From zahra_bahar at ec.iut.ac.ir  Mon Jun  2 11:08:21 2008
From: zahra_bahar at ec.iut.ac.ir (Zahra Bahar)
Date: Mon, 2 Jun 2008 14:38:21 +0330 (IRST)
Subject: [Fedora-directory-users] new domain out of DS suffix
Message-ID: <5193643.65521212404901395.JavaMail.root@mta.iut.ac.ir>

Hi,
We have a Zimbra mail server that uses Fedora LDAP DS for users. Assume our
suffix is test.group.org, how could we use email addresses with domain
test2.org in this DS structure?

From sanga.c at it-mgt.com  Mon Jun  2 19:38:41 2008
From: sanga.c at it-mgt.com (Sanga M. Collins)
Date: Mon, 2 Jun 2008 15:38:41 -0400
Subject: [Fedora-directory-users] groups and ou behaviour
Message-ID: <5542485358217A4EB9893C4F12C42BF9D6778D@itm-bb01.exch.it-mgt.net>

After successful install there are 4 groups under domain example.com when
browsing the tree in directory server.

Accounting managers
HR managers
QA managers
PD managers

When in the 'users and groups' tab of the main management console, a search
for any of these groups does not return any results.

When browsing the tree in the directory server, 3 organizational units can
be seen under the domain example.com.

Groups
People (5 acis)
Special Users

From the users and groups tab in the main management console, I would like
to create a new user in the organizational unit 'People'. I would also like
to create a new group in the organizational unit 'Groups'. Neither one of
these ou's is listed as a location that I can create users under.

How can this be fixed?

From triswimjoe at hotmail.com  Mon Jun  2 22:24:38 2008
From: triswimjoe at hotmail.com (Joe Sheehan)
Date: Mon, 2 Jun 2008 18:24:38 -0400
Subject: [Fedora-directory-users] Command Line Setup of SSL
Message-ID:

Sorry to bother everyone for a trivial question but what's the easiest way
to setup "Enable SSL for this server", etc via the command line. Is there
documentation of this somewhere?
Thanks
Joe

From lbigum at iseek.com.au  Mon Jun  2 22:29:59 2008
From: lbigum at iseek.com.au (Luke Bigum)
Date: Tue, 3 Jun 2008 08:29:59 +1000
Subject: [Fedora-directory-users] Command Line Setup of SSL
In-Reply-To:
References:
Message-ID: <50A3F7088FE1A14FB0CF57A2248738865B667FF5A7@EXCHANGE1.intranet.iseek.com.au>

The Fedora Project howto has the LDIF entries required:

http://directory.fedoraproject.org/wiki/Howto:SSL#Starting_the_Server_with_SSL_enabled

You might find tidbits in the Red Hat guide as well:

http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_SSL.html

--
Luke Bigum
Systems Administrator
iseek Communications Pty Ltd
Excellence in business data solutions
ph 1300 661 668
fax 1300 661 540
www.iseek.com.au

From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Joe Sheehan
Sent: Tuesday, 3 June 2008 8:25 AM
To: fedora-directory-users at redhat.com
Subject: [Fedora-directory-users] Command Line Setup of SSL

Sorry to bother everyone for a trivial question but what's the easiest way
to setup "Enable SSL for this server", etc via the command line. Is there
documentation of this somewhere?

Thanks
Joe

From goni at selimins.co.kr  Tue Jun  3 05:57:49 2008
From: goni at selimins.co.kr (=?ks_c_5601-1987?B?sejBpLDv?=)
Date: Tue, 3 Jun 2008 14:57:49 +0900
Subject: [Fedora-directory-users] Unix/Linux vs Windows integration method?
Message-ID: <002801c8c53e$c2d36fe0$487a4fa0$@co.kr>

Hi everyone.

I have plan Linux and windows integrate by FDS.

If you have a experience, would you give information to me? how method
install and setup.

Now, I installed fedora-ds-1.0.4-1 on Redhat AS4 machine.

Thanks

From solarflow99 at gmail.com  Tue Jun  3 09:02:04 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Tue, 3 Jun 2008 10:02:04 +0100
Subject: [Fedora-directory-users] Unix/Linux vs Windows integration method?
In-Reply-To: <002801c8c53e$c2d36fe0$487a4fa0$@co.kr>
References: <002801c8c53e$c2d36fe0$487a4fa0$@co.kr>
Message-ID: <7020fd000806030202o64c3b5bu1a7430994765a649@mail.gmail.com>

On 6/3/08, ??? wrote:

> Hi everyone.
>
> I have plan Linux and windows integrate by FDS.
>
> If you have a experience, would you give information to me? how method
> install and setup.
>
> Now, I installed fedora-ds-1.0.4-1 on Redhat AS4 machine.
>

are you running a windows domain? ADS? you would need to also use samba.
If possible, redhat EL5 and FDS 1.1 works well.

From sanga.c at it-mgt.com  Tue Jun  3 14:36:34 2008
From: sanga.c at it-mgt.com (Sanga M. Collins)
Date: Tue, 3 Jun 2008 10:36:34 -0400
Subject: [Fedora-directory-users] console breaks after installing libnss-ldap and libpam-ldap
References: <5542485358217A4EB9893C4F12C42BF9D671EC@itm-bb01.exch.it-mgt.net>
Message-ID: <5542485358217A4EB9893C4F12C42BF9D677A7@itm-bb01.exch.it-mgt.net>

I have narrowed this problem down to one of the config files in
/etc/pam.d/. Can anyone help me resolve this problem or at least point me
in the right direction?
I would really like to use FDS to replace all of our Active directory and
novell e-directory domain controllers (we have about 47 domains). I am
trying to make the case for open source directory management with my
employers and the way things are going, they are considering just forking
over the money to M$ and Novell [arrgggghhhh]

Anyway, here are my pam.d configs

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# pre_auth-client-config # account required pam_unix.so
account sufficient pam_ldap.so
account required pam_unix.so
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# /etc/pam.d/common-auth - authentication settings common to all services
#
# pre_auth-client-config # auth requisite pam_unix.so nullok_secure
# pre_auth-client-config # auth optional pam_smbpass.so migrate
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# /etc/pam.d/common-password - password-related modules common to all services
#
# pre_auth-client-config # password optional pam_smbpass.so nullok use_authtok use_first_pass
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# /etc/pam.d/common-session - session-related modules common to all services
#
# pre_auth-client-config # session required pam_unix.so
session sufficient pam_ldap.so
session required pam_unix.so

From betito2208 at hotmail.com  Tue Jun  3 18:26:21 2008
From: betito2208 at hotmail.com (beto ..)
Date: Tue, 3 Jun 2008 18:26:21 +0000
Subject: [Fedora-directory-users] password incorrect or directory problem
Message-ID:

When I start fedora-idm-console i get this message: password incorrect or
directory problem
any solution for this problem? Help me please!

From lyoung at sunyrockland.edu  Tue Jun  3 18:34:46 2008
From: lyoung at sunyrockland.edu (Lin Young)
Date: Tue, 03 Jun 2008 14:34:46 -0400
Subject: [Fedora-directory-users] password incorrect or directory problem
In-Reply-To:
References:
Message-ID: <48458EC6.30906@sunyrockland.edu>

beto .. wrote:
>
> *When I start fedora-idm-console i get this message: password
> incorrect or directory problem
> any solution for this problem? Help me please!
> *
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
Check to see if the directory server is running.

From betito2208 at hotmail.com  Tue Jun  3 19:29:04 2008
From: betito2208 at hotmail.com (beto ..)
Date: Tue, 3 Jun 2008 19:29:04 +0000
Subject: [Fedora-directory-users] password incorrect or directory problem
In-Reply-To: <48458EC6.30906@sunyrockland.edu>
References: <48458EC6.30906@sunyrockland.edu>
Message-ID:

dirsrv running
dirsrv-admin running
port 389 and 9830 open
what's the problem?

beto!!!
----------------------------------------
> Date: Tue, 3 Jun 2008 14:34:46 -0400
> From: lyoung at sunyrockland.edu
> To: fedora-directory-users at redhat.com
> Subject: Re: [Fedora-directory-users] password incorrect or directory problem
>
> beto .. wrote:
>>
>> *When I start fedora-idm-console i get this message: password
>> incorrect or directory problem
>> any solution for this problem? Help me please!
>> *
>>
> Check to see if the directory server is running.

From goni at selimins.co.kr  Wed Jun  4 01:59:36 2008
From: goni at selimins.co.kr (=?ks_c_5601-1987?B?sejBpLDv?=)
Date: Wed, 4 Jun 2008 10:59:36 +0900
Subject: [Fedora-directory-users] Unix/Linux vs Windows integration method?
In-Reply-To: <7020fd000806030202o64c3b5bu1a7430994765a649@mail.gmail.com>
References: <002801c8c53e$c2d36fe0$487a4fa0$@co.kr> <7020fd000806030202o64c3b5bu1a7430994765a649@mail.gmail.com>
Message-ID: <001501c8c5e6$a4074930$ec15db90$@co.kr>

Thanks

I will use ADS on windows machine.

From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of solarflow99
Sent: Tuesday, June 03, 2008 6:02 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Unix/Linux vs Windows integration method?

On 6/3/08, ??? wrote:

Hi everyone.

I have plan Linux and windows integrate by FDS.

If you have a experience, would you give information to me?
how method install and setup.

Now, I installed fedora-ds-1.0.4-1 on Redhat AS4 machine.

are you running a windows domain? ADS? you would need to also use samba.
If possible, redhat EL5 and FDS 1.1 works well.

From sigidwu at gmail.com  Wed Jun  4 02:35:51 2008
From: sigidwu at gmail.com (sigid@JINLab)
Date: Wed, 04 Jun 2008 09:35:51 +0700
Subject: [Fedora-directory-users] password incorrect or directory problem
In-Reply-To:
References: <48458EC6.30906@sunyrockland.edu>
Message-ID: <4845FF87.90901@gmail.com>

beto .. wrote:
>
> dirsrv running
> dirsrv-admin running
> port 389 and 9830 open
> what's the problem?
>
> beto!!!

FYI, I'm having the same problem, but only on Fedora 8; when using Fedora 9
there is no such problem. But currently my box always hangs when using
Fedora 9 and runs normally when running Fedora 8. So I'm rolling back to
use Fedora 8.

Note that on Fedora 8 I already checked that all the LDAP functions run
well, because it can be accessed by another LDAP administration tool. But
when using the fedora console it said "password incorrect or directory
problem".

I assumed that there is some problem in the java console. Therefore I tried
to access another server running Fedora 9 with FDS 1.1 installed with the
Fedora 8 FDS console. The Fedora 8 FDS console could access the FDS 1.1 on
the Fedora 9 machine normally without any problem.

So ....the FDS and FDS console status should be fine, then where is the
problem?

Note that I also disabled the firewall and selinux but that didn't solve my
problem.

sigidwu.blogspot.com

From niranjan.ashok at gmail.com  Wed Jun  4 04:41:01 2008
From: niranjan.ashok at gmail.com (mallapadi niranjan)
Date: Wed, 4 Jun 2008 10:11:01 +0530
Subject: [Fedora-directory-users] password incorrect or directory problem
In-Reply-To:
References:
Message-ID: <73e979680806032141uf35a95dlada6047434191c05@mail.gmail.com>

Can you check what the access logs say?

On Tue, Jun 3, 2008 at 11:56 PM, beto .. wrote:

>
> *When I start fedora-idm-console i get this message: password incorrect or
> directory problem
> any solution for this problem? Help me please!
> *
>

From solarflow99 at gmail.com  Wed Jun  4 09:11:10 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Wed, 4 Jun 2008 10:11:10 +0100
Subject: [Fedora-directory-users] Unix/Linux vs Windows integration method?
In-Reply-To: <001501c8c5e6$a4074930$ec15db90$@co.kr>
References: <002801c8c53e$c2d36fe0$487a4fa0$@co.kr> <7020fd000806030202o64c3b5bu1a7430994765a649@mail.gmail.com> <001501c8c5e6$a4074930$ec15db90$@co.kr>
Message-ID: <7020fd000806040211v67c86b5bxe340b765ed56d5aa@mail.gmail.com>

Here's a few links on doing this:

http://directory.fedoraproject.org/wiki/Download#Enterprise_Linux_5
http://wiki.samba.org/index.php/Samba_&_Active_Directory

There is also lots of info for the samba config from google.

On 6/4/08, ??? wrote:
>
> Thanks
>
> I will use ADS on windows machine.
>
> *From:* fedora-directory-users-bounces at redhat.com [mailto:
> fedora-directory-users-bounces at redhat.com] *On Behalf Of *solarflow99
> *Sent:* Tuesday, June 03, 2008 6:02 PM
> *To:* General discussion list for the Fedora Directory server project.
> *Subject:* Re: [Fedora-directory-users] Unix/Linux vs Windows integration
> method?
>
> On 6/3/08, *???* wrote:
>
> Hi everyone.
>
> I have plan Linux and windows integrate by FDS.
>
> If you have a experience, would you give information to me? how method
> install and setup.
>
> Now, I installed fedora-ds-1.0.4-1 on Redhat AS4 machine.
>
> are you running a windows domain? ADS?
> you would need to also use samba.
> If possible, redhat EL5 and FDS 1.1 works well.
>

From g.digiambelardini at fabaris.it  Wed Jun  4 10:49:18 2008
From: g.digiambelardini at fabaris.it (g.digiambelardini at fabaris.it)
Date: Wed, 4 Jun 2008 12:49:18 +0200
Subject: [Fedora-directory-users] multi master problem
Message-ID:

Hi to all,
this is my first time here, I have a big problem: until 3 days ago
everything worked well in my ldap multimaster, but then the replication has
stopped working. So I tried to disconnect and reconnect with mmr.pl ( old &
new ), but I always receive the same error:

on server1:

NSMMReplicationPlugin - Beginning total update of replica "agmt="cn="Replication to server2.pippo.it"" (server2:389)".
[04/Jun/2008:11:57:18 +0200] NSMMReplicationPlugin - csnplCommit: can't find csn 484666fe000100010000
[04/Jun/2008:11:57:18 +0200] NSMMReplicationPlugin - ruv_update_ruv: cannot commit csn 484666fe000100010000
[04/Jun/2008:11:57:18 +0200] NSMMReplicationPlugin - replica_update_ruv: unable to update RUV for replica dc=pippo,dc=it, csn = 484666fe000100010000
[04/Jun/2008:11:57:18 +0200] NSMMReplicationPlugin - csnplCommit: can't find csn 484666fe000200010000
[04/Jun/2008:11:57:18 +0200] NSMMReplicationPlugin - ruv_update_ruv: cannot commit csn 484666fe000200010000
[04/Jun/2008:11:57:18 +0200] NSMMReplicationPlugin - replica_update_ruv: unable to update RUV for replica dc=pippo,dc=it, csn = 484666fe000200010000
[04/Jun/2008:11:57:18 +0200] NSMMReplicationPlugin - csnplCommit: can't find csn 484666fe000000010000
[04/Jun/2008:11:57:18 +0200] NSMMReplicationPlugin - ruv_update_ruv: cannot commit csn 484666fe000000010000
[04/Jun/2008:11:57:19 +0200] NSMMReplicationPlugin - replica_update_ruv: unable to update RUV for replica
dc=pippo,dc=it, csn = 484666fe000000010000 [04/Jun/2008:11:57:41 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Failed to send extended operation: LDAP error 81 (Can't contact LDAP server) [04/Jun/2008:11:57:41 +0200] NSMMReplicationPlugin - csnplCommit: can't find csn 48466715000000010000 [04/Jun/2008:11:57:41 +0200] NSMMReplicationPlugin - ruv_update_ruv: cannot commit csn 48466715000000010000 [04/Jun/2008:11:57:41 +0200] NSMMReplicationPlugin - replica_update_ruv: unable to update RUV for replica dc=pippo,dc=it, csn = 48466715000000010000 [04/Jun/2008:11:57:41 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Received error 89: NULL for total update operation [04/Jun/2008:11:57:41 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Received error 89: NULL for total update operation [04/Jun/2008:11:57:41 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Received error 89: NULL for total update operation [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Received error 89: NULL for total update operation [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Received error 89: NULL for total update operation [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Received error 89: NULL for total update operation [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Received error 89: NULL for total update operation [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Received error 89: NULL for total update operation [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" 
(server2:389): Received error 89: NULL for total update operation [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Received error 89: NULL for total update operation [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Received error 89: NULL for total update operation [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Received error 89: NULL for total update operation [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Received error 89: NULL for total update operation [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Received error 89: NULL for total update operation [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Received error 89: NULL for total update operation [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Received error 89: NULL for total update operation [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Received error 89: NULL for total update operation [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Received error 89: NULL for total update operation [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Received error 89: NULL for total update operation [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Warning: unable to send endReplication extended operation (Bad parameter to an ldap routine) [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" 
(server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:57:46 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:57:50 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:57:52 +0200] NSMMReplicationPlugin - csnplCommit: can't find csn 48466720000000010000
[04/Jun/2008:11:57:52 +0200] NSMMReplicationPlugin - ruv_update_ruv: cannot commit csn 48466720000000010000
[04/Jun/2008:11:57:52 +0200] NSMMReplicationPlugin - replica_update_ruv: unable to update RUV for replica dc=pippo,dc=it, csn = 48466720000000010000
[04/Jun/2008:11:57:54 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:57:58 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:58:02 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:58:06 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:58:11 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:58:14 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:58:14 +0200] NSMMReplicationPlugin - csnplCommit: can't find csn 48466736000100010000
[04/Jun/2008:11:58:14 +0200] NSMMReplicationPlugin - ruv_update_ruv: cannot commit csn 48466736000100010000
[04/Jun/2008:11:58:14 +0200] NSMMReplicationPlugin - replica_update_ruv: unable to update RUV for replica dc=pippo,dc=it, csn = 48466736000100010000
[04/Jun/2008:11:58:17 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:58:20 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:58:23 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:58:26 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:58:29 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:58:32 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:58:36 +0200] NSMMReplicationPlugin - csnplCommit: can't find csn 4846674c000100010000
[04/Jun/2008:11:58:36 +0200] NSMMReplicationPlugin - ruv_update_ruv: cannot commit csn 4846674c000100010000
[04/Jun/2008:11:58:36 +0200] NSMMReplicationPlugin - replica_update_ruv: unable to update RUV for replica dc=pippo,dc=it, csn = 4846674c000100010000
[04/Jun/2008:11:58:36 +0200] NSMMReplicationPlugin - csnplCommit: can't find csn 4846674c000200010000
[04/Jun/2008:11:58:36 +0200] NSMMReplicationPlugin - ruv_update_ruv: cannot commit csn 4846674c000200010000
[04/Jun/2008:11:58:36 +0200] NSMMReplicationPlugin - replica_update_ruv: unable to update RUV for replica dc=pippo,dc=it, csn = 4846674c000200010000
[04/Jun/2008:11:58:36 +0200] NSMMReplicationPlugin - csnplCommit: can't find csn 4846674c000000010000
[04/Jun/2008:11:58:36 +0200] NSMMReplicationPlugin - ruv_update_ruv: cannot commit csn 4846674c000000010000
[04/Jun/2008:11:58:36 +0200] NSMMReplicationPlugin - replica_update_ruv: unable to update RUV for replica dc=pippo,dc=it, csn = 4846674c000000010000
[04/Jun/2008:11:58:36 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:58:40 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:58:44 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:58:46 +0200] NSMMReplicationPlugin - csnplCommit: can't find csn 48466756000000010000
[04/Jun/2008:11:58:46 +0200] NSMMReplicationPlugin - ruv_update_ruv: cannot commit csn 48466756000000010000
[04/Jun/2008:11:58:46 +0200] NSMMReplicationPlugin - replica_update_ruv: unable to update RUV for replica dc=pippo,dc=it, csn = 48466756000000010000
[04/Jun/2008:11:58:48 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:58:52 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:58:56 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:59:00 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:59:04 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:59:07 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:59:10 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:59:13 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:59:16 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:59:19 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:59:22 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:59:25 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:59:29 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:59:33 +0200] NSMMReplicationPlugin - agmt="cn="Replication to server2.pippo.it"" (server2:389): Replica has a different generation ID than the local data.
[04/Jun/2008:11:59:34 +0200] NSMMReplicationPlugin - csnplCommit: can't find csn 48466786000000010000
[04/Jun/2008:11:59:34 +0200] NSMMReplicationPlugin - ruv_update_ruv: cannot commit csn 48466786000000010000
[04/Jun/2008:11:59:34 +0200] NSMMReplicationPlugin - replica_update_ruv: unable to update RUV for replica dc=pippo,dc=it, csn = 48466786000000010000

on server2:

NSMMReplicationPlugin - replica_replace_ruv_tombstone: failed to update replication update vector for replica dc=pippo,dc=it: LDAP error - 1
[04/Jun/2008:11:56:57 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=pippo,dc=it is going offline; disabling replication
[04/Jun/2008:11:56:57 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[04/Jun/2008:11:57:17 +0200] - import userRoot: Processed 30051 entries -- average rate 1502.5/sec, recent rate 1502.5/sec, hit ratio 0%
[04/Jun/2008:11:57:29 +0200] - ERROR bulk import abandoned
[04/Jun/2008:11:57:29 +0200] - import userRoot: Aborting all import threads...
[04/Jun/2008:11:57:35 +0200] - import userRoot: Import threads aborted.
[04/Jun/2008:11:57:35 +0200] - import userRoot: Closing files...
[04/Jun/2008:11:57:41 +0200] - libdb: userRoot/mailAlternateAddress.db4: unable to flush: No such file or directory
[04/Jun/2008:11:57:41 +0200] - libdb: userRoot/mail.db4: unable to flush: No such file or directory
[04/Jun/2008:11:57:41 +0200] - libdb: userRoot/givenName.db4: unable to flush: No such file or directory
[04/Jun/2008:11:57:41 +0200] - libdb: userRoot/sn.db4: unable to flush: No such file or directory
[04/Jun/2008:11:57:41 +0200] - libdb: userRoot/telephoneNumber.db4: unable to flush: No such file or directory
[04/Jun/2008:11:57:41 +0200] - libdb: userRoot/uid.db4: unable to flush: No such file or directory
[04/Jun/2008:11:57:41 +0200] - libdb: userRoot/cn.db4: unable to flush: No such file or directory
[04/Jun/2008:11:57:41 +0200] - libdb: userRoot/nsUniqueId.db4: unable to flush: No such file or directory
[04/Jun/2008:11:57:41 +0200] - libdb: userRoot/objectclass.db4: unable to flush: No such file or directory
[04/Jun/2008:11:57:41 +0200] - libdb: userRoot/parentid.db4: unable to flush: No such file or directory
[04/Jun/2008:11:57:41 +0200] - libdb: userRoot/entrydn.db4: unable to flush: No such file or directory
[04/Jun/2008:11:57:41 +0200] - libdb: userRoot/id2entry.db4: unable to flush: No such file or directory
[04/Jun/2008:11:57:41 +0200] - import userRoot: Import failed.
[04/Jun/2008:11:57:42 +0200] - process_bulk_import_op: NULL backend
[04/Jun/2008:11:57:43 +0200] NSMMReplicationPlugin - replica_replace_ruv_tombstone: failed to update replication update vector for replica dc=pippo,dc=it: LDAP error - 1
[04/Jun/2008:11:57:47 +0200] NSMMReplicationPlugin - replica_replace_ruv_tombstone: failed to update replication update vector for replica dc=pippo,dc=it: LDAP error - 1
[04/Jun/2008:11:57:51 +0200] NSMMReplicationPlugin - replica_replace_ruv_tombstone: failed to update replication update vector for replica dc=pippo,dc=it: LDAP error - 1
[04/Jun/2008:11:57:55 +0200] NSMMReplicationPlugin - replica_replace_ruv_tombstone: failed to update replication update vector for replica dc=pippo,dc=it: LDAP error - 1
[04/Jun/2008:11:57:59 +0200] NSMMReplicationPlugin - replica_replace_ruv_tombstone: failed to update replication update vector for replica dc=pippo,dc=it: LDAP error - 1
[04/Jun/2008:11:58:03 +0200] NSMMReplicationPlugin - replica_replace_ruv_tombstone: failed to update replication update vector for replica dc=pippo,dc=it: LDAP error - 1
[04/Jun/2008:11:58:07 +0200] NSMMReplicationPlugin - replica_replace_ruv_tombstone: failed to update replication update vector for replica dc=pippo,dc=it: LDAP error - 1
[04/Jun/2008:11:58:11 +0200] NSMMReplicationPlugin - replica_replace_ruv_tombstone: failed to update replication update vector for replica dc=pippo,dc=it: LDAP error - 1
[04/Jun/2008:11:58:14 +0200] NSMMReplicationPlugin - replica_replace_ruv_tombstone: failed to update replication update vector for replica dc=pippo,dc=it: LDAP error - 1

--------------------------------------------------------------------------

Somebody can help me please???
thanks for any suggestion

From igalvarez at gmail.com Wed Jun 4 12:24:24 2008
From: igalvarez at gmail.com (Israel Garcia)
Date: Wed, 4 Jun 2008 07:24:24 -0500
Subject: [Fedora-directory-users] fedora on production enviroment
Message-ID: <194a2c240806040524s43eaf840qe3e9d65f00334c3d@mail.gmail.com>

Hi everybody,

I have to migrate several users from production servers to an ldap server. I have some questions:

1. Is fedora-ds ready and stable to work on production servers?
2. If you had to do this migration of users, would you think of fedora-ds as the ldap server, or of another directory service?

thanks in advance

Regards;
Israel Garcia

From alan.orlic at zd-lj.si Thu Jun 5 10:54:59 2008
From: alan.orlic at zd-lj.si (Alan Orlič Belšak)
Date: Thu, 05 Jun 2008 12:54:59 +0200
Subject: [Fedora-directory-users] Fedora DS 1.04 and Samba 3.0.25b
Message-ID: <4847C603.2080304@zd-lj.si>

Hello,

I found out something unusual. First, here is the part of smb.conf:

ldap admin dn = cn=Directory Manager
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=zd-lj,dc=lan
ldap user suffix = ou=People

And here is the error:

[04/Jun/2008:08:38:56 +0200] conn=38162 fd=67 slot=67 connection from 192.168.200.253 to 192.168.220.6
[04/Jun/2008:08:38:56 +0200] conn=38162 op=0 BIND dn="cn=Directory manager" method=128 version=3
[04/Jun/2008:08:38:56 +0200] conn=38162 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[04/Jun/2008:08:38:56 +0200] conn=38162 op=1 MOD dn="uid=majdac$,ou=uprava,ou=computers,dc=zd-lj,"
[04/Jun/2008:08:38:56 +0200] conn=38162 op=1 RESULT err=32 tag=103 nentries=0 etime=0
[04/Jun/2008:08:38:56 +0200] conn=38162 op=2 UNBIND
[04/Jun/2008:08:38:56 +0200] conn=38162 op=2 fd=67 closed - U1

If you noticed, in smb.conf I have ldap suffix = dc=zd-lj,dc=lan; the error is caused because the ldap modify contains only part of the suffix, dc=zd-lj.
I tried to put ldap suffix into quotes (double - "), but then I got smbd error (doesn't start). Any ideas?

Bye, Alan

From ebeda at udsm.ac.tz Thu Jun 5 12:25:08 2008
From: ebeda at udsm.ac.tz (Eric Beda)
Date: Thu, 5 Jun 2008 15:25:08 +0300 (EAT)
Subject: [Fedora-directory-users] Resetting Admin Password in FDS
Message-ID: <35655.196.44.161.242.1212668708.squirrel@mail.udsm.ac.tz>

Hi,

I forgot the admin password to enter the administrative interface. How do I reset it? Help needed.

Thanks

From kenneho.ndu at gmail.com Thu Jun 5 13:36:34 2008
From: kenneho.ndu at gmail.com (Kenneth Holter)
Date: Thu, 5 Jun 2008 15:36:34 +0200
Subject: [Fedora-directory-users] Importing LDIF file from AD
Message-ID:

Hi.

We're trying to populate our DS with users from AD. Our plan is to build and populate the database with entries from AD, and thereafter set up Windows Sync to maintain the database.

I import the LDIF file using the ldif2db.pl perl script. One issue I've come across is that the script finishes with "modifcation complete" regardless of success or failure. How can I get the script to report errors? Or are there maybe smarter ways of importing LDIF files on the command line?

Furthermore, are there any issues with AD LDIF import I should be aware of?

Regards,
kenneho

From patrick.morris at hp.com Thu Jun 5 15:19:09 2008
From: patrick.morris at hp.com (Morris, Patrick)
Date: Thu, 5 Jun 2008 15:19:09 +0000
Subject: [Fedora-directory-users] Resetting Admin Password in FDS
In-Reply-To: <35655.196.44.161.242.1212668708.squirrel@mail.udsm.ac.tz>
References: <35655.196.44.161.242.1212668708.squirrel@mail.udsm.ac.tz>
Message-ID: <93C487A372B3774CAEAA15D524CCF3D1228B23C511@G1W0485.americas.hpqcorp.net>

> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Eric Beda
> Sent: Thursday, June 05, 2008 5:25 AM
> To: fedora-directory-users at redhat.com
> Subject: [Fedora-directory-users] Resetting Admin Password in FDS
>
> Hi,
>
> I forgot the admin password to enter the administrative interface. How do
> I reset it? Help needed.

http://directory.fedoraproject.org/wiki/Howto:ResetDirMgrPassword

From kangks_99 at yahoo.com Thu Jun 5 15:37:31 2008
From: kangks_99 at yahoo.com (Khoon Seang Kang)
Date: Thu, 5 Jun 2008 08:37:31 -0700 (PDT)
Subject: [Fedora-directory-users] Windows Kerberos authentication
Message-ID: <465344.90522.qm@web30405.mail.mud.yahoo.com>

Hi all,

Pardon me if this is the wrong mailing list/channel. I have no idea where I can get experts across domains (M$ and Linux).

We need to create a Windows application, but the application has to do Kerberos authentication with a DS on Fedora (ok, I am testing out the FreeIPA). However, the windows desktop is not authenticated with my Kerberos Realm: in other words, we are trying to run a trusted-application on an untrusted-machine. Any advice?

In fact, we are looking for consultant/professional service in this authentication/ACL infrastructure. If your company is offering this service, do drop me an email. (ok, I tried sending an email to Redhat professional service, but till now still no reply. I guess they are not familiar with M$?)

Thank you in advance.
KhoonSeang

From rmeggins at redhat.com Thu Jun 5 23:34:39 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 05 Jun 2008 17:34:39 -0600
Subject: [Fedora-directory-users] Importing LDIF file from AD
In-Reply-To:
References:
Message-ID: <4848780F.7080000@redhat.com>

Kenneth Holter wrote:
> Hi.
>
> We're trying to populate our DS with users from AD. Our plan is to
> build and populate the database with entries from AD, and thereafter
> set up Windows Sync to maintain the database.
>
> I import the LDIF file using the ldif2db.pl perl script. One issue
> I've come across is that the script finishes with "modifcation
> complete" regardless of success or failure. How can I get the script
> to report errors?

That script just starts the task running in the server. You can check the error log for status. Or query the entry (using ldapsearch) whose DN ldif2db.pl prints out.

> Or are there maybe smarter ways of importing LDIF files on the command
> line?

You can use ldif2db but you can only use that if the server is not running.

> Furthermore, are there any issues with AD LDIF import I should be
> aware of?

You mean, exporting an LDIF from AD and importing it directly into Fedora DS? Or vice versa? If you are going to use the Fedora DS AD Sync feature, you should let Fedora DS do the initial sync - do not attempt to manually export/import from AD to Fedora DS. I'm almost certain it will not work without heavy data massaging.

> Regards,
> kenneho
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rmeggins at redhat.com Thu Jun 5 23:35:24 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 05 Jun 2008 17:35:24 -0600
Subject: [Fedora-directory-users] password incorrect or directory problem
In-Reply-To:
References:
Message-ID: <4848783C.5040602@redhat.com>

beto .. wrote:
>
> *When I start fedora-idm-console i get this message: password
> incorrect or directory problem
> any solution for this problem? Help me please!
> *

fedora-idm-console -D 9 -f console.log

Then check console.log

From gvenkat at gmail.com Thu Jun 5 23:36:37 2008
From: gvenkat at gmail.com (G Venkataraman)
Date: Thu, 5 Jun 2008 16:36:37 -0700
Subject: [Fedora-directory-users] Importing LDIF file from AD
In-Reply-To:
References:
Message-ID:

On Thu, Jun 5, 2008 at 6:36 AM, Kenneth Holter wrote:
> Hi.
>
> We're trying to populate our DS with users from AD. Our plan is to build
> and populate the database with entries from AD, and thereafter set up
> Windows Sync to maintain the database.
>
> I import the LDIF file using the ldif2db.pl perl script. One issue I've
> come across is that the script finishes with "modifcation complete"
> regardless of success or failure. How can I get the script to report errors?
> Or are there maybe smarter ways of importing LDIF files on the command line?
>

The ldif2db.pl script creates a task entry that does the actual import of the LDIF file and generates the indexes. The "modification complete" message corresponds to the task entry that gets created by ldif2db.pl and not the actual import process. You should be able to see the status of the import (including any errors) in the LDAP server error log.

Alternatively, if the server is shut down, ldif2db can be used to perform a similar import.

> Furthermore, are there any issues with AD LDIF import I should be aware
> of?
>
> Regards,
> kenneho

-=Venkat=-

From sigidwu at gmail.com Fri Jun 6 01:47:05 2008
From: sigidwu at gmail.com (sigid@JINLab)
Date: Fri, 06 Jun 2008 08:47:05 +0700
Subject: [Fedora-directory-users] password incorrect or directory problem
In-Reply-To: <4848783C.5040602@redhat.com>
References: <4848783C.5040602@redhat.com>
Message-ID: <48489719.5070503@gmail.com>

Rich Megginson wrote:
> beto .. wrote:
>>
>> *When I start fedora-idm-console i get this message: password
>> incorrect or directory problem
>> any solution for this problem? Help me please!
>> *
> fedora-idm-console -D 9 -f console.log
> Then check console.log

It seems like an http response timeout problem, but my web server has been running well.

here is my console.log
=====================
java.util.prefs.userRoot=/home/rizki/.fedora-idm-console
java.runtime.name=IcedTea Runtime Environment
sun.boot.library.path=/usr/lib/jvm/java-1.7.0-icedtea-1.7.0.0/jre/lib/i386
java.vm.version=1.7.0-b21
java.vm.vendor=Sun Microsystems Inc.
java.vendor.url=http://java.sun.com/
path.separator=:
java.vm.name=IcedTea Client VM
file.encoding.pkg=sun.io
sun.java.launcher=SUN_STANDARD
user.country=US
sun.os.patch.level=unknown
java.vm.specification.name=Java Virtual Machine Specification
user.dir=/home/rizki
java.runtime.version=1.7.0-b21
java.awt.graphicsenv=sun.awt.X11GraphicsEnvironment
java.endorsed.dirs=/usr/lib/jvm/java-1.7.0-icedtea-1.7.0.0/jre/lib/endorsed
os.arch=i386
java.io.tmpdir=/tmp
line.separator=

java.vm.specification.vendor=Sun Microsystems Inc.
os.name=Linux
sun.jnu.encoding=UTF-8
java.library.path=/usr/lib
javax.net.ssl.trustStore=/etc/pki/tls/certs/ca-bundle.crt
java.specification.name=Java Platform API Specification
java.class.version=50.0
sun.management.compiler=HotSpot Client Compiler
os.version=2.6.24.7-92.fc8
user.home=/home/rizki
user.zoneinfo.dir=/usr/share/javazi
user.timezone=Asia/Jakarta
java.awt.printerjob=sun.print.PSPrinterJob
file.encoding=UTF-8
java.specification.version=1.7
javax.net.ssl.trustStoreType=CertBundle
java.class.path=/usr/lib/java/jss4.jar:/usr/share/java/ldapjdk.jar:/usr/share/java/idm-console-base.jar:/usr/share/java/idm-console-mcc.jar:/usr/share/java/idm-console-mcc_en.jar:/usr/share/java/idm-console-nmclf.jar:/usr/share/java/idm-console-nmclf_en.jar:/usr/share/java/fedora-idm-console-1.1.1_en.jar
user.name=rizki
javax.net.ssl.trustStoreProvider=
java.vm.specification.version=1.0
java.home=/usr/lib/jvm/java-1.7.0-icedtea-1.7.0.0/jre
sun.arch.data.model=32
java.util.prefs.systemRoot=/home/rizki/.fedora-idm-console
user.language=en
java.specification.vendor=Sun Microsystems Inc.
java.vm.info=mixed mode
java.version=1.7.0
java.ext.dirs=/usr/lib/jvm/java-1.7.0-icedtea-1.7.0.0/jre/lib/ext:/usr/java/packages/lib/ext
sun.boot.class.path=/usr/lib/jvm/java-1.7.0-icedtea-1.7.0.0/jre/lib/resources.jar:/usr/lib/jvm/java-1.7.0-icedtea-1.7.0.0/jre/lib/rt.jar:/usr/lib/jvm/java-1.7.0-icedtea-1.7.0.0/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-1.7.0-icedtea-1.7.0.0/jre/lib/jsse.jar:/usr/lib/jvm/java-1.7.0-icedtea-1.7.0.0/jre/lib/jce.jar:/usr/lib/jvm/java-1.7.0-icedtea-1.7.0.0/jre/lib/charsets.jar:/usr/lib/jvm/java-1.7.0-icedtea-1.7.0.0/jre/classes
java.vendor=Sun Microsystems Inc.
file.separator=/
java.vendor.url.bug=http://java.sun.com/cgi-bin/bugreport.cgi
sun.io.unicode.encoding=UnicodeLittle
sun.cpu.endian=little
javax.net.ssl.trustStorePassword=
sun.cpu.isalist=
Fedora-Management-Console/1.1.1 B2008.107.222
RemoteImage: NOT found in cache loader6298545:com/netscape/management/nmclf/icons/Error.gif
RemoteImage: Create RemoteImage cache for loader6298545
RemoteImage: NOT found in cache loader6298545:com/netscape/management/nmclf/icons/Inform.gif
RemoteImage: NOT found in cache loader6298545:com/netscape/management/nmclf/icons/Warn.gif
RemoteImage: NOT found in cache loader6298545:com/netscape/management/nmclf/icons/Question.gif
ResourceSet: NOT found in cache loader6298545:com.netscape.management.client.components.components
RemoteImage: NOT found in cache loader6298545:com/netscape/management/client/theme/images/logo16.gif
RemoteImage: NOT found in cache loader6298545:com/netscape/management/client/theme/images/login.gif
ResourceSet: NOT found in cache loader6298545:com.netscape.management.client.util.default
ResourceSet: found in cache loader6298545:com.netscape.management.client.util.default
JButtonFactory: button width = 54
JButtonFactory: button height = 18
JButtonFactory: button width = 54
JButtonFactory: button height = 18
JButtonFactory: button width = 90
JButtonFactory: button height = 18
JButtonFactory: button width = 90
JButtonFactory: button height = 18
JButtonFactory: button width = 72
JButtonFactory: button height = 18
JButtonFactory: button width = 72
JButtonFactory: button height = 18
JButtonFactory: button width = 54
JButtonFactory: button height = 18
JButtonFactory: button width = 90
JButtonFactory: button width = 72
ResourceSet: found in cache loader6298545:com.netscape.management.client.util.default
CommManager> New CommRecord (http://jstsvr3:7749/admin-serv/authenticate)
ResourceSet: found in cache loader6298545:com.netscape.management.client.theme.theme
http://jstsvr3:7749/[0:0] open> Ready
http://jstsvr3:7749/[0:0] accept> http://jstsvr3:7749/admin-serv/authenticate
http://jstsvr3:7749/[0:0] send> GET \
http://jstsvr3:7749/[0:0] send> /admin-serv/authenticate \
http://jstsvr3:7749/[0:0] send> HTTP/1.0
http://jstsvr3:7749/[0:0] send> Host: jstsvr3:7749
http://jstsvr3:7749/[0:0] send> Connection: Keep-Alive
http://jstsvr3:7749/[0:0] send> User-Agent: Fedora-Management-Console/1.1.1
http://jstsvr3:7749/[0:0] send> Accept-Language: en
http://jstsvr3:7749/[0:0] send> Authorization: Basic \
http://jstsvr3:7749/[0:0] send> YWRtaW46ZmRzYWRtaW4= \
http://jstsvr3:7749/[0:0] send>
http://jstsvr3:7749/[0:0] send>
http://jstsvr3:7749/[0:0] recv> interrupted
http://jstsvr3:7749/[0:0] error> java.io.InterruptedIOException: HTTP response timeout
http://jstsvr3:7749/[0:0] close> Closed
JButtonFactory: button width = 54
JButtonFactory: button height = 18
JButtonFactory: button width = 54
JButtonFactory: button height = 18
JButtonFactory: button width = 54
JButtonFactory: button height = 18
JButtonFactory: button width = 54
JButtonFactory: button height = 18
Console:invoke_task():error:java.io.InterruptedIOException: HTTP response timeout
JButtonFactory: button width = 54
JButtonFactory: button height = 18
JButtonFactory: button width = 54
JButtonFactory: button height = 18
JButtonFactory: button width = 90
JButtonFactory: button height = 18
JButtonFactory: button width = 90
JButtonFactory: button height = 18
JButtonFactory: button width = 72
JButtonFactory: button height = 18
JButtonFactory: button width = 72
JButtonFactory: button height = 18
JButtonFactory: button width = 54
JButtonFactory: button height = 18
JButtonFactory: button width = 90
JButtonFactory: button width = 72

From kenneho.ndu at gmail.com Fri Jun 6 14:13:41 2008
From: kenneho.ndu at gmail.com (Kenneth Holter)
Date: Fri, 6 Jun 2008 16:13:41 +0200
Subject: [Fedora-directory-users] Importing LDIF file from AD
In-Reply-To: <4848780F.7080000@redhat.com>
References: <4848780F.7080000@redhat.com>
Message-ID:

Thanks, I'll check the error log or ldapsearch for status.

Regarding syncing with AD: I see now that I wasn't very clear on this. What I meant was exporting from AD and importing into DS. Our plan is to try and set up a unidirectional sync from AD to DS. In other words, AD should update DS, but never the other way around. If this is possible to do with Windows Sync we'll go for that approach, otherwise we're gonna have to find some other way to do it (script it somehow).

Regards,
kenneho

On 6/6/08, Rich Megginson wrote:
>
> Kenneth Holter wrote:
>
>> Hi.
>> We're trying to populate our DS with users from AD. Our plan is to build
>> and populate the database with entries from AD, and thereafter set up
>> Windows Sync to maintain the database.
>> I import the LDIF file using the ldif2db.pl perl script. One issue I've
>> come across is that the script finishes with "modifcation complete"
>> regardless of success or failure. How can I get the script to report errors?
>>
> That script just starts the task running in the server. You can check the
> error log for status. Or query the entry (using ldapsearch) whose DN
> ldif2db.pl prints out.
>
>> Or are there maybe smarter ways of importing LDIF files on the command
>> line?
>>
> You can use ldif2db but you can only use that if the server is not running.
>
>> Furthermore, are there any issues with AD LDIF import I should be aware
>> of?
>>
> You mean, exporting an LDIF from AD and importing it directly into Fedora
> DS? Or vice versa? If you are going to use the Fedora DS AD Sync feature,
> you should let Fedora DS do the initial sync - do not attempt to manually
> export/import from AD to Fedora DS. I'm almost certain it will not work
> without heavy data massaging.
>
>> Regards,
>> kenneho

From rmeggins at redhat.com Fri Jun 6 15:00:33 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 06 Jun 2008 09:00:33 -0600
Subject: [Fedora-directory-users] password incorrect or directory problem
In-Reply-To: <48489719.5070503@gmail.com>
References: <4848783C.5040602@redhat.com> <48489719.5070503@gmail.com>
Message-ID: <48495111.2000007@redhat.com>

sigid at JINLab wrote:
> Rich Megginson wrote:
>> beto .. wrote:
>>>
>>> *When I start fedora-idm-console i get this message: password
>>> incorrect or directory problem
>>> any solution for this problem? Help me please!
>>> *
>> fedora-idm-console -D 9 -f console.log
>> Then check console.log
>
> It seems like an http response timeout problem, but my web server has
> been running well.

Open a web browser on the same machine (the same machine from which you are attempting to run the console) and try to go to url http://jstsvr3:7749/admin-serv/authenticate

> here is my console.log
> =====================
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
>
https://www.redhat.com/mailman/listinfo/fedora-directory-users

From iferreir at personal.com.py Fri Jun 6 21:52:48 2008
From: iferreir at personal.com.py (Ivan Ferreira)
Date: Fri, 6 Jun 2008 17:52:48 -0400
Subject: [Fedora-directory-users] fedora on production enviroment
In-Reply-To: <194a2c240806040524s43eaf840qe3e9d65f00334c3d@mail.gmail.com>
Message-ID:

1. Is fedora-ds ready and stable to work on productions servers?

In my opinion, yes. I use it for most production users, but I keep some critical users local, such as the users used by applications to start services; take oracle as one example.

2. If you have to do this migration of users, do you think in fedora-ds as a ldap server or think in another directory services?

I would consider Fedora or Red Hat directory server and SUN Directory Server.

"Israel Garcia"
fedora-directory-users-bounces at redhat.com
04/06/2008 08:24 a.m.
Please reply to: "General discussion list for the Fedora Directory server project."

To: "General discussion list for the Fedora Directory server project."
cc:
Subject: [Fedora-directory-users] fedora on production enviroment
Classification: Internal use

Hi everybody,

I have to migrate several users from productions serves to a ldap server.. I have some questions?

1. Is fedora-ds ready and stable to work on productions servers?
2. If you have to do this migration of users, do you think in fedora-ds as a ldap server or think in another directory services?

thanks in advance

Regards;
Israel Garcia

From marco.strullato at gmail.com Mon Jun 9 13:07:14 2008
From: marco.strullato at gmail.com (Marco Strullato)
Date: Mon, 9 Jun 2008 15:07:14 +0200
Subject: [Fedora-directory-users] server fails to start
Message-ID:

Hi all, last year I set up an authentication system based on two fedora ds servers set up with multimaster replica.

Now a node is down: from errors I have

[09/Jun/2008:15:04:07 +0200] - Fedora-Directory/1.0.4 B2006.312.1539 starting up
[09/Jun/2008:15:04:07 +0200] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[09/Jun/2008:15:04:07 +0200] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES [09/Jun/2008:15:04:07 +0200] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init [09/Jun/2008:15:04:07 +0200] - Failed to initialize cipher AES in attrcrypt_init [09/Jun/2008:15:04:07 +0200] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES [09/Jun/2008:15:04:07 +0200] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init [09/Jun/2008:15:04:07 +0200] - Failed to initialize cipher AES in attrcrypt_init I mean, the only thing I did is moving the node from a hypervisor to another (it's a virtual machine) >From logs I read that there's a problem with keys but I really don't know what to check. What do you suggest? Thanks Marco Strullato -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Mon Jun 9 14:39:53 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 09 Jun 2008 08:39:53 -0600 Subject: [Fedora-directory-users] server fails to start In-Reply-To: References: Message-ID: <484D40B9.4090706@redhat.com> Marco Strullato wrote: > Hi all, last year I set up a authentication system based on two fedora > ds server set up with multimaster replica. > > Now a node is down:from errors I have > [09/Jun/2008:15:04:07 +0200] - Fedora-Directory/1.0.4 B2006.312.1539 > starting up > [09/Jun/2008:15:04:07 +0200] - Detected Disorderly Shutdown last time > Directory Server was running, recovering database. 
> [09/Jun/2008:15:04:07 +0200] - attrcrypt_unwrap_key: failed to unwrap
> key for cipher AES
> [09/Jun/2008:15:04:07 +0200] - Failed to retrieve key for cipher AES
> in attrcrypt_cipher_init
> [09/Jun/2008:15:04:07 +0200] - Failed to initialize cipher AES in
> attrcrypt_init
> [09/Jun/2008:15:04:07 +0200] - attrcrypt_unwrap_key: failed to unwrap
> key for cipher AES
> [09/Jun/2008:15:04:07 +0200] - Failed to retrieve key for cipher AES
> in attrcrypt_cipher_init
> [09/Jun/2008:15:04:07 +0200] - Failed to initialize cipher AES in
> attrcrypt_init
>
>
> I mean, the only thing I did is moving the node from a hypervisor to
> another (it's a virtual machine)
>
> From logs I read that there's a problem with keys but I really don't
> know what to check. What do you suggest?

I think those attrcrypt failures are benign. What other problems do you have?

>
> Thanks
>
> Marco Strullato

From marco.strullato at gmail.com Mon Jun 9 15:02:50 2008
From: marco.strullato at gmail.com (Marco Strullato)
Date: Mon, 9 Jun 2008 17:02:50 +0200
Subject: [Fedora-directory-users] server fails to start
In-Reply-To: <484D40B9.4090706@redhat.com>
References: <484D40B9.4090706@redhat.com>
Message-ID:

> I think those attrcrypt failures are benign. What other problems do you have?

Simply the server doesn't start. Here the output of this command

./ns-slapd -d 3 -D /opt/fedora-ds/slapd-vm02 -i /opt/fedora-ds/slapd-vm02/logs/pid -w /opt/fedora-ds/slapd-vm02/logs/startpid 2> /tmp/err

I hope you can receive the attachment.

Thanks

Marco
-------------- next part --------------
A non-text attachment was scrubbed...
Name: err.gz
Type: application/x-gzip
Size: 9193 bytes
Desc: not available
URL:

From rmeggins at redhat.com Mon Jun 9 15:33:00 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 09 Jun 2008 09:33:00 -0600
Subject: [Fedora-directory-users] server fails to start
In-Reply-To:
References: <484D40B9.4090706@redhat.com>
Message-ID: <484D4D2C.2030601@redhat.com>

Marco Strullato wrote:
>> I think those attrcrypt failures are benign. What other problems do you have?
>>
>
> Simply the server doesn't start. Here the output of this command
> ./ns-slapd -d 3 -D /opt/fedora-ds/slapd-vm02 -i
> /opt/fedora-ds/slapd-vm02/logs/pid -w
> /opt/fedora-ds/slapd-vm02/logs/startpid 2> /tmp/err
>
>
> I hope you can receive the attachment.
>

Yes. The last thing I see is "Checkpointing database..." - if for some reason the database was corrupted or had a lot of recovery to do, for whatever reason, it may take a long time to recover at startup. I don't see anything after the checkpointing message which would indicate the server ran into an error and exited unexpectedly.

Either the server is running into an exceptional condition which causes it to exit without reporting, or it is crashing. For the former, strace would show that the server is calling exit(). For the latter, try increasing the core file size - ulimit -c unlimited - then look for files called core.*

>
> Thanks
>
> Marco
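
Added example, not part of the original thread and not Fedora DS project code: a shell sketch of the exit-versus-crash check described in the reply above, run over a constructed strace capture. The PIDs, the sample trace and the function names are assumptions, and the termination markers are those printed by current strace releases.

```shell
#!/bin/sh
# Decide whether a traced server called exit() itself or was killed by a
# signal, from a capture such as (paths are the poster's, -f/-o are strace's):
#   strace -f -o /tmp/slapd.strace ./ns-slapd -d 3 -D /opt/fedora-ds/slapd-vm02 ...

# write_sample_trace FILE: constructed sample with four traced PIDs.
write_sample_trace() {
    cat > "$1" <<'EOF'
4242 write(2, "Checkpointing database ...\n", 27) = 27
4242 exit_group(1)                     = ?
4242 +++ exited with 1 +++
4243 --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
4243 +++ killed by SIGSEGV (core dumped) +++
4244 --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
4244 +++ killed by SIGSEGV +++
4245 fdatasync(7 <unfinished ...>
EOF
}

# classify_strace FILE: print "PID verdict" per traced PID, sorted by PID.
#   exit:<status>   the process called exit()/exit_group()
#   core:<SIGNAL>   killed by a signal, core file written
#   signal:<SIGNAL> killed by a signal, no core file written
#   unknown         no termination record (still running or trace cut short)
classify_strace() {
    awk '
        NF == 0 { next }
        $2 == "+++" && $3 == "exited" && $4 == "with" {
            verdict[$1] = "exit:" $5
            next
        }
        $2 == "+++" && $3 == "killed" && $4 == "by" {
            verdict[$1] = (index($0, "(core dumped)") ? "core:" : "signal:") $5
            next
        }
        !($1 in verdict) { verdict[$1] = "unknown" }
        END { for (pid in verdict) print pid, verdict[pid] }
    ' "$1" | sort -n
}

# next_step VERDICT: map a verdict to the follow-up suggested in the thread.
next_step() {
    case "$1" in
        exit:*)
            echo "called exit() with status ${1#exit:}; read the syscalls just before exit_group in the trace" ;;
        core:*)
            echo "crashed on ${1#core:}; look for core.* files and open them in a debugger" ;;
        signal:*)
            echo "killed by ${1#signal:} with no core; for a fault signal run 'ulimit -c unlimited' in the starting shell and reproduce" ;;
        *)
            echo "no termination record; the process was still running (for example a long recovery) or the trace was cut short" ;;
    esac
}

# diagnose FILE: one line per PID with verdict and suggested next step.
diagnose() {
    classify_strace "$1" | while read -r pid verdict; do
        printf '%s %s: %s\n' "$pid" "$verdict" "$(next_step "$verdict")"
    done
}

# Demo on the constructed sample.
trace=$(mktemp) && write_sample_trace "$trace" && diagnose "$trace"
rm -f "$trace"
```
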

From siedler at hrd-asia.com Mon Jun 9 16:12:16 2008
From: siedler at hrd-asia.com (Wolf Siedler)
Date: Mon, 09 Jun 2008 23:12:16 +0700
Subject: [Fedora-directory-users] Remote console fails for access to Fedora-DS 1.1
Message-ID: <484D5660.5070904@hrd-asia.com>

Hi,

I am rather new to Fedora Directory Server. Nevertheless, version 1.0 worked very nicely for me, so that I decided to upgrade to version 1.1.

Unfortunately, since the upgrade console access to the directory server doesn't work anymore, only to the administration server.
Previously, the combination RHEL5.1 + Sun-JDK 1.5.0_14 + FDS 1.04 (directory) vs. Fedora7 + Sun-JDK 1.5.0_14 + FDS 1.04 (remote console) worked smoothly.
The upgrade to FDS 1.1 was done through the migration script as per instruction and - according to the logfile - the directory server was successfully migrated.

Current setup:
The directory is running on RHEL 5.1 + Sun-JDK 1.5.0_14, FDS component levels are as follows:
fedora-idm-console-1.1.1-1.fc6
fedora-ds-base-1.1.0-3.fc6
fedora-ds-console-1.1.1-2.fc6
fedora-ds-admin-1.1.2-2.fc6
fedora-ds-admin-console-1.1.1-2.fc6

The remote console should run on Fedora 7 + Sun-JDK 1.5.0_14, with these FDS component levels:
fedora-idm-console-1.1.1-1.fc6
fedora-ds-base-1.1.1-1.fc7
fedora-ds-console-1.1.1-2.fc6
fedora-ds-admin-1.1.4-1.fc7
fedora-ds-admin-console-1.1.1-2.fc6

I can open the remote console and proceed on tab "Servers and Applications" to example - admin01.example.com - Server Group

Below that, two entries are listed:
- Administration Server
- Directory Server (admin01)

I can click on "Administration Server" and get the option to open it.
However, when clicking on "Directory Server", the console seems to freeze (apparently ending in a Java exception). I am attaching the log information below.
What surprised me at first glance are the many references to a fedora-ds-1.0.jar.

I even tried to use the console strictly locally on the directory server (by VNC), but the console logon screen didn't accept any password entry, thus not even allowing me to log on.

Can anybody advise me what is going wrong here? I suppose I am experiencing a configuration error, but I don't know where to start looking.

Needless to say, any advice would be highly appreciated!

Regards,
Wolf
===console log below===
Instantiate cn=slapd-admin01, cn=Fedora Directory Server, cn=Server Group, cn=admin01.hrd-asia.com, ou=hrd-asia.com, o=NetscapeRoot
ResourceSet: found in cache loader20120943:com.netscape.management.client.console.console
TRACE ConsoleInfo.clone: tracking cloning of ConsoleInfo for performance tuning
ResourceSet: found in cache loader20120943:com.netscape.management.client.console.console
ClassLoader: getLocalJarList():Unable to read /home/wjstp/.fedora-idm-console/jars/ directory
ResourceSet: found in cache loader20120943:com.netscape.management.client.components.components
ResourceSet: found in cache loader20120943:com.netscape.management.client.components.components
RemoteImage: NOT found in cache loader20120943:com/netscape/management/client/components/images/upArrow.gif
RemoteImage: NOT found in cache loader20120943:com/netscape/management/client/components/images/downArrow.gif
RemoteImage: NOT found in cache loader20120943:com/netscape/management/client/components/images/leftArrow.gif
RemoteImage: NOT found in cache loader20120943:com/netscape/management/client/components/images/rightArrow.gif
ClassLoaderUtil.getClass(com.netscape.admin.dirserv.DSAdmin at fedora-ds-1.0.jar@cn=admin-serv-admin01, cn=Fedora Administration Server, cn=Server Group, cn=admin01.hrd-asia.com, ou=hrd-asia.com, o=NetscapeRoot)
ClassLoader: getLocalJarList():Unable to read /home/wjstp/.fedora-idm-console/jars/ directory
ClassLoader: checkJarAvailability():sie is cn=admin-serv-admin01, cn=Fedora Administration Server, cn=Server Group, cn=admin01.hrd-asia.com, ou=hrd-asia.com, o=NetscapeRoot
ClassLoader: checkJarAvailability():reading cn=Configuration,cn=admin-serv-admin01, cn=Fedora Administration Server, cn=Server Group, cn=admin01.hrd-asia.com, ou=hrd-asia.com, o=NetscapeRoot
HttpManager> I/O buffer size set to 32768
ClassLoader: loadJarFile(): attempting to download https://admin01.hrd-asia.com:20126/java/jars/fedora-ds-1.0.jar
CommManager> New CommRecord (https://admin01.hrd-asia.com:20126/java/jars/fedora-ds-1.0.jar)
CREATE JSS SSLSocket
https://admin01.hrd-asia.com:20126/[1:0] open> Ready
https://admin01.hrd-asia.com:20126/[1:0] accept> https://admin01.hrd-asia.com:20126/java/jars/fedora-ds-1.0.jar
https://admin01.hrd-asia.com:20126/[1:0] send> GET \
https://admin01.hrd-asia.com:20126/[1:0] send> /java/jars/fedora-ds-1.0.jar \
https://admin01.hrd-asia.com:20126/[1:0] send> HTTP/1.0
https://admin01.hrd-asia.com:20126/[1:0] send> Host: admin01.hrd-asia.com:20126
https://admin01.hrd-asia.com:20126/[1:0] send> Connection: Keep-Alive
https://admin01.hrd-asia.com:20126/[1:0] send> User-Agent: Fedora-Management-Console/1.1.1
https://admin01.hrd-asia.com:20126/[1:0] send> Accept-Language: en
https://admin01.hrd-asia.com:20126/[1:0] send> Authorization: Basic \
https://admin01.hrd-asia.com:20126/[1:0] send> dWlkPWRzYWRtaW4sIG91PUFkbWluaXN0cmF0b3JzLCBvdT1Ub3BvbG9neU1hbmFnZW1lbnQsIG89TmV0c2NhcGVSb290OmFkbWluQDE0 \
https://admin01.hrd-asia.com:20126/[1:0] send>
https://admin01.hrd-asia.com:20126/[1:0] send>
https://admin01.hrd-asia.com:20126/[1:0] recv> HTTP/1.1 404 Not Found
https://admin01.hrd-asia.com:20126/[1:0] error> HttpException:
Response: HTTP/1.1 404 Not Found
Status: 404
URL: https://admin01.hrd-asia.com:20126/java/jars/fedora-ds-1.0.jar
https://admin01.hrd-asia.com:20126/[1:0] close i/o stream
https://admin01.hrd-asia.com:20126/[1:0] close socket
https://admin01.hrd-asia.com:20126/[1:0] close> Closed
ClassLoader: loadJarFile(): HttpException:
Response: HTTP/1.1 404 Not Found
Status: 404
URL: https://admin01.hrd-asia.com:20126/java/jars/fedora-ds-1.0.jar
HttpManager> I/O buffer size set to 32768
ClassLoader: loadJarFile(): attempting to download https://admin01.hrd-asia.com:20126/java/fedora-ds-1.0.jar
CommManager> New CommRecord (https://admin01.hrd-asia.com:20126/java/fedora-ds-1.0.jar)
<...>
ClassLoader: getJarFile():Unable to download https://admin01.hrd-asia.com:20126/java/fedora-ds-1.0_en.jar
ClassLoader: No language file for fedora-ds-1.0.jar found on local disk, lang=en
ClassLoader: classes.env found in fedora-ds-1.0.jar
ClassLoader: manifest loaded for fedora-ds-1.0.jar
ClassLoader: manifest: 0 entries found
ClassLoader: new LocalJarClassLoader fedora-ds-1.0.jar:{fedora-ds-1.0.jar }
ClassLoader: Create loader fedora-ds-1.0.jar
ClassLoader: :loadClass():name:com.netscape.admin.dirserv.DSAdmin
ClassLoader: :loadClass():loading:com.netscape.admin.dirserv.DSAdmin
ClassLoader: com/netscape/admin/dirserv/DSAdmin.class found in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:com.netscape.admin.dirserv.IAuthenticationChangeListener
ClassLoader: :loadClass():loading:com.netscape.admin.dirserv.IAuthenticationChangeListener
ClassLoader: com/netscape/admin/dirserv/IAuthenticationChangeListener.class found in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:java.lang.Object
ClassLoader: :loadClass():name:com.netscape.management.client.IMenuInfo
ClassLoader: :loadClass():loading:com.netscape.management.client.IMenuInfo
ClassLoader: com/netscape/management/client/IMenuInfo.class NOT in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:com.netscape.management.client.topology.IRemovableServerObject
ClassLoader: :loadClass():loading:com.netscape.management.client.topology.IRemovableServerObject
ClassLoader: com/netscape/management/client/topology/IRemovableServerObject.class NOT in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:com.netscape.management.client.topology.AbstractServerObject
ClassLoader: :loadClass():loading:com.netscape.management.client.topology.AbstractServerObject
ClassLoader: com/netscape/management/client/topology/AbstractServerObject.class NOT in fedora-ds-1.0.jar
ClassLoader: :loadClass():resolving com.netscape.admin.dirserv.DSAdmin
ClassLoader: :loadClass():name:javax.swing.Icon
ClassLoader: :loadClass():loading:javax.swing.Icon
ClassLoader: javax/swing/Icon.class NOT in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:java.lang.Throwable
ClassLoader: :loadClass():name:java.lang.Exception
ClassLoader: :loadClass():name:netscape.ldap.LDAPConnection
ClassLoader: :loadClass():loading:netscape.ldap.LDAPConnection
ClassLoader: netscape/ldap/LDAPConnection.class NOT in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:netscape.ldap.LDAPException
ClassLoader: :loadClass():loading:netscape.ldap.LDAPException
ClassLoader: netscape/ldap/LDAPException.class NOT in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:java.lang.String
ClassLoader: :loadClass():name:com.netscape.management.client.IFrameworkInitializer
ClassLoader: :loadClass():loading:com.netscape.management.client.IFrameworkInitializer
ClassLoader: com/netscape/management/client/IFrameworkInitializer.class NOT in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:javax.swing.JFrame
ClassLoader: :loadClass():loading:javax.swing.JFrame
ClassLoader: javax/swing/JFrame.class NOT in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:com.netscape.admin.dirserv.DSFramework
ClassLoader: :loadClass():loading:com.netscape.admin.dirserv.DSFramework
ClassLoader: com/netscape/admin/dirserv/DSFramework.class found in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:com.netscape.management.client.Framework
ClassLoader: :loadClass():loading:com.netscape.management.client.Framework
ClassLoader: com/netscape/management/client/Framework.class NOT in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:com.netscape.management.client.preferences.IPreferencesTab
ClassLoader: :loadClass():loading:com.netscape.management.client.preferences.IPreferencesTab
ClassLoader: com/netscape/management/client/preferences/IPreferencesTab.class NOT in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:java.awt.event.ActionListener
ClassLoader: :loadClass():name:java.awt.event.MouseListener
ClassLoader: :loadClass():name:com.netscape.management.client.IStatusItem
ClassLoader: :loadClass():loading:com.netscape.management.client.IStatusItem
ClassLoader: com/netscape/management/client/IStatusItem.class NOT in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:java.awt.Component
ClassLoader: :loadClass():name:java.lang.Float
ClassLoader: :loadClass():name:com.netscape.admin.dirserv.task.CGITask
ClassLoader: :loadClass():loading:com.netscape.admin.dirserv.task.CGITask
ClassLoader: com/netscape/admin/dirserv/task/CGITask.class found in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:com.netscape.management.client.comm.CommClient
ClassLoader: :loadClass():loading:com.netscape.management.client.comm.CommClient
ClassLoader: com/netscape/management/client/comm/CommClient.class NOT in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:com.netscape.management.client.TaskObject
ClassLoader: :loadClass():loading:com.netscape.management.client.TaskObject
ClassLoader: com/netscape/management/client/TaskObject.class NOT in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:com.netscape.admin.dirserv.task.Remove
ClassLoader: :loadClass():loading:com.netscape.admin.dirserv.task.Remove
ClassLoader: com/netscape/admin/dirserv/task/Remove.class found in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:java.lang.Thread
ClassLoader: :loadClass():name:com.netscape.admin.dirserv.DSAdmin$3
ClassLoader: :loadClass():loading:com.netscape.admin.dirserv.DSAdmin$3
ClassLoader: com/netscape/admin/dirserv/DSAdmin$3.class found in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:com.netscape.management.client.preferences.PreferenceManager
ClassLoader: :loadClass():loading:com.netscape.management.client.preferences.PreferenceManager
ClassLoader: com/netscape/management/client/preferences/PreferenceManager.class NOT in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:com.netscape.management.client.preferences.Preferences
ClassLoader: :loadClass():loading:com.netscape.management.client.preferences.Preferences
ClassLoader: com/netscape/management/client/preferences/Preferences.class NOT in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:com.netscape.admin.dirserv.panel.BlankPanel
ClassLoader: :loadClass():loading:com.netscape.admin.dirserv.panel.BlankPanel
ClassLoader: com/netscape/admin/dirserv/panel/BlankPanel.class found in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:javax.swing.event.DocumentListener
ClassLoader: :loadClass():loading:javax.swing.event.DocumentListener
ClassLoader: javax/swing/event/DocumentListener.class NOT in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:java.awt.event.ItemListener
ClassLoader: :loadClass():name:javax.swing.event.ChangeListener
ClassLoader: :loadClass():loading:javax.swing.event.ChangeListener
ClassLoader: javax/swing/event/ChangeListener.class NOT in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:javax.swing.event.ListSelectionListener
ClassLoader: :loadClass():loading:javax.swing.event.ListSelectionListener
ClassLoader: javax/swing/event/ListSelectionListener.class NOT in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:com.netscape.admin.dirserv.IDSResourceSelectionListener
ClassLoader: :loadClass():loading:com.netscape.admin.dirserv.IDSResourceSelectionListener
ClassLoader: com/netscape/admin/dirserv/IDSResourceSelectionListener.class found in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:javax.swing.JPanel
ClassLoader: :loadClass():loading:javax.swing.JPanel
ClassLoader: javax/swing/JPanel.class NOT in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:javax.swing.JComponent
ClassLoader: :loadClass():loading:javax.swing.JComponent
ClassLoader: javax/swing/JComponent.class NOT in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:java.awt.Container
ClassLoader: :loadClass():name:javax.swing.JLabel
ClassLoader: :loadClass():loading:javax.swing.JLabel
ClassLoader: javax/swing/JLabel.class NOT in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:java.awt.LayoutManager
ClassLoader: :loadClass():name:java.lang.IllegalStateException
ClassLoader: :loadClass():name:javax.swing.border.Border
ClassLoader: :loadClass():loading:javax.swing.border.Border
ClassLoader: javax/swing/border/Border.class NOT in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:javax.swing.JScrollPane
ClassLoader: :loadClass():loading:javax.swing.JScrollPane
ClassLoader: javax/swing/JScrollPane.class NOT in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:com.netscape.management.client.util.Debug
ClassLoader: :loadClass():loading:com.netscape.management.client.util.Debug
ClassLoader: com/netscape/management/client/util/Debug.class NOT in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:java.awt.Color
ClassLoader: :loadClass():name:java.util.Vector
DSAdmin.DSAdmin: constructor
ClassLoader: :loadClass():name:java.lang.StringBuilder
DSAdmin.initialize(): _removed=false info=ConsoleInfo(admin01.hrd-asia.com, 389, uid=dsadmin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot, admin at 14, o=NetscapeRoot) _info=null
ClassLoader: :loadClass():name:com.netscape.management.client.util.UtilConsoleGlobals
ClassLoader: :loadClass():loading:com.netscape.management.client.util.UtilConsoleGlobals
ClassLoader: com/netscape/management/client/util/UtilConsoleGlobals.class NOT in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:com.netscape.management.client.console.VersionInfo
ClassLoader: :loadClass():loading:com.netscape.management.client.console.VersionInfo
ClassLoader: com/netscape/management/client/console/VersionInfo.class NOT in fedora-ds-1.0.jar
JButtonFactory: button width = 90
JButtonFactory: button height = 19
JButtonFactory: button width = 72
JButtonFactory: button height = 19
Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException
    at com.netscape.management.client.topology.AbstractServerObject.getNodeDataCount(Unknown Source)
    at com.netscape.management.client.topology.NodeDataPanel.createPanel(Unknown Source)
    at com.netscape.management.client.topology.NodeDataPanel.(Unknown Source)
    at com.netscape.management.client.topology.NodeDataPanel.(Unknown Source)
    at com.netscape.management.client.topology.AbstractServerObject.getCustomPanel(Unknown Source)
    at com.netscape.management.client.topology.ServerNode.reload(Unknown Source)
    at com.netscape.management.client.topology.ServerNode.getCustomPanel(Unknown Source)
    at com.netscape.management.client.ResourceModel.getCustomPanel(Unknown Source)
    at com.netscape.management.client.ResourcePage.valueChanged(Unknown Source)
    at javax.swing.JTree.fireValueChanged(JTree.java:2399)
    at javax.swing.JTree$TreeSelectionRedirector.valueChanged(JTree.java:2770)
    at javax.swing.tree.DefaultTreeSelectionModel.fireValueChanged(DefaultTreeSelectionModel.java:629)
    at javax.swing.tree.DefaultTreeSelectionModel.notifyPathChange(DefaultTreeSelectionModel.java:1078)
    at javax.swing.tree.DefaultTreeSelectionModel.setSelectionPaths(DefaultTreeSelectionModel.java:287)
    at javax.swing.tree.DefaultTreeSelectionModel.setSelectionPath(DefaultTreeSelectionModel.java:170)
    at javax.swing.JTree.setSelectionPath(JTree.java:1174)
    at javax.swing.plaf.basic.BasicTreeUI.selectPathForEvent(BasicTreeUI.java:2296)
    at javax.swing.plaf.basic.BasicTreeUI$Handler.handleSelectionImpl(BasicTreeUI.java:3509)
    at javax.swing.plaf.basic.BasicTreeUI$Handler.handleSelection(BasicTreeUI.java:3484)
    at javax.swing.plaf.basic.BasicTreeUI$Handler.mousePressed(BasicTreeUI.java:3465)
    at java.awt.AWTEventMulticaster.mousePressed(AWTEventMulticaster.java:222)
    at java.awt.AWTEventMulticaster.mousePressed(AWTEventMulticaster.java:221)
    at java.awt.Component.processMouseEvent(Component.java:5514)
    at javax.swing.JComponent.processMouseEvent(JComponent.java:3135)
    at java.awt.Component.processEvent(Component.java:5282)
    at java.awt.Container.processEvent(Container.java:1966)
    at java.awt.Component.dispatchEventImpl(Component.java:3984)
    at java.awt.Container.dispatchEventImpl(Container.java:2024)
    at java.awt.Component.dispatchEvent(Component.java:3819)
    at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4212)
    at java.awt.LightweightDispatcher.processMouseEvent(Container.java:3889)
    at java.awt.LightweightDispatcher.dispatchEvent(Container.java:3822)
    at java.awt.Container.dispatchEventImpl(Container.java:2010)
    at java.awt.Window.dispatchEventImpl(Window.java:1791)
    at java.awt.Component.dispatchEvent(Component.java:3819)
    at java.awt.EventQueue.dispatchEvent(EventQueue.java:463)
    at java.awt.EventDispatchThread.pumpOneEventForHierarchy(EventDispatchThread.java:242)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:163)
    at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:157)
    at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:149)
    at java.awt.EventDispatchThread.run(EventDispatchThread.java:110)

From rmeggins at redhat.com Mon Jun 9 23:34:26 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 09 Jun 2008 17:34:26 -0600
Subject: [Fedora-directory-users] Remote console fails for access to Fedora-DS 1.1
In-Reply-To: <484D5660.5070904@hrd-asia.com>
References: <484D5660.5070904@hrd-asia.com>
Message-ID: <484DBE02.2000300@redhat.com>

Wolf Siedler wrote:
> Hi,
>
> I am rather new to Fedora Directory Server. Nevertheless, version
> 1.0 worked very nicely for me, so that I decided to upgrade to version 1.1.
>
> Unfortunately, since the upgrade console access to the directory server
> doesn't work anymore, only to the administration server.
> Previously, the combination RHEL5.1 + Sun-JDK 1.5.0_14 + FDS 1.04
> (directory) vs. Fedora7 + Sun-JDK 1.5.0_14 + FDS 1.04 (remote console)
> worked smoothly.
> The upgrade to FDS 1.1 was done through the migration script as per
> instruction and - according to the logfile - the directory server was
> successfully migrated.
>
> Current setup:
> The directory is running on RHEL 5.1 + Sun-JDK 1.5.0_14, FDS component
> levels are as follows:
> fedora-idm-console-1.1.1-1.fc6
> fedora-ds-base-1.1.0-3.fc6
> fedora-ds-console-1.1.1-2.fc6
> fedora-ds-admin-1.1.2-2.fc6
> fedora-ds-admin-console-1.1.1-2.fc6
>
> The remote console should run on Fedora 7 + Sun-JDK 1.5.0_14, with
> these FDS component levels:
> fedora-idm-console-1.1.1-1.fc6
> fedora-ds-base-1.1.1-1.fc7
> fedora-ds-console-1.1.1-2.fc6
> fedora-ds-admin-1.1.4-1.fc7
> fedora-ds-admin-console-1.1.1-2.fc6
>
> I can open the remote console and proceed on tab "Servers and
> Applications" to example - admin01.example.com - Server Group
>
> Below that, two entries are listed:
> - Administration Server
> - Directory Server (admin01)
>
> I can click on "Administration Server" and get the option to open it.
> However, when clicking on "Directory Server", the console seems to
> freeze (apparently ending in a Java exception). I am attaching the log
> information below.
> What surprised me at first glance are the many references to a
> fedora-ds-1.0.jar.
>
> I even tried to use the console strictly locally on the directory
> server (by VNC), but the console logon screen didn't accept any
> password entry, thus not even allowing me to log on.
>
> Can anybody advise me what is going wrong here? I suppose I am
> experiencing a configuration error, but I don't know where to start
> looking.
>
> Needless to say, any advice would be highly appreciated!

I suspect this has something to do with https://bugzilla.redhat.com/show_bug.cgi?id=431103

For the first step, take a look at the access log from the configuration DS beginning from when you launched the console - look for err=32 in the results.
>
> Regards,
> Wolf
> ===console log below===
javax/swing/JComponent.class NOT in fedora-ds-1.0.jar > ClassLoader: :loadClass():name:java.awt.Container > ClassLoader: :loadClass():name:javax.swing.JLabel > ClassLoader: :loadClass():loading:javax.swing.JLabel > ClassLoader: javax/swing/JLabel.class NOT in fedora-ds-1.0.jar > ClassLoader: :loadClass():name:java.awt.LayoutManager > ClassLoader: :loadClass():name:java.lang.IllegalStateException > ClassLoader: :loadClass():name:javax.swing.border.Border > ClassLoader: :loadClass():loading:javax.swing.border.Border > ClassLoader: javax/swing/border/Border.class NOT in fedora-ds-1.0.jar > ClassLoader: :loadClass():name:javax.swing.JScrollPane > ClassLoader: :loadClass():loading:javax.swing.JScrollPane > ClassLoader: javax/swing/JScrollPane.class NOT in fedora-ds-1.0.jar > ClassLoader: :loadClass():name:com.netscape.management.client.util.Debug > ClassLoader: > :loadClass():loading:com.netscape.management.client.util.Debug > ClassLoader: com/netscape/management/client/util/Debug.class NOT in > fedora-ds-1.0.jar > ClassLoader: :loadClass():name:java.awt.Color > ClassLoader: :loadClass():name:java.util.Vector > DSAdmin.DSAdmin: constructor > ClassLoader: :loadClass():name:java.lang.StringBuilder > DSAdmin.initialize(): _removed=false > info=ConsoleInfo(admin01.hrd-asia.com, 389, uid=dsadmin, > ou=Administrators, ou=TopologyManagement, o=NetscapeRoot, admin at 14, > o=NetscapeRoot) _info=null > ClassLoader: > :loadClass():name:com.netscape.management.client.util.UtilConsoleGlobals > ClassLoader: > :loadClass():loading:com.netscape.management.client.util.UtilConsoleGlobals > > ClassLoader: > com/netscape/management/client/util/UtilConsoleGlobals.class NOT in > fedora-ds-1.0.jar > ClassLoader: > :loadClass():name:com.netscape.management.client.console.VersionInfo > ClassLoader: > :loadClass():loading:com.netscape.management.client.console.VersionInfo > ClassLoader: com/netscape/management/client/console/VersionInfo.class > NOT in fedora-ds-1.0.jar > JButtonFactory: button 
width = 90 > JButtonFactory: button height = 19 > JButtonFactory: button width = 72 > JButtonFactory: button height = 19 > Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException > at > com.netscape.management.client.topology.AbstractServerObject.getNodeDataCount(Unknown > > Source) > at > com.netscape.management.client.topology.NodeDataPanel.createPanel(Unknown > Source) > at > com.netscape.management.client.topology.NodeDataPanel.(Unknown > Source) > at > com.netscape.management.client.topology.NodeDataPanel.(Unknown > Source) > at > com.netscape.management.client.topology.AbstractServerObject.getCustomPanel(Unknown > > Source) > at com.netscape.management.client.topology.ServerNode.reload(Unknown > Source) > at > com.netscape.management.client.topology.ServerNode.getCustomPanel(Unknown > Source) > at > com.netscape.management.client.ResourceModel.getCustomPanel(Unknown > Source) > at > com.netscape.management.client.ResourcePage.valueChanged(Unknown Source) > at javax.swing.JTree.fireValueChanged(JTree.java:2399) > at > javax.swing.JTree$TreeSelectionRedirector.valueChanged(JTree.java:2770) > at > javax.swing.tree.DefaultTreeSelectionModel.fireValueChanged(DefaultTreeSelectionModel.java:629) > > at > javax.swing.tree.DefaultTreeSelectionModel.notifyPathChange(DefaultTreeSelectionModel.java:1078) > > at > javax.swing.tree.DefaultTreeSelectionModel.setSelectionPaths(DefaultTreeSelectionModel.java:287) > > at > javax.swing.tree.DefaultTreeSelectionModel.setSelectionPath(DefaultTreeSelectionModel.java:170) > > at javax.swing.JTree.setSelectionPath(JTree.java:1174) > at > javax.swing.plaf.basic.BasicTreeUI.selectPathForEvent(BasicTreeUI.java:2296) > > at > javax.swing.plaf.basic.BasicTreeUI$Handler.handleSelectionImpl(BasicTreeUI.java:3509) > > at > javax.swing.plaf.basic.BasicTreeUI$Handler.handleSelection(BasicTreeUI.java:3484) > > at > javax.swing.plaf.basic.BasicTreeUI$Handler.mousePressed(BasicTreeUI.java:3465) > > at > 
java.awt.AWTEventMulticaster.mousePressed(AWTEventMulticaster.java:222) > at > java.awt.AWTEventMulticaster.mousePressed(AWTEventMulticaster.java:221) > at java.awt.Component.processMouseEvent(Component.java:5514) > at javax.swing.JComponent.processMouseEvent(JComponent.java:3135) > at java.awt.Component.processEvent(Component.java:5282) > at java.awt.Container.processEvent(Container.java:1966) > at java.awt.Component.dispatchEventImpl(Component.java:3984) > at java.awt.Container.dispatchEventImpl(Container.java:2024) > at java.awt.Component.dispatchEvent(Component.java:3819) > at > java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4212) > at > java.awt.LightweightDispatcher.processMouseEvent(Container.java:3889) > at java.awt.LightweightDispatcher.dispatchEvent(Container.java:3822) > at java.awt.Container.dispatchEventImpl(Container.java:2010) > at java.awt.Window.dispatchEventImpl(Window.java:1791) > at java.awt.Component.dispatchEvent(Component.java:3819) > at java.awt.EventQueue.dispatchEvent(EventQueue.java:463) > at > java.awt.EventDispatchThread.pumpOneEventForHierarchy(EventDispatchThread.java:242) > > at > java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:163) > > at > java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:157) > at > java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:149) > at java.awt.EventDispatchThread.run(EventDispatchThread.java:110) > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... 
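The first step suggested in this thread is to search the configuration DS access log for err=32 (the LDAP noSuchObject result code). The script below is an added example, not part of the original messages or of Fedora DS: it pairs each RESULT line with its request through the shared conn=/op= values so the missing entry's DN is shown. The sample log lines, addresses and DNs are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the Fedora DS access-log layout. Every timestamp,
# address and DN below is made up for illustration.
SAMPLE_ACCESS_LOG = """\
[10/Jun/2008:09:30:01 +0700] conn=7 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.20
[10/Jun/2008:09:30:01 +0700] conn=7 op=0 BIND dn="uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" method=128 version=3
[10/Jun/2008:09:30:01 +0700] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[10/Jun/2008:09:30:02 +0700] conn=7 op=1 SRCH base="cn=example-present,o=NetscapeRoot" scope=0 filter="(objectClass=*)" attrs=ALL
[10/Jun/2008:09:30:02 +0700] conn=8 op=3 SRCH base="cn=example-missing,o=NetscapeRoot" scope=0 filter="(objectClass=*)" attrs=ALL
[10/Jun/2008:09:30:02 +0700] conn=7 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[10/Jun/2008:09:30:02 +0700] conn=8 op=3 RESULT err=32 tag=101 nentries=0 etime=0
[10/Jun/2008:09:30:03 +0700] conn=7 op=2 SRCH base="cn=example-missing,o=NetscapeRoot" scope=2 filter="(objectClass=*)" attrs=ALL
[10/Jun/2008:09:30:03 +0700] conn=7 op=2 RESULT err=32 tag=101 nentries=0 etime=0
[10/Jun/2008:09:30:04 +0700] conn=9 op=4 RESULT err=32 tag=101 nentries=0 etime=0
[10/Jun/2008:09:30:05 +0700] conn=7 op=3 UNBIND
[10/Jun/2008:09:30:05 +0700] conn=7 op=3 fd=64 closed - U1
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.+)$')
ERR_RE = re.compile(r'\berr=(\d+)\b')
TARGET_RE = re.compile(r'\b(?:base|dn)="([^"]*)"')


def find_results(log_text, err_code=32):
    """Return every RESULT with the given err code, joined to its request.

    Requests and results are separate lines that share conn= and op=, and
    lines from different connections interleave, so the join is on that pair.
    """
    pending = {}   # (conn, op) -> (verb, request text) awaiting its RESULT
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # e.g. "connection from" lines, which carry no op=
        key = (int(m.group("conn")), int(m.group("op")))
        rest = m.group("rest")
        verb = rest.split(" ", 1)[0]
        if verb != "RESULT":
            if verb.isalpha() and verb.isupper():  # BIND, SRCH, MOD, ...
                pending[key] = (verb, rest)
            continue
        request = pending.pop(key, None)
        err = ERR_RE.search(rest)
        if err is None or int(err.group(1)) != err_code:
            continue
        operation = target = None
        if request is not None:
            operation = request[0]
            found = TARGET_RE.search(request[1])
            target = found.group(1) if found else None
        hits.append({"time": m.group("ts"), "conn": key[0], "op": key[1],
                     "operation": operation, "target": target})
    return hits


def summarize(hits):
    """Count hits per (operation, target) so repeated misses stand out."""
    return Counter((h["operation"], h["target"]) for h in hits)


if __name__ == "__main__":
    misses = find_results(SAMPLE_ACCESS_LOG)
    for h in misses:
        print("%s conn=%d op=%d %s %s" % (
            h["time"], h["conn"], h["op"], h["operation"] or "?",
            h["target"] or "(request not in this log)"))
    for (operation, target), count in summarize(misses).most_common():
        print(count, operation, target)
```

A RESULT whose request line is absent (for example after log rotation) is still reported, with the operation and target left empty.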
From siedler at hrd-asia.com Tue Jun 10 02:34:23 2008
From: siedler at hrd-asia.com (Wolf Siedler)
Date: Tue, 10 Jun 2008 09:34:23 +0700
Subject: [Fedora-directory-users] Remote console fails for access to Fedora-DS 1.1
In-Reply-To: <484DBE02.2000300@redhat.com>
References: <484D5660.5070904@hrd-asia.com> <484DBE02.2000300@redhat.com>
Message-ID: <484DE82F.8010800@hrd-asia.com>

Rich,

Thanks for taking time to look into my issue.

> I suspect this has something to do with
> https://bugzilla.redhat.com/show_bug.cgi?id=431103
>
> For the first step, take a look at the access log from the
> configuration DS beginning from when you launched the console - look
> for err=32 in the results.

Just to understand clearly, I have to set up a full DS on my workstation in order to configure a remote DS?

I am asking this because with DS 1.04, I just installed the rpm package on my workstation and (simply) used ./startconsole to connect to the remote DS. No configuration/setup done on the local machine.

I don't mind doing so, just would like to have a better understanding of what I need to do where.

Thanks and regards,
Wolf

From siedler at hrd-asia.com Tue Jun 10 05:54:36 2008
From: siedler at hrd-asia.com (Wolf Siedler)
Date: Tue, 10 Jun 2008 12:54:36 +0700
Subject: [Fedora-directory-users] Remote console fails for access to Fedora-DS 1.1
In-Reply-To: <484DE82F.8010800@hrd-asia.com>
References: <484D5660.5070904@hrd-asia.com> <484DBE02.2000300@redhat.com> <484DE82F.8010800@hrd-asia.com>
Message-ID: <484E171C.7070902@hrd-asia.com>

> Just to understand clearly, I have to set up a full DS on my
> workstation in order to configure a remote DS?

To express my intention more precisely - from
http://directory.fedoraproject.org/wiki/Release_Notes#Console_only_Installation
I got the impression that a console-only installation on a separate workstation is possible.
Am I correct in assuming that this is - at least for now - not (yet) possible?

Regards,
Wolf

From solarflow99 at gmail.com Tue Jun 10 09:54:31 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Tue, 10 Jun 2008 10:54:31 +0100
Subject: [Fedora-directory-users] Remote console fails for access to Fedora-DS 1.1
In-Reply-To: <484E171C.7070902@hrd-asia.com>
References: <484D5660.5070904@hrd-asia.com> <484DBE02.2000300@redhat.com> <484DE82F.8010800@hrd-asia.com> <484E171C.7070902@hrd-asia.com>
Message-ID: <7020fd000806100254p5044fe0ape66d837fc3cb5d0e@mail.gmail.com>

On 6/10/08, Wolf Siedler wrote:
>
> Just to understand clearly, I have to set up a full DS on my workstation in
>> order to configure a remote DS?
>>
>
> To express my intention more precisely - from
>
> http://directory.fedoraproject.org/wiki/Release_Notes#Console_only_Installation
> I got the impression that a console-only installation on a separate
> workstation is possible.
>
> Am I correct in assuming that this is - at least for now - not (yet)
> possible?

can you confirm that you have the right java installed? What platform are you running on again?

From solarflow99 at gmail.com Tue Jun 10 09:58:06 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Tue, 10 Jun 2008 10:58:06 +0100
Subject: [Fedora-directory-users] Remote console fails for access to Fedora-DS 1.1
In-Reply-To: <7020fd000806100254p5044fe0ape66d837fc3cb5d0e@mail.gmail.com>
References: <484D5660.5070904@hrd-asia.com> <484DBE02.2000300@redhat.com> <484DE82F.8010800@hrd-asia.com> <484E171C.7070902@hrd-asia.com> <7020fd000806100254p5044fe0ape66d837fc3cb5d0e@mail.gmail.com>
Message-ID: <7020fd000806100258q6a5d711bodd7e82f671244324@mail.gmail.com>

On 6/10/08, solarflow99 wrote:
>
>
>
> On 6/10/08, Wolf Siedler wrote:
>>
>> Just to understand clearly, I have to set up a full DS on my workstation
>>> in order to configure a remote DS?
>>>
>>
>> To express my intention more precisely - from
>>
>> http://directory.fedoraproject.org/wiki/Release_Notes#Console_only_Installation
>> I got the impression that a console-only installation on a separate
>> workstation is possible.
>>
>> Am I correct in assuming that this is - at least for now - not (yet)
>> possible?
>
>
> can you confirm that you have the right java installed? What platform are
> you running on again?
>

now I see the info from your first message, it looks like a java problem to me even though it should work. What I did was used the java for rhel from the supplemental RHN channel and it always worked well.

From rmeggins at redhat.com Tue Jun 10 14:15:56 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 10 Jun 2008 08:15:56 -0600
Subject: [Fedora-directory-users] Remote console fails for access to Fedora-DS 1.1
In-Reply-To: <484DE82F.8010800@hrd-asia.com>
References: <484D5660.5070904@hrd-asia.com> <484DBE02.2000300@redhat.com> <484DE82F.8010800@hrd-asia.com>
Message-ID: <484E8C9C.7030708@redhat.com>

Wolf Siedler wrote:
> Rich,
>
> Thanks for taking time to look into my issue.
>
>> I suspect this has something to do with
>> https://bugzilla.redhat.com/show_bug.cgi?id=431103
>>
>> For the first step, take a look at the access log from the
>> configuration DS beginning from when you launched the console - look
>> for err=32 in the results.
>
> Just to understand clearly, I have to set up a full DS on my
> workstation in order to configure a remote DS?

No. If you just want to install the console and run it remotely (i.e. from your personal desktop, not from the server machine itself), just do

yum install fedora-idm-console

That's all you have to do to install the console on your local machine.
One other thing - you may have some files left over from previous runs that are causing problems - try

rm -rf ~/.fedora-idm-console

Then run fedora-idm-console again. If that still fails, then it looks as though this is probably related to https://bugzilla.redhat.com/show_bug.cgi?id=431103 - so we'll have to examine the access logs from the configuration DS to see what entries are not being found.

>
> I am asking this because with DS 1.04, I just installed the rpm
> package on my workstation and (simply) used ./startconsole to connect
> to the remote DS. No configuration/setup done on the local machine.
>
> I don't mind doing so, just would like to have a better understanding
> of what I need to do where.
>
> Thanks and regards,
> Wolf
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rmeggins at redhat.com Tue Jun 10 15:34:41 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 10 Jun 2008 09:34:41 -0600
Subject: [Fedora-directory-users] Announcing Fedora Directory Server version 1.1.1
Message-ID: <484E9F11.6080701@redhat.com>

We are pleased to announce the release of Fedora Directory Server 1.1.1. This release is primarily a bug fix release, but does contain some new features, mostly to support freeIPA. Binary packages are available for Fedora 7, 8, 9, and rawhide.

NOTE: Fedora 6/RHEL5 binaries are not yet available. They will be shortly.

How to upgrade:

yum upgrade fedora-ds-base

No further setup should be required. This should restart the server - if not, a manual restart (service dirsrv restart) is required for the new code to take effect.
* Release Notes - http://directory.fedoraproject.org/wiki/Release_Notes

From siedler at hrd-asia.com Tue Jun 10 15:30:37 2008
From: siedler at hrd-asia.com (Wolf Siedler)
Date: Tue, 10 Jun 2008 22:30:37 +0700
Subject: [Fedora-directory-users] Remote console fails for access to Fedora-DS 1.1
In-Reply-To: <7020fd000806100258q6a5d711bodd7e82f671244324@mail.gmail.com>
References: <484D5660.5070904@hrd-asia.com> <484DBE02.2000300@redhat.com> <484DE82F.8010800@hrd-asia.com> <484E171C.7070902@hrd-asia.com> <7020fd000806100254p5044fe0ape66d837fc3cb5d0e@mail.gmail.com> <7020fd000806100258q6a5d711bodd7e82f671244324@mail.gmail.com>
Message-ID: <484E9E1D.1050608@hrd-asia.com>

> now I see the info from your first message, it looks like a java
> problem to me even though it should work. What I did was used the
> java for rhel from the supplemental RHN channel and it always worked
> well.

I just tried it again through the Windows msi for the IDM console.

System is Windows 2000 and Sun-JRE 1.5.0_15.
The dos prompt shows the same Java error as quoted in my previous report.

Windows 2000 and Sun-JRE 1.6.0_06:
Same problem as before; when clicking on "Directory Server" in the console there is an error message about a missing fedora-ds-1.0.jar.
Furthermore, when clicking on "Administration Server", even that one doesn't open anymore. Instead there is a similar popup window complaining about a missing fedora-ds-1.1.jar.

I'll try Java 6 on Linux tomorrow.

Is anybody running a standalone IDM console? If yes - on which OS/Java version?
Regards,
Wolf

From siedler at hrd-asia.com Tue Jun 10 15:34:00 2008
From: siedler at hrd-asia.com (Wolf Siedler)
Date: Tue, 10 Jun 2008 22:34:00 +0700
Subject: [Fedora-directory-users] Remote console fails for access to Fedora-DS 1.1
Message-ID: <484E9EE8.8010707@hrd-asia.com>

Sorry, my report was premature - bad network connection. This is the correct outcome:

I just tried it again through the Windows msi for the IDM console.

System is Windows 2000 and Sun-JRE 1.5.0_15.
The dos prompt shows the same Java error as quoted in my previous report.

Windows 2000 and Sun-JRE 1.6.0_06:
Same problem as before; when clicking on "Directory Server" in the console there is a Java error.

I'll try Java 6 on Linux tomorrow.

Is anybody running a standalone IDM console? If yes - on which OS/Java version?

Regards,
Wolf

From rmeggins at redhat.com Tue Jun 10 15:48:52 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 10 Jun 2008 09:48:52 -0600
Subject: [Fedora-directory-users] Remote console fails for access to Fedora-DS 1.1
In-Reply-To: <484E9E1D.1050608@hrd-asia.com>
References: <484D5660.5070904@hrd-asia.com> <484DBE02.2000300@redhat.com> <484DE82F.8010800@hrd-asia.com> <484E171C.7070902@hrd-asia.com> <7020fd000806100254p5044fe0ape66d837fc3cb5d0e@mail.gmail.com> <7020fd000806100258q6a5d711bodd7e82f671244324@mail.gmail.com> <484E9E1D.1050608@hrd-asia.com>
Message-ID: <484EA264.2010802@redhat.com>

Wolf Siedler wrote:
>> now I see the info from your first message, it looks like a java
>> problem to me even though it should work. What I did was used the
>> java for rhel from the supplemental RHN channel and it always worked
>> well.
>
> I just tried it again through the Windows msi for the IDM console.
>
> System is Windows 2000 and Sun-JRE 1.5.0_15.
> The dos prompt shows the same Java error as quoted in my previous report.

There is a problem with the windows console .bat file - it does not find the correct version of java.
To fix, simply edit the batch file - look for where it sets JAVA (it is commented out - rem means comment in batch file language) - uncomment this and set it to the correct path and file name of your java.exe.

>
> Windows 2000 and Sun-JRE 1.6.0_06:
> Same problem as before; when clicking on "Directory Server" in the
> console there is an error message about a missing fedora-ds-1.0.jar.
> Furthermore, when clicking on "Administration Server", even that one
> doesn't open anymore. Instead there is a similar popup window
> complaining about a missing fedora-ds-1.1.jar.

It is supposed to download the correct jar file from the server. I'm not sure where it is stored on Windows, but there will be a directory/folder called .fedora-idm-console in your HOME directory/folder (wherever that is) - remove that directory/folder and try again.

>
> I'll try Java 6 on Linux tomorrow.
>
> Is anybody running a standalone IDM console? If yes - on which
> OS/Java version?
>
> Regards,
> Wolf
From siedler at hrd-asia.com Tue Jun 10 15:57:14 2008
From: siedler at hrd-asia.com (Wolf Siedler)
Date: Tue, 10 Jun 2008 22:57:14 +0700
Subject: [Fedora-directory-users] Remote console fails for access to Fedora-DS 1.1
In-Reply-To: <484EA264.2010802@redhat.com>
References: <484D5660.5070904@hrd-asia.com> <484DBE02.2000300@redhat.com> <484DE82F.8010800@hrd-asia.com> <484E171C.7070902@hrd-asia.com> <7020fd000806100254p5044fe0ape66d837fc3cb5d0e@mail.gmail.com> <7020fd000806100258q6a5d711bodd7e82f671244324@mail.gmail.com> <484E9E1D.1050608@hrd-asia.com> <484EA264.2010802@redhat.com>
Message-ID: <484EA45A.1060307@hrd-asia.com>

Thanks, Rich,

So here we go:

> There is a problem with the windows console .bat file - it does not
> find the correct version of java. To fix, simply edit the batch file
> - look for where it sets JAVA (it is commented out - rem means
> comment in batch file language) - uncomment this and set it to the
> correct path and file name of your java.exe.

Found it and did so (before both tests).

> > Windows 2000 and Sun-JRE 1.6.0_06:
> > Same problem as before; when clicking on "Directory Server" in the
> console there is an error message about a missing fedora-ds-1.0.jar.
> > Furthermore, when clicking on "Administration Server", even that
> one doesn't open anymore. Instead there is a similar popup window
> complaining about a missing fedora-ds-1.1.jar.
> It is supposed to download the correct jar file from the server.

Ah - I wasn't aware of this procedure. Your hint gives me some more ideas. I try that tomorrow (very late here).

> I'm not sure where it is stored on Windows, but there will be a
> directory/folder called .fedora-idm-console in your HOME
> directory/folder (wherever that is) - remove that directory/folder
> and try again.

I realized that already and did so. Several times today and both on Windows and Fedora.
Unfortunately, no change in the outcome... :-(

Regards,
Wolf

From rmeggins at redhat.com Tue Jun 10 15:59:50 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 10 Jun 2008 09:59:50 -0600
Subject: [Fedora-directory-users] Remote console fails for access to Fedora-DS 1.1
In-Reply-To: <484EA45A.1060307@hrd-asia.com>
References: <484D5660.5070904@hrd-asia.com> <484DBE02.2000300@redhat.com> <484DE82F.8010800@hrd-asia.com> <484E171C.7070902@hrd-asia.com> <7020fd000806100254p5044fe0ape66d837fc3cb5d0e@mail.gmail.com> <7020fd000806100258q6a5d711bodd7e82f671244324@mail.gmail.com> <484E9E1D.1050608@hrd-asia.com> <484EA264.2010802@redhat.com> <484EA45A.1060307@hrd-asia.com>
Message-ID: <484EA4F6.8080508@redhat.com>

Wolf Siedler wrote:
> Thanks, Rich,
>
> So here we go:
>
>> There is a problem with the windows console .bat file - it does not
>> find the correct version of java. To fix, simply edit the batch file
>> - look for where it sets JAVA (it is commented out - rem means
>> comment in batch file language) - uncomment this and set it to the
>> correct path and file name of your java.exe.
>
> Found it and did so (before both tests).
>
>> > Windows 2000 and Sun-JRE 1.6.0_06:
>> > Same problem as before; when clicking on "Directory Server" in the
>> console there is an error message about a missing fedora-ds-1.0.jar.
>> > Furthermore, when clicking on "Administration Server", even that
>> one doesn't open anymore. Instead there is a similar popup window
>> complaining about a missing fedora-ds-1.1.jar.
>> It is supposed to download the correct jar file from the server.
>
> Ah - I wasn't aware of this procedure. Your hint gives me some more
> ideas. I try that tomorrow (very late here).

Ok.
If you run the console with -D (on windows you will have to edit the batch file to do this) you should see it attempt to download the jar files from the admin server via http

>
>> I'm not sure where it is stored on Windows, but there will be a
>> directory/folder called .fedora-idm-console in your HOME
>> directory/folder (wherever that is) - remove that directory/folder
>> and try again.
>
> I realized that already and did so. Several times today and both on
> Windows and Fedora.
>
> Unfortunately, no change in the outcome... :-(
>
> Regards,
> Wolf

From siedler at hrd-asia.com Tue Jun 10 16:46:37 2008
From: siedler at hrd-asia.com (Wolf Siedler)
Date: Tue, 10 Jun 2008 23:46:37 +0700
Subject: [Fedora-directory-users] Remote consolefais for access to Fedora-DS 1.1
In-Reply-To: <484EA4F6.8080508@redhat.com>
References: <484D5660.5070904@hrd-asia.com> <484DBE02.2000300@redhat.com> <484DE82F.8010800@hrd-asia.com> <484E171C.7070902@hrd-asia.com> <7020fd000806100254p5044fe0ape66d837fc3cb5d0e@mail.gmail.com> <7020fd000806100258q6a5d711bodd7e82f671244324@mail.gmail.com> <484E9E1D.1050608@hrd-asia.com> <484EA264.2010802@redhat.com> <484EA45A.1060307@hrd-asia.com> <484EA4F6.8080508@redhat.com>
Message-ID: <484EAFED.4050203@hrd-asia.com>

> Ok. If you run the console with -D (on windows you will have to edit
> the batch file to do this) you should see it attempt to download the
> jar files from the admin server via http

Does it have to be on Windows?

I did it before on my Fedora 7 and saw the request from the console to directory server to download fedora-ds-1.0.jar. It received from the DS an error 404 (file not found).
All the fedora-ds-1.1...jar files are in /usr/share/dirsrv/html/java/ on the directory server.

The error 404 disappeared after I manually created /usr/share/dirsrv/html/java/jars/ and placed fedora-ds-1.0.jar / fedora-ds-1.0_en.jar in there.

However, I now see plenty of "class not found" errors related to fedora-ds-1.0.jar in the console logfile.

Would you want to have the complete log?

Regards,
Wolf

===console logfile excerpt===
<...snip...>
ClassLoader: classes.env found in fedora-ds-1.0.jar
ClassLoader: manifest loaded for fedora-ds-1.0.jar
ClassLoader: manifest: 0 entries found
ClassLoader: new LocalJarClassLoader fedora-ds-1.0.jar:{fedora-ds-1.0.jar fedora-ds-1.0_en.jar }
ClassLoader: Create loader fedora-ds-1.0.jar
ClassLoader: :loadClass():name:com.netscape.admin.dirserv.DSAdmin
ClassLoader: :loadClass():loading:com.netscape.admin.dirserv.DSAdmin
ClassLoader: com/netscape/admin/dirserv/DSAdmin.class found in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:com.netscape.admin.dirserv.IAuthenticationChangeListener
ClassLoader: :loadClass():loading:com.netscape.admin.dirserv.IAuthenticationChangeListener
ClassLoader: com/netscape/admin/dirserv/IAuthenticationChangeListener.class found in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:java.lang.Object
ClassLoader: :loadClass():name:com.netscape.management.client.IMenuInfo
ClassLoader: :loadClass():loading:com.netscape.management.client.IMenuInfo
ClassLoader: com/netscape/management/client/IMenuInfo.class NOT in fedora-ds-1.0.jar
ClassLoader: com/netscape/management/client/IMenuInfo.class NOT in fedora-ds-1.0_en.jar
ClassLoader: :loadClass():name:com.netscape.management.client.topology.IRemovableServerObject
ClassLoader: :loadClass():loading:com.netscape.management.client.topology.IRemovableServerObject
ClassLoader: com/netscape/management/client/topology/IRemovableServerObject.class NOT in fedora-ds-1.0.jar
ClassLoader: com/netscape/management/client/topology/IRemovableServerObject.class NOT in fedora-ds-1.0_en.jar
ClassLoader: :loadClass():name:com.netscape.management.client.topology.AbstractServerObject
ClassLoader: :loadClass():loading:com.netscape.management.client.topology.AbstractServerObject
ClassLoader: com/netscape/management/client/topology/AbstractServerObject.class NOT in fedora-ds-1.0.jar
ClassLoader: com/netscape/management/client/topology/AbstractServerObject.class NOT in fedora-ds-1.0_en.jar
ClassLoader: :loadClass():resolving com.netscape.admin.dirserv.DSAdmin
ClassLoader: :loadClass():name:javax.swing.Icon
ClassLoader: :loadClass():loading:javax.swing.Icon
ClassLoader: javax/swing/Icon.class NOT in fedora-ds-1.0.jar
ClassLoader: javax/swing/Icon.class NOT in fedora-ds-1.0_en.jar
ClassLoader: :loadClass():name:java.lang.Throwable
ClassLoader: :loadClass():name:java.lang.Exception
ClassLoader: :loadClass():name:netscape.ldap.LDAPConnection
ClassLoader: :loadClass():loading:netscape.ldap.LDAPConnection
ClassLoader: netscape/ldap/LDAPConnection.class NOT in fedora-ds-1.0.jar
ClassLoader: netscape/ldap/LDAPConnection.class NOT in fedora-ds-1.0_en.jar
ClassLoader: :loadClass():name:netscape.ldap.LDAPException
ClassLoader: :loadClass():loading:netscape.ldap.LDAPException
ClassLoader: netscape/ldap/LDAPException.class NOT in fedora-ds-1.0.jar
ClassLoader: netscape/ldap/LDAPException.class NOT in fedora-ds-1.0_en.jar
ClassLoader: :loadClass():name:java.lang.String
ClassLoader: :loadClass():name:com.netscape.management.client.IFrameworkInitializer
ClassLoader: :loadClass():loading:com.netscape.management.client.IFrameworkInitializer
ClassLoader: com/netscape/management/client/IFrameworkInitializer.class NOT in fedora-ds-1.0.jar
ClassLoader: com/netscape/management/client/IFrameworkInitializer.class NOT in fedora-ds-1.0_en.jar
ClassLoader: :loadClass():name:javax.swing.JFrame
ClassLoader: :loadClass():loading:javax.swing.JFrame
ClassLoader: javax/swing/JFrame.class NOT in fedora-ds-1.0.jar
ClassLoader: javax/swing/JFrame.class NOT in fedora-ds-1.0_en.jar
ClassLoader: :loadClass():name:com.netscape.admin.dirserv.DSFramework
ClassLoader: :loadClass():loading:com.netscape.admin.dirserv.DSFramework
ClassLoader: com/netscape/admin/dirserv/DSFramework.class found in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:com.netscape.management.client.Framework
ClassLoader: :loadClass():loading:com.netscape.management.client.Framework
ClassLoader: com/netscape/management/client/Framework.class NOT in fedora-ds-1.0.jar
ClassLoader: com/netscape/management/client/Framework.class NOT in fedora-ds-1.0_en.jar
ClassLoader: :loadClass():name:com.netscape.management.client.preferences.IPreferencesTab
ClassLoader: :loadClass():loading:com.netscape.management.client.preferences.IPreferencesTab
ClassLoader: com/netscape/management/client/preferences/IPreferencesTab.class NOT in fedora-ds-1.0.jar
ClassLoader: com/netscape/management/client/preferences/IPreferencesTab.class NOT in fedora-ds-1.0_en.jar
ClassLoader: :loadClass():name:java.awt.event.ActionListener
ClassLoader: :loadClass():name:java.awt.event.MouseListener
ClassLoader: :loadClass():name:com.netscape.management.client.IStatusItem
ClassLoader: :loadClass():loading:com.netscape.management.client.IStatusItem
ClassLoader: com/netscape/management/client/IStatusItem.class NOT in fedora-ds-1.0.jar
ClassLoader: com/netscape/management/client/IStatusItem.class NOT in fedora-ds-1.0_en.jar
ClassLoader: :loadClass():name:java.awt.Component
ClassLoader: :loadClass():name:java.lang.Float
ClassLoader: :loadClass():name:com.netscape.admin.dirserv.task.CGITask
ClassLoader: :loadClass():loading:com.netscape.admin.dirserv.task.CGITask
ClassLoader: com/netscape/admin/dirserv/task/CGITask.class found in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:com.netscape.management.client.comm.CommClient
ClassLoader: :loadClass():loading:com.netscape.management.client.comm.CommClient
ClassLoader: com/netscape/management/client/comm/CommClient.class NOT in fedora-ds-1.0.jar
ClassLoader: com/netscape/management/client/comm/CommClient.class NOT in fedora-ds-1.0_en.jar
ClassLoader: :loadClass():name:com.netscape.management.client.TaskObject
ClassLoader: :loadClass():loading:com.netscape.management.client.TaskObject
ClassLoader: com/netscape/management/client/TaskObject.class NOT in fedora-ds-1.0.jar
ClassLoader: com/netscape/management/client/TaskObject.class NOT in fedora-ds-1.0_en.jar
ClassLoader: :loadClass():name:com.netscape.admin.dirserv.task.Remove
ClassLoader: :loadClass():loading:com.netscape.admin.dirserv.task.Remove
ClassLoader: com/netscape/admin/dirserv/task/Remove.class found in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:java.lang.Thread
ClassLoader: :loadClass():name:com.netscape.admin.dirserv.DSAdmin$3
ClassLoader: :loadClass():loading:com.netscape.admin.dirserv.DSAdmin$3
ClassLoader: com/netscape/admin/dirserv/DSAdmin$3.class found in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:com.netscape.management.client.preferences.PreferenceManager
ClassLoader: :loadClass():loading:com.netscape.management.client.preferences.PreferenceManager
ClassLoader: com/netscape/management/client/preferences/PreferenceManager.class NOT in fedora-ds-1.0.jar
ClassLoader: com/netscape/management/client/preferences/PreferenceManager.class NOT in fedora-ds-1.0_en.jar
https://admin01.hrd-asia.com:20126/[2:0] close i/o stream
https://admin01.hrd-asia.com:20126/[2:0] close socket
https://admin01.hrd-asia.com:20126/[2:0] close> Closed
ClassLoader: :loadClass():name:com.netscape.management.client.preferences.Preferences
ClassLoader: :loadClass():loading:com.netscape.management.client.preferences.Preferences
ClassLoader: com/netscape/management/client/preferences/Preferences.class NOT in fedora-ds-1.0.jar
ClassLoader: com/netscape/management/client/preferences/Preferences.class NOT in fedora-ds-1.0_en.jar
ClassLoader: :loadClass():name:com.netscape.admin.dirserv.panel.BlankPanel
ClassLoader: :loadClass():loading:com.netscape.admin.dirserv.panel.BlankPanel
ClassLoader: com/netscape/admin/dirserv/panel/BlankPanel.class found in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:javax.swing.event.DocumentListener
ClassLoader: :loadClass():loading:javax.swing.event.DocumentListener
ClassLoader: javax/swing/event/DocumentListener.class NOT in fedora-ds-1.0.jar
ClassLoader: javax/swing/event/DocumentListener.class NOT in fedora-ds-1.0_en.jar
ClassLoader: :loadClass():name:java.awt.event.ItemListener
ClassLoader: :loadClass():name:javax.swing.event.ChangeListener
ClassLoader: :loadClass():loading:javax.swing.event.ChangeListener
ClassLoader: javax/swing/event/ChangeListener.class NOT in fedora-ds-1.0.jar
ClassLoader: javax/swing/event/ChangeListener.class NOT in fedora-ds-1.0_en.jar
ClassLoader: :loadClass():name:javax.swing.event.ListSelectionListener
ClassLoader: :loadClass():loading:javax.swing.event.ListSelectionListener
ClassLoader: javax/swing/event/ListSelectionListener.class NOT in fedora-ds-1.0.jar
ClassLoader: javax/swing/event/ListSelectionListener.class NOT in fedora-ds-1.0_en.jar
ClassLoader: :loadClass():name:com.netscape.admin.dirserv.IDSResourceSelectionListener
ClassLoader: :loadClass():loading:com.netscape.admin.dirserv.IDSResourceSelectionListener
ClassLoader: com/netscape/admin/dirserv/IDSResourceSelectionListener.class found in fedora-ds-1.0.jar
ClassLoader: :loadClass():name:javax.swing.JPanel
ClassLoader: :loadClass():loading:javax.swing.JPanel
ClassLoader: javax/swing/JPanel.class NOT in fedora-ds-1.0.jar
ClassLoader: javax/swing/JPanel.class NOT in fedora-ds-1.0_en.jar
ClassLoader: :loadClass():name:javax.swing.JComponent
ClassLoader: :loadClass():loading:javax.swing.JComponent
ClassLoader: javax/swing/JComponent.class NOT in fedora-ds-1.0.jar
ClassLoader: javax/swing/JComponent.class NOT in fedora-ds-1.0_en.jar
ClassLoader: :loadClass():name:java.awt.Container
ClassLoader: :loadClass():name:javax.swing.JLabel
ClassLoader:
:loadClass():loading:javax.swing.JLabel ClassLoader: javax/swing/JLabel.class NOT in fedora-ds-1.0.jar ClassLoader: javax/swing/JLabel.class NOT in fedora-ds-1.0_en.jar ClassLoader: :loadClass():name:java.awt.LayoutManager ClassLoader: :loadClass():name:java.lang.IllegalStateException ClassLoader: :loadClass():name:javax.swing.border.Border ClassLoader: :loadClass():loading:javax.swing.border.Border ClassLoader: javax/swing/border/Border.class NOT in fedora-ds-1.0.jar ClassLoader: javax/swing/border/Border.class NOT in fedora-ds-1.0_en.jar ClassLoader: :loadClass():name:javax.swing.JScrollPane ClassLoader: :loadClass():loading:javax.swing.JScrollPane ClassLoader: javax/swing/JScrollPane.class NOT in fedora-ds-1.0.jar ClassLoader: javax/swing/JScrollPane.class NOT in fedora-ds-1.0_en.jar ClassLoader: :loadClass():name:com.netscape.management.client.util.Debug ClassLoader: :loadClass():loading:com.netscape.management.client.util.Debug ClassLoader: com/netscape/management/client/util/Debug.class NOT in fedora-ds-1.0.jar ClassLoader: com/netscape/management/client/util/Debug.class NOT in fedora-ds-1.0_en.jar ClassLoader: :loadClass():name:java.awt.Color ClassLoader: :loadClass():name:java.util.Vector DSAdmin.DSAdmin: constructor ClassLoader: :loadClass():name:java.lang.StringBuilder DSAdmin.initialize(): _removed=false info=ConsoleInfo(admin01.hrd-asia.com, 389, uid=dsadmin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot, admin at 14, o=NetscapeRoot) _info=null ClassLoader: :loadClass():name:com.netscape.management.client.util.UtilConsoleGlobals ClassLoader: :loadClass():loading:com.netscape.management.client.util.UtilConsoleGlobals ClassLoader: com/netscape/management/client/util/UtilConsoleGlobals.class NOT in fedora-ds-1.0.jar ClassLoader: com/netscape/management/client/util/UtilConsoleGlobals.class NOT in fedora-ds-1.0_en.jar ClassLoader: :loadClass():name:com.netscape.management.client.console.VersionInfo ClassLoader: 
:loadClass():loading:com.netscape.management.client.console.VersionInfo
ClassLoader: com/netscape/management/client/console/VersionInfo.class NOT in fedora-ds-1.0.jar
ClassLoader: com/netscape/management/client/console/VersionInfo.class NOT in fedora-ds-1.0_en.jar
JButtonFactory: button width = 90
JButtonFactory: button height = 19
JButtonFactory: button width = 72
JButtonFactory: button height = 19
Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException
<...snip...>

From rmeggins at redhat.com Tue Jun 10 17:16:02 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 10 Jun 2008 11:16:02 -0600
Subject: [Fedora-directory-users] Remote console fails for access to Fedora-DS 1.1
In-Reply-To: <484EAFED.4050203@hrd-asia.com>
References: <484D5660.5070904@hrd-asia.com> <484DBE02.2000300@redhat.com> <484DE82F.8010800@hrd-asia.com> <484E171C.7070902@hrd-asia.com> <7020fd000806100254p5044fe0ape66d837fc3cb5d0e@mail.gmail.com> <7020fd000806100258q6a5d711bodd7e82f671244324@mail.gmail.com> <484E9E1D.1050608@hrd-asia.com> <484EA264.2010802@redhat.com> <484EA45A.1060307@hrd-asia.com> <484EA4F6.8080508@redhat.com> <484EAFED.4050203@hrd-asia.com>
Message-ID: <484EB6D2.7030401@redhat.com>

Wolf Siedler wrote:
>> Ok. If you run the console with -D (on windows you will have to edit
>> the batch file to do this) you should see it attempt to download the
>> jar files from the admin server via http
>
> Does it have to be on Windows?
Does what have to be on Windows? You should be able to install the standalone console on Fedora too:
yum install fedora-idm-console
>
> I did it before on my Fedora 7 and saw the request from the console to
> directory server to download fedora-ds-1.0.jar. It received from the DS
> an error 404 (file not found).
?
>
> All the fedora-ds-1.1...jar files are in /usr/share/dirsrv/html/java/
> on the directory server.
Yes, on the server.
When the console starts up on the client machine, the console downloads these jar files into your ~/.fedora-idm-console directory - the admin server should download them from that directory on the server.
> The error 404 disappeared after I manually created
> /usr/share/dirsrv/html/java/jars/ and placed fedora-ds-1.0.jar /
> fedora-ds-1.0_en.jar in there.
On the server or on the client machine?
>
> However, I now see plenty of "class not found" errors related to
> fedora-ds-1.0.jar in the console logfile.
These are benign.
> Would you want to have the complete log?
I'm a little bit confused as to what you're trying to do. Let's start over. Are you trying to install a standalone console? If so, on what platform? Are you trying to manage a mixed environment of both Fedora DS 1.1 and Fedora DS 1.0.4 servers? On which platforms are they running?
>
> Regards,
> Wolf
> ===console logfile excerpt===
> <...snip...>
> Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException
> <...snip...>

From siedler at hrd-asia.com Tue Jun 10 18:58:30 2008
From: siedler at hrd-asia.com (Wolf Siedler)
Date: Wed, 11 Jun 2008 01:58:30 +0700
Subject: [Fedora-directory-users] Remote console fails for access to Fedora-DS 1.1
In-Reply-To: <484EB6D2.7030401@redhat.com>
References: <484D5660.5070904@hrd-asia.com> <484DBE02.2000300@redhat.com> <484DE82F.8010800@hrd-asia.com> <484E171C.7070902@hrd-asia.com> <7020fd000806100254p5044fe0ape66d837fc3cb5d0e@mail.gmail.com> <7020fd000806100258q6a5d711bodd7e82f671244324@mail.gmail.com> <484E9E1D.1050608@hrd-asia.com> <484EA264.2010802@redhat.com> <484EA45A.1060307@hrd-asia.com> <484EA4F6.8080508@redhat.com> <484EAFED.4050203@hrd-asia.com> <484EB6D2.7030401@redhat.com>
Message-ID: <484ECED6.4040008@hrd-asia.com>

So let me describe the setup:
I have a server (RHEL 5.1) running Fedora Directory Server and Fedora Admin Server. It used to be Fedora-DS 1.0.4 (installed from rpm). A few days ago, I upgraded Fedora-DS to 1.1. For the upgrade procedure, I followed the instructions on the website regarding prerequisites and repo configuration. Afterwards, I ran the migration script migrate-ds-admin.pl. It stated that migration was done successfully (as per the logfile in /tmp/), only failed to start the admin server. Which I then did manually. The directory server was started automatically.

Now I would like to use my workstation (running Fedora 7) for configuration. Java is JDK 1.5.0_14 from Sun.
In the past, it worked after installing Fedora-DS 1.0.4 rpm and starting the console by ./startconsole.
After the upgrade, I tried to duplicate the earlier approach and upgraded everything Fedora-DS-related on my workstation to version 1.1... Then I tried to start the console via fedora-idm-console.

It didn't work 100%: I was able to open the configuration window for Fedora Administration Server from the main console window. However, I was unable to open the Fedora Directory Server configuration window from the main console. There were always error messages about a missing/incomplete fedora-ds-1.0.jar and clicking button "Download" in the main console didn't change anything.

In order to see whether it might be a Java-related problem, I used a virtual machine with Windows 2000, fedora IDM console (.msi) and Sun-JRE 1.5.0_15 for crosschecking. Same failure in the main console window when trying to access the Fedora Directory Server (the one on the RHEL server) configuration window.
Then I changed the JRE to Sun-JRE 1.6.0_06. Still, the same error when trying to access the Fedora Directory Server configuration window.

So I removed everything Fedora-DS-related on my workstation, including ~/.fedora-idm-console.
Next step was to install package fedora-idm-console only through yum.

Afterwards, I started the console on my workstation by
fedora-idm-console -D 9 -f fds_console.log

From studying fds_console.log, I learned that the console apparently could not find fedora-ds-1.0.jar and fedora-ds-1.0_en.jar on the server (error 404). Fedora-ds-1.1(...).jar were found.
So I went over the file structure at the server and found the fedora-ds-1.1(...).jar files in directory /usr/share/dirsrv/html/java/.
However, copying fedora-ds-1.0.jar and fedora-ds-1.0_en.jar to /usr/share/dirsrv/html/java/ brought no change, fds_console.log still showed the error 404.
Only after manually creating (sub)directory /usr/share/dirsrv/html/java/jars/ and copying fedora-ds-1.0.jar + fedora-ds-1.0_en.jar in there (only those two), the error 404 disappeared from fds_console.log.

The current status is: On my (Fedora 7) workstation, I can open Fedora IDM console. Problems begin once I expand (in the main console window) the subtree below "Server Group".
I still can access Fedora Administration Server and open its configuration window. The (workstation/console) logfile fds_console.log shows that fedora-admin-1.1.jar gets downloaded from server to workstation.
When attempting to open entry Fedora Directory Server, the console downloads fedora-ds-1.0.jar and fedora-ds-1.0_en.jar. But I can't open the corresponding configuration window from the console.
Fds_console.log shows plenty of "class not found messages" and ends up in a Java exception error (attached below).

At least as far as I am aware, there should be no more Fedora-DS components at level 1.0.4, neither on the server nor on the workstation/console side.
However, while writing this down, I just double checked with JXplorer and found in cn=Fedora Direcory Server, ... , o=NetscapeRoot the attribute nsProductVersion as 1.0.4.

Is this maybe the reason for all my troubles? Is there a way to find out whether my directory server is really still left at version 1.0.4?
As mentioned above, based on the feedback of the migration script, I was honestly convinced it was successfully migrated.
If it is just a matter of an inaccurate version string, I could easily correct that through JXplorer. But to what value?

I regret to cause that much trouble. Nevertheless, I appreciate your ongoing and fast advice.

Regards, Wolf ====== Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException at com.netscape.management.client.topology.AbstractServerObject.getNodeDataCount(Unknown Source) at com.netscape.management.client.topology.NodeDataPanel.createPanel(Unknown Source) at com.netscape.management.client.topology.NodeDataPanel.(Unknown Source) at com.netscape.management.client.topology.NodeDataPanel.(Unknown Source) at com.netscape.management.client.topology.AbstractServerObject.getCustomPanel(Unknown Source) at com.netscape.management.client.topology.ServerNode.reload(Unknown Source) at com.netscape.management.client.topology.ServerNode.getCustomPanel(Unknown Source) at com.netscape.management.client.ResourceModel.getCustomPanel(Unknown Source) at com.netscape.management.client.ResourcePage.valueChanged(Unknown Source) at javax.swing.JTree.fireValueChanged(JTree.java:2399) at javax.swing.JTree$TreeSelectionRedirector.valueChanged(JTree.java:2770) at javax.swing.tree.DefaultTreeSelectionModel.fireValueChanged(DefaultTreeSelectionModel.java:629) at javax.swing.tree.DefaultTreeSelectionModel.notifyPathChange(DefaultTreeSelectionModel.java:1078) at javax.swing.tree.DefaultTreeSelectionModel.setSelectionPaths(DefaultTreeSelectionModel.java:287) at javax.swing.tree.DefaultTreeSelectionModel.setSelectionPath(DefaultTreeSelectionModel.java:170) at javax.swing.JTree.setSelectionPath(JTree.java:1174) at javax.swing.plaf.basic.BasicTreeUI.selectPathForEvent(BasicTreeUI.java:2296) at javax.swing.plaf.basic.BasicTreeUI$Handler.handleSelectionImpl(BasicTreeUI.java:3509) at javax.swing.plaf.basic.BasicTreeUI$Handler.handleSelection(BasicTreeUI.java:3484) at javax.swing.plaf.basic.BasicTreeUI$Handler.mousePressed(BasicTreeUI.java:3465) at java.awt.AWTEventMulticaster.mousePressed(AWTEventMulticaster.java:222) at java.awt.AWTEventMulticaster.mousePressed(AWTEventMulticaster.java:221) at java.awt.Component.processMouseEvent(Component.java:5514) at 
javax.swing.JComponent.processMouseEvent(JComponent.java:3135) at java.awt.Component.processEvent(Component.java:5282) at java.awt.Container.processEvent(Container.java:1966) at java.awt.Component.dispatchEventImpl(Component.java:3984) at java.awt.Container.dispatchEventImpl(Container.java:2024) at java.awt.Component.dispatchEvent(Component.java:3819) at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4212) at java.awt.LightweightDispatcher.processMouseEvent(Container.java:3889) at java.awt.LightweightDispatcher.dispatchEvent(Container.java:3822) at java.awt.Container.dispatchEventImpl(Container.java:2010) at java.awt.Window.dispatchEventImpl(Window.java:1791) at java.awt.Component.dispatchEvent(Component.java:3819) at java.awt.EventQueue.dispatchEvent(EventQueue.java:463) at java.awt.EventDispatchThread.pumpOneEventForHierarchy(EventDispatchThread.java:242) at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:163) at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:157) at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:149) at java.awt.EventDispatchThread.run(EventDispatchThread.java:110) From nkinder at redhat.com Tue Jun 10 19:35:01 2008 From: nkinder at redhat.com (Nathan Kinder) Date: Tue, 10 Jun 2008 12:35:01 -0700 Subject: [Fedora-directory-users] Remote console fails for access to Fedora-DS 1.1 In-Reply-To: <484ECED6.4040008@hrd-asia.com> References: <484D5660.5070904@hrd-asia.com> <484DBE02.2000300@redhat.com> <484DE82F.8010800@hrd-asia.com> <484E171C.7070902@hrd-asia.com> <7020fd000806100254p5044fe0ape66d837fc3cb5d0e@mail.gmail.com> <7020fd000806100258q6a5d711bodd7e82f671244324@mail.gmail.com> <484E9E1D.1050608@hrd-asia.com> <484EA264.2010802@redhat.com> <484EA45A.1060307@hrd-asia.com> <484EA4F6.8080508@redhat.com> <484EAFED.4050203@hrd-asia.com> <484EB6D2.7030401@redhat.com> <484ECED6.4040008@hrd-asia.com> Message-ID: <484ED765.5050108@redhat.com> Wolf Siedler wrote: > So let 
me describe the setup: > I have a server (RHEL 5.1) running Fedora Directory Server and Fedora > Admin Server. It used to be Fedora-DS 1.0.4 (installed from rpm). A > few days ago, I upgraded Fedora-DS to 1.1. For the upgrade procedure, > I followed the instructions on the website regarding prerequisites and > repo configuration. Afterwards, I ran the migration script > migrate-ds-admin.pl. It stated that migration was done successfully > (as per the logfile in /tmp/), only failed to start the admin server. > Which I then did manually. The directory server was started > automatically. > > Now I would like to use my workstation (running Fedora 7) for > configuration. Java is JDK 1.5.0_14 from Sun. > In the past, it worked after installing Fedora-DS 1.0.4 rpm and > starting the console by ./startconsole. > After the upgrade, I tried to duplicate the earlier approach and > upgraded everything Fedora-DS-related on my workstation to version > 1.1... Then I tried to start the console via fedora-idm-console. > > It didn't work 100%: I was able to open the configuration window for > Fedora Administration Server from the main console window. However, I > was unable to open the Fedora Directory Server configuration window > from the main console. There were always error messages about a > missing/incomplete fedora-ds-1.0.jar and clicking button "Download" in > the main console didn't chnage anything. > > In order to see whether it might be a Java-related problem, I used a > virtual machine with Windows 2000, fedora IDM console (.msi) and > Sun-JRE 1.5.0_15 for crosschecking. Same failure in the main console > window when trying to access the Fedora Directory Server (the one on > the RHEL server) configuration window . > Then I changed the JRE to Sun-JRE 1.6.0_06. Still, the same error when > trying to access the Fedora Directory Server configuration window. > > So I removed everything Fedora-DS-related on my workstation, including > ~/.fedora-idm-console. 
> Next step was to install package fedora-idm-console only through yum.
>
> Afterwards, I started the console on my workstation by
> fedora-idm-console -D 9 -f fds_console.log
>
> From studying fds_console.log, I learned that the console apparently
> could not find fedora-ds-1.0.jar and fedora-ds-1.0_en.jar on the
> server (error 404). Fedora-ds-1.1(...).jar were found.
> So I went over the file structure at the server and found the
> fedora-ds-1.1(...).jar files in directory /usr/share/dirsrv/html/java/.
> However, copying fedora-ds-1.0.jar and fedora-ds-1.0_en.jar to
> /usr/share/dirsrv/html/java/ brought no change, fds_console.log still
> showed the error 404.
> Only after manually creating (sub)directory
> /usr/share/dirsrv/html/java/jars/ and copying fedora-ds-1.0.jar +
> fedora-ds-1.0_en.jar in there (only those two), the error 404
> disappeared from fds_console.log.
>
> The current status is: On my (Fedora 7) workstation, I can open Fedora
> IDM console. Problems begin once I expand (in the main console window)
> the subtree below "Server Group".
> I still can access Fedora Administration Server and open its
> configuration window. The (workstation/console) logfile
> fds_console.log shows that fedora-admin-1.1.jar gets downloaded from
> server to workstation.
> When attempting to open entry Fedora Directory Server, the console
> downloads fedora-ds-1.0.jar and fedora-ds-1.0_en.jar. But I can't open
> the corresponding configuration window from the console.
> Fds_console.log shows plenty of "class not found messages" and ends up
> in a Java exception error (attached below).
>
> At least as far as I am aware, there should be no more Fedora-DS
> components at level 1.0.4, neither on the server nor on the
> workstation/console side.
> However, while writing this down, I just double checked with JXplorer
> and found in cn=Fedora Directory Server, ... , o=NetscapeRoot the
> attribute nsProductVersion as 1.0.4.
>
> Is this maybe the reason for all my troubles? Is there a way to find
> out whether my directory server is really still left at version 1.0.4?
> As mentioned above, based on the feedback of the migration script, I
> was honestly convinced it was successfully migrated.
> If it is just a matter of an inaccurate version string, I could easily
> correct that through JXplorer. But to what value?

I believe the migration did upgrade you to Fedora Directory Server
1.1, which you can verify in the ns-slapd errors log. The problem is
that not all of the entries used by the Administration Server were
properly updated. You should be able to look through the
"o=NetscapeRoot" portion of your tree to see where 1.0.4 is still
referenced and change them. The incorrect jar file name should be
listed in an attribute there as well.

-NGK
>
> I regret to cause that much trouble. Nevertheless, I appreciate your
> ongoing and fast advice.
>
> Regards,
> Wolf
>
> ======
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From sigidwu at gmail.com Wed Jun 11 01:26:32 2008
From: sigidwu at gmail.com (sigid@JINLab)
Date: Wed, 11 Jun 2008 08:26:32 +0700
Subject: [Fedora-directory-users] password incorrect or directory problem
In-Reply-To: <48495111.2000007@redhat.com>
References: <4848783C.5040602@redhat.com> <48489719.5070503@gmail.com> <48495111.2000007@redhat.com>
Message-ID: <484F29C8.8010707@gmail.com>

Rich Megginson wrote:
> sigid at JINLab wrote:
>> Rich Megginson wrote:
>>> beto .. wrote:
>>>>
>>>> *When I start fedora-idm-console i get this message: password
>>>> incorrect or directory problem
>>>> any solution for this problem? Help me please!
>>>> *
>>> fedora-idm-console -D 9 -f console.log
>>> Then check console.log
>>
>> It seems like http response time out problem but my web server has
>> been run well.
> Open a web browser on the same machine (the same machine from which you
> are attempting to run the console) and try to go to url
> http://jstsvr3:7749/admin-serv/authenticate

i tried to access using firefox and no time out message but i'm waiting forever because no login form appears.

From rmeggins at redhat.com Wed Jun 11 02:12:57 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 10 Jun 2008 20:12:57 -0600
Subject: [Fedora-directory-users] password incorrect or directory problem
In-Reply-To: <484F29C8.8010707@gmail.com>
References: <4848783C.5040602@redhat.com> <48489719.5070503@gmail.com> <48495111.2000007@redhat.com> <484F29C8.8010707@gmail.com>
Message-ID: <484F34A9.8080107@redhat.com>

sigid at JINLab wrote:
> Rich Megginson wrote:
>> sigid at JINLab wrote:
>>> Rich Megginson wrote:
>>>> beto .. wrote:
>>>>>
>>>>> *When I start fedora-idm-console i get this message: password
>>>>> incorrect or directory problem
>>>>> any solution for this problem? Help me please!
>>>>> *
>>>> fedora-idm-console -D 9 -f console.log
>>>> Then check console.log
>>>
>>> It seems like http response time out problem but my web server has
>>> been run well.
>> Open a web browser on the same machine (the same machine from which
>> you are attempting to run the console) and try to go to url
>> http://jstsvr3:7749/admin-serv/authenticate
>
> i tried to access using firefox and no time out message but i'm
> waiting forever because no login form appears.

Do you see a connection attempt in the admin server access log? Could this be a DNS or firewall issue?

From siedler at hrd-asia.com Wed Jun 11 04:08:48 2008
From: siedler at hrd-asia.com (Wolf Siedler)
Date: Wed, 11 Jun 2008 11:08:48 +0700
Subject: [Fedora-directory-users] SOLVED: Remote console fails for access to Fedora-DS 1.1
In-Reply-To: <484ED765.5050108@redhat.com>
References: <484D5660.5070904@hrd-asia.com> <484DBE02.2000300@redhat.com> <484DE82F.8010800@hrd-asia.com> <484E171C.7070902@hrd-asia.com> <7020fd000806100254p5044fe0ape66d837fc3cb5d0e@mail.gmail.com> <7020fd000806100258q6a5d711bodd7e82f671244324@mail.gmail.com> <484E9E1D.1050608@hrd-asia.com> <484EA264.2010802@redhat.com> <484EA45A.1060307@hrd-asia.com> <484EA4F6.8080508@redhat.com> <484EAFED.4050203@hrd-asia.com> <484EB6D2.7030401@redhat.com> <484ECED6.4040008@hrd-asia.com> <484ED765.5050108@redhat.com>
Message-ID: <484F4FD0.3010200@hrd-asia.com>

> I believe the migration did upgrade you to Fedora Directory Server
> 1.1, which you can verify in the ns-slapd errors log. The problem is
> that not all of the entries used by the Administration Server were
> properly updated. You should be able to look through the
> "o=NetscapeRoot" portion of your tree to see where 1.0.4 is still
> referenced and change them. The incorrect jar file name should be
> listed in an attribute there as well.

Nathan, thank you - that finally did it!

To summarize:
Directory server and admin server were upgraded (migrated) from version 1.0.4 to 1.1. Migration was handled by provided script migrate-ds-admin.pl. After migration, fedora-idm-console from remote workstation was able to open admin server, but not directory server. This setup worked when servers and remote console were still at version 1.0.4.

Cause:
It was found that during migration several entries in subtree below "o=NetscapeRoot" (section "cn=Fedora Directory Server") were still pointing to the old file fedora-ds-1.0.jar.
Actually, all references in cn=Fedora Directory Server were still pointing to the old jar file. There were other (textual) references to previous version no. 1.0.4 as well. Altogether, this prevented access from local (on the server itself) as well as remote console to the Fedora Directory Server configuration window. The console tried to load fedora-ds-1.0.jar from the server which was (of course) not available.

Remedy:
Used a third-party tool (www.jxplorer.org) to manually change all references in the aforementioned tree part from fedora-ds-1.0.jar into fedora-ds-1.1.jar.

Acknowledgements:
A big Thank You goes to Nathan, Rich and solarflow99 who guided me after a week of fruitless fumbling within two days to the solution.

Regards,
Wolf

From sigidwu at gmail.com Wed Jun 11 05:00:22 2008
From: sigidwu at gmail.com (sigid@JINLab)
Date: Wed, 11 Jun 2008 12:00:22 +0700
Subject: [Fedora-directory-users] password incorrect or directory problem
In-Reply-To: <484F34A9.8080107@redhat.com>
References: <4848783C.5040602@redhat.com> <48489719.5070503@gmail.com> <48495111.2000007@redhat.com> <484F29C8.8010707@gmail.com> <484F34A9.8080107@redhat.com>
Message-ID: <484F5BE6.6050209@gmail.com>

Rich Megginson wrote:
> sigid at JINLab wrote:
>> Rich Megginson wrote:
>>> sigid at JINLab wrote:
>>>> Rich Megginson wrote:
>>>>> beto .. wrote:
>>>>>>
>>>>>> *When I start fedora-idm-console i get this message: password
>>>>>> incorrect or directory problem
>>>>>> any solution for this problem? Help me please!
>>>>>> *
>>>>> fedora-idm-console -D 9 -f console.log
>>>>> Then check console.log
>>>>
>>>> It seems like http response time out problem but my web server has
>>>> been run well.
>>> Open a web browser on the same machine (the same machine from which
>>> you are attempting to run the console) and try to go to url
>>> http://jstsvr3:7749/admin-serv/authenticate
>>
>> i tried to access using firefox and no time out message but i'm
>> waiting forever because no login form appears.
> Do you see a connection attempt in the admin server access log? Could
> this be a DNS or firewall issue?

There are no changes on access log (using tail -f /var/log/dirsrv/slapd-jstsvr3/access)

To make sure that there is no problem with DNS and firewall, this is what i do:
1. querying ldap database using command "ldapsearch -x -h jstsvr3" both from local (jstsvr3) and remote host.
==> result is OK (viewing responses and entries)
2. accessing web page using firefox executed on local (jstsvr3) and remote host.
==> result is OK (viewing testpage)

Is there anything i can do for testing?

From lbigum at iseek.com.au Wed Jun 11 05:05:44 2008
From: lbigum at iseek.com.au (Luke Bigum)
Date: Wed, 11 Jun 2008 15:05:44 +1000
Subject: [Fedora-directory-users] password incorrect or directory problem
In-Reply-To: <484F5BE6.6050209@gmail.com>
References: <4848783C.5040602@redhat.com> <48489719.5070503@gmail.com> <48495111.2000007@redhat.com> <484F29C8.8010707@gmail.com> <484F34A9.8080107@redhat.com> <484F5BE6.6050209@gmail.com>
Message-ID: <50A3F7088FE1A14FB0CF57A2248738865B67A84257@EXCHANGE1.intranet.iseek.com.au>

Sigid, I think Rich means the admin server access log, which is different to the directory server access log. See /var/log/dirsrv/admin-serv/access. Tail that, then try connect with Firefox and the admin console. Are you seeing any connections?

--
Luke Bigum
Systems Administrator
iseek Communications Pty Ltd
Excellence in business data solutions
ph 1300 661 668
fax 1300 661 540
www.iseek.com.au

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of sigid at JINLab
Sent: Wednesday, 11 June 2008 3:00 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] password incorrect or directory problem

Rich Megginson wrote:
> sigid at JINLab wrote:
>> Rich Megginson wrote:
>>> sigid at JINLab wrote:
>>>> Rich Megginson wrote:
>>>>> beto .. wrote:
>>>>>>
>>>>>> *When I start fedora-idm-console i get this message: password
>>>>>> incorrect or directory problem
>>>>>> any solution for this problem? Help me please!
>>>>>> *
>>>>> fedora-idm-console -D 9 -f console.log
>>>>> Then check console.log
>>>>
>>>> It seems like http response time out problem but my web server has
>>>> been run well.
>>> Open a web browser on the same machine (the same machine from which
>>> you are attempting to run the console) and try to go to url
>>> http://jstsvr3:7749/admin-serv/authenticate
>>
>> i tried to access using firefox and no time out message but i'm
>> waiting forever because no login form appears.
> Do you see a connection attempt in the admin server access log? Could
> this be a DNS or firewall issue?

There are no changes on access log (using tail -f /var/log/dirsrv/slapd-jstsvr3/access)

To make sure that there is no problem with DNS and firewall, this is what i do:
1. querying ldap database using command "ldapsearch -x -h jstsvr3" both from local (jstsvr3) and remote host.
==> result is OK (viewing responses and entries)
2. accessing web page using firefox executed on local (jstsvr3) and remote host.
==> result is OK (viewing testpage)

Is there anything i can do for testing?
From sigidwu at gmail.com Wed Jun 11 06:10:11 2008
From: sigidwu at gmail.com (sigid@JINLab)
Date: Wed, 11 Jun 2008 13:10:11 +0700
Subject: [Fedora-directory-users] password incorrect or directory problem
In-Reply-To: <50A3F7088FE1A14FB0CF57A2248738865B67A84257@EXCHANGE1.intranet.iseek.com.au>
References: <4848783C.5040602@redhat.com> <48489719.5070503@gmail.com> <48495111.2000007@redhat.com> <484F29C8.8010707@gmail.com> <484F34A9.8080107@redhat.com> <484F5BE6.6050209@gmail.com> <50A3F7088FE1A14FB0CF57A2248738865B67A84257@EXCHANGE1.intranet.iseek.com.au>
Message-ID: <484F6C43.1050807@gmail.com>

Luke Bigum wrote:
> Sigid, I think Rich means the admin server access log, which is different to the directory server access log. See /var/log/dirsrv/admin-serv/access. Tail that, then try connect with Firefox and the admin console. Are you seeing any connections?

my admin access log was empty and tail showed nothing when i access using firefox or console.
But my admin error log shows

[Wed Jun 11 13:05:28 2008] [notice] child pid 17620 exit signal Segmentation fault (11)
[Wed Jun 11 13:05:29 2008] [notice] child pid 17621 exit signal Segmentation fault (11)
[Wed Jun 11 13:05:30 2008] [notice] child pid 17622 exit signal Segmentation fault (11)
[Wed Jun 11 13:05:32 2008] [notice] child pid 17623 exit signal Segmentation fault (11)
[Wed Jun 11 13:05:34 2008] [notice] child pid 17624 exit signal Segmentation fault (11)
[Wed Jun 11 13:05:36 2008] [notice] child pid 17625 exit signal Segmentation fault (11)
[Wed Jun 11 13:05:38 2008] [notice] child pid 17626 exit signal Segmentation fault (11)
[Wed Jun 11 13:05:40 2008] [notice] child pid 17627 exit signal Segmentation fault (11)
[Wed Jun 11 13:05:42 2008] [notice] child pid 17628 exit signal Segmentation fault (11)
[Wed Jun 11 13:05:44 2008] [notice] child pid 17629 exit signal Segmentation fault (11)
[Wed Jun 11 13:05:46 2008] [notice] child pid 17631 exit signal Segmentation fault (11)
[Wed Jun 11 13:05:48 2008] [notice] child pid 17632 exit signal Segmentation fault (11)
[Wed Jun 11 13:05:50 2008] [notice] child pid 17633 exit signal Segmentation fault (11)
...

Note that the errors continue until the connection to FDS admin was closed or timed out.

From k.brown at bbk.ac.uk Wed Jun 11 14:43:03 2008
From: k.brown at bbk.ac.uk (ken)
Date: Wed, 11 Jun 2008 15:43:03 +0100
Subject: [Fedora-directory-users] ldapmodify to add OU failed, and led to "ldap_search: Operations error"
Message-ID: <484FE477.4040503@bbk.ac.uk>

ldapmodify to add OU failed, and led to "ldap_search: Operations error"

I set up a directory and am feeling my way towards making it live by doing one thing at a time. I successfully added quite a large number of users using ldapmodify, and could retrieve them with ldapsearch and db2ldif.

Then I tried to add some new OUs in order to copy a subset of the OU hierarchy we have on Windows. But when I ran the ldapmodify it failed.
From that moment on, every ldapsearch I tried resulted in:

ldap_search: Operations error

I stopped and restarted the ldap daemon and now every search I try produces:

ldap_search: No such object

The database looks as if it is empty

What did I do wrong? Can a botched modify so easily wipe out what is already there? Or are they secretly hiding somewhere? Is there a utility that can show me what is actually in the database even if I don't know what its root name is? (I thought db2ldif might do that and it shows nothing now)

I know I can wipe this database entirely (it looks like I already have!) and re-install. BUT I want to know what I did wrong so I don't do it again. The LDIFs to be imported into the directory will come from a program I wrote (it gathers information from various sources such as an SQL database, WAD, /etc/passwd...) and I really don't want to risk repeating my mistake in batch runs at 2am after we've gone live and coming in to find no-one can use the directory.

Any clues?

Examples of what I did:

Command used to import LDIF to define an OU
========================
ldapmodify -a -B "dc=bbk,dc=ac,dc=uk" -D "cn=directory manager" -w [PWD]
========================

the LDIF that was used:
========================
dn: ou=students,ou=people,dc=bbk,dc=ac,dc=uk
objectClass: top
objectClass: organizationalunit
ou: students
========================

Error log from ldapmodify:
==========================================
[09/Jun/2008:19:54:47 +0100] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[09/Jun/2008:19:54:47 +0100] - Bulk import: begin import on 'dc=bbk,dc=ac,dc=uk'.
[09/Jun/2008:19:54:56 +0100] - import userRoot: WARNING: Skipping entry "ou=students,ou=people,dc=bbk,dc=ac,dc=uk" which has no parent, ending at line 0 of file "(bulk import)"
[09/Jun/2008:19:55:05 +0100] - import userRoot: Workers finished; cleaning up...
[09/Jun/2008:19:55:05 +0100] - import userRoot: Workers cleaned up.
[09/Jun/2008:19:55:05 +0100] - import userRoot: Indexing complete. Post-processing...
[09/Jun/2008:19:55:05 +0100] - Nothing to do to build ancestorid index
[09/Jun/2008:19:55:05 +0100] - import userRoot: Flushing caches...
[09/Jun/2008:19:55:05 +0100] - import userRoot: Closing files...
[09/Jun/2008:19:55:05 +0100] - import userRoot: Import complete. Processed 1 entries (1 were skipped) in 18 seconds. (0.06 entries/sec)
[09/Jun/2008:19:55:05 +0100] - Bulk import completed successfully.
==========================================

There was no error message on the screen, but the log says the object "has no parent". Though as far as I can tell it has the same parent as the user entries I added successfully, such as:

========================
# ldapsearch -b 'dc=bbk,dc=ac,dc=uk' -D "cn=directory manager" -w [PWD] '(objectclass=person)'
version: 1
dn: cn=xlean99,ou=people,dc=bbk,dc=ac,dc=uk
cn: xlean99
description: A mythical person to test LDAP with
objectClass: person
objectClass: top
sn: Lean
========================

Which was in there but is no longer.
But now I see things like:

========================
[ken@~]$ /usr/lib/mozldap/ldapsearch -b 'dc=bbk,dc=ac,dc=uk' -D "cn=uxxxxxx" '(cn=uxxxxxx)'
ldap_search: No such object
[ken@~]$ ldapsearch -b 'dc=bbk,dc=ac,dc=uk' -D "cn=directory manager" -w [PWD] '(objectclass=person)'
ldap_search: No such object
[ken@~]$ ldapsearch -b 'dc=bbk,dc=ac,dc=uk' '(objectclass=*)'
ldap_search: No such object
========================

And most worryingly of all:

========================
[ken@~]$ ldapsearch -b "" -s base -D "cn=directory manager" -w [PWD] '(objectclass=*)' namingContext
version: 1
dn:
[ken@~]$
========================

:-(

It's not a permissions problem because this works:

========================
ldapsearch -b o=netscaperoot "objectclass=*" cn
========================

This also still works:

========================
[]# /usr/lib/dirsrv/slapd-ldap1/db2ldif -n NetscapeRoot -a /tmp/stuff2.ldif
Exported ldif file: /tmp/stuff2.ldif
ldiffile: /tmp/stuff2.ldif
[11/Jun/2008:14:03:47 +0100] - export NetscapeRoot: Processed 95 entries (100%).
[11/Jun/2008:14:03:47 +0100] - All database threads now stopped
========================

But this produces nothing:

========================
[]# /usr/lib/dirsrv/slapd-ldap1/db2ldif -n UserRoot -a /tmp/stuffU.ldif
Exported ldif file: /tmp/stuffU.ldif
ldiffile: /tmp/stuffU.ldif
[11/Jun/2008:14:38:23 +0100] - All database threads now stopped
[]# more /tmp/stuffU.ldif
version: 1
========================

From rmeggins at redhat.com Wed Jun 11 18:03:03 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 11 Jun 2008 12:03:03 -0600
Subject: [Fedora-directory-users] Re: MMR: excessive clock skew
In-Reply-To: <89F8E2BC-9610-4474-A68F-0D3FB72D69B4@email.arizona.edu>
References: <89F8E2BC-9610-4474-A68F-0D3FB72D69B4@email.arizona.edu>
Message-ID: <48501357.2070704@redhat.com>

Gary Windham wrote:
> Sorry for not replying to the original thread, but I just joined this
> list.
>
> On Tue, 13 May 2008, Rich Megginson wrote:
>
> > Has anyone seen these errors with 1.1? We fixed a few 64-bit issues
> in 1.1.
>
> I am running two 32-bit FDS 1.1 (fedora-ds-1.1.0-3.fc6) servers, on
> RHEL 5.1, in an MMR configuration. These servers, which are
> configured behind a load balancer, act as the University's central
> authentication service. We are using the password policy plugin
> and have the "passwordisglobalpolicy" setting enabled, so there is a
> substantial amount of write activity due to replication of
> password-policy-related attributes (e.g., passwordRetryCount,
> retryCountResetTime, etc). Time on both systems is synchronized via
> NTP; clocks are in sync.
>
> We have the same situation as Reinhard Nappert reported on 5/13/2008:
> MMR will work fine for a while (usually a few weeks; the longest
> period we've gone is a month, the shortest time a few hours).
> Eventually replication will fail with the following sequence of
> messages in the errors log:
>
> [24/May/2008:05:18:54 -0700] - csngen_adjust_time: adjustment limit
> exceeded; value - 86401, limit - 86400
> [24/May/2008:05:18:54 -0700] NSMMReplicationPlugin - conn=1800
> op=60262 replica="": Unable to acquire replica: error:
> excessive clock skew
> [24/May/2008:05:20:05 -0700] - csngen_adjust_time: adjustment limit
> exceeded; value - 86401, limit - 86400
> [24/May/2008:05:20:05 -0700] NSMMReplicationPlugin -
> agmt="cn=kif2zapp" (zapp:389): Incremental protocol: fatal error
> - too much time skew between replicas!
> [24/May/2008:05:20:05 -0700] NSMMReplicationPlugin -
> agmt="cn=kif2zapp" (zapp:389): Incremental update failed and
> requires administrator action
>
> The "csngen_adjust_time" error message always reports the same value
> when this occurs (86401).
>
> We have also employed the workaround described by Chris St. Pierre in
> https://bugzilla.redhat.com/show_bug.cgi?id=233642#c3. This resolves
> the problem for a short while, but it always reappears. BTW, I was in
> contact with Chris recently about his experiences with MMR and he said
> that, in addition to moving to FDS 1.1, he moved a lot of "frequently
> updated" data out of FDS and into MySQL, and that his problem
> disappeared afterward; obviously this isn't a solution for us as we
> are utilizing FDS as an authentication engine.
>
> We are desperately trying to find a solution to this issue that will
> allow us to continue using MMR...we could resort to a traditional
> passive/active + shared storage HA design, but we want to keep that as
> a last resort. If there is any additional information I should
> provide, please let me know.

I've attached a script to https://bugzilla.redhat.com/show_bug.cgi?id=233642 to help diagnose this problem.

>
> --
> Gary Windham
> Senior Enterprise Systems Architect
> The University of Arizona, UITS
> +1 520 626 5981

From rmeggins at redhat.com Wed Jun 11 18:04:21 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 11 Jun 2008 12:04:21 -0600
Subject: [Fedora-directory-users] multi master problem
In-Reply-To:
References:
Message-ID: <485013A5.3090903@redhat.com>

g.digiambelardini at fabaris.it wrote:
> Hi to all,
> this is my first time here, I have a big problem, until 3 days ago
> everything work well in my ldap multimaster, but then the replication has stop
> to work.
> So I try to disconnect and reconnect with mmr.pl ( old & new ), but I receive
> always the same error:
>
What platform? What version of Fedora DS?
> on server1:
>
> NSMMReplicationPlugin - Beginning total update of replica
> "agmt="cn="Replication to server2.pippo.it"" (server2:389)".
> [04/Jun/2008:11:57:18 +0200] NSMMReplicationPlugin - csnplCommit: can't > find csn 484666fe000100010000 > [04/Jun/2008:11:57:18 +0200] NSMMReplicationPlugin - ruv_update_ruv: cannot > commit csn 484666fe000100010000 > [04/Jun/2008:11:57:18 +0200] NSMMReplicationPlugin - replica_update_ruv: > unable to update RUV for replica dc=pippo,dc=it, csn = 484666fe000100010000 > [04/Jun/2008:11:57:18 +0200] NSMMReplicationPlugin - csnplCommit: can't > find csn 484666fe000200010000 > [04/Jun/2008:11:57:18 +0200] NSMMReplicationPlugin - ruv_update_ruv: cannot > commit csn 484666fe000200010000 > [04/Jun/2008:11:57:18 +0200] NSMMReplicationPlugin - replica_update_ruv: > unable to update RUV for replica dc=pippo,dc=it, csn = 484666fe000200010000 > [04/Jun/2008:11:57:18 +0200] NSMMReplicationPlugin - csnplCommit: can't > find csn 484666fe000000010000 > [04/Jun/2008:11:57:18 +0200] NSMMReplicationPlugin - ruv_update_ruv: cannot > commit csn 484666fe000000010000 > [04/Jun/2008:11:57:19 +0200] NSMMReplicationPlugin - replica_update_ruv: > unable to update RUV for replica dc=pippo,dc=it, csn = 484666fe000000010000 > [04/Jun/2008:11:57:41 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Failed to send extended operation: > LDAP error 81 (Can't contact LDAP server) > [04/Jun/2008:11:57:41 +0200] NSMMReplicationPlugin - csnplCommit: can't > find csn 48466715000000010000 > [04/Jun/2008:11:57:41 +0200] NSMMReplicationPlugin - ruv_update_ruv: cannot > commit csn 48466715000000010000 > [04/Jun/2008:11:57:41 +0200] NSMMReplicationPlugin - replica_update_ruv: > unable to update RUV for replica dc=pippo,dc=it, csn = 48466715000000010000 > [04/Jun/2008:11:57:41 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Received error 89: NULL for total > update operation > [04/Jun/2008:11:57:41 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Received error 89: NULL for total > 
update operation > [04/Jun/2008:11:57:41 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Received error 89: NULL for total > update operation > [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Received error 89: NULL for total > update operation > [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Received error 89: NULL for total > update operation > [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Received error 89: NULL for total > update operation > [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Received error 89: NULL for total > update operation > [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Received error 89: NULL for total > update operation > [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Received error 89: NULL for total > update operation > [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Received error 89: NULL for total > update operation > [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Received error 89: NULL for total > update operation > [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Received error 89: NULL for total > update operation > [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Received error 89: NULL for total > update operation > [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): 
Received error 89: NULL for total > update operation > [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Received error 89: NULL for total > update operation > [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Received error 89: NULL for total > update operation > [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Received error 89: NULL for total > update operation > [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Received error 89: NULL for total > update operation > [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Received error 89: NULL for total > update operation > [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Warning: unable to send endReplication > extended operation (Bad parameter to an ldap routine) > [04/Jun/2008:11:57:42 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:57:46 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:57:50 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. 
> [04/Jun/2008:11:57:52 +0200] NSMMReplicationPlugin - csnplCommit: can't > find csn 48466720000000010000 > [04/Jun/2008:11:57:52 +0200] NSMMReplicationPlugin - ruv_update_ruv: cannot > commit csn 48466720000000010000 > [04/Jun/2008:11:57:52 +0200] NSMMReplicationPlugin - replica_update_ruv: > unable to update RUV for replica dc=pippo,dc=it, csn = 48466720000000010000 > [04/Jun/2008:11:57:54 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:57:58 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:58:02 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:58:06 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:58:11 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:58:14 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:58:14 +0200] NSMMReplicationPlugin - csnplCommit: can't > find csn 48466736000100010000 > [04/Jun/2008:11:58:14 +0200] NSMMReplicationPlugin - ruv_update_ruv: cannot > commit csn 48466736000100010000 > [04/Jun/2008:11:58:14 +0200] NSMMReplicationPlugin - replica_update_ruv: > unable to update RUV for replica dc=pippo,dc=it, csn = 48466736000100010000 > [04/Jun/2008:11:58:17 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. 
> [04/Jun/2008:11:58:20 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:58:23 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:58:26 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:58:29 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:58:32 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:58:36 +0200] NSMMReplicationPlugin - csnplCommit: can't > find csn 4846674c000100010000 > [04/Jun/2008:11:58:36 +0200] NSMMReplicationPlugin - ruv_update_ruv: cannot > commit csn 4846674c000100010000 > [04/Jun/2008:11:58:36 +0200] NSMMReplicationPlugin - replica_update_ruv: > unable to update RUV for replica dc=pippo,dc=it, csn = 4846674c000100010000 > [04/Jun/2008:11:58:36 +0200] NSMMReplicationPlugin - csnplCommit: can't > find csn 4846674c000200010000 > [04/Jun/2008:11:58:36 +0200] NSMMReplicationPlugin - ruv_update_ruv: cannot > commit csn 4846674c000200010000 > [04/Jun/2008:11:58:36 +0200] NSMMReplicationPlugin - replica_update_ruv: > unable to update RUV for replica dc=pippo,dc=it, csn = 4846674c000200010000 > [04/Jun/2008:11:58:36 +0200] NSMMReplicationPlugin - csnplCommit: can't > find csn 4846674c000000010000 > [04/Jun/2008:11:58:36 +0200] NSMMReplicationPlugin - ruv_update_ruv: cannot > commit csn 4846674c000000010000 > [04/Jun/2008:11:58:36 +0200] NSMMReplicationPlugin - replica_update_ruv: > unable to update RUV for replica dc=pippo,dc=it, csn = 4846674c000000010000 > 
[04/Jun/2008:11:58:36 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:58:40 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:58:44 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:58:46 +0200] NSMMReplicationPlugin - csnplCommit: can't > find csn 48466756000000010000 > [04/Jun/2008:11:58:46 +0200] NSMMReplicationPlugin - ruv_update_ruv: cannot > commit csn 48466756000000010000 > [04/Jun/2008:11:58:46 +0200] NSMMReplicationPlugin - replica_update_ruv: > unable to update RUV for replica dc=pippo,dc=it, csn = 48466756000000010000 > [04/Jun/2008:11:58:48 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:58:52 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:58:56 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:59:00 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:59:04 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:59:07 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. 
> [04/Jun/2008:11:59:10 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:59:13 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:59:16 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:59:19 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:59:22 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:59:25 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:59:29 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. > [04/Jun/2008:11:59:33 +0200] NSMMReplicationPlugin - agmt="cn="Replication > to server2.pippo.it"" (server2:389): Replica has a different generation ID > than the local data. 
> [04/Jun/2008:11:59:34 +0200] NSMMReplicationPlugin - csnplCommit: can't > find csn 48466786000000010000 > [04/Jun/2008:11:59:34 +0200] NSMMReplicationPlugin - ruv_update_ruv: cannot > commit csn 48466786000000010000 > [04/Jun/2008:11:59:34 +0200] NSMMReplicationPlugin - replica_update_ruv: > unable to update RUV for replica dc=pippo,dc=it, csn = 48466786000000010000 > > on server2: > > NSMMReplicationPlugin - replica_replace_ruv_tombstone: failed to update > replication update vector for replica dc=pippo,dc=it: LDAP error - 1 > [04/Jun/2008:11:56:57 +0200] NSMMReplicationPlugin - > multimaster_be_state_change: replica dc=pippo,dc=it is going offline; > disabling replication > [04/Jun/2008:11:56:57 +0200] - WARNING: Import is running with > nsslapd-db-private-import-mem on; No other process is allowed to access the > database > [04/Jun/2008:11:57:17 +0200] - import userRoot: Processed 30051 entries -- > average rate 1502.5/sec, recent rate 1502.5/sec, hit ratio 0% > [04/Jun/2008:11:57:29 +0200] - ERROR bulk import abandoned > [04/Jun/2008:11:57:29 +0200] - import userRoot: Aborting all import > threads... > [04/Jun/2008:11:57:35 +0200] - import userRoot: Import threads aborted. > [04/Jun/2008:11:57:35 +0200] - import userRoot: Closing files... 
> [04/Jun/2008:11:57:41 +0200] - libdb: userRoot/mailAlternateAddress.db4: > unable to flush: No such file or directory > [04/Jun/2008:11:57:41 +0200] - libdb: userRoot/mail.db4: unable to flush: > No such file or directory > [04/Jun/2008:11:57:41 +0200] - libdb: userRoot/givenName.db4: unable to > flush: No such file or directory > [04/Jun/2008:11:57:41 +0200] - libdb: userRoot/sn.db4: unable to flush: No > such file or directory > [04/Jun/2008:11:57:41 +0200] - libdb: userRoot/telephoneNumber.db4: unable > to flush: No such file or directory > [04/Jun/2008:11:57:41 +0200] - libdb: userRoot/uid.db4: unable to flush: No > such file or directory > [04/Jun/2008:11:57:41 +0200] - libdb: userRoot/cn.db4: unable to flush: No > such file or directory > [04/Jun/2008:11:57:41 +0200] - libdb: userRoot/nsUniqueId.db4: unable to > flush: No such file or directory > [04/Jun/2008:11:57:41 +0200] - libdb: userRoot/objectclass.db4: unable to > flush: No such file or directory > [04/Jun/2008:11:57:41 +0200] - libdb: userRoot/parentid.db4: unable to > flush: No such file or directory > [04/Jun/2008:11:57:41 +0200] - libdb: userRoot/entrydn.db4: unable to > flush: No such file or directory > [04/Jun/2008:11:57:41 +0200] - libdb: userRoot/id2entry.db4: unable to > flush: No such file or directory > [04/Jun/2008:11:57:41 +0200] - import userRoot: Import failed. 
> [04/Jun/2008:11:57:42 +0200] - process_bulk_import_op: NULL backend > [04/Jun/2008:11:57:43 +0200] NSMMReplicationPlugin - > replica_replace_ruv_tombstone: failed to update replication update vector > for replica dc=pippo,dc=it: LDAP error - 1 > [04/Jun/2008:11:57:47 +0200] NSMMReplicationPlugin - > replica_replace_ruv_tombstone: failed to update replication update vector > for replica dc=pippo,dc=it: LDAP error - 1 > [04/Jun/2008:11:57:51 +0200] NSMMReplicationPlugin - > replica_replace_ruv_tombstone: failed to update replication update vector > for replica dc=pippo,dc=it: LDAP error - 1 > [04/Jun/2008:11:57:55 +0200] NSMMReplicationPlugin - > replica_replace_ruv_tombstone: failed to update replication update vector > for replica dc=pippo,dc=it: LDAP error - 1 > [04/Jun/2008:11:57:59 +0200] NSMMReplicationPlugin - > replica_replace_ruv_tombstone: failed to update replication update vector > for replica dc=pippo,dc=it: LDAP error - 1 > [04/Jun/2008:11:58:03 +0200] NSMMReplicationPlugin - > replica_replace_ruv_tombstone: failed to update replication update vector > for replica dc=pippo,dc=it: LDAP error - 1 > [04/Jun/2008:11:58:07 +0200] NSMMReplicationPlugin - > replica_replace_ruv_tombstone: failed to update replication update vector > for replica dc=pippo,dc=it: LDAP error - 1 > [04/Jun/2008:11:58:11 +0200] NSMMReplicationPlugin - > replica_replace_ruv_tombstone: failed to update replication update vector > for replica dc=pippo,dc=it: LDAP error - 1 > [04/Jun/2008:11:58:14 +0200] NSMMReplicationPlugin - > replica_replace_ruv_tombstone: failed to update replication update vector > for replica dc=pippo,dc=it: LDAP error - 1 > > > > -------------------------------------------------------------------------- > > > Somebody can help me please??? 
> thanks for any suggestion
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From rmeggins at redhat.com Wed Jun 11 18:05:09 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 11 Jun 2008 12:05:09 -0600
Subject: [Fedora-directory-users] password incorrect or directory problem
In-Reply-To: <484F6C43.1050807@gmail.com>
References: <4848783C.5040602@redhat.com> <48489719.5070503@gmail.com> <48495111.2000007@redhat.com> <484F29C8.8010707@gmail.com> <484F34A9.8080107@redhat.com> <484F5BE6.6050209@gmail.com> <50A3F7088FE1A14FB0CF57A2248738865B67A84257@EXCHANGE1.intranet.iseek.com.au> <484F6C43.1050807@gmail.com>
Message-ID: <485013D5.9080607@redhat.com>

sigid at JINLab wrote:
> Luke Bigum wrote:
>> Sigid, I think Rich means the admin server access log, which is
>> different to the directory server access log. See
>> /var/log/dirsrv/admin-serv/access. Tail that, then try connect with
>> Firefox and the admin console. Are you seeing any connections?
>
> my admin access log was empty and tail was show nothing when i access
> using firefox or console. But my admin error log shows

eek - this is very bad. What platform is this? What version of Fedora DS?

> [Wed Jun 11 13:05:28 2008] [notice] child pid 17620 exit signal
> Segmentation fault (11)
> [Wed Jun 11 13:05:29 2008] [notice] child pid 17621 exit signal
> Segmentation fault (11)
> [Wed Jun 11 13:05:30 2008] [notice] child pid 17622 exit signal
> Segmentation fault (11)
> [Wed Jun 11 13:05:32 2008] [notice] child pid 17623 exit signal
> Segmentation fault (11)
> [Wed Jun 11 13:05:34 2008] [notice] child pid 17624 exit signal
> Segmentation fault (11)
> [Wed Jun 11 13:05:36 2008] [notice] child pid 17625 exit signal
> Segmentation fault (11)
> [Wed Jun 11 13:05:38 2008] [notice] child pid 17626 exit signal
> Segmentation fault (11)
> [Wed Jun 11 13:05:40 2008] [notice] child pid 17627 exit signal
> Segmentation fault (11)
> [Wed Jun 11 13:05:42 2008] [notice] child pid 17628 exit signal
> Segmentation fault (11)
> [Wed Jun 11 13:05:44 2008] [notice] child pid 17629 exit signal
> Segmentation fault (11)
> [Wed Jun 11 13:05:46 2008] [notice] child pid 17631 exit signal
> Segmentation fault (11)
> [Wed Jun 11 13:05:48 2008] [notice] child pid 17632 exit signal
> Segmentation fault (11)
> [Wed Jun 11 13:05:50 2008] [notice] child pid 17633 exit signal
> Segmentation fault (11)
> ...
>
> Note that the errors continue until the connection to FDS admin was
> closed or timed out.

From rmeggins at redhat.com Wed Jun 11 18:06:45 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 11 Jun 2008 12:06:45 -0600
Subject: [Fedora-directory-users] ldapmodify to add OU failed, and led to "ldap_search: Operations error"
In-Reply-To: <484FE477.4040503@bbk.ac.uk>
References: <484FE477.4040503@bbk.ac.uk>
Message-ID: <48501435.60006@redhat.com>

ken wrote:
> ldapmodify to add OU failed, and led to "ldap_search: Operations error"
>
> I set up a directory and am feeling my way towards making it live by
> doing one thing at a time. I successfully added quite a large number
> of users using ldapmodify, and could retrieve them with ldapsearch and
> db2ldif.
>
> Then I tried to add some new OUs in order to copy a subset of the OU
> hierarchy we have on Windows. But when I ran the ldapmodify it failed.
>
> From that moment on, every ldapsearch I tried resulted in:
> ldap_search: Operations error
>
> I stopped and restarted the ldap daemon and now every search I try
> produces:
> ldap_search: No such object
>
> The database looks as if it is empty
>
> What did I do wrong? Can a botched modify so easily wipe out what is
> already there? Or are they secretly hiding somewhere? Is there a
> utility that can show me what is actually in the database even if I
> don't know what its root name is? (I thought db2ldif might do that and
> it shows nothing now)
>
> I know I can wipe this database entirely (it looks like I already
> have!) and re-install. BUT I want to know what I did wrong so I don't
> do it again. The LDIFs to be imported into the directory will come
> from a program I wrote (it gathers information from various sources
> such as an SQL database, WAD, /etc/passwd...) and I really don't want
> to risk repeating my mistake in batch runs at 2am after we've gone
> live and coming in to find no-one can use the directory.
>
>
> Any clues?
>
> Examples of what I did:
>
> Command used to import LDIF to define an OU
>
> ========================
> ldapmodify -a -B "dc=bbk,dc=ac,dc=uk" -D "cn=directory manager" -w
> [PWD]

Why are you using the -B option here? In mozldap ldapmodify, -B means
"bulk online import" which means
1) wipe out the database
2) use the database import code to import the given LDIF

> ========================
>
> the LDIF that was used:
>
> ========================
> dn: ou=students,ou=people,dc=bbk,dc=ac,dc=uk
> objectClass: top
> objectClass: organizationalunit
> ou: students
> ========================
>
> Error log from ldapmodify:
>
> ==========================================
> [09/Jun/2008:19:54:47 +0100] - WARNING: Import is running with
> nsslapd-db-private-import-mem on; No other process is allowed to
> access the database
> [09/Jun/2008:19:54:47 +0100] - Bulk import: begin import on
> 'dc=bbk,dc=ac,dc=uk'.
> [09/Jun/2008:19:54:56 +0100] - import userRoot: WARNING: Skipping
> entry "ou=students,ou=people,dc=bbk,dc=ac,dc=uk" which has no parent,
> ending at line 0 of file "(bulk import)"
> [09/Jun/2008:19:55:05 +0100] - import userRoot: Workers finished;
> cleaning up...
> [09/Jun/2008:19:55:05 +0100] - import userRoot: Workers cleaned up.
> [09/Jun/2008:19:55:05 +0100] - import userRoot: Indexing complete.
> Post-processing...
> [09/Jun/2008:19:55:05 +0100] - Nothing to do to build ancestorid index
> [09/Jun/2008:19:55:05 +0100] - import userRoot: Flushing caches...
> [09/Jun/2008:19:55:05 +0100] - import userRoot: Closing files...
> [09/Jun/2008:19:55:05 +0100] - import userRoot: Import complete.
> Processed 1 entries (1 were skipped) in 18 seconds. (0.06 entries/sec)
> [09/Jun/2008:19:55:05 +0100] - Bulk import completed successfully.
> ==========================================
>
> There was no error message on the screen, but the log says the object
> "has no parent". Though as far as I can tell it has the same parent as
> the user entries I added successfully, such as:
>
> ========================
> # ldapsearch -b 'dc=bbk,dc=ac,dc=uk' -D "cn=directory manager" -w
> [PWD] '(objectclass=person)'
> version: 1
> dn: cn=xlean99,ou=people,dc=bbk,dc=ac,dc=uk
> cn: xlean99
> description: A mythical person to test LDAP with
> objectClass: person
> objectClass: top
> sn: Lean
> ========================
>
> Which was in there but is no longer.
>
> But now I see things like:
>
> ========================
> [ken@~]$ /usr/lib/mozldap/ldapsearch -b 'dc=bbk,dc=ac,dc=uk' -D
> "cn=uxxxxxx" '(cn=uxxxxxx)'
> ldap_search: No such object
>
> [ken@~]$ ldapsearch -b 'dc=bbk,dc=ac,dc=uk' -D "cn=directory manager"
> -w [PWD] '(objectclass=person)'
> ldap_search: No such object
>
> [ken@~]$ ldapsearch -b 'dc=bbk,dc=ac,dc=uk' '(objectclass=*)'
> ldap_search: No such object
> ========================
>
> And most worryingly of all:
>
> ========================
> [ken@~]$ ldapsearch -b "" -s base -D "cn=directory manager" -w [PWD]
> '(objectclass=*)' namingContext
> version: 1
> dn:
> [ken@~]$
> ========================
>
> :-(
>
> It's not a permissions problem because this works:
>
> ========================
> ldapsearch -b o=netscaperoot "objectclass=*" cn
> ========================
>
> This also still works:
>
> ========================
> []# /usr/lib/dirsrv/slapd-ldap1/db2ldif -n NetscapeRoot -a
> /tmp/stuff2.ldif
> Exported ldif file: /tmp/stuff2.ldif
> ldiffile: /tmp/stuff2.ldif
> [11/Jun/2008:14:03:47 +0100] - export NetscapeRoot: Processed 95
> entries (100%).
> [11/Jun/2008:14:03:47 +0100] - All database threads now stopped
> ========================
>
> But this produces nothing:
>
> ========================
> []# /usr/lib/dirsrv/slapd-ldap1/db2ldif -n UserRoot -a /tmp/stuffU.ldif
> Exported ldif file: /tmp/stuffU.ldif
> ldiffile: /tmp/stuffU.ldif
> [11/Jun/2008:14:38:23 +0100] - All database threads now stopped
> []# more /tmp/stuffU.ldif
> version: 1
> ========================

From k.brown at bbk.ac.uk Wed Jun 11 18:39:19 2008
From: k.brown at bbk.ac.uk (ken)
Date: Wed, 11 Jun 2008 19:39:19 +0100
Subject: [Fedora-directory-users] ldapmodify to add OU failed, and led to "ldap_search: Operations error"
In-Reply-To: <48501435.60006@redhat.com>
References: <484FE477.4040503@bbk.ac.uk> <48501435.60006@redhat.com>
Message-ID: <48501BD7.4030402@bbk.ac.uk>

Rich Megginson wrote:
>> ========================
>> ldapmodify -a -B "dc=bbk,dc=ac,dc=uk"
> Why are you using the -B option here? In mozldap ldapmodify, -B means
> "bulk online import" which means
> 1) wipe out the database
> 2) use the database import code to import the given LDIF

That's my error! A simple typo. Probably the result of my habit of cutting and pasting commands from one place to another. One of those things that I didn't spot in two days of worrying about the command because when I looked at it I must have assumed it said what I intended it to say rather than what it actually said.

Thanks!

From wilmer at fedoraproject.org Thu Jun 12 02:19:42 2008
From: wilmer at fedoraproject.org (Wilmer Jaramillo M.)
Date: Thu, 12 Jun 2008 21:49:42 +1930
Subject: [Fedora-directory-users] FDS <-> AD: UID/GID and OU sync
In-Reply-To: <5fb622120804300134j3281fd9fsa65e23df910aa4e9@mail.gmail.com>
References: <5fb622120804300134j3281fd9fsa65e23df910aa4e9@mail.gmail.com>
Message-ID: <2b26c4260806111919m5696fe28lb74bfd6682b93778@mail.gmail.com>

2008/5/1 Alex Davies :
> Hi All,
>
> We have an AD architecture setup, and are looking to sync FDS with
> this to allow us to authenticate Linux machines and network devices.
>
> We have two AD domains, and have a winsync and passsync setup with one
> of the domain controllers in each domain. This works, subject to the
> limitation that we have to manually create each OU. Once we create the
> OU in FDS, the users appear at the next sync. Question 1: is it
> possible to automatically sync *all* OU's, including creating the OU
> in FDS if it does not exist? We have hundreds of OUs, and I don't want
> to have to create them all manually.

For records, maybe you can use my perl scripts for that. First for search all OU's automatically in a MS ADS:
http://wilmer.fedorapeople.org/scripts/ouSearch.pl

> Question 2 is on UNIX UID/GID sync from AD. I've found a couple of
> posts which imply that it is not possible to sync UID/GID from AD[1],
> but this was some time ago. An alternative piece of documentation
> suggests that it is, but provides no details[2]. I'm also struggling
> to find documentation on the libdna plugin, which I believe is
> involved[3].
> My questions are
> - Is it possible to sync UID/GID from AD (where AD has the Unix Tools
> installed, and therefore has these attributes in the schema).
> - Is it possible to automatically apply a unique UID/GID to each user
> that does not have a UID/GID?

Once imported the list of OU's, the users can be imported into FDS and create uid/gid automatically with:
http://wilmer.fedorapeople.org/scripts/ads2fds.pl

--
Wilmer Jaramillo M.
GPG Key Fingerprint = 0666 D0D3 24CE 8935 9C24 BBF1 87DD BEA2 A4B2 1E8A

From janfrode at tanso.net Thu Jun 12 19:15:49 2008
From: janfrode at tanso.net (Jan Frode Myklebust)
Date: Thu, 12 Jun 2008 21:15:49 +0200
Subject: [Fedora-directory-users] fds + kerberos
Message-ID:

I have fds set up for user management, and have kerberos set up for authentication, but am a bit uncertain if I'm now finished, or if fds+kerberos are supposed to be better integrated.

Is the normal procedure for managing users:

- add user info to the directory (ldapadd)
- create user principal (addprinc username)

Or can the creation of user principal be automatically created from within fds when we create users there ?

-jf

From rmeggins at redhat.com Thu Jun 12 19:45:22 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 12 Jun 2008 13:45:22 -0600
Subject: [Fedora-directory-users] fds + kerberos
In-Reply-To:
References:
Message-ID: <48517CD2.6040205@redhat.com>

Jan Frode Myklebust wrote:
> I have fds set up for user management, and have kerberos set
> up for authentication, but am a bit uncertain if I'm now finished,
> or if fds+kerberos are supposed to be better integrated.
>
> Is the normal procedure for managing users:
>
> - add user info to the directory (ldapadd)
> - create user principal (addprinc username)
>
> Or can the creation of user principal be automatically created
> from within fds when we create users there ?
>

freeipa.org is a project dedicated to answering this and other similar ldap+kerberos questions.

>
> -jf

From sigidwu at gmail.com Fri Jun 13 00:55:57 2008
From: sigidwu at gmail.com (sigid@JINLab)
Date: Fri, 13 Jun 2008 07:55:57 +0700
Subject: [Fedora-directory-users] password incorrect or directory problem
In-Reply-To: <485013D5.9080607@redhat.com>
References: <4848783C.5040602@redhat.com> <48489719.5070503@gmail.com> <48495111.2000007@redhat.com> <484F29C8.8010707@gmail.com> <484F34A9.8080107@redhat.com> <484F5BE6.6050209@gmail.com> <50A3F7088FE1A14FB0CF57A2248738865B67A84257@EXCHANGE1.intranet.iseek.com.au> <484F6C43.1050807@gmail.com> <485013D5.9080607@redhat.com>
Message-ID: <4851C59D.1000709@gmail.com>

Rich Megginson wrote:
> sigid at JINLab wrote:
>> Luke Bigum wrote:
>>> Sigid, I think Rich means the admin server access log, which is
>>> different to the directory server access log. See
>>> /var/log/dirsrv/admin-serv/access. Tail that, then try connect with
>>> Firefox and the admin console. Are you seeing any connections?
>>
>> my admin access log was empty and tail was show nothing when i access
>> using firefox or console. But my admin error log shows
> eek - this is very bad. What platform is this? What version of Fedora DS?
i'm using fedora 8 kernel 2.6.24.7-92 with fedora ds as follows:
- fedora-ds-base 1.1.1-1
- fedora-ds 1.1.1-2
- fedora-ds-admin 1.1.4-1
- fedora-ds-admin-console 1.1.1-3
- fedora-ds-console 1.1.1-3

From janfrode at tanso.net Fri Jun 13 11:49:21 2008
From: janfrode at tanso.net (Jan Frode Myklebust)
Date: Fri, 13 Jun 2008 13:49:21 +0200
Subject: [Fedora-directory-users] Re: fds + kerberos
References: <48517CD2.6040205@redhat.com>
Message-ID:

On 2008-06-12, Rich Megginson wrote:
>> Is the normal procedure for managing users:
>>
>> - add user info to the directory (ldapadd)
>> - create user principal (addprinc username)
>>
>> Or can the creation of user principal be automatically created
>> from within fds when we create users there ?
>>
> freeipa.org is a project dedicated to answering this and other similar
> ldap+kerberos questions.

That felt a bit like an "Active Directory is a solution that does what you're trying to do, why don't you just use that" answer.. ;-)

I know about freeipa.org, have read most of the documentation and even lightly tested it. But, freeipa expects you to add/manipulate users through a webgui, or specialized freeipa-commands. That doesn't tell me much about what's happening behind the scene..

Also, we already have an identity management solution deployed (Sun Identity Manager), so my question is mostly if it should just update the directory server, and have the directory server create the kerberos principals. Or if it needs to know about both resources, and keep them both in sync.
-jf

From rmeggins at redhat.com Fri Jun 13 13:19:23 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 13 Jun 2008 07:19:23 -0600
Subject: [Fedora-directory-users] password incorrect or directory problem
In-Reply-To: <4851C59D.1000709@gmail.com>
References: <4848783C.5040602@redhat.com> <48489719.5070503@gmail.com> <48495111.2000007@redhat.com> <484F29C8.8010707@gmail.com> <484F34A9.8080107@redhat.com> <484F5BE6.6050209@gmail.com> <50A3F7088FE1A14FB0CF57A2248738865B67A84257@EXCHANGE1.intranet.iseek.com.au> <484F6C43.1050807@gmail.com> <485013D5.9080607@redhat.com> <4851C59D.1000709@gmail.com>
Message-ID: <485273DB.9010702@redhat.com>

sigid at JINLab wrote:
> Rich Megginson wrote:
>> sigid at JINLab wrote:
>>> Luke Bigum wrote:
>>>> Sigid, I think Rich means the admin server access log, which is
>>>> different to the directory server access log. See
>>>> /var/log/dirsrv/admin-serv/access. Tail that, then try connect with
>>>> Firefox and the admin console. Are you seeing any connections?
>>>
>>> my admin access log was empty and tail was show nothing when i
>>> access using firefox or console. But my admin error log shows
>> eek - this is very bad. What platform is this? What version of
>> Fedora DS?
>
> i'm using fedora 8 kernel 2.6.24.7-92 with fedora ds as follows:
> - fedora-ds-base 1.1.1-1
> - fedora-ds 1.1.1-2
> - fedora-ds-admin 1.1.4-1
> - fedora-ds-admin-console 1.1.1-3
> - fedora-ds-console 1.1.1-3

Thanks. 32-bit or 64-bit Fedora 8? Are the above packages 32-bit or 64-bit e.g.
rpm -qa --qf '%{name}-%{version}.%{arch}\n' | grep fedora-ds

From rmeggins at redhat.com Fri Jun 13 13:20:49 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 13 Jun 2008 07:20:49 -0600
Subject: [Fedora-directory-users] Re: fds + kerberos
In-Reply-To:
References: <48517CD2.6040205@redhat.com>
Message-ID: <48527431.2080707@redhat.com>

Jan Frode Myklebust wrote:
> On 2008-06-12, Rich Megginson wrote:
>
>>> Is the normal procedure for managing users:
>>>
>>> - add user info to the directory (ldapadd)
>>> - create user principal (addprinc username)
>>>
>>> Or can the creation of user principal be automatically created
>>> from within fds when we create users there ?
>>>
>>>
>> freeipa.org is a project dedicated to answering this and other similar
>> ldap+kerberos questions.
>>
>
> That felt a bit like an "Active Directory is a solution that does what
> you're trying to do, why don't you just use that" answer.. ;-)
>

Well, if you are just starting out with Fedora DS + Kerberos, that would be the way to go - but since you're not . . .

> I know about freeipa.org, have read most of the documentation and even
> lightly tested it. But, freeipa expects you to add/manipulate users through
> a webgui, or specialized freeipa-commands. That doesn't tell me much
> about what's happening behind the scene..
>
> Also, we already have an identity management solution deployed (Sun Identity
> Manager), so my question is mostly if it should just update the directory
> server, and have the directory server create the kerberos principals. Or if
> it needs to know about both resources, and keep them both in sync.
>

. . . you have to know about both resources, and keep them both in sync. I don't know much about Sun Identity Manager - perhaps it has tools to help you do this.
>
> -jf

From edlinuxguru at gmail.com Fri Jun 13 15:27:07 2008
From: edlinuxguru at gmail.com (Edward Capriolo)
Date: Fri, 13 Jun 2008 11:27:07 -0400
Subject: [Fedora-directory-users] LDAP and openssh-lpk or kerberos?
Message-ID:

I already have a working directory server doing password based LDAP login. Now I am looking to implement two factor authentication. One way to handle this that people are fairly familiar with is ssh public key authentication through SSH.

After a quick internet search I found this....
http://dev.inversepath.com/trac/openssh-lpk
http://dev.inversepath.com/openssh-lpk/ldap_fosdem_2006.pdf

This seems like it will work but has some drawbacks: Implementing this involves patching the SSH server. We are going to have to maintain our own patched open ssh RPM for several linux systems.

What other key solutions exist? I am looking into kerb5 now.

What I am looking for is something that does not involve configuring two systems. LDAP configuration + second system configuration
Something that has both a light footprint on the clients something compatible with SSH would be nice.
Something that has a light server footprint.
Something compatible with modern *nux systems.
Hopefully can be done via configuration of a standard service, no/light patching.

Any ideas?
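For the `ldapmodify -B` accident discussed earlier in this archive (ken's command, and Rich Megginson's explanation that `-B` wipes the database before importing), here is a pre-flight check for unattended LDIF loads. It is an added example, not code from any poster or from Fedora DS: the function names, the fail-closed flag matching (which assumes short options may be clustered getopt-style) and the list of existing DNs are assumptions, while the command line and LDIF are the ones quoted in the thread.

```python
import base64
import re

# "-B" is the option identified in the thread: in mozldap ldapmodify it starts
# a bulk online import, which wipes the database before importing the LDIF.
# Assumption: short options may be clustered getopt-style ("-aB"), so any
# dash-prefixed token whose leading letters include "B" counts as a hit.
BULK_IMPORT = re.compile(r"-[A-Za-z]*B")


def destructive_args(argv):
    """Return the argv tokens that look like the bulk-import option.

    Fail-closed: option values are scanned too, so a value that happens to
    start with "-B" is also reported. For an unattended batch run a false
    alarm is cheaper than an emptied database.
    """
    return [tok for tok in argv[1:] if BULK_IMPORT.match(tok)]


def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]


def normalize(dn):
    # Simplification: compare DNs case-insensitively, ignoring spaces
    # around the separating commas.
    return ",".join(split_dn(dn)).lower()


def parent_of(dn):
    """Normalized DN of the entry's parent (empty string for a one-RDN DN)."""
    return ",".join(split_dn(dn)[1:]).lower()


def ldif_dns(ldif_text):
    """Yield each entry's DN, handling folded lines and base64 'dn::'."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    for line in unfolded.splitlines():
        if line.startswith("dn::"):
            yield base64.b64decode(line[4:].strip()).decode("utf-8")
        elif line.startswith("dn:"):
            yield line[3:].strip()


def orphan_entries(ldif_text, existing_dns):
    """Return DNs whose parent is neither in the directory nor earlier in the LDIF."""
    known = {normalize(dn) for dn in existing_dns}
    orphans = []
    for dn in ldif_dns(ldif_text):
        if parent_of(dn) in known:
            known.add(normalize(dn))
        else:
            orphans.append(dn)
    return orphans


def preflight(argv, ldif_text, existing_dns):
    """Return a list of reasons not to run the load; empty means go ahead."""
    problems = [f"refusing destructive option {tok!r}"
                for tok in destructive_args(argv)]
    problems += [f"{dn!r} has no parent"
                 for dn in orphan_entries(ldif_text, existing_dns)]
    return problems


# Command line and LDIF as quoted in the thread; the password is a placeholder.
KEN_ARGV = ["ldapmodify", "-a", "-B", "dc=bbk,dc=ac,dc=uk",
            "-D", "cn=directory manager", "-w", "PLACEHOLDER"]
# Constructed: the same command without the bulk-import option and its suffix.
FIXED_ARGV = ["ldapmodify", "-a", "-D", "cn=directory manager",
              "-w", "PLACEHOLDER"]
STUDENTS_LDIF = """\
dn: ou=students,ou=people,dc=bbk,dc=ac,dc=uk
objectClass: top
objectClass: organizationalunit
ou: students
"""
# Constructed: DNs assumed to exist already (in practice, taken from a search).
EXISTING = ["dc=bbk,dc=ac,dc=uk", "ou=People,dc=bbk,dc=ac,dc=uk"]

if __name__ == "__main__":
    for argv in (KEN_ARGV, FIXED_ARGV):
        print(argv[:3], "->", preflight(argv, STUDENTS_LDIF, EXISTING) or "ok")
```

A batch job would call `preflight()` before spawning `ldapmodify` and abort on a non-empty result.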
From janfrode at tanso.net Fri Jun 13 15:46:38 2008 From: janfrode at tanso.net (Jan Frode Myklebust) Date: Fri, 13 Jun 2008 17:46:38 +0200 Subject: [Fedora-directory-users] Re: fds + kerberos References: <48517CD2.6040205@redhat.com> <48527431.2080707@redhat.com> Message-ID: On 2008-06-13, Rich Megginson wrote: >> >> That felt a bit like an "Active Directory is a solution that does what >> you're trying to do, why don't you just use that" answer.. ;-) >> > Well, if you are just starting out with Fedora DS + Kerberos, that would > be the way to go - but since you're not . . . Yea, it looks like a very promising project. Unfortunately (?) we're a bit invested in Sun Identity Manager.. > . . . you have to know about both resources, and keep them both in > sync. I don't know much about Sun Identity Manager - perhaps it has > tools to help you do this. Ok, great. Thanks. Then I think we have the directory and kerberos set up correctly. Time to integrate it with SIM. -jf From hyc at symas.com Fri Jun 13 18:02:36 2008 From: hyc at symas.com (Howard Chu) Date: Fri, 13 Jun 2008 11:02:36 -0700 Subject: [Fedora-directory-users] Re: fds + kerberos In-Reply-To: <20080613160009.BC0B861A794@hormel.redhat.com> References: <20080613160009.BC0B861A794@hormel.redhat.com> Message-ID: <4852B63C.2080505@symas.com> > Date: Thu, 12 Jun 2008 21:15:49 +0200 > From: Jan Frode Myklebust > I have fds set up for user management, and have kerberos set > up for authentication, but am a bit uncertain if I'm now finished, > or if fds+kerberos are supposed to be better integrated. > > Is the normal procedure for managing users: > > - add user info to the directory (ldapadd) > - create user principal (addprinc username) > > Or can the creation of user principal be automatically created > from within fds when we create users there ? If you're using Heimdal's KDC there is a much less clumsy solution - just configure your KDC to store its information in LDAP. 
Then you can include the KDC-specific attributes in your ldapadd requests, and manage both sets of users solely through LDAP. This works very well with OpenLDAP; I think it should also work with FDS 1.1 now that they've integrated ldapi:// support (but haven't tried it myself). You can then also configure OpenLDAP to automatically synchronize password changes between LDAP and Kerberos (since all the information is in the LDAP entry).

I believe recent versions of MIT Kerberos also offer this possibility, but I haven't heard of any success stories with it so far.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

From rmeggins at redhat.com Fri Jun 13 18:33:57 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 13 Jun 2008 12:33:57 -0600
Subject: [Fedora-directory-users] Re: fds + kerberos
In-Reply-To: <4852B63C.2080505@symas.com>
References: <20080613160009.BC0B861A794@hormel.redhat.com> <4852B63C.2080505@symas.com>
Message-ID: <4852BD95.6050801@redhat.com>

Howard Chu wrote:
>> Date: Thu, 12 Jun 2008 21:15:49 +0200
>> From: Jan Frode Myklebust
>
>> I have fds set up for user management, and have kerberos set
>> up for authentication, but am a bit uncertain if I'm now finished,
>> or if fds+kerberos are supposed to be better integrated.
>>
>> Is the normal procedure for managing users:
>>
>> - add user info to the directory (ldapadd)
>> - create user principal (addprinc username)
>>
>> Or can the creation of user principal be automatically created
>> from within fds when we create users there ?
>
> If you're using Heimdal's KDC there is a much less clumsy solution -
> just configure your KDC to store its information in LDAP. Then you can
> include the KDC-specific attributes in your ldapadd requests, and
> manage both sets of users solely through LDAP.
> This works very well
> with OpenLDAP; I think it should also work with FDS 1.1 now that
> they've integrated ldapi:// support (but haven't tried it myself). You
> can then also configure OpenLDAP to automatically synchronize password
> changes between LDAP and Kerberos (since all the information is in the
> LDAP entry).
>
> I believe recent versions of MIT Kerberos also offer this possibility,
> but I haven't heard of any success stories with it so far.

This is what freeipa provides - MIT Kerberos using Fedora DS as its backend database, including password sync.

From scott at scottgrizzard.com Fri Jun 13 18:48:50 2008
From: scott at scottgrizzard.com (Scott Grizzard)
Date: Fri, 13 Jun 2008 11:48:50 -0700
Subject: [Fedora-directory-users] Re: fds + kerberos
In-Reply-To: <4852B63C.2080505@symas.com>
References: <20080613160009.BC0B861A794@hormel.redhat.com> <4852B63C.2080505@symas.com>
Message-ID: <4852C112.5050601@scottgrizzard.com>

With Heimdal and OpenLDAP, you can use the smbk5pwd overlay (it's in the contrib directory) to sync heimdal keys, openldap passwords (it actually points the openldap password to the heimdal key), and sambaLA and sambaNT hashes. Then, if you configure your client services to change passwords using ldappasswd, you can avoid the long chain of custom scripts to keep everything in sync.

If there is something similar for MIT Kerberos and FDS, I would be sold in a microsecond.

Doesn't Samba 4 make this problem moot though?

- Scott

Howard Chu wrote:
>> Date: Thu, 12 Jun 2008 21:15:49 +0200
>> From: Jan Frode Myklebust
>
>> I have fds set up for user management, and have kerberos set
>> up for authentication, but am a bit uncertain if I'm now finished,
>> or if fds+kerberos are supposed to be better integrated.
>>
>> Is the normal procedure for managing users:
>>
>> - add user info to the directory (ldapadd)
>> - create user principal (addprinc username)
>>
>> Or can the creation of user principal be automatically created
>> from within fds when we create users there ?
>
> If you're using Heimdal's KDC there is a much less clumsy solution -
> just configure your KDC to store its information in LDAP. Then you can
> include the KDC-specific attributes in your ldapadd requests, and
> manage both sets of users solely through LDAP. This works very well
> with OpenLDAP; I think it should also work with FDS 1.1 now that
> they've integrated ldapi:// support (but haven't tried it myself). You
> can then also configure OpenLDAP to automatically synchronize password
> changes between LDAP and Kerberos (since all the information is in the
> LDAP entry).
>
> I believe recent versions of MIT Kerberos also offer this possibility,
> but I haven't heard of any success stories with it so far.

From rcritten at redhat.com Fri Jun 13 18:53:52 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 13 Jun 2008 14:53:52 -0400
Subject: [Fedora-directory-users] Re: fds + kerberos
In-Reply-To: <4852C112.5050601@scottgrizzard.com>
References: <20080613160009.BC0B861A794@hormel.redhat.com> <4852B63C.2080505@symas.com> <4852C112.5050601@scottgrizzard.com>
Message-ID: <4852C240.6050501@redhat.com>

Scott Grizzard wrote:
> With Heimdal and OpenLDAP, you can use the smbk5pwd overlay (it's in the
> contrib directory) to sync heimdal keys, openldap passwords (it actually
> points the openldap password to the heimdal key), and sambaLA and
> sambaNT hashes. Then, if you configure your client services to change
> passwords using ldappasswd, you can avoid the long chain of custom
> scripts to keep everything in sync.
>
> If there is something similar for MIT Kerberos and FDS, I would be sold
> in a microsecond.

The freeIPA password plugin does that if the entry has the objectclass sambaSamAccount in it.
> Doesn't Samba 4 make this problem moot though?
>
> - Scott
>
> Howard Chu wrote:
>>> Date: Thu, 12 Jun 2008 21:15:49 +0200
>>> From: Jan Frode Myklebust
>>
>>> I have fds set up for user management, and have kerberos set
>>> up for authentication, but am a bit uncertain if I'm now finished,
>>> or if fds+kerberos are supposed to be better integrated.
>>>
>>> Is the normal procedure for managing users:
>>>
>>> - add user info to the directory (ldapadd)
>>> - create user principal (addprinc username)
>>>
>>> Or can the creation of user principal be automatically created
>>> from within fds when we create users there ?
>>
>> If you're using Heimdal's KDC there is a much less clumsy solution -
>> just configure your KDC to store its information in LDAP. Then you can
>> include the KDC-specific attributes in your ldapadd requests, and
>> manage both sets of users solely through LDAP. This works very well
>> with OpenLDAP; I think it should also work with FDS 1.1 now that
>> they've integrated ldapi:// support (but haven't tried it myself). You
>> can then also configure OpenLDAP to automatically synchronize password
>> changes between LDAP and Kerberos (since all the information is in the
>> LDAP entry).
>>
>> I believe recent versions of MIT Kerberos also offer this possibility,
>> but I haven't heard of any success stories with it so far.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
From hyc at symas.com Sat Jun 14 16:31:16 2008
From: hyc at symas.com (Howard Chu)
Date: Sat, 14 Jun 2008 09:31:16 -0700
Subject: [Fedora-directory-users] Re: fds + kerberos
In-Reply-To: <20080614160006.5D270618747@hormel.redhat.com>
References: <20080614160006.5D270618747@hormel.redhat.com>
Message-ID: <4853F254.70301@symas.com>

> Date: Fri, 13 Jun 2008 11:48:50 -0700
> From: Scott Grizzard

> With Heimdal and OpenLDAP, you can use the smbk5pwd overlay (it's in the
> contrib directory) to sync heimdal keys, openldap passwords (it actually
> points the openldap password to the heimdal key), and sambaLA and
> sambaNT hashes. Then, if you configure your client services to change
> passwords using ldappasswd, you can avoid the long chain of custom
> scripts to keep everything in sync.

Right. (I figure you weren't explaining that to me, since I wrote all that code.)

> If there is something similar for MIT Kerberos and FDS, I would be sold
> in a microsecond.

That'd probably be a premature move. The MIT code is far less stable than Heimdal. Their library has a long history of thread safety issues, security flaws, and crashes in threaded servers. The MIT folks may be ok on the conceptual side, but when it comes to practical implementations they fumble the details more often than not. There are a lot of reasons both OpenLDAP and Samba support Heimdal.

> Doesn't Samba 4 make this problem moot though?

As far as I know Samba 4 handles password synchronization from the SMB side, but you still want to have synchronization for ldappasswd and such.

--
  -- Howard Chu
  CTO, Symas Corp.
  http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

From Dael.Maselli at lnf.infn.it Sun Jun 15 10:23:26 2008
From: Dael.Maselli at lnf.infn.it (Dael Maselli)
Date: Sun, 15 Jun 2008 12:23:26 +0200
Subject: [Fedora-directory-users] Simple Bind only in secured channel
Message-ID: <4854ED9E.20207@lnf.infn.it>

Hi all,

is there any method to deny simple bind operation unless in a secure channel (SSL or STARTTLS)? Do I have to write a plug-in? Hints?

Thank you.

Dael Maselli.


--
___________________________________________________________________

Dael Maselli --- INFN-LNF Computing Service -- +39.06.9403.2214
___________________________________________________________________

Democracy is two wolves and a lamb voting on what to have for lunch
___________________________________________________________________

From diaa.radwan at gmail.com Sun Jun 15 10:38:50 2008
From: diaa.radwan at gmail.com (Diaa Radwan)
Date: Sun, 15 Jun 2008 13:38:50 +0300
Subject: [Fedora-directory-users] Simple Bind only in secured channel
In-Reply-To: <4854ED9E.20207@lnf.infn.it>
References: <4854ED9E.20207@lnf.infn.it>
Message-ID: <182b9f450806150338r3fbb947chde9d7d65245aa9f6@mail.gmail.com>

You can write aci to restrict the authentication method (ssl).

Hope this document would help
https://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control-Bind_Rules.html

On Sun, Jun 15, 2008 at 1:23 PM, Dael Maselli wrote:
> Hi all,
>
> is there any method to deny simple bind operation unless in a secure
> channel (SSL or STARTTLS)? Do I have to write a plug-in? Hints?
>
> Thank you.
>
> Dael Maselli.
>
>
> --
> ___________________________________________________________________
>
> Dael Maselli --- INFN-LNF Computing Service -- +39.06.9403.2214
> ___________________________________________________________________
>
> Democracy is two wolves and a lamb voting on what to have for lunch
> ___________________________________________________________________
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>

--
Diaa Radwan
http://www.fossology.net

From Dael.Maselli at lnf.infn.it Sun Jun 15 10:50:46 2008
From: Dael.Maselli at lnf.infn.it (Dael Maselli)
Date: Sun, 15 Jun 2008 12:50:46 +0200
Subject: [Fedora-directory-users] Simple Bind only in secured channel
In-Reply-To: <182b9f450806150338r3fbb947chde9d7d65245aa9f6@mail.gmail.com>
References: <4854ED9E.20207@lnf.infn.it> <182b9f450806150338r3fbb947chde9d7d65245aa9f6@mail.gmail.com>
Message-ID: <4854F406.5000709@lnf.infn.it>

I'm going to explain it better.

I don't want a user to enter his credential in an unsecured channel. First I thought to close 389 and allow only 636, but ldaps is now deprecated and so I need to allow also 389, but if the user does a simple bind before STARTTLS then credentials will be exposed.

I want something like Sendmail does: no clear text auth is allowed unless the connection is SSL or STARTTLS based.

I hope it is clear now.

Thank you so much.

Dael.

Diaa Radwan, on 15/06/2008 12.38, wrote:
> You can write aci to restrict the authentication method (ssl).
>
> Hope this document would help
> https://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control-Bind_Rules.html
>
> On Sun, Jun 15, 2008 at 1:23 PM, Dael Maselli wrote:
>> Hi all,
>>
>> is there any method to deny simple bind operation unless in a secure
>> channel (SSL or STARTTLS)? Do I have to write a plug-in? Hints?
>>
>> Thank you.
>>
>> Dael Maselli.
>>
>>
>> --
>> ___________________________________________________________________
>>
>> Dael Maselli --- INFN-LNF Computing Service -- +39.06.9403.2214
>> ___________________________________________________________________
>>
>> Democracy is two wolves and a lamb voting on what to have for lunch
>> ___________________________________________________________________
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>
> --
> Diaa Radwan
> http://www.fossology.net
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
___________________________________________________________________

Dael Maselli --- INFN-LNF Computing Service -- +39.06.9403.2214
___________________________________________________________________

Democracy is two wolves and a lamb voting on what to have for lunch
___________________________________________________________________

From michael at stroeder.com Sun Jun 15 11:03:27 2008
From: michael at stroeder.com (Michael Ströder)
Date: Sun, 15 Jun 2008 13:03:27 +0200
Subject: [Fedora-directory-users] Simple Bind only in secured channel
In-Reply-To: <4854F406.5000709@lnf.infn.it>
References: <4854ED9E.20207@lnf.infn.it> <182b9f450806150338r3fbb947chde9d7d65245aa9f6@mail.gmail.com> <4854F406.5000709@lnf.infn.it>
Message-ID: <4854F6FF.305@stroeder.com>

Dael Maselli wrote:
> I'm going to explain it better.
>
> I don't want a user to enter his credential in an unsecured channel.
> First I thought to close 389 and allow only 636, but ldaps is now
> deprecated

Well, most LDAP client software I know of support LDAP over pre-established SSL/TLS tunnel (often called LDAPS). StartTLS is often not supported by client software.

> and so I need to allow also 389, but if the user do simple
> bind before STARTTLS then credentials will be exposed.

That's the serious drawback of StartTLS ext. op.

> I want something like Sendmail does: no clear text auth is allowed
> unless the connection is SSL or STARTTLS based.

Not possible. Even if your server rejects the bind request the clear-text password is already sent over the wire.

Simply keep using LDAPS.

Ciao, Michael.

From Dael.Maselli at lnf.infn.it Sun Jun 15 11:20:34 2008
From: Dael.Maselli at lnf.infn.it (Dael Maselli)
Date: Sun, 15 Jun 2008 13:20:34 +0200
Subject: [Fedora-directory-users] Simple Bind only in secured channel
In-Reply-To: <4854F6FF.305@stroeder.com>
References: <4854ED9E.20207@lnf.infn.it> <182b9f450806150338r3fbb947chde9d7d65245aa9f6@mail.gmail.com> <4854F406.5000709@lnf.infn.it> <4854F6FF.305@stroeder.com>
Message-ID: <4854FB02.3050808@lnf.infn.it>

Well... this is terrible!!!

I _need_ also to support GSSAPI auth, and it doesn't work with SSL!

I don't know so much the LDAP protocol, I thought the client asks for capabilities the server when connect, so if is possible do hide the simple bind capability in clear channel the clients doesn't try simple bind. No?

Please, give me a hint, my institution is going to migrate all Authentication and Authorization to a system based on FDS and MIT Kerberos. This would be a very blocking issue.

Dael.

Michael Ströder, on 15/06/2008 13.03, wrote:
> Dael Maselli wrote:
>> I'm going to explain it better.
>>
>> I don't want a user to enter his credential in an unsecured channel.
>> First I thought to close 389 and allow only 636, but ldaps is now
>> deprecated
>
> Well, most LDAP client software I know of support LDAP over
> pre-established SSL/TLS tunnel (often called LDAPS). StartTLS is often
> not supported by client software.
>
>> and so I need to allow also 389, but if the user do simple
>> bind before STARTTLS then credentials will be exposed.
>
> That's the serious drawback of StartTLS ext. op.
>
>> I want something like Sendmail does: no clear text auth is allowed
>> unless the connection is SSL or STARTTLS based.
>
> Not possible. Even if your server rejects the bind request the
> clear-text password is already sent over the wire.
>
> Simply keep using LDAPS.
>
> Ciao, Michael.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
___________________________________________________________________

Dael Maselli --- INFN-LNF Computing Service -- +39.06.9403.2214
___________________________________________________________________

Democracy is two wolves and a lamb voting on what to have for lunch
___________________________________________________________________
From michael at stroeder.com Sun Jun 15 11:30:19 2008
From: michael at stroeder.com (Michael Ströder)
Date: Sun, 15 Jun 2008 13:30:19 +0200
Subject: [Fedora-directory-users] Simple Bind only in secured channel
In-Reply-To: <4854FB02.3050808@lnf.infn.it>
References: <4854ED9E.20207@lnf.infn.it> <182b9f450806150338r3fbb947chde9d7d65245aa9f6@mail.gmail.com> <4854F406.5000709@lnf.infn.it> <4854F6FF.305@stroeder.com> <4854FB02.3050808@lnf.infn.it>
Message-ID: <4854FD4B.9050608@stroeder.com>

Dael Maselli wrote:
>
> I _need_ also to support GSSAPI auth, and it doesn't work with SSL!

Do you mean you require SASL bind with GSSAPI within the LDAP connection?

The Kerberos authentication itself is not affected by SSL anyway since the traffic between clients, KDC and servers is protected by shared secrets.

> I don't know so much the LDAP protocol, I thought the client asks for
> capabilities the server when connect, so if is possible do hide the simple
> bind capability in clear channel the clients doesn't try simple bind. No?

A well-implemented LDAP client does not send a bind request before trying StartTLS ext. op. It simply tries StartTLS if configured to do so (and without looking at the server's capability which could have been spoofed by an attacker).

But frankly, sometimes when examining what LDAP client applications (even the ones shipped by expensive big vendors) send on the wire I'm asking myself what the client developers have smoked before implementing their application.

So, no you can't prevent a client application from misbehaving when allowing port 389 and requiring StartTLS.

Ciao, Michael.
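Since the reply above concludes that the server cannot stop a client from sending a simple bind before StartTLS, what remains on the server side is finding the clients that do it. The following is an added example, not part of the original thread and not Fedora DS code: it scans directory server access-log lines and reports every simple bind that arrived on a connection with no SSL/TLS layer at bind time. The log layout (`conn=`, `SSL connection from`, `SSL 256-bit AES`, `method=128` for simple bind) is assumed to follow the Fedora/Red Hat Directory Server access log format, and the sample lines and names in them are constructed.

```python
import re
from dataclasses import dataclass

# Assumed access-log layout (Fedora/Red Hat Directory Server style):
#   [ts] conn=N fd=.. slot=.. connection from IP to IP       plain LDAP, port 389
#   [ts] conn=N fd=.. slot=.. SSL connection from IP to IP   LDAPS, port 636
#   [ts] conn=N SSL 256-bit AES                              TLS layer is now up
#   [ts] conn=N op=M BIND dn="..." method=128 version=3      simple bind
#   [ts] conn=N op=-1 fd=.. closed - U1                      connection closed
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OPEN_RE = re.compile(r"^fd=\d+ slot=\d+ (?P<ssl>SSL )?connection from (?P<ip>\S+) to ")
TLS_UP_RE = re.compile(r"^(?:SSL|TLS\S*) \d+-bit ")
BIND_RE = re.compile(r'^op=\d+ BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)')
CLOSE_RE = re.compile(r"^op=-1 fd=\d+ closed")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    conn: int
    client_ip: str
    bind_dn: str
    open_seen: bool  # False: connection opened before this log window began


def find_cleartext_simple_binds(lines):
    """Return a Finding for each non-anonymous simple bind sent without TLS."""
    channels = {}  # conn id -> {"ip", "secure", "open_seen"}
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue
        conn, rest = int(m["conn"]), m["rest"]
        opened = OPEN_RE.match(rest)
        if opened:
            channels[conn] = {"ip": opened["ip"],
                              "secure": opened["ssl"] is not None,
                              "open_seen": True}
            continue
        # A connection whose open line was rotated away is tracked as
        # "unknown" and reported with open_seen=False so it can be triaged.
        chan = channels.setdefault(
            conn, {"ip": "unknown", "secure": False, "open_seen": False})
        if TLS_UP_RE.match(rest):
            chan["secure"] = True          # LDAPS handshake or StartTLS finished
        elif CLOSE_RE.match(rest):
            del channels[conn]
        else:
            bind = BIND_RE.match(rest)
            # method=128 is simple bind; an empty DN is an anonymous bind and
            # carries no password; method=sasl (e.g. GSSAPI) is not simple bind.
            if bind and bind["method"] == "128" and bind["dn"] and not chan["secure"]:
                findings.append(Finding(m["ts"], conn, chan["ip"],
                                        bind["dn"], chan["open_seen"]))
    return findings


# Constructed sample: conn 11 binds in clear, 12 is LDAPS, 13 does StartTLS
# first, 14 binds and only then starts TLS, 15 is GSSAPI, 16 is anonymous.
SAMPLE_LOG = """\
[15/Jun/2008:13:00:01 +0200] conn=11 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[15/Jun/2008:13:00:01 +0200] conn=11 op=0 BIND dn="uid=alice,ou=People,dc=example,dc=com" method=128 version=3
[15/Jun/2008:13:00:01 +0200] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[15/Jun/2008:13:00:02 +0200] conn=12 fd=65 slot=65 SSL connection from 192.0.2.11 to 192.0.2.1
[15/Jun/2008:13:00:02 +0200] conn=12 SSL 256-bit AES
[15/Jun/2008:13:00:02 +0200] conn=12 op=0 BIND dn="uid=bob,ou=People,dc=example,dc=com" method=128 version=3
[15/Jun/2008:13:00:03 +0200] conn=13 fd=66 slot=66 connection from 192.0.2.12 to 192.0.2.1
[15/Jun/2008:13:00:03 +0200] conn=13 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[15/Jun/2008:13:00:03 +0200] conn=13 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[15/Jun/2008:13:00:03 +0200] conn=13 SSL 256-bit AES
[15/Jun/2008:13:00:03 +0200] conn=13 op=1 BIND dn="uid=carol,ou=People,dc=example,dc=com" method=128 version=3
[15/Jun/2008:13:00:04 +0200] conn=14 fd=67 slot=67 connection from 192.0.2.13 to 192.0.2.1
[15/Jun/2008:13:00:04 +0200] conn=14 op=0 BIND dn="uid=dave,ou=People,dc=example,dc=com" method=128 version=3
[15/Jun/2008:13:00:04 +0200] conn=14 op=1 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[15/Jun/2008:13:00:04 +0200] conn=14 SSL 256-bit AES
[15/Jun/2008:13:00:04 +0200] conn=14 op=2 BIND dn="uid=dave,ou=People,dc=example,dc=com" method=128 version=3
[15/Jun/2008:13:00:05 +0200] conn=14 op=-1 fd=67 closed - U1
[15/Jun/2008:13:00:06 +0200] conn=15 fd=68 slot=68 connection from 192.0.2.14 to 192.0.2.1
[15/Jun/2008:13:00:06 +0200] conn=15 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[15/Jun/2008:13:00:07 +0200] conn=16 fd=69 slot=69 connection from 192.0.2.15 to 192.0.2.1
[15/Jun/2008:13:00:07 +0200] conn=16 op=0 BIND dn="" method=128 version=3
"""

if __name__ == "__main__":
    for f in find_cleartext_simple_binds(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} conn={f.conn} {f.client_ip} sent a password in clear for {f.bind_dn}")
```

Every DN reported this way has had its password on the wire unencrypted, so the follow-up is a password reset plus a fix to that client's configuration, not only a server-side rejection.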
From Dael.Maselli at lnf.infn.it Sun Jun 15 11:51:55 2008
From: Dael.Maselli at lnf.infn.it (Dael Maselli)
Date: Sun, 15 Jun 2008 13:51:55 +0200
Subject: [Fedora-directory-users] Simple Bind only in secured channel
In-Reply-To: <4854FD4B.9050608@stroeder.com>
References: <4854ED9E.20207@lnf.infn.it> <182b9f450806150338r3fbb947chde9d7d65245aa9f6@mail.gmail.com> <4854F406.5000709@lnf.infn.it> <4854F6FF.305@stroeder.com> <4854FB02.3050808@lnf.infn.it> <4854FD4B.9050608@stroeder.com>
Message-ID: <4855025B.90808@lnf.infn.it>

Michael Ströder, on 15/06/2008 13.30, wrote:
> Dael Maselli wrote:
>>
>> I _need_ also to support GSSAPI auth, and it doesn't work with SSL!
>
> Do you mean you require SASL bind with GSSAPI within the LDAP connection?

Yes.

>
> The Kerberos authentication itself is not affected by SSL anyway since
> the traffic between clients, KDC and servers is protected by shared
> secrets.
>

Yes, but I remember that if I do something like `ldapsearch -Y GSSAPI -h ldaps://server:636` it says that GSSAPI is not supported over SSL. Am I wrong?

>> I don't know so much the LDAP protocol, I thought the client asks for
>> capabilities the server when connect, so if is possible do hide the
>> simple
>> bind capability in clear channel the clients doesn't try simple bind. No?
>
> A well-implemented LDAP client does not send a bind request before
> trying StartTLS ext. op. It simply tries StartTLS if configured to do so
> (and without looking at the server's capability which could have been
> spoofed by an attacker).
>
> But frankly, sometimes when examining what LDAP client applications
> (even the ones shipped by expensive big vendors) send on the wire I'm
> asking myself what the client developers have smoked before implementing
> their application.
>
> So, no you can't prevent a client application from misbehaving when
> allowing port 389 and requiring StartTLS.
>
> Ciao, Michael.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
___________________________________________________________________

Dael Maselli --- INFN-LNF Computing Service -- +39.06.9403.2214
___________________________________________________________________

Democracy is two wolves and a lamb voting on what to have for lunch
___________________________________________________________________

From sigidwu at gmail.com Mon Jun 16 01:32:05 2008
From: sigidwu at gmail.com (sigid@JINLab)
Date: Mon, 16 Jun 2008 08:32:05 +0700
Subject: [Fedora-directory-users] password incorrect or directory problem
In-Reply-To: <485273DB.9010702@redhat.com>
References: <4848783C.5040602@redhat.com> <48489719.5070503@gmail.com> <48495111.2000007@redhat.com> <484F29C8.8010707@gmail.com> <484F34A9.8080107@redhat.com> <484F5BE6.6050209@gmail.com> <50A3F7088FE1A14FB0CF57A2248738865B67A84257@EXCHANGE1.intranet.iseek.com.au> <484F6C43.1050807@gmail.com> <485013D5.9080607@redhat.com> <4851C59D.1000709@gmail.com> <485273DB.9010702@redhat.com>
Message-ID: <4855C295.8070808@gmail.com>

Rich Megginson wrote:
> sigid at JINLab wrote:
>> Rich Megginson wrote:
>>> sigid at JINLab wrote:
>>>> Luke Bigum wrote:
>>>>> Sigid, I think Rich means the admin server access log, which is
>>>>> different to the directory server access log. See
>>>>> /var/log/dirsrv/admin-serv/access. Tail that, then try connect with
>>>>> Firefox and the admin console. Are you seeing any connections?
>>>>
>>>> my admin access log was empty and tail was show nothing when i
>>>> access using firefox or console. But my admin error log shows
>>> eek - this is very bad. What platform is this? What version of
>>> Fedora DS?
>>
>> i'm using fedora 8 kernel 2.6.24.7-92 with fedora ds as follows:
>> - fedora-ds-base 1.1.1-1
>> - fedora-ds 1.1.1-2
>> - fedora-ds-admin 1.1.4-1
>> - fedora-ds-admin-console 1.1.1-3
>> - fedora-ds-console 1.1.1-3
> Thanks. 32-bit or 64-bit Fedora 8? Are the above packages 32-bit or
> 64-bit e.g.
> rpm -qa --qf '%{name}-%{version}.%{arch}\n' | grep fedora-ds

I'm using 32 bit Fedora 8.

-bash-3.2$ rpm -qa --qf '%{name}-%{version}.%{arch}\n' | grep fedora-ds
fedora-ds-admin-console-1.1.1.noarch
fedora-ds-base-1.1.1.i386
fedora-ds-1.1.1.i386
fedora-ds-admin-1.1.4.i386
fedora-ds-console-1.1.1.noarch

From rmeggins at redhat.com Mon Jun 16 15:49:46 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 16 Jun 2008 09:49:46 -0600
Subject: [Fedora-directory-users] Simple Bind only in secured channel
In-Reply-To: <4854ED9E.20207@lnf.infn.it>
References: <4854ED9E.20207@lnf.infn.it>
Message-ID: <48568B9A.1070804@redhat.com>

Dael Maselli wrote:
> Hi all,
>
> is there any method to deny simple bind operation unless in a secure
> channel (SSL or STARTTLS)?

No. This relates to another requested feature, which is the ability to deny anonymous bind or other anonymous operations. I would like to get some requirements for such a feature.
* allow simple bind/anonymous operations only over a secure channel?
* allow simple bind/anonymous operations for certain hosts/ip addresses?
* allow only certain anonymous operations, like startTLS and the password change extop? others?
* other access control features related to the above?

> Do I have to write a plug-in? Hints?

Yes, at this point it would have to be a plug-in, most likely a bind pre-op plug-in.

>
> Thank you.
>
> Dael Maselli.
>
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From rmeggins at redhat.com Mon Jun 16 15:50:53 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 16 Jun 2008 09:50:53 -0600
Subject: [Fedora-directory-users] Simple Bind only in secured channel
In-Reply-To: <4855025B.90808@lnf.infn.it>
References: <4854ED9E.20207@lnf.infn.it> <182b9f450806150338r3fbb947chde9d7d65245aa9f6@mail.gmail.com> <4854F406.5000709@lnf.infn.it> <4854F6FF.305@stroeder.com> <4854FB02.3050808@lnf.infn.it> <4854FD4B.9050608@stroeder.com> <4855025B.90808@lnf.infn.it>
Message-ID: <48568BDD.1060609@redhat.com>

Dael Maselli wrote:
> Michael Ströder, on 15/06/2008 13.30, wrote:
>> Dael Maselli wrote:
>>>
>>> I _need_ also to support GSSAPI auth, and it doesn't work with SSL!
>>
>> Do you mean you require SASL bind with GSSAPI within the LDAP
>> connection?
>
> Yes.
>
>>
>> The Kerberos authentication itself is not affected by SSL anyway
>> since the traffic between clients, KDC and servers is protected by
>> shared secrets.
>>
>
> Yes, but I remember that if I do something like `ldapsearch -Y GSSAPI
> -h ldaps://server:636`
> it says that GSSAPI is not supported over SSL. Am I wrong?

Fedora DS does not support this. Please file a bug for this. There may already be a bug about this too.

>
>>> I don't know so much the LDAP protocol, I thought the client asks for
>>> capabilities the server when connect, so if is possible do hide the
>>> simple
>>> bind capability in clear channel the clients doesn't try simple
>>> bind. No?
>>
>> A well-implemented LDAP client does not send a bind request before
>> trying StartTLS ext. op.
>> It simply tries StartTLS if configured to do
>> so (and without looking at the server's capability which could have
>> been spoofed by an attacker).
>>
>> But frankly, sometimes when examining what LDAP client applications
>> (even the ones shipped by expensive big vendors) send on the wire I'm
>> asking myself what the client developers have smoked before
>> implementing their application.
>>
>> So, no you can't prevent a client application from misbehaving when
>> allowing port 389 and requiring StartTLS.
>>
>> Ciao, Michael.
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From rmeggins at redhat.com Mon Jun 16 15:58:18 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 16 Jun 2008 09:58:18 -0600
Subject: [Fedora-directory-users] Re: fds + kerberos
In-Reply-To: <4853F254.70301@symas.com>
References: <20080614160006.5D270618747@hormel.redhat.com> <4853F254.70301@symas.com>
Message-ID: <48568D9A.2090000@redhat.com>

Howard Chu wrote:
>> Date: Fri, 13 Jun 2008 11:48:50 -0700
>> From: Scott Grizzard
>
>> With Heimdal and OpenLDAP, you can use the smbk5pwd overlay (it's in the
>> contrib directory) to sync heimdal keys, openldap passwords (it actually
>> points the openldap password to the heimdal key), and sambaLA and
>> sambaNT hashes. Then, if you configure your client services to change
>> passwords using ldappasswd, you can avoid the long chain of custom
>> scripts to keep everything in sync.
>
> Right.
> (I figure you weren't explaining that to me, since I wrote all
> that code.)
>
>> If there is something similar for MIT Kerberos and FDS, I would be sold
>> in a microsecond.
>
> That'd probably be a premature move. The MIT code is far less stable
> than Heimdal. Their library has a long history of thread safety
> issues, security flaws, and crashes in threaded servers. The MIT folks
> may be ok on the conceptual side, but when it comes to practical
> implementations they fumble the details more often than not. There are
> a lot of reasons both OpenLDAP and Samba support Heimdal.

MIT is widely supported across a variety of operating systems, being the default Kerberos implementation on many of them. It has a lot of vendor support. Although the LDAP features of MIT Kerberos are relatively new, Red Hat has a lot of resources dedicated to ensuring they work well, since this is an important part of the freeIPA project.

>
>> Doesn't Samba 4 make this problem moot though?
>
> As far as I know Samba 4 handles password synchronization from the SMB
> side, but you still want to have synchronization for ldappasswd and such.
>
From rmeggins at redhat.com Mon Jun 16 16:02:14 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 16 Jun 2008 10:02:14 -0600
Subject: [Fedora-directory-users] password incorrect or directory problem
In-Reply-To: <4855C295.8070808@gmail.com>
References: <4848783C.5040602@redhat.com> <48489719.5070503@gmail.com> <48495111.2000007@redhat.com> <484F29C8.8010707@gmail.com> <484F34A9.8080107@redhat.com> <484F5BE6.6050209@gmail.com> <50A3F7088FE1A14FB0CF57A2248738865B67A84257@EXCHANGE1.intranet.iseek.com.au> <484F6C43.1050807@gmail.com> <485013D5.9080607@redhat.com> <4851C59D.1000709@gmail.com> <485273DB.9010702@redhat.com> <4855C295.8070808@gmail.com>
Message-ID: <48568E86.2000801@redhat.com>

sigid at JINLab wrote:
> Rich Megginson wrote:
>> sigid at JINLab wrote:
>>> Rich Megginson wrote:
>>>> sigid at JINLab wrote:
>>>>> Luke Bigum wrote:
>>>>>> Sigid, I think Rich means the admin server access log, which is
>>>>>> different to the directory server access log. See
>>>>>> /var/log/dirsrv/admin-serv/access. Tail that, then try connect
>>>>>> with Firefox and the admin console. Are you seeing any connections?
>>>>>
>>>>> my admin access log was empty and tail was show nothing when i
>>>>> access using firefox or console. But my admin error log shows
>>>> eek - this is very bad. What platform is this? What version of
>>>> Fedora DS?
>>>
>>> i'm using fedora 8 kernel 2.6.24.7-92 with fedora ds as follows:
>>> - fedora-ds-base 1.1.1-1
>>> - fedora-ds 1.1.1-2
>>> - fedora-ds-admin 1.1.4-1
>>> - fedora-ds-admin-console 1.1.1-3
>>> - fedora-ds-console 1.1.1-3
>> Thanks. 32-bit or 64-bit Fedora 8? Are the above packages 32-bit or
>> 64-bit e.g.
>> rpm -qa --qf '%{name}-%{version}.%{arch}\n' | grep fedora-ds
>
> I'm using 32 bit Fedora 8.
> > -bash-3.2$ rpm -qa --qf '%{name}-%{version}.%{arch}\n' | grep fedora-ds > fedora-ds-admin-console-1.1.1.noarch > fedora-ds-base-1.1.1.i386 > fedora-ds-1.1.1.i386 > fedora-ds-admin-1.1.4.i386 > fedora-ds-console-1.1.1.noarch What about httpd? rpm -qi httpd Any messages in /var/log/messages? /var/log/secure? Is SELinux enabled? > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From windhamg at email.arizona.edu Mon Jun 16 17:00:41 2008 From: windhamg at email.arizona.edu (Gary Windham) Date: Mon, 16 Jun 2008 10:00:41 -0700 Subject: [Fedora-directory-users] Simple Bind only in secured channel In-Reply-To: <48568B9A.1070804@redhat.com> References: <4854ED9E.20207@lnf.infn.it> <48568B9A.1070804@redhat.com> Message-ID: On Jun 16, 2008, at 8:49 AM, Rich Megginson wrote: > Dael Maselli wrote: >> Hi all, >> >> is there any method to deny simple bind operation unless in a secure >> channel (SSL or STARTTLS)? > No. This relates to another requested feature, which is the ability > to deny anonymous bind or other anonymous operations. I would like > to get some requirements for such a feature. > * allow simple bind/anonymous operations only over a secure channel? > * allow simple bind/anonymous operations for certain hosts/ip > addresses? > * allow only certain anonymous operations, like startTLS and the > password change extop? others? > * other access control features related to the above? >> Do I have to write a plug-in? Hints? > Yes, at this point it would have to be a plug-in, most likely a bind > pre-op plug-in. I have a bind pre-op plugin that meets the first two requirements; I would be happy to share it with anyone interested. 
Thanks, --Gary -- Gary Windham Senior Enterprise Systems Architect The University of Arizona, UITS +1 520 626 5981 From sigidwu at gmail.com Tue Jun 17 02:50:44 2008 From: sigidwu at gmail.com (sigid@JINLab) Date: Tue, 17 Jun 2008 09:50:44 +0700 Subject: [Fedora-directory-users] password incorrect or directory problem In-Reply-To: <48568E86.2000801@redhat.com> References: <4848783C.5040602@redhat.com> <48489719.5070503@gmail.com> <48495111.2000007@redhat.com> <484F29C8.8010707@gmail.com> <484F34A9.8080107@redhat.com> <484F5BE6.6050209@gmail.com> <50A3F7088FE1A14FB0CF57A2248738865B67A84257@EXCHANGE1.intranet.iseek.com.au> <484F6C43.1050807@gmail.com> <485013D5.9080607@redhat.com> <4851C59D.1000709@gmail.com> <485273DB.9010702@redhat.com> <4855C295.8070808@gmail.com> <48568E86.2000801@redhat.com> Message-ID: <48572684.7030203@gmail.com> Rich Megginson wrote: > sigid at JINLab wrote: >> Rich Megginson wrote: >>> sigid at JINLab wrote: >>>> Rich Megginson wrote: >>>>> sigid at JINLab wrote: >>>>>> Luke Bigum wrote: >>>>>>> Sigid, I think Rich means the admin server access log, which is >>>>>>> different to the directory server access log. See >>>>>>> /var/log/dirsrv/admin-serv/access. Tail that, then try connect >>>>>>> with Firefox and the admin console. Are you seeing any connections? >>>>>> >>>>>> my admin access log was empty and tail was show nothing when i >>>>>> access using firefox or console. But my admin error log shows >>>>> eek - this is very bad. What platform is this? What version of >>>>> Fedora DS? >>>> >>>> i'm using fedora 8 kernel 2.6.24.7-92 with fedora ds as follows: >>>> - fedora-ds-base 1.1.1-1 >>>> - fedora-ds 1.1.1-2 >>>> - fedora-ds-admin 1.1.4-1 >>>> - fedora-ds-admin-console 1.1.1-3 >>>> - fedora-ds-console 1.1.1-3 >>> Thanks. 32-bit or 64-bit Fedora 8? Are the above packages 32-bit or >>> 64-bit e.g. >>> rpm -qa --qf '%{name}-%{version}.%{arch}\n' | grep fedora-ds >> >> I'm using 32 bit Fedora 8. 
>> >> -bash-3.2$ rpm -qa --qf '%{name}-%{version}.%{arch}\n' | grep fedora-ds >> fedora-ds-admin-console-1.1.1.noarch >> fedora-ds-base-1.1.1.i386 >> fedora-ds-1.1.1.i386 >> fedora-ds-admin-1.1.4.i386 >> fedora-ds-console-1.1.1.noarch > What about httpd? rpm -qi httpd > > Any messages in /var/log/messages? /var/log/secure? Is SELinux enabled? thanks for your support but i have deadline for this server runs for production. Fortunatelly currently i can use the fedora 9. Refering to my previous post that fedora 9 was having kernel error on my machine so it force me to rollback to fedora 8. On my previous fedora 9 instalation i'm using minimal X by not using KDE or Gnome. But after i add gnome for my desktop manager, my server runs well, Alhamdulillah....thanks god... So right now i'm running fedora 9 instead of fedora 8 on my 3rd server. My FDS and the java console runs well too. Currently i'm preparing to upgrade my 1st server PDC (fedora core 5) to reinstalled with fedora 9. And therefore during reinstalation it need PDC replacement (3rd server) for production server. From zahra_bahar at ec.iut.ac.ir Tue Jun 17 06:17:35 2008 From: zahra_bahar at ec.iut.ac.ir (Zahra Bahar) Date: Tue, 17 Jun 2008 09:47:35 +0330 (IRST) Subject: [Fedora-directory-users] password security Message-ID: <25050909.29081213683455312.JavaMail.root@mta.iut.ac.ir> Hi, I have freeradius server using ldap DS for aaa. my radius supports vpn users and uses PAP. what is the best way for secure user_passwords in connection between ldap server to user? 
From patrick.morris at hp.com Tue Jun 17 06:37:00 2008 From: patrick.morris at hp.com (Morris, Patrick) Date: Tue, 17 Jun 2008 06:37:00 +0000 Subject: [Fedora-directory-users] password security In-Reply-To: <25050909.29081213683455312.JavaMail.root@mta.iut.ac.ir> References: <25050909.29081213683455312.JavaMail.root@mta.iut.ac.ir> Message-ID: <93C487A372B3774CAEAA15D524CCF3D1228B72577E@G1W0485.americas.hpqcorp.net> > I have freeradius server using ldap DS for aaa. my radius supports vpn > users and uses PAP. > what is the best way for secure user_passwords in connection between > ldap server to user? If you're authenticating against a RADIUS server, clients won't be talking to LDAP directly at all. Any connection security (I'm assuming you're talking about something like encryption here) would need to be done with your RADIUS server, and LDAP server<->client password security is a non-issue. From zahra_bahar at ec.iut.ac.ir Tue Jun 17 08:07:22 2008 From: zahra_bahar at ec.iut.ac.ir (Zahra Bahar) Date: Tue, 17 Jun 2008 11:37:22 +0330 (IRST) Subject: [Fedora-directory-users] password security In-Reply-To: <93C487A372B3774CAEAA15D524CCF3D1228B72577E@G1W0485.americas.hpqcorp.net> Message-ID: <4834311.30601213690042586.JavaMail.root@mta.iut.ac.ir> yes, but using PAP, passwords are sent as clear-text between radius server and ldap ds and it is unsecure, Is it true? 
From niranjan.ashok at gmail.com Tue Jun 17 07:15:15 2008 From: niranjan.ashok at gmail.com (mallapadi niranjan) Date: Tue, 17 Jun 2008 12:45:15 +0530 Subject: [Fedora-directory-users] password security In-Reply-To: <4834311.30601213690042586.JavaMail.root@mta.iut.ac.ir> References: <93C487A372B3774CAEAA15D524CCF3D1228B72577E@G1W0485.americas.hpqcorp.net> <4834311.30601213690042586.JavaMail.root@mta.iut.ac.ir> Message-ID: <73e979680806170015n2f714231x5e6d0b252ce085e9@mail.gmail.com> On Tue, Jun 17, 2008 at 1:37 PM, Zahra Bahar wrote: > yes, but using PAP, passwords are sent as clear-text between radius server > and ldap ds and it is unsecure, Is it true? I guess for that you need to use SSL/TLS between radius server and DS http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_SSL.html
From k.brown at bbk.ac.uk Tue Jun 17 10:18:55 2008 From: k.brown at bbk.ac.uk (ken) Date: Tue, 17 Jun 2008 11:18:55 +0100 Subject: [Fedora-directory-users] password security In-Reply-To: <4834311.30601213690042586.JavaMail.root@mta.iut.ac.ir> References: <4834311.30601213690042586.JavaMail.root@mta.iut.ac.ir> Message-ID: <48578F8F.7080109@bbk.ac.uk> Zahra Bahar wrote: > yes, but using PAP, passwords are sent as clear-text > between radius server and ldap ds > and it is unsecure, Is it true? Which is why people who are worried about password security don't use PAP alone - most Radius implementations (e.g. for wireless logins) use other protocols instead of or encapsulating PAP.
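For the RADIUS-to-directory leg discussed in this thread, one way to check whether simple binds (and so passwords) reach the directory without SSL/TLS is to audit the Directory Server access log. This is an added example, not code from any poster or from the Fedora DS project; the sample log lines are constructed, and the line layout it parses (connection-open line, `SSL <bits>-bit <cipher>` line, `method=128` for a simple bind) is an assumption to verify against your own access log.

```python
import re

# Constructed sample lines in the assumed access-log layout.
SAMPLE_LOG = """\
[17/Jun/2008:10:00:01 +0330] conn=5 fd=64 slot=64 connection from 10.0.0.20 to 10.0.0.10
[17/Jun/2008:10:00:01 +0330] conn=5 op=0 BIND dn="uid=radius,ou=Special Users,dc=example,dc=com" method=128 version=3
[17/Jun/2008:10:00:01 +0330] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[17/Jun/2008:10:00:02 +0330] conn=6 fd=65 slot=65 SSL connection from 10.0.0.20 to 10.0.0.10
[17/Jun/2008:10:00:02 +0330] conn=6 SSL 256-bit AES
[17/Jun/2008:10:00:02 +0330] conn=6 op=0 BIND dn="uid=radius,ou=Special Users,dc=example,dc=com" method=128 version=3
[17/Jun/2008:10:00:03 +0330] conn=7 fd=66 slot=66 connection from 10.0.0.21 to 10.0.0.10
[17/Jun/2008:10:00:03 +0330] conn=7 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[17/Jun/2008:10:00:03 +0330] conn=7 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[17/Jun/2008:10:00:03 +0330] conn=7 SSL 256-bit AES
[17/Jun/2008:10:00:03 +0330] conn=7 op=1 BIND dn="uid=alice,ou=People,dc=example,dc=com" method=128 version=3
[17/Jun/2008:10:00:04 +0330] conn=8 fd=67 slot=67 connection from 10.0.0.22 to 10.0.0.10
[17/Jun/2008:10:00:04 +0330] conn=8 op=0 BIND dn="" method=128 version=3
[17/Jun/2008:10:00:05 +0330] conn=9 fd=68 slot=68 connection from 10.0.0.23 to 10.0.0.10
[17/Jun/2008:10:00:05 +0330] conn=9 op=0 BIND dn="uid=bob,ou=People,dc=example,dc=com" method=128 version=3
[17/Jun/2008:10:00:05 +0330] conn=9 op=1 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[17/Jun/2008:10:00:05 +0330] conn=9 SSL 256-bit AES
"""

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
OPEN = re.compile(r'^fd=\d+ slot=\d+ (?P<ssl>SSL )?connection from (?P<client>\S+) to \S+')
CIPHER = re.compile(r'^(?:SSL|TLS\S*) \d+-bit \S+')
BIND = re.compile(r'^op=\d+ BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)')


def find_cleartext_simple_binds(lines):
    """Return simple binds with a non-empty DN seen before the connection was encrypted."""
    conns = {}      # conn id -> {"client": str, "encrypted": bool}
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        conn, rest = int(m.group("conn")), m.group("rest")

        opened = OPEN.match(rest)
        if opened:
            # A new connection resets state; ids can repeat after a restart.
            conns[conn] = {"client": opened.group("client"),
                           "encrypted": bool(opened.group("ssl"))}
            continue

        state = conns.setdefault(conn, {"client": "unknown", "encrypted": False})

        if CIPHER.match(rest):
            # The cipher line, not the startTLS request, confirms the handshake finished.
            state["encrypted"] = True
            continue

        bind = BIND.match(rest)
        if not bind:
            continue
        # method=128 is a simple bind; an empty DN is an anonymous bind with no password.
        if bind.group("method") == "128" and bind.group("dn") and not state["encrypted"]:
            findings.append({"time": m.group("ts"), "conn": conn,
                             "client": state["client"], "dn": bind.group("dn")})
    return findings


if __name__ == "__main__":
    for f in find_cleartext_simple_binds(SAMPLE_LOG.splitlines()):
        print("cleartext simple bind: conn=%(conn)d client=%(client)s dn=%(dn)s at %(time)s" % f)
```

In the constructed sample, conn=9 is flagged even though it later negotiates TLS, because the bind was sent before the handshake completed.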
From rmeggins at redhat.com Tue Jun 17 11:40:22 2008 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 17 Jun 2008 05:40:22 -0600 Subject: [Fedora-directory-users] password incorrect or directory problem In-Reply-To: <48572684.7030203@gmail.com> References: <4848783C.5040602@redhat.com> <48489719.5070503@gmail.com> <48495111.2000007@redhat.com> <484F29C8.8010707@gmail.com> <484F34A9.8080107@redhat.com> <484F5BE6.6050209@gmail.com> <50A3F7088FE1A14FB0CF57A2248738865B67A84257@EXCHANGE1.intranet.iseek.com.au> <484F6C43.1050807@gmail.com> <485013D5.9080607@redhat.com> <4851C59D.1000709@gmail.com> <485273DB.9010702@redhat.com> <4855C295.8070808@gmail.com> <48568E86.2000801@redhat.com> <48572684.7030203@gmail.com> Message-ID: <4857A2A6.2030407@redhat.com> sigid at JINLab wrote: > Rich Megginson wrote: >> sigid at JINLab wrote: >>> Rich Megginson wrote: >>>> sigid at JINLab wrote: >>>>> Rich Megginson wrote: >>>>>> sigid at JINLab wrote: >>>>>>> Luke Bigum wrote: >>>>>>>> Sigid, I think Rich means the admin server access log, which is >>>>>>>> different to the directory server access log. See >>>>>>>> /var/log/dirsrv/admin-serv/access. Tail that, then try connect >>>>>>>> with Firefox and the admin console. Are you seeing any >>>>>>>> connections? >>>>>>> >>>>>>> my admin access log was empty and tail was show nothing when i >>>>>>> access using firefox or console. But my admin error log shows >>>>>> eek - this is very bad. What platform is this? What version of >>>>>> Fedora DS? >>>>> >>>>> i'm using fedora 8 kernel 2.6.24.7-92 with fedora ds as follows: >>>>> - fedora-ds-base 1.1.1-1 >>>>> - fedora-ds 1.1.1-2 >>>>> - fedora-ds-admin 1.1.4-1 >>>>> - fedora-ds-admin-console 1.1.1-3 >>>>> - fedora-ds-console 1.1.1-3 >>>> Thanks. 32-bit or 64-bit Fedora 8? Are the above packages 32-bit >>>> or 64-bit e.g. >>>> rpm -qa --qf '%{name}-%{version}.%{arch}\n' | grep fedora-ds >>> >>> I'm using 32 bit Fedora 8. 
>>> >>> -bash-3.2$ rpm -qa --qf '%{name}-%{version}.%{arch}\n' | grep fedora-ds >>> fedora-ds-admin-console-1.1.1.noarch >>> fedora-ds-base-1.1.1.i386 >>> fedora-ds-1.1.1.i386 >>> fedora-ds-admin-1.1.4.i386 >>> fedora-ds-console-1.1.1.noarch >> What about httpd? rpm -qi httpd >> >> Any messages in /var/log/messages? /var/log/secure? Is SELinux >> enabled? > > thanks for your support but i have deadline for this server runs for > production. Fortunatelly currently i can use the fedora 9. Refering to > my previous post that fedora 9 was having kernel error on my machine > so it force me to rollback to fedora 8. > > On my previous fedora 9 instalation i'm using minimal X by not using > KDE or Gnome. But after i add gnome for my desktop manager, my server > runs well, Alhamdulillah....thanks god... > > So right now i'm running fedora 9 instead of fedora 8 on my 3rd > server. My FDS and the java console runs well too. Currently i'm > preparing to upgrade my 1st server PDC (fedora core 5) to reinstalled > with fedora 9. And therefore during reinstalation it need PDC > replacement (3rd server) for production server. So, Fedora 9 works but not Fedora 8? What could be the difference? I saw a message last night on IRC - someone attempted to get PHP working in the Admin Server - was that you? If so, that's probably it. The Admin Server was not designed to be a general purpose web/app server - it is a special "instance" of Apache that is designed only to run the Admin Server and Console apps, and nothing else. Other modules such as php, python, etc. are not supported and will probably cause bad behavior up to and including crashing the Admin Server. > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From sigidwu at gmail.com Tue Jun 17 12:18:40 2008 From: sigidwu at gmail.com (sigid@JINLab) Date: Tue, 17 Jun 2008 19:18:40 +0700 Subject: [Fedora-directory-users] password incorrect or directory problem In-Reply-To: <4857A2A6.2030407@redhat.com> References: <4848783C.5040602@redhat.com> <48489719.5070503@gmail.com> <48495111.2000007@redhat.com> <484F29C8.8010707@gmail.com> <484F34A9.8080107@redhat.com> <484F5BE6.6050209@gmail.com> <50A3F7088FE1A14FB0CF57A2248738865B67A84257@EXCHANGE1.intranet.iseek.com.au> <484F6C43.1050807@gmail.com> <485013D5.9080607@redhat.com> <4851C59D.1000709@gmail.com> <485273DB.9010702@redhat.com> <4855C295.8070808@gmail.com> <48568E86.2000801@redhat.com> <48572684.7030203@gmail.com> <4857A2A6.2030407@redhat.com> Message-ID: <4857ABA0.7060400@gmail.com> Richard Megginson wrote: > sigid at JINLab wrote: >> Rich Megginson wrote: >>> sigid at JINLab wrote: >>>> Rich Megginson wrote: >>>>> sigid at JINLab wrote: >>>>>> Rich Megginson wrote: >>>>>>> sigid at JINLab wrote: >>>>>>>> Luke Bigum wrote: >>>>>>>>> Sigid, I think Rich means the admin server access log, which is >>>>>>>>> different to the directory server access log. See >>>>>>>>> /var/log/dirsrv/admin-serv/access. Tail that, then try connect >>>>>>>>> with Firefox and the admin console. Are you seeing any >>>>>>>>> connections? >>>>>>>> >>>>>>>> my admin access log was empty and tail was show nothing when i >>>>>>>> access using firefox or console. But my admin error log shows >>>>>>> eek - this is very bad. What platform is this? What version of >>>>>>> Fedora DS? >>>>>> >>>>>> i'm using fedora 8 kernel 2.6.24.7-92 with fedora ds as follows: >>>>>> - fedora-ds-base 1.1.1-1 >>>>>> - fedora-ds 1.1.1-2 >>>>>> - fedora-ds-admin 1.1.4-1 >>>>>> - fedora-ds-admin-console 1.1.1-3 >>>>>> - fedora-ds-console 1.1.1-3 >>>>> Thanks. 32-bit or 64-bit Fedora 8? 
Are the above packages 32-bit >>>>> or 64-bit e.g. >>>>> rpm -qa --qf '%{name}-%{version}.%{arch}\n' | grep fedora-ds >>>> >>>> I'm using 32 bit Fedora 8. >>>> >>>> -bash-3.2$ rpm -qa --qf '%{name}-%{version}.%{arch}\n' | grep fedora-ds >>>> fedora-ds-admin-console-1.1.1.noarch >>>> fedora-ds-base-1.1.1.i386 >>>> fedora-ds-1.1.1.i386 >>>> fedora-ds-admin-1.1.4.i386 >>>> fedora-ds-console-1.1.1.noarch >>> What about httpd? rpm -qi httpd >>> >>> Any messages in /var/log/messages? /var/log/secure? Is SELinux >>> enabled? >> >> thanks for your support but i have deadline for this server runs for >> production. Fortunatelly currently i can use the fedora 9. Refering to >> my previous post that fedora 9 was having kernel error on my machine >> so it force me to rollback to fedora 8. >> >> On my previous fedora 9 instalation i'm using minimal X by not using >> KDE or Gnome. But after i add gnome for my desktop manager, my server >> runs well, Alhamdulillah....thanks god... >> >> So right now i'm running fedora 9 instead of fedora 8 on my 3rd >> server. My FDS and the java console runs well too. Currently i'm >> preparing to upgrade my 1st server PDC (fedora core 5) to reinstalled >> with fedora 9. And therefore during reinstalation it need PDC >> replacement (3rd server) for production server. > So, Fedora 9 works but not Fedora 8? What could be the difference? Don't know...:-) you tell me..:-) it still confusing me because it only fail as integrated system. But as part it works because the FDS can be accessed from other machine using ldapAdmin (not fds java console). But the java fds console on fedora 8 can access fds on other machine. > I saw a message last night on IRC - someone attempted to get PHP working > in the Admin Server - was that you? No, it wasn't me. 
From daniel.cruz at sc.senai.br Tue Jun 17 18:26:56 2008 From: daniel.cruz at sc.senai.br (DANIEL CRISTIAN CRUZ) Date: Tue, 17 Jun 2008 15:26:56 -0300 Subject: [Fedora-directory-users] Replication messages Message-ID: <1fcf4f1d4cccb89037df8ba181daf041@intranet.sc.senai.br> Hi all, I had some error messages that I don't understood: [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - changelog program - agmt="cn=m1-m2-xxx" (m2:389): Failed to retrieve change with CSN 4857f6db000000010000; db error - -30999 DB_BUFFER_SMALL: User memory too small for return value[17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - agmt="cn=m1-m2-xxx" (m2:389): A changelog database error was encountered[17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - changelog program - agmt="cn=m1-c1-xxx" (c1:389): Failed to retrieve change with CSN 4857f6db000000010000; db error - -30999 DB_BUFFER_SMALL: User memory too small for return value[17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - agmt="cn=m1-c1-xxx" (c1:389): A changelog database error was encountered[17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - changelog program - agmt="cn=m1-c2-xxx" (c2:389): Failed to retrieve change with CSN 4857f6db000000010000; db error - -30999?DB_BUFFER_SMALL: User memory too small for return value[17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - agmt="cn=m1-c2-xxx" (c2:389): A changelog database error was encountered[17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - changelog program - agmt="cn=m1-c3-xxx" (c3:389): Failed to retrieve change with CSN 4857f6db000000010000; db error - -30999 DB_BUFFER_SMALL: User memory too small for return value[17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - agmt="cn=m1-c3-xxx" (c3:389): A changelog database error was encountered My schema has two multi masters: m1 and m2, and many consumers c1, c2, c3, ..., cX. There are replication agreements between m1 and m2. There are replication agreements from each master to all consumers. 
It's the second time I saw the problem, and I need to make a full initialize from m1 to all others, where the log above were taken from m1. m1 receives updates from m2, even after this error. After initializing m2 from m1: I saw the message on m2: [17/Jun/2008:15:02:04 -0300] NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for replica ou=foo,o=bar does not match the data in the changelog. Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized. In a test environment I didn't get this problem. Is there something wrong in my structure (two masters and many consumers)? Is any configuration missing (some gotchas)? Any help would be appreciated. Regards, -- Daniel Cristian Cruz Administrador de Banco de Dados Direção Regional - Núcleo de Tecnologia da Informação SENAI - SC Telefone: 48-3239-1422 (ramal 1422)
From rmeggins at redhat.com Wed Jun 18 03:32:02 2008 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 17 Jun 2008 23:32:02 -0400 Subject: [Fedora-directory-users] Replication messages In-Reply-To: <1fcf4f1d4cccb89037df8ba181daf041@intranet.sc.senai.br> References: <1fcf4f1d4cccb89037df8ba181daf041@intranet.sc.senai.br> Message-ID: <485881B2.50701@redhat.com> DANIEL CRISTIAN CRUZ wrote: > > Hi all, > > I had some error messages that I don't understood: > > [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - changelog program - agmt="cn=m1-m2-xxx" (m2:389): Failed to retrieve change with CSN 4857f6db000000010000; db error - -30999 > DB_BUFFER_SMALL: User memory too small for return value > [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - agmt="cn=m1-m2-xxx" (m2:389): A changelog database error was encountered > [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - changelog program - agmt="cn=m1-c1-xxx" (c1:389): Failed to retrieve change with CSN 4857f6db000000010000; db error - 
-30999 DB_BUFFER > _SMALL: User memory too small for return value > [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - agmt="cn=m1-c1-xxx" (c1:389): A changelog database error was encountered > [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - changelog program - agmt="cn=m1-c2-xxx" (c2:389): Failed to retrieve change with CSN 4857f6db000000010000; db error - -30999 > DB_BUFFER_SMALL: User memory too small for return value > [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - agmt="cn=m1-c2-xxx" (c2:389): A changelog database error was encountered > [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - changelog program - agmt="cn=m1-c3-xxx" (c3:389): Failed to retrieve change with CSN 4857f6db000000010000; db error - -30999 DB_ > BUFFER_SMALL: User memory too small for return value > [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - agmt="cn=m1-c3-xxx" (c3:389): A changelog database error was encountered > > My schema has two multi masters: m1 and m2, and many consumers c1, c2, > c3, ..., cX. > > There are replication agreements between m1 and m2. > > There are replication agreements from each master to all consumers. > > It's the second time I saw the problem, and I need to make a full > initialize from m1 to all others, where the log above were taken from > m1. m1 receive updates from m2, even after this error. > > After initializing m2 from m1: I saw the message on m2: > > [17/Jun/2008:15:02:04 -0300] NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for replica ou=foo,o=bar does not match the data in the changelog. > Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized. > > In a test environment I didn't got this problem. > > Is there something wrong in my structure (two masters and many consumers)? > No, I don't think so. > > Is any configuration missing (some gotchas)? > What platform? 32-bit or 64-bit? What version of Fedora DS? 
> > Any help would be appreciated. > > Regards, > > ------------------------------------------------------------------------ > > *Daniel Cristian Cruz* > *Administrador de Banco de Dados > *Direção Regional - *Núcleo de Tecnologia da Informação > SENAI - SC > Telefone: 48-3239-1422 (ramal 1422)* > > ------------------------------------------------------------------------
From daniel.cruz at sc.senai.br Wed Jun 18 11:54:49 2008 From: daniel.cruz at sc.senai.br (DANIEL CRISTIAN CRUZ) Date: Wed, 18 Jun 2008 08:54:49 -0300 Subject: [Fedora-directory-users] Replication messages In-Reply-To: <485881B2.50701@redhat.com> Message-ID: "Richard Megginson" wrote: > DANIEL CRISTIAN CRUZ wrote: >> Is there something wrong in my structure (two masters and many consumers)? >> > No, I don't think so. >> >> Is any configuration missing (some gotchas)? >> > What platform? 32-bit or 64-bit? What version of Fedora DS? I'm using Red Hat EL 5.1, 64-bit and Fedora DS 1.1.0-3. -- Daniel Cristian Cruz Administrador de Banco de Dados Direção Regional - Núcleo de Tecnologia da Informação SENAI - SC Telefone: 48-3239-1422 (ramal 1422)
From ggistra at aol.com Wed Jun 18 17:50:32 2008 From: ggistra at aol.com (ggistra at aol.com) Date: Wed, 18 Jun 2008 13:50:32 -0400 Subject: [Fedora-directory-users] Displaying User Password Message-ID: <8CA9F82F040B03D-1E00-A8@FWM-D26.sysops.aol.com> Hi all, When displaying a user in the Property Editor window of the admin console, is the Password field always masked, or only when the password is stored encrypted? Thanks, Gabi
From michael.brown at redhat.com Thu Jun 19 02:56:49 2008 From: michael.brown at redhat.com (Michael Brown) Date: Wed, 18 Jun 2008 22:56:49 -0400 Subject: [Fedora-directory-users] LDAP Load Tools Message-ID: <4859CAF1.90108@redhat.com> Hello All Can anyone point me to load generation tools specific to LDAP? Do they even exist? I'm working with an RHDS customer (currently RHDS 7.1sp3, hopefully moving to sp6 soon, or RHDS 8) with large attribute requirements (some attributes 25-30 Mbytes) who wants to do some modeling of performance in the lab so that memory sizing and configuration is less of an issue in production. Ideally the tool(s) would incorporate multiple threads, and configurable simultaneous writes and reads/searches of multiple nodes. However, I will settle for anything less than ideal at this point. Thanks
From nkinder at redhat.com Thu Jun 19 04:53:51 2008 From: nkinder at redhat.com (Nathan Kinder) Date: Wed, 18 Jun 2008 21:53:51 -0700 Subject: [Fedora-directory-users] LDAP Load Tools In-Reply-To: <4859CAF1.90108@redhat.com> References: <4859CAF1.90108@redhat.com> Message-ID: <4859E65F.4080502@redhat.com> Michael Brown wrote: > Hello All > > Can anyone point me to load generation tools specific to LDAP? Do > they even exist? I'm working with an RHDS customer (currently RHDS > 7.1sp3, hopefully moving to sp6 soon, or RHDS 8) with large attribute > requirements (some attributes 25-30 Mbytes) who wants to do some > modeling of performance in the lab so that memory sizing and > configuration is less of an issue in production. Ideally the tool(s) > would incorporate multiple threads, and configurable simultaneous > writes and reads/searches of multiple nodes. However, I will settle > for anything less than ideal at this point.
There's the ldclt tool that's included with the fedora-ds-base package. It uses multiple threads and is fairly flexible in the operations that you can perform with it. Another popular tool is SLAMD, which is more advanced than ldclt. -NGK > > Thanks
From michael at stroeder.com Thu Jun 19 07:47:37 2008 From: michael at stroeder.com (Michael Ströder) Date: Thu, 19 Jun 2008 09:47:37 +0200 Subject: [Fedora-directory-users] LDAP Load Tools In-Reply-To: <4859CAF1.90108@redhat.com> References: <4859CAF1.90108@redhat.com> Message-ID: <485A0F19.2010205@stroeder.com> Michael Brown wrote: > I'm working with an RHDS customer (currently RHDS 7.1sp3, > hopefully moving to sp6 soon, or RHDS 8) with large attribute > requirements (some attributes 25-30 Mbytes) Never saw a deployment where you store several MB into attributes. I'm really curious whether that works? I know you can store this amount of data but whether it really works for many entries. Ciao, Michael.
From graf0 at post.pl Thu Jun 19 12:01:21 2008 From: graf0 at post.pl (Grzegorz Marszałek) Date: Thu, 19 Jun 2008 14:01:21 +0200 Subject: [Fedora-directory-users] newbie question - roles AND groups? Message-ID: <88937017-7F2F-4A59-A6B4-671092F62343@post.pl> Hello! I'm newbie to Fedora Directory, but it has two significant features - acl and nested roles. But I could find a way to use roles as groups. That is - I'd like to define role, and then use this to define posix group, which I can use via nss_ldap on my servers.
At first glance it seems that dynamic groups will do what I want - I just defined filter to include all users with particular role in group. But unfortunately dynamic groups aren't resolved by server, you need client aplication to do that :( So the question is: is there any way to do this without writing my own slapi plugin? Thanks! --- Grzegorz Marsza?ek graf0 at post.pl From daniel.cruz at sc.senai.br Thu Jun 19 12:41:59 2008 From: daniel.cruz at sc.senai.br (DANIEL CRISTIAN CRUZ) Date: Thu, 19 Jun 2008 09:41:59 -0300 Subject: [Fedora-directory-users] Replication messages In-Reply-To: <1fcf4f1d4cccb89037df8ba181daf041@intranet.sc.senai.br> Message-ID: <49055066e0090fd828a919a2f9c261ad@intranet.sc.senai.br> No one knows what DB_BUFFER_SMALL mean on Fedora DS? How does a change?were not found in the changelog? A problem? A bug? Something "usual"? Is there anything that could prevent this error? "DANIEL CRISTIAN CRUZ" escreveu: ? > >Hi all, > > >I had some error messages that I don't understood: > > > >[17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - changelog program - >agmt="cn=m1-m2-xxx" (m2:389): Failed to retrieve change with CSN >4857f6db000000010000; db error - -30999 DB_BUFFER_SMALL: User memory too >small for return value[17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - >agmt="cn=m1-m2-xxx" (m2:389): A changelog database error was >encountered[17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - changelog >program - agmt="cn=m1-c1-xxx" (c1:389): Failed to retrieve change with CSN >4857f6db000000010000; db error - -30999 DB_BUFFER_SMALL: User memory too >small for return value[17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - >agmt="cn=m1-c1-xxx" (c1:389): A changelog database error was >encountered[17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - changelog >program - agmt="cn=m1-c2-xxx" (c2:389): Failed to retrieve change with CSN >4857f6db000000010000; db error - -30999?DB_BUFFER_SMALL: User memory too >small for return 
value[17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - >agmt="cn=m1-c2-xxx" (c2:389): A changelog database error was >encountered[17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - changelog >program - agmt="cn=m1-c3-xxx" (c3:389): Failed to retrieve change with CSN >4857f6db000000010000; db error - -30999 DB_BUFFER_SMALL: User memory too >small for return value[17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - >agmt="cn=m1-c3-xxx" (c3:389): A changelog database error was >encountered >My schema has two multi masters: m1 and m2, and many consumers c1, c2, c3, >..., cX. > > >There are replication agreements between m1 and m2. > > >There are replication agreements from each master to all consumers. > > >It's the second time I saw the problem, and I need to make a full >initialize from m1 to all others, where the log above were taken from m1. >m1 receive updates from m2, even after this error. > > >After initializing m2 from m1: I saw the message on m2: > > > >[17/Jun/2008:15:02:04 -0300] NSMMReplicationPlugin - replica_reload_ruv: >Warning: new data for replica ou=foo,o=bar does not match the data in the >changelog.?Recreating the changelog file. This could affect replication >with replica's? consumers in which case the consumers should be >reinitialized. >In a test environment I didn't got this problem. > > >Is there something wrong in my structure (two masters and many consumers)? > > >Is any configuration missing (some gotchas)? > > >Any help would be apreciated. > > >Regards, > > > -- Daniel Cristian Cruz Administrador de Banco de Dados Dire??o Regional?- N?cleo de Tecnologia da Informa??o SENAI - SC Telefone: 48-3239-1422 (ramal 1422) -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Thu Jun 19 13:40:13 2008 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 19 Jun 2008 09:40:13 -0400 Subject: [Fedora-directory-users] newbie question - roles AND groups? 
In-Reply-To: <88937017-7F2F-4A59-A6B4-671092F62343@post.pl> References: <88937017-7F2F-4A59-A6B4-671092F62343@post.pl> Message-ID: <485A61BD.3090902@redhat.com> Grzegorz Marsza?ek wrote: > Hello! > > I'm newbie to Fedora Directory, but is has two significant features - > acl and nested roles. > > But I could find a way to use roles as groups. That is - I'd like to > define role, and then use this to define posix group, which I can use > via nss_ldap on my servers. At first glance it seems that dynamic > groups will do what I want - I just defined filter to include all > users with particular role in group. But unfortunately dynamic groups > aren't resolved by server, you need client aplication to do that :( > > > So the question is: is there any way to do this without writing my own > slapi plugin? No, not currently. But several other users have expressed an interest in a feature like this. There is another new feature related to this concept that is currently in Fedora DS and being improved for the next version - http://directory.fedoraproject.org/wiki/MemberOf_Plugin Would you be able to create a wiki page to explain your requirements for such a feature? That would be a very good place to start designing this feature. > > Thanks! > --- > Grzegorz Marsza?ek > graf0 at post.pl > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rmeggins at redhat.com Thu Jun 19 13:43:52 2008
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 19 Jun 2008 09:43:52 -0400
Subject: [Fedora-directory-users] Replication messages
In-Reply-To: <49055066e0090fd828a919a2f9c261ad@intranet.sc.senai.br>
References: <49055066e0090fd828a919a2f9c261ad@intranet.sc.senai.br>
Message-ID: <485A6298.1020300@redhat.com>

DANIEL CRISTIAN CRUZ wrote:
>
> No one knows what DB_BUFFER_SMALL means on Fedora DS?
>
> How does a change were not found in the changelog? A problem? A bug?
> Something "usual"?
>
I believe this is the following bug - https://bugzilla.redhat.com/show_bug.cgi?id=442170 - we are still working on it.
>
> Is there anything that could prevent this error?
>
Are you using password policy with account lockout?
>
> "DANIEL CRISTIAN CRUZ" wrote:
>
>
>> Hi all,
>>
>> I had some error messages that I don't understand:
>>
>> [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - changelog program - agmt="cn=m1-m2-xxx" (m2:389): Failed to retrieve change with CSN 4857f6db000000010000; db error - -30999 DB_BUFFER_SMALL: User memory too small for return value
>> [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - agmt="cn=m1-m2-xxx" (m2:389): A changelog database error was encountered
>> [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - changelog program - agmt="cn=m1-c1-xxx" (c1:389): Failed to retrieve change with CSN 4857f6db000000010000; db error - -30999 DB_BUFFER_SMALL: User memory too small for return value
>> [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - agmt="cn=m1-c1-xxx" (c1:389): A changelog database error was encountered
>> [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - changelog program - agmt="cn=m1-c2-xxx" (c2:389): Failed to retrieve change with CSN 4857f6db000000010000; db error - -30999 DB_BUFFER_SMALL: User memory too small for return value
>> [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - agmt="cn=m1-c2-xxx" (c2:389): A changelog database error was encountered
>> [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - changelog program - agmt="cn=m1-c3-xxx" (c3:389): Failed to retrieve change with CSN 4857f6db000000010000; db error - -30999 DB_BUFFER_SMALL: User memory too small for return value
>> [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - agmt="cn=m1-c3-xxx" (c3:389): A changelog database error was encountered
>>
>> My schema has two multi masters: m1 and m2, and many consumers c1,
>> c2, c3, ..., cX.
>>
>> There are replication agreements between m1 and m2.
>>
>> There are replication agreements from each master to all consumers.
>>
>> It's the second time I saw the problem, and I need to make a full
>> initialize from m1 to all others, where the log above was taken from
>> m1. m1 receives updates from m2, even after this error.
>>
>> After initializing m2 from m1: I saw the message on m2:
>>
>> [17/Jun/2008:15:02:04 -0300] NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for replica ou=foo,o=bar does not match the data in the changelog. Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized.
>>
>> In a test environment I didn't get this problem.
>>
>> Is there something wrong in my structure (two masters and many
>> consumers)?
>>
>> Is any configuration missing (some gotchas)?
>>
>> Any help would be appreciated.
>>
>> Regards,
>>
> ------------------------------------------------------------------------
>
> *Daniel Cristian Cruz*
> *Administrador de Banco de Dados
> *Direção Regional - *Núcleo de Tecnologia da Informação
> SENAI - SC
> Telefone: 48-3239-1422 (ramal 1422)*
>
> ------------------------------------------------------------------------

From sanga.c at it-mgt.com Thu Jun 19 13:44:25 2008
From: sanga.c at it-mgt.com (Sanga M. Collins)
Date: Thu, 19 Jun 2008 09:44:25 -0400
Subject: [Fedora-directory-users] LDAP Load Tools
References: <4859CAF1.90108@redhat.com> <485A0F19.2010205@stroeder.com>
Message-ID: <5542485358217A4EB9893C4F12C42BF9E31459@itm-bb01.exch.it-mgt.net>

I think the deployment guide suggests you use pointers instead of loading large pieces of data into the directory

Sanga M. Collins
Network Engineering
~~~~~~~~~~~~~~~~~~~~~~~
IT Management LLC
6491 Sunset Strip #5,
Sunrise Fl, 33313
Tel: (954) 572 7411,
Fax: (435) 578 7411

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Michael Ströder
Sent: Thursday, June 19, 2008 3:48 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] LDAP Load Tools

Michael Brown wrote:
> I'm working with an RHDS customer (currently RHDS 7.1sp3,
> hopefully moving to sp6 soon, or RHDS 8) with large attribute
> requirements (some attributes 25-30 Mbytes)

Never saw a deployment where you store several MB into attributes. I'm really curious whether that works? I know you can store this amount of data but whether it really works for many entries.
Ciao, Michael.

From michael.brown at redhat.com Thu Jun 19 14:15:09 2008
From: michael.brown at redhat.com (Michael Brown)
Date: Thu, 19 Jun 2008 10:15:09 -0400
Subject: [Fedora-directory-users] LDAP Load Tools
In-Reply-To: <5542485358217A4EB9893C4F12C42BF9E31459@itm-bb01.exch.it-mgt.net>
References: <4859CAF1.90108@redhat.com> <485A0F19.2010205@stroeder.com> <5542485358217A4EB9893C4F12C42BF9E31459@itm-bb01.exch.it-mgt.net>
Message-ID: <485A69ED.30200@redhat.com>

Sanga M. Collins wrote:
> I think the deployment guide suggests you use pointers instead of loading large pieces of data into the directory
>
> Sanga M. Collins
> Network Engineering
> ~~~~~~~~~~~~~~~~~~~~~~~
> IT Management LLC
> 6491 Sunset Strip #5,
> Sunrise Fl, 33313
> Tel: (954) 572 7411,
> Fax: (435) 578 7411
>
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Michael Ströder
> Sent: Thursday, June 19, 2008 3:48 AM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] LDAP Load Tools
>
> Michael Brown wrote:
>
>> I'm working with an RHDS customer (currently RHDS 7.1sp3,
>> hopefully moving to sp6 soon, or RHDS 8) with large attribute
>> requirements (some attributes 25-30 Mbytes)
>>
>
> Never saw a deployment where you store several MB into attributes. I'm
> really curious whether that works? I know you can store this amount of
> data but whether it really works for many entries.
>
> Ciao, Michael.
>
As an FYI...
The issue in the environment in which I'm working is not a data at rest issue for the large attributes, but rather a replication and writing issue.

This is a US Government customer who has deployed a large PKI and LDAP infrastructure based upon the Red Hat CA and DS products, and they have several CA's with large certificate revocation lists approaching several tens of Mbytes each (the customer has issued tens of millions of certs from all the CAs deployed, and has revoked > 20% of these prior to expiration at any one time for various reasons, thus the large CRLs). These CRLs are published to Red Hat DS instances in the certificateRevocationList;binary attribute in the entry for each CA and replicated to consumer DS instances and customers who require the CRLs. OCSP is also used, but CRLs are still required for many applications.

This is a reasonably mature architecture as far as PKI and LDAP are concerned, first deployed in 1999 or thereabouts (think Netscape days), but the large CRL growth has been problematic both in generation and in publishing/replication at times. The publishing and replication tuning is what I'm trying to address with additional lab testing.

The Red Hat CA and DS solutions have shown themselves to be scalable and secure in this environment, with proper care and tuning.

Michael

From msauton at redhat.com Thu Jun 19 14:21:04 2008
From: msauton at redhat.com (Marc Sauton)
Date: Thu, 19 Jun 2008 07:21:04 -0700
Subject: [Fedora-directory-users] LDAP Load Tools
In-Reply-To: <485A69ED.30200@redhat.com>
References: <4859CAF1.90108@redhat.com> <485A0F19.2010205@stroeder.com> <5542485358217A4EB9893C4F12C42BF9E31459@itm-bb01.exch.it-mgt.net> <485A69ED.30200@redhat.com>
Message-ID: <485A6B50.2090603@redhat.com>

Michael Brown wrote:
> Sanga M. Collins wrote:
>> I think the deployment guide suggests you use pointers instead of
>> loading large pieces of data into the directory
>>
>> Sanga M.
Collins Network Engineering
>> ~~~~~~~~~~~~~~~~~~~~~~~
>> IT Management LLC
>> 6491 Sunset Strip #5, Sunrise Fl, 33313
>> Tel: (954) 572 7411, Fax: (435) 578 7411
>>
>>
>> -----Original Message-----
>> From: fedora-directory-users-bounces at redhat.com
>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of
>> Michael Ströder
>> Sent: Thursday, June 19, 2008 3:48 AM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: Re: [Fedora-directory-users] LDAP Load Tools
>>
>> Michael Brown wrote:
>>
>>> I'm working with an RHDS customer (currently RHDS 7.1sp3, hopefully
>>> moving to sp6 soon, or RHDS 8) with large attribute requirements
>>> (some attributes 25-30 Mbytes)
>>>
>>
>> Never saw a deployment where you store several MB into attributes.
>> I'm really curious whether that works? I know you can store this
>> amount of data but whether it really works for many entries.
>>
>> Ciao, Michael.
>>
>
> As an FYI... The issue in the environment in which I'm working is not
> a data at rest issue for the large attributes, but rather a
> replication and writing issue.
>
> This is a US Government customer who has deployed a large PKI and LDAP
> infrastructure based upon the Red Hat CA and DS products, and they
> have several CA's with large certificate revocation lists approaching
> several tens of Mbytes each (the customer has issued tens of millions
> of certs from all the CAs deployed, and has revoked > 20% of these
> prior to expiration at any one time for various reasons, thus the
> large CRLs).
These CRLs are published to Red Hat DS instances in the
> certificateRevocationList;binary attribute in the entry for each CA
> and replicated to consumer DS instances and customers who require the
> CRLs. OCSP is also used, but CRLs are still required for many
> applications.
>
> This is a reasonably mature architecture as far as PKI and LDAP are
> concerned, first deployed in 1999 or thereabouts (think Netscape
> days), but the large CRL growth has been problematic both in
> generation and in publishing/replication at times. The publishing and
> replication tuning is what I'm trying to address with additional lab
> testing.
>
> The Red Hat CA and DS solutions have shown themselves to be scalable
> and secure in this environment, with proper care and tuning.
>
> Michael
>
I sometimes use rpm's or tar files to represent large attributes.
M.

From edlinuxguru at gmail.com Thu Jun 19 15:08:20 2008
From: edlinuxguru at gmail.com (Edward Capriolo)
Date: Thu, 19 Jun 2008 11:08:20 -0400
Subject: [Fedora-directory-users] LDAP Load Tools
In-Reply-To: <485A6B50.2090603@redhat.com>
References: <4859CAF1.90108@redhat.com> <485A0F19.2010205@stroeder.com> <5542485358217A4EB9893C4F12C42BF9E31459@itm-bb01.exch.it-mgt.net> <485A69ED.30200@redhat.com> <485A6B50.2090603@redhat.com>
Message-ID:

I see there is much work on the LDAP schema side to support PKE and such tools. However I rarely find documents about how it is incorporated into a Linux sign on system namely SSH. Can anyone point towards good documentation?

I find information on: Roumen Petrov's OpenSSH X.509 patch http://roumenpetrov.info/openssh/

The information seems a little bit vague. Is there a document that shows how to:
1) setup a PKI infrastructure in LDAP.
2) Generate a CA and store it in LDAP
3) Generate client certificates and store them in LDAP
4) Compile and patch ssh server
5) Setup and configure ssh server

I was able to get openssh-lpk up and running quickly. However it stores public keys in LDAP. It is not a complete PKI. With revocation lists etc. Since PKI is being used in wide range large scale deployments there should be some strong documentation on it? PKI + SSH + LDAP?

On Thu, Jun 19, 2008 at 10:21 AM, Marc Sauton wrote:
> Michael Brown wrote:
>>
>> Sanga M. Collins wrote:
>>>
>>> I think the deployment guide suggests you use pointers instead of loading
>>> large pieces of data into the directory
>>>
>>> Sanga M. Collins Network Engineering
>>> ~~~~~~~~~~~~~~~~~~~~~~~
>>> IT Management LLC
>>> 6491 Sunset Strip #5, Sunrise Fl, 33313
>>> Tel: (954) 572 7411, Fax: (435) 578 7411
>>>
>>>
>>> -----Original Message-----
>>> From: fedora-directory-users-bounces at redhat.com
>>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Michael
>>> Ströder
>>> Sent: Thursday, June 19, 2008 3:48 AM
>>> To: General discussion list for the Fedora Directory server project.
>>> Subject: Re: [Fedora-directory-users] LDAP Load Tools
>>>
>>> Michael Brown wrote:
>>>
>>>>
>>>> I'm working with an RHDS customer (currently RHDS 7.1sp3, hopefully
>>>> moving to sp6 soon, or RHDS 8) with large attribute requirements (some
>>>> attributes 25-30 Mbytes)
>>>>
>>>
>>> Never saw a deployment where you store several MB into attributes. I'm
>>> really curious whether that works? I know you can store this amount of data
>>> but whether it really works for many entries.
>>>
>>> Ciao, Michael.
>>>
>>
>> As an FYI... The issue in the environment in which I'm working is not a
>> data at rest issue for the large attributes, but rather a replication and
>> writing issue.
>>
>> This is a US Government customer who has deployed a large PKI and LDAP
>> infrastructure based upon the Red Hat CA and DS products, and they have
>> several CA's with large certificate revocation lists approaching several
>> tens of Mbytes each (the customer has issued tens of millions of certs from
>> all the CAs deployed, and has revoked > 20% of these prior to expiration at
>> any one time for various reasons, thus the large CRLs). These CRLs are
>> published to Red Hat DS instances in the certificateRevocationList;binary
>> attribute in the entry for each CA and replicated to consumer DS instances
>> and customers who require the CRLs. OCSP is also used, but CRLs are still
>> required for many applications.
>>
>> This is a reasonably mature architecture as far as PKI and LDAP are
>> concerned, first deployed in 1999 or thereabouts (think Netscape days), but
>> the large CRL growth has been problematic both in generation and in
>> publishing/replication at times. The publishing and replication tuning is
>> what I'm trying to address with additional lab testing.
>>
>> The Red Hat CA and DS solutions have shown themselves to be scalable and
>> secure in this environment, with proper care and tuning.
>>
>> Michael
>>
>
> I sometimes use rpm's or tar files to represent large attributes.
> M.

From edlinuxguru at gmail.com Thu Jun 19 15:25:34 2008
From: edlinuxguru at gmail.com (Edward Capriolo)
Date: Thu, 19 Jun 2008 11:25:34 -0400
Subject: [Fedora-directory-users] newbie question - roles AND groups?
In-Reply-To: <485A61BD.3090902@redhat.com>
References: <88937017-7F2F-4A59-A6B4-671092F62343@post.pl> <485A61BD.3090902@redhat.com>
Message-ID:

If you take a look at OpenLDAP it has dynamic 'overlays'. http://www.openldap.org/doc/admin24/overlays.html#Dynamic%20Lists.

The main gist of it is that an LDAP Query can be saved in an object. This is similar in my mind to an SQL View.

So nss_ldap would reference a dynamic_overlay like object and that would re-search for the actual content to be returned to the user. Having the object work in this read-only sense would make it less complicated than http://directory.fedoraproject.org/wiki/MemberOf_Plugin and still fit the need nicely.

It would be more generic than memberOf and I can see a lot of uses for it. Maybe another such plug in exists that I am not aware of.

2008/6/19 Richard Megginson:
> Grzegorz Marszałek wrote:
>>
>> Hello!
>>
>> I'm newbie to Fedora Directory, but it has two significant features - acl
>> and nested roles.
>>
>> But I could find a way to use roles as groups. That is - I'd like to
>> define role, and then use this to define posix group, which I can use via
>> nss_ldap on my servers. At first glance it seems that dynamic groups will do
>> what I want - I just defined filter to include all users with particular
>> role in group. But unfortunately dynamic groups aren't resolved by server,
>> you need client application to do that :(
>>
>>
>> So the question is: is there any way to do this without writing my own
>> slapi plugin?
>
> No, not currently. But several other users have expressed an interest in a
> feature like this.
There is another new feature related to this concept
> that is currently in Fedora DS and being improved for the next version -
> http://directory.fedoraproject.org/wiki/MemberOf_Plugin
>
> Would you be able to create a wiki page to explain your requirements for
> such a feature? That would be a very good place to start designing this
> feature.
>>
>> Thanks!
>> ---
>> Grzegorz Marszałek
>> graf0 at post.pl
>>

From graf0 at post.pl Thu Jun 19 15:48:30 2008
From: graf0 at post.pl (Grzegorz Marszałek)
Date: Thu, 19 Jun 2008 17:48:30 +0200
Subject: [Fedora-directory-users] newbie question - roles AND groups?
In-Reply-To: <485A61BD.3090902@redhat.com>
References: <88937017-7F2F-4A59-A6B4-671092F62343@post.pl> <485A61BD.3090902@redhat.com>
Message-ID: <359725A7-3314-40D0-B34D-814A76EF1A8F@post.pl>

Hi!

>
> Would you be able to create a wiki page to explain your requirements
> for such a feature? That would be a very good place to start
> designing this feature.

http://directory.fedoraproject.org/wiki/RolesAsGroupsRequirements

I've got a little carried away :) And sorry for my English.

>

Bye
---
Grzegorz Marszałek
graf0 at post.pl

From nkinder at redhat.com Thu Jun 19 16:41:58 2008
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 19 Jun 2008 09:41:58 -0700
Subject: [Fedora-directory-users] newbie question - roles AND groups?
In-Reply-To:
References: <88937017-7F2F-4A59-A6B4-671092F62343@post.pl> <485A61BD.3090902@redhat.com>
Message-ID: <485A8C56.5020402@redhat.com>

Edward Capriolo wrote:
> If you take a look at OpenLDAP it has dynamic 'overlays'.
> http://www.openldap.org/doc/admin24/overlays.html#Dynamic%20Lists.
>
> The main gist of it is that an LDAP Query can be saved in an object.
> This is similar in my mind to an SQL View.
>
> So nss_ldap would reference a dynamic_overlay like object and that
> would re-search for the actual content to be returned to the user.
> Having the object work in this read-only sense would make it less
> complicated than
> http://directory.fedoraproject.org/wiki/MemberOf_Plugin and still fit
> the need nicely.
>
The overlay approach is less complicated, but it doesn't appear to deal with nested groups.

The complexity of the memberOf plug-in is due to this support for nested groups. The approach of having to do multiple searches to resolve a user's nested memberships every time you just want to find out what groups you belong to would have a negative performance impact for reads over generating the memberOf attribute values when an actual membership modification is made. The assumption is that membership checks occur more often than membership changes, so performing all of the work up front when the modify takes place is best.
> It would be more generic than memberOf and I can see a lot of uses for
> it. Maybe another such plug in exists that I am not aware of.
>
The plan for the memberOf plug-in is to make it more generic. The current code in CVS allows the attributes it acts on to be configurable. Other changes would need to be made to the plug-in to allow it to truly be a general purpose linked attribute plug-in. In particular, the ability to turn off the nesting capability, configure multiple linked attributes, and define which suffix(es) to operate on would be very useful.
>
> 2008/6/19 Richard Megginson:
>
>> Grzegorz Marszałek wrote:
>>
>>> Hello!
>>>
>>> I'm newbie to Fedora Directory, but it has two significant features - acl
>>> and nested roles.
>>>
>>> But I could find a way to use roles as groups. That is - I'd like to
>>> define role, and then use this to define posix group, which I can use via
>>> nss_ldap on my servers.
At first glance it seems that dynamic groups will do
>>> what I want - I just defined filter to include all users with particular
>>> role in group. But unfortunately dynamic groups aren't resolved by server,
>>> you need client application to do that :(
>>>
>>>
>>> So the question is: is there any way to do this without writing my own
>>> slapi plugin?
>>>
>> No, not currently. But several other users have expressed an interest in a
>> feature like this. There is another new feature related to this concept
>> that is currently in Fedora DS and being improved for the next version -
>> http://directory.fedoraproject.org/wiki/MemberOf_Plugin
>>
>> Would you be able to create a wiki page to explain your requirements for
>> such a feature? That would be a very good place to start designing this
>> feature.
>>
>>> Thanks!
>>> ---
>>> Grzegorz Marszałek
>>> graf0 at post.pl
>>>

From edlinuxguru at gmail.com Thu Jun 19 17:20:09 2008
From: edlinuxguru at gmail.com (Edward Capriolo)
Date: Thu, 19 Jun 2008 13:20:09 -0400
Subject: [Fedora-directory-users] newbie question - roles AND groups?
In-Reply-To: <485A8C56.5020402@redhat.com>
References: <88937017-7F2F-4A59-A6B4-671092F62343@post.pl> <485A61BD.3090902@redhat.com> <485A8C56.5020402@redhat.com>
Message-ID:

That would be great for netgroups, that would solve one of the big drawbacks of netgroups in LDAP, being able to quickly query and see who has access to what system. Otherwise you need the client application to figure it out.

2008/6/19 Nathan Kinder:
> Edward Capriolo wrote:
>>
>> If you take a look at OpenLDAP it has dynamic 'overlays'.
>> http://www.openldap.org/doc/admin24/overlays.html#Dynamic%20Lists.
>>
>> The main gist of it is that an LDAP Query can be saved in an object.
>> This is similar in my mind to an SQL View.
>>
>> So nss_ldap would reference a dynamic_overlay like object and that
>> would re-search for the actual content to be returned to the user.
>> Having the object work in this read-only sense would make it less
>> complicated than
>> http://directory.fedoraproject.org/wiki/MemberOf_Plugin and still fit
>> the need nicely.
>>
>
> The overlay approach is less complicated, but it doesn't appear to deal with
> nested groups.
>
> The complexity of the memberOf plug-in is due to this support for nested
> groups. The approach of having to do multiple searches to resolve a user's
> nested memberships every time you just want to find out what groups you
> belong to would have a negative performance impact for reads over generating
> the memberOf attribute values when an actual membership modification is
> made. The assumption is that membership checks occur more often than
> membership changes, so performing all of the work up front when the modify
> takes place is best.
>>
>> It would be more generic than memberOf and I can see a lot of uses for
>> it. Maybe another such plug in exists that I am not aware of.
>>
>
> The plan for the memberOf plug-in is to make it more generic. The current
> code in CVS allows the attributes it acts on to be configurable.
Other
> changes would need to be made to the plug-in to allow it to truly be a general
> purpose linked attribute plug-in. In particular, the ability to turn off
> the nesting capability, configure multiple linked attributes, and define
> which suffix(es) to operate on would be very useful.
>>
>> 2008/6/19 Richard Megginson:
>>
>>>
>>> Grzegorz Marszałek wrote:
>>>
>>>>
>>>> Hello!
>>>>
>>>> I'm newbie to Fedora Directory, but it has two significant features - acl
>>>> and nested roles.
>>>>
>>>> But I could find a way to use roles as groups. That is - I'd like to
>>>> define role, and then use this to define posix group, which I can use via
>>>> nss_ldap on my servers. At first glance it seems that dynamic groups will do
>>>> what I want - I just defined filter to include all users with particular
>>>> role in group. But unfortunately dynamic groups aren't resolved by server,
>>>> you need client application to do that :(
>>>>
>>>>
>>>> So the question is: is there any way to do this without writing my own
>>>> slapi plugin?
>>>>
>>>
>>> No, not currently. But several other users have expressed an interest in a
>>> feature like this. There is another new feature related to this concept
>>> that is currently in Fedora DS and being improved for the next version -
>>> http://directory.fedoraproject.org/wiki/MemberOf_Plugin
>>>
>>> Would you be able to create a wiki page to explain your requirements for
>>> such a feature? That would be a very good place to start designing this
>>> feature.
>>>
>>>>
>>>> Thanks!
>>>> ---
>>>> Grzegorz Marszałek
>>>> graf0 at post.pl
>>>>

From daniel.cruz at sc.senai.br Thu Jun 19 20:20:01 2008
From: daniel.cruz at sc.senai.br (DANIEL CRISTIAN CRUZ)
Date: Thu, 19 Jun 2008 17:20:01 -0300
Subject: [Fedora-directory-users] Replication messages
In-Reply-To: <485A6298.1020300@redhat.com>
Message-ID: <637246ffcbe84ac1e057d9cf9f5046ec@intranet.sc.senai.br>

"Richard Megginson" wrote:
> DANIEL CRISTIAN CRUZ wrote:
>>
>> No one knows what DB_BUFFER_SMALL means on Fedora DS?
>>
>> How does a change were not found in the changelog? A problem? A bug?
>> Something "usual"?
>>
> I believe this is the following bug -
> https://bugzilla.redhat.com/show_bug.cgi?id=442170 - we are still
> working on it.

Hummm, didn't find this bug before. Why does Google get blind about Fedora DS?

>> Is there anything that could prevent this error?
>>
> Are you using password policy with account lockout?

We are using another hash, only. Passwords and Account Lockout are default.
>> "DANIEL CRISTIAN CRUZ" wrote:
>>
>>
>>> Hi all,
>>>
>>> I had some error messages that I don't understand:
>>>
>>> [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - changelog program - agmt="cn=m1-m2-xxx" (m2:389): Failed to retrieve change with CSN 4857f6db000000010000; db error - -30999 DB_BUFFER_SMALL: User memory too small for return value
>>> [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - agmt="cn=m1-m2-xxx" (m2:389): A changelog database error was encountered
>>> [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - changelog program - agmt="cn=m1-c1-xxx" (c1:389): Failed to retrieve change with CSN 4857f6db000000010000; db error - -30999 DB_BUFFER_SMALL: User memory too small for return value
>>> [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - agmt="cn=m1-c1-xxx" (c1:389): A changelog database error was encountered
>>> [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - changelog program - agmt="cn=m1-c2-xxx" (c2:389): Failed to retrieve change with CSN 4857f6db000000010000; db error - -30999 DB_BUFFER_SMALL: User memory too small for return value
>>> [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - agmt="cn=m1-c2-xxx" (c2:389): A changelog database error was encountered
>>> [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - changelog program - agmt="cn=m1-c3-xxx" (c3:389): Failed to retrieve change with CSN 4857f6db000000010000; db error - -30999 DB_BUFFER_SMALL: User memory too small for return value
>>> [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - agmt="cn=m1-c3-xxx" (c3:389): A changelog database error was encountered
>>>
>>> My schema has two multi masters: m1 and m2, and many consumers c1,
>>> c2, c3, ..., cX.
>>>
>>> There are replication agreements between m1 and m2.
>>>
>>> There are replication agreements from each master to all consumers.
>>>
>>> It's the second time I saw the problem, and I need to make a full
>>> initialize from m1 to all others, where the log above was taken from
>>> m1. m1 receives updates from m2, even after this error.
>>>
>>> After initializing m2 from m1: I saw the message on m2:
>>>
>>> [17/Jun/2008:15:02:04 -0300] NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for replica ou=foo,o=bar does not match the data in the changelog. Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized.
>>>
>>> In a test environment I didn't get this problem.
>>>
>>> Is there something wrong in my structure (two masters and many
>>> consumers)?
>>>
>>> Is any configuration missing (some gotchas)?
>>>
>>> Any help would be appreciated.
>>>
>>> Regards,
>>>
>> ------------------------------------------------------------------------
>>
>> *Daniel Cristian Cruz*
>> *Administrador de Banco de Dados
>> *Direção Regional - *Núcleo de Tecnologia da Informação
>> SENAI - SC
>> Telefone: 48-3239-1422 (ramal 1422)*
>>
>> ------------------------------------------------------------------------

-- 
Daniel Cristian Cruz
Administrador de Banco de Dados
Direção Regional - Núcleo de Tecnologia da Informação
SENAI - SC
Telefone: 48-3239-1422 (ramal 1422)

From rmeggins at redhat.com Thu Jun 19 23:15:36 2008
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 19 Jun 2008 19:15:36 -0400
Subject: [Fedora-directory-users] Replication messages
In-Reply-To: <637246ffcbe84ac1e057d9cf9f5046ec@intranet.sc.senai.br>
References:
<637246ffcbe84ac1e057d9cf9f5046ec@intranet.sc.senai.br> Message-ID: <485AE898.5070206@redhat.com> DANIEL CRISTIAN CRUZ wrote: > "Richard Megginson" escreveu: > >> DANIEL CRISTIAN CRUZ wrote: >> >>> No one knows what DB_BUFFER_SMALL mean on Fedora DS? >>> >>> How does a change were not found in the changelog? A problem? A bug? >>> Something "usual"? >>> >>> >> I believe this is the following bug - >> https://bugzilla.redhat.com/show_bug.cgi?id=442170 - we are still >> working on it. >> > > Hummm, didn't found this bug before. Why does google get blind aboud fedora > ds? > > >>> Is there anything that could prevent this error? >>> >>> >> Are you using password policy with account lockout? >> > > We are using another hash, only. Passwords and Account Lockout are default. > Hmm - then this may just be https://bugzilla.redhat.com/show_bug.cgi?id=442170 instead > >>> "DANIEL CRISTIAN CRUZ" escreveu: >>> >>> >>> >>>> Hi all, >>>> >>>> I had some error messages that I don't understood: >>>> >>>> [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - changelog program - >>>> agmt="cn=m1-m2-xxx" (m2:389): Failed to retrieve change with CSN >>>> 4857f6db000000010000; db error - -30999 >>>> DB_BUFFER_SMALL: User memory too small for return value >>>> [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - agmt="cn=m1-m2-xxx" >>>> (m2:389): A changelog database error was encountered >>>> [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - changelog program - >>>> agmt="cn=m1-c1-xxx" (c1:389): Failed to retrieve change with CSN >>>> 4857f6db000000010000; db error - -30999 DB_BUFFER >>>> _SMALL: User memory too small for return value >>>> [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - agmt="cn=m1-c1-xxx" >>>> (c1:389): A changelog database error was encountered >>>> [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - changelog program - >>>> agmt="cn=m1-c2-xxx" (c2:389): Failed to retrieve change with CSN >>>> 4857f6db000000010000; db error - -30999 >>>> DB_BUFFER_SMALL: User 
memory too small for return value >>>> [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - agmt="cn=m1-c2-xxx" >>>> (c2:389): A changelog database error was encountered >>>> [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - changelog program - >>>> agmt="cn=m1-c3-xxx" (c3:389): Failed to retrieve change with CSN >>>> 4857f6db000000010000; db error - -30999 DB_ >>>> BUFFER_SMALL: User memory too small for return value >>>> [17/Jun/2008:14:39:11 -0300] NSMMReplicationPlugin - agmt="cn=m1-c3-xxx" >>>> (c3:389): A changelog database error was encountered >>>> >>>> My schema has two multi masters: m1 and m2, and many consumers c1, >>>> c2, c3, ..., cX. >>>> >>>> There are replication agreements between m1 and m2. >>>> >>>> There are replication agreements from each master to all consumers. >>>> >>>> It's the second time I saw the problem, and I need to make a full >>>> initialize from m1 to all others, where the log above were taken from >>>> m1. m1 receive updates from m2, even after this error. >>>> >>>> After initializing m2 from m1: I saw the message on m2: >>>> >>>> [17/Jun/2008:15:02:04 -0300] NSMMReplicationPlugin - replica_reload_ruv: >>>> Warning: new data for replica ou=foo,o=bar does not match the data in >>>> > the > >>>> changelog. >>>> Recreating the changelog file. This could affect replication with >>>> > replica's > >>>> consumers in which case the consumers should be reinitialized. >>>> >>>> In a test environment I didn't got this problem. >>>> >>>> Is there something wrong in my structure (two masters and many >>>> consumers)? >>>> >>>> Is any configuration missing (some gotchas)? >>>> >>>> Any help would be apreciated. 
>>>> >>>> Regards, >>>> >>>> >>> ------------------------------------------------------------------------ >>> >>> *Daniel Cristian Cruz* >>> *Administrador de Banco de Dados >>> *Dire??o Regional - *N?cleo de Tecnologia da Informa??o >>> SENAI - SC >>> Telefone: 48-3239-1422 (ramal 1422)* >>> >>> ------------------------------------------------------------------------ >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >> >> > > -------------------------------- > -- > >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > -- > Daniel Cristian Cruz > Administrador de Banco de Dados > Dire??o Regional - N?cleo de Tecnologia da Informa??o > SENAI - SC > Telefone: 48-3239-1422 (ramal 1422) > > > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Thu Jun 19 23:17:07 2008 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 19 Jun 2008 19:17:07 -0400 Subject: [Fedora-directory-users] newbie question - roles AND groups? In-Reply-To: <359725A7-3314-40D0-B34D-814A76EF1A8F@post.pl> References: <88937017-7F2F-4A59-A6B4-671092F62343@post.pl> <485A61BD.3090902@redhat.com> <359725A7-3314-40D0-B34D-814A76EF1A8F@post.pl> Message-ID: <485AE8F3.5080809@redhat.com> Grzegorz Marsza?ek wrote: > Hi! >> >> Would you be able to create a wiki page to explain your requirements >> for such a feature? That would be a very good place to start >> designing this feature. > http://directory.fedoraproject.org/wiki/RolesAsGroupsRequirements > > I've got little carried away :) > And sorry for my english. This is very good. Thanks! What do other people think? Interesting? 
>> > > Bye > --- > Grzegorz Marsza?ek > graf0 at post.pl > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From debajit_kataki at rediffmail.com Fri Jun 20 14:50:49 2008 From: debajit_kataki at rediffmail.com (debu) Date: 20 Jun 2008 14:50:49 -0000 Subject: [Fedora-directory-users] MMR issue Message-ID: <20080620145049.5453.qmail@f4mail-235-220.rediffmail.com> Hi Guys, I am stuck in a very crucial FDS server issue, it would be great if any one of you can help me somehow. We are upgrading from Fedora Directory Service from 1.0.4 to 1.1.0-3 We have one existing Server with 1.0.4 Now To one server we have initialized the data base and we were able to load the full DB. But, and when we start the replication we see the following error, and the incremental update is not happening. We are going for a multi master replication. Here is the error. On Supplier: (FDS Version 1.0.4) OS: Red Hat Enterprise Linux ES release 4 (Nahant) [17/Jun/2008:11:23:35 +051800] NSMMReplicationPlugin - agmt="cn=Replication_to_10.91.X.Y" (10:8888): Unable to acquire replica: Excessive clock skew between the supplier and the consumer. Replication is aborting. 
[17/Jun/2008:11:23:35 +051800] NSMMReplicationPlugin - agmt="cn=Replication_to_10.91.X.Y" (10:8888): Incremental update failed and requires administrator action On consumer: (FD version 1.1.0-3) OS: Red Hat Enterprise Linux Server release 5.1 (Tikanga) [17/Jun/2008:11:12:59 +051800] NSMMReplicationPlugin - conn=46251 op=1975 replica="o=TejaUsers": Unable to acquire replica: error: excessive clock skew [17/Jun/2008:11:23:34 +051800] - csngen_adjust_time: adjustment limit exceeded; value - 86401, limit - 86400 [17/Jun/2008:11:23:34 +051800] NSMMReplicationPlugin - conn=46461 op=792 replica="o=TejaUsers": Unable to acquire replica: error: excessive clock skew Now, My doubt is we succeded in a test environment with the same, with the only diference that we had the same OS in both the server, rest all same. Our servers are perfectly synced with NTP also. Please help in this scenario.. Regards ~Debajit -------------- next part -------------- An HTML attachment was scrubbed... URL: From stpierre at NebrWesleyan.edu Fri Jun 20 16:06:11 2008 From: stpierre at NebrWesleyan.edu (Chris St. Pierre) Date: Fri, 20 Jun 2008 11:06:11 -0500 (CDT) Subject: [Fedora-directory-users] MMR issue In-Reply-To: <20080620145049.5453.qmail@f4mail-235-220.rediffmail.com> References: <20080620145049.5453.qmail@f4mail-235-220.rediffmail.com> Message-ID: Did you try the workaround in the bug report I sent to you on the Redhat list? What were your results? For reference, that bug is https://bugzilla.redhat.com/show_bug.cgi?id=233642 Chris St. Pierre Unix Systems Administrator Nebraska Wesleyan University On Fri, 20 Jun 2008, debu wrote: > > > Hi Guys, > > I am stuck in a very crucial FDS server issue, it would be great if any one of you can help me somehow. > > We are upgrading from Fedora Directory Service from 1.0.4 to 1.1.0-3 > > We have one existing Server with 1.0.4 > > Now To one server we have initialized the data base and we were able to load the full DB. 
But, and when we start the replication we see the following error, and the incremental update is not happening.
>
> We are going for a multi master replication.
>
>
> Here is the error.
>
> On Supplier: (FDS Version 1.0.4) OS: Red Hat Enterprise Linux ES release 4 (Nahant)
>
>
> [17/Jun/2008:11:23:35 +051800] NSMMReplicationPlugin - agmt="cn=Replication_to_10.91.X.Y" (10:8888): Unable to acquire replica: Excessive clock skew between the supplier and the consumer. Replication is aborting.
>
> [17/Jun/2008:11:23:35 +051800] NSMMReplicationPlugin - agmt="cn=Replication_to_10.91.X.Y" (10:8888): Incremental update failed and requires administrator action
>
>
>
> On consumer: (FD version 1.1.0-3) OS: Red Hat Enterprise Linux Server release 5.1 (Tikanga)
>
>
>
> [17/Jun/2008:11:12:59 +051800] NSMMReplicationPlugin - conn=46251 op=1975 replica="o=TejaUsers": Unable to acquire replica: error: excessive clock skew
>
> [17/Jun/2008:11:23:34 +051800] - csngen_adjust_time: adjustment limit exceeded; value - 86401, limit - 86400
>
> [17/Jun/2008:11:23:34 +051800] NSMMReplicationPlugin - conn=46461 op=792 replica="o=TejaUsers": Unable to acquire replica: error: excessive clock skew
>
>
> Now, My doubt is we succeded in a test environment with the same, with the only diference that we had the same OS in both the server, rest all same. Our servers are perfectly synced with NTP also.
>
> Please help in this scenario..
>
> Regards
> ~Debajit

From edlinuxguru at gmail.com Fri Jun 20 19:40:52 2008
From: edlinuxguru at gmail.com (Edward Capriolo)
Date: Fri, 20 Jun 2008 15:40:52 -0400
Subject: [Fedora-directory-users] Trying to follow the howto ssl from wiki
Message-ID:

I was attempting to follow...http://directory.fedoraproject.org/wiki/Howto:SSL

I first ran the script http://directory.fedoraproject.org/download/setupssl2.sh

After completing fds would not start. I rein

I eventually ended up reading the script and running every operation step by step. That was quite an ordeal. All the steps ran however no errors.

[root at ldapslave1 slapd-ldapslave1]# /etc/init.d/dirsrv start
Starting dirsrv:
ldapslave1...Warning: Incorrect PIN may result in disabling the token
Enter PIN for Internal (Software) Token:

I replaced the data inside pin.txt with :
Internal (Software) Token:dirserv_cert_password

But I am still getting the same message. Is this just a bogus message? The problem could be elsewhere?

Thanks in advance.

(ps -ef ; w) | sha1sum > /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
chown fds:fds /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
(w ; ps -ef ; date ) | sha1sum | awk '{print $1}' > /etc/dirsrv/slapd-ldapslave1/noise.txt
chown fds:fds /etc/dirsrv/slapd-ldapslave1/noise.txt
certutil -N -P new- -d /etc/dirsrv/slapd-ldapslave1 -f /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
chown fds:fds /etc/dirsrv/slapd-ldapslave1/key3.db
chown fds:fds /etc/dirsrv/slapd-ldapslave1/cert8.db
chmod 600 /etc/dirsrv/slapd-ldapslave1/key3.db
chmod 600 /etc/dirsrv/slapd-ldapslave1/cert8.db
certutil -G -P new- -d /etc/dirsrv/slapd-ldapslave1 -z /etc/dirsrv/slapd-ldapslave1/noise.txt -f /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
certutil -S -P new- /etc/dirsrv/slapd-ldapslave1/ -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d /etc/dirsrv/slapd-ldapslave1 -z /etc/dirsrv/slapd-ldapslave1/noise.txt -f /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
certutil -L -P new- -d /etc/dirsrv/slapd-ldapslave1 -n "CA certificate" -a > /etc/dirsrv/slapd-ldapslave1/cacert.asc
pk12util -d /etc/dirsrv/slapd-ldapslave1 -P new- -o /etc/dirsrv/slapd-ldapslave1/cacert.p12 -n "CA certificate" -w /etc/dirsrv/slapd-ldapslave1/pwdfile.txt -k /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
certutil -S -P new- -n "Server-Cert" -s "cn=ldapslave1.ops.ec.com,ou=Fedora Directory Server" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d /etc/dirsrv/slapd-ldapslave1/ -z /etc/dirsrv/slapd-ldapslave1/noise.txt -f /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
certutil -S -P new- -n "server-cert" -s "cn=ldapslave1.ops.ec.com,ou=Fedora Administration Server" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d /etc/dirsrv/slapd-ldapslave1/ -z /etc/dirsrv/slapd-ldapslave1/noise.txt -f /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
pk12util -d /etc/dirsrv/slapd-ldapslave1 -P new- -o /etc/dirsrv/slapd-ldapslave1/adminserver.p12 -n server-cert -w /etc/dirsrv/slapd-ldapslave1/pwdfile.txt -k /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
chown fds:fds /etc/dirsrv/slapd-ldapslave1/adminserver.p12
chmod 400 /etc/dirsrv/slapd-ldapslave1/adminserver.p12
cat /etc/dirsrv/slapd-ldapslave1/pwdfile.txt > /etc/dirsrv/slapd-ldapslave1/pin.txt
chmod 400 /etc/dirsrv/slapd-ldapslave1/pin.txt
mv /etc/dirsrv/slapd-ldapslave1/cert8.db /etc/dirsrv/slapd-ldapslave1/orig-cert8.db
mv /etc/dirsrv/slapd-ldapslave1/key3.db /etc/dirsrv/slapd-ldapslave1/orig-key3.db
certutil -N -d /etc/dirsrv/slapd-ldapslave1 -P admin-serv- -f /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
chown fds:fds /etc/dirsrv/slapd-ldapslave1/admin-serv-*.db
[root at ldapslave1 tmp]# chmod 600 /etc/dirsrv/slapd-ldapslave1/admin-serv-*.db
pk12util -d /etc/dirsrv/slapd-ldapslave1/ -P admin-serv- -n server-cert -i /etc/dirsrv/slapd-ldapslave1/adminserver.p12 -w /etc/dirsrv/slapd-ldapslave1/pwdfile.txt -k /etc/dirsrv/slapd-ldapslave1/pwdfile.txt
certutil -A -d /etc/dirsrv/slapd-ldapslave1/ -P admin-serv- -n "CA certificate" -t "CT,," -a -i /etc/dirsrv/slapd-ldapslave1/cacert.asc
cat /etc/dirsrv/slapd-ldapslave1/pwdfile.txt > /etc/dirsrv/slapd-ldapslave1/password.conf
chmod 400 /etc/dirsrv/slapd-ldapslave1/password.conf
chown fds:fds /etc/dirsrv/slapd-ldapslave1/password.conf
sed -e "s@^NSSPassPhrasDialog .*@NSSPassPhraseDialog file:/etc/dirsrv/slapd-ldapslave1/password/conf
mv /etc/dirsrv/slapd-ldapslave1/new-key3.db /etc/dirsrv/slapd-ldapslave1/key3.db
mv /etc/dirsrv/slapd-ldapslave1/new-cert8.db /etc/dirsrv/slapd-ldapslave1/cert8.db
ldapmodify -x -h localhost -p 389 -D "cn=directory manager" -W <

Hi Chris,

Thanks for your round about way.
As you suggested we have removed everything, along with that we have reinstalled the latest version in two machines, and kept one machine as is (in total we have 3 machines). Now, we configured these two servers in multi-master mode and initialized one of them from the old machine. Then all the data got pushed into the new servers. These two new machines are replicating properly. but the replication agreement between the old server and new server is breaking. But we used the console interface to push the delta of updates. But the process is very slow, may be because we haven't done db2ldif to dump the data. We are planning to push delta of updates from old server to 2 new servers (using the console interface) and remove the old server from the system. Then these two servers will become primary point of live interaction for read and write. Since, we can't afford for downtime, we have done like this. Till now the replication is happening fine. hope this continues. Thank you very much for your help. Regards, -Debu,vivek On Fri, 20 Jun 2008 Chris St.Pierre wrote : >Did you try the workaround in the bug report I sent to you on the >Redhat list? What were your results? > >For reference, that bug is https://bugzilla.redhat.com/show_bug.cgi?id=233642 > >Chris St. Pierre >Unix Systems Administrator >Nebraska Wesleyan University > >On Fri, 20 Jun 2008, debu wrote: > >> >> >>Hi Guys, >> >>I am stuck in a very crucial FDS server issue, it would be great if any one of you can help me somehow. >> >>We are upgrading from Fedora Directory Service from 1.0.4 to 1.1.0-3 >> >>We have one existing Server with 1.0.4 >> >>Now To one server we have initialized the data base and we were able to load the full DB. But, and when we start the replication we see the following error, and the incremental update is not happening. >> >>We are going for a multi master replication. >> >> >>Here is the error. 
>> >>On Supplier: (FDS Version 1.0.4) OS: Red Hat Enterprise Linux ES release 4 (Nahant) >> >> >>[17/Jun/2008:11:23:35 +051800] NSMMReplicationPlugin - agmt="cn=Replication_to_10.91.X.Y" (10:8888): Unable to acquire replica: Excessive clock skew between the supplier and the consumer. Replication is aborting. >> >>[17/Jun/2008:11:23:35 +051800] NSMMReplicationPlugin - agmt="cn=Replication_to_10.91.X.Y" (10:8888): Incremental update failed and requires administrator action >> >> >> >>On consumer: (FD version 1.1.0-3) OS: Red Hat Enterprise Linux Server release 5.1 (Tikanga) >> >> >> >>[17/Jun/2008:11:12:59 +051800] NSMMReplicationPlugin - conn=46251 op=1975 replica="o=TejaUsers": Unable to acquire replica: error: excessive clock skew >> >>[17/Jun/2008:11:23:34 +051800] - csngen_adjust_time: adjustment limit exceeded; value - 86401, limit - 86400 >> >>[17/Jun/2008:11:23:34 +051800] NSMMReplicationPlugin - conn=46461 op=792 replica="o=TejaUsers": Unable to acquire replica: error: excessive clock skew >> >> >>Now, My doubt is we succeded in a test environment with the same, with the only diference that we had the same OS in both the server, rest all same. Our servers are perfectly synced with NTP also. >> >>Please help in this scenario.. >> >>Regards >>~Debajit -------------- next part -------------- An HTML attachment was scrubbed... URL: From betito2208 at hotmail.com Sat Jun 21 18:54:06 2008 From: betito2208 at hotmail.com (beto ..) Date: Sat, 21 Jun 2008 18:54:06 +0000 Subject: [Fedora-directory-users] help!! Message-ID: hello everybody!! i need add windows machine to FDS but i can't. Anybody can help me please!!! pd: sorry for my english.beto!!! _________________________________________________________________ MSN Noticias http://noticias.msn.es/comunidad.aspx -------------- next part -------------- An HTML attachment was scrubbed... URL: From sanga.c at it-mgt.com Sun Jun 22 02:09:26 2008 From: sanga.c at it-mgt.com (Sanga M. 
Collins) Date: Sat, 21 Jun 2008 22:09:26 -0400 Subject: [Fedora-directory-users] directory tree strategy Message-ID: <5542485358217A4EB9893C4F12C42BF92191@itm-bb01.exch.it-mgt.net> i am planning to move from novell edirectory to fedora ds. i have some questions about deployment strategies. i would like to have 2 Directory server at a data center doing multi master replication. i would also like to have a directory at all our remote locations (30 sites) that will replicate back to the 2 master servers. if each site has its own root suffix eg dc=site1, dc=site2, dc=site3, and the masters have their own root suffix eg dc=master1, dc=master2, do i create additional root suffix on the masters with its own database that corresponds with the root suffix of each remote site? any suggestions are welcome. my deployment strategy is not set in stone, and info from anyone who has done something similar will be very useful -------------- next part -------------- An HTML attachment was scrubbed... URL: From sanga.c at it-mgt.com Sun Jun 22 02:12:42 2008 From: sanga.c at it-mgt.com (Sanga M. Collins) Date: Sat, 21 Jun 2008 22:12:42 -0400 Subject: [Fedora-directory-users] help!! References: Message-ID: <5542485358217A4EB9893C4F12C42BF92193@itm-bb01.exch.it-mgt.net> at what point did your attempts to add windows pc's to a fedora domain fail? give us more info so we can help -----Original Message----- From: fedora-directory-users-bounces at redhat.com on behalf of beto .. Sent: Sat 6/21/2008 2:54 PM To: fedora-directory-users at redhat.com Subject: [Fedora-directory-users] help!! hello everybody!! i need add windows machine to FDS but i can't. Anybody can help me please!!! pd: sorry for my english. beto!!! ________________________________ Tecnolog?a, moda, motor, viajes,.suscr?bete a nuestros boletines para estar siempre a la ?ltima MSN Newsletters -------------- next part -------------- A non-text attachment was scrubbed... 
Name: winmail.dat Type: application/ms-tnef Size: 2940 bytes Desc: not available URL: From betito2208 at hotmail.com Sun Jun 22 23:52:54 2008 From: betito2208 at hotmail.com (beto ..) Date: Sun, 22 Jun 2008 23:52:54 +0000 Subject: [Fedora-directory-users] FDS + Samba +smbtools Message-ID: Hello everybody When I put this command: #smbldap-useradd -w I got this error message: Error: Insufficient 'write' privilege to the 'uidNumber' attribute of entry 'sambadomainname=ejemplo.com,dc=ejemplo,dc=com'. The configuration for /etc/smbldap-tools/smbldap_bind.conf is: ########################################### slaveDN="cn=Directory Manager,dc=ejemplo,dc=com" slavePw="passwd" masterDN="cn=Directory Manager,dc=ejemplo,dc=com" masterPw="passwd" ########################################### Pleasee!!! help me with this problem. pd: I try to use fdstools but i can't install perl dependencies!!! If anybody had a manual!! help me please. I'am desperate :S Sorry for my English, isn't very good. _________________________________________________________________ Tecnolog?a, moda, motor, viajes,?suscr?bete a nuestros boletines para estar siempre a la ?ltima http://newsletters.msn.com/hm/maintenanceeses.asp?L=ES&C=ES&P=WCMaintenance&Brand=WL&RU=http%3a%2f%2fmail.live.com From felipe at lm2.com.br Mon Jun 23 12:02:21 2008 From: felipe at lm2.com.br (=?ISO-8859-1?Q?Felipe_Alencastro_-_LM=B2?=) Date: Mon, 23 Jun 2008 09:02:21 -0300 (BRT) Subject: [Fedora-directory-users] FDS + Samba +smbtools In-Reply-To: <712546596.1081214222496980.JavaMail.root@hannibal.lm2.com.br> Message-ID: <592300180.1131214222541061.JavaMail.root@hannibal.lm2.com.br> Beto, By default FDS uses "cn=Directory Manager" instead of "cn=Directory Manager,dc=$suffix", try binding with: slaveDN="cn=Directory Manager" slavePw="passwd" masterDN="cn=Directory Manager" masterPw="passwd" ----- Mensagem original ----- De: "beto .." 
Para: fedora-directory-users at redhat.com Enviadas: Domingo, 22 de Junho de 2008 20:52:54 (GMT-0300) Auto-Detected Assunto: [Fedora-directory-users] FDS + Samba +smbtools Hello everybody When I put this command: #smbldap-useradd -w I got this error message: Error: Insufficient 'write' privilege to the 'uidNumber' attribute of entry 'sambadomainname=ejemplo.com,dc=ejemplo,dc=com'. The configuration for /etc/smbldap-tools/smbldap_bind.conf is: ########################################### slaveDN="cn=Directory Manager,dc=ejemplo,dc=com" slavePw="passwd" masterDN="cn=Directory Manager,dc=ejemplo,dc=com" masterPw="passwd" ########################################### Pleasee!!! help me with this problem. pd: I try to use fdstools but i can't install perl dependencies!!! If anybody had a manual!! help me please. I'am desperate :S Sorry for my English, isn't very good. _________________________________________________________________ Tecnolog?a, moda, motor, viajes,?suscr?bete a nuestros boletines para estar siempre a la ?ltima http://newsletters.msn.com/hm/maintenanceeses.asp?L=ES&C=ES&P=WCMaintenance&Brand=WL&RU=http%3a%2f%2fmail.live.com -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users -- Felipe Alencastro Consultor de TI RHCE 51 8145-3443 MSN: felipe at lm2.com.br Skype: felipe.alencastro LM? Consulting? 
http://www.lm2.com.br
Porto Alegre: 51 3018-1007
Florianópolis: 48 4052-9545
São Paulo: 11 3522-5606
Plantão 24hs: 51 8145-2002

From daniel.cruz at sc.senai.br Mon Jun 23 13:35:58 2008
From: daniel.cruz at sc.senai.br (DANIEL CRISTIAN CRUZ)
Date: Mon, 23 Jun 2008 10:35:58 -0300
Subject: [Fedora-directory-users] Where is Fedora DS 1.1.1?
Message-ID:

Hi all,

I didn't saw any change on the yum repositories for Fedora 6 (recommended for RH 5.1). Where are the RPMS? Is there another repository?

If I ran yum install fedora-ds, nothing happens...

Thanks,

--
Daniel Cristian Cruz
Administrador de Banco de Dados
Direção Regional - Núcleo de Tecnologia da Informação
SENAI - SC
Telefone: 48-3239-1422 (ramal 1422)
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From sanga.c at it-mgt.com Mon Jun 23 13:46:48 2008
From: sanga.c at it-mgt.com (Sanga M. Collins)
Date: Mon, 23 Jun 2008 09:46:48 -0400
Subject: [Fedora-directory-users] FDS + Samba +smbtools
References: <592300180.1131214222541061.JavaMail.root@hannibal.lm2.com.br>
Message-ID: <5542485358217A4EB9893C4F12C42BF9E31650@itm-bb01.exch.it-mgt.net>

I think that the directive "cn=Directory Manager,dc=$suffix", is used by openldap

Sanga M.
Collins Network Engineering ~~~~~~~~~~~~~~~~~~~~~~~ IT Management LLC 6491 Sunset Strip #5, Sunrise Fl, 33313 Tel: (954) 572 7411, Fax: (435) 578 7411 -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Felipe Alencastro - LM? Sent: Monday, June 23, 2008 8:02 AM To: General discussion list for the Fedora Directory server project. Cc: fedora-directory-users at redhat.com Subject: Re: [Fedora-directory-users] FDS + Samba +smbtools Beto, By default FDS uses "cn=Directory Manager" instead of "cn=Directory Manager,dc=$suffix", try binding with: slaveDN="cn=Directory Manager" slavePw="passwd" masterDN="cn=Directory Manager" masterPw="passwd" ----- Mensagem original ----- De: "beto .." Para: fedora-directory-users at redhat.com Enviadas: Domingo, 22 de Junho de 2008 20:52:54 (GMT-0300) Auto-Detected Assunto: [Fedora-directory-users] FDS + Samba +smbtools Hello everybody When I put this command: #smbldap-useradd -w I got this error message: Error: Insufficient 'write' privilege to the 'uidNumber' attribute of entry 'sambadomainname=ejemplo.com,dc=ejemplo,dc=com'. The configuration for /etc/smbldap-tools/smbldap_bind.conf is: ########################################### slaveDN="cn=Directory Manager,dc=ejemplo,dc=com" slavePw="passwd" masterDN="cn=Directory Manager,dc=ejemplo,dc=com" masterPw="passwd" ########################################### Pleasee!!! help me with this problem. pd: I try to use fdstools but i can't install perl dependencies!!! If anybody had a manual!! help me please. I'am desperate :S Sorry for my English, isn't very good. 
_________________________________________________________________ Tecnolog?a, moda, motor, viajes,?suscr?bete a nuestros boletines para estar siempre a la ?ltima http://newsletters.msn.com/hm/maintenanceeses.asp?L=ES&C=ES&P=WCMaintenance&Brand=WL&RU=http%3a%2f%2fmail.live.com -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users -- Felipe Alencastro Consultor de TI RHCE 51 8145-3443 MSN: felipe at lm2.com.br Skype: felipe.alencastro LM? Consulting? http://www.lm2.com.br Porto Alegre: 51 3018-1007 Florian?polis: 48 4052-9545 S?o Paulo: 11 3522-5606 Plant?o 24hs: 51 8145-2002 -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users From debajit_kataki at rediffmail.com Mon Jun 23 13:49:22 2008 From: debajit_kataki at rediffmail.com (debu) Date: 23 Jun 2008 13:49:22 -0000 Subject: [Fedora-directory-users] FDS SSHA to md5 Message-ID: <20080623134922.25766.qmail@f4mail-235-246.rediffmail.com> Hi ALL, We are on a process of upgrading Fedora Directory Service from 1.0 to 1.1. But now we have come across a situation where we need to enforce FDS to use md5 as the encryption schema and not SSHS for authentication purpose while storing userPassword. Please comment/help/suggest. Thanks You debu -------------- next part -------------- An HTML attachment was scrubbed... URL: From debajit_kataki at rediffmail.com Mon Jun 23 13:51:34 2008 From: debajit_kataki at rediffmail.com (debu) Date: 23 Jun 2008 13:51:34 -0000 Subject: [Fedora-directory-users] Where is Fedora DS 1.1.1? Message-ID: <20080623135134.20319.qmail@f4mail202.rediffmail.com> Hi, You need to set up yum repository to make it automated. look at step 6 here. http://directory.fedoraproject.org/wiki/Download#Enterprise_Linux_5 Hope that helps! 
Thanks debu On Mon, 23 Jun 2008 DANIEL CRISTIAN CRUZ wrote : >Hi all, > > >I didn't saw any change on the yum repositories for Fedora 6 (recommended >for RH 5.1). Where are the RPMS? Is there another repository? > > >If I ran yum install fedora-ds, nothing happens... > > >Thanks, > > >-- >Daniel Cristian Cruz >Administrador de Banco de Dados >Dire??o Regional - N?cleo de Tecnologia da Informa??o >SENAI - SC >Telefone: 48-3239-1422 (ramal 1422) > > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Mon Jun 23 15:11:45 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 23 Jun 2008 09:11:45 -0600 Subject: [Fedora-directory-users] MMR issue In-Reply-To: <20080621183328.13964.qmail@f4mail-235-132.rediffmail.com> References: <20080621183328.13964.qmail@f4mail-235-132.rediffmail.com> Message-ID: <485FBD31.5040902@redhat.com> debu wrote: > > Hi Chris, > > Thanks for your round about way. > As you suggested we have removed everything, along with that we have > reinstalled the latest version in two machines, and kept one machine > as is (in total we have 3 machines). > > Now, we configured these two servers in multi-master mode and > initialized one of them from the old machine. Then all the data got > pushed into the new servers. These two new machines are replicating > properly. > > but the replication agreement between the old server and new server is > breaking. But we used the console interface to push the delta of > updates. But the process is very slow, may be because we haven't done > db2ldif to dump the data. > > We are planning to push delta of updates from old server to 2 new > servers (using the console interface) and remove the old server from > the system. > > Then these two servers will become primary point of live interaction > for read and write. 
>
> Since, we can't afford for downtime, we have done like this.
>
> Till now the replication is happening fine.
>
> hope this continues.
>
> Thank you very much for your help.
>
We are working on a fix for the time skew issue. However, we need your help. The bug https://bugzilla.redhat.com/show_bug.cgi?id=233642 has attached to it a script which will provide us with some much needed data. You basically run this on your masters like this:

readNsState.py /etc/dirsrv/slapd-yourinstance/dse.ldif

The data that it prints out is very useful for help with debugging this problem. You can either attach the output to the bug, or just email the output to me.

Anyone else interested in helping? Anyone have MMR running? Please run the script and either attach the output to the bug or just send it to me.
>
>
> Regards,
> -Debu,vivek
>
>
> On Fri, 20 Jun 2008 Chris St.Pierre wrote :
> >Did you try the workaround in the bug report I sent to you on the
> >Redhat list? What were your results?
> >
> >For reference, that bug is https://bugzilla.redhat.com/show_bug.cgi?id=233642
> >
> >Chris St. Pierre
> >Unix Systems Administrator
> >Nebraska Wesleyan University
> >
> >On Fri, 20 Jun 2008, debu wrote:
> >
> >>
> >>
> >>Hi Guys,
> >>
> >>I am stuck in a very crucial FDS server issue, it would be great if any one of you can help me somehow.
> >>
> >>We are upgrading from Fedora Directory Service from 1.0.4 to 1.1.0-3
> >>
> >>We have one existing Server with 1.0.4
> >>
> >>Now To one server we have initialized the data base and we were able to load the full DB. But, and when we start the replication we see the following error, and the incremental update is not happening.
> >>
> >>We are going for a multi master replication.
> >>
> >>
> >>Here is the error.
> >>
> >>On Supplier: (FDS Version 1.0.4) OS: Red Hat Enterprise Linux ES release 4 (Nahant)
> >>
> >>
> >>[17/Jun/2008:11:23:35 +051800] NSMMReplicationPlugin - agmt="cn=Replication_to_10.91.X.Y" (10:8888): Unable to acquire replica: Excessive clock skew between the supplier and the consumer. Replication is aborting.
> >>
> >>[17/Jun/2008:11:23:35 +051800] NSMMReplicationPlugin - agmt="cn=Replication_to_10.91.X.Y" (10:8888): Incremental update failed and requires administrator action
> >>
> >>
> >>
> >>On consumer: (FD version 1.1.0-3) OS: Red Hat Enterprise Linux Server release 5.1 (Tikanga)
> >>
> >>
> >>
> >>[17/Jun/2008:11:12:59 +051800] NSMMReplicationPlugin - conn=46251 op=1975 replica="o=TejaUsers": Unable to acquire replica: error: excessive clock skew
> >>
> >>[17/Jun/2008:11:23:34 +051800] - csngen_adjust_time: adjustment limit exceeded; value - 86401, limit - 86400
> >>
> >>[17/Jun/2008:11:23:34 +051800] NSMMReplicationPlugin - conn=46461 op=792 replica="o=TejaUsers": Unable to acquire replica: error: excessive clock skew
> >>
> >>
> >>Now, My doubt is we succeeded in a test environment with the same, with the only difference that we had the same OS in both the server, rest all same. Our servers are perfectly synced with NTP also.
> >>
> >>Please help in this scenario..
> >>
> >>Regards
> >>~Debajit
>
-------------- next part --------------
A non-text attachment was scrubbed...
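The replication errors quoted in the message above can be picked out of a dirsrv errors log mechanically. The following is an added example, not code from the list or from the Fedora DS project: it scans the five log lines posted in this thread (supplier and consumer lines combined, wrapped lines rejoined), counts clock-skew refusals per agreement or replica, and reports by how much `csngen_adjust_time` exceeded its limit. The function names and the five-second correlation window are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines as posted in the thread (supplier and consumer), one entry per line.
SAMPLE_LOG = """\
[17/Jun/2008:11:23:35 +051800] NSMMReplicationPlugin - agmt="cn=Replication_to_10.91.X.Y" (10:8888): Unable to acquire replica: Excessive clock skew between the supplier and the consumer. Replication is aborting.
[17/Jun/2008:11:23:35 +051800] NSMMReplicationPlugin - agmt="cn=Replication_to_10.91.X.Y" (10:8888): Incremental update failed and requires administrator action
[17/Jun/2008:11:12:59 +051800] NSMMReplicationPlugin - conn=46251 op=1975 replica="o=TejaUsers": Unable to acquire replica: error: excessive clock skew
[17/Jun/2008:11:23:34 +051800] - csngen_adjust_time: adjustment limit exceeded; value - 86401, limit - 86400
[17/Jun/2008:11:23:34 +051800] NSMMReplicationPlugin - conn=46461 op=792 replica="o=TejaUsers": Unable to acquire replica: error: excessive clock skew
"""

# The zone offset is kept as raw digits: the posted lines carry six ("+051800").
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d+)\] (?P<body>.*)$"
)
TARGET_RE = re.compile(r'(?:agmt|replica)="([^"]+)"')
SKEW_RE = re.compile(r"excessive clock skew", re.IGNORECASE)
ADJUST_RE = re.compile(
    r"csngen_adjust_time: adjustment limit exceeded; value - (\d+), limit - (\d+)"
)
ADMIN_RE = re.compile(r"requires administrator action")


def scan(log_text):
    """Collect skew refusals, CSN adjustment failures and stalled agreements."""
    report = {
        "refusals": defaultdict(list),  # agreement/replica name -> timestamps
        "adjustments": [],              # one dict per csngen_adjust_time failure
        "needs_admin": set(),           # agreements that stopped incremental update
        "unparsed": 0,                  # lines that are not dirsrv log entries
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            report["unparsed"] += 1
            continue
        when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S")
        body = m.group("body")
        target = TARGET_RE.search(body)
        name = target.group(1) if target else "(unnamed)"
        if SKEW_RE.search(body):
            report["refusals"][name].append(when)
        adj = ADJUST_RE.search(body)
        if adj:
            value, limit = int(adj.group(1)), int(adj.group(2))
            report["adjustments"].append(
                {"when": when, "value": value, "limit": limit, "over_by": value - limit}
            )
        if ADMIN_RE.search(body):
            report["needs_admin"].add(name)
    return report


def refused_near_adjustment(report, window_seconds=5):
    """Names refused within window_seconds of a csngen_adjust_time failure."""
    hits = set()
    for adj in report["adjustments"]:
        for name, times in report["refusals"].items():
            if any(abs((t - adj["when"]).total_seconds()) <= window_seconds for t in times):
                hits.add(name)
    return hits


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for adj in result["adjustments"]:
        print(f"{adj['when']}: adjustment {adj['value']}s exceeds limit {adj['limit']}s by {adj['over_by']}s")
    for name, times in result["refusals"].items():
        print(f"{name}: {len(times)} skew refusal(s)")
    print("requires administrator action:", sorted(result["needs_admin"]))
```

On the posted lines the requested adjustment is one second over the logged limit of 86400 seconds, which is one day.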
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From aleksander.adamowski.fedora at altkom.pl Mon Jun 23 16:06:42 2008 From: aleksander.adamowski.fedora at altkom.pl (Aleksander Adamowski) Date: Mon, 23 Jun 2008 18:06:42 +0200 Subject: [Fedora-directory-users] Where is Fedora DS 1.1.1? In-Reply-To: <20080623135134.20319.qmail@f4mail202.rediffmail.com> References: <20080623135134.20319.qmail@f4mail202.rediffmail.com> Message-ID: <485FCA12.1030009@altkom.pl> debu wrote: > > > Hi, > > You need to set up yum repository to make it automated. > > look at step 6 here. > > http://directory.fedoraproject.org/wiki/Download#Enterprise_Linux_5 > > Hope that helps! > Problem is, there's no fedora-ds 1.1.1 yet in that repository (fc6), whether your yum configuration is automated or not, it has no significance. The newest version available is fedora-ds-1.1.0-3.fc6, which is old. > > Thanks > debu > > > On Mon, 23 Jun 2008 DANIEL CRISTIAN CRUZ wrote : > >Hi all, > > > > > >I didn't saw any change on the yum repositories for Fedora 6 (recommended > >for RH 5.1). Where are the RPMS? Is there another repository? > > > > > >If I ran yum install fedora-ds, nothing happens... > > > > > >Thanks, > -- Best Regards, Aleksander Adamowski GG#: 274614 ICQ UIN: 19780575 http://olo.org.pl From windhamg at email.arizona.edu Mon Jun 23 16:35:22 2008 From: windhamg at email.arizona.edu (Gary Windham) Date: Mon, 23 Jun 2008 09:35:22 -0700 Subject: [Fedora-directory-users] MMR issue In-Reply-To: <485FBD31.5040902@redhat.com> References: <20080621183328.13964.qmail@f4mail-235-132.rediffmail.com> <485FBD31.5040902@redhat.com> Message-ID: <93758983-FA13-4A32-9984-D46E5493965D@email.arizona.edu> We have a downtime scheduled for our production FDS instance (used for our campus authentication service) this Friday, in order to reestablish MMR. 
After reestablishing MMR we will be monitoring with the script, so we should be able to provide some data shortly. Thanks, --Gary -- Gary Windham Senior Enterprise Systems Architect The University of Arizona, UITS +1 520 626 5981 On Jun 23, 2008, at 8:11 AM, Rich Megginson wrote: > debu wrote: >> >> Hi Chris, >> >> Thanks for your round about way. >> As you suggested we have removed everything, along with that we >> have reinstalled the latest version in two machines, and kept one >> machine as is (in total we have 3 machines). >> >> Now, we configured these two servers in multi-master mode and >> initialized one of them from the old machine. Then all the data got >> pushed into the new servers. These two new machines are replicating >> properly. >> >> but the replication agreement between the old server and new server >> is breaking. But we used the console interface to push the delta of >> updates. But the process is very slow, may be because we haven't >> done db2ldif to dump the data. >> >> We are planning to push delta of updates from old server to 2 new >> servers (using the console interface) and remove the old server >> from the system. >> >> Then these two servers will become primary point of live >> interaction for read and write. >> Since, we can't afford for downtime, we have done like this. >> >> Till now the replication is happening fine. >> >> hope this continues. >> >> Thank you very much for your help. >> > We are working on a fix for the time skew issue. However, we need > your help. The bug https://bugzilla.redhat.com/show_bug.cgi? > id=233642 has attached to it a script which will provide us with > some much needed data. You basically run this on your masters like > this: > readNsState.py /etc/dirsrv/slapd-yourinstance/dse.ldif > The data that it prints out is very useful for help with debugging > this problem. You can either attach the output to the bug, or just > email the output to me. > > Anyone else interested in helping? 
Anyone have MMR running? Please > run the script and either attach the output to the bug or just send > it to me. >> >> >> Regards, >> -Debu,vivek >> >> >> On Fri, 20 Jun 2008 Chris St.Pierre wrote : >> >Did you try the workaround in the bug report I sent to you on the >> >Redhat list? What were your results? >> > >> >For reference, that bug is https://bugzilla.redhat.com/show_bug.cgi?id=233642 >> > >> >Chris St. Pierre >> >Unix Systems Administrator >> >Nebraska Wesleyan University >> > >> >On Fri, 20 Jun 2008, debu wrote: >> > >> >> >> >> >> >>Hi Guys, >> >> >> >>I am stuck in a very crucial FDS server issue, it would be great >> if any one of you can help me somehow. >> >> >> >>We are upgrading from Fedora Directory Service from 1.0.4 to >> 1.1.0-3 >> >> >> >>We have one existing Server with 1.0.4 >> >> >> >>Now To one server we have initialized the data base and we were >> able to load the full DB. But, and when we start the replication we >> see the following error, and the incremental update is not happening. >> >> >> >>We are going for a multi master replication. >> >> >> >> >> >>Here is the error. >> >> >> >>On Supplier: (FDS Version 1.0.4) OS: Red Hat Enterprise Linux ES >> release 4 (Nahant) >> >> >> >> >> >>[17/Jun/2008:11:23:35 +051800] NSMMReplicationPlugin - >> agmt="cn=Replication_to_10.91.X.Y" (10:8888): Unable to acquire >> replica: Excessive clock skew between the supplier and the >> consumer. Replication is aborting. 
>> >> >> >>[17/Jun/2008:11:23:35 +051800] NSMMReplicationPlugin - >> agmt="cn=Replication_to_10.91.X.Y" (10:8888): Incremental update >> failed and requires administrator action >> >> >> >> >> >> >> >>On consumer: (FD version 1.1.0-3) OS: Red Hat Enterprise Linux >> Server release 5.1 (Tikanga) >> >> >> >> >> >> >> >>[17/Jun/2008:11:12:59 +051800] NSMMReplicationPlugin - conn=46251 >> op=1975 replica="o=TejaUsers": Unable to acquire replica: error: >> excessive clock skew >> >> >> >>[17/Jun/2008:11:23:34 +051800] - csngen_adjust_time: adjustment >> limit exceeded; value - 86401, limit - 86400 >> >> >> >>[17/Jun/2008:11:23:34 +051800] NSMMReplicationPlugin - conn=46461 >> op=792 replica="o=TejaUsers": Unable to acquire replica: error: >> excessive clock skew >> >> >> >> >> >>Now, My doubt is we succeded in a test environment with the same, >> with the only diference that we had the same OS in both the server, >> rest all same. Our servers are perfectly synced with NTP also. >> >> >> >>Please help in this scenario.. >> >> >> >>Regards >> >>~Debajit >> >> >> >> Sharekhan Zero >> >> ------------------------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From betito2208 at hotmail.com Mon Jun 23 16:43:58 2008 From: betito2208 at hotmail.com (beto ..) Date: Mon, 23 Jun 2008 16:43:58 +0000 Subject: [Fedora-directory-users] FDS + Samba +smbtools In-Reply-To: <5542485358217A4EB9893C4F12C42BF9E31650@itm-bb01.exch.it-mgt.net> References: <592300180.1131214222541061.JavaMail.root@hannibal.lm2.com.br> <5542485358217A4EB9893C4F12C42BF9E31650@itm-bb01.exch.it-mgt.net> Message-ID: hello. 
I try with: slaveDN="cn=Directory Manager" slavePw="passwd" masterDN="cn=Directory Manager" masterPw="passwd" but i got this error message: Can't connect to FDS. Also i try to use fdstools but i can't Any ideas? > Subject: RE: [Fedora-directory-users] FDS + Samba +smbtools > Date: Mon, 23 Jun 2008 09:46:48 -0400 > From: sanga.c at it-mgt.com > To: fedora-directory-users at redhat.com > > I think that the directive "cn=Directory Manager,dc=$suffix", is used by openldap > > Sanga M. Collins > Network Engineering > ~~~~~~~~~~~~~~~~~~~~~~~ > IT Management LLC > 6491 Sunset Strip #5, > Sunrise Fl, 33313 > Tel: (954) 572 7411, > Fax: (435) 578 7411 > > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Felipe Alencastro - LM? > Sent: Monday, June 23, 2008 8:02 AM > To: General discussion list for the Fedora Directory server project. > Cc: fedora-directory-users at redhat.com > Subject: Re: [Fedora-directory-users] FDS + Samba +smbtools > > Beto, > > By default FDS uses "cn=Directory Manager" instead of "cn=Directory Manager,dc=$suffix", try binding with: > > slaveDN="cn=Directory Manager" > slavePw="passwd" > masterDN="cn=Directory Manager" > masterPw="passwd" > > ----- Mensagem original ----- > De: "beto .." > Para: fedora-directory-users at redhat.com > Enviadas: Domingo, 22 de Junho de 2008 20:52:54 (GMT-0300) Auto-Detected > Assunto: [Fedora-directory-users] FDS + Samba +smbtools > > > > > Hello everybody > > When I put this command: > #smbldap-useradd -w > > I got this error message: > > Error: Insufficient 'write' privilege to the 'uidNumber' attribute of entry 'sambadomainname=ejemplo.com,dc=ejemplo,dc=com'. 
> > The configuration for /etc/smbldap-tools/smbldap_bind.conf is: > ########################################### > slaveDN="cn=Directory Manager,dc=ejemplo,dc=com" > slavePw="passwd" > masterDN="cn=Directory Manager,dc=ejemplo,dc=com" > masterPw="passwd" > ########################################### > > Pleasee!!! help me with this problem. > pd: I try to use fdstools but i can't install perl dependencies!!! > If anybody had a manual!! help me please. I'am desperate :S > Sorry for my English, isn't very good. > > > > > _________________________________________________________________ > Tecnolog?a, moda, motor, viajes,?suscr?bete a nuestros boletines para estar siempre a la ?ltima > http://newsletters.msn.com/hm/maintenanceeses.asp?L=ES&C=ES&P=WCMaintenance&Brand=WL&RU=http%3a%2f%2fmail.live.com > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- > Felipe Alencastro > Consultor de TI > RHCE > 51 8145-3443 > MSN: felipe at lm2.com.br > Skype: felipe.alencastro > > LM? Consulting? > http://www.lm2.com.br > Porto Alegre: 51 3018-1007 > Florian?polis: 48 4052-9545 > S?o Paulo: 11 3522-5606 > Plant?o 24hs: 51 8145-2002 > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users _________________________________________________________________ MSN Noticias http://noticias.msn.es/comunidad.aspx -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From rmeggins at redhat.com Mon Jun 23 16:48:04 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 23 Jun 2008 10:48:04 -0600 Subject: [Fedora-directory-users] MMR issue In-Reply-To: <93758983-FA13-4A32-9984-D46E5493965D@email.arizona.edu> References: <20080621183328.13964.qmail@f4mail-235-132.rediffmail.com> <485FBD31.5040902@redhat.com> <93758983-FA13-4A32-9984-D46E5493965D@email.arizona.edu> Message-ID: <485FD3C4.80602@redhat.com> Gary Windham wrote: > We have a downtime scheduled for our production FDS instance (used for > our campus authentication service) this Friday, in order to > reestablish MMR. After reestablishing MMR we will be monitoring with > the script, so we should be able to provide some data shortly. Excellent. Thanks! > > Thanks, > --Gary > > -- > Gary Windham > Senior Enterprise Systems Architect > The University of Arizona, UITS > +1 520 626 5981 > > On Jun 23, 2008, at 8:11 AM, Rich Megginson wrote: > >> debu wrote: >>> >>> Hi Chris, >>> >>> Thanks for your round about way. >>> As you suggested we have removed everything, along with that we have >>> reinstalled the latest version in two machines, and kept one machine >>> as is (in total we have 3 machines). >>> >>> Now, we configured these two servers in multi-master mode and >>> initialized one of them from the old machine. Then all the data got >>> pushed into the new servers. These two new machines are replicating >>> properly. >>> >>> but the replication agreement between the old server and new server >>> is breaking. But we used the console interface to push the delta of >>> updates. But the process is very slow, may be because we haven't >>> done db2ldif to dump the data. >>> >>> We are planning to push delta of updates from old server to 2 new >>> servers (using the console interface) and remove the old server from >>> the system. >>> >>> Then these two servers will become primary point of live interaction >>> for read and write. 
>>> Since, we can't afford for downtime, we have done like this. >>> >>> Till now the replication is happening fine. >>> >>> hope this continues. >>> >>> Thank you very much for your help. >>> >> We are working on a fix for the time skew issue. However, we need >> your help. The bug >> https://bugzilla.redhat.com/show_bug.cgi?id=233642 has attached to it >> a script which will provide us with some much needed data. You >> basically run this on your masters like this: >> readNsState.py /etc/dirsrv/slapd-yourinstance/dse.ldif >> The data that it prints out is very useful for help with debugging >> this problem. You can either attach the output to the bug, or just >> email the output to me. >> >> Anyone else interested in helping? Anyone have MMR running? Please >> run the script and either attach the output to the bug or just send >> it to me. >>> >>> >>> Regards, >>> -Debu,vivek >>> >>> >>> On Fri, 20 Jun 2008 Chris St.Pierre wrote : >>> >Did you try the workaround in the bug report I sent to you on the >>> >Redhat list? What were your results? >>> > >>> >For reference, that bug is >>> https://bugzilla.redhat.com/show_bug.cgi?id=233642 >>> > >>> >Chris St. Pierre >>> >Unix Systems Administrator >>> >Nebraska Wesleyan University >>> > >>> >On Fri, 20 Jun 2008, debu wrote: >>> > >>> >> >>> >> >>> >>Hi Guys, >>> >> >>> >>I am stuck in a very crucial FDS server issue, it would be great >>> if any one of you can help me somehow. >>> >> >>> >>We are upgrading from Fedora Directory Service from 1.0.4 to 1.1.0-3 >>> >> >>> >>We have one existing Server with 1.0.4 >>> >> >>> >>Now To one server we have initialized the data base and we were >>> able to load the full DB. But, and when we start the replication we >>> see the following error, and the incremental update is not happening. >>> >> >>> >>We are going for a multi master replication. >>> >> >>> >> >>> >>Here is the error. 
>>> >> >>> >>On Supplier: (FDS Version 1.0.4) OS: Red Hat Enterprise Linux ES >>> release 4 (Nahant) >>> >> >>> >> >>> >>[17/Jun/2008:11:23:35 +051800] NSMMReplicationPlugin - >>> agmt="cn=Replication_to_10.91.X.Y" (10:8888): Unable to acquire >>> replica: Excessive clock skew between the supplier and the consumer. >>> Replication is aborting. >>> >> >>> >>[17/Jun/2008:11:23:35 +051800] NSMMReplicationPlugin - >>> agmt="cn=Replication_to_10.91.X.Y" (10:8888): Incremental update >>> failed and requires administrator action >>> >> >>> >> >>> >> >>> >>On consumer: (FD version 1.1.0-3) OS: Red Hat Enterprise Linux >>> Server release 5.1 (Tikanga) >>> >> >>> >> >>> >> >>> >>[17/Jun/2008:11:12:59 +051800] NSMMReplicationPlugin - conn=46251 >>> op=1975 replica="o=TejaUsers": Unable to acquire replica: error: >>> excessive clock skew >>> >> >>> >>[17/Jun/2008:11:23:34 +051800] - csngen_adjust_time: adjustment >>> limit exceeded; value - 86401, limit - 86400 >>> >> >>> >>[17/Jun/2008:11:23:34 +051800] NSMMReplicationPlugin - conn=46461 >>> op=792 replica="o=TejaUsers": Unable to acquire replica: error: >>> excessive clock skew >>> >> >>> >> >>> >>Now, My doubt is we succeded in a test environment with the same, >>> with the only diference that we had the same OS in both the server, >>> rest all same. Our servers are perfectly synced with NTP also. >>> >> >>> >>Please help in this scenario.. 
>>> >> >>> >>Regards >>> >>~Debajit >>> >>> >>> >>> Sharekhan Zero >>> >>> ------------------------------------------------------------------------ >>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From edlinuxguru at gmail.com Mon Jun 23 16:48:48 2008 From: edlinuxguru at gmail.com (Edward Capriolo) Date: Mon, 23 Jun 2008 12:48:48 -0400 Subject: [Fedora-directory-users] Re: Trying to follow the howto ssl from wiki In-Reply-To: References: Message-ID: Can anyone else point me to any how to on this? This process seems to be destructive. If anything goes wrong fds will not start making it very hard to roll back the changes to the database. I end up just removing the entire installation and starting over. My fall back plan is to use stunnel or some other proxy. On Fri, Jun 20, 2008 at 3:40 PM, Edward Capriolo wrote: > I was attempting to follow...http://directory.fedoraproject.org/wiki/Howto:SSL > I first ran the script > http://directory.fedoraproject.org/download/setupssl2.sh After > completing fds would not start. I rein > I eventually ended up reading the script and running every operation > stp by step. That was quite an ordeal. All the steps ran however no > errors. 
> > [root at ldapslave1 slapd-ldapslave1]# /etc/init.d/dirsrv start > Starting dirsrv: > ldapslave1...Warning: Incorrect PIN may result in disabling the token > Enter PIN for Internal (Software) Token: > > I replaced the data inside pin.txt with : > > Internal (Software) Token:dirserv_cert_password > > But I am still getting the same message. Is this just a bogus message. > The problem could be elsewhere? > > > Thanks in advance. > (ps -ef ; w) | sha1sum > /etc/dirsrv/slapd-ldapslave1/pwdfile.txt > chown fds:fds /etc/dirsrv/slapd-ldapslave1/pwdfile.txt > (w ; ps -ef ; date ) | sha1sum | awk '{print $1}' > > /etc/dirsrv/slapd-ldapslave1/noise.txt > chown fds:fds /etc/dirsrv/slapd-ldapslave1/noise.txt > certutil -N -P new- -d /etc/dirsrv/slapd-ldapslave1 -f > /etc/dirsrv/slapd-ldapslave1/pwdfile.txt > chown fds:fds /etc/dirsrv/slapd-ldapslave1/key3.db > chown fds:fds /etc/dirsrv/slapd-ldapslave1/cert8.db > chmod 600 /etc/dirsrv/slapd-ldapslave1/key3.db > chmod 600 /etc/dirsrv/slapd-ldapslave1/cert8.db > certutil -G -P new- -d /etc/dirsrv/slapd-ldapslave1 -z > /etc/dirsrv/slapd-ldapslave1/noise.txt -f > /etc/dirsrv/slapd-ldapslave1/pwdfile.txt > certutil -S -P new- /etc/dirsrv/slapd-ldapslave1/ -n "CA certificate" > -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d > /etc/dirsrv/slapd-ldapslave1 -z /etc/dirsrv/slapd-ldapslave1/noise.txt > -f /etc/dirsrv/slapd-ldapslave1/pwdfile.txt > certutil -L -P new- -d /etc/dirsrv/slapd-ldapslave1 -n "CA > certificate" -a > /etc/dirsrv/slapd-ldapslave1/cacert.asc > pk12util -d /etc/dirsrv/slapd-ldapslave1 -P new- -o > /etc/dirsrv/slapd-ldapslave1/cacert.p12 -n "CA certificate" -w > /etc/dirsrv/slapd-ldapslave1/pwdfile.txt -k > /etc/dirsrv/slapd-ldapslave1/pwdfile.txt > certutil -S -P new- -n "Server-Cert" -s > "cn=ldapslave1.ops.ec.com,ou=Fedora Directory Server" -c "CA > certificate" -t "u,u,u" -m 1001 -v 120 -d > /etc/dirsrv/slapd-ldapslave1/ -z > /etc/dirsrv/slapd-ldapslave1/noise.txt -f > /etc/dirsrv/slapd-ldapslave1/pwdfile.txt > 
> certutil -S -P new- -n "server-cert" -s > "cn=ldapslave1.ops.ec.com,ou=Fedora Administration Server" -c "CA > certificate" -t "u,u,u" -m 1002 -v 120 -d > /etc/dirsrv/slapd-ldapslave1/ -z > /etc/dirsrv/slapd-ldapslave1/noise.txt -f > /etc/dirsrv/slapd-ldapslave1/pwdfile.txt > > pk12util -d /etc/dirsrv/slapd-ldapslave1 -P new- -o > /etc/dirsrv/slapd-ldapslave1/adminserver.p12 -n server-cert -w > /etc/dirsrv/slapd-ldapslave1/pwdfile.txt -k > /etc/dirsrv/slapd-ldapslave1/pwdfile.txt > > chown fds:fds /etc/dirsrv/slapd-ldapslave1/adminserver.p12 > chmod 400 /etc/dirsrv/slapd-ldapslave1/adminserver.p12 > > cat /etc/dirsrv/slapd-ldapslave1/pwdfile.txt > > /etc/dirsrv/slapd-ldapslave1/pin.txt > > chmod 400 /etc/dirsrv/slapd-ldapslave1/pin.txt > > mv /etc/dirsrv/slapd-ldapslave1/cert8.db > /etc/dirsrv/slapd-ldapslave1/orig-cert8.db > mv /etc/dirsrv/slapd-ldapslave1/key3.db > /etc/dirsrv/slapd-ldapslave1/orig-key3.db > > > certutil -N -d /etc/dirsrv/slapd-ldapslave1 -P admin-serv- -f > /etc/dirsrv/slapd-ldapslave1/pwdfile.txt > > chown fds:fds /etc/dirsrv/slapd-ldapslave1/admin-serv-*.db > [root at ldapslave1 tmp]# chmod 600 /etc/dirsrv/slapd-ldapslave1/admin-serv-*.db > > pk12util -d /etc/dirsrv/slapd-ldapslave1/ -P admin-serv- -n > server-cert -i /etc/dirsrv/slapd-ldapslave1/adminserver.p12 -w > /etc/dirsrv/slapd-ldapslave1/pwdfile.txt -k > /etc/dirsrv/slapd-ldapslave1/pwdfile.txt > > certutil -A -d /etc/dirsrv/slapd-ldapslave1/ -P admin-serv- -n "CA > certificate" -t "CT,," -a -i /etc/dirsrv/slapd-ldapslave1/cacert.asc > > cat /etc/dirsrv/slapd-ldapslave1/pwdfile.txt > > /etc/dirsrv/slapd-ldapslave1/password.conf > > chmod 400 /etc/dirsrv/slapd-ldapslave1/password.conf > chown fds:fds /etc/dirsrv/slapd-ldapslave1/password.conf > > sed -e "s@^NSSPassPhrasDialog .*@NSSPassPhraseDialog > file:/etc/dirsrv/slapd-ldapslave1/password/conf > > mv /etc/dirsrv/slapd-ldapslave1/new-key3.db > /etc/dirsrv/slapd-ldapslave1/key3.db > mv /etc/dirsrv/slapd-ldapslave1/new-cert8.db > 
/etc/dirsrv/slapd-ldapslave1/cert8.db > > > ldapmodify -x -h localhost -p 389 -D "cn=directory manager" -W < dn: cn=encryption,cn=config > changetype: modify > replace: nsSSL3 > nsSSL3: on > - > replace: nsSSLClientAuth > nsSSLClientAuth: allowed > - > add: nsSSL3Ciphers > nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5, > +rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza, > +fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha, > +tls_rsa_export1024_with_des_cbc_sha > > dn: cn=config > changetype: modify > add: nsslapd-security > nsslapd-security: on > - > replace: nsslapd-ssl-check-hostname > nsslapd-ssl-check-hostname: off > > dn: cn=RSA,cn=encryption,cn=config > changetype: add > objectclass: top > objectclass: nsEncryptionModule > cn: RSA > nsSSLPersonalitySSL: Server-Cert > nsSSLToken: internal (software) > nsSSLActivation: on > > EOF > > > [root at ldapslave1 slapd-ldapslave1]# /etc/init.d/dirsrv start > Starting dirsrv: > ldapslave1...Warning: Incorrect PIN may result in disabling the token > Enter PIN for Internal (Software) Token: > > Any hints thanks! > From sanga.c at it-mgt.com Mon Jun 23 17:00:15 2008 From: sanga.c at it-mgt.com (Sanga M. Collins) Date: Mon, 23 Jun 2008 13:00:15 -0400 Subject: [Fedora-directory-users] FDS + Samba +smbtools References: <592300180.1131214222541061.JavaMail.root@hannibal.lm2.com.br><5542485358217A4EB9893C4F12C42BF9E31650@itm-bb01.exch.it-mgt.net> Message-ID: <5542485358217A4EB9893C4F12C42BF9E316B3@itm-bb01.exch.it-mgt.net> How did you configure your samba tools? Did you manually modify or create the smbldap.conf, and smbldap_bind, or did you use the '/usr/share/doc/smbldap-tools-*/configure.pl? As long as your smb.conf is correctly configured, using the configure.pl script will setup samba tools for you with all the correct settings. 
You can then just type smbpopulate and it should auto pop the directory for you (there are a few minor mods to get the samba part correct) Sanga M. Collins Network Engineering ~~~~~~~~~~~~~~~~~~~~~~~ IT Management LLC 6491 Sunset Strip #5, Sunrise Fl, 33313 Tel: (954) 572 7411, Fax: (435) 578 7411 From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of beto .. Sent: Monday, June 23, 2008 12:44 PM To: General discussion list for the Fedora Directory server project. Subject: RE: [Fedora-directory-users] FDS + Samba +smbtools hello. I try with: slaveDN="cn=Directory Manager" slavePw="passwd" masterDN="cn=Directory Manager" masterPw="passwd" but i got this error message: Can't connect to FDS. Also i try to use fdstools but i can't Any ideas? > Subject: RE: [Fedora-directory-users] FDS + Samba +smbtools > Date: Mon, 23 Jun 2008 09:46:48 -0400 > From: sanga.c at it-mgt.com > To: fedora-directory-users at redhat.com > > I think that the directive "cn=Directory Manager,dc=$suffix", is used by openldap > > Sanga M. Collins > Network Engineering > ~~~~~~~~~~~~~~~~~~~~~~~ > IT Management LLC > 6491 Sunset Strip #5, > Sunrise Fl, 33313 > Tel: (954) 572 7411, > Fax: (435) 578 7411 > > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Felipe Alencastro - LM? > Sent: Monday, June 23, 2008 8:02 AM > To: General discussion list for the Fedora Directory server project. > Cc: fedora-directory-users at redhat.com > Subject: Re: [Fedora-directory-users] FDS + Samba +smbtools > > Beto, > > By default FDS uses "cn=Directory Manager" instead of "cn=Directory Manager,dc=$suffix", try binding with: > > slaveDN="cn=Directory Manager" > slavePw="passwd" > masterDN="cn=Directory Manager" > masterPw="passwd" > > ----- Mensagem original ----- > De: "beto .." 
> Para: fedora-directory-users at redhat.com > Enviadas: Domingo, 22 de Junho de 2008 20:52:54 (GMT-0300) Auto-Detected > Assunto: [Fedora-directory-users] FDS + Samba +smbtools > > > > > Hello everybody > > When I put this command: > #smbldap-useradd -w > > I got this error message: > > Error: Insufficient 'write' privilege to the 'uidNumber' attribute of entry 'sambadomainname=ejemplo.com,dc=ejemplo,dc=com'. > > The configuration for /etc/smbldap-tools/smbldap_bind.conf is: > ########################################### > slaveDN="cn=Directory Manager,dc=ejemplo,dc=com" > slavePw="passwd" > masterDN="cn=Directory Manager,dc=ejemplo,dc=com" > masterPw="passwd" > ########################################### > > Pleasee!!! help me with this problem. > pd: I try to use fdstools but i can't install perl dependencies!!! > If anybody had a manual!! help me please. I'am desperate :S > Sorry for my English, isn't very good. > > > > > _________________________________________________________________ > Tecnolog?a, moda, motor, viajes,...suscr?bete a nuestros boletines para estar siempre a la ?ltima > http://newsletters.msn.com/hm/maintenanceeses.asp?L=ES&C=ES&P=WCMaintenance&Brand=WL&RU=http%3a%2f%2fmail.live.com > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- > Felipe Alencastro > Consultor de TI > RHCE > 51 8145-3443 > MSN: felipe at lm2.com.br > Skype: felipe.alencastro > > LM? Consulting? 
> http://www.lm2.com.br > Porto Alegre: 51 3018-1007 > Florian?polis: 48 4052-9545 > S?o Paulo: 11 3522-5606 > Plant?o 24hs: 51 8145-2002 > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users ________________________________ Tecnolog?a, moda, motor, viajes,...suscr?bete a nuestros boletines para estar siempre a la ?ltima MSN Newsletters -------------- next part -------------- An HTML attachment was scrubbed... URL: From merle.reine at gmail.com Mon Jun 23 20:56:17 2008 From: merle.reine at gmail.com (Merle Reine) Date: Mon, 23 Jun 2008 13:56:17 -0700 Subject: [Fedora-directory-users] can't connect to PDC Message-ID: <585947630806231356q5e4ff19fh872ef908e0ffa754@mail.gmail.com> I know this has been asked a million times but I read all the posts and none answer my issue so I hope someone will know a fix. I have fc9 with samba as PDC connecting to FDS. Followed the how-to to the letter but can not get my windows machine to connect to the domain. My domain is : ldap Windows machine is in random workgroup not associated with samba at all. When I try to add to domain using root and pass (yes, it is setup on samba server), I get the following: "The following error occured attempting to join the domain "ldap": A device attached to the system is not functioning. in /var/log/samba/samba.log: *[2008/06/23 13:53:44, 0] lib/util_sock.c:get_peer_addr_internal(1597) getpeername failed. Error was Transport endpoint is not connected [2008/06/23 13:53:44, 0] lib/util_sock.c:write_data(1059) [2008/06/23 13:53:44, 0] lib/util_sock.c:get_peer_addr_internal(1597) getpeername failed. Error was Transport endpoint is not connected write_data: write failure in writing to client 0.0.0.0. 
Error Connection reset by peer [2008/06/23 13:53:44, 0] smbd/process.c:srv_send_smb(74) Error writing 4 bytes to client. -1. (Transport endpoint is not connected) [2008/06/23 13:53:44, 0] lib/util_sock.c:get_peer_addr_internal(1597) getpeername failed. Error was Transport endpoint is not connected [2008/06/23 13:53:44, 0] lib/util_sock.c:write_data(1059) [2008/06/23 13:53:44, 0] lib/util_sock.c:get_peer_addr_internal(1597) getpeername failed. Error was Transport endpoint is not connected write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer [2008/06/23 13:53:44, 0] smbd/process.c:srv_send_smb(74) Error writing 4 bytes to client. -1. (Transport endpoint is not connected) [2008/06/23 13:53:44, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(2276) ldapsam_add_sam_account: failed to modify/add user with uid = TEST$ (dn = uid= TEST$,ou=Computers,dc=gardenfreshcorp,dc=com)* Any one have any ideas what I am missing? Thanks. Merle Reine IT Manager Extraordinaire Email Address: echo zreyr.ervar at tznvy.pbz | perl -pe 'y/a-z/n-za-m/' -------------- next part -------------- An HTML attachment was scrubbed... URL: From vcardprocessor at vcardprocessor.com Mon Jun 23 21:02:59 2008 From: vcardprocessor at vcardprocessor.com (Eric) Date: Mon, 23 Jun 2008 14:02:59 -0700 Subject: [Fedora-directory-users] Use of SLAPI_PLUGIN_BE_POST_MODIFY_FN Message-ID: <200862314259.327043@C840> I would like to perform an action if and only if a database operation succeeds, as well as revert that database operation if the action fails. From the documentation I understand I should wrap both in a transaction and implement it through these parameters: SLAPI_PLUGIN_BE_POST_MODIFY_FN, SLAPI_PLUGIN_BE_POST_ADD_FN, SLAPI_PLUGIN_BE_POST_DELETE_FN. However I'm not sure how to write that transaction. Is there a code sample? How should I configure the plugin -- nsslapd-plugintype: postperation doesn't seem to be the right type... 
From rmeggins at redhat.com Mon Jun 23 21:21:29 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 23 Jun 2008 15:21:29 -0600 Subject: [Fedora-directory-users] Use of SLAPI_PLUGIN_BE_POST_MODIFY_FN In-Reply-To: <200862314259.327043@C840> References: <200862314259.327043@C840> Message-ID: <486013D9.8070004@redhat.com> Eric wrote: > I would like to perform an action if and only if a database operation succeeds, You can do this. > as well as revert that database operation if the action fails. You can't do this. That is, you can't revert another prior operation. > From the documentation I understand I should wrap both in a transaction and implement it through these parameters: SLAPI_PLUGIN_BE_POST_MODIFY_FN, SLAPI_PLUGIN_BE_POST_ADD_FN, SLAPI_PLUGIN_BE_POST_DELETE_FN. > It might be possible, but you'd have to hack the database code in order to get all of your operations into a single database transaction. BE plugins are called inside the database lock, so you can be assured that your code will be called with the database in a consistent state, but you can't use them to add other operations to the transaction. > However I'm not sure how to write that transaction. Is there a code sample? How should I configure the plugin -- nsslapd-plugintype: postperation doesn't seem to be the right type... > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL:
From yersinia.spiros at gmail.com Tue Jun 24 09:51:40 2008 From: yersinia.spiros at gmail.com (yersinia) Date: Tue, 24 Jun 2008 11:51:40 +0200 Subject: [Fedora-directory-users] can't connect to PDC In-Reply-To: References: <585947630806231356q5e4ff19fh872ef908e0ffa754@mail.gmail.com> Message-ID: Likely are two different problem. > > "Transport endpoint is not connected" is a very - very - old XP problem > http://wiki.samba.org/index.php/Samba_Myths > > If you set smb ports = 445 (raw smb aka CIFS port) in smb.conf the message > disappear - naturally you are to be sure that > you serve only XP o Vista client. > > For the LDAP problem the message don't tell me so much. So try > > smbcontrol smbd debug 10 > > and read again the log messages. > > Regards > > On Mon, Jun 23, 2008 at 10:56 PM, Merle Reine > wrote: > >> I know this has been asked a million times but I read all the posts and >> none answer my issue so I hope someone will know a fix. >> >> I have fc9 with samba as PDC connecting to FDS. >> >> Followed the how-to to the letter but can not get my windows machine to >> connect to the domain. >> >> My domain is : ldap >> Windows machine is in random workgroup not associated with samba at all.
>> >> When I try to add to domain using root and pass (yes, it is setup on samba >> server), I get the following: >> >> >> "The following error occured attempting to join the domain "ldap": >> A device attached to the system is not functioning. >> >> in /var/log/samba/samba.log: >> >> *[2008/06/23 13:53:44, 0] lib/util_sock.c:get_peer_addr_internal(1597) >> getpeername failed. Error was Transport endpoint is not connected >> [2008/06/23 13:53:44, 0] lib/util_sock.c:write_data(1059) >> [2008/06/23 13:53:44, 0] lib/util_sock.c:get_peer_addr_internal(1597) >> getpeername failed. Error was Transport endpoint is not connected >> write_data: write failure in writing to client 0.0.0.0. Error >> Connection reset >> by peer >> [2008/06/23 13:53:44, 0] smbd/process.c:srv_send_smb(74) >> Error writing 4 bytes to client. -1. (Transport endpoint is not >> connected) >> [2008/06/23 13:53:44, 0] lib/util_sock.c:get_peer_addr_internal(1597) >> getpeername failed. Error was Transport endpoint is not connected >> [2008/06/23 13:53:44, 0] lib/util_sock.c:write_data(1059) >> [2008/06/23 13:53:44, 0] lib/util_sock.c:get_peer_addr_internal(1597) >> getpeername failed. Error was Transport endpoint is not connected >> write_data: write failure in writing to client 0.0.0.0. Error >> Connection reset >> by peer >> [2008/06/23 13:53:44, 0] smbd/process.c:srv_send_smb(74) >> Error writing 4 bytes to client. -1. (Transport endpoint is not >> connected) >> [2008/06/23 13:53:44, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(2276) >> ldapsam_add_sam_account: failed to modify/add user with uid = TEST$ (dn >> = uid= >> TEST$,ou=Computers,dc=gardenfreshcorp,dc=com)* >> >> >> Any one have any ideas what I am missing? >> >> Thanks. 
>>
>> Merle Reine
>> IT Manager Extraordinaire
>> Email Address: echo zreyr.ervar at tznvy.pbz | perl -pe 'y/a-z/n-za-m/'
>>
>

From kenoh23 at yahoo.fr Tue Jun 24 15:09:50 2008
From: kenoh23 at yahoo.fr (ken oh)
Date: Tue, 24 Jun 2008 15:09:50 +0000 (GMT)
Subject: [Fedora-directory-users] pk12util error
Message-ID: <401007.47576.qm@web26004.mail.ukl.yahoo.com>

I'm trying to get Windows Sync working on FDS 1.1. I am stuck at the step where you export the directory server's certificate to a file. I use this command in /etc/dirsrv/slapd-test2:

pk12util -d . -P slapd-test2- -o cacert.p12 -n Server-Cert

And I got this error :

pk12util-bin: find user certs from nickname failed: security library: bad database.

I have used the FDS 1.1 script from here : http://directory.fedoraproject.org/wiki/Howto:SSL for setting up SSL in the directory server. Everything looks ok.

When I use this command : certutil -L -d . I got this :

Certificate Nickname    Trust Attributes
                        SSL,S/MIME,JAR/XPI
CA certificate          CTu,u,u
server-cert             u,u,u
Server-Cert             u,u,u

What can I do to get the pk12util working ? Or is there another way to export the files ?

Thanks

From rmeggins at redhat.com Tue Jun 24 15:34:05 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 24 Jun 2008 09:34:05 -0600
Subject: [Fedora-directory-users] pk12util error
In-Reply-To: <401007.47576.qm@web26004.mail.ukl.yahoo.com>
References: <401007.47576.qm@web26004.mail.ukl.yahoo.com>
Message-ID: <486113ED.3030501@redhat.com>

ken oh wrote:
>
> I'm trying to get Windows Sync working on FDS 1.1. I am stuck at the
> step where you export the directory server's certificate to a file. I
> use this command in /etc/dirsrv/slapd-test2:
>
> pk12util -d . -P slapd-test2- -o cacert.p12 -n Server-Cert
>
You don't need to use the prefix (-P) argument any more with Fedora DS 1.1 - each key/cert db is in its own private directory. In addition, using -o cacert.p12 implies that the file contains a CA certificate/key pair - you probably want to name the file dscert.p12 to avoid any ambiguity. So

pk12util -d . -o dscert.p12 -n Server-Cert

>
> And I got this error :
>
> pk12util-bin: find user certs from nickname failed: security library: bad
> database.
>
> I have used the FDS 1.1 script from here :
> http://directory.fedoraproject.org/wiki/Howto:SSL for setting up
> SSL in the directory server.
>
> Everything looks ok.
>
> When I use this command : certutil -L -d .
>
> I got this :
>
> Certificate Nickname Trust Attributes
> SSL,S/MIME,JAR/XPI
>
> CA certificate CTu,u,u
> server-cert u,u,u
> Server-Cert u,u,u
>
> What can I do to get the pk12util working ? Or is there another way to
> export the files ?
>
> Thanks
>

From glenn at mail.txwes.edu Tue Jun 24 15:42:48 2008
From: glenn at mail.txwes.edu (Glenn)
Date: Tue, 24 Jun 2008 10:42:48 -0500
Subject: [Fedora-directory-users] Scheduled Resync with Windows Sync?
Message-ID: <20080624151647.M48745@mail.txwes.edu>

It is difficult to know when a full resynchronization is necessary for a given Windows Sync agreement. I would like to be able to start a full resync from a cron script. Is this possible, or is there any other way to schedule a full resync to run periodically without human intervention? We are using Fedora Directory 1.04 on Red Hat EL4, synchronizing with Active Directory running on Windows 2003 Server. Thanks. -G.

From merle.reine at gmail.com Tue Jun 24 23:44:15 2008
From: merle.reine at gmail.com (Merle Reine)
Date: Tue, 24 Jun 2008 16:44:15 -0700
Subject: [Fedora-directory-users] can't connect to PDC
In-Reply-To:
References: <585947630806231356q5e4ff19fh872ef908e0ffa754@mail.gmail.com>
Message-ID: <585947630806241644g422c9d83ufebe731dd7fe98d4@mail.gmail.com>

*Any ideas?

[root at ldap home]# net join -S ldap -U admin
Enter admin's password:
Creation of workstation account failed
Unable to join domain LDAP.

admin is the admin user for ldap and samba.
in my directory /var/log/dirsrv/slapd-ldap/access I get:*

[24/Jun/2008:16:38:29 -0700] conn=114 op=16 SRCH base="dc=gardenfreshcorp,dc=com" scope=2 filter="(&(sambaSID=S-1-5-21-762671893-3211464481-46508682-1028)(objectClass=sambaSamAccount))" attrs="uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber"
[24/Jun/2008:16:38:29 -0700] conn=114 op=16 RESULT err=0 tag=101 nentries=0 etime=0
[24/Jun/2008:16:38:29 -0700] conn=114 op=17 SRCH base="ou=Groups,dc=gardenfreshcorp,dc=com" scope=2 filter="(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-762671893-3211464481-46508682-1028))" attrs="gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass"
[24/Jun/2008:16:38:29 -0700] conn=114 op=17 RESULT err=0 tag=101 nentries=0 etime=0
[24/Jun/2008:16:38:29 -0700] conn=114 op=18 SRCH base="dc=gardenfreshcorp,dc=com" scope=2 filter="(&(uid=ldap$)(objectClass=sambaSamAccount))" attrs="uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours"
[24/Jun/2008:16:38:29 -0700] conn=114 op=18 RESULT err=0 tag=101 nentries=0 etime=0
[24/Jun/2008:16:38:29 -0700] conn=114 op=19 SRCH base="dc=gardenfreshcorp,dc=com" scope=2 filter="(&(sambaSID=S-1-5-21-762671893-3211464481-46508682-1028)(objectClass=sambaSamAccount))" attrs="uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber"
[24/Jun/2008:16:38:29 -0700] conn=114 op=19 RESULT err=0 tag=101 nentries=0 etime=0
[24/Jun/2008:16:38:29 -0700] conn=114 op=20 SRCH base="dc=gardenfreshcorp,dc=com" scope=2 filter="(uid=ldap$)" attrs="uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours"
[24/Jun/2008:16:38:29 -0700] conn=114 op=20 RESULT err=0 tag=101 nentries=0 etime=0
[24/Jun/2008:16:38:29 -0700] conn=114 op=21 SRCH base="dc=gardenfreshcorp,dc=com" scope=2 filter="(&(sambaSID=S-1-5-21-762671893-3211464481-46508682-1028)(|(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))" attrs="uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours"
[24/Jun/2008:16:38:29 -0700] conn=114 op=21 RESULT err=0 tag=101 nentries=0 etime=0
[24/Jun/2008:16:38:29 -0700] conn=114 op=22 ADD dn="uid=ldap$,ou=Computers,dc=gardenfreshcorp,dc=com"
[24/Jun/2008:16:38:29 -0700] conn=114 op=22 RESULT err=32 tag=105 nentries=0 etime=0
[24/Jun/2008:16:38:29 -0700] conn=114 op=-1 fd=70 closed - B1

Merle Reine
IT Manager Extraordinaire
Email Address: echo zreyr.ervar at tznvy.pbz | perl -pe 'y/a-z/n-za-m/'

On Tue, Jun 24, 2008 at 2:51 AM, yersinia wrote:

> Likely are two different problem.
>
>>
>> "Transport endpoint is not connected" is a very - very - old XP problem
>> http://wiki.samba.org/index.php/Samba_Myths
>>
>> If you set smb ports = 445 (raw smb aka CIFS port) in smb.conf the message
>> disappear - naturally you are to be sure that
>> you serve only XP o Vista client.
>>
>> For the LDAP problem the message don't tell me so much. So try
>>
>> smbcontrol smbd debug 10
>>
>> and read again the log messages.
>>
>> Regards
>>
>> On Mon, Jun 23, 2008 at 10:56 PM, Merle Reine
>> wrote:
>>
>>> I know this has been asked a million times but I read all the posts and
>>> none answer my issue so I hope someone will know a fix.
>>>
>>> I have fc9 with samba as PDC connecting to FDS.
>>>
>>> Followed the how-to to the letter but can not get my windows machine to
>>> connect to the domain.
>>>
>>> My domain is : ldap
>>> Windows machine is in random workgroup not associated with samba at all.
>>>
>>> When I try to add to domain using root and pass (yes, it is setup on
>>> samba server), I get the following:
>>>
>>>
>>> "The following error occured attempting to join the domain "ldap":
>>> A device attached to the system is not functioning.
>>>
>>> in /var/log/samba/samba.log:
>>>
>>> *[2008/06/23 13:53:44, 0] lib/util_sock.c:get_peer_addr_internal(1597)
>>> getpeername failed.
Error was Transport endpoint is not connected >>> [2008/06/23 13:53:44, 0] lib/util_sock.c:write_data(1059) >>> [2008/06/23 13:53:44, 0] lib/util_sock.c:get_peer_addr_internal(1597) >>> getpeername failed. Error was Transport endpoint is not connected >>> write_data: write failure in writing to client 0.0.0.0. Error >>> Connection reset >>> by peer >>> [2008/06/23 13:53:44, 0] smbd/process.c:srv_send_smb(74) >>> Error writing 4 bytes to client. -1. (Transport endpoint is not >>> connected) >>> [2008/06/23 13:53:44, 0] lib/util_sock.c:get_peer_addr_internal(1597) >>> getpeername failed. Error was Transport endpoint is not connected >>> [2008/06/23 13:53:44, 0] lib/util_sock.c:write_data(1059) >>> [2008/06/23 13:53:44, 0] lib/util_sock.c:get_peer_addr_internal(1597) >>> getpeername failed. Error was Transport endpoint is not connected >>> write_data: write failure in writing to client 0.0.0.0. Error >>> Connection reset >>> by peer >>> [2008/06/23 13:53:44, 0] smbd/process.c:srv_send_smb(74) >>> Error writing 4 bytes to client. -1. (Transport endpoint is not >>> connected) >>> [2008/06/23 13:53:44, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(2276) >>> ldapsam_add_sam_account: failed to modify/add user with uid = TEST$ (dn >>> = uid= >>> TEST$,ou=Computers,dc=gardenfreshcorp,dc=com)* >>> >>> >>> Any one have any ideas what I am missing? >>> >>> Thanks. >>> >>> >>> >>> Merle Reine >>> IT Manager Extraordinaire >>> Email Address: echo zreyr.ervar at tznvy.pbz | perl -pe 'y/a-z/n-za-m/' >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- An HTML attachment was scrubbed... 
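
Added example (not part of the thread, and not code from Fedora DS or Samba): the access log quoted in the message above ends with an ADD that returns err=32, and pairing every request with its RESULT by conn/op is a reliable way to pick such failures out of a busy log. The sample lines are constructed from that excerpt with the mail wrapping undone; the conn=115 lines and the names `failed_writes`, `parent_dn`, `describe` and `SAMPLE_LOG` are assumptions made for this illustration.

```python
import re
from collections import namedtuple

# Subset of LDAP result codes (RFC 4511) useful when triaging failed writes.
LDAP_RESULTS = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
    65: "objectClassViolation",
    68: "entryAlreadyExists",
}
WRITE_OPS = {"ADD", "MOD", "DEL", "MODRDN"}

# "[timestamp] conn=N op=N VERB rest". Connection open/close lines have no
# upper-case verb after op= and therefore do not match.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+op=(?P<op>-?\d+)\s+"
    r"(?P<verb>[A-Z]+)\b\s*(?P<rest>.*)$"
)
DN_RE = re.compile(r'\bdn="([^"]*)"')
ERR_RE = re.compile(r"\berr=(-?\d+)")

Finding = namedtuple("Finding", "ts conn op verb dn err name parent")


def parent_dn(dn):
    """Return the parent DN, skipping backslash-escaped commas in the RDN."""
    escaped = False
    for i, ch in enumerate(dn):
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            return dn[i + 1:].lstrip()
    return ""


def failed_writes(lines):
    """Pair each request with its RESULT by (conn, op); return failed writes."""
    pending = {}
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        key = (int(m.group("conn")), int(m.group("op")))
        verb, rest = m.group("verb"), m.group("rest")
        if verb != "RESULT":
            dn = DN_RE.search(rest)
            pending[key] = (m.group("ts"), verb, dn.group(1) if dn else "")
            continue
        request = pending.pop(key, None)
        err = ERR_RE.search(rest)
        if request is None or err is None:
            continue  # RESULT whose request was logged before this excerpt
        ts, req_verb, dn = request
        code = int(err.group(1))
        if code != 0 and req_verb in WRITE_OPS:
            findings.append(Finding(ts, key[0], key[1], req_verb, dn, code,
                                    LDAP_RESULTS.get(code, "other"),
                                    parent_dn(dn)))
    return findings


def describe(f):
    """One-line summary of a finding, with a hint for the err=32-on-ADD case."""
    text = (f"{f.ts} conn={f.conn} op={f.op} {f.verb} {f.dn!r} "
            f"-> err={f.err} ({f.name})")
    if f.verb == "ADD" and f.err == 32:
        # For an add, noSuchObject means the parent entry was not found.
        text += f"; check that {f.parent!r} exists"
    return text


# Constructed sample: conn=114 lines follow the excerpt quoted above (unwrapped,
# attribute list shortened); conn=115 lines are invented to show interleaving.
SAMPLE_LOG = """
[24/Jun/2008:16:38:29 -0700] conn=114 op=20 SRCH base="dc=gardenfreshcorp,dc=com" scope=2 filter="(uid=ldap$)" attrs="uid uidNumber gidNumber"
[24/Jun/2008:16:38:29 -0700] conn=114 op=20 RESULT err=0 tag=101 nentries=0 etime=0
[24/Jun/2008:16:38:29 -0700] conn=114 op=22 ADD dn="uid=ldap$,ou=Computers,dc=gardenfreshcorp,dc=com"
[24/Jun/2008:16:38:29 -0700] conn=115 op=3 MOD dn="uid=constructed,ou=People,dc=gardenfreshcorp,dc=com"
[24/Jun/2008:16:38:29 -0700] conn=115 op=3 RESULT err=0 tag=103 nentries=0 etime=0
[24/Jun/2008:16:38:29 -0700] conn=114 op=22 RESULT err=32 tag=105 nentries=0 etime=0
[24/Jun/2008:16:38:29 -0700] conn=114 op=-1 fd=70 closed - B1
""".strip().splitlines()

if __name__ == "__main__":
    for finding in failed_writes(SAMPLE_LOG):
        print(describe(finding))
```
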

From merle.reine at gmail.com Wed Jun 25 00:43:53 2008
From: merle.reine at gmail.com (Merle Reine)
Date: Tue, 24 Jun 2008 17:43:53 -0700
Subject: [Fedora-directory-users] can't connect to PDC
In-Reply-To:
References: <585947630806231356q5e4ff19fh872ef908e0ffa754@mail.gmail.com>
Message-ID: <585947630806241743n2e5c2546k6c24f99f67f335f5@mail.gmail.com>

More errors trying to connect to domain from command line linux:

*[root at ldap home]# net rpc join -d 3 -l -S ldap -U admin*
[2008/06/24 17:40:54, 3] param/loadparm.c:lp_load_ex(8669)
  lp_load_ex: refreshing parameters
[2008/06/24 17:40:54, 3] param/loadparm.c:init_globals(4588)
  Initialising global parameters
[2008/06/24 17:40:54, 3] param/params.c:pm_process(569)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2008/06/24 17:40:54, 3] param/loadparm.c:do_section(7334)
  Processing section "[global]"
[2008/06/24 17:40:54, 2] lib/interface.c:add_interface(334)
  added interface eth0 ip=fe80::211:25ff:fe0c:5d8d%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
[2008/06/24 17:40:54, 2] lib/interface.c:add_interface(334)
  added interface eth0 ip=192.168.1.12 bcast=192.168.1.255 netmask= 255.255.255.0
[2008/06/24 17:40:54, 3] libsmb/cliconnect.c:cli_start_connection(1632)
  Connecting to host=ldap
[2008/06/24 17:40:54, 3] lib/util_sock.c:open_socket_out(1332)
  Connecting to 192.168.1.12 at port 445
[2008/06/24 17:40:54, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2086)
  *rpc_pipe_bind: Remote machine ldap pipe \lsarpc fnum 0x750c bind request returned ok.*
[2008/06/24 17:40:54, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2086)
  rpc_pipe_bind: Remote machine ldap pipe \NETLOGON fnum 0x750d bind request returned ok.
[2008/06/24 17:40:54, 3] libsmb/trusts_util.c:just_change_the_password(56)
  just_change_the_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)!
[2008/06/24 17:40:54, 1] utils/net_rpc.c:run_rpc_command(181)
  rpc command function failed! (NT_STATUS_ACCESS_DENIED)
*Enter admin's password:*
[2008/06/24 17:41:03, 3] libsmb/cliconnect.c:cli_start_connection(1632)
  Connecting to host=ldap
[2008/06/24 17:41:03, 3] lib/util_sock.c:open_socket_out(1332)
  Connecting to 192.168.1.12 at port 445
[2008/06/24 17:41:03, 3] libsmb/cliconnect.c:cli_session_setup_spnego(801)
  Doing spnego session setup (blob length=58)
[2008/06/24 17:41:03, 3] libsmb/cliconnect.c:cli_session_setup_spnego(826)
  got OID=1 3 6 1 4 1 311 2 2 10
[2008/06/24 17:41:03, 3] libsmb/cliconnect.c:cli_session_setup_spnego(834)
  got principal=NONE
[2008/06/24 17:41:03, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(1025)
  Got challenge flags:
[2008/06/24 17:41:03, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60898215
[2008/06/24 17:41:03, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(1047)
  NTLMSSP: Set final flags:
[2008/06/24 17:41:03, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60088215
[2008/06/24 17:41:03, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(337)
  NTLMSSP Sign/Seal - Initialising with flags:
[2008/06/24 17:41:03, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60088215
[2008/06/24 17:41:03, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2086)
  rpc_pipe_bind: Remote machine ldap pipe \lsarpc fnum 0x7503 bind request returned ok.
[2008/06/24 17:41:03, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2086)
  rpc_pipe_bind: Remote machine ldap pipe \samr fnum 0x7504 bind request returned ok.
*Creation of workstation account failed
Unable to join domain LDAP.*
[2008/06/24 17:41:03, 2] utils/net.c:main(1172)
  return code = 1

Merle Reine
IT Manager Extraordinaire
Email Address: echo zreyr.ervar at tznvy.pbz | perl -pe 'y/a-z/n-za-m/'

On Tue, Jun 24, 2008 at 2:51 AM, yersinia wrote:

> Likely are two different problem.
> >> >> "Transport endpoint is not connected" is a very - very - old XP problem >> http://wiki.samba.org/index.php/Samba_Myths >> >> If you set smb ports = 445 (raw smb aka CIFS port) in smb.conf the message >> disappear - naturally you are to be sure that >> you serve only XP o Vista client. >> >> For the LDAP problem the message don't tell me so much. So try >> >> smbcontrol smbd debug 10 >> >> and read again the log messages. >> >> Regards >> >> On Mon, Jun 23, 2008 at 10:56 PM, Merle Reine >> wrote: >> >>> I know this has been asked a million times but I read all the posts and >>> none answer my issue so I hope someone will know a fix. >>> >>> I have fc9 with samba as PDC connecting to FDS. >>> >>> Followed the how-to to the letter but can not get my windows machine to >>> connect to the domain. >>> >>> My domain is : ldap >>> Windows machine is in random workgroup not associated with samba at all. >>> >>> When I try to add to domain using root and pass (yes, it is setup on >>> samba server), I get the following: >>> >>> >>> "The following error occured attempting to join the domain "ldap": >>> A device attached to the system is not functioning. >>> >>> in /var/log/samba/samba.log: >>> >>> *[2008/06/23 13:53:44, 0] lib/util_sock.c:get_peer_addr_internal(1597) >>> getpeername failed. Error was Transport endpoint is not connected >>> [2008/06/23 13:53:44, 0] lib/util_sock.c:write_data(1059) >>> [2008/06/23 13:53:44, 0] lib/util_sock.c:get_peer_addr_internal(1597) >>> getpeername failed. Error was Transport endpoint is not connected >>> write_data: write failure in writing to client 0.0.0.0. Error >>> Connection reset >>> by peer >>> [2008/06/23 13:53:44, 0] smbd/process.c:srv_send_smb(74) >>> Error writing 4 bytes to client. -1. (Transport endpoint is not >>> connected) >>> [2008/06/23 13:53:44, 0] lib/util_sock.c:get_peer_addr_internal(1597) >>> getpeername failed. 
Error was Transport endpoint is not connected >>> [2008/06/23 13:53:44, 0] lib/util_sock.c:write_data(1059) >>> [2008/06/23 13:53:44, 0] lib/util_sock.c:get_peer_addr_internal(1597) >>> getpeername failed. Error was Transport endpoint is not connected >>> write_data: write failure in writing to client 0.0.0.0. Error >>> Connection reset >>> by peer >>> [2008/06/23 13:53:44, 0] smbd/process.c:srv_send_smb(74) >>> Error writing 4 bytes to client. -1. (Transport endpoint is not >>> connected) >>> [2008/06/23 13:53:44, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(2276) >>> ldapsam_add_sam_account: failed to modify/add user with uid = TEST$ (dn >>> = uid= >>> TEST$,ou=Computers,dc=gardenfreshcorp,dc=com)* >>> >>> >>> Any one have any ideas what I am missing? >>> >>> Thanks. >>> >>> >>> >>> Merle Reine >>> IT Manager Extraordinaire >>> Email Address: echo zreyr.ervar at tznvy.pbz | perl -pe 'y/a-z/n-za-m/' >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From Sergey.Kamshilin at radisys.com Thu Jun 26 00:20:48 2008 From: Sergey.Kamshilin at radisys.com (Sergey Kamshilin) Date: Wed, 25 Jun 2008 17:20:48 -0700 Subject: [Fedora-directory-users] Fedora-DS alias dereference problem. Message-ID: <343AAB782778D44FB06D24560CAFC0E3957EF7@OREXCHANGE01.radisys.com> Hi all, I'd like to report it as a bug because I could not find any help on forums neither in other sources... It appears that Fedora-DS 1.1.0-3 does not dereference aliases even if it asked for. 
So I have a simple example:

============
# ldapsearch -x -LLL -b "ou=Special Users,dc=lab,dc=convedia,dc=com" -a always

dn: ou=Special Users,dc=lab, dc=convedia, dc=com
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts

dn: aliasedobjectname=ou\=DNS\,dc\=lab\,dc\=convedia\,dc\=com,ou=Special Users
 ,dc=lab,dc=convedia,dc=com
aliasedObjectName: ou=DNS,dc=lab,dc=convedia,dc=com
objectClass: alias
objectClass: top
===============

Instead of "dn: aliasedobjectname=..." I would expect to see a DNS subtree (DNS object). Couple lines may be wrapped but the idea is that parameter "-a always" is ignored. Is it a known issue? Are there any workarounds?

I have installed:
fedora-ds-1.1.0-3.fc6
fedora-ds-admin-1.1.2-2.fc6
fedora-ds-console-1.1.1-2.fc6
fedora-idm-console-1.1.1-1.fc6
fedora-admin-console-1.1.0-4.fc6
fedora-ds-base-1.1.0-3.fc6

Thank you in advance,
SergeyK

From rmeggins at redhat.com Thu Jun 26 00:50:20 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 25 Jun 2008 18:50:20 -0600
Subject: [Fedora-directory-users] Fedora-DS alias dereference problem.
In-Reply-To: <343AAB782778D44FB06D24560CAFC0E3957EF7@OREXCHANGE01.radisys.com>
References: <343AAB782778D44FB06D24560CAFC0E3957EF7@OREXCHANGE01.radisys.com>
Message-ID: <4862E7CC.4090105@redhat.com>

Sergey Kamshilin wrote:
> Hi all,
>
> I'd like to report it as a bug because I could not find any help on
> forums neither in other sources...
>
> It appears that Fedora-DS 1.1.0-3 does not dereference aliases even if
> it asked for. So I have a simple example:
>
> ============
> # ldapsearch -x -LLL -b "ou=Special Users,dc=lab,dc=convedia,dc=com" -a
> always
>
> dn: ou=Special Users,dc=lab, dc=convedia, dc=com
> objectClass: top
> objectClass: organizationalUnit
> ou: Special Users
> description: Special Administrative Accounts
>
> dn: aliasedobjectname=ou\=DNS\,dc\=lab\,dc\=convedia\,dc\=com,ou=Special
> Users ,dc=lab,dc=convedia,dc=com
> aliasedObjectName: ou=DNS,dc=lab,dc=convedia,dc=com
> objectClass: alias
> objectClass: top
> ===============
>
> Instead of "dn: aliasedobjectname=..." I would expect to see a DNS
> subtree (DNS object).
> Couple lines may be wrapped but the idea is that parameter "-a always"
> is ignored. Is it a known issue?
Yes, Fedora DS does not support aliases.
> Are there any workarounds?
>
You could use a smart referral if the client could resolve this.
> I have installed:
> fedora-ds-1.1.0-3.fc6
> fedora-ds-admin-1.1.2-2.fc6
> fedora-ds-console-1.1.1-2.fc6
> fedora-idm-console-1.1.1-1.fc6
> fedora-admin-console-1.1.0-4.fc6
> fedora-ds-base-1.1.0-3.fc6
>
> Thank you in advance,
> SergeyK
>

From glenn at mail.txwes.edu Thu Jun 26 13:29:20 2008
From: glenn at mail.txwes.edu (Glenn)
Date: Thu, 26 Jun 2008 08:29:20 -0500
Subject: [Fedora-directory-users] Password Sometimes Replicated in Windows Sync
Message-ID: <20080626131905.M32@mail.txwes.edu>

Here's an odd one. We have a Windows Sync agreement between Fedora Directory 1.04 and Active Directory. If we change a user's password on the domain controller, the password is replicated to Fedora Directory.
But if we change the user's password on the user's Windows XP computer using Ctrl-Alt-Del, the change is not replicated. Anyone got a solution to this? It was working a few months ago.

Thanks.
-G.

From graf0 at post.pl Thu Jun 26 18:57:54 2008
From: graf0 at post.pl (=?ISO-8859-2?Q?Grzegorz_Marsza=B3ek?=)
Date: Thu, 26 Jun 2008 20:57:54 +0200
Subject: [Fedora-directory-users] how to turn on memberof plugin?
Message-ID: <3ED37EA5-3DEE-492B-9E76-FCE7591D4A0E@post.pl>

Hello!

I'd like to use memberof plugin. How to turn it on?

---
Grzegorz Marszałek
alias Ojciec Dyrektor ;)

From kirankmadala at hotmail.com Thu Jun 26 19:02:55 2008
From: kirankmadala at hotmail.com (kiran madala)
Date: Thu, 26 Jun 2008 16:02:55 -0300
Subject: [Fedora-directory-users] Module to Sync Novell eDirectory?
Message-ID:

Hello,

It's been great experimenting with fedora DS server, especially with the Active Directory and Novell Sync modules. Unfortunately since these cannot be stored in back end MySql I would have to develop one myself. I know the AD Sync is done using DirSync module. I would like to know what module does fedora uses to sync the Novell Directory. Any hint or help is appreciated.

Thank you.

From sanga.c at it-mgt.com Thu Jun 26 19:25:42 2008
From: sanga.c at it-mgt.com (Sanga M. Collins)
Date: Thu, 26 Jun 2008 15:25:42 -0400
Subject: [Fedora-directory-users] Module to Sync Novell eDirectory?
References:
Message-ID: <5542485358217A4EB9893C4F12C42BF9E318F5@itm-bb01.exch.it-mgt.net>

I too am interested in sync edirectory. Where can I find more information on the modules? We have an extensive (30 remote sites) novell network that my company would like to eliminate.
If I can sync FDS and edirectory, it should save hours when it comes to converting users.

From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of kiran madala
Sent: Thursday, June 26, 2008 3:03 PM
To: fedora-directory-users at redhat.com
Subject: [Fedora-directory-users] Module to Sync Novell eDirectory?

Hello,

It's been great experimenting with fedora DS server, especially with the Active Directory and Novell Sync modules. Unfortunately since these cannot be stored in back end MySql I would have to develop one myself. I know the AD Sync is done using DirSync module. I would like to know what module does fedora uses to sync the Novell Directory. Any hint or help is appreciated.

Thank you.

From upanwar at yahoo.com Sat Jun 28 21:09:33 2008
From: upanwar at yahoo.com (UMESH PANWAR)
Date: Sat, 28 Jun 2008 14:09:33 -0700 (PDT)
Subject: [Fedora-directory-users] getting errors while running console on oracle linux 5
Message-ID: <530319.6336.qm@web30408.mail.mud.yahoo.com>

Hi,

I am getting following error messages while trying to open console.

Exception in thread "main" java.lang.ExceptionInInitializerError
        at com.sun.java.swing.plaf.windows.WindowsLookAndFeel.initialize(WindowsLookAndFeel.java:154)
        at com.netscape.management.nmclf.SuiLookAndFeel.initialize(Unknown Source)
        at javax.swing.UIManager.setLookAndFeel(UIManager.java:424)
        at com.netscape.management.client.console.Console.common_init(Unknown Source)
        at com.netscape.management.client.console.Console.(Unknown Source)
        at com.netscape.management.client.console.Console.main(Unknown Source)
Caused by: java.lang.NullPointerException
        at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:2159)
        at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1994)
        at java.lang.Runtime.loadLibrary0(Runtime.java:824)
        at java.lang.System.loadLibrary(System.java:908)
        at sun.security.action.LoadLibraryAction.run(LoadLibraryAction.java:76)
        at java.security.AccessController.doPrivileged1(Native Method)
        at java.security.AccessController.doPrivileged(AccessController.java:287)
        at java.awt.Toolkit.loadLibraries(Toolkit.java:1488)
        at java.awt.Toolkit.(Toolkit.java:1511)
        ... 6 more

Pls help me.

Umesh Panwar
+91-9829857475

From hicheerup at gmail.com Sun Jun 29 09:11:48 2008
From: hicheerup at gmail.com (lingu)
Date: Sun, 29 Jun 2008 14:41:48 +0530
Subject: [Fedora-directory-users] Rhds8.0 with windows 2003 ADS PassSync Error
Message-ID: <29e045b80806290211x34b0b09cs55ae79ec4dc04e34@mail.gmail.com>

Hi,

I am trying to integrate RHDS 8.0 with windows 2003 ADS on RHEL5 as per the RHEL documentation for user/group and password sync from windows ADS. I am using windows sync and Passsync. But i am facing problem with the certificate creation.

###########################################################################
*Followed the below step in RHDS box running on rhel5 to setup ssl.*
###########################################################################

- vi pin.txt
  secretpw
- Create a noise file for the encryption
  vi noise.txt
  dsadasdasdasdadasdasdasdasdsadfwerwerjfdksdjfksdlfhjsdk
- Create the key and certificate databases database
  certutil -N -d . -f pin.txt
  (results, makes 3 files with db extension)
- Generate the encryption key
  certutil -G -d . -z noise.txt -f pin.txt
- Generate the self-signed CA certificate
  certutil -S -n "CA Certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 9999 -d . -z noise.txt -f pin.txt
  (generates CA certificate and puts into db stores, can be verified with: certutil -L -d .
  -n "Certificate Name", where Certificate Name is CA Certificate)
- Generate the Directory Server Client Certificate
  certutil -S -n "server-cert" -s "cn=ldapproxy.example.com,cn=Directory Server" -c "CA Certificate" -t "u,u,u" -m 1001 -v 9999 -d . -z noise.txt -f pin.txt
- Convert to pkcs12 format (note these files will be used within the AD system, and the prompted password for the commands below will need to match password in pin.txt file)
  pk12util -d . -o cacert.pk12 -n "CA Certificate"
  pk12util -d . -o dscert.pk12 -n "server-cert"

###########################################################################
*After that when i executed ldapsearch -x -ZZ it showing all the entries properly on rhds rhel box, so its indicates ssl was perfectly configured on RHDS*
###########################################################################

*STEPS FOLLOWED ON WINDOWS 2003 ADS BOX to Set up SSL on the Active Directory Server*

windows ads domain: example.com
windows FQDN: testing.example.com

- Install a certificate authority in the Windows Components section in Add/Remove Programs.
- Select the Enterprise Root CA option.
- Make sure to use the hostname as the DN serverX and then for the domain dc=example,dc=com (note, this should resemble your FQDN)
- Reboot Windows Machine
- Log back in to the box...give it a little while, it's windows :-)
- Go to Start>>Run>>mmc
- Under File>>Add/Remove Snap-in
- Click Add, Click Certificates, Click Add, Click Computer Account, Click Next and finish
- Go to Trusted Root Certificates>>Certificates>>Right Click>>All Tasks>>Import
- Go to where you copied the pk12 files from earlier and import the cacert.pk12 [CREATED IN RHDS RUNNING ON rhel]

*Create DB Stores For PassSync in windows 2003 ads server*

- Copy .pk12 files that were put on Windows system to C:\Program Files\Red Hat Directory Password Synchronization\
- In this directory run
  certutil -d . -N
  (from dos command)
- This creates empty db stores, next run the following to import your dscert.pk12 into the key store
  pk12util -d . -i dscert.pk12
- Then give trusted peer status to the server
  certutil -d . -M -n server-cert -t "P,P,P"

*ERROR*
When i executed the above command on windows 2003 ads box it giving me following error

certutil.exe unable to decode trust strings error 0

Also the certificate created from rhel box using certutil is showing validation date and expiration date as current date and time in both CA Cert and Server-cert
i checked the certificate content by using

certutil -L -d . -n "Certificate Name"
certutil -L -d . -n "Server-cert"

Plz help me how to troubleshoot this error.

Regards
lingu

From Dael.Maselli at lnf.infn.it Mon Jun 30 14:12:51 2008
From: Dael.Maselli at lnf.infn.it (Dael Maselli)
Date: Mon, 30 Jun 2008 16:12:51 +0200
Subject: [Fedora-directory-users] Simple Bind only in secured channel
In-Reply-To:
References: <4854ED9E.20207@lnf.infn.it> <48568B9A.1070804@redhat.com>
Message-ID: <4868E9E3.4050700@lnf.infn.it>

Great! Can you send me additional information and possibly the code?
It will be very helpful.

Thanks.

Dael Maselli.

Gary Windham wrote:
> On Jun 16, 2008, at 8:49 AM, Rich Megginson wrote:
>
>> Dael Maselli wrote:
>>> Hi all,
>>>
>>> is there any method to deny simple bind operation unless in a secure
>>> channel (SSL or STARTTLS)?
>> No. This relates to another requested feature, which is the ability
>> to deny anonymous bind or other anonymous operations. I would like to
>> get some requirements for such a feature.
>> * allow simple bind/anonymous operations only over a secure channel?
>> * allow simple bind/anonymous operations for certain hosts/ip addresses?
>> * allow only certain anonymous operations, like startTLS and the
>> password change extop? others?
>> * other access control features related to the above?
>>> Do I have to write a plug-in? Hints?
>> Yes, at this point it would have to be a plug-in, most likely a bind
>> pre-op plug-in.
>
> I have a bind pre-op plugin that meets the first two requirements; I
> would be happy to share it with anyone interested.
>
> Thanks,
> --Gary
>
> --
> Gary Windham
> Senior Enterprise Systems Architect
> The University of Arizona, UITS
> +1 520 626 5981

--
___________________________________________________________________

Dael Maselli --- INFN-LNF Computing Service -- +39.06.9403.2214
___________________________________________________________________

Democracy is two wolves and a lamb voting on what to have for lunch
___________________________________________________________________

From rmeggins at redhat.com Mon Jun 30 14:25:04 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 30 Jun 2008 08:25:04 -0600
Subject: [Fedora-directory-users] getting errors while running console on oracle linux 5
In-Reply-To: <530319.6336.qm@web30408.mail.mud.yahoo.com>
References: <530319.6336.qm@web30408.mail.mud.yahoo.com>
Message-ID: <4868ECC0.3010305@redhat.com>

UMESH PANWAR wrote:
> Hi,
>
> I am getting following error messages while trying to open console.
>

What platform? What version of Java?

>
> Exception in thread "main" java.lang.ExceptionInInitializerError
>         at com.sun.java.swing.plaf.windows.WindowsLookAndFeel.initialize(WindowsLookAndFeel.java:154)
>         at com.netscape.management.nmclf.SuiLookAndFeel.initialize(Unknown Source)
>         at javax.swing.UIManager.setLookAndFeel(UIManager.java:424)
>         at com.netscape.management.client.console.Console.common_init(Unknown Source)
>         at com.netscape.management.client.console.Console.(Unknown Source)
>         at com.netscape.management.client.console.Console.main(Unknown Source)
> Caused by: java.lang.NullPointerException
>         at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:2159)
>         at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1994)
>         at java.lang.Runtime.loadLibrary0(Runtime.java:824)
>         at java.lang.System.loadLibrary(System.java:908)
>         at sun.security.action.LoadLibraryAction.run(LoadLibraryAction.java:76)
>         at java.security.AccessController.doPrivileged1(Native Method)
>         at java.security.AccessController.doPrivileged(AccessController.java:287)
>         at java.awt.Toolkit.loadLibraries(Toolkit.java:1488)
>         at java.awt.Toolkit.(Toolkit.java:1511)
>         ... 6 more
>
> Pls help me.
>
> Umesh Panwar
> +91-9829857475
>

From windhamg at email.arizona.edu Mon Jun 30 16:15:52 2008
From: windhamg at email.arizona.edu (Gary Windham)
Date: Mon, 30 Jun 2008 09:15:52 -0700
Subject: [Fedora-directory-users] Simple Bind only in secured channel
In-Reply-To: <4868E9E3.4050700@lnf.infn.it>
References: <4854ED9E.20207@lnf.infn.it> <48568B9A.1070804@redhat.com> <4868E9E3.4050700@lnf.infn.it>
Message-ID:

Sorry...I jumped the gun on this. I'm working with the University's Office of Technology Transfer to contribute this code under the terms of The Fedora Project's Corporate Contributor License Agreement (http://directory.fedoraproject.org/wiki/Corporate_Contributor_License_Agreement). Hopefully I'll hear back soon.

Thanks for the interest.

--Gary

--
Gary Windham
Senior Enterprise Systems Architect
The University of Arizona, UITS
+1 520 626 5981

On Jun 30, 2008, at 7:12 AM, Dael Maselli wrote:

>
> Great! Can you send me additional information and possibly the code?
>
> It will be very helpful.
>
> Thanks.
>
> Dael Maselli.
>
>
> Gary Windham wrote:
>> On Jun 16, 2008, at 8:49 AM, Rich Megginson wrote:
>>> Dael Maselli wrote:
>>>> Hi all,
>>>>
>>>> is there any method to deny simple bind operation unless in a
>>>> secure
>>>> channel (SSL or STARTTLS)?
>>> No. This relates to another requested feature, which is the
>>> ability to deny anonymous bind or other anonymous operations. I
>>> would like to get some requirements for such a feature.
>>> * allow simple bind/anonymous operations only over a secure channel?
>>> * allow simple bind/anonymous operations for certain hosts/ip
>>> addresses?
>>> * allow only certain anonymous operations, like startTLS and the
>>> password change extop? others?
>>> * other access control features related to the above?
>>>> Do I have to write a plug-in? Hints?
>>> Yes, at this point it would have to be a plug-in, most likely a
>>> bind pre-op plug-in.
>> I have a bind pre-op plugin that meets the first two requirements;
>> I would be happy to share it with anyone interested.
>> Thanks,
>> --Gary
>> --
>> Gary Windham
>> Senior Enterprise Systems Architect
>> The University of Arizona, UITS
>> +1 520 626 5981
>
> --
> ___________________________________________________________________
>
> Dael Maselli --- INFN-LNF Computing Service -- +39.06.9403.2214
> ___________________________________________________________________
>
> Democracy is two wolves and a lamb voting on what to have for lunch
> ___________________________________________________________________