476024DC23F@ADM-EXCH0A.adm.c.sdu.dk>
Message-ID: <340ED4EF3E64A64E89F5AEBF0E0EA47602F18A39@ADM-EXCH0A.adm.c.sdu.dk>

Thanks Kenneth for responding. I will keep you informed if I find a solution to the problem.

Regards

Peter

________________________________
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On behalf of Kenneth Holter
Sent: 30 July 2008 08:14
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Sync AD users

Hi Peter.

We're also trying to set up one-way sync from AD to FDS:
http://www.redhat.com/archives/fedora-directory-users/2008-May/msg00117.html

I haven't been working on this for a while, but as far as I can remember this is not a supported feature in FDS. One thus needs to find a workaround. When we get the time to figure this thing out I'll report back to the list. Please let us know if you find a solution.

Regards,
Kenneth Holter

On 7/29/08, Peter Sørensen wrote:

Hi,

I now have the fedora dirserver up and running on a RHES5 server.

What I want to accomplish is a way to have users replicated from our AD servers. I need this because I want to add attributes concerning mail spam/virus management but still have the basic user attributes from the AD.
I don't know anything about the AD and would like to keep it that way but I need some guidance on what to tell the people maintaining the AD on what to do.

I don't need the password sync but only want a few user attributes like mail, proxyaddresses, cn, dn ... replicated.

This should be a one way replication AD => FDS

I have read the document concerning this but I'm still confused on what I need to do in the AD environment to get this up and running.

Any other docs to read?

Regards

Peter Sorensen/University of Southern Denmark/mail: maspsr at sdu.dk

From danny at keyop.co.uk Wed Jul 30 15:17:53 2008
From: danny at keyop.co.uk (Danny Smith)
Date: Wed, 30 Jul 2008 16:17:53 +0100
Subject: FDS 1.1.1 RPM release dates [was [Fedora-directory-users] Announcing Fedora Directory Server version 1.1.1]
In-Reply-To: <484E9F11.6080701@redhat.com>
References: <484E9F11.6080701@redhat.com>
Message-ID: <48908621.3010902@keyop.co.uk>

Rich,

We're about to start testing an implementation of FDS-1.1.1, but we have a query about packaging dates:

The update RPMs available for Fedora 8 (which we plan to use) seem to have build dates prior to this release announcement. Is this to be expected, e.g. did the F8 RPMs get built prior to release but with the release code?

We just want to make sure we're using the best possible code here.

Many TIA,

Danny

Rich Megginson wrote:
> We are pleased to announce the release of Fedora Directory Server
> 1.1.1. This release is primarily a bug fix release, but does contain
> some new features, mostly to support freeIPA.
>
> Binary packages are available for Fedora 7, 8, 9, and rawhide. NOTE:
> Fedora 6/RHEL5 binaries are not yet available. They will be shortly.
>
> How to upgrade:
>
> yum upgrade fedora-ds-base
>
> No further setup should be required. This should restart the server -
> if not, a manual restart (service dirsrv restart) is required for the
> new code to take effect.
>
> * Release Notes - http://directory.fedoraproject.org/wiki/Release_Notes
> ------------------------------------------------------------------------
>

From rmeggins at redhat.com Wed Jul 30 15:44:24 2008
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 30 Jul 2008 08:44:24 -0700
Subject: FDS 1.1.1 RPM release dates [was [Fedora-directory-users] Announcing Fedora Directory Server version 1.1.1]
In-Reply-To: <48908621.3010902@keyop.co.uk>
References: <484E9F11.6080701@redhat.com> <48908621.3010902@keyop.co.uk>
Message-ID: <48908C58.2040102@redhat.com>

Danny Smith wrote:
> Rich,
>
> We're about to start testing an implementation of FDS-1.1.1, but we
> have a query about packaging dates:
>
> The update RPMs available for Fedora 8 (which we plan to use) seem to
> have build dates prior to this release announcement. Is this to be
> expected, e.g. did the F8 RPMs get built prior to release but with the
> release code?

Yes. There is some delay between the time the code is tagged in CVS, the source tarballs are built, the source rpms are built, the rpms are built in koji (the Fedora build system), and the rpms are pushed out to all of the fedora mirrors (via bodhi).

> We just want to make sure we're using the best possible code here.

The source from http://directory.fedoraproject.org/wiki/Source should be the same as the source tarball in the source rpm.
>
> Many TIA,
>
> Danny
>
> Rich Megginson wrote:
>> We are pleased to announce the release of Fedora Directory Server
>> 1.1.1.
>> This release is primarily a bug fix release, but does contain
>> some new features, mostly to support freeIPA.
>>
>> Binary packages are available for Fedora 7, 8, 9, and rawhide.
>> NOTE: Fedora 6/RHEL5 binaries are not yet available. They will be
>> shortly.
>>
>> How to upgrade:
>>
>> yum upgrade fedora-ds-base
>>
>> No further setup should be required. This should restart the server
>> - if not, a manual restart (service dirsrv restart) is required for
>> the new code to take effect.
>>
>> * Release Notes - http://directory.fedoraproject.org/wiki/Release_Notes
>> ------------------------------------------------------------------------
>>
>

From math.de.groot at logica.com Thu Jul 31 09:18:39 2008
From: math.de.groot at logica.com (Groot, Mathijs de (IDT Competence Java))
Date: Thu, 31 Jul 2008 11:18:39 +0200
Subject: [Fedora-directory-users] Unable to SSL with Windows Sync Agreement
Message-ID: <72965855C48009408D297A78108567160714E621@nl-ex008.groupinfra.com>

Hello everyone,

I can use some help with setting up the Windows Sync. I'll give some context first: I'm trying to sync users, groups and passwords from a Windows 2003 server with Active Directory with a Red Hat Enterprise 5, Red Hat Directory Server 8.0. It is a test environment where I can access and configure the servers easily. But I've got some problems setting up a new Windows Sync Agreement.
It comes down to the following: I can't get an SSL connection with a new Windows Sync Agreement, from the Red Hat DS to the Windows AD server.

In the Windows Sync Server Info screen I get the following message when clicking on next: "unable to contact Active Directory server, continue"

(Windows Sync Server Info screen located in the Directory Server Console -> Configuration tab -> Replication -> userRoot -> highlight the database -> Object -> New Windows Sync Agreement -> The second screen reads Windows Sync Server Info)

But when I uncheck the checkbox "Using encrypted SSL connection" the connection works and the Windows AD server is reached. So this shows (and I've tested) that the Windows server and domain are reachable, the Bind DN is valid, and the entered values are correct.

The SSL connection seems to be set up correctly; the checks (ldapsearch query) described by the fedora manual output the correct result. Following:

" http://directory.fedoraproject.org/wiki/Howto:WindowsSync
Testing your Configuration
Test to make sure you can talk SSL from Fedora Directory to AD
This is how you test to verify that the Windows side SSL is enabled properly:
ldapsearch -Z -P -h -p -D "" -w < sync manager password> -s -b "" "" "

My ldapsearch query:

/usr/lib64/mozldap/ldapsearch -Z -P /etc/dirsrv/slapd-/cert8.db -h compute.domain.com -p 636 -D "CN=Administrator,CN=Users,DC=domain,DC=com" -w -s base -b "dc=domain,dc=com" "objectclass=top"

But strangely enough there is no network traffic at all when the SSL connection is checked! (when clicking on next and the message "unable to contact Active Directory server, continue" appears)

I've done the following actions to monitor it:

First I've disabled SELinux, in case that blocks something (just for testing).
Watch the tcp ip traffic with:

tcpdump -nn -p port not ssh and ip host

Here I can see that, when I don't use the SSL connection, there is traffic towards my Windows AD, but when I've checked the SSL option, there is no traffic at all, nothing.

As well, when I look at the iptables (added an extra line):

iptables -I OUTPUT 1 -d -j ACCEPT
watch -d iptables -L -nv

I see the same result: traffic when I don't use the SSL option and no traffic at all when the SSL option is checked.

How can I get the message "unable to contact Active Directory server, continue" when there is no outgoing request from my Red Hat server?

I've made certificates at both sides (Windows and Red Hat) and exported and imported these certificates to the other server.

Please advise on the following steps I can take, what the problem can be and how it is possible that there is no traffic at all.

Thanks in advance.

Matt

Mathijs A. de Groot
Consultant - Software Engineer
_________________________________________
Logica - Releasing your potential
George Hintzenweg 89
3068 AX Rotterdam
Postbus 8566
3009 AN Rotterdam
Nederland
T: +31 (0) 10 253 7000
D: +31(0) 70 37 56627
E: math.de.groot at logica.com
www.logica.com

Logica Nederland B.V. Registered office in Amstelveen, The Netherlands Registration Number Chamber of Commerce: 33136004

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
From mike.storvick at texturallc.com Thu Jul 31 20:46:27 2008
From: mike.storvick at texturallc.com (Mike Storvick)
Date: Thu, 31 Jul 2008 15:46:27 -0500
Subject: [Fedora-directory-users] Passsync and Domain Controllers
Message-ID:

Hello All,

I have successfully installed passsync on one of our domain controllers (32bit, the only one that would work) and only see changes of passwords being replicated from that single domain controller (not entirely useful because we hardly use that one for user changes etc.)

Does this somehow need to be installed on ALL domain controllers that may process the password change, or is there some sort of replication problem between DCs? I change the password on any domain controller and it is reflected on our Exchange Outlook Web Access.

Any insight is appreciated, especially if you've had luck getting it to run on 64-bit Server 2003.

Regards and thanks for your time,

Michael Storvick - Network Administrator
Textura Corporation
51 Sherwood Terrace Suite K
Lake Bluff, IL 60044
Mobile: 847-204-7417
Office: 847-235-8470