From maumar at cost.it Sat Mar 1 18:07:42 2008
From: maumar at cost.it (Maurizio Marini)
Date: Sat, 1 Mar 2008 19:07:42 +0100
Subject: [Fedora-directory-users] installing samba
Message-ID: <200803011907.42496.maumar@cost.it>

Hi there,
I am using
http://directory.fedoraproject.org/wiki/Howto:Samba
to install samba+fds=pdc.
I note that some notes like
"All schema's are located in /opt/fedora-ds/slapd-/config/schema"
are referring to 1.0.4 instead of 1.1 and RHS.
I wonder if it's worthwhile to add some highlights (me or anyone could do that),
or whether some of you are behind this task.

Regards
Maurizio

From solarflow99 at gmail.com Sat Mar 1 19:43:14 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Sat, 1 Mar 2008 19:43:14 +0000
Subject: [Fedora-directory-users] installing samba
In-Reply-To: <200803011907.42496.maumar@cost.it>
References: <200803011907.42496.maumar@cost.it>
Message-ID: <7020fd000803011143k24467637i45b639f3d7ed772f@mail.gmail.com>

Sure, I think it's worth correcting. I was just going through it too; too
bad they do everything with ldif files and command-line tools, I wanted to
see how to do it from the console.

On Sat, Mar 1, 2008 at 6:07 PM, Maurizio Marini wrote:
> Hi there,
> I am using
> http://directory.fedoraproject.org/wiki/Howto:Samba
> to install samba+fds=pdc.
> I note that some notes like
> "All schema's are located in /opt/fedora-ds/slapd-/config/schema"
> are referring to 1.0.4 instead of 1.1 and RHS.
> I wonder if it's worthwhile to add some highlights (me or anyone could do
> that),
> or whether some of you are behind this task.
>
> Regards
> Maurizio
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From goldschr at cshl.edu Mon Mar 3 01:18:14 2008
From: goldschr at cshl.edu (Goldschrafe, Jeff)
Date: Sun, 2 Mar 2008 20:18:14 -0500
Subject: [Fedora-directory-users] 1.1.0 net-snmp build issues in mock
Message-ID: <000e01c87ccc$745577b0$9401a8c0@jeffwindows>

Hey there,

I'm trying to build Fedora DS 1.1.0 on my buildsystem, which is mock 0.8.19
on a rather minimal Fedora 8 x86_64 system. Regardless of the distro I try
to build for in mock (I've tried CentOS 5, Fedora 8 and Fedora Core 6), I
hit the following set of build errors:

---SNIP--
/bin/sh ./libtool --tag=CC --mode=link gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -o ldclt-bin ldap/servers/slapd/tools/ldclt_bin-ldaptool-sasl.o ldap/servers/slapd/tools/ldclt/ldclt_bin-data.o ldap/servers/slapd/tools/ldclt/ldclt_bin-ldapfct.o ldap/servers/slapd/tools/ldclt/ldclt_bin-ldclt.o ldap/servers/slapd/tools/ldclt/ldclt_bin-ldcltU.o ldap/servers/slapd/tools/ldclt/ldclt_bin-parser.o ldap/servers/slapd/tools/ldclt/ldclt_bin-port.o ldap/servers/slapd/tools/ldclt/ldclt_bin-scalab01.o ldap/servers/slapd/tools/ldclt/ldclt_bin-threadMain.o ldap/servers/slapd/tools/ldclt/ldclt_bin-utils.o ldap/servers/slapd/tools/ldclt/ldclt_bin-version.o ldap/servers/slapd/tools/ldclt/ldclt_bin-workarounds.o -lplc4 -lplds4 -lnspr4 -lssl3 -lnss3 -lsoftokn3 -lssldap60 -lprldap60 -lldap60 -lldif60 -lsasl2
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:64: undefined reference to `snmp_log'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:62: undefined reference to `snmp_log'
ldap/servers/snmp/ldap_agent_bin-main.o: In function `main':
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:117: undefined reference to `netsnmp_ds_set_boolean'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:120: undefined reference to `netsnmp_register_loghandler'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:158: undefined reference to `snmp_enable_filelog'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:164: undefined reference to `snmp_log'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:167: undefined reference to `netsnmp_ds_set_boolean'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:170: undefined reference to `netsnmp_ds_set_string'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:174: undefined reference to `netsnmp_daemonize'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:189: undefined reference to `init_agent'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:191: undefined reference to `init_snmp'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:213: undefined reference to `snmp_log'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:217: undefined reference to `agent_check_and_process'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:221: undefined reference to `snmp_shutdown'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:222: undefined reference to `snmp_log'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:202: undefined reference to `snmp_log'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:206: undefined reference to `snmp_log'
ldap/servers/snmp/ldap_agent_bin-ldap-agent.o: In function `send_DirectoryServerStart_trap':
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:722: undefined reference to `snmp_log'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:731: undefined reference to `snmp_varlist_add_variable'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:736: undefined reference to `snmp_varlist_add_variable'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:741: undefined reference to `snmp_varlist_add_variable'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:746: undefined reference to `snmp_varlist_add_variable'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:754: undefined reference to `send_v2trap'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:755: undefined reference to `snmp_free_varbind'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:726: undefined reference to `snmp_log'
ldap/servers/snmp/ldap_agent_bin-ldap-agent.o: In function `send_DirectoryServerDown_trap':
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:657: undefined reference to `snmp_log'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:666: undefined reference to `snmp_varlist_add_variable'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:671: undefined reference to `snmp_varlist_add_variable'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:676: undefined reference to `snmp_varlist_add_variable'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:681: undefined reference to `snmp_varlist_add_variable'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:687: undefined reference to `snmp_varlist_add_variable'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:695: undefined reference to `send_v2trap'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:696: undefined reference to `snmp_free_varbind'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:661: undefined reference to `snmp_log'
ldap/servers/snmp/ldap_agent_bin-ldap-agent.o: In function `dsEntityTable_get_value':
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:628: undefined reference to `snmp_log'
/builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:622: undefined reference to `snmp_set_var_typed_value'
---SNIP---

...and then about another page of the same stuff, which I've omitted for
brevity. I noticed that the command doesn't seem to include -lsnmp, which I
imagine it should be including.

Is mock an unsupported build environment for FDS? If not, any idea how to
get this building?

Thanks a lot!

Jeff Goldschrafe
Systems Engineer
Cold Spring Harbor Laboratory
1 Bungtown Road
Cold Spring Harbor, NY 11724
(516) 367-6966
http://cshl.edu

From maumar at cost.it Mon Mar 3 10:51:23 2008
From: maumar at cost.it (Maurizio Marini)
Date: Mon, 3 Mar 2008 11:51:23 +0100
Subject: [Fedora-directory-users] installing samba
In-Reply-To: <7020fd000803011143k24467637i45b639f3d7ed772f@mail.gmail.com>
References: <200803011907.42496.maumar@cost.it> <7020fd000803011143k24467637i45b639f3d7ed772f@mail.gmail.com>
Message-ID: <200803031151.23539.maumar@cost.it>

On Sat March 1 2008, solarflow99 wrote:
> Sure, I think it's worth correcting. I was just going through it too; too
> bad they do everything with ldif files and command-line tools, I wanted to
> see how to do it from the console.

No, my post is related to the wiki:
http://directory.fedoraproject.org/wiki/Howto:Samba
I think that it would be worthwhile to fix it to take into account the 1.1
changes, not more, not less ;)

Maurizio

From andrew at dingman.org Sat Mar 1 21:32:54 2008
From: andrew at dingman.org (Andrew C. Dingman)
Date: Sat, 01 Mar 2008 16:32:54 -0500
Subject: [Fedora-directory-users] notes on building fds in etch and a failed build question
In-Reply-To: <47C491FE.8020500@redhat.com>
References: <200802192232.02999.Ryan.Braun@ec.gc.ca> <200802262139.16676.Ryan.Braun@ec.gc.ca> <47C48A9D.2030706@redhat.com> <200802262212.33606.Ryan.Braun@ec.gc.ca> <47C491FE.8020500@redhat.com>
Message-ID: <1204407174.3624.157.camel@Hephaistos.internal.dingman.org>

On Tue, 2008-02-26 at 15:26 -0700, Rich Megginson wrote:
> Not sure. Could be debug mode?
>
> Also, where did you get the sun java5 in .deb packages? Are those
> provided by Debian?

I can't swear to where anyone else gets them, but I use:

deb http://ftp.us.debian.org/debian/ sid main contrib non-free
deb-src http://ftp.us.debian.org/debian/ sid main contrib non-free

in my /etc/apt/sources.list file, and probably will until IcedTea or
OpenJDK makes it into Debian. The contrib and non-free repositories aren't
officially part of Debian, but contain, respectively, Free software that
depends on non-Free software and non-Free software that is legally
redistributable. Java has been in there since around the time Sun initially
announced that they were going to make it open-source and changed the terms
of their license to make the current versions of Java distributable.

From maumar at cost.it Mon Mar 3 15:01:26 2008
From: maumar at cost.it (Maurizio Marini)
Date: Mon, 3 Mar 2008 16:01:26 +0100
Subject: [Fedora-directory-users] trouble installing samba
Message-ID: <200803031601.26344.maumar@cost.it>

I'm installing samba-pdc using
http://directory.fedoraproject.org/wiki/Howto:Samba
I stumbled at the final point of adding Administrator:

pdbedit -U S-1-5-21-1017320176-1068811812-2284442376-500 -u Administrator -r
Username not found!

pdbedit -U S-1-5-21-1017320176-1068811812-2284442376-500 -u Administrator -a
Cannot locate Unix account for Administrator

In the discussion I read:
http://directory.fedoraproject.org/wiki/Talk:Howto:Samba
"I found that the step to use pdbedit to modify the administrator account
was failing. After much searching I realized it is expecting the
Administrator account that was added with ldif2ldap of the
sambaAdministrator.ldap to *already* have a sambasamaccount object class
associated with it."

I dunno how to do it :(
Other comments make me wonder if, using this howto, I will ever be able to
install samba-pdc :(
If someone was able to do it, please share your experience with us :)

m.

From rmeggins at redhat.com Mon Mar 3 15:32:18 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 03 Mar 2008 08:32:18 -0700
Subject: [Fedora-directory-users] 1.1.0 net-snmp build issues in mock
In-Reply-To: <000e01c87ccc$745577b0$9401a8c0@jeffwindows>
References: <000e01c87ccc$745577b0$9401a8c0@jeffwindows>
Message-ID: <47CC1A02.7050003@redhat.com>

Goldschrafe, Jeff wrote:
> Hey there,
>
> I'm trying to build Fedora DS 1.1.0 on my buildsystem, which is mock 0.8.19
> on a rather minimal Fedora 8 x86_64 system. Regardless of the distro I try
> to build for in mock (I've tried CentOS 5, Fedora 8 and Fedora Core 6), I
> hit the following set of build errors:
>
Can you post your exact mock command line?
> ---SNIP--
>
> /bin/sh ./libtool --tag=CC --mode=link gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -o ldclt-bin ldap/servers/slapd/tools/ldclt_bin-ldaptool-sasl.o ldap/servers/slapd/tools/ldclt/ldclt_bin-data.o ldap/servers/slapd/tools/ldclt/ldclt_bin-ldapfct.o ldap/servers/slapd/tools/ldclt/ldclt_bin-ldclt.o ldap/servers/slapd/tools/ldclt/ldclt_bin-ldcltU.o ldap/servers/slapd/tools/ldclt/ldclt_bin-parser.o ldap/servers/slapd/tools/ldclt/ldclt_bin-port.o ldap/servers/slapd/tools/ldclt/ldclt_bin-scalab01.o ldap/servers/slapd/tools/ldclt/ldclt_bin-threadMain.o ldap/servers/slapd/tools/ldclt/ldclt_bin-utils.o ldap/servers/slapd/tools/ldclt/ldclt_bin-version.o ldap/servers/slapd/tools/ldclt/ldclt_bin-workarounds.o -lplc4 -lplds4 -lnspr4 -lssl3 -lnss3 -lsoftokn3 -lssldap60 -lprldap60 -lldap60 -lldif60 -lsasl2
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:64: undefined reference to `snmp_log'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:62: undefined reference to `snmp_log'
> ldap/servers/snmp/ldap_agent_bin-main.o: In function `main':
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:117: undefined reference to `netsnmp_ds_set_boolean'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:120: undefined reference to `netsnmp_register_loghandler'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:158: undefined reference to `snmp_enable_filelog'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:164: undefined reference to `snmp_log'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:167: undefined reference to `netsnmp_ds_set_boolean'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:170: undefined reference to `netsnmp_ds_set_string'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:174: undefined reference to `netsnmp_daemonize'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:189: undefined reference to `init_agent'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:191: undefined reference to `init_snmp'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:213: undefined reference to `snmp_log'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:217: undefined reference to `agent_check_and_process'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:221: undefined reference to `snmp_shutdown'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:222: undefined reference to `snmp_log'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:202: undefined reference to `snmp_log'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:206: undefined reference to `snmp_log'
> ldap/servers/snmp/ldap_agent_bin-ldap-agent.o: In function `send_DirectoryServerStart_trap':
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:722: undefined reference to `snmp_log'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:731: undefined reference to `snmp_varlist_add_variable'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:736: undefined reference to `snmp_varlist_add_variable'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:741: undefined reference to `snmp_varlist_add_variable'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:746: undefined reference to `snmp_varlist_add_variable'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:754: undefined reference to `send_v2trap'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:755: undefined reference to `snmp_free_varbind'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:726: undefined reference to `snmp_log'
> ldap/servers/snmp/ldap_agent_bin-ldap-agent.o: In function `send_DirectoryServerDown_trap':
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:657: undefined reference to `snmp_log'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:666: undefined reference to `snmp_varlist_add_variable'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:671: undefined reference to `snmp_varlist_add_variable'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:676: undefined reference to `snmp_varlist_add_variable'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:681: undefined reference to `snmp_varlist_add_variable'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:687: undefined reference to `snmp_varlist_add_variable'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:695: undefined reference to `send_v2trap'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:696: undefined reference to `snmp_free_varbind'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:661: undefined reference to `snmp_log'
> ldap/servers/snmp/ldap_agent_bin-ldap-agent.o: In function `dsEntityTable_get_value':
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:628: undefined reference to `snmp_log'
> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:622: undefined reference to `snmp_set_var_typed_value'
>
> ---SNIP---
>
> ...and then about another page of the same stuff, which I've omitted for
> brevity. I noticed that the command doesn't seem to include -lsnmp, which I
> imagine it should be including.
>
Are you using make -j or some other parallel make? Because the
compiler/linker errors you are getting are not from the compile/link
command above, which is for ldclt.
> Is mock an unsupported build environment for FDS?
I've used mock to build FDS for f6, f7, f8.
> If not, any idea how to
> get this building?
>
> Thanks a lot!
>
> Jeff Goldschrafe
> Systems Engineer
> Cold Spring Harbor Laboratory
> 1 Bungtown Road
> Cold Spring Harbor, NY 11724
> (516) 367-6966
> http://cshl.edu
>

From stpierre at NebrWesleyan.edu Mon Mar 3 15:54:05 2008
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Mon, 3 Mar 2008 09:54:05 -0600 (CST)
Subject: [Fedora-directory-users] Fedora DS Graph 1.0.0 released
Message-ID:

I've released version 1.0 of Fedora DS Graph (formerly FDSGraph) at:

http://www.stpierreconsulting.com/fedora-ds-graph-1-0-0

This is a _major_ overhaul of the old code, and includes lots of new stuff
-- most notably, support for Fedora DS 1.1. (I've also tested it with
Fedora DS 1.0.4.) A larger list of changes can be found on the page linked
to above.

Fedora DS Graph is a graphing utility for graphing connections to and
operations on a Fedora Directory Server instance.

I've also requested a review of the package for eventual inclusion in
Fedora, so hopefully getting your hands on Fedora DS Graph should be easier.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

From goldschr at cshl.edu Mon Mar 3 16:18:32 2008
From: goldschr at cshl.edu (Goldschrafe, Jeffrey)
Date: Mon, 3 Mar 2008 11:18:32 -0500
Subject: [Fedora-directory-users] 1.1.0 net-snmp build issues in mock
In-Reply-To: <47CC1A02.7050003@redhat.com>
References: <000e01c87ccc$745577b0$9401a8c0@jeffwindows> <47CC1A02.7050003@redhat.com>
Message-ID: <77B2B6579FFE3A479CD609D3E80E20B272B9EF@mailbox09.cshl.edu>

>> Hey there,
>>
>> I'm trying to build Fedora DS 1.1.0 on my buildsystem, which is mock
>> 0.8.19 on a rather minimal Fedora 8 x86_64 system. Regardless of the
>> distro I try to build for in mock (I've tried CentOS 5, Fedora 8 and
>> Fedora Core 6), I hit the following set of build errors:
>>
> Can you post your exact mock command line?

Sure!

rpmbuild -bs --nodeps /usr/src/redhat/SPECS/fedora-ds-base.spec
mock rebuild -r fedora-8-i386 /usr/src/redhat/SRPMS/fedora-ds-base-1.1.0-1.2.src.rpm

And here's the relevant mock config:

-- FILE: /etc/mock/fedora-8-i386.cfg --
#!/usr/bin/python -tt

import os
config_opts['root'] = 'fedora-8-i386'
config_opts['target_arch'] = 'i386'

config_opts['yum.conf'] = """
[main]
cachedir=/var/cache/yum
debuglevel=1
reposdir=/dev/null
logfile=/var/log/yum.log
retries=20
obsoletes=1
gpgcheck=0
assumeyes=1

# repos

[core]
name=Fedora 8
baseurl=http://my-fedora-mirror/releases/8/Everything/i386/os/

[updates]
name=updates
baseurl=http://my-fedora-mirror/updates/8/i386/

[groups]
name=groups
baseurl=http://buildsys.fedoraproject.org/buildgroups/development/i386/

[cshl]
name=cshl
baseurl=http://my-repo-host/8/i386/

[local]
name=local
baseurl=http://koji.fedoraproject.org/static-repos/dist-f8-build-current/i386/
exclude=*debuginfo*
enabled=0
"""

config_opts['macros']['local'] = """
%fc8 1
"""
-- END FILE: /etc/mock/fedora-8-i386.cfg --

-- FILE: /etc/mock/defaults.cfg --
config_opts['basedir'] = '/var/lib/mock/'
config_opts['cache_topdir'] = '/var/lib/mock/cache'
config_opts['rpmbuild_timeout'] = 10000000
config_opts['use_host_resolv'] = True
config_opts['build_log_fmt_name'] = "unadorned"
config_opts['root_log_fmt_name'] = "detailed"
config_opts['state_log_fmt_name'] = "state"
config_opts['internal_dev_setup'] = True
config_opts['internal_setarch'] = False
config_opts['cleanup_on_success'] = 0
config_opts['cleanup_on_failure'] = 0
config_opts['plugin_conf']['tmpfs_enable'] = False
config_opts['plugin_conf']['tmpfs_opts'] = {}
config_opts['clean'] = True
config_opts['macros']['defaults'] = """
%_topdir /builddir/build
%_rpmfilename %%{NAME}-%%{VERSION}-%%{DIST}.%%{RELEASE}.%%{ARCH}.rpm
%packager Jeff Goldschrafe
%vendor Cold Spring Harbor Laboratory
"""
-- END FILE: /etc/mock/defaults.cfg --

>> ---SNIP--
>>
>> /bin/sh ./libtool --tag=CC --mode=link gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -o ldclt-bin ldap/servers/slapd/tools/ldclt_bin-ldaptool-sasl.o ldap/servers/slapd/tools/ldclt/ldclt_bin-data.o ldap/servers/slapd/tools/ldclt/ldclt_bin-ldapfct.o ldap/servers/slapd/tools/ldclt/ldclt_bin-ldclt.o ldap/servers/slapd/tools/ldclt/ldclt_bin-ldcltU.o ldap/servers/slapd/tools/ldclt/ldclt_bin-parser.o ldap/servers/slapd/tools/ldclt/ldclt_bin-port.o ldap/servers/slapd/tools/ldclt/ldclt_bin-scalab01.o ldap/servers/slapd/tools/ldclt/ldclt_bin-threadMain.o ldap/servers/slapd/tools/ldclt/ldclt_bin-utils.o ldap/servers/slapd/tools/ldclt/ldclt_bin-version.o ldap/servers/slapd/tools/ldclt/ldclt_bin-workarounds.o -lplc4 -lplds4 -lnspr4 -lssl3 -lnss3 -lsoftokn3 -lssldap60 -lprldap60 -lldap60 -lldif60 -lsasl2
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:64: undefined reference to `snmp_log'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:62: undefined reference to `snmp_log'
>> ldap/servers/snmp/ldap_agent_bin-main.o: In function `main':
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:117: undefined reference to `netsnmp_ds_set_boolean'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:120: undefined reference to `netsnmp_register_loghandler'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:158: undefined reference to `snmp_enable_filelog'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:164: undefined reference to `snmp_log'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:167: undefined reference to `netsnmp_ds_set_boolean'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:170: undefined reference to `netsnmp_ds_set_string'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:174: undefined reference to `netsnmp_daemonize'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:189: undefined reference to `init_agent'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:191: undefined reference to `init_snmp'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:213: undefined reference to `snmp_log'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:217: undefined reference to `agent_check_and_process'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:221: undefined reference to `snmp_shutdown'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:222: undefined reference to `snmp_log'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:202: undefined reference to `snmp_log'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/main.c:206: undefined reference to `snmp_log'
>> ldap/servers/snmp/ldap_agent_bin-ldap-agent.o: In function `send_DirectoryServerStart_trap':
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:722: undefined reference to `snmp_log'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:731: undefined reference to `snmp_varlist_add_variable'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:736: undefined reference to `snmp_varlist_add_variable'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:741: undefined reference to `snmp_varlist_add_variable'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:746: undefined reference to `snmp_varlist_add_variable'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:754: undefined reference to `send_v2trap'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:755: undefined reference to `snmp_free_varbind'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:726: undefined reference to `snmp_log'
>> ldap/servers/snmp/ldap_agent_bin-ldap-agent.o: In function `send_DirectoryServerDown_trap':
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:657: undefined reference to `snmp_log'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:666: undefined reference to `snmp_varlist_add_variable'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:671: undefined reference to `snmp_varlist_add_variable'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:676: undefined reference to `snmp_varlist_add_variable'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:681: undefined reference to `snmp_varlist_add_variable'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:687: undefined reference to `snmp_varlist_add_variable'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:695: undefined reference to `send_v2trap'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:696: undefined reference to `snmp_free_varbind'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:661: undefined reference to `snmp_log'
>> ldap/servers/snmp/ldap_agent_bin-ldap-agent.o: In function `dsEntityTable_get_value':
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:628: undefined reference to `snmp_log'
>> /builddir/build/BUILD/fedora-ds-base-1.1.0/ldap/servers/snmp/ldap-agent.c:622: undefined reference to `snmp_set_var_typed_value'
>>
>> ---SNIP---
>>
>> ...and then about another page of the same stuff, which I've omitted
>> for brevity. I noticed that the command doesn't seem to include
>> -lsnmp, which I imagine it should be including.
>>
> Are you using make -j or some other parallel make? Because
> the compiler/linker errors you are getting are not from the
> compile/link command above, which is for ldclt.

You're right, it's running make -j2 and my build environment is dual-core.
Here's what I should have pasted instead: gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -o infadd-bin ldap/servers/slapd/tools/rsearch/infadd_bin-addthread.o ldap/servers/slapd/tools/rsearch/infadd_bin-infadd.o ldap/servers/slapd/tools/rsearch/infadd_bin-nametable.o -lplc4 -lplds4 -lnspr4 -lssl3 -lnss3 -lsoftokn3 -lssldap60 -lprldap60 -lldap60 -lldif60 -lsasl2 gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -o ldap-agent-bin ldap/servers/snmp/ldap_agent_bin-main.o ldap/servers/snmp/ldap_agent_bin-ldap-agent.o ldap/servers/slapd/ldap_agent_bin-agtmmap.o -lssldap60 -lprldap60 -lldap60 -lldif60 -lssl3 -lnss3 -lsoftokn3 -lplc4 -lplds4 -lnspr4 > > Is mock an unsupported build environment for FDS? > I've used mock to build FDS for f6, f7, f8. > > If not, any idea how to > > get this building? > > > > Thanks a lot! > > > > Jeff Goldschrafe > > Systems Engineer > > Cold Spring Harbor Laboratory > > 1 Bungtown Road > > Cold Spring Harbor, NY 11724 > > (516) 367-6966 > > http://cshl.edu From rmeggins at redhat.com Mon Mar 3 16:25:46 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 03 Mar 2008 09:25:46 -0700 Subject: [Fedora-directory-users] 1.1.0 net-snmp build issues in mock In-Reply-To: <77B2B6579FFE3A479CD609D3E80E20B272B9EF@mailbox09.cshl.edu> References: <000e01c87ccc$745577b0$9401a8c0@jeffwindows> <47CC1A02.7050003@redhat.com> <77B2B6579FFE3A479CD609D3E80E20B272B9EF@mailbox09.cshl.edu> Message-ID: <47CC268A.4000402@redhat.com> Goldschrafe, Jeffrey wrote: >>> Hey there, >>> >>> I'm trying to build Fedora DS 1.1.0 on my buildsystem, >>> >> which is mock >> >>> 0.8.19 on a rather minimal Fedora 8 x86_64 system. 
>>> >> Regardless of the >> >>> distro I try to build for in mock (I've tried CentOS 5, >>> >> Fedora 8 and >> >>> Fedora Core 6), I hit the following set of build errors: >>> >>> >> Can you post your exact mock command line? >> > > Sure! > > rpmbuild -bs --nodeps /usr/src/redhat/SPECS/fedora-ds-base.spec > mock rebuild -r fedora-8-i386 > /usr/src/redhat/SRPMS/fedora-ds-base-1.1.0-1.2.src.rpm > I know 1.1.0-1.2 built in mock, but I suggest using the latest which is 1.1.0-3. This is the version that is currently in f7, f8, and f9. Also check your mock root log to see if it found the snmp dependencies and installed them correctly. > And here's the relevant mock config: > > -- FILE: /etc/mock/fedora-8-i386.cfg -- > #!/usr/bin/python -tt > > import os > config_opts['root'] = 'fedora-8-i386' > config_opts['target_arch'] = 'i386' > > config_opts['yum.conf'] = """ > [main] > cachedir=/var/cache/yum > debuglevel=1 > reposdir=/dev/null > logfile=/var/log/yum.log > retries=20 > obsoletes=1 > gpgcheck=0 > assumeyes=1 > > # repos > > [core] > name=Fedora 8 > baseurl=http://my-fedora-mirror/releases/8/Everything/i386/os/ > > [updates] > name=updates > baseurl=http://my-fedora-mirror/updates/8/i386/ > > [groups] > name=groups > baseurl=http://buildsys.fedoraproject.org/buildgroups/development/i386/ > > [cshl] > name=cshl > baseurl=http://my-repo-host/8/i386/ > > [local] > name=local > baseurl=http://koji.fedoraproject.org/static-repos/dist-f8-build-current > /i386/ > exclude=*debuginfo* > enabled=0 > """ > > config_opts['macros']['local'] = """ > %fc8 1 > """ > -- END FILE: /etc/mock/fedora-8-i386.cfg -- > > -- FILE: /etc/mock/defaults.cfg -- > config_opts['basedir'] = '/var/lib/mock/' > config_opts['cache_topdir'] = '/var/lib/mock/cache' > config_opts['rpmbuild_timeout'] = 10000000 > config_opts['use_host_resolv'] = True > config_opts['build_log_fmt_name'] = "unadorned" > config_opts['root_log_fmt_name'] = "detailed" > config_opts['state_log_fmt_name'] = "state" > 
> config_opts['internal_dev_setup'] = True
> config_opts['internal_setarch'] = False
> config_opts['cleanup_on_success'] = 0
> config_opts['cleanup_on_failure'] = 0
> config_opts['plugin_conf']['tmpfs_enable'] = False
> config_opts['plugin_conf']['tmpfs_opts'] = {}
> config_opts['clean'] = True
> config_opts['macros']['defaults'] = """
> %_topdir /builddir/build
> %_rpmfilename %%{NAME}-%%{VERSION}-%%{DIST}.%%{RELEASE}.%%{ARCH}.rpm
> %packager Jeff Goldschrafe
> %vendor Cold Spring Harbor Laboratory
> """
> -- END FILE: /etc/mock/fedora-8-i386.cfg --
>
>>> ---SNIP--
>>>
>>> /bin/sh ./libtool --tag=CC --mode=link gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -o ldclt-bin ldap/servers/slapd/tools/ldclt_bin-ldaptool-sasl.o ldap/servers/slapd/tools/ldclt/ldclt_bin-data.o ldap/servers/slapd/tools/ldclt/ldclt_bin-ldapfct.o ldap/servers/slapd/tools/ldclt/ldclt_bin-ldclt.o ldap/servers/slapd/tools/ldclt/ldclt_bin-ldcltU.o ldap/servers/slapd/tools/ldclt/ldclt_bin-parser.o ldap/servers/slapd/tools/ldclt/ldclt_bin-port.o ldap/servers/slapd/tools/ldclt/ldclt_bin-scalab01.o ldap/servers/slapd/tools/ldclt/ldclt_bin-threadMain.o ldap/servers/slapd/tools/ldclt/ldclt_bin-utils.o ldap/servers/slapd/tools/ldclt/ldclt_bin-version.o ldap/servers/slapd/tools/ldclt/ldclt_bin-workarounds.o -lplc4 -lplds4 -lnspr4 -lssl3 -lnss3 -lsoftokn3 -lssldap60 -lprldap60 -lldap60 -lldif60 -lsasl2
>>> [...]
>>> ---SNIP---
>>>
>>> ...and then about another page of the same stuff, which I've omitted
>>> for brevity. I noticed that the command doesn't seem to include
>>> -lsnmp, which I imagine it should be including.
>>>
>> Are you using make -j or some other parallel make? Because the
>> compiler/linker errors you are getting are not from the compile/link
>> command above, which is for ldclt.
>>
> You're right, it's running make -j2 and my build environment is
> dual-core.
> Here's what I should have pasted instead:
>
> [...]
>
>>> Is mock an unsupported build environment for FDS?
>>>
>> I've used mock to build FDS for f6, f7, f8.
>>
>>> If not, any idea how to get this building?
>>>
>>> Thanks a lot!
>>>
>>> Jeff Goldschrafe
>>> Systems Engineer
>>> Cold Spring Harbor Laboratory
>>> 1 Bungtown Road
>>> Cold Spring Harbor, NY 11724
>>> (516) 367-6966
>>> http://cshl.edu
From rmeggins at redhat.com Mon Mar 3 16:36:40 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 03 Mar 2008 09:36:40 -0700
Subject: [Fedora-directory-users] installing samba
In-Reply-To: <200803031151.23539.maumar@cost.it>
References: <200803011907.42496.maumar@cost.it> <7020fd000803011143k24467637i45b639f3d7ed772f@mail.gmail.com> <200803031151.23539.maumar@cost.it>
Message-ID: <47CC2918.9070004@redhat.com>

Maurizio Marini wrote:
> On Sat March 1 2008, solarflow99 wrote:
>
>> sure, I think it's worth correcting. I was just going through it too, too
>> bad they do everything with ldif files and command line tools, I wanted to
>> see how to do it from the console.
>>
> no, my post is related to wiki:
> http://directory.fedoraproject.org/wiki/Howto:Samba
> i think that it would be worthwhile to fix it to take into account the 1.1
> changes
>
Done. Thanks.
> not more not less ;)
> Maurizio

From stpierre at NebrWesleyan.edu Mon Mar 3 17:12:45 2008
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Mon, 3 Mar 2008 11:12:45 -0600 (CST)
Subject: [Fedora-directory-users] Request For Comment: fedora-ds-utils project
Message-ID:

My quest to find a copy of mmr.pl last week led me to ask on IRC:

[08:51] stpierre has anyone tried pulling together a collection of some of the scripts that support fds -- mmr.pl, ol-schema-migrate.pl, setupssl2.sh, etc. -- and packaging them as, say, fedora-ds-utils?

The answer was "no," so I've decided to take this project on.
In order to make the fedora-ds-utils package as valuable as possible (and to aid my eventual request for inclusion in Fedora), I'll be enforcing some fairly strict standards for the scripts included in the package. Please read and comment on the standards listed below; once a reasonable comment period has passed (probably a week or two), I'll start redacting the various scripts to conform to the standards and, finally, release the package.

Additionally, please nominate any scripts you feel should be included in the package. In addition to mmr.pl, ol-schema-migrate.pl, and setupssl2.sh, I will be including a tool for working with indexes that I wrote but never released.

STANDARDS:

Programs aiming for inclusion in fedora-ds-utils must meet the following standards:

1. The program must implement the following flags, where appropriate:

   -b searchbase    Search in or operate on specified base
   -D binddn        Bind DN
   -h host          LDAP server
   -H URI           LDAP Uniform Resource Identifier(s)
   -n instancename  Fedora DS instance
   -p port          Port on LDAP server
   -s scope         Search scope
   --restart        Restart Fedora DS without prompting
   -v               Run in verbose mode (diagnostics to standard output)
   -w passwd        Bind password (for simple authentication)
   -W               Prompt for bind password
   -y file          Read password from file
   -Z               Start TLS
   -ZZ              Start TLS and require successful TLS response

   If the program does not need a given input, it doesn't need to implement the corresponding flag. For instance, if the program does not connect to an LDAP server, it obviously doesn't need to implement the -h/-H flags.
   Defaults for the -b, -D, -h/-H, and -p flags should be determined first by looking in /etc/openldap/ldap.conf for the following attributes:

   -b: BASE
   -D: BINDDN
   -h: HOST
   -H: URI
   -p: PORT

   If those attributes are not set, then those options should default as follows:

   -b: no default
   -D: cn=directory manager
   -h: localhost
   -H: ldap://localhost
   -p: 389

   Additionally, the -n flag should default to 'slapd-<hostname>', where '<hostname>' is the short hostname of the box as returned by `hostname -s`.

   If the program requires two or more of any item -- for instance, ds-mmrtool connects to two Fedora DS servers to negotiate multimaster agreements -- then it may ask for those items in any reasonably intuitive manner, and needn't have defaults as specified above.

2. The program must include 'ds' as the first element in the name; for instance:

   - ds-mmrtool
   - ds-schema-migrate
   - ds-setup-ssl

3. The name of the program must not include a suffix denoting the language the program is written in (.sh, .pl, .py, etc.)

4. The program must ONLY produce output a) on errors; or b) with the -v flag. In the event of successful operation, no output should be produced at all.

5. The program must be capable of running completely unattended.

6. The program must not restart Fedora DS unbidden. If the program must restart Fedora DS, it may either a) prompt the user running the program; or b) provide a --restart command-line flag.

7. All dependencies of the program must be available as RPMs in the current release of Fedora Linux.

8. In order to minimize dependencies, the program must be written in one of the following languages:

   - Perl <= 5.8
   - Python <= 2.4
   - POSIX-compliant Bourne Shell
   - C/C++ or any other common compiled language

9. Programs that have some value but do not yet conform to the standards may be included in the contrib/ directory of the fedora-ds-utils package.

Thanks for your input!

Chris St.
Pierre
Unix Systems Administrator
Nebraska Wesleyan University

From aleksander.adamowski at altkom.pl Mon Mar 3 17:12:57 2008
From: aleksander.adamowski at altkom.pl (Aleksander Adamowski)
Date: Mon, 03 Mar 2008 18:12:57 +0100
Subject: [Fedora-directory-users] "Numeric String" attribute syntax not supported by FDS 1.1?
Message-ID: <47CC3199.5030401@altkom.pl>

Hi!

I've installed Fedora DS 1.1 for x86_64 and am currently extending my schema. I got some schema ldif files converted from OpenLDAP format.

I've placed the converted schema LDIFs in /etc/dirsrv/my_instance_name/schema/, and restarted the dirsrv service.

The problem is that FDS rejects a quite common attribute syntax:

[03/Mar/2008:17:47:54 +0100] dse - The entry cn=schema in file /etc/dirsrv/my_instance_name/schema/75phpgwcontact.ldif is invalid, error code 21 (Invalid syntax) - attribute type phpgwContactOwner: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.36"
[03/Mar/2008:17:47:54 +0100] dse - Please edit the file to correct the reported problems and then restart the server.

This is very strange, considering that 1.3.6.1.4.1.1466.115.121.1.36 (Numeric String) is a quite common attribute syntax and it's present in Netscape's own RFC 2252, section 6.23:
http://www.faqs.org/rfcs/rfc2252.html

==============================
6.23. Numeric String

( 1.3.6.1.4.1.1466.115.121.1.36 DESC 'Numeric String' )

The encoding of a string in this syntax is the string value itself.
Example:

1997
==============================

Surely it can't be that Netscape/Fedora Directory Server doesn't support it?

--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575
http://olo.org.pl

--
Aleksander Adamowski
Corporate Systems Administrator; Instructor
Altkom Akademia S.A. http://www.altkom.pl
Warszawa, ul. Chłodna 51, mobile +48 601-318-080
District Court for the Capital City of Warsaw in Warsaw, XII Commercial Division of the National Court Register, KRS: 0000120139, NIP 118-00-08-391, Share capital: 1000 000 PLN.
Registered address of the company: ul. Stawki 2, 00-193 Warszawa.

This message contains proprietary information and trade secrets of Altkom Akademia S.A. company. Unauthorized use or disclosure of this information to any third party is prohibited. If you received this message by mistake, please contact the sender immediately and delete all copies of this message.

From maxim at alamaison.fr Mon Mar 3 17:16:51 2008
From: maxim at alamaison.fr (Maxim Doucet)
Date: Mon, 03 Mar 2008 18:16:51 +0100
Subject: [Fedora-directory-users] Fedora DS Graph 1.0.0 released
In-Reply-To:
References:
Message-ID: <47CC3283.3000005@alamaison.fr>

Chris St. Pierre wrote:
> Fedora DS Graph is a graphing utility for graphing connections to and
> operations on a Fedora Directory Server instance.

I'd like to discover your program but can't find any screen-shots on your website. Is there any place where I can find some visuals?

--
Maxim Doucet - www.alamaison.fr
sys admin @ la maison

From aleksander.adamowski.fedora at altkom.pl Mon Mar 3 17:22:09 2008
From: aleksander.adamowski.fedora at altkom.pl (Aleksander Adamowski)
Date: Mon, 03 Mar 2008 18:22:09 +0100
Subject: [Fedora-directory-users] "Numeric String" attribute syntax not supported by FDS 1.1?
In-Reply-To: <47CC328D.2080409@altkom.pl>
References: <47CC328D.2080409@altkom.pl>
Message-ID: <47CC33C1.3040305@altkom.pl>

Aleksander Adamowski wrote:
> [03/Mar/2008:17:47:54 +0100] dse - The entry cn=schema in file
> /etc/dirsrv/my_instance_name/schema/75phpgwcontact.ldif is invalid,
> error code 21 (Invalid syntax) - attribute type phpgwContactOwner:
> Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.36"

BTW, here's the problematic schema LDIF fragment:

attributeTypes: ( 1.3.6.1.4.1.9554.103 NAME 'phpgwContactOwner' EQUALITY numericStringMatch SUBSTR numericStringSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} SINGLE-VALUE )

P.S. sorry for posting the same message three times, my sender configuration was acting funny... I just subscribed to this list.

--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575
http://olo.org.pl
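Added example, tying the two threads together; it is my own code, not anything from Fedora DS, from the fedora-ds-utils package or from anyone on the list. It is a small tool laid out to Chris St. Pierre's standards above (ds- prefix, no language suffix, silent on success, -v for diagnostics, -n defaulting to slapd-<hostname -s>, connection defaults resolved from /etc/openldap/ldap.conf) that finds attributeTypes using the Numeric String syntax Aleksander's schema fragment uses and rewrites them to the case-insensitive Directory String syntax that Rich Megginson suggests later in the thread. The Directory String OID and caseIgnore* matching rules come from RFC 2252; the tool name, the --check flag and the schema-directory layout /etc/dirsrv/<instance>/schema are my assumptions.

```python
"""ds-schema-syntax: rewrite attributeTypes that use the Numeric String
syntax (rejected by FDS 1.1 with "Unknown attribute syntax OID") to the
case-insensitive Directory String syntax.
Laid out to the fedora-ds-utils standards: 'ds' prefix, no language suffix,
silent on success, -v for diagnostics, -n defaulting to slapd-<hostname -s>.
Added example; not code from Fedora DS or the fedora-ds-utils package."""
import argparse
import glob
import re
import socket
import sys

NUMERIC_STRING = "1.3.6.1.4.1.1466.115.121.1.36"    # RFC 2252 section 6.23
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"  # RFC 2252 section 6.10
# numericString* rules are defined for Numeric String; Directory String uses
# the caseIgnore* family, so EQUALITY/SUBSTR/ORDERING are swapped with it.
RULE_MAP = {"numericStringMatch": "caseIgnoreMatch",
            "numericStringSubstringsMatch": "caseIgnoreSubstringsMatch",
            "numericStringOrderingMatch": "caseIgnoreOrderingMatch"}
# Standard 1: ldap.conf keyword consulted for each flag, then the fallback.
LDAP_CONF_KEYS = {"-b": "BASE", "-D": "BINDDN", "-h": "HOST",
                  "-H": "URI", "-p": "PORT"}
FALLBACKS = {"-b": None, "-D": "cn=directory manager", "-h": "localhost",
             "-H": "ldap://localhost", "-p": "389"}
SYNTAX_RE = re.compile(r"SYNTAX\s+" + re.escape(NUMERIC_STRING) + r"(\{\d+\})?")


def parse_ldap_conf(text):
    """{KEYWORD: value} from ldap.conf text: '#' starts a comment, keywords
    are case-insensitive, the first token is the keyword, the rest the value."""
    found = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2:
            found[parts[0].upper()] = parts[1].strip()
    return found


def flag_defaults(ldap_conf_text, short_hostname=None):
    """Resolve the defaults the standards prescribe for -b/-D/-h/-H/-p/-n."""
    conf = parse_ldap_conf(ldap_conf_text)
    defaults = {f: conf.get(k, FALLBACKS[f]) for f, k in LDAP_CONF_KEYS.items()}
    if short_hostname is None:  # same value `hostname -s` prints
        short_hostname = socket.gethostname().split(".", 1)[0]
    defaults["-n"] = "slapd-" + short_hostname
    return defaults


def rewrite_numeric_string(ldif_text):
    """Return (rewritten LDIF text, names of the attribute types changed).
    LDIF continuation lines (newline + one space) are unfolded first so that
    every attributeTypes definition is handled as a single line."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    out, changed = [], []
    for line in unfolded.splitlines():
        if line.lower().startswith("attributetypes:") and SYNTAX_RE.search(line):
            line = SYNTAX_RE.sub(
                lambda m: "SYNTAX " + DIRECTORY_STRING + (m.group(1) or ""), line)
            for old, new in RULE_MAP.items():
                line = re.sub(r"\b%s\b" % old, new, line)
            name = re.search(r"NAME\s+'([^']+)'", line)
            changed.append(name.group(1) if name else "<unnamed>")
        out.append(line)
    return "\n".join(out) + ("\n" if unfolded.endswith("\n") else ""), changed


def main(argv=None):
    ap = argparse.ArgumentParser(prog="ds-schema-syntax")
    ap.add_argument("-n", metavar="instancename", help="Fedora DS instance")
    ap.add_argument("-v", action="store_true", help="diagnostics on stdout")
    ap.add_argument("--check", action="store_true",
                    help="report only; exit 1 if any file would change")
    ap.add_argument("files", nargs="*", help="schema LDIF files (default: "
                    "every *.ldif under the instance's schema directory)")
    args = ap.parse_args(argv)
    try:
        with open("/etc/openldap/ldap.conf") as fh:
            instance = args.n or flag_defaults(fh.read())["-n"]
    except OSError:  # no ldap.conf: fall back to the built-in defaults
        instance = args.n or flag_defaults("")["-n"]
    files = args.files or sorted(glob.glob("/etc/dirsrv/%s/schema/*.ldif" % instance))
    pending = 0
    for path in files:
        with open(path) as fh:
            new_text, changed = rewrite_numeric_string(fh.read())
        if not changed:
            continue
        pending += 1
        if not args.check:
            with open(path, "w") as fh:
                fh.write(new_text)
        if args.v:  # standard 4: output only on errors or with -v
            print("%s: %s %s" % (path, "would rewrite" if args.check else "rewrote",
                                 ", ".join(changed)))
    return 1 if args.check and pending else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run with --check first to see which files would change, then without it to rewrite them in place before restarting dirsrv.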
From bagyi at mail.fmkorhaz.hu Mon Mar 3 17:26:05 2008
From: bagyi at mail.fmkorhaz.hu (Tamas Bagyal)
Date: Mon, 03 Mar 2008 18:26:05 +0100
Subject: [Fedora-directory-users] notes on building fds in etch and a failed build question
In-Reply-To: <200802261624.06814.Ryan.Braun@ec.gc.ca>
References: <200802192232.02999.Ryan.Braun@ec.gc.ca> <200802251508.50693.Ryan.Braun@ec.gc.ca> <47C325E9.4010600@redhat.com> <200802261624.06814.Ryan.Braun@ec.gc.ca>
Message-ID: <47CC34AD.6000409@mail.fmkorhaz.hu>

hello Ryan,

you tried this version? i have two fedora-ds 1.0.4 in mmr configuration. i migrate one of those to 1.1 (built by your and Rich's instructions). but i have a problem with memory usage of ns-slapd process. initially mem usage is 18.5% but after 2 hours this changed to 23.1% and grew until killed by kernel. (i think...)

mostly read transactions happen (dns) with a few write (cups). this is a debian etch, mem size is 512 mbyte (i know this is too low, but this is a test environment). cache size of slapd is 67108864.

can you give any help?

thanks,

KeeF

Ryan Braun wrote:
>>> A couple little bugs crept up during the build. I think it was during
>>> the make install of ldapserver. One of the binaries (the first one I
>>> guess) was copied to /opt/dirsrv/bin (the bin being a file not a
>>> directory) so the /opt/dirsrv/bin directory isn't getting created. Quick
>>> fix was just renaming /opt/dirsrv/bin to /opt/dirsrv/bin.something and
>>> rerunning make. Executing /opt/dirsrv/bin.something looks like the binary
>>> might be ldappasswd?
>> Probably a bug in ds/mozldap/Makefile in the install section.
>
> I had a peek in there, it looks ok, but I'll add a mkdir -p /opt/dirsrv/bin
> before the copy loop and see if that works next time I build.
>>> Second, there seems to be a missing library.
>>>
>>> Starting admin server . . .
>>> output: ERROR: ld.so: object '/opt/dirsrv/lib/libssl3.so' from LD_PRELOAD
>>> cannot be preloaded: ignored.
>>> output: apache2: Syntax error on line 123
>>> of /opt/dirsrv/etc/dirsrv/admin-serv/httpd.conf: module log_config_module
>>> is built-in and can't be loaded
>>> Could not start the admin server. Error: 256
>>> Failed to create and configure the admin server
>>> Exiting . . .
>>>
>>> I assumed the libssl3.so was supposed to be provided by building nss from
>>> source. So I just symlinked the system's libssl3.so provided by
>>> libnss3-0d back to /opt/dirsrv/lib/.
>> Ok. Or just edit the start-ds-admin script. Looks like a bug - it
>> should use the correct path to libssl3.so. But then the NSS devel
>> support in etch is not quite there.
>
> Gotcha
>
>>> Which leads me to my next question. The java components, are they only
>>> required for running the console on your client machines? So building
>>> with NOJAVA=1 will provide a fully working adminserver and ldapserver,
>>> just no console binaries?
>> Mostly correct. The only thing is that the way the console works, it
>> downloads the ds and ds-admin jar files from the admin server. However,
>> if you build them on the client machine and install them into
>> $HOME/.fedora-idm-console/jars then the console will just use the local
>> ones.
>
> Ok, well I tried installing the windows console on one of the windows boxes
> around here (easier than downloading fc isos :) ), fired up the console and
> am able to connect and it looks like it wants to work, then it reports back
> that it can't find the jars. So that being said, is there an easy way to
> use FC jars, or do I need to build them for debian? (I have started trying
> to build jss but am having some issues)
>
>>> To be honest, I haven't really looked into the different post install
>>> process' with 1.1.0 since 1.0.4 so the reason I could have missing
>>> entries in the console could very well be my own fault :)
>>>
>>> Also, if I want to fine tune the location of some of directories during
>>> build.
>>> is it safe to modify the CONFIGURE_ARGS variable in the
>>> adminserver and ldapserver's Makefile? I want to put
>>> /opt/dirsrv/etc/dirsrv into /etc/dirsrv as well as /opt/dirsrv/var into
>>> /var?
>> Yes, for those components whose configure respect --sysconfdir and
>> --localstatedir - which means not the mozilla components (mozldap, etc.)
>> but everything else should work just fine. You'll also have to tweak
>> the --prefix argument which is set by default.
>
> I'll play around with some options. I've started a wiki page for the debian
> build. I don't have it linked onto the main page, but you can check it out
> in recent changes.
>
> Ryan

From rmeggins at redhat.com Mon Mar 3 17:37:45 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 03 Mar 2008 10:37:45 -0700
Subject: [Fedora-directory-users] "Numeric String" attribute syntax not supported by FDS 1.1?
In-Reply-To: <47CC328D.2080409@altkom.pl>
References: <47CC328D.2080409@altkom.pl>
Message-ID: <47CC3769.9010306@redhat.com>

Aleksander Adamowski wrote:
> Hi!
>
> I've installed Fedora DS 1.1 for x86_64 and am currently extending my
> schema. I got some schema ldif files converted from OpenLDAP format.
>
> I've placed the converted schema LDIFs in
> /etc/dirsrv/my_instance_name/schema/, and restarted the dirsrv service.
>
> The problem is that FDS rejects a quite common attribute syntax:
>
> [03/Mar/2008:17:47:54 +0100] dse - The entry cn=schema in file
> /etc/dirsrv/my_instance_name/schema/75phpgwcontact.ldif is invalid,
> error code 21 (Invalid syntax) - attribute type phpgwContactOwner:
> Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.36"
> [03/Mar/2008:17:47:54 +0100] dse - Please edit the file to correct the
> reported problems and then restart the server.
>
> This is very strange, considering that 1.3.6.1.4.1.1466.115.121.1.36
> (Numeric String) is a quite common attribute syntax and it's present in
> Netscape's own RFC 2252, section 6.23:

It's not really Netscape's own RFC although some of the authors were Netscape employees.

> http://www.faqs.org/rfcs/rfc2252.html
>
> ==============================
> 6.23. Numeric String
>
> ( 1.3.6.1.4.1.1466.115.121.1.36 DESC 'Numeric String' )
>
> The encoding of a string in this syntax is the string value itself.
> Example:
>
> 1997
> ==============================
>
> Surely it can't be that Netscape/Fedora Directory Server doesn't
> support it?
>
It can be and it is. Fedora DS does not support Numeric String. Please file a bug requesting the addition of this feature. In the meantime, just use a case insensitive string syntax.

From rmeggins at redhat.com Mon Mar 3 17:39:31 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 03 Mar 2008 10:39:31 -0700
Subject: [Fedora-directory-users] notes on building fds in etch and a failed build question
In-Reply-To: <47CC34AD.6000409@mail.fmkorhaz.hu>
References: <200802192232.02999.Ryan.Braun@ec.gc.ca> <200802251508.50693.Ryan.Braun@ec.gc.ca> <47C325E9.4010600@redhat.com> <200802261624.06814.Ryan.Braun@ec.gc.ca> <47CC34AD.6000409@mail.fmkorhaz.hu>
Message-ID: <47CC37D3.70500@redhat.com>

Tamas Bagyal wrote:
> hello Ryan,
>
> you tried this version? i have two fedora-ds 1.0.4 in mmr
> configuration. i migrate one of those to 1.1 (built by your and
> Rich's instructions). but i have a problem with memory usage of
> ns-slapd process. initially mem usage is 18.5% but after 2 hours this
> changed to 23.1% and grew until killed by kernel. (i think...)
>
> mostly read transactions happen (dns) with a few write (cups).
> This is a debian etch, mem size is 512 MB (I know this is too low,
> but this is a test environment). Cache size of slapd is 67108864.
Are you using SSL? Anything interesting in your server error log?
>
> can you give any help?
>
> thanks,
>
> KeeF
>
> Ryan Braun wrote:
>>>> A couple little bugs crept up during the build. I think it was
>>>> during the make install of ldapserver. One of the binaries (the first one I
>>>> guess) was copied to /opt/dirsrv/bin (the bin being a file not a
>>>> directory) so the /opt/dirsrv/bin directory isn't getting created.
>>>> Quick fix was just renaming /opt/dirsrv/bin to /opt/dirsrv/bin.something and
>>>> rerunning make. Executing /opt/dirsrv/bin.something looks like the
>>>> binary might be ldappasswd?
>>> Probably a bug in ds/mozldap/Makefile in the install section.
>>
>> I had a peek in there, it looks ok, but I'll add a mkdir -p
>> /opt/dirsrv/bin before the copy loop and see if that works next time
>> I build.
>>>> Second, there seems to be a missing library.
>>>>
>>>> Starting admin server . . .
>>>> output: ERROR: ld.so: object '/opt/dirsrv/lib/libssl3.so' from LD_PRELOAD
>>>> cannot be preloaded: ignored.
>>>> output: apache2: Syntax error on line 123
>>>> of /opt/dirsrv/etc/dirsrv/admin-serv/httpd.conf: module log_config_module
>>>> is built-in and can't be loaded
>>>> Could not start the admin server. Error: 256
>>>> Failed to create and configure the admin server
>>>> Exiting . . .
>>>>
>>>> I assumed the libssl3.so was supposed to be provided by building
>>>> nss from source. So I just symlinked the system's libssl3.so provided by
>>>> libnss3-0d back to /opt/dirsrv/lib/.
>>> Ok. Or just edit the start-ds-admin script. Looks like a bug - it
>>> should use the correct path to libssl3.so. But then the NSS devel
>>> support in etch is not quite there.
>>
>> Gotcha
>>
>>>> Which leads me to my next question. The java components, are they only
>>>> required for running the console on your client machines? So building
>>>> with NOJAVA=1 will provide a fully working adminserver and
>>>> ldapserver, just no console binaries?
>>> Mostly correct. The only thing is that the way the console works, it
>>> downloads the ds and ds-admin jar files from the admin server. However,
>>> if you build them on the client machine and install them into
>>> $HOME/.fedora-idm-console/jars then the console will just use the local
>>> ones.
>>
>> Ok, well I tried installing the windows console on one of the
>> windows boxes around here (easier than downloading fc isos :) ),
>> fired up the console and am able to connect and it looks like it
>> wants to work, then it reports back that it can't find the jars. So
>> that being said, is there an easy way to use FC jars, or do I need
>> to build them for debian? (I have started trying to build jss but am
>> having some issues)
>>
>>>> To be honest, I haven't really looked into the different post install
>>>> processes with 1.1.0 since 1.0.4 so the reason I could have missing
>>>> entries in the console could very well be my own fault :)
>>>>
>>>> Also, if I want to fine tune the location of some of the directories
>>>> during build, is it safe to modify the CONFIGURE_ARGS variable in the
>>>> adminserver and ldapserver's Makefile? I want to put
>>>> /opt/dirsrv/etc/dirsrv into /etc/dirsrv as well as /opt/dirsrv/var into
>>>> /var?
>>> Yes, for those components whose configure respects --sysconfdir and
>>> --localstatedir - which means not the mozilla components (mozldap, etc.)
>>> but everything else should work just fine. You'll also have to tweak
>>> the --prefix argument which is set by default.
>>
>> I'll play around with some options. I've started a wiki page for the
>> debian build. I don't have it linked onto the main page, but you
>> can check it out in recent changes.
>>
>> Ryan

From stpierre at NebrWesleyan.edu Mon Mar 3 17:39:48 2008
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Mon, 3 Mar 2008 11:39:48 -0600 (CST)
Subject: [Fedora-directory-users] Fedora DS Graph 1.0.0 released
In-Reply-To: <47CC3283.3000005@alamaison.fr>
References: <47CC3283.3000005@alamaison.fr>
Message-ID:

On Mon, 3 Mar 2008, Maxim Doucet wrote:
> Chris St. Pierre wrote:
>> Fedora DS Graph is a graphing utility for graphing connections to and
>> operations on a Fedora Directory Server instance.
> I'd like to discover your program but can't find any screen-shots on your
> website. Is there any place where I can find some visuals?

Your wish is my command. :)

http://www.stpierreconsulting.com/node/18

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

From maxim at alamaison.fr Mon Mar 3 17:42:23 2008
From: maxim at alamaison.fr (Maxim Doucet)
Date: Mon, 03 Mar 2008 18:42:23 +0100
Subject: [Fedora-directory-users] Fedora DS Graph 1.0.0 released
In-Reply-To:
References: <47CC3283.3000005@alamaison.fr>
Message-ID: <47CC387F.2060701@alamaison.fr>

Chris St. Pierre wrote:
> On Mon, 3 Mar 2008, Maxim Doucet wrote:
>> I'd like to discover your program but can't find any screen-shots on
>> your website. Is there any place where I can find some visuals?
> Your wish is my command. :)
>
> http://www.stpierreconsulting.com/node/18

Great, thanks!
--
Maxim Doucet - www.alamaison.fr
sys admin @ la maison

From bagyi at mail.fmkorhaz.hu Mon Mar 3 18:47:31 2008
From: bagyi at mail.fmkorhaz.hu (Tamas Bagyal)
Date: Mon, 03 Mar 2008 19:47:31 +0100
Subject: [Fedora-directory-users] notes on building fds in etch and a failed build question
In-Reply-To: <47CC37D3.70500@redhat.com>
References: <200802192232.02999.Ryan.Braun@ec.gc.ca> <200802251508.50693.Ryan.Braun@ec.gc.ca> <47C325E9.4010600@redhat.com> <200802261624.06814.Ryan.Braun@ec.gc.ca> <47CC34AD.6000409@mail.fmkorhaz.hu> <47CC37D3.70500@redhat.com>
Message-ID: <47CC47C3.5030207@mail.fmkorhaz.hu>

Rich Megginson wrote:
> Tamas Bagyal wrote:
>> hello Ryan,
>>
>> Did you try this version? I have two fedora-ds 1.0.4 in mmr
>> configuration. I migrated one of those to 1.1 (built by your and
>> Rich's instructions), but I have a problem with memory usage of the
>> ns-slapd process. Initially mem usage is 18.5% but after 2 hours this
>> changed to 23.1% and grew until killed by the kernel (I think...).
>>
>> Mostly read transactions happen (dns) with a few writes (cups).
>> This is a debian etch, mem size is 512 MB (I know this is too low,
>> but this is a test environment). Cache size of slapd is 67108864.
> Are you using SSL? Anything interesting in your server error log?

I ran setupssl2.sh but do not use any SSL connection. The error log
shows nothing, only the server start.

>>
>> can you give any help?
>>
>> thanks,
>>
>> KeeF
>>
>> Ryan Braun wrote:
>> [...]

From Ryan.Braun at ec.gc.ca Mon Mar 3 19:53:48 2008
From: Ryan.Braun at ec.gc.ca (Ryan Braun)
Date: Mon, 3 Mar 2008 19:53:48 +0000
Subject: [Fedora-directory-users] fds load testing and bench marking suite?
Message-ID: <200803031953.48857.Ryan.Braun@ec.gc.ca>

Anyone out there have a set of scripts they use for load testing/benchmarking
fds? Or any ldap server in general. Something with fake data and *nix
friendly would be nice :)

Ryan

From anguyen at redhat.com Mon Mar 3 20:10:36 2008
From: anguyen at redhat.com (Anh Nguyen)
Date: Mon, 03 Mar 2008 12:10:36 -0800
Subject: [Fedora-directory-users] fds load testing and bench marking suite?
In-Reply-To: <200803031953.48857.Ryan.Braun@ec.gc.ca>
References: <200803031953.48857.Ryan.Braun@ec.gc.ca>
Message-ID: <47CC5B3C.9010900@redhat.com>

Ryan Braun wrote:
> Anyone out there have a set of scripts they use for load testing/benchmarking
> fds? Or any ldap server in general. Something with fake data and *nix
> friendly would be nice :)
>
> Ryan
>
Have you tried SLAMD?

http://www.slamd.com/

Anh-

From Ryan.Braun at ec.gc.ca Mon Mar 3 20:06:15 2008
From: Ryan.Braun at ec.gc.ca (Ryan Braun)
Date: Mon, 3 Mar 2008 20:06:15 +0000
Subject: [Fedora-directory-users] notes on building fds in etch and a failed build question
In-Reply-To: <47CC34AD.6000409@mail.fmkorhaz.hu>
References: <200802192232.02999.Ryan.Braun@ec.gc.ca> <200802261624.06814.Ryan.Braun@ec.gc.ca> <47CC34AD.6000409@mail.fmkorhaz.hu>
Message-ID: <200803032006.15874.Ryan.Braun@ec.gc.ca>

On Monday 03 March 2008 5:26 pm, Tamas Bagyal wrote:

To be honest, I haven't done much operationally with the packages after
building them. The extent of my testing was pretty much install, fire up
admin and slap services and connect with the console and create a couple
entries. But now that you mention it, I was wondering about ldap
benchmarking suites and will pop a note off to the list to see what
everyone uses.

I'm still running 1.0.4 derived from an alien'd rpm on our boxes currently.
I still have some packaging work to do on my 1.1.0 binaries before I move
our packages to our stable repo.

Ryan

> hello Ryan,
>
> Did you try this version? I have two fedora-ds 1.0.4 in mmr configuration. I
> migrated one of those to 1.1 (built by your and Rich's instructions), but
> I have a problem with memory usage of the ns-slapd process. Initially mem usage
> is 18.5% but after 2 hours this changed to 23.1% and grew until killed by the
> kernel (I think...).
>
> Mostly read transactions happen (dns) with a few writes (cups).
> This is a debian etch, mem size is 512 MB (I know this is too low, but
> this is a test environment). Cache size of slapd is 67108864.
>
> can you give any help?
>
> thanks,
>
> KeeF
>
> Ryan Braun wrote:
> [...]

From solarflow99 at gmail.com Tue Mar 4 12:09:38 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Tue, 4 Mar 2008 12:09:38 +0000
Subject: [Fedora-directory-users] groups
In-Reply-To: <47C83635.7060607@redhat.com>
References: <7020fd000802290832h66257157o5a54d6c48f41d1a6@mail.gmail.com> <47C83635.7060607@redhat.com>
Message-ID: <7020fd000803040409m7fed0f22w19c9ee3c4795b25a@mail.gmail.com>

I don't see this actually doing group control, it looks more like access
control within the LDAP tree itself.

On 2/29/08, Rich Megginson wrote:
>
> solarflow99 wrote:
> > I was interested to create groups to use for authenticated access.
> > Say for instance I configure samba to use FDS, can it actually use
> > those groups to control permissions? What about the gidnumber? This is
> > all the docs had to say about it:
> >
> > 5.4. Using Groups
> >
> > Groups are a mechanism for associating entries for ease of
> > administration. This mechanism was provided with previous versions of
> > Directory Server and should be used primarily for compatibility with
> > older versions of the server.
> >
> See http://tinyurl.com/3yo88r and http://tinyurl.com/2snfle and
> http://tinyurl.com/337g46 for some examples using groups with ACIs.
>

From suuuper at messinalug.org Tue Mar 4 13:23:11 2008
From: suuuper at messinalug.org (Giovanni Mancuso)
Date: Tue, 04 Mar 2008 14:23:11 +0100
Subject: [Fedora-directory-users] Prolem with pam_passthru
Message-ID: <47CD4D3F.2070207@messinalug.org>

Hi to all,
I have a problem with the pam_passthru module.
I use Fedora DS 1.04 and configure it with:

pamIDMapMethod: RDN
pamIDAttr: mail
pamIDMapMethod: ENTRY

If I try to authenticate I get:
pam_passthru-plugin - Could not find BIND dn
uid=usetest,ou=people,dc=castest.it,dc=babel,dc=int (error 32 - No such object)

Any idea?

From tbagyal at fmkorhaz.hu Mon Mar 3 18:13:36 2008
From: tbagyal at fmkorhaz.hu (Bagyal Tamas)
Date: Mon, 03 Mar 2008 19:13:36 +0100
Subject: [Fedora-directory-users] notes on building fds in etch and a failed build question
In-Reply-To: <47CC37D3.70500@redhat.com>
References: <200802192232.02999.Ryan.Braun@ec.gc.ca> <200802251508.50693.Ryan.Braun@ec.gc.ca> <47C325E9.4010600@redhat.com> <200802261624.06814.Ryan.Braun@ec.gc.ca> <47CC34AD.6000409@mail.fmkorhaz.hu> <47CC37D3.70500@redhat.com>
Message-ID: <47CC3FD0.7010300@fmkorhaz.hu>

Rich Megginson wrote:
> Tamas Bagyal wrote:
>> hello Ryan,
>>
>> Did you try this version? I have two fedora-ds 1.0.4 in mmr
>> configuration. I migrated one of those to 1.1 (built by your and
>> Rich's instructions), but I have a problem with memory usage of the
>> ns-slapd process. Initially mem usage is 18.5% but after 2 hours this
>> changed to 23.1% and grew until killed by the kernel (I think...).
>>
>> Mostly read transactions happen (dns) with a few writes (cups).
>> This is a debian etch, mem size is 512 MB (I know this is too low,
>> but this is a test environment). Cache size of slapd is 67108864.
> Are you using SSL? Anything interesting in your server error log?

I am running setupssl2.sh but do not use any SSL connection. The error log
shows nothing, only the server start.

>>
>> can you give any help?
>>
>> thanks,
>>
>> KeeF
>>
>> Ryan Braun wrote:
>> [...]

--
Bagyal Tamas
Fejer Megyei Szt. Gyorgy Korhaz, Informatikai Igazgatosag.

From rmeggins at redhat.com Tue Mar 4 15:23:26 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 04 Mar 2008 08:23:26 -0700
Subject: [Fedora-directory-users] Prolem with pam_passthru
In-Reply-To: <47CD4D3F.2070207@messinalug.org>
References: <47CD4D3F.2070207@messinalug.org>
Message-ID: <47CD696E.1080507@redhat.com>

Giovanni Mancuso wrote:
> Hi to all,
> I have a problem with the pam_passthru module.
> I use Fedora DS 1.04 and configure it with:
>
> pamIDMapMethod: RDN
> pamIDAttr: mail
> pamIDMapMethod: ENTRY
>
> If I try to authenticate I get:
> pam_passthru-plugin - Could not find BIND dn
> uid=usetest,ou=people,dc=castest.it,dc=babel,dc=int (error 32 - No
> such object)
It means the entry uid=usetest,ou=people,dc=castest.it,dc=babel,dc=int
does not exist.
>
> Any idea?
>

From rmeggins at redhat.com Tue Mar 4 15:23:58 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 04 Mar 2008 08:23:58 -0700
Subject: [Fedora-directory-users] groups
In-Reply-To: <7020fd000803040409m7fed0f22w19c9ee3c4795b25a@mail.gmail.com>
References: <7020fd000802290832h66257157o5a54d6c48f41d1a6@mail.gmail.com> <47C83635.7060607@redhat.com> <7020fd000803040409m7fed0f22w19c9ee3c4795b25a@mail.gmail.com>
Message-ID: <47CD698E.3020705@redhat.com>

solarflow99 wrote:
> I don't see this actually doing group control, it looks more like
> access control within the LDAP tree itself.
What do you mean by "group control"? Something like Group Policy in
Active Directory?
>
> On 2/29/08, *Rich Megginson* wrote:
> [...]
> See http://tinyurl.com/3yo88r and http://tinyurl.com/2snfle and
> http://tinyurl.com/337g46 for some examples using groups with ACIs.
>

From rmeggins at redhat.com Tue Mar 4 15:24:50 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 04 Mar 2008 08:24:50 -0700
Subject: [Fedora-directory-users] notes on building fds in etch and a failed build question
In-Reply-To: <47CC3FD0.7010300@fmkorhaz.hu>
References: <200802192232.02999.Ryan.Braun@ec.gc.ca> <200802251508.50693.Ryan.Braun@ec.gc.ca> <47C325E9.4010600@redhat.com> <200802261624.06814.Ryan.Braun@ec.gc.ca> <47CC34AD.6000409@mail.fmkorhaz.hu> <47CC37D3.70500@redhat.com> <47CC3FD0.7010300@fmkorhaz.hu>
Message-ID: <47CD69C2.2030209@redhat.com>

Bagyal Tamas wrote:
> Rich Megginson wrote:
>> Tamas Bagyal wrote:
>>> hello Ryan,
>>>
>>> Did you try this version? I have two fedora-ds 1.0.4 in mmr
>>> configuration. I migrated one of those to 1.1 (built by your and
>>> Rich's instructions), but I have a problem with memory usage of the
>>> ns-slapd process. Initially mem usage is 18.5% but after 2 hours
>>> this changed to 23.1% and grew until killed by the kernel (I think...).
>>>
>>> Mostly read transactions happen (dns) with a few writes (cups).
>>> this is a debian etch, mem size is 512 mbyte (i know this is too >>> low, but this is a test environment). cache size of slapd is 67108864. >> Are you using SSL? Anything interesting in your server error log? > > I running the setupssl2.sh but not use any ssl connection. error log > shows nothing, only the server start. The reason I ask is that older versions of the NSS crypto/SSL libraries had a memory leak. NSS 3.11.7 does not have this problem. But you would only see the problem if you were using SSL connections. > >>> >>> can you give any help? >>> >>> thanks, >>> >>> KeeF >>> >>> Ryan Braun wrote: >>>>>> A couple little bugs creeped up during the build. I think it was >>>>>> during >>>>>> the make install of ldapserver. One of the binaries (the first >>>>>> one I >>>>>> guess) was copied to /opt/dirsrv/bin (the bin being a file not a >>>>>> directory) so the /opt/dirsrv/bin directory isn't getting >>>>>> created. Quick >>>>>> fix was just renaming /opt/dirsrv/bin to >>>>>> /opt/dirsrv/bin.something and >>>>>> rerunning make. Executing /opt/dirsrv/bin.something looks like >>>>>> the binary >>>>>> might be ldappasswd? >>>>> Probably a bug in ds/mozldap/Makefile in the install section. >>>> >>>> I had a peek in there, it looks ok, but I'll add a mkdir -p >>>> /opt/dirsrv/bin before the copy loop and see if that works next >>>> time I build. >>>>>> Second, there seems to be a missing library. >>>>>> >>>>>> Starting admin server . . . >>>>>> output: ERROR: ld.so: object '/opt/dirsrv/lib/libssl3.so' from >>>>>> LD_PRELOAD >>>>>> cannot be preloaded: ignored. >>>>>> output: apache2: Syntax error on line 123 >>>>>> of /opt/dirsrv/etc/dirsrv/admin-serv/httpd.conf: module >>>>>> log_config_module >>>>>> is built-in and can't be loaded >>>>>> Could not start the admin server. Error: 256 >>>>>> Failed to create and configure the admin server >>>>>> Exiting . . . 
>>>>>>
>>>>>> I assumed the libssl3.so was supposed to be provided by building nss from
>>>>>> source. So I just symlinked the system's libssl3.so provided by
>>>>>> libnss3-0d back to /opt/dirsrv/lib/.
>>>>> Ok. Or just edit the start-ds-admin script. Looks like a bug - it
>>>>> should use the correct path to libssl3.so. But then the NSS devel
>>>>> support in etch is not quite there.
>>>>
>>>> Gotcha
>>>>
>>>>>> Which leads me to my next question. The java components, are they only
>>>>>> required for running the console on your client machines? So building
>>>>>> with NOJAVA=1 will provide a fully working adminserver and
>>>>>> ldapserver, just no console binaries?
>>>>> Mostly correct. The only thing is that the way the console works, it
>>>>> downloads the ds and ds-admin jar files from the admin server. However,
>>>>> if you build them on the client machine and install them into
>>>>> $HOME/.fedora-idm-console/jars then the console will just use the local
>>>>> ones.
>>>>
>>>> Ok, well I tried installing the windows console on one of the
>>>> windows boxes around here (easier than downloading fc isos :) ),
>>>> fired up the console and am able to connect and it looks like it
>>>> wants to work, then it reports back that it can't find the jars.
>>>> So that being said, is there an easy way to use FC jars, or do I
>>>> need to build them for debian? (I have started trying to build jss
>>>> but am having some issues)
>>>>
>>>>>> To be honest, I haven't really looked into the different post install
>>>>>> processes with 1.1.0 since 1.0.4 so the reason I could have missing
>>>>>> entries in the console could very well be my own fault :)
>>>>>>
>>>>>> Also, if I want to fine tune the location of some of the directories during
>>>>>> the build, is it safe to modify the CONFIGURE_ARGS variable in the
>>>>>> adminserver and ldapserver's Makefile?
>>>>>> I want to put /opt/dirsrv/etc/dirsrv into /etc/dirsrv as well as
>>>>>> /opt/dirsrv/var into /var?
>>>>> Yes, for those components whose configure respects --sysconfdir and
>>>>> --localstatedir - which means not the mozilla components (mozldap, etc.)
>>>>> but everything else should work just fine. You'll also have to tweak
>>>>> the --prefix argument which is set by default.
>>>>
>>>> I'll play around with some options. I've started a wiki page for
>>>> the debian build. I don't have it linked onto the main page, but
>>>> you can check it out in recent changes.
>>>>
>>>> Ryan

From suuuper at messinalug.org Tue Mar 4 15:34:21 2008
From: suuuper at messinalug.org (Giovanni Mancuso)
Date: Tue, 04 Mar 2008 16:34:21 +0100
Subject: [Fedora-directory-users] Problem with pam_passthru
In-Reply-To: <47CD696E.1080507@redhat.com>
References: <47CD4D3F.2070207@messinalug.org> <47CD696E.1080507@redhat.com>
Message-ID: <47CD6BFD.3010500@messinalug.org>

But the entry really exists. How can I debug it??

Thanks

Rich Megginson wrote:
> Giovanni Mancuso wrote:
>> Hi to all,
>> i have a problem with the pam_passthru module.
>> I use Fedora DS 1.04 and configure it with:
>>
>> pamIDMapMethod: RDN
>> pamIDAttr: mail
>> pamIDMapMethod: ENTRY
>>
>> If i try to authenticate i get:
>> pam_passthru-plugin - Could not find BIND dn
>> uid=usetest,ou=people,dc=castest.it,dc=babel,dc=int (error 32 - No
>> such object)
> It means the entry uid=usetest,ou=people,dc=castest.it,dc=babel,dc=int
> does not exist.
>>
>> Any idea?

From rmeggins at redhat.com Tue Mar 4 15:44:01 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 04 Mar 2008 08:44:01 -0700
Subject: [Fedora-directory-users] Problem with pam_passthru
In-Reply-To: <47CD6BFD.3010500@messinalug.org>
References: <47CD4D3F.2070207@messinalug.org> <47CD696E.1080507@redhat.com> <47CD6BFD.3010500@messinalug.org>
Message-ID: <47CD6E41.9080306@redhat.com>

Giovanni Mancuso wrote:
> But the entry really exists.
You have confirmed this with ldapsearch?
> How can I debug it??
The code is pretty clear on this point - it does an internal search for uid=usetest,ou=people,dc=castest.it,dc=babel,dc=int and it is not there. However, if you turn on the TRACE debug log level you might find some clues - http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

One more thing - in your config you have both
pamIDMapMethod: RDN
and
pamIDMapMethod: ENTRY
I'm assuming you want to use the mail attribute value as the value to pass to PAM.
So you should get rid of the pamIDMapMethod: RDN - I don't think that is causing the problem but you should fix it to eliminate that as a potential cause.
>
> Thanks
>
> Rich Megginson wrote:
>> Giovanni Mancuso wrote:
>>> Hi to all,
>>> i have a problem with the pam_passthru module.
>>> I use Fedora DS 1.04 and configure it with:
>>>
>>> pamIDMapMethod: RDN
>>> pamIDAttr: mail
>>> pamIDMapMethod: ENTRY
>>>
>>> If i try to authenticate i get:
>>> pam_passthru-plugin - Could not find BIND dn
>>> uid=usetest,ou=people,dc=castest.it,dc=babel,dc=int (error 32 - No
>>> such object)
>> It means the entry
>> uid=usetest,ou=people,dc=castest.it,dc=babel,dc=int does not exist.
>>>
>>> Any idea?
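An added example (not the plugin's or the server's own code) modelling what the two pamIDMapMethod settings discussed in this thread do with a bind DN, with a lint for the duplicated pamIDMapMethod that Rich points out and a parser for the "Could not find BIND dn ... (error 32 - No such object)" error-log line quoted above. The in-memory DIRECTORY entry, the DN normalisation and the result code 16 used for an entry without a pamIDAttr value are this model's assumptions, not the plugin's behaviour.

```python
import re

# Constructed stand-in for the backend the plugin searches: normalised DN -> attributes.
DIRECTORY = {
    "uid=usertest,ou=people,dc=castest.it,dc=babel,dc=int": {
        "uid": ["usertest"],
        "mail": ["usertest@castest.it"],
    },
}

LDAP_SUCCESS = 0
LDAP_NO_SUCH_ATTRIBUTE = 16   # this model's choice when pamIDAttr has no value
LDAP_NO_SUCH_OBJECT = 32      # the code in the log line quoted in the thread

# Error-log line format as quoted in the thread.
BIND_FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] pam_passthru-plugin - Could not find BIND dn "
    r"(?P<dn>\S+) \(error (?P<code>\d+) - (?P<msg>[^)]+)\)")


def normalize_dn(dn: str) -> str:
    """Case-fold and strip blanks around RDN separators (assumed normalisation)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_config(ldif_text: str) -> dict:
    """Parse 'attr: value' lines of a dse.ldif fragment into attr -> [values]."""
    cfg: dict = {}
    for line in ldif_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        cfg.setdefault(attr.strip(), []).append(value.strip())
    return cfg


def lint_config(cfg: dict) -> list:
    """Flag the two config mistakes discussed above."""
    problems = []
    methods = cfg.get("pamIDMapMethod", [])
    if len(methods) > 1:
        problems.append("pamIDMapMethod set more than once: " + ", ".join(methods))
    if "ENTRY" in methods and not cfg.get("pamIDAttr"):
        problems.append("pamIDMapMethod ENTRY needs pamIDAttr")
    return problems


def map_bind_dn(bind_dn: str, cfg: dict, directory: dict) -> tuple:
    """Return (ldap_result_code, pam_login_or_message) for one BIND."""
    method = cfg.get("pamIDMapMethod", ["RDN"])[0]
    if method == "RDN":
        # Value of the leftmost RDN: uid=usertest,... -> "usertest".
        first_rdn = bind_dn.split(",", 1)[0]
        return LDAP_SUCCESS, first_rdn.partition("=")[2].strip()
    if method == "ENTRY":
        # Internal search for the bind DN; a miss is the error 32 seen in the thread.
        entry = directory.get(normalize_dn(bind_dn))
        if entry is None:
            return LDAP_NO_SUCH_OBJECT, (
                f"Could not find BIND dn {bind_dn} (error 32 - No such object)")
        attr = cfg["pamIDAttr"][0]
        values = next((v for a, v in entry.items() if a.lower() == attr.lower()), [])
        if not values:
            return LDAP_NO_SUCH_ATTRIBUTE, f"entry has no {attr} value"
        return LDAP_SUCCESS, values[0]
    raise ValueError(f"unknown pamIDMapMethod {method}")


def failed_binds(log_lines) -> list:
    """Extract (timestamp, dn, code) from pam_passthru lookup failures for alerting."""
    hits = []
    for line in log_lines:
        m = BIND_FAIL_RE.match(line)
        if m:
            hits.append((m["ts"], m["dn"], int(m["code"])))
    return hits


if __name__ == "__main__":
    cfg = parse_config("pamIDMapMethod: RDN\npamIDAttr: mail\npamIDMapMethod: ENTRY\n")
    print(lint_config(cfg))
    dn = "uid=usertest,ou=people,dc=castest.it,dc=babel,dc=int"
    print(map_bind_dn(dn, parse_config("pamIDMapMethod: RDN"), DIRECTORY))
    print(map_bind_dn(dn, parse_config("pamIDMapMethod: ENTRY\npamIDAttr: mail"), DIRECTORY))
```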
From suuuper at messinalug.org Tue Mar 4 16:01:50 2008
From: suuuper at messinalug.org (Giovanni Mancuso)
Date: Tue, 04 Mar 2008 17:01:50 +0100
Subject: [Fedora-directory-users] Problem with pam_passthru
In-Reply-To: <47CD6E41.9080306@redhat.com>
References: <47CD4D3F.2070207@messinalug.org> <47CD696E.1080507@redhat.com> <47CD6BFD.3010500@messinalug.org> <47CD6E41.9080306@redhat.com>
Message-ID: <47CD726E.9020905@messinalug.org>

Rich Megginson wrote:
> However, if you turn on the TRACE debug log level you might find some
> clues - http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>
> One more thing - in your config you have both
no, sorry, i meant:
the pam_passthru auth works if I set
pamIDMapMethod: RDN
but it maps the wrong user

then if I change the dse.ldif and put
pamIDMapMethod: ENTRY
pamIDAttr: mail
then the slapi_something_() won't find the entry even if it's there...
anyway yes, I want to use the email as the pam userid.

I hope it's clearer now..

Thx,
Giovanni

From rmeggins at redhat.com Tue Mar 4 16:52:30 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 04 Mar 2008 09:52:30 -0700
Subject: [Fedora-directory-users] Problem with pam_passthru
In-Reply-To: <47CD726E.9020905@messinalug.org>
References: <47CD4D3F.2070207@messinalug.org> <47CD696E.1080507@redhat.com> <47CD6BFD.3010500@messinalug.org> <47CD6E41.9080306@redhat.com> <47CD726E.9020905@messinalug.org>
Message-ID: <47CD7E4E.9090801@redhat.com>

Giovanni Mancuso wrote:
> Rich Megginson wrote:
>> However, if you turn on the TRACE debug log level you might find some
>> clues - http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>>
>> One more thing - in your config you have both
> no, sorry, i meant:
> the pam_passthru auth works if I set
> pamIDMapMethod: RDN
> but it maps the wrong user
Ok.
So this means you have a user uid=username whose pam login is not "username".
>
> then if I change the dse.ldif and put
> pamIDMapMethod: ENTRY
> pamIDAttr: mail
> then the slapi_something_() won't find the entry even if it's there...
> anyway yes, I want to use the email as the pam userid.
>
> I hope it's clearer now..
Yes. So I think the next step will be to turn on TRACE level debugging in the error log to see why it cannot find your entry.
>
> Thx,
> Giovanni

From solarflow99 at gmail.com Tue Mar 4 17:53:37 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Tue, 4 Mar 2008 17:53:37 +0000
Subject: [Fedora-directory-users] groups
In-Reply-To: <47CD698E.3020705@redhat.com>
References: <7020fd000802290832h66257157o5a54d6c48f41d1a6@mail.gmail.com> <47C83635.7060607@redhat.com> <7020fd000803040409m7fed0f22w19c9ee3c4795b25a@mail.gmail.com> <47CD698E.3020705@redhat.com>
Message-ID: <7020fd000803040953o8d5d2c1h4503384b997ecc42@mail.gmail.com>

not even that complex. Just a logical grouping like unix groups work. Do the groups in FDS work like that if I add users to them?

I think I've almost got it working with samba from the howto, but where to create the groups and map them I still don't understand.

On 3/4/08, Rich Megginson wrote:
>
> solarflow99 wrote:
> > I don't see this actually doing group control, it looks more like
> > access control within the LDAP tree itself.
> What do you mean by "group control"? Something like Group Policy in
> Active Directory?
> >
> > On 2/29/08, *Rich Megginson* wrote:
> >
> > solarflow99 wrote:
> > > I was interested to create groups to use for authenticated access.
> > > Say for instance I configure samba to use FDS, can it actually use
> > > those groups to control permissions? What about the gidnumber? This is
> > > all the docs had to say about it:
> > >
> > > 5.4. Using Groups
> > >
> > > Groups are a mechanism for associating entries for ease of
> > > administration. This mechanism was provided with previous versions of
> > > Directory Server and should be used primarily for compatibility with
> > > older versions of the server.
> > >
> > See http://tinyurl.com/3yo88r and http://tinyurl.com/2snfle and
> > http://tinyurl.com/337g46 for some examples using groups with ACIs.
From suuuper at messinalug.org Tue Mar 4 18:05:24 2008
From: suuuper at messinalug.org (Giovanni Mancuso)
Date: Tue, 04 Mar 2008 19:05:24 +0100
Subject: [Fedora-directory-users] Problem with pam_passthru
In-Reply-To: <47CD7E4E.9090801@redhat.com>
References: <47CD4D3F.2070207@messinalug.org> <47CD696E.1080507@redhat.com> <47CD6BFD.3010500@messinalug.org> <47CD6E41.9080306@redhat.com> <47CD726E.9020905@messinalug.org> <47CD7E4E.9090801@redhat.com>
Message-ID: <47CD8F64.8040800@messinalug.org>

The TRACE is:

[04/Mar/2008:19:04:15 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[04/Mar/2008:19:04:15 +0100] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.2)
[04/Mar/2008:19:04:15 +0100] - => slapi_reslimit_get_integer_limit() conn=0xb669b948, handle=3
[04/Mar/2008:19:04:15 +0100] - <= slapi_control_present 0 (NOT FOUND)
[04/Mar/2008:19:04:15 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[04/Mar/2008:19:04:15 +0100] - => slapi_control_present (looking for 1.3.6.1.4.1.42.2.27.8.5.1)
[04/Mar/2008:19:04:15 +0100] - => slapi_reslimit_get_integer_limit() conn=0xb669b8a8, handle=3
[04/Mar/2008:19:04:15 +0100] - <= slapi_control_present 1 (FOUND)
[04/Mar/2008:19:04:15 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[04/Mar/2008:19:04:15 +0100] - <= get_ldapmessage_controls 1 controls
[04/Mar/2008:19:04:15 +0100] - => slapi_reslimit_get_integer_limit() conn=0xb669b808, handle=3
[04/Mar/2008:19:04:15 +0100] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.16)
[04/Mar/2008:19:04:15 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[04/Mar/2008:19:04:15 +0100] - <= slapi_control_present 0 (NOT FOUND)
[04/Mar/2008:19:04:15 +0100] - do_bind: version 3 method 0x80 dn uid=usertest,ou=people,dc=castest.it,dc=babel,dc=int
[04/Mar/2008:19:04:15 +0100] - mapping tree selected backend : userRoot
[04/Mar/2008:19:04:15 +0100] - Calling plugin 'Legacy replication preoperation plugin' #3 type
401
[04/Mar/2008:19:04:15 +0100] - Calling plugin 'Multimaster replication preoperation plugin' #4 type 401
[04/Mar/2008:19:04:15 +0100] - Calling plugin 'PAM Pass Through Auth' #5 type 401
[04/Mar/2008:19:04:15 +0100] - allow_operation: component identity is NULL
[04/Mar/2008:19:04:15 +0100] pam_passthru-plugin - Could not find BIND dn uid=usertest,ou=people,dc=castest.it,dc=babel,dc=int (error 32 - No such object)
[04/Mar/2008:19:04:15 +0100] pam_passthru-plugin - Bind DN [uid=usertest,ou=people,dc=castest.it,dc=babel,dc=int] is invalid or not found
[04/Mar/2008:19:04:15 +0100] - => send_ldap_result 32::Bind DN [uid=usertest,ou=people,dc=castest.it,dc=babel,dc=int] is invalid or not found
[04/Mar/2008:19:04:15 +0100] - add_pb
[04/Mar/2008:19:04:15 +0100] - <= send_ldap_result
[04/Mar/2008:19:04:15 +0100] - get_pb
[04/Mar/2008:19:04:15 +0100] - => slapi_reslimit_get_integer_limit() conn=0xb669b8a8, handle=3
[04/Mar/2008:19:04:15 +0100] - do_unbind
[04/Mar/2008:19:04:15 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[04/Mar/2008:19:04:15 +0100] - => get_ldapmessage_controls
[04/Mar/2008:19:04:15 +0100] - => slapi_reslimit_get_integer_limit() conn=0xb669b808, handle=3
[04/Mar/2008:19:04:15 +0100] - <= get_ldapmessage_controls no controls
[04/Mar/2008:19:04:15 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[04/Mar/2008:19:04:15 +0100] - defbackend_noop
[04/Mar/2008:19:04:16 +0100] - ldbm backend flushing
[04/Mar/2008:19:04:16 +0100] - ldbm backend done flushing
[04/Mar/2008:19:04:16 +0100] - ldbm backend flushing
[04/Mar/2008:19:04:16 +0100] - ldbm backend done flushing

Rich Megginson wrote:
> Giovanni Mancuso wrote:
>> Rich Megginson wrote:
>>> However, if you turn on the TRACE debug log level you might find
>>> some clues -
>>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>>>
>>> One more thing - in your config you have both
>> no, sorry, i meant:
>> the pam_passthru auth works if I set
>> pamIDMapMethod: RDN
>> but it maps the wrong user
> Ok. So this means you have a user uid=username whose pam login is not
> "username".
>>
>> then if I change the dse.ldif and put
>> pamIDMapMethod: ENTRY
>> pamIDAttr: mail
>> then the slapi_something_() won't find the entry even if it's there...
>> anyway yes, I want to use the email as the pam userid.
>>
>> I hope it's clearer now..
> Yes. So I think the next step will be to turn on TRACE level
> debugging in the error log to see why it cannot find your entry.
>>
>> Thx,
>> Giovanni

From iferreir at personal.com.py Tue Mar 4 21:10:07 2008
From: iferreir at personal.com.py (Ivan Ferreira)
Date: Tue, 4 Mar 2008 18:10:07 -0300
Subject: [Fedora-directory-users] groups
In-Reply-To: <7020fd000803040953o8d5d2c1h4503384b997ecc42@mail.gmail.com>
Message-ID:

Yes, groups work exactly as local groups.

In fact, you must ensure that your users belong to the right group or you may have problems accessing samba shares.

solarflow99 wrote on 04/03/2008 02:53 p.m. to "General discussion list for the Fedora Directory server project." (sent by fedora-directory-users-bounces at redhat.com; subject: Re: [Fedora-directory-users] groups; classification: Internal Use; please reply to "General discussion list for the Fedora Directory server project."):

not even that complex. Just a logical grouping like unix groups work. Do the groups in FDS work like that if I add users to them?
I think I've almost got it working with samba from the howto, but where to create the groups and map them I still don't understand.

On 3/4/08, Rich Megginson wrote:
solarflow99 wrote:
> I don't see this actually doing group control, it looks more like
> access control within the LDAP tree itself.
What do you mean by "group control"? Something like Group Policy in Active Directory?
>
> On 2/29/08, *Rich Megginson* wrote:
>
> solarflow99 wrote:
> > I was interested to create groups to use for authenticated access.
> > Say for instance I configure samba to use FDS, can it actually use
> > those groups to control permissions? What about the gidnumber? This is
> > all the docs had to say about it:
> >
> > 5.4. Using Groups
> >
> > Groups are a mechanism for associating entries for ease of
> > administration. This mechanism was provided with previous versions of
> > Directory Server and should be used primarily for compatibility with
> > older versions of the server.
> >
> See http://tinyurl.com/3yo88r and http://tinyurl.com/2snfle and
> http://tinyurl.com/337g46 for some examples using groups with ACIs.
--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

========================================================================================
LEGAL NOTICE: This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited.
This communication is for information purposes only and shall not be regarded as a proposal, an acceptance or a statement of will or official statement from NUCLEO S.A. Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice.

From solarflow99 at gmail.com Tue Mar 4 23:28:04 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Tue, 4 Mar 2008 23:28:04 +0000
Subject: [Fedora-directory-users] groups
In-Reply-To:
References: <7020fd000803040953o8d5d2c1h4503384b997ecc42@mail.gmail.com>
Message-ID: <7020fd000803041528u3182b4f1ufadb54d7ce4e953f@mail.gmail.com>

do you use FDS with samba? I wonder what you did for the groups.

On Tue, Mar 4, 2008 at 9:10 PM, Ivan Ferreira wrote:
> Yes, groups work exactly as local groups.
>
> In fact, you must ensure that your users belong to the right group or you
> may have problems accessing samba shares.
>
> solarflow99 wrote on 04/03/2008 02:53 p.m. (Re: [Fedora-directory-users] groups, classification: Internal Use):
>
> not even that complex. Just a logical grouping like unix groups work. Do
> the groups in FDS work like that if I add users to them?
>
> I think I've almost got it working with samba from the howto, but where to
> create the groups and map them I still don't understand.
>
> On 3/4/08, Rich Megginson wrote:
> solarflow99 wrote:
> > I don't see this actually doing group control, it looks more like
> > access control within the LDAP tree itself.
> What do you mean by "group control"? Something like Group Policy in
> Active Directory?
> >
> > On 2/29/08, *Rich Megginson* wrote:
> >
> > solarflow99 wrote:
> > > I was interested to create groups to use for authenticated access.
> > > Say for instance I configure samba to use FDS, can it actually use
> > > those groups to control permissions? What about the gidnumber? This is
> > > all the docs had to say about it:
> > >
> > > 5.4. Using Groups
> > >
> > > Groups are a mechanism for associating entries for ease of
> > > administration. This mechanism was provided with previous versions of
> > > Directory Server and should be used primarily for compatibility with
> > > older versions of the server.
> > >
> > See http://tinyurl.com/3yo88r and http://tinyurl.com/2snfle and
> > http://tinyurl.com/337g46 for some examples using groups with ACIs.
From johnsimcall at gmail.com Wed Mar 5 02:40:47 2008
From: johnsimcall at gmail.com (John Call)
Date: Tue, 4 Mar 2008 16:40:47 -1000
Subject: [Fedora-directory-users] Apple OS X 10.5 question
In-Reply-To: <9ee13d4f0802280800l5695ca48x6b04d558f17faf27@mail.gmail.com>
References: <2f05bdbb0802271842i46224c9ei657367f29933ce4f@mail.gmail.com> <20080228091327.GQ23283@flea.lifesci.dundee.ac.uk> <9ee13d4f0802280800l5695ca48x6b04d558f17faf27@mail.gmail.com>
Message-ID:

Jonathan, Dan,

Thank you for your help. After being sick for a few days I sat down with one of my Apple users. We are still unable to log in to OS X 10.5 after changing /etc/openldap/ldap.conf to the following...

#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
#TLS_REQCERT demand
TLS_REQCERT never

Is there any direction you might offer? I've included a copy of my Template as an attachment. I believe I've kept it quite simple, maybe too simple.

Thanks,
John

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OSX105-LDAP-Template.plist
Type: application/octet-stream
Size: 2112 bytes
Desc: not available

On Feb 28, 2008, at 6:00 AM, dandantheitman wrote:
> On 28/02/2008, Jonathan Barber wrote:
>> On Wed, Feb 27, 2008 at 04:42:12PM -1000, John Call wrote:
>>> Aloha list,
>>>
>>> My university has been authenticating Mac OS X 10.4 clients to FDS
>>> 1.04 for about a year now. Things have been working great, as long as
>>> we keep an eye on the external SASL mechanisms. However, now that our
>>> staff is deploying the new OS X 10.5 things aren't working. To the
>>> best of our knowledge we have maintained the same client LDAP
>>> configuration from 10.4 to 10.5, but the Apple clients refuse to
>>> authenticate. Has anybody else experienced this?
>>
>> Are you doing SSL to the ldap? If so, check the clientside SSL
>> verification.
>> I'm not big on the different Mac OS X versions, so can't
>> say when it occurred, but for one of the revisions we did see the default
>> openldap SSL verification change from "never" to "demand" on the clients.
>>
>> I don't think we found a GUI widget to config this behaviour, but you
>> can via /etc/openldap/ldap.conf like linux.
>>
>
> Jonathan is 100% correct. Starting with OSX Leopard the ldap client
> was 'locked down' to make it more secure out of the box. The
> TLS_REQCERT = never was revised to TLS_REQCERT = demand.
>
> You either need to make the change on each client in
> /etc/openldap/ldap.conf to reset it back to its previous state or you
> shall need to do the following:
>
> (01) Copy the cert to the client /etc/openldap/certs
> (02) Add the following line to /etc/openldap/ldap.conf:
> TLS_CACERT /etc/openldap/certs/bright.newshinycert.com
>
> Dan

From solarflow99 at gmail.com Wed Mar 5 12:23:00 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Wed, 5 Mar 2008 12:23:00 +0000
Subject: [Fedora-directory-users] trouble installing samba
In-Reply-To: <200803031601.26344.maumar@cost.it>
References: <200803031601.26344.maumar@cost.it>
Message-ID: <7020fd000803050423j38f1219csf18619a17feb34d4@mail.gmail.com>

Does anyone have samba working with FDS? I can add a sambasamaccount objectclass, but it looks like there are missing attributes from advanced properties. From the schema config, I see the required attributes are only: objectclass, sambasid, uid. Other important attributes such as sambaLMpassword, sambadomain, are only listed as allowed attributes. I don't know if I have to add them manually, how many are required, or how to generate the encrypted password. If anyone has any ideas, any help would be appreciated.
On 3/3/08, Maurizio Marini wrote:
>
> I'm installing samba-pdc using
> http://directory.fedoraproject.org/wiki/Howto:Samba
>
> i am stuck at the final point of adding Administrator:
> pdbedit -U S-1-5-21-1017320176-1068811812-2284442376-500 -u Administrator -r
> Username not found!
> pdbedit -U S-1-5-21-1017320176-1068811812-2284442376-500 -u Administrator -a
> Cannot locate Unix account for Administrator
>
> in the discussion i read:
> http://directory.fedoraproject.org/wiki/Talk:Howto:Samba
>
> "I found that the step to use pdbedit to modify the administrator account was
> failing. after much searching i realized it is expecting the Administrator
> account that was added with ldif2ldap of the sambaAdministrator.ldap to
> *already* have a sambasamaccount object class associated with it."
>
> i dunno how to do it :(
>
> other comments make me wonder if using this howto i will ever be able to
> install samba-pdc :(
>
> if someone was able to do it, please! share your experience with us :)
> m.
URL:

From bagyi at mail.fmkorhaz.hu Wed Mar 5 12:52:54 2008
From: bagyi at mail.fmkorhaz.hu (Tamas Bagyal)
Date: Wed, 05 Mar 2008 13:52:54 +0100
Subject: [Fedora-directory-users] notes on building fds in etch and a failed build question
In-Reply-To: <47CD69C2.2030209@redhat.com>
References: <200802192232.02999.Ryan.Braun@ec.gc.ca> <200802251508.50693.Ryan.Braun@ec.gc.ca> <47C325E9.4010600@redhat.com> <200802261624.06814.Ryan.Braun@ec.gc.ca> <47CC34AD.6000409@mail.fmkorhaz.hu> <47CC37D3.70500@redhat.com> <47CC3FD0.7010300@fmkorhaz.hu> <47CD69C2.2030209@redhat.com>
Message-ID: <47CE97A6.5020701@mail.fmkorhaz.hu>

Rich Megginson wrote:
> Bagyal Tamas wrote:
>> Rich Megginson wrote:
>>> Tamas Bagyal wrote:
>>>> hello Ryan,
>>>>
>>>> you tried this version? i have two fedora-ds 1.0.4 in mmr
>>>> configuration. i migrate one of those to 1.1 (built by your and
>>>> Rich's instructions). but i have a problem with memory usage of
>>>> ns-slapd process. initially mem usage is 18.5% but after 2 hours
>>>> this changed to 23.1% and grew until killed by kernel. (i think...)
>>>>
>>>> mostly read transactions happen (dns) with a few write (cups).
>>>> this is a debian etch, mem size is 512 mbyte (i know this is too
>>>> low, but this is a test environment). cache size of slapd is 67108864.
>>> Are you using SSL? Anything interesting in your server error log?
>>
>> I ran the setupssl2.sh but do not use any ssl connection. error log
>> shows nothing, only the server start.
> The reason I ask is that older versions of the NSS crypto/SSL libraries
> had a memory leak. NSS 3.11.7 does not have this problem. But you
> would only see the problem if you were using SSL connections.

ok. I tried again from beginning. fresh install, no ssl, no migration,
used the setup-ds-admin.pl and setup the mmr with a fedora-ds 1.0.4.
but nothing changed, memory usage growing...
All settings are default except the mmr/changelog and access.log is off.
errors:

Fedora-Directory/1.1.0 B2008.059.1017
tower.fmintra.hu:389 (/opt/dirsrv/etc/dirsrv/slapd-tower)

[05/Mar/2008:10:19:20 +0100] - dblayer_instance_start: pagesize: 4096, pages: 128798, procpages: 5983
[05/Mar/2008:10:19:20 +0100] - cache autosizing: import cache: 204800k
[05/Mar/2008:10:19:21 +0100] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096
[05/Mar/2008:10:19:21 +0100] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[05/Mar/2008:10:19:21 +0100] - dblayer_instance_start: pagesize: 4096, pages: 128798, procpages: 5983
[05/Mar/2008:10:19:21 +0100] - cache autosizing: import cache: 204800k
[05/Mar/2008:10:19:21 +0100] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096
[05/Mar/2008:10:19:21 +0100] - import userRoot: Beginning import job...
[05/Mar/2008:10:19:21 +0100] - import userRoot: Index buffering enabled with bucket size 100
[05/Mar/2008:10:19:21 +0100] - import userRoot: Processing file "/tmp/ldifZHth0D.ldif"
[05/Mar/2008:10:19:21 +0100] - import userRoot: Finished scanning file "/tmp/ldifZHth0D.ldif" (9 entries)
[05/Mar/2008:10:19:21 +0100] - import userRoot: Workers finished; cleaning up...
[05/Mar/2008:10:19:21 +0100] - import userRoot: Workers cleaned up.
[05/Mar/2008:10:19:21 +0100] - import userRoot: Cleaning up producer thread...
[05/Mar/2008:10:19:21 +0100] - import userRoot: Indexing complete. Post-processing...
[05/Mar/2008:10:19:21 +0100] - import userRoot: Flushing caches...
[05/Mar/2008:10:19:21 +0100] - import userRoot: Closing files...
[05/Mar/2008:10:19:21 +0100] - All database threads now stopped
[05/Mar/2008:10:19:21 +0100] - import userRoot: Import complete. Processed 9 entries in 0 seconds. (inf entries/sec)
[05/Mar/2008:10:19:22 +0100] - Fedora-Directory/1.1.0 B2008.059.1017 starting up
[05/Mar/2008:10:19:22 +0100] - I'm resizing my cache now...cache was 209715200 and is now 8000000
[05/Mar/2008:10:19:22 +0100] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[05/Mar/2008:10:22:23 +0100] NSMMReplicationPlugin - changelog program - cl5Open: failed to open changelog
[05/Mar/2008:10:22:24 +0100] NSMMReplicationPlugin - changelog program - changelog5_config_add: failed to start changelog
[05/Mar/2008:10:26:49 +0100] NSMMReplicationPlugin - agmt="cn=replica to backup" (backup:389): Replica has a different generation ID than the local data.
[05/Mar/2008:10:32:00 +0100] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=fmintra,dc=hu: 32
[05/Mar/2008:10:32:00 +0100] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=fmintra,dc=hu is going offline; disabling replication
[05/Mar/2008:10:32:00 +0100] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[05/Mar/2008:10:32:13 +0100] - import userRoot: Workers finished; cleaning up...
[05/Mar/2008:10:32:13 +0100] - import userRoot: Workers cleaned up.
[05/Mar/2008:10:32:13 +0100] - import userRoot: Indexing complete. Post-processing...
[05/Mar/2008:10:32:13 +0100] - import userRoot: Flushing caches...
[05/Mar/2008:10:32:13 +0100] - import userRoot: Closing files...
[05/Mar/2008:10:32:14 +0100] - import userRoot: Import complete. Processed 12242 entries in 13 seconds. (941.69 entries/sec)
[05/Mar/2008:10:32:14 +0100] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=fmintra,dc=hu is coming online; enabling replication

memory usage by top:

top - 10:58:21 up 25 days, 22:36,  2 users,  load average: 0.01, 0.13, 0.22
Tasks:  61 total,   2 running,  59 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.0%us,  0.0%sy,  0.0%ni,100.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:    515192k total,   189600k used,   325592k free,    36472k buffers
Swap:   489848k total,    18292k used,   471556k free,   106188k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
27647 fds       15   0  464m  47m  25m S  0.0  9.4   1:34.57 ns-slapd


top - 11:23:12 up 25 days, 23:01,  2 users,  load average: 0.36, 0.27, 0.20
Tasks:  61 total,   2 running,  59 sleeping,   0 stopped,   0 zombie
Cpu(s):  3.0%us,  0.0%sy,  0.0%ni, 96.0%id,  1.0%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:    515192k total,   210700k used,   304492k free,    36488k buffers
Swap:   489848k total,    18288k used,   471560k free,   117204k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
27647 fds       15   0  473m  59m  28m S  3.0 11.9   2:52.77 ns-slapd


top - 11:48:26 up 25 days, 23:26,  2 users,  load average: 0.02, 0.08, 0.10
Tasks:  61 total,   1 running,  60 sleeping,   0 stopped,   0 zombie
Cpu(s):  3.0%us,  0.0%sy,  0.0%ni, 97.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:    515192k total,   222756k used,   292436k free,    36520k buffers
Swap:   489848k total,    18288k used,   471560k free,   118932k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
27647 fds       15   0  483m  72m  30m S  0.0 14.4   4:12.04 ns-slapd


top - 13:31:42 up 26 days,  1:09,  2 users,  load average: 0.28, 0.17, 0.15
Tasks:  61 total,   2 running,  59 sleeping,   0 stopped,   0 zombie
Cpu(s):  1.1%us,  0.0%sy,  0.0%ni, 98.9%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:    515192k total,   285572k used,   229620k free,    36540k buffers
Swap:   489848k total,    18288k used,   471560k free,   140412k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
27647 fds       15   0  523m 116m  34m S  0.0 23.3   9:35.65 ns-slapd

>>>>
>>>> can you give any help?
>>>>
>>>> thanks,
>>>>
>>>> KeeF
>>>>
>>>> Ryan Braun wrote:
>>>>>>> A couple little bugs crept up during the build. I think it was during
>>>>>>> the make install of ldapserver. One of the binaries (the first one I
>>>>>>> guess) was copied to /opt/dirsrv/bin (the bin being a file not a
>>>>>>> directory) so the /opt/dirsrv/bin directory isn't getting created. Quick
>>>>>>> fix was just renaming /opt/dirsrv/bin to /opt/dirsrv/bin.something and
>>>>>>> rerunning make. Executing /opt/dirsrv/bin.something looks like the binary
>>>>>>> might be ldappasswd?
>>>>>> Probably a bug in ds/mozldap/Makefile in the install section.
>>>>>
>>>>> I had a peek in there, it looks ok, but I'll add a mkdir -p
>>>>> /opt/dirsrv/bin before the copy loop and see if that works next
>>>>> time I build.
>>>>>>> Second, there seems to be a missing library.
>>>>>>>
>>>>>>> Starting admin server . . .
>>>>>>> output: ERROR: ld.so: object '/opt/dirsrv/lib/libssl3.so' from LD_PRELOAD
>>>>>>> cannot be preloaded: ignored.
>>>>>>> output: apache2: Syntax error on line 123
>>>>>>> of /opt/dirsrv/etc/dirsrv/admin-serv/httpd.conf: module log_config_module
>>>>>>> is built-in and can't be loaded
>>>>>>> Could not start the admin server. Error: 256
>>>>>>> Failed to create and configure the admin server
>>>>>>> Exiting . . .
>>>>>>>
>>>>>>> I assumed the libssl3.so was supposed to be provided by building nss from
>>>>>>> source. So I just symlinked the system's libssl3.so provided by
>>>>>>> libnss3-0d back to /opt/dirsrv/lib/.
>>>>>> Ok. Or just edit the start-ds-admin script. Looks like a bug - it
>>>>>> should use the correct path to libssl3.so. But then the NSS devel
>>>>>> support in etch is not quite there.
>>>>>
>>>>> Gotcha
>>>>>
>>>>>>> Which leads me to my next question. The java components, are they only
>>>>>>> required for running the console on your client machines? So building
>>>>>>> with NOJAVA=1 will provide a fully working adminserver and
>>>>>>> ldapserver, just no console binaries?
>>>>>> Mostly correct. The only thing is that the way the console works, it
>>>>>> downloads the ds and ds-admin jar files from the admin server. However,
>>>>>> if you build them on the client machine and install them into
>>>>>> $HOME/.fedora-idm-console/jars then the console will just use the local
>>>>>> ones.
>>>>>
>>>>> Ok, well I tried installing the windows console on one of the
>>>>> windows boxes around here (easier than downloading fc isos :) ),
>>>>> fired up the console and am able to connect and it looks like it
>>>>> wants to work, then it reports back that it can't find the jars.
>>>>> So that being said, is there an easy way to use FC jars, or do I
>>>>> need to build them for debian? (I have started trying to build jss
>>>>> but am having some issues)
>>>>>
>>>>>>> To be honest, I haven't really looked into the different post install
>>>>>>> process' with 1.1.0 since 1.0.4 so the reason I could have missing
>>>>>>> entries in the console could very well be my own fault :)
>>>>>>>
>>>>>>> Also, if I want to fine tune the location of some of directories during
>>>>>>> build. is it safe to modify the CONFIGURE_ARGS variable in the
>>>>>>> adminserver and ldapserver's Makefile? I want to put
>>>>>>> /opt/dirsrv/etc/dirsrv into /etc/dirsrv as well as /opt/dirsrv/var into
>>>>>>> /var?
>>>>>> Yes, for those components whose configure respect --sysconfdir and
>>>>>> --localstatedir - which means not the mozilla components (mozldap, etc.)
>>>>>> but everything else should work just fine. You'll also have to tweak
>>>>>> the --prefix argument which is set by default.
>>>>>
>>>>> I'll play around with some options. I've started a wiki page for
>>>>> the debian build. I don't have it linked onto the main page, but
>>>>> you can check it out in recent changes.
>>>>>
>>>>> Ryan
>>>>>


From ncohen.sts at gmail.com Tue Mar 4 21:37:57 2008
From: ncohen.sts at gmail.com (Ben Cohen)
Date: Tue, 4 Mar 2008 13:37:57 -0800
Subject: [Fedora-directory-users] Setting up Multiple Directory Servers - in a multi-master mesh. Having problems with admin server.
Message-ID: <5AEE54F9-9435-4F71-8765-1D110E951126@ucsd.edu>

Did anyone find a fix for this? I'm having the same problem.

Here's the interactive output from register-ds-admin.pl

[root at generic-02 ~]# register-ds-admin.pl --debug
Beginning registration of the Directory Server

==============================================================================

The Directory Server locates its configuration file (dse.ldif) at
/etc/dirsrv/slapd-ID, by default. If you have Directory Server(s)
which configuration file is put at the other location, you need to
input it to register the server.

If you have such Directory Server, type the full path that stores the
configuration file.

If you don't, type return.
[configuration directory path or return]:

==============================================================================

Candidate servers to register:
/etc/dirsrv/slapd-generic-02
/etc/dirsrv/slapd-temp-02

==============================================================================

Do you want to use this server as Configuration Directory Server?

Directory server identifier [generic-02]:

==============================================================================

Registering new Config DS: generic-02

==============================================================================

Input the Directory Server password on the server generic-02:

==============================================================================

Please input the password for the Administrator User uid=admin,
ou=Administrators, ou=TopologyManagement, o=NetscapeRoot:
Error: failed to register the configuration server info to the
Configuration Directory Server generic-02.
==============================================================================

Please input the password for the Administrator User uid=admin,
ou=Administrators, ou=TopologyManagement, o=NetscapeRoot:
Error: failed to register the configuration server info to the
Configuration Directory Server generic-02.

==============================================================================

Please input the password for the Administrator User uid=admin,
ou=Administrators, ou=TopologyManagement, o=NetscapeRoot:

and here is the output of the .log file

[root at generic-02 ~]# cat /tmp/setupJYeuBo.log
[08/03/04:13:15:25] - [Setup] Info Beginning registration of the Directory Server
[08/03/04:13:15:26] - [Setup] Info Candidate servers to register:
[08/03/04:13:15:26] - [Setup] Info Do you want to use this server as Configuration Directory Server?
[08/03/04:13:15:26] - [Setup] Info Directory server identifier
[08/03/04:13:15:33] - [Setup] Info generic-02
[08/03/04:13:15:33] - [Setup] Info Registering new Config DS: generic-02
[08/03/04:13:15:42] - [Setup] Warning Error: failed to register the configuration server info to the Configuration Directory Server generic-02.
[08/03/04:13:15:44] - [Setup] Warning Error: failed to register the configuration server info to the Configuration Directory Server generic-02.

Rich Megginson wrote:
>
> Howard Wilkinson wrote:
>> Richard et al,
>>
>> I have obviously confused you on this so to start again!
>>
>> I have four machines on which I am installing directory server
>> version 1.1.
>>
>> I have automated the install so that I start with a virgin install
>> every time - erase the packages and delete all of the files left
>> lying around and then reinstall the packages.
>>
>> I want to set up the four machines in a fault-tolerant fashion. So
>> I have an initial master, a secondary on a separate machine, and 2
>> consumers on the other machines.
>>
>> I can setup the servers on each machine with their own admin server
>> and can get the SSL working and have modified the mmr script and can
>> get all other server to replicate. Master and Secondary in
>> multi-master mode, consumers fed from master and secondary.
>>
>> What I want to achieve is to have all of the servers sharing the
>> o=NetscapeRoot partition (i.e. all having an admin server but all
>> having the same configuration for the admin server). Now this means
>> that they need to be in a mesh multi-master - OK I can set that up
>> but I can't get the servers to register cleanly with the individual
>> admin servers on each of the machines.
> Ok. I understand. First, you have to follow these guidelines -
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-ADS-for-Failover.html
>
> Next, it sounds like you are running into this bug -
> https://bugzilla.redhat.com/show_bug.cgi?id=431103

Have followed these instructions, with the fixes from the patch and we are
further along! I now have all servers registered on the master server and
can see them from there as expected.

I now face an issue with "register-ds-admin.pl" when I run it in the
secondary server I get the following output.

If you have such Directory Server, type the full path that stores the
configuration file.

If you don't, type return.
[configuration directory path or return]:

==============================================================================

Candidate servers to register:
/etc/dirsrv/slapd-backus

==============================================================================

Do you want to use this server as Configuration Directory Server?

Directory server identifier: backus

==============================================================================

Do you want to use this server as Configuration Directory Server?

Directory server identifier:

and this just keeps cycling asking the same question.
If I run on one of the consumers the behaviour is different but still not
very useful. I get a bit further but it refuses to recognise the admin
password.

Do you want to use this server as Configuration Directory Server?

Directory server identifier: barnacle

==============================================================================

Cleaning up old Config DS:

==============================================================================

Please input the password for the Administrator User uid=admin,
ou=Administrators, ou=TopologyManagement, o=NetscapeRoot:
Error: failed to clean up the configuration info from the old
Configuration Directory Server .

==============================================================================

Please input the password for the Administrator User uid=admin,
ou=Administrators, ou=TopologyManagement, o=NetscapeRoot:

I get the same behaviour if I run on the Master server.

Any suggestions?

.............


From ncohen.sts at gmail.com Wed Mar 5 01:32:10 2008
From: ncohen.sts at gmail.com (Ben Cohen)
Date: Tue, 4 Mar 2008 17:32:10 -0800
Subject: [Fedora-directory-users] Is the userRoot database special?
Message-ID:

Is the userRoot database treated specially in any way by fedora directory
server?

I setup a directory server and made it a supplier of its userRoot database.
I installed a second server and set its default suffix to the same as the
first server's when I created the directory instance (so the db named
'userRoot' created on the second server had the same root suffix as the db
on the first server). I then replicated the first server's userRoot database
to the second server (first server is supplier, second is consumer).

My intention is that the second server will carry a read-only replica of the
first server's database but the worry was raised that the userRoot database
might be treated specially by some portion of the directory server and not
like being a read only replica ...?

Should this be a concern?
Any clarity is appreciated.

Thanks much.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rmeggins at redhat.com Wed Mar 5 15:12:19 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 05 Mar 2008 08:12:19 -0700
Subject: [Fedora-directory-users] Is the userRoot database special?
In-Reply-To:
References:
Message-ID: <47CEB853.5050207@redhat.com>

Ben Cohen wrote:
> Is the userRoot database treated specially in any way by fedora
> directory server?
> I setup a directory server and made it a supplier of its userRoot
> database. I installed a second server and set its default suffix to
> the same as the first server's when I created the directory instance
> (so the db named 'userRoot' created on the second server had the same
> root suffix as the db on the first server). I then replicated the
> first server's userRoot database to the second server (first server is
> supplier, second is consumer).
> My intention is that the second server will carry a read-only replica
> of the first server's database but the worry was raised that the
> userRoot database might be treated specially by some portion of the
> directory server and not like being a read only replica ...?
No, there is nothing special about the userRoot database. That's just
the name given to the suffix used for user&group data that was
configured during set up. The suffix name is what matters, not the
database name.
> Should this be a concern? Any clarity is appreciated.
> Thanks much.
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Wed Mar 5 15:17:16 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 05 Mar 2008 08:17:16 -0700 Subject: [Fedora-directory-users] notes on building fds in etch and a failed build question In-Reply-To: <47CE97A6.5020701@mail.fmkorhaz.hu> References: <200802192232.02999.Ryan.Braun@ec.gc.ca> <200802251508.50693.Ryan.Braun@ec.gc.ca> <47C325E9.4010600@redhat.com> <200802261624.06814.Ryan.Braun@ec.gc.ca> <47CC34AD.6000409@mail.fmkorhaz.hu> <47CC37D3.70500@redhat.com> <47CC3FD0.7010300@fmkorhaz.hu> <47CD69C2.2030209@redhat.com> <47CE97A6.5020701@mail.fmkorhaz.hu> Message-ID: <47CEB97C.3070107@redhat.com> Tamas Bagyal wrote: > Rich Megginson wrote: >> Bagyal Tamas wrote: >>> Rich Megginson wrote: >>>> Tamas Bagyal wrote: >>>>> hello Ryan, >>>>> >>>>> you tried this version? i have two fedora-ds 1.0.4 in mmr >>>>> configuration. i migrate one of those to 1.1 (builded by your and >>>>> Rich's instrutctions). but i have a problem with memory usage of >>>>> ns-slapd process. initially mem usage is 18.5% but after 2 hours >>>>> this changed to 23.1% and growed until killed by kernel. (i think...) >>>>> >>>>> mostly read transactions happen (dns) with a few write (cups). >>>>> this is a debian etch, mem size is 512 mbyte (i know this is too >>>>> low, but this is a test environment). cache size of slapd is >>>>> 67108864. >>>> Are you using SSL? Anything interesting in your server error log? >>> >>> I running the setupssl2.sh but not use any ssl connection. error log >>> shows nothing, only the server start. >> The reason I ask is that older versions of the NSS crypto/SSL >> libraries had a memory leak. NSS 3.11.7 does not have this problem. >> But you would only see the problem if you were using SSL connections. > > ok. I tried again from begining. 
fresh install, no ssl, no migration, > used the setup-ds-admi.pl and setup the mmr with a fedora-ds 1.0.4. > but nothing changed, memory usage growing... > All setting is default except the mmr/changelog and access.log is off. > > errors: > > Fedora-Directory/1.1.0 B2008.059.1017 > tower.fmintra.hu:389 (/opt/dirsrv/etc/dirsrv/slapd-tower) > > > [05/Mar/2008:10:19:20 +0100] - dblayer_instance_start: pagesize: 4096, > pages: 128798, procpages: 5983 > [05/Mar/2008:10:19:20 +0100] - cache autosizing: import cache: 204800k > [05/Mar/2008:10:19:21 +0100] - li_import_cache_autosize: 50, > import_pages: 51200, pagesize: 4096 > [05/Mar/2008:10:19:21 +0100] - WARNING: Import is running with > nsslapd-db-private-import-mem on; No other process is allowed to > access the database > [05/Mar/2008:10:19:21 +0100] - dblayer_instance_start: pagesize: 4096, > pages: 128798, procpages: 5983 > [05/Mar/2008:10:19:21 +0100] - cache autosizing: import cache: 204800k > [05/Mar/2008:10:19:21 +0100] - li_import_cache_autosize: 50, > import_pages: 51200, pagesize: 4096 > [05/Mar/2008:10:19:21 +0100] - import userRoot: Beginning import job... > [05/Mar/2008:10:19:21 +0100] - import userRoot: Index buffering > enabled with bucket size 100 > [05/Mar/2008:10:19:21 +0100] - import userRoot: Processing file > "/tmp/ldifZHth0D.ldif" > [05/Mar/2008:10:19:21 +0100] - import userRoot: Finished scanning file > "/tmp/ldifZHth0D.ldif" (9 entries) > [05/Mar/2008:10:19:21 +0100] - import userRoot: Workers finished; > cleaning up... > [05/Mar/2008:10:19:21 +0100] - import userRoot: Workers cleaned up. > [05/Mar/2008:10:19:21 +0100] - import userRoot: Cleaning up producer > thread... > [05/Mar/2008:10:19:21 +0100] - import userRoot: Indexing complete. > Post-processing... > [05/Mar/2008:10:19:21 +0100] - import userRoot: Flushing caches... > [05/Mar/2008:10:19:21 +0100] - import userRoot: Closing files... 
> [05/Mar/2008:10:19:21 +0100] - All database threads now stopped > [05/Mar/2008:10:19:21 +0100] - import userRoot: Import complete. > Processed 9 entries in 0 seconds. (inf entries/sec) > [05/Mar/2008:10:19:22 +0100] - Fedora-Directory/1.1.0 B2008.059.1017 > starting up > [05/Mar/2008:10:19:22 +0100] - I'm resizing my cache now...cache was > 209715200 and is now 8000000 > [05/Mar/2008:10:19:22 +0100] - slapd started. Listening on All > Interfaces port 389 for LDAP requests > [05/Mar/2008:10:22:23 +0100] NSMMReplicationPlugin - changelog program > - cl5Open: failed to open changelog > [05/Mar/2008:10:22:24 +0100] NSMMReplicationPlugin - changelog program > - changelog5_config_add: failed to start changelog > [05/Mar/2008:10:26:49 +0100] NSMMReplicationPlugin - agmt="cn=replica > to backup" (backup:389): Replica has a different generation ID than > the local data. > [05/Mar/2008:10:32:00 +0100] NSMMReplicationPlugin - > repl_set_mtn_referrals: could not set referrals for replica > dc=fmintra,dc=hu: 32 > [05/Mar/2008:10:32:00 +0100] NSMMReplicationPlugin - > multimaster_be_state_change: replica dc=fmintra,dc=hu is going > offline; disabling replication > [05/Mar/2008:10:32:00 +0100] - WARNING: Import is running with > nsslapd-db-private-import-mem on; No other process is allowed to > access the database > [05/Mar/2008:10:32:13 +0100] - import userRoot: Workers finished; > cleaning up... > [05/Mar/2008:10:32:13 +0100] - import userRoot: Workers cleaned up. > [05/Mar/2008:10:32:13 +0100] - import userRoot: Indexing complete. > Post-processing... > [05/Mar/2008:10:32:13 +0100] - import userRoot: Flushing caches... > [05/Mar/2008:10:32:13 +0100] - import userRoot: Closing files... > [05/Mar/2008:10:32:14 +0100] - import userRoot: Import complete. > Processed 12242 entries in 13 seconds. 
(941.69 entries/sec) > [05/Mar/2008:10:32:14 +0100] NSMMReplicationPlugin - > multimaster_be_state_change: replica dc=fmintra,dc=hu is coming > online; enabling replication > > memory usage by top: > > top - 10:58:21 up 25 days, 22:36, 2 users, load average: 0.01, 0.13, > 0.22 > Tasks: 61 total, 2 running, 59 sleeping, 0 stopped, 0 zombie > Cpu(s): 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, > 0.0%si, 0.0%st > Mem: 515192k total, 189600k used, 325592k free, 36472k buffers > Swap: 489848k total, 18292k used, 471556k free, 106188k cached > > PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND > 27647 fds 15 0 464m 47m 25m S 0.0 9.4 1:34.57 ns-slapd > > > top - 11:23:12 up 25 days, 23:01, 2 users, load average: 0.36, 0.27, > 0.20 > Tasks: 61 total, 2 running, 59 sleeping, 0 stopped, 0 zombie > Cpu(s): 3.0%us, 0.0%sy, 0.0%ni, 96.0%id, 1.0%wa, 0.0%hi, > 0.0%si, 0.0%st > Mem: 515192k total, 210700k used, 304492k free, 36488k buffers > Swap: 489848k total, 18288k used, 471560k free, 117204k cached > > PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND > 27647 fds 15 0 473m 59m 28m S 3.0 11.9 2:52.77 ns-slapd > > > top - 11:48:26 up 25 days, 23:26, 2 users, load average: 0.02, 0.08, > 0.10 > Tasks: 61 total, 1 running, 60 sleeping, 0 stopped, 0 zombie > Cpu(s): 3.0%us, 0.0%sy, 0.0%ni, 97.0%id, 0.0%wa, 0.0%hi, > 0.0%si, 0.0%st > Mem: 515192k total, 222756k used, 292436k free, 36520k buffers > Swap: 489848k total, 18288k used, 471560k free, 118932k cached > > PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND > 27647 fds 15 0 483m 72m 30m S 0.0 14.4 4:12.04 ns-slapd > > > top - 13:31:42 up 26 days, 1:09, 2 users, load average: 0.28, 0.17, > 0.15 > Tasks: 61 total, 2 running, 59 sleeping, 0 stopped, 0 zombie > Cpu(s): 1.1%us, 0.0%sy, 0.0%ni, 98.9%id, 0.0%wa, 0.0%hi, > 0.0%si, 0.0%st > Mem: 515192k total, 285572k used, 229620k free, 36540k buffers > Swap: 489848k total, 18288k used, 471560k free, 140412k cached > > PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ 
COMMAND > 27647 fds 15 0 523m 116m 34m S 0.0 23.3 9:35.65 ns-slapd Can you post your dse.ldif to pastebin.com? Be sure to omit or obscure any sensitive data first. I'd like to see what all of your cache settings are. Normally the server will increase in memory usage until the caches are full, then memory usage should level off. The speed at which this occurs depends on usage. When the kernel kills your server, how much memory is it using? Is there anything in the server error log at around the time the kernel kills it? Finally, if you are convinced that there is a real memory leak in the server, would it be possible for you to run it under valgrind? Just running it under valgrind for 30 minutes or so should reveal any memory leaks in normal usage. > >>>>> >>>>> can you give any help? >>>>> >>>>> thanks, >>>>> >>>>> KeeF >>>>> >>>>> Ryan Braun wrote: >>>>>>>> A couple little bugs creeped up during the build. I think it >>>>>>>> was during >>>>>>>> the make install of ldapserver. One of the binaries (the first >>>>>>>> one I >>>>>>>> guess) was copied to /opt/dirsrv/bin (the bin being a file not a >>>>>>>> directory) so the /opt/dirsrv/bin directory isn't getting >>>>>>>> created. Quick >>>>>>>> fix was just renaming /opt/dirsrv/bin to >>>>>>>> /opt/dirsrv/bin.something and >>>>>>>> rerunning make. Executing /opt/dirsrv/bin.something looks like >>>>>>>> the binary >>>>>>>> might be ldappasswd? >>>>>>> Probably a bug in ds/mozldap/Makefile in the install section. >>>>>> >>>>>> I had a peek in there, it looks ok, but I'll add a mkdir -p >>>>>> /opt/dirsrv/bin before the copy loop and see if that works next >>>>>> time I build. >>>>>>>> Second, there seems to be a missing library. >>>>>>>> >>>>>>>> Starting admin server . . . >>>>>>>> output: ERROR: ld.so: object '/opt/dirsrv/lib/libssl3.so' from >>>>>>>> LD_PRELOAD >>>>>>>> cannot be preloaded: ignored. 
>>>>>>>> output: apache2: Syntax error on line 123 >>>>>>>> of /opt/dirsrv/etc/dirsrv/admin-serv/httpd.conf: module >>>>>>>> log_config_module >>>>>>>> is built-in and can't be loaded >>>>>>>> Could not start the admin server. Error: 256 >>>>>>>> Failed to create and configure the admin server >>>>>>>> Exiting . . . >>>>>>>> >>>>>>>> I assumed the libssl3.so was supposed to be provided by >>>>>>>> building nss from >>>>>>>> source. So I just symlinked the system's libssl3.so provided by >>>>>>>> libnss3-0d back to /opt/dirsrv/lib/. >>>>>>> Ok. Or just edit the start-ds-admin script. Looks like a bug - it >>>>>>> should use the correct path to libssl3.so. But then the NSS devel >>>>>>> support in etch is not quite there. >>>>>> >>>>>> Gotcha >>>>>> >>>>>>>> Which leads me to my next question. The java components, are >>>>>>>> they only >>>>>>>> required for running the console on your client machines? So >>>>>>>> building >>>>>>>> with NOJAVA=1 will provide a fully working adminserver and >>>>>>>> ldapserver, just no console binaries? >>>>>>> Mostly correct. The only thing is that the way the console >>>>>>> works, it >>>>>>> downloads the ds and ds-admin jar files from the admin server. >>>>>>> However, >>>>>>> if you build them on the client machine and install them into >>>>>>> $HOME/.fedora-idm-console/jars then the console will just use >>>>>>> the local >>>>>>> ones. >>>>>> >>>>>> Ok, well I tried installing the windows console on one of the >>>>>> windows boxes around here (easier then downloading fc isos :) ), >>>>>> fired up the console and am able to connect and it looks like it >>>>>> wants to work, then it reports back that it can't find the >>>>>> jars. So that being said, is there an easy way to use FC jars, >>>>>> or do I need to build them for debian? 
>>>>>> (I have started trying to
>>>>>> build jss but am having some issues)
>>>>>>
>>>>>>>> To be honest, I haven't really looked into the different post
>>>>>>>> install
>>>>>>>> process' with 1.1.0 since 1.0.4 so the reason I could have missing
>>>>>>>> entries in the console could very well be my own fault :)
>>>>>>>>
>>>>>>>> Also, if I want to fine tune the location of some of
>>>>>>>> directories during
>>>>>>>> build. is it safe to modify the CONFIGURE_ARGS variable in the
>>>>>>>> adminserver and ldapserver's Makefile? I want to put
>>>>>>>> /opt/dirsrv/etc/dirsrv into /etc/dirsrv as well as
>>>>>>>> /opt/dirsrv/var into
>>>>>>>> /var?
>>>>>>> Yes, for those components whose configure respect --sysconfdir and
>>>>>>> --localstatedir - which means not the mozilla components
>>>>>>> (mozldap, etc.)
>>>>>>> but everything else should work just fine. You'll also have to
>>>>>>> tweak
>>>>>>> the --prefix argument which is set by default.
>>>>>>
>>>>>> I'll play around with some options. I've started a wiki page for
>>>>>> the debian build. I don't have it linked onto the main page,
>>>>>> but you can check it out in recent changes.
>>>>>>
>>>>>> Ryan
>>>>>>
>

From rmeggins at redhat.com Wed Mar 5 15:20:08 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 05 Mar 2008 08:20:08 -0700
Subject: [Fedora-directory-users] Setting up Multiple Directory Servers - in a multi-master mesh. Having problems with admin server.
In-Reply-To: <5AEE54F9-9435-4F71-8765-1D110E951126@ucsd.edu>
References: <5AEE54F9-9435-4F71-8765-1D110E951126@ucsd.edu>
Message-ID: <47CEBA28.8060609@redhat.com>

Ben Cohen wrote:
> Did anyone find a fix for this?
> I'm having the same problem.
>
> Here's the interactive output from register-ds-admin.pl
>
> [root at generic-02 ~]# register-ds-admin.pl --debug
> Beginning registration of the Directory Server
> ==============================================================================
> The Directory Server locates its configuration file (dse.ldif) at
> /etc/dirsrv/slapd-ID, by default. If you have Directory Server(s)
> which configuration file is put at the other location, you need to
> input it to register the server.
>
> If you have such Directory Server, type the full path that stores the
> configuration file.
>
> If you don't, type return.
> [configuration directory path or return]:
>
>
> ==============================================================================
>
> Candidate servers to register:
> /etc/dirsrv/slapd-generic-02
> /etc/dirsrv/slapd-temp-02
>
> ==============================================================================
>
> Do you want to use this server as Configuration Directory Server?
>
> Directory server identifier [generic-02]:
>
> ==============================================================================
>
> Registering new Config DS: generic-02
>
> ==============================================================================
>
> Input the Directory Server password on the server generic-02:
>
> ==============================================================================
>
> Please input the password for the Administrator User uid=admin,
> ou=Administrators, ou=TopologyManagement, o=NetscapeRoot:
> Error: failed to register the configuration server info to the
> Configuration Directory Server generic-02.
>
> ==============================================================================
>
> Please input the password for the Administrator User uid=admin,
> ou=Administrators, ou=TopologyManagement, o=NetscapeRoot:
> Error: failed to register the configuration server info to the
> Configuration Directory Server generic-02.
>
> ==============================================================================
>
> Please input the password for the Administrator User uid=admin,
> ou=Administrators, ou=TopologyManagement, o=NetscapeRoot:
>
> and here is the output of the .log file
>
> [root at generic-02 ~]# cat /tmp/setupJYeuBo.log
> [08/03/04:13:15:25] - [Setup] Info Beginning registration of the
> Directory Server[08/03/04:13:15:26] - [Setup] Info Candidate servers
> to register:
> [08/03/04:13:15:26] - [Setup] Info Do you want to use this server as
> Configuration Directory Server?
>
> [08/03/04:13:15:26] - [Setup] Info Directory server identifier
> [08/03/04:13:15:33] - [Setup] Info generic-02
> [08/03/04:13:15:33] - [Setup] Info Registering new Config DS: generic-02
> [08/03/04:13:15:42] - [Setup] Warning Error: failed to register the
> configuration server info to the Configuration Directory Server
> generic-02.
> [08/03/04:13:15:44] - [Setup] Warning Error: failed to register the
> configuration server info to the Configuration Directory Server
> generic-02.
I think there is a bug somewhere that causes the directory server you select to be the configuration directory server (in your case, generic-02) to have the pass through auth plugin enabled. Try this - when you get to the prompt to input the password for the Administrator User, in another window, shutdown that directory server, edit dse.ldif - search for the Pass Through Auth plugin (not the PAM pass through auth plugin) and set the nsslapd-pluginEnabled attribute to off, then restart that server. Then resume with the prompt to input the password.
>
>
> Rich Megginson wrote:
>>
>> Howard Wilkinson wrote:
>>> Richard et al,
>>>
>>> I have obviously confused you on this so to start again!
>>>
>>> I have four machines on which I am installing directory server
>>> version 1.1.
>>>
>>> I have automated the install so that I start with a virgin install
>>> every time - erase the packages and delete all of the files left
>>> lying around and then reinstall the packages.
>>>
>>> I want to set up the four machines in a fault-tolerant fashion. So I
>>> have an initial master, a secondary on a separate machine, and 2
>>> consumers on the other machines.
>>>
>>> I can setup the servers on each machine with their own admin server
>>> and can get the SSL working and have modified the mmr script and can
>>> get all other server to replicate. Master and Secondary in
>>> multi-master mode, consumers fed from master and secondary.
>>>
>>> What I want to achieve is to have all of the servers sharing the
>>> o=NetscapeRoot partition (i.e. all having an admin server but all
>>> having the same configuration for the admin server). Now this means
>>> that they need to be in a mesh multi-master - OK I can set that up
>>> but I can't get the servers to register cleanly with the individual
>>> admin servers on each of the machines.
>> Ok. I understand. First, you have to follow these guidelines -
>> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-ADS-for-Failover.html
>>
>>
>> Next, it sounds like you are running into this bug -
>> https://bugzilla.redhat.com/show_bug.cgi?id=431103
> Have followed these instructions, with the fixes from the patch and we
> are further along! I now have all servers registered on the master
> server and can see them from there as expected.
>
> I now face an issue with "register-ds-admin.pl" when I run it in the
> secondary server I get the following output.
> If you have such Directory Server, type the full path that stores the
> configuration file.
>
> If you don't, type return.
> [configuration directory path or return]:
>
>
> ==============================================================================
>
> Candidate servers to register:
> /etc/dirsrv/slapd-backus
>
> ==============================================================================
>
> Do you want to use this server as Configuration Directory Server?
>
> Directory server identifier: backus
>
> ==============================================================================
>
> Do you want to use this server as Configuration Directory Server?
>
> Directory server identifier:
> and this just keeps cycling asking the same question.
>
> If I run on one of the consumers the behaviour is different but still
> not very useful. I get a bit further but it refuses to recognise the
> admin password.
> Do you want to use this server as Configuration Directory Server?
>
> Directory server identifier: barnacle
>
> ==============================================================================
>
> Cleaning up old Config DS:
>
> ==============================================================================
>
> Please input the password for the Administrator User uid=admin,
> ou=Administrators, ou=TopologyManagement, o=NetscapeRoot:
> Error: failed to clean up the configuration info from the old
> Configuration
> Directory Server .
>
> ==============================================================================
>
> Please input the password for the Administrator User uid=admin,
> ou=Administrators, ou=TopologyManagement, o=NetscapeRoot:
> I get the same behaviour if I run on the Master server.
>
> Any suggestions?
>
> .............
>
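The workaround Rich gives above (stop the directory server, set nsslapd-pluginEnabled to off on the LDAP Pass Through Auth plugin entry in dse.ldif, leave the PAM Pass Through Auth plugin alone, restart) is easy to get wrong by hand because the two plugin entries have similar names. The script below is an added example, not code from the thread, from register-ds-admin.pl or from the directory server project: it rewrites only the non-PAM entry, keeps a backup, and reads the result back so the change can be checked. The plugin cn values in the constructed sample fragment are assumed for the example; the file must only be edited while the server is stopped, as the message says.

```python
"""Disable the LDAP Pass Through Auth plugin in a dse.ldif (added example).

Edit only a stopped server's dse.ldif, then restart it. The PAM Pass
Through Auth plugin entry is deliberately left untouched.
"""
import shutil
from pathlib import Path
from typing import List, Tuple

# Constructed sample fragment of a dse.ldif. The cn values are assumptions
# for this example; a real file carries many more entries and attributes.
SAMPLE_DSE = """\
dn: cn=Pass Through Authentication,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
cn: Pass Through Authentication
nsslapd-pluginEnabled: on

dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
cn: PAM Pass Through Auth
nsslapd-pluginEnabled: on
"""


def split_entries(text: str) -> List[List[str]]:
    """Split LDIF text into entries (lists of attribute lines).

    Entries are separated by blank lines; a line starting with a space is
    an LDIF continuation and is joined to the previous line.
    """
    entries: List[List[str]] = []
    current: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]
        elif raw.strip() == "":
            if current:
                entries.append(current)
                current = []
        else:
            current.append(raw)
    if current:
        entries.append(current)
    return entries


def entry_dn(entry: List[str]) -> str:
    for line in entry:
        if line.lower().startswith("dn:"):
            return line[3:].strip()
    return ""


def is_ldap_passthru(entry: List[str]) -> bool:
    """True for the LDAP Pass Through Auth plugin entry, False for the PAM one."""
    rdn = entry_dn(entry).split(",", 1)[0].lower()   # e.g. "cn=pass through authentication"
    value = rdn.partition("=")[2].strip()
    return "pass through auth" in value and not value.startswith("pam")


def disable_ldap_passthru(text: str) -> Tuple[str, int]:
    """Return (rewritten dse.ldif text, number of entries actually changed)."""
    out: List[str] = []
    changed = 0
    for entry in split_entries(text):
        if is_ldap_passthru(entry):
            rewritten: List[str] = []
            seen = False
            for line in entry:
                if line.lower().startswith("nsslapd-pluginenabled:"):
                    seen = True
                    if line.partition(":")[2].strip().lower() != "off":
                        changed += 1
                    line = "nsslapd-pluginEnabled: off"
                rewritten.append(line)
            if not seen:                    # attribute absent: state it explicitly
                rewritten.append("nsslapd-pluginEnabled: off")
                changed += 1
            entry = rewritten
        out.append("\n".join(entry))
    return "\n\n".join(out) + "\n", changed


def plugin_enabled(text: str, cn: str) -> str:
    """Read back nsslapd-pluginEnabled for the entry whose first RDN is cn=<cn>."""
    for entry in split_entries(text):
        if entry_dn(entry).lower().startswith("cn=" + cn.lower() + ","):
            for line in entry:
                if line.lower().startswith("nsslapd-pluginenabled:"):
                    return line.partition(":")[2].strip()
    return ""


def patch_dse_file(path: Path) -> int:
    """Back up <path> to <path>.bak, rewrite it in place, return entries changed."""
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    new_text, changed = disable_ldap_passthru(path.read_text())
    path.write_text(new_text)
    return changed


if __name__ == "__main__":
    new_text, n = disable_ldap_passthru(SAMPLE_DSE)
    print(f"{n} entry changed")
    print(new_text)
```

Running it a second time reports zero changes, which is a cheap way to confirm the edit took; `patch_dse_file(Path("/etc/dirsrv/slapd-ID/dse.ldif"))` is the real-file form, with the instance name substituted.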
From rmeggins at redhat.com Wed Mar 5 15:21:00 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 05 Mar 2008 08:21:00 -0700
Subject: [Fedora-directory-users] Prolem with pam_passthru
In-Reply-To: <47CD8F64.8040800@messinalug.org>
References: <47CD4D3F.2070207@messinalug.org> <47CD696E.1080507@redhat.com> <47CD6BFD.3010500@messinalug.org> <47CD6E41.9080306@redhat.com> <47CD726E.9020905@messinalug.org> <47CD7E4E.9090801@redhat.com> <47CD8F64.8040800@messinalug.org>
Message-ID: <47CEBA5C.6060601@redhat.com>

Giovanni Mancuso wrote:
> The TRACE is:
>
> [04/Mar/2008:19:04:15 +0100] - <= slapi_reslimit_get_integer_limit()
> returning NO VALUE
> [04/Mar/2008:19:04:15 +0100] - => slapi_control_present (looking for
> 2.16.840.1.113730.3.4.2)
> [04/Mar/2008:19:04:15 +0100] - => slapi_reslimit_get_integer_limit()
> conn=0xb669b948, handle=3
> [04/Mar/2008:19:04:15 +0100] - <= slapi_control_present 0 (NOT FOUND)
> [04/Mar/2008:19:04:15 +0100] - <= slapi_reslimit_get_integer_limit()
> returning NO VALUE
> [04/Mar/2008:19:04:15 +0100] - => slapi_control_present (looking for
> 1.3.6.1.4.1.42.2.27.8.5.1)
> [04/Mar/2008:19:04:15 +0100] - => slapi_reslimit_get_integer_limit()
> conn=0xb669b8a8, handle=3
> [04/Mar/2008:19:04:15 +0100] - <= slapi_control_present 1 (FOUND)
> [04/Mar/2008:19:04:15 +0100] - <= slapi_reslimit_get_integer_limit()
> returning NO VALUE
> [04/Mar/2008:19:04:15 +0100] - <= get_ldapmessage_controls 1 controls
> [04/Mar/2008:19:04:15 +0100] - => slapi_reslimit_get_integer_limit()
> conn=0xb669b808, handle=3
> [04/Mar/2008:19:04:15 +0100] - => slapi_control_present (looking for
> 2.16.840.1.113730.3.4.16)
> [04/Mar/2008:19:04:15 +0100] - <= slapi_reslimit_get_integer_limit()
> returning NO VALUE
> [04/Mar/2008:19:04:15 +0100] - <= slapi_control_present 0 (NOT FOUND)
> [04/Mar/2008:19:04:15 +0100] - do_bind: version 3 method 0x80 dn
> uid=usertest,ou=people,dc=castest.it,dc=babel,dc=int
> [04/Mar/2008:19:04:15 +0100] - mapping tree selected backend : userRoot
> [04/Mar/2008:19:04:15 +0100] - Calling plugin 'Legacy replication
> preoperation plugin' #3 type 401
> [04/Mar/2008:19:04:15 +0100] - Calling plugin 'Multimaster replication
> preoperation plugin' #4 type 401
> [04/Mar/2008:19:04:15 +0100] - Calling plugin 'PAM Pass Through Auth'
> #5 type 401
> [04/Mar/2008:19:04:15 +0100] - allow_operation: component identity is NULL
Looks like the bug is here. The component identity is NULL when it should not be. Can you please file a bug about this issue?
> [04/Mar/2008:19:04:15 +0100] pam_passthru-plugin - Could not find BIND
> dn uid=usertest,ou=people,dc=castest.it,dc=babel,dc=int (error 32 - No
> such object)
> [04/Mar/2008:19:04:15 +0100] pam_passthru-plugin - Bind DN
> [uid=usertest,ou=people,dc=castest.it,dc=babel,dc=int] is invalid or
> not found
> [04/Mar/2008:19:04:15 +0100] - => send_ldap_result 32::Bind DN
> [uid=usertest,ou=people,dc=castest.it,dc=babel,dc=int] is invalid or
> not found
> [04/Mar/2008:19:04:15 +0100] - add_pb
> [04/Mar/2008:19:04:15 +0100] - <= send_ldap_result
> [04/Mar/2008:19:04:15 +0100] - get_pb
> [04/Mar/2008:19:04:15 +0100] - => slapi_reslimit_get_integer_limit()
> conn=0xb669b8a8, handle=3
> [04/Mar/2008:19:04:15 +0100] - do_unbind
> [04/Mar/2008:19:04:15 +0100] - <= slapi_reslimit_get_integer_limit()
> returning NO VALUE
> [04/Mar/2008:19:04:15 +0100] - => get_ldapmessage_controls
> [04/Mar/2008:19:04:15 +0100] - => slapi_reslimit_get_integer_limit()
> conn=0xb669b808, handle=3
> [04/Mar/2008:19:04:15 +0100] - <= get_ldapmessage_controls no controls
> [04/Mar/2008:19:04:15 +0100] - <= slapi_reslimit_get_integer_limit()
> returning NO VALUE
> [04/Mar/2008:19:04:15 +0100] - defbackend_noop
> [04/Mar/2008:19:04:16 +0100] - ldbm backend flushing
> [04/Mar/2008:19:04:16 +0100] - ldbm backend done flushing
> [04/Mar/2008:19:04:16 +0100] - ldbm backend flushing
> [04/Mar/2008:19:04:16 +0100] - ldbm backend done flushing
>
>
> Rich Megginson wrote:
>> Giovanni Mancuso wrote:
>>> Rich Megginson wrote:
>>>> However, if you turn on the TRACE debug log level you might find
>>>> some clues -
>>>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>>>>
>>>> One more thing - in your config you have both
>>> no, sorry, i meant:
>>> the pam_passthru auth works if I set
>>> pamIDMapMethod: RDN
>>> but it maps the wrong user
>> Ok. So this means you have a user uid=username whose pam login is
>> not "username".
>>>
>>> then if I change the dse.ldif and put
>>> pamIDMapMethod: ENTRY
>>> pamIDAttr: mail
>>> then the slapi_something_() won't find the entry even if it's there...
>>> anyway yes, I want to use the email as the pam userid.
>>>
>>> I wish it's clearer now..
>> Yes. So I think the next step will be to turn on TRACE level
>> debugging in the error log to see why it cannot find your entry.
>>>
>>> Thx,
>>> Giovanni
>>>
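Giovanni's two configurations differ in where the PAM login name comes from: with pamIDMapMethod: RDN it is the value of the bind DN's first RDN (usertest here), with no entry lookup at all, which is why it "maps the wrong user" when the PAM login is not the uid; with pamIDMapMethod: ENTRY it is the value of pamIDAttr read from the bound entry, so the entry lookup matters and a miss surfaces as the error 32 line in the trace. The Python model below is an added example, not code from the plugin or from this thread; the directory contents are constructed (the DN copies the one in the trace, the mail value is made up), and the DN comparison is simplified to case-folding.

```python
"""Model of pam_passthru's pamIDMapMethod RDN vs ENTRY mapping (added example)."""
from typing import Dict, List, Optional

# Constructed sample directory: bind DN -> attributes (keys lower-cased).
# The DN mirrors the one in the trace; the mail value is made up.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=usertest,ou=people,dc=castest.it,dc=babel,dc=int": {
        "uid": ["usertest"],
        "mail": ["usertest@castest.it"],
    },
}


class PamMapError(Exception):
    """The bind DN could not be mapped to a PAM user id."""


def normalize_dn(dn: str) -> str:
    """Case-fold and strip spaces around RDN separators before comparing.

    Simplification: real DN matching depends on each attribute's syntax;
    uid, ou and dc are case-insensitive, which is all this example needs.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def rdn_value(bind_dn: str) -> str:
    """Value of the first RDN: 'uid=usertest,ou=people,...' -> 'usertest'."""
    first = bind_dn.split(",", 1)[0]
    return first.partition("=")[2].strip()


def lookup(bind_dn: str, directory=DIRECTORY) -> Optional[Dict[str, List[str]]]:
    """Find the entry for bind_dn, or None (the LDAP error 32 case)."""
    wanted = normalize_dn(bind_dn)
    for dn, attrs in directory.items():
        if normalize_dn(dn) == wanted:
            return attrs
    return None


def pam_user_id(bind_dn: str, method: str, id_attr: str = "uid",
                directory=DIRECTORY) -> str:
    """Return the name that would be handed to PAM for this bind.

    RDN:   first RDN value of the bind DN; the entry is never consulted.
    ENTRY: first value of id_attr (pamIDAttr) on the bound entry; raises
           PamMapError with the error-32 wording when the entry is missing.
    """
    method = method.upper()
    if method == "RDN":
        return rdn_value(bind_dn)
    if method == "ENTRY":
        attrs = lookup(bind_dn, directory)
        if attrs is None:
            raise PamMapError(
                f"Could not find BIND dn {bind_dn} (error 32 - No such object)")
        values = attrs.get(id_attr.lower(), [])
        if not values:
            raise PamMapError(f"entry {bind_dn} has no {id_attr} value to map")
        return values[0]
    raise PamMapError(f"unsupported pamIDMapMethod {method!r}")


if __name__ == "__main__":
    dn = "uid=usertest,ou=people,dc=castest.it,dc=babel,dc=int"
    print("RDN   ->", pam_user_id(dn, "RDN"))
    print("ENTRY ->", pam_user_id(dn, "ENTRY", id_attr="mail"))
```

The ENTRY path is the one to test against a copy of the real entry: if the lookup in this model succeeds but the server still logs "Could not find BIND dn", the problem is on the server side (as Rich's reading of the NULL component identity suggests), not in the attribute choice.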
From bagyi at mail.fmkorhaz.hu Wed Mar 5 17:00:24 2008
From: bagyi at mail.fmkorhaz.hu (Tamas Bagyal)
Date: Wed, 05 Mar 2008 18:00:24 +0100
Subject: [Fedora-directory-users] notes on building fds in etch and a failed build question
In-Reply-To: <47CEB97C.3070107@redhat.com>
References: <200802192232.02999.Ryan.Braun@ec.gc.ca> <200802251508.50693.Ryan.Braun@ec.gc.ca> <47C325E9.4010600@redhat.com> <200802261624.06814.Ryan.Braun@ec.gc.ca> <47CC34AD.6000409@mail.fmkorhaz.hu> <47CC37D3.70500@redhat.com> <47CC3FD0.7010300@fmkorhaz.hu> <47CD69C2.2030209@redhat.com> <47CE97A6.5020701@mail.fmkorhaz.hu> <47CEB97C.3070107@redhat.com>
Message-ID: <47CED1A8.5080608@mail.fmkorhaz.hu>

Rich Megginson wrote:
> Tamas Bagyal wrote:
>> Rich Megginson wrote:
>>> Bagyal Tamas wrote:
>>>> Rich Megginson wrote:
>>>>> Tamas Bagyal wrote:
>>>>>> hello Ryan,
>>>>>>
>>>>>> you tried this version? i have two fedora-ds 1.0.4 in mmr
>>>>>> configuration. i migrate one of those to 1.1 (built by your and
>>>>>> Rich's instructions). but i have a problem with memory usage of
>>>>>> ns-slapd process. initially mem usage is 18.5% but after 2 hours
>>>>>> this changed to 23.1% and grew until killed by kernel. (i think...)
>>>>>>
>>>>>> mostly read transactions happen (dns) with a few write (cups).
>>>>>> this is a debian etch, mem size is 512 mbyte (i know this is too
>>>>>> low, but this is a test environment). cache size of slapd is
>>>>>> 67108864.
>>>>> Are you using SSL? Anything interesting in your server error log?
>>>>
>>>> I ran the setupssl2.sh but do not use any ssl connection. error log
>>>> shows nothing, only the server start.
>>> The reason I ask is that older versions of the NSS crypto/SSL
>>> libraries had a memory leak. NSS 3.11.7 does not have this problem.
>>> But you would only see the problem if you were using SSL connections.
>>
>> ok. I tried again from beginning.
>> fresh install, no ssl, no migration,
>> used the setup-ds-admin.pl and setup the mmr with a fedora-ds 1.0.4.
>> but nothing changed, memory usage growing...
>> All setting is default except the mmr/changelog and access.log is off.
>>
>> errors:
>>
>> Fedora-Directory/1.1.0 B2008.059.1017
>> tower.fmintra.hu:389 (/opt/dirsrv/etc/dirsrv/slapd-tower)
>>
>>
>> [05/Mar/2008:10:19:20 +0100] - dblayer_instance_start: pagesize: 4096,
>> pages: 128798, procpages: 5983
>> [05/Mar/2008:10:19:20 +0100] - cache autosizing: import cache: 204800k
>> [05/Mar/2008:10:19:21 +0100] - li_import_cache_autosize: 50,
>> import_pages: 51200, pagesize: 4096
>> [05/Mar/2008:10:19:21 +0100] - WARNING: Import is running with
>> nsslapd-db-private-import-mem on; No other process is allowed to
>> access the database
>> [05/Mar/2008:10:19:21 +0100] - dblayer_instance_start: pagesize: 4096,
>> pages: 128798, procpages: 5983
>> [05/Mar/2008:10:19:21 +0100] - cache autosizing: import cache: 204800k
>> [05/Mar/2008:10:19:21 +0100] - li_import_cache_autosize: 50,
>> import_pages: 51200, pagesize: 4096
>> [05/Mar/2008:10:19:21 +0100] - import userRoot: Beginning import job...
>> [05/Mar/2008:10:19:21 +0100] - import userRoot: Index buffering
>> enabled with bucket size 100
>> [05/Mar/2008:10:19:21 +0100] - import userRoot: Processing file
>> "/tmp/ldifZHth0D.ldif"
>> [05/Mar/2008:10:19:21 +0100] - import userRoot: Finished scanning file
>> "/tmp/ldifZHth0D.ldif" (9 entries)
>> [05/Mar/2008:10:19:21 +0100] - import userRoot: Workers finished;
>> cleaning up...
>> [05/Mar/2008:10:19:21 +0100] - import userRoot: Workers cleaned up.
>> [05/Mar/2008:10:19:21 +0100] - import userRoot: Cleaning up producer
>> thread...
>> [05/Mar/2008:10:19:21 +0100] - import userRoot: Indexing complete.
>> Post-processing...
>> [05/Mar/2008:10:19:21 +0100] - import userRoot: Flushing caches...
>> [05/Mar/2008:10:19:21 +0100] - import userRoot: Closing files...
>> [05/Mar/2008:10:19:21 +0100] - All database threads now stopped
>> [05/Mar/2008:10:19:21 +0100] - import userRoot: Import complete.
>> Processed 9 entries in 0 seconds. (inf entries/sec)
>> [05/Mar/2008:10:19:22 +0100] - Fedora-Directory/1.1.0 B2008.059.1017
>> starting up
>> [05/Mar/2008:10:19:22 +0100] - I'm resizing my cache now...cache was
>> 209715200 and is now 8000000
>> [05/Mar/2008:10:19:22 +0100] - slapd started. Listening on All
>> Interfaces port 389 for LDAP requests
>> [05/Mar/2008:10:22:23 +0100] NSMMReplicationPlugin - changelog program
>> - cl5Open: failed to open changelog
>> [05/Mar/2008:10:22:24 +0100] NSMMReplicationPlugin - changelog program
>> - changelog5_config_add: failed to start changelog
>> [05/Mar/2008:10:26:49 +0100] NSMMReplicationPlugin - agmt="cn=replica
>> to backup" (backup:389): Replica has a different generation ID than
>> the local data.
>> [05/Mar/2008:10:32:00 +0100] NSMMReplicationPlugin -
>> repl_set_mtn_referrals: could not set referrals for replica
>> dc=fmintra,dc=hu: 32
>> [05/Mar/2008:10:32:00 +0100] NSMMReplicationPlugin -
>> multimaster_be_state_change: replica dc=fmintra,dc=hu is going
>> offline; disabling replication
>> [05/Mar/2008:10:32:00 +0100] - WARNING: Import is running with
>> nsslapd-db-private-import-mem on; No other process is allowed to
>> access the database
>> [05/Mar/2008:10:32:13 +0100] - import userRoot: Workers finished;
>> cleaning up...
>> [05/Mar/2008:10:32:13 +0100] - import userRoot: Workers cleaned up.
>> [05/Mar/2008:10:32:13 +0100] - import userRoot: Indexing complete.
>> Post-processing...
>> [05/Mar/2008:10:32:13 +0100] - import userRoot: Flushing caches...
>> [05/Mar/2008:10:32:13 +0100] - import userRoot: Closing files...
>> [05/Mar/2008:10:32:14 +0100] - import userRoot: Import complete.
>> Processed 12242 entries in 13 seconds.
>> (941.69 entries/sec)
>> [05/Mar/2008:10:32:14 +0100] NSMMReplicationPlugin -
>> multimaster_be_state_change: replica dc=fmintra,dc=hu is coming
>> online; enabling replication
>>
>> memory usage by top:
>>
>> top - 10:58:21 up 25 days, 22:36, 2 users, load average: 0.01, 0.13,
>> 0.22
>> Tasks: 61 total, 2 running, 59 sleeping, 0 stopped, 0 zombie
>> Cpu(s): 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi,
>> 0.0%si, 0.0%st
>> Mem: 515192k total, 189600k used, 325592k free, 36472k buffers
>> Swap: 489848k total, 18292k used, 471556k free, 106188k cached
>>
>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
>> 27647 fds 15 0 464m 47m 25m S 0.0 9.4 1:34.57 ns-slapd
>>
>>
>> top - 11:23:12 up 25 days, 23:01, 2 users, load average: 0.36, 0.27,
>> 0.20
>> Tasks: 61 total, 2 running, 59 sleeping, 0 stopped, 0 zombie
>> Cpu(s): 3.0%us, 0.0%sy, 0.0%ni, 96.0%id, 1.0%wa, 0.0%hi,
>> 0.0%si, 0.0%st
>> Mem: 515192k total, 210700k used, 304492k free, 36488k buffers
>> Swap: 489848k total, 18288k used, 471560k free, 117204k cached
>>
>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
>> 27647 fds 15 0 473m 59m 28m S 3.0 11.9 2:52.77 ns-slapd
>>
>>
>> top - 11:48:26 up 25 days, 23:26, 2 users, load average: 0.02, 0.08,
>> 0.10
>> Tasks: 61 total, 1 running, 60 sleeping, 0 stopped, 0 zombie
>> Cpu(s): 3.0%us, 0.0%sy, 0.0%ni, 97.0%id, 0.0%wa, 0.0%hi,
>> 0.0%si, 0.0%st
>> Mem: 515192k total, 222756k used, 292436k free, 36520k buffers
>> Swap: 489848k total, 18288k used, 471560k free, 118932k cached
>>
>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
>> 27647 fds 15 0 483m 72m 30m S 0.0 14.4 4:12.04 ns-slapd
>>
>>
>> top - 13:31:42 up 26 days, 1:09, 2 users, load average: 0.28, 0.17,
>> 0.15
>> Tasks: 61 total, 2 running, 59 sleeping, 0 stopped, 0 zombie
>> Cpu(s): 1.1%us, 0.0%sy, 0.0%ni, 98.9%id, 0.0%wa, 0.0%hi,
>> 0.0%si, 0.0%st
>> Mem: 515192k total, 285572k used, 229620k free, 36540k buffers
>> Swap: 489848k total, 18288k used, 471560k free, 140412k cached
>>
>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
>> 27647 fds 15 0 523m 116m 34m S 0.0 23.3 9:35.65 ns-slapd
> Can you post your dse.ldif to pastebin.com? Be sure to omit or obscure
> any sensitive data first. I'd like to see what all of your cache
> settings are. Normally the server will increase in memory usage until
> the caches are full, then memory usage should level off. The speed at
> which this occurs depends on usage.
>
http://www.pastebin.org/22477

i forget a thing. i use some custom schema (ldapdns, ibm... etc.) if this changes anything. (but i think this is not relevant info)

> When the kernel kills your server, how much memory is it using? Is
> there anything in the server error log at around the time the kernel
> kills it?
>
i'm not sure, but at the time use the maximum as possible (512ram + 512 swap available) i think around 940mb, the kernel first kill some other processes, like mc, and after these the ns-slapd. I can't see anything in the log file, just the server start.

> Finally, if you are convinced that there is a real memory leak in the
> server, would it be possible for you to run it under valgrind? Just
> running it under valgrind for 30 minutes or so should reveal any memory
> leaks in normal usage.

http://www.pastebin.org/22484

I can't understand this output, I never used valgrind before. I hope I used the right options for valgrind.
>>
>>>>>>
>>>>>> can you give any help?
>>>>>>
>>>>>> thanks,
>>>>>>
>>>>>> KeeF
>>>>>>
>>>>>> Ryan Braun wrote:
>>>>>>>>> A couple little bugs creeped up during the build. I think it
>>>>>>>>> was during
>>>>>>>>> the make install of ldapserver. One of the binaries (the first
>>>>>>>>> one I
>>>>>>>>> guess) was copied to /opt/dirsrv/bin (the bin being a file not a
>>>>>>>>> directory) so the /opt/dirsrv/bin directory isn't getting
>>>>>>>>> created. Quick
>>>>>>>>> fix was just renaming /opt/dirsrv/bin to
>>>>>>>>> /opt/dirsrv/bin.something and
>>>>>>>>> rerunning make.
>>>>>>>>> Executing /opt/dirsrv/bin.something looks like
>>>>>>>>> the binary
>>>>>>>>> might be ldappasswd?
>>>>>>>> Probably a bug in ds/mozldap/Makefile in the install section.
>>>>>>>
>>>>>>> I had a peek in there, it looks ok, but I'll add a mkdir -p
>>>>>>> /opt/dirsrv/bin before the copy loop and see if that works next
>>>>>>> time I build.
>>>>>>>>> Second, there seems to be a missing library.
>>>>>>>>>
>>>>>>>>> Starting admin server . . .
>>>>>>>>> output: ERROR: ld.so: object '/opt/dirsrv/lib/libssl3.so' from
>>>>>>>>> LD_PRELOAD
>>>>>>>>> cannot be preloaded: ignored.
>>>>>>>>> output: apache2: Syntax error on line 123
>>>>>>>>> of /opt/dirsrv/etc/dirsrv/admin-serv/httpd.conf: module
>>>>>>>>> log_config_module
>>>>>>>>> is built-in and can't be loaded
>>>>>>>>> Could not start the admin server. Error: 256
>>>>>>>>> Failed to create and configure the admin server
>>>>>>>>> Exiting . . .
>>>>>>>>>
>>>>>>>>> I assumed the libssl3.so was supposed to be provided by
>>>>>>>>> building nss from
>>>>>>>>> source. So I just symlinked the system's libssl3.so provided by
>>>>>>>>> libnss3-0d back to /opt/dirsrv/lib/.
>>>>>>>> Ok. Or just edit the start-ds-admin script. Looks like a bug - it
>>>>>>>> should use the correct path to libssl3.so. But then the NSS devel
>>>>>>>> support in etch is not quite there.
>>>>>>>
>>>>>>> Gotcha
>>>>>>>
>>>>>>>>> Which leads me to my next question. The java components, are
>>>>>>>>> they only
>>>>>>>>> required for running the console on your client machines? So
>>>>>>>>> building
>>>>>>>>> with NOJAVA=1 will provide a fully working adminserver and
>>>>>>>>> ldapserver, just no console bina
>>>>>>>>> ries?
>>>>>>>> Mostly correct. The only thing is that the way the console
>>>>>>>> works, it
>>>>>>>> downloads the ds and ds-admin jar files from the admin server.
>>>>>>>> However,
>>>>>>>> if you build them on the client machine and install them into
>>>>>>>> $HOME/.fedora-idm-console/jars then the console will just use
>>>>>>>> the local
>>>>>>>> ones.
>>>>>>>
>>>>>>> Ok, well I tried installing the windows console on one of the
>>>>>>> windows boxes around here (easier than downloading fc isos :) ),
>>>>>>> fired up the console and am able to connect and it looks like it
>>>>>>> wants to work, then it reports back that it can't find the
>>>>>>> jars. So that being said, is there an easy way to use FC jars,
>>>>>>> or do I need to build them for debian? (I have started trying to
>>>>>>> build jss but am having some issues)
>>>>>>>
>>>>>>>>> To be honest, I haven't really looked into the different post
>>>>>>>>> install
>>>>>>>>> process' with 1.1.0 since 1.0.4 so the reason I could have missing
>>>>>>>>> entries in the console could very well be my own fault :)
>>>>>>>>>
>>>>>>>>> Also, if I want to fine tune the location of some of
>>>>>>>>> directories during
>>>>>>>>> build. is it safe to modify the CONFIGURE_ARGS variable in the
>>>>>>>>> adminserver and ldapserver's Makefile? I want to put
>>>>>>>>> /opt/dirsrv/etc/dirsrv into /etc/dirsrv as well as
>>>>>>>>> /opt/dirsrv/var into
>>>>>>>>> /var?
>>>>>>>> Yes, for those components whose configure respect --sysconfdir and
>>>>>>>> --localstatedir - which means not the mozilla components
>>>>>>>> (mozldap, etc.)
>>>>>>>> but everything else should work just fine. You'll also have to
>>>>>>>> tweak
>>>>>>>> the --prefix argument which is set by default.
>>>>>>>
>>>>>>> I'll play around with some options. I've started a wiki page for
>>>>>>> the debian build. I don't have it linked onto the main page,
>>>>>>> but you can check it out in recent changes.
>>>>>>>
>>>>>>> Ryan
>>>>>>>
>>
>>

From squid at oranged.to Wed Mar 5 17:22:37 2008
From: squid at oranged.to (Jimmy Stewpot)
Date: Wed, 05 Mar 2008 17:22:37 +0000
Subject: [Fedora-directory-users] SecurID and FDS/RHDS
Message-ID: <47CED6DD.7030605@oranged.to>

Hello,

I am keen to know if anyone has any experience with RHDS or FDS with SecurID. I asked our RSA sales consultant who said it was not supported. I noticed that Sun Directory Server is on the list which comes from the same base so I'm wondering if anyone has it working and if there are any gotchas.

Regards,

Jimmy

From kmarsh at gdrs.com Wed Mar 5 18:39:06 2008
From: kmarsh at gdrs.com (Ken Marsh)
Date: Wed, 5 Mar 2008 13:39:06 -0500
Subject: [Fedora-directory-users] Adding users to additional Linux/Posix groups
Message-ID: <5AD9B0E562FEFB4E933861904D7135C5796595@gdrs-exchange.gdrs.com>

Hi,

I read the previous post on Unix groups, and I read the linked information on mapping to ACI's. This is far more involved than my question (and I didn't find the answer, either). I am looking to simply add a Linux user to more than one Posix group. I've searched through the docs and have yet to find a clear simple explanation of how to do this. Do I just use commas to separate on the value in the existing posix group attributes?

Thanks,

Ken Marsh
ANS System Administration Lead
(410) 876-9200
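On Ken's question of whether to comma-separate values: a POSIX user's secondary groups are not stored on the user entry at all. Each posixGroup entry lists its members as separate memberUid values, so putting a user in several groups means one memberUid value in each of those group entries, added with an LDIF modify record per group rather than a delimited string. The snippet below is an added example, not code from this thread or from the Fedora Directory Server project; the group DNs and user names are constructed, and apply_ldif is only an in-memory stand-in for what ldapmodify would do against the server.

```python
"""Express membership in several POSIX groups as LDIF (added example)."""
from typing import Dict, List

# Constructed sample: group DN -> current memberUid values.
GROUPS: Dict[str, List[str]] = {
    "cn=devel,ou=Groups,dc=domain,dc=com,dc=py": ["user1", "user2", "user3", "user4"],
    "cn=wheel,ou=Groups,dc=domain,dc=com,dc=py": ["user1"],
    "cn=www,ou=Groups,dc=domain,dc=com,dc=py": [],
}


def groups_of(uid: str, groups: Dict[str, List[str]] = GROUPS) -> List[str]:
    """DNs of every posixGroup that carries uid as a memberUid value."""
    return [dn for dn, members in groups.items() if uid in members]


def add_member_ldif(uid: str, group_dns: List[str],
                    groups: Dict[str, List[str]] = GROUPS) -> str:
    """LDIF modify records that add uid to each listed group it is not yet in.

    One memberUid value per line and one record per group. A value that is
    already present is skipped, because adding it again makes ldapmodify
    fail the whole record with attributeOrValueExists.
    """
    records = []
    for dn in group_dns:
        if dn not in groups:
            raise KeyError(f"unknown group {dn}")
        if uid in groups[dn]:
            continue
        records.append(
            f"dn: {dn}\n"
            "changetype: modify\n"
            "add: memberUid\n"
            f"memberUid: {uid}\n"
            "-\n"
        )
    return "\n".join(records)


def apply_ldif(ldif: str, groups: Dict[str, List[str]] = GROUPS) -> None:
    """Replay add: memberUid records against the in-memory groups.

    Test double for `ldapmodify -f file.ldif`; it understands only the
    records produced by add_member_ldif.
    """
    dn = None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("memberUid: ") and dn is not None:
            value = line[len("memberUid: "):]
            if value not in groups[dn]:
                groups[dn].append(value)


if __name__ == "__main__":
    wanted = ["cn=wheel,ou=Groups,dc=domain,dc=com,dc=py",
              "cn=www,ou=Groups,dc=domain,dc=com,dc=py"]
    print(add_member_ldif("user2", wanted))
```

The generated text is what you would hand to `ldapmodify -x -D "cn=Directory Manager" -W -f add.ldif`; after it runs, `groups_of` (or a search for `(memberUid=user2)`) lists every group the user now belongs to.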
From iferreir at personal.com.py Wed Mar 5 19:18:49 2008
From: iferreir at personal.com.py (Ivan Ferreira)
Date: Wed, 5 Mar 2008 16:18:49 -0300
Subject: [Fedora-directory-users] Adding users to additional Linux/Posix groups
In-Reply-To: <5AD9B0E562FEFB4E933861904D7135C5796595@gdrs-exchange.gdrs.com>
Message-ID:

If you want to do it simple, use a tool like ldapadmin.exe or phpldapadmin.

ldapadmin.sourceforge.net/
phpldapadmin.sourceforge.net/

What these tools will do is to add the user to the specified group. The LDIF entry for the group will be:

dn: cn=devel,ou=Groups,dc=domain,dc=com,dc=py
memberUid: user1
memberUid: user2
memberUid: user3
memberUid: user4

If the user belongs to more than one group, then the user will exist as an entry in more than one posixGroup object.

To: "Ken Marsh"
cc:
Sent by: fedora-directory-users-bounces at redhat.com
Subject: [Fedora-directory-users] Adding users to additional Linux/Posix groups
05/03/2008 03:39 p.m.
Classification: Internal Use
Please reply to: "General discussion list for the Fedora Directory server project."

Hi,

I read the previous post on Unix groups, and I read the linked information on mapping to ACI's. This is far more involved than my question (and I didn't find the answer, either). I am looking to simply add a Linux user to more than one Posix group. I've searched through the docs and have yet to find a clear simple explanation of how to do this. Do I just use commas to separate on the value in the existing posix group attributes?

Thanks,

Ken Marsh
ANS System Administration Lead
(410) 876-9200

========================================================================================
Si usted no es el destinatario original de este mensaje y por este medio pudo acceder a dicha informaci?n por favor elimine el mensaje. La distribuci?n o copia de este mensaje est? estrictamente prohibida. Esta comunicaci?n es s?lo para prop?sitos de informaci?n y no debe ser considerada como propuesta, aceptaci?n ni como una declaraci?n de voluntad oficial de NUCLEO S.A. La transmisi?n de e-mails no garantiza que el correo electr?nico sea seguro o libre de error. Por consiguiente, no manifestamos que esta informaci?n sea completa o precisa. Toda informaci?n est? sujeta a alterarse sin previo aviso. This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded neither as a proposal, acceptance nor as a statement of will or official statement from NUCLEO S.A. . Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice. From johnsimcall at gmail.com Wed Mar 5 19:26:26 2008 From: johnsimcall at gmail.com (John Call) Date: Wed, 5 Mar 2008 09:26:26 -1000 Subject: [Fedora-directory-users] Training / Certification Offerings Message-ID: Are there any training/certification offerings for FDS? Or, are there any highly suggested readings for self-study? 
John From squid at oranged.to Wed Mar 5 19:32:06 2008 From: squid at oranged.to (Jimmy Stewpot) Date: Wed, 05 Mar 2008 19:32:06 +0000 Subject: [Fedora-directory-users] Training / Certification Offerings In-Reply-To: References: Message-ID: <47CEF536.3080507@oranged.to> Hi, Here is a good start for you https://www.redhat.com/courses/rh423_red_hat_enterprise_directory_services_and_authentication/ Regards, Jimmy John Call wrote: > Are there any training/certification offerings for FDS? Or, are there > any highly suggested readings for self-study? > > John > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From johnsimcall at gmail.com Wed Mar 5 19:51:40 2008 From: johnsimcall at gmail.com (John Call) Date: Wed, 5 Mar 2008 09:51:40 -1000 Subject: [Fedora-directory-users] Training / Certification Offerings In-Reply-To: <47CEF536.3080507@oranged.to> References: <47CEF536.3080507@oranged.to> Message-ID: Thank you Jimmy, John On Mar 5, 2008, at 9:32 AM, Jimmy Stewpot wrote: > Hi, > > Here is a good start for you > > https://www.redhat.com/courses/rh423_red_hat_enterprise_directory_services_and_authentication/ > > Regards, > > Jimmy > > John Call wrote: >> Are there any training/certification offerings for FDS? Or, are >> there any highly suggested readings for self-study? 
>> John >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From solarflow99 at gmail.com Wed Mar 5 23:07:41 2008 From: solarflow99 at gmail.com (solarflow99) Date: Wed, 5 Mar 2008 15:07:41 -0800 Subject: [Fedora-directory-users] Adding users to additional Linux/Posix groups In-Reply-To: References: <5AD9B0E562FEFB4E933861904D7135C5796595@gdrs-exchange.gdrs.com> Message-ID: <7020fd000803051507o19876e26y409d3a4f811ae245@mail.gmail.com> I have no idea why you need to suggest a different front end for FDS. I was the one that asked about the groups, and as far as I can tell all he has to do is add the user to the various groups he wants right from the console. Just click on groups in the tree, and add members. On 3/5/08, Ivan Ferreira wrote: > > If you want to do it simple, use a tool like ldapadmin.exe or > phpldapadmin. > > ldapadmin.sourceforge.net/ > phpldapadmin.sourceforge.net/ > > What this tools will do is to add the user to the specified group. The > LDIF > entry for the group will be: > > dn: cn=devel,ou=Groups,dc=domain,dc=com,dc=py > memberUid: user1 > memberUid: user2 > memberUid: user3 > memberUid: user4 > > If the user belogs to more then one group, the the user will exist as an > entry in more than one posixGroup object. > > > > > > > Para > om> > "Ken Marsh" cc > > Enviado por: Asunto > fedora-directory-users-b [Fedora-directory-users] Adding > ounces at redhat.com users to additional Linux/Posix > groups > 05/03/2008 03:39 p.m. Clasificaci?n > Uso Interno > > > Por favor, responda a > "General discussion list > for the Fedora Directory > server project." > redhat.com> > > > > > > > Hi, > > I read the previous post on Unix groups, and I read the linked information > on mapping to ACI's. 
This is far more involved then my question (and I > didn't find the answer, either). > > I am looking to simply add a Linux user to more than one Posix group. I've > searched through the docs and have yet to find a clear simple explanation > of how to do this. Do I just use commas to separate on the value in the > existing posix group attributes? > > Thanks, > > Ken Marsh > ANS System Administration Lead > (410) 876-9200 > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > ======================================================================================== > AVISO LEGAL: Esta informaci?n es privada y confidencial y est? dirigida > ?nicamente a su destinatario. Si usted no es el destinatario original de > este mensaje y por este medio pudo acceder a dicha informaci?n por favor > elimine el mensaje. La distribuci?n o copia de este mensaje est? > estrictamente prohibida. Esta comunicaci?n es s?lo para prop?sitos de > informaci?n y no debe ser considerada como propuesta, aceptaci?n ni como > una declaraci?n de voluntad oficial de NUCLEO S.A. La transmisi?n de > e-mails no garantiza que el correo electr?nico sea seguro o libre de > error. > Por consiguiente, no manifestamos que esta informaci?n sea completa o > precisa. Toda informaci?n est? sujeta a alterarse sin previo aviso. > > This information is private and confidential and intended for the > recipient only. If you are not the intended recipient of this message you > are hereby notified that any review, dissemination, distribution or > copying of this message is strictly prohibited. This communication is for > information purposes only and shall not be regarded neither as a proposal, > acceptance nor as a statement of will or official statement from NUCLEO > S.A. . Email transmission cannot be guaranteed to be secure or error-free. 
> Therefore, we do not represent that this information is complete or > accurate and it should not be relied upon as such. All information is > subject to change without notice. > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From steve at cozi.com Thu Mar 6 03:50:37 2008 From: steve at cozi.com (Steve Jacobson) Date: Wed, 05 Mar 2008 19:50:37 -0800 Subject: [Fedora-directory-users] Install fails to create domain after re-install Message-ID: All, I had a successful installation of FDS 1.1 on CentOS 5.1 x86_64. I had a bunch of cruft in the directory from a poor migration, so I decided to start over with a re-install to get things clean. The uninstall was successful, and I wiped /etc/dirsrv, /var/lib/dirsrv, and /usr/share/dirsrv. Then I re-installed, and ran setup-ds-admin.pl. The dialogs were as expected, and seemed to be just fine. The setup program reported that everything was fine, and the directory was created. However, the domain didn?t materialize. There was nothing in the setup log to hint at any problem. 
I found the following messages in /var/log/messages: Mar 5 19:20:38 corp-admin-001 ns-slapd: unable to dlopen /usr/lib/sasl2/libcrammd5.so.2: /usr/lib/sasl2/libcrammd5.so.2: wrong ELF class: ELFCLASS32 Mar 5 19:20:38 corp-admin-001 ns-slapd: unable to dlopen /usr/lib/sasl2/libanonymous.so.2: /usr/lib/sasl2/libanonymous.so.2: wrong ELF class: ELFCLASS32 Mar 5 19:20:38 corp-admin-001 ns-slapd: unable to dlopen /usr/lib/sasl2/libplain.so.2: /usr/lib/sasl2/libplain.so.2: wrong ELF class: ELFCLASS32 Mar 5 19:20:38 corp-admin-001 ns-slapd: unable to dlopen /usr/lib/sasl2/libgssapiv2.so.2: /usr/lib/sasl2/libgssapiv2.so.2: wrong ELF class: ELFCLASS32 Mar 5 19:20:38 corp-admin-001 ns-slapd: unable to dlopen /usr/lib/sasl2/liblogin.so.2: /usr/lib/sasl2/liblogin.so.2: wrong ELF class: ELFCLASS32 Mar 5 19:20:38 corp-admin-001 ns-slapd: unable to dlopen /usr/lib/sasl2/libdigestmd5.so.2: /usr/lib/sasl2/libdigestmd5.so.2: wrong ELF class: ELFCLASS32 So, this implies that ns-slapd is trying to get at the 32 bit libraries instead of the 64 bit versions. I tried setting LD_LIBRARY_PATH to /usr/lib64, I?ve tried renaming /usr/lib/sasl2 to get it out of the path, hoping the software would just find the right version. After these two attempts, the setup procedure created without generating any error messages. However, the domain still failed to be created. Any advice on where to look, or what else to try? Thanks! -steve j -- Steve Jacobson ? Cozi ? IT Manager ? m: 206.310.7760 ? www.cozi.com -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... 
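An added diagnostic (not part of the thread) for the "wrong ELF class: ELFCLASS32" lines above: the dynamic loader reports that when a 64-bit process such as ns-slapd tries to dlopen a 32-bit shared object, so the quick check is to compare the ELF class byte of the server binary with that of every plugin in the directory it loads from. The script below reads only the 16-byte ELF identification and runs against constructed sample files in a temporary directory; the file names mirror the log above but the contents are fabricated.

```python
"""Constructed example: find plugins whose ELF class differs from the host
binary, which is the situation behind dlopen's 'wrong ELF class' error.
"""
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
EI_CLASS = 4                      # offset of the class byte in e_ident
ELF_CLASS_NAMES = {1: "ELFCLASS32", 2: "ELFCLASS64"}


def classify_ident(ident):
    """Return 'ELFCLASS32', 'ELFCLASS64', or None for a non-ELF header.

    ident is the first 16 bytes of a file (the e_ident block).  Anything
    that is too short, lacks the magic, or has an unknown class byte is
    reported as None so callers can skip it.
    """
    if len(ident) < 16 or ident[:4] != ELF_MAGIC:
        return None
    return ELF_CLASS_NAMES.get(ident[EI_CLASS])


def elf_class(path):
    """Read just the e_ident block of a file and classify it."""
    with open(path, "rb") as fh:
        return classify_ident(fh.read(16))


def find_mismatched_plugins(host_binary, plugin_dir, suffix=".so"):
    """List (name, class) for plugins whose class differs from host_binary.

    dlopen() refuses exactly these objects with 'wrong ELF class', which is
    what the ns-slapd log lines show for /usr/lib/sasl2 on an x86_64 host.
    Non-ELF files in the directory (.la libtool archives, text) are skipped.
    """
    wanted = elf_class(host_binary)
    if wanted is None:
        raise ValueError("%s is not an ELF file" % host_binary)
    bad = []
    for name in sorted(os.listdir(plugin_dir)):
        if suffix not in name:
            continue
        found = elf_class(os.path.join(plugin_dir, name))
        if found is not None and found != wanted:
            bad.append((name, found))
    return bad


def _fake_elf(path, class_byte):
    """Write a minimal 16-byte e_ident with the given class (constructed)."""
    # magic, EI_CLASS, EI_DATA=1 (little endian), EI_VERSION=1, EI_OSABI=0,
    # then padding to 16 bytes; no real program follows.
    ident = ELF_MAGIC + bytes([class_byte, 1, 1, 0]) + b"\0" * 8
    with open(path, "wb") as fh:
        fh.write(ident)


def demo():
    """Build a constructed layout and return the mismatches found.

    Layout: a 64-bit 'ns-slapd', a 'sasl2' directory holding one 32-bit
    plugin, one 64-bit plugin and one non-ELF libtool file.
    """
    root = tempfile.mkdtemp()
    plugin_dir = os.path.join(root, "sasl2")
    os.mkdir(plugin_dir)
    ns_slapd = os.path.join(root, "ns-slapd")
    _fake_elf(ns_slapd, 2)                                      # 64-bit server
    _fake_elf(os.path.join(plugin_dir, "libplain.so.2"), 1)     # 32-bit plugin
    _fake_elf(os.path.join(plugin_dir, "libgssapiv2.so.2"), 2)  # 64-bit plugin
    with open(os.path.join(plugin_dir, "libplain.la"), "w") as fh:
        fh.write("# libtool archive, not ELF\n")
    return find_mismatched_plugins(ns_slapd, plugin_dir)


if __name__ == "__main__":
    for name, cls in demo():
        print("mismatch: %s is %s" % (name, cls))   # libplain.so.2 is ELFCLASS32
```

On a real x86_64 host the same check run with the actual ns-slapd path against /usr/lib/sasl2 should flag every plugin there, and against the 64-bit plugin directory (assumed here to be /usr/lib64/sasl2) should flag none; a mismatch in the second case would point at a wrongly installed package rather than a search-path problem.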
Name: image.png Type: image/png Size: 3573 bytes Desc: not available URL: From iferreir at personal.com.py Thu Mar 6 11:57:40 2008 From: iferreir at personal.com.py (Ivan Ferreira) Date: Thu, 6 Mar 2008 08:57:40 -0300 Subject: [Fedora-directory-users] Adding users to additional Linux/Posix groups In-Reply-To: <7020fd000803051507o19876e26y409d3a4f811ae245@mail.gmail.com> Message-ID: Just suggestions, if your destop is Windows based, then ldapadmin is a very powerfull tool and a lot more easy to use then the Console. It has plugins, for example for SUDO, postfix, samba, and more. You can't compare it with the console. If you use phpldapadmin, you can do it from everywhere, idependent of the client operating system, it also has plugins. If you wan to use the console, normally, you need an X session somewhere. Para "General discussion list for the Fedora Directory server solarflow99 project." fedora-directory-users-b cc ounces at redhat.com Asunto 05/03/2008 08:07 p.m. Re: [Fedora-directory-users] Adding users to additional Linux/Posix groups Clasificaci?n Por favor, responda a Uso Interno "General discussion list for the Fedora Directory server project." I have no idea why you need to suggest a different front end for FDS. I was the one that asked about the groups, and as far as I can tell all he has to do is add the user to the various groups he wants right from the console. Just click on groups in the tree, and add members. On 3/5/08, Ivan Ferreira wrote: If you want to do it simple, use a tool like ldapadmin.exe or phpldapadmin. ldapadmin.sourceforge.net/ phpldapadmin.sourceforge.net/ What this tools will do is to add the user to the specified group. The LDIF entry for the group will be: dn: cn=devel,ou=Groups,dc=domain,dc=com,dc=py memberUid: user1 memberUid: user2 memberUid: user3 memberUid: user4 If the user belogs to more then one group, the the user will exist as an entry in more than one posixGroup object. 
Para < fedora-directory-users at redhat.c om> "Ken Marsh" cc Enviado por: Asunto fedora-directory-users-b [Fedora-directory-users] Adding ounces at redhat.com users to additional Linux/Posix groups 05/03/2008 03:39 p.m. Clasificaci?n Uso Interno Por favor, responda a "General discussion list for the Fedora Directory server project." Hi, I read the previous post on Unix groups, and I read the linked information on mapping to ACI's. This is far more involved then my question (and I didn't find the answer, either). I am looking to simply add a Linux user to more than one Posix group. I've searched through the docs and have yet to find a clear simple explanation of how to do this. Do I just use commas to separate on the value in the existing posix group attributes? Thanks, Ken Marsh ANS System Administration Lead (410) 876-9200 -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users ======================================================================================== AVISO LEGAL: Esta informaci?n es privada y confidencial y est? dirigida ?nicamente a su destinatario. Si usted no es el destinatario original de este mensaje y por este medio pudo acceder a dicha informaci?n por favor elimine el mensaje. La distribuci?n o copia de este mensaje est? estrictamente prohibida. Esta comunicaci?n es s?lo para prop?sitos de informaci?n y no debe ser considerada como propuesta, aceptaci?n ni como una declaraci?n de voluntad oficial de NUCLEO S.A. La transmisi?n de e-mails no garantiza que el correo electr?nico sea seguro o libre de error. Por consiguiente, no manifestamos que esta informaci?n sea completa o precisa. Toda informaci?n est? sujeta a alterarse sin previo aviso. This information is private and confidential and intended for the recipient only. 
If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded neither as a proposal, acceptance nor as a statement of will or official statement from NUCLEO S.A. . Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice. -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users ======================================================================================== AVISO LEGAL: Esta informaci?n es privada y confidencial y est? dirigida ?nicamente a su destinatario. Si usted no es el destinatario original de este mensaje y por este medio pudo acceder a dicha informaci?n por favor elimine el mensaje. La distribuci?n o copia de este mensaje est? estrictamente prohibida. Esta comunicaci?n es s?lo para prop?sitos de informaci?n y no debe ser considerada como propuesta, aceptaci?n ni como una declaraci?n de voluntad oficial de NUCLEO S.A. La transmisi?n de e-mails no garantiza que el correo electr?nico sea seguro o libre de error. Por consiguiente, no manifestamos que esta informaci?n sea completa o precisa. Toda informaci?n est? sujeta a alterarse sin previo aviso. This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. 
This communication is for information purposes only and shall not be regarded neither as a proposal, acceptance nor as a statement of will or official statement from NUCLEO S.A. . Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice. From ncohen.sts at gmail.com Wed Mar 5 18:54:14 2008 From: ncohen.sts at gmail.com (Ben Cohen) Date: Wed, 5 Mar 2008 10:54:14 -0800 Subject: [Fedora-directory-users] Setting up Multiple Directory Servers - in a multi-master mesh. Having problems with admin server. Message-ID: Rich Megginson wrote: > I think there is a bug somewhere that causes the directory server > you select to be the configuration directory server (in your case, > generic-02) to have the pass through auth plugin enabled. Try this - > when you get to the prompt to input the password for the > Administrator User, in another window, shutdown that directory > server, edit dse.ldif -search for the Pass Through Auth plugin (not > the PAM pass through auth plugin) and set the nsslapd-pluginEnabled > attribute to off, then restart that server. Then resume with the > prompt to input the password. I tried this but the The Pass Through Auth plugin was already off... Ben From rmeggins at redhat.com Thu Mar 6 15:55:14 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 06 Mar 2008 08:55:14 -0700 Subject: [Fedora-directory-users] Adding users to additional Linux/Posix groups In-Reply-To: References: Message-ID: <47D013E2.8090202@redhat.com> Ivan Ferreira wrote: > Just suggestions, if your destop is Windows based, then ldapadmin is a very > powerfull tool and a lot more easy to use then the Console. It has plugins, > for example for SUDO, postfix, samba, and more. You can't compare it with > the console. > Yes, agreed for user management. 
The console is extensible in that regard but you have to write Java code and the process is not documented very well. Or you have to use the advanced entry editor to add specific objectclasses and attributes. The console is also used for server management tasks such as replication config and monitoring, database backend and suffix config and monitoring, other types of entry creation (Groups, Roles, Class of Service, et. al.), log config and monitoring, TLS/SSL management, and more. Almost all of these functions are specific to Fedora Directory Server and it's unlikely a third party tool would be able to do all of them - but they could, because almost all of this is done over LDAP or via CGIs. > If you use phpldapadmin, you can do it from everywhere, idependent of the > client operating system, it also has plugins. > > If you wan to use the console, normally, you need an X session somewhere. > > > > > > > > Para > "General discussion list for the > Fedora Directory server > solarflow99 project." > Enviado por: om> > fedora-directory-users-b cc > ounces at redhat.com > Asunto > 05/03/2008 08:07 p.m. Re: [Fedora-directory-users] > Adding users to additional > Linux/Posix groups > Clasificaci?n > Por favor, responda a Uso Interno > "General discussion list > for the Fedora Directory > server project." > redhat.com> > > > > > > > I have no idea why you need to suggest a different front end for FDS. I > was the one that asked about the groups, and as far as I can tell all he > has to do is add the user to the various groups he wants right from the > console. Just click on groups in the tree, and add members. > > > > > On 3/5/08, Ivan Ferreira wrote: > If you want to do it simple, use a tool like ldapadmin.exe or > phpldapadmin. > > ldapadmin.sourceforge.net/ > phpldapadmin.sourceforge.net/ > > What this tools will do is to add the user to the specified group. 
> The LDIF > entry for the group will be: > > dn: cn=devel,ou=Groups,dc=domain,dc=com,dc=py > memberUid: user1 > memberUid: user2 > memberUid: user3 > memberUid: user4 > > If the user belogs to more then one group, the the user will exist as > an > entry in more than one posixGroup object. > > > > > > > > Para > < > fedora-directory-users at redhat.c > om> > "Ken Marsh" > cc > > Enviado por: > Asunto > fedora-directory-users-b [Fedora-directory-users] > Adding > ounces at redhat.com users to additional > Linux/Posix > groups > 05/03/2008 03:39 p.m. > Clasificaci?n > Uso Interno > > > Por favor, responda a > "General discussion list > for the Fedora Directory > server project." > redhat.com> > > > > > > > Hi, > > I read the previous post on Unix groups, and I read the linked > information > on mapping to ACI's. This is far more involved then my question (and > I > didn't find the answer, either). > > I am looking to simply add a Linux user to more than one Posix group. > I've > searched through the docs and have yet to find a clear simple > explanation > of how to do this. Do I just use commas to separate on the value in > the > existing posix group attributes? > > Thanks, > > Ken Marsh > ANS System Administration Lead > (410) 876-9200 > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > ======================================================================================== > > AVISO LEGAL: Esta informaci?n es privada y confidencial y est? > dirigida > ?nicamente a su destinatario. Si usted no es el destinatario original > de > este mensaje y por este medio pudo acceder a dicha informaci?n por > favor > elimine el mensaje. La distribuci?n o copia de este mensaje est? > estrictamente prohibida. Esta comunicaci?n es s?lo para prop?sitos > de > informaci?n y no debe ser considerada como propuesta, aceptaci?n ni > como > una declaraci?n de voluntad oficial de NUCLEO S.A. 
La transmisi?n de > e-mails no garantiza que el correo electr?nico sea seguro o libre de > error. > Por consiguiente, no manifestamos que esta informaci?n sea completa o > precisa. Toda informaci?n est? sujeta a alterarse sin previo aviso. > > This information is private and confidential and intended for the > recipient only. If you are not the intended recipient of this message > you > are hereby notified that any review, dissemination, distribution or > copying of this message is strictly prohibited. This communication is > for > information purposes only and shall not be regarded neither as a > proposal, > acceptance nor as a statement of will or official statement from > NUCLEO > S.A. . Email transmission cannot be guaranteed to be secure or > error-free. > Therefore, we do not represent that this information is complete or > accurate and it should not be relied upon as such. All information is > subject to change without notice. > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > ======================================================================================== > AVISO LEGAL: Esta informaci?n es privada y confidencial y est? dirigida > ?nicamente a su destinatario. Si usted no es el destinatario original de > este mensaje y por este medio pudo acceder a dicha informaci?n por favor > elimine el mensaje. La distribuci?n o copia de este mensaje est? > estrictamente prohibida. Esta comunicaci?n es s?lo para prop?sitos de > informaci?n y no debe ser considerada como propuesta, aceptaci?n ni como > una declaraci?n de voluntad oficial de NUCLEO S.A. La transmisi?n de > e-mails no garantiza que el correo electr?nico sea seguro o libre de error. 
> Por consiguiente, no manifestamos que esta informaci?n sea completa o > precisa. Toda informaci?n est? sujeta a alterarse sin previo aviso. > > This information is private and confidential and intended for the > recipient only. If you are not the intended recipient of this message you > are hereby notified that any review, dissemination, distribution or > copying of this message is strictly prohibited. This communication is for > information purposes only and shall not be regarded neither as a proposal, > acceptance nor as a statement of will or official statement from NUCLEO > S.A. . Email transmission cannot be guaranteed to be secure or error-free. > Therefore, we do not represent that this information is complete or > accurate and it should not be relied upon as such. All information is > subject to change without notice. > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Thu Mar 6 15:57:03 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 06 Mar 2008 08:57:03 -0700 Subject: [Fedora-directory-users] Setting up Multiple Directory Servers - in a multi-master mesh. Having problems with admin server. In-Reply-To: References: Message-ID: <47D0144F.3020106@redhat.com> Ben Cohen wrote: > Rich Megginson wrote: >> I think there is a bug somewhere that causes the directory server you >> select to be the configuration directory server (in your case, >> generic-02) to have the pass through auth plugin enabled. 
Try this - >> when you get to the prompt to input the password for the >> Administrator User, in another window, shutdown that directory >> server, edit dse.ldif -search for the Pass Through Auth plugin (not >> the PAM pass through auth plugin) and set the nsslapd-pluginEnabled >> attribute to off, then restart that server. Then resume with the >> prompt to input the password. > > I tried this but the The Pass Through Auth plugin was already off... Can you paste relevant access log excerpts (showing the connection attempt and BIND, if any) from the configuration directory server? > Ben > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Thu Mar 6 15:59:56 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 06 Mar 2008 08:59:56 -0700 Subject: [Fedora-directory-users] Install fails to create domain after re-install In-Reply-To: References: Message-ID: <47D014FC.1060204@redhat.com> Steve Jacobson wrote: > All, > > I had a successful installation of FDS 1.1 on CentOS 5.1 x86_64. I had > a bunch of cruft in the directory from a poor migration, so I decided > to start over with a re-install to get things clean. The uninstall was > successful, and I wiped /etc/dirsrv, /var/lib/dirsrv, and > /usr/share/dirsrv. Also /usr/lib64/dirsrv/slapd* > Then I re-installed, and ran setup-ds-admin.pl. The dialogs were as > expected, and seemed to be just fine. The setup program reported that > everything was fine, and the directory was created. However, the > domain didn?t materialize. There was nothing in the setup log to hint > at any problem. 
I found the following messages in /var/log/messages: > > > Mar 5 19:20:38 corp-admin-001 ns-slapd: unable to dlopen > /usr/lib/sasl2/libcrammd5.so.2: /usr/lib/sasl2/libcrammd5.so.2: wrong > ELF class: ELFCLASS32 > Mar 5 19:20:38 corp-admin-001 ns-slapd: unable to dlopen > /usr/lib/sasl2/libanonymous.so.2: /usr/lib/sasl2/libanonymous.so.2: > wrong ELF class: ELFCLASS32 > Mar 5 19:20:38 corp-admin-001 ns-slapd: unable to dlopen > /usr/lib/sasl2/libplain.so.2: /usr/lib/sasl2/libplain.so.2: wrong ELF > class: ELFCLASS32 > Mar 5 19:20:38 corp-admin-001 ns-slapd: unable to dlopen > /usr/lib/sasl2/libgssapiv2.so.2: /usr/lib/sasl2/libgssapiv2.so.2: > wrong ELF class: ELFCLASS32 > Mar 5 19:20:38 corp-admin-001 ns-slapd: unable to dlopen > /usr/lib/sasl2/liblogin.so.2: /usr/lib/sasl2/liblogin.so.2: wrong ELF > class: ELFCLASS32 > Mar 5 19:20:38 corp-admin-001 ns-slapd: unable to dlopen > /usr/lib/sasl2/libdigestmd5.so.2: /usr/lib/sasl2/libdigestmd5.so.2: > wrong ELF class: ELFCLASS32 > > So, this implies that ns-slapd is trying to get at the 32 bit > libraries instead of the 64 bit versions. I'm assuming you have the 64-bit versions of the sasl package installed? rpm -qa --queryformat '%{name}-%{version}.%{arch}\n' | grep sasl > > I tried setting LD_LIBRARY_PATH to /usr/lib64, I?ve tried renaming > /usr/lib/sasl2 to get it out of the path, hoping the software would > just find the right version. > > After these two attempts, the setup procedure created without > generating any error messages. However, the domain still failed to be > created. I'm not sure what you mean by "domain" in this context. If you can, try starting over from scratch, and running setup-ds-admin.pl -ddd to generate verbose debug logs. By default the log file is written to /tmp/setupXXXXX.log > > Any advice on where to look, or what else to try? > > Thanks! > > -steve j > > > -- > > * > **Steve Jacobson* ? *Cozi * ? IT Manager ? m: 206.310.7760 ? 
www.cozi.com > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From kmarsh at gdrs.com Thu Mar 6 21:21:57 2008 From: kmarsh at gdrs.com (Ken Marsh) Date: Thu, 6 Mar 2008 16:21:57 -0500 Subject: [Fedora-directory-users] netscapeRoot and Config propagation Message-ID: <5AD9B0E562FEFB4E933861904D7135C5796673@gdrs-exchange.gdrs.com> Thanks everyone for answering on the Groups question. I was so focused People ou in the GUI I didn't see the Group ou a few menu lines up. :-) I went into it and rediscovered that I knew how to create posixgroups two years ago. I created a new one succesfully and added users to it. On an LDAP-ified Linux host they can now newgrp to that group. Now I have two more complicated questions. 1. Group info does not multi-master replicate like user info does. Specifically, I would like to manage posixgroups from any MultiMaster server. My new posix group is stuck on just the server I created it on. 2. Config data does not multi-master replicate like user info does. It would be nice to administer any server from any server. At the moment the only way I know how to do this is on installation. I don't want to reinstall any DS at this point, though. My understanding is that mmr.pl sets up replication for only userRoot, not NetscapeRoot. I went through the Admin GUI and under the Configuration tab, Replication->NetscapeRoot I checked "Enable Replica", checked MultiMaster and set up the Current Supplier DN's to cn=repman,cn=config just like userRoot. Now it has a replica entry under Directory Tab->config->mapping tree just like dc=company,dc=com . 
However the attributes under o=NetscapeRoot do not have the nsslapd-backend and nsslapd-referral attributes. I'm guessing I need something like mmr.pl except for NetscapeRoot to fill in the blanks. Is there a howto for this, or any tips? Once again, thanks to the Fedora DS development team for a great product. Despite my noobish questions, it has saved me countless manhours and been very reliable. Ken Marsh ANS System Administration Lead (410) 876-9200 -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Thu Mar 6 21:39:21 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 06 Mar 2008 14:39:21 -0700 Subject: [Fedora-directory-users] netscapeRoot and Config propagation In-Reply-To: <5AD9B0E562FEFB4E933861904D7135C5796673@gdrs-exchange.gdrs.com> References: <5AD9B0E562FEFB4E933861904D7135C5796673@gdrs-exchange.gdrs.com> Message-ID: <47D06489.1050705@redhat.com> Ken Marsh wrote: > > Thanks everyone for answering on the Groups question. I was so focused > People ou in the GUI I didn?t see the Group ou a few menu lines up. J > I went into it and rediscovered that I knew how to create posixgroups > two years ago. I created a new one succesfully and added users to it. > On an LDAP-ified Linux host they can now newgrp to that group. > > Now I have two more complicated questions. > > 1. Group info does not multi-master replicate like user info does. > > Specifically, I would like to manage posixgroups from any MultiMaster > server. My new posix group is stuck on just the server I created it on. > By default replication should replicate everything - it does not care what type of data it is. > > 2. Config data does not multi-master replicate like user info does. > > It would be nice to administer any server from any server. > The console/admin server don't really work that way. You should use o=NetscapeRoot replication for failover, not general load balancing. 
See http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-ADS-for-Failover.html

> > At the moment the only way I know how to do this is on installation. I > don't want to reinstall any DS at this point, though. My understanding > is that mmr.pl sets up replication for only userRoot, not NetscapeRoot. > > I went through the Admin GUI and under the Configuration tab, > Replication->NetscapeRoot I checked "Enable Replica", checked > MultiMaster and set up the Current Supplier DN's to > cn=repman,cn=config just like userRoot. > > Now it has a replica entry under Directory Tab->config->mapping tree > just like dc=company,dc=com . However the attributes under > o=NetscapeRoot do not have the nsslapd-backend and nsslapd-referral > attributes. I'm guessing I need something like mmr.pl except for > NetscapeRoot to fill in the blanks. > > Is there a howto for this, or any tips? > > Once again, thanks to the Fedora DS development team for a great > product. Despite my noobish questions, it has saved me countless > manhours and been very reliable. > > Ken Marsh > > ANS System Administration Lead > > (410) 876-9200 > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >

From steve at cozi.com Thu Mar 6 22:06:35 2008 From: steve at cozi.com (Steve Jacobson) Date: Thu, 06 Mar 2008 14:06:35 -0800 Subject: [Fedora-directory-users] Install fails to create domain after re-install In-Reply-To: <47D014FC.1060204@redhat.com> Message-ID:

Hi Rich, Thanks for the help. I've run setup-ds-admin.pl with the -ddd option. The compressed log is attached to this.
Short version is, I can't tell from this what went wrong. It claims to have successfully created "dc=kasayka,dc=local" (This is what I meant by 'domain' - the suffix for all the other entries for our directory). Trying to add an item to that directory under that suffix yields "No such object". Looking with the idm-console shows nothing. A search of "Users and Groups" shows no groups or anything else installed in the directory, and I can't create a user with the console, since there's no Groups for the user to be part of. Same with trying to create a Group, or an ou.

As for the 64-bit version of sasl, this is what I've got installed:

# rpm -qa --queryformat '%{name}-%{version}.%{arch}\n' | grep sasl
cyrus-sasl-lib-2.1.22.i386
cyrus-sasl-plain-2.1.22.i386
cyrus-sasl-gssapi-2.1.22.x86_64
cyrus-sasl-plain-2.1.22.x86_64
cyrus-sasl-gssapi-2.1.22.i386
cyrus-sasl-lib-2.1.22.x86_64
cyrus-sasl-md5-2.1.22.i386
cyrus-sasl-2.1.22.x86_64
cyrus-sasl-devel-2.1.22.x86_64
cyrus-sasl-md5-2.1.22.x86_64

Thanks for any further help or guidance. I'm thinking of blowing the OS away at this point, and trying to get back to the point where I was able to create everything. I started trying to configure samba to use the directory, and added a couple of RPMs for samba. I'm wondering if any of them could have interfered? If so, I haven't been able to figure out which one yet. Thanks again! -Steve J.

On 3/6/08 7:59 AM, "Rich Megginson" wrote: > Steve Jacobson wrote: >> All, >> >> I had a successful installation of FDS 1.1 on CentOS 5.1 x86_64. I had >> a bunch of cruft in the directory from a poor migration, so I decided >> to start over with a re-install to get things clean. The uninstall was >> successful, and I wiped /etc/dirsrv, /var/lib/dirsrv, and >> /usr/share/dirsrv. > Also /usr/lib64/dirsrv/slapd* >> Then I re-installed, and ran setup-ds-admin.pl. The dialogs were as >> expected, and seemed to be just fine.
The setup program reported that >> everything was fine, and the directory was created. However, the >> domain didn't materialize. There was nothing in the setup log to hint >> at any problem. I found the following messages in /var/log/messages: >> >>
>> Mar 5 19:20:38 corp-admin-001 ns-slapd: unable to dlopen /usr/lib/sasl2/libcrammd5.so.2: /usr/lib/sasl2/libcrammd5.so.2: wrong ELF class: ELFCLASS32
>> Mar 5 19:20:38 corp-admin-001 ns-slapd: unable to dlopen /usr/lib/sasl2/libanonymous.so.2: /usr/lib/sasl2/libanonymous.so.2: wrong ELF class: ELFCLASS32
>> Mar 5 19:20:38 corp-admin-001 ns-slapd: unable to dlopen /usr/lib/sasl2/libplain.so.2: /usr/lib/sasl2/libplain.so.2: wrong ELF class: ELFCLASS32
>> Mar 5 19:20:38 corp-admin-001 ns-slapd: unable to dlopen /usr/lib/sasl2/libgssapiv2.so.2: /usr/lib/sasl2/libgssapiv2.so.2: wrong ELF class: ELFCLASS32
>> Mar 5 19:20:38 corp-admin-001 ns-slapd: unable to dlopen /usr/lib/sasl2/liblogin.so.2: /usr/lib/sasl2/liblogin.so.2: wrong ELF class: ELFCLASS32
>> Mar 5 19:20:38 corp-admin-001 ns-slapd: unable to dlopen /usr/lib/sasl2/libdigestmd5.so.2: /usr/lib/sasl2/libdigestmd5.so.2: wrong ELF class: ELFCLASS32
>> >> So, this implies that ns-slapd is trying to get at the 32 bit >> libraries instead of the 64 bit versions.
> I'm assuming you have the 64-bit versions of the sasl package installed? > rpm -qa --queryformat '%{name}-%{version}.%{arch}\n' | grep sasl
>> >> I tried setting LD_LIBRARY_PATH to /usr/lib64, I've tried renaming >> /usr/lib/sasl2 to get it out of the path, hoping the software would >> just find the right version. >> >> After these two attempts, the setup procedure created without >> generating any error messages. However, the domain still failed to be >> created.
> I'm not sure what you mean by "domain" in this context. > > If you can, try starting over from scratch, and running > setup-ds-admin.pl -ddd to generate verbose debug logs.
By default the > log file is written to /tmp/setupXXXXX.log

>> >> Any advice on where to look, or what else to try? >> >> Thanks! >> >> -steve j >> >> >> -- >> >> * >> **Steve Jacobson* | *Cozi * | IT Manager | m: 206.310.7760 | www.cozi.com >> ------------------------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users

-- Steve Jacobson | Cozi | IT Manager | m: 206.310.7760 | www.cozi.com

-------------- next part -------------- A non-text attachment was scrubbed... Name: setup.err.gz Type: application/octet-stream Size: 5422 bytes Desc: not available URL:

From solarflow99 at gmail.com Fri Mar 7 00:49:57 2008 From: solarflow99 at gmail.com (solarflow99) Date: Fri, 7 Mar 2008 00:49:57 +0000 Subject: [Fedora-directory-users] netscapeRoot and Config propagation In-Reply-To: <47D06489.1050705@redhat.com> References: <5AD9B0E562FEFB4E933861904D7135C5796673@gdrs-exchange.gdrs.com> <47D06489.1050705@redhat.com> Message-ID: <7020fd000803061649i766c9b22pe37d0d0b1efe9c06@mail.gmail.com>

On Thu, Mar 6, 2008 at 9:39 PM, Rich Megginson wrote: > Ken Marsh wrote: > > > > Thanks everyone for answering on the Groups question. I was so focused > > People ou in the GUI I didn't see the Group ou a few menu lines up. :-) > > I went into it and rediscovered that I knew how to create posixgroups > > two years ago. I created a new one successfully and added users to it. > > On an LDAP-ified Linux host they can now newgrp to that group. >

is this actually a requirement, or does adding their groups from the console give them the extra GID access?
From lists at runyanrants.net Fri Mar 7 05:17:09 2008 From: lists at runyanrants.net (Legatus) Date: Thu, 6 Mar 2008 23:17:09 -0600 Subject: [Fedora-directory-users] Password Warnings Message-ID:

I am new to the list, and I apologize if this question has been answered before. I haven't done much programming for LDAP, though I have been managing directories for years. I am working with some developers, who a) aren't very imaginative, b) not very clever, and c) lazy. So I need to know how to get at the password information that says a password has expired, is about to expire, et al. I have tried to query for the attributes using ldapsearch that seem to be what I want, like passwordexpirationtime, but I get nothing back. They all figure I should know the magic incantation, since I know how to make the directory work, and usually that would be the case. This time I am stuck. Anyone solved this problem? I am running FDS 1.0.2, and 1.0.4. I get the same result in both. Any help would be great.

From Enrico.M.V.Fasanelli at le.infn.it Fri Mar 7 12:24:56 2008 From: Enrico.M.V.Fasanelli at le.infn.it (Enrico M. V. Fasanelli) Date: Fri, 07 Mar 2008 13:24:56 +0100 Subject: [Fedora-directory-users] Per DB Windows sync between different BaseDN Message-ID: <47D13418.6070301@le.infn.it>

Dear all, a question on the Windows Sync. Scenario: example.com is spread over some sites (a.example.com, b.example.com, etc. etc.) and in a few of these there is already an AD domain. For example there is an AD domain win.a.example.com, another one w2k.c.example.com, but the site b.example.com doesn't run any AD. In the FDS 4-way Multi Master "core" servers, you set up one DB per site, related to the corresponding suffix, and in each site you configure a consumer for the site-specific DB.
Core Servers
BaseDN dc=example,dc=com        Database userRoot
BaseDN dc=a,dc=example,dc=com   Database aUserRoot
BaseDN dc=b,dc=example,dc=com   Database bUserRoot
BaseDN dc=c,dc=example,dc=com   Database cUserRoot

The "Site-x" local server(s) will receive only the userRoot and xUserRoot via the replication defined in the supplier core servers. Now the question: is it possible to define the Windows Sync agreements between a) the aUserRoot database (dc=a,dc=example,dc=com) and the AD domain dc=win,dc=a,dc=example,dc=com b) cUserRoot (dc=c,dc=example,dc=com) and the AD domain dc=w2k,dc=c,dc=example,dc=com ? Thank you in advance. Ciao, Enrico -- Don't follow any road... ...create it! (Advertising...)

From beyonddc.storage at gmail.com Fri Mar 7 14:55:42 2008 From: beyonddc.storage at gmail.com (Chun Tat David Chu) Date: Fri, 7 Mar 2008 09:55:42 -0500 Subject: [Fedora-directory-users] Password Warnings In-Reply-To: References: Message-ID: <20e4c38c0803070655h3652584by3092c3aa4d9c561a@mail.gmail.com>

Did you make sure the account you log in with to do the ldapsearch has the right privilege (ACI) to retrieve the password attributes you want? What programming language do you guys use to talk to the LDAP? - dc

On Fri, Mar 7, 2008 at 12:17 AM, Legatus wrote: > I am new to the list, and I apologize if this question has been answered > before. > > I haven't done much programming for LDAP, though I have been managing > directories for years. I am working with some developers, who a) aren't very > imaginative, b) not very clever, and c) lazy.
So I need to know how to get > at the password information that says a password has expired, is about to > expire, et. al. I have tried to query for the attributes using ldapsearch > that seem to be what I want, like passwordexpirationtime, but I get nothing > back. They all figure I should know the magic incantation, since I know how > to make the directory work, and usually that would be the case. This time I > am stuck. Anyone solved this problem. I am running FDS 1.0.2, and 1.0.4. I > get the same result in both. Any help would be great. > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Fri Mar 7 15:39:11 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 07 Mar 2008 08:39:11 -0700 Subject: [Fedora-directory-users] Password Warnings In-Reply-To: References: Message-ID: <47D1619F.7050207@redhat.com> Legatus wrote: > I am new to the list, and I apologize if this question has been > answered before. > > I haven't done much programming for LDAP, though I have been managing > directories for years. I am working with some developers, who a) > aren't very imaginative, b) not very clever, and c) lazy. So I need > to know how to get at the password information that says a password > has expired, is about to expire, et. al. I have tried to query for the > attributes using ldapsearch that seem to be what I want, like > passwordexpirationtime, but I get nothing back. Can you post your exact ldapsearch command line? Note that passwordexpirationtime and other password attributes in user entries are operational attributes - this means they are not retrieved by default with an LDAP search but must be explicitly listed in the list of attributes to retrieve. 
> They all figure I should know the magic incantation, since I know how > to make the directory work, and usually that would be the case. This > time I am stuck. Anyone solved this problem. I am running FDS 1.0.2, > and 1.0.4. I get the same result in both. Any help would be great. > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From lists at runyanrants.net Fri Mar 7 17:07:58 2008 From: lists at runyanrants.net (Legatus) Date: Fri, 7 Mar 2008 11:07:58 -0600 Subject: [Fedora-directory-users] Password Warnings In-Reply-To: <20e4c38c0803070655h3652584by3092c3aa4d9c561a@mail.gmail.com> References: <20e4c38c0803070655h3652584by3092c3aa4d9c561a@mail.gmail.com> Message-ID: I have used just command line tools. The developers are using java. On Fri, Mar 7, 2008 at 8:55 AM, Chun Tat David Chu < beyonddc.storage at gmail.com> wrote: > Did you make sure the account you login to do the ldapsearch has the right > privilege (ACI) to retrieve the password attributes you want? > > What programming language you guys use to talk to the LDAP? > > - dc > > On Fri, Mar 7, 2008 at 12:17 AM, Legatus wrote: > > > I am new to the list, and I apologize if this question has been answered > > before. > > > > I haven't done much programming for LDAP, though I have been managing > > directories for years. I am working with some developers, who a) aren't very > > imaginative, b) not very clever, and c) lazy. So I need to know how to get > > at the password information that says a password has expired, is about to > > expire, et. al. 
I have tried to query for the attributes using ldapsearch > > that seem to be what I want, like passwordexpirationtime, but I get nothing > > back. They all figure I should know the magic incantation, since I know how > > to make the directory work, and usually that would be the case. This time I > > am stuck. Anyone solved this problem. I am running FDS 1.0.2, and 1.0.4. > > I get the same result in both. Any help would be great. > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From lists at runyanrants.net Fri Mar 7 17:08:57 2008 From: lists at runyanrants.net (Legatus) Date: Fri, 7 Mar 2008 11:08:57 -0600 Subject: Fwd: [Fedora-directory-users] Password Warnings In-Reply-To: References: <47D1619F.7050207@redhat.com> Message-ID: I have tried with this search, and also using the userid that I am requesting the information from. So "uid=me,ou=people,dc=mydc" to get info on "uid=me,ou=people,dc=mydc" ldapsearch -x -b 'ou=people,dc=mydc' -s sub -D 'cn=directory manager' -w "objectclass=*" attrs="passwordExpWarned passwordExpirationTime" On Fri, Mar 7, 2008 at 9:39 AM, Rich Megginson wrote: > Legatus wrote: > > I am new to the list, and I apologize if this question has been > > answered before. > > > > I haven't done much programming for LDAP, though I have been managing > > directories for years. I am working with some developers, who a) > > aren't very imaginative, b) not very clever, and c) lazy. So I need > > to know how to get at the password information that says a password > > has expired, is about to expire, et. al. 
I have tried to query for the > > attributes using ldapsearch that seem to be what I want, like > > passwordexpirationtime, but I get nothing back. > Can you post your exact ldapsearch command line? Note that > passwordexpirationtime and other password attributes in user entries are > operational attributes - this means they are not retrieved by default > with an LDAP search but must be explicitly listed in the list of > attributes to retrieve. > > They all figure I should know the magic incantation, since I know how > > to make the directory work, and usually that would be the case. This > > time I am stuck. Anyone solved this problem. I am running FDS 1.0.2, > > and 1.0.4. I get the same result in both. Any help would be great. > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Fri Mar 7 17:17:38 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 07 Mar 2008 10:17:38 -0700 Subject: Fwd: [Fedora-directory-users] Password Warnings In-Reply-To: References: <47D1619F.7050207@redhat.com> Message-ID: <47D178B2.9030202@redhat.com> Legatus wrote: > I have tried with this search, and also using the userid that I am > requesting the information from. So "uid=me,ou=people,dc=mydc" to get > info on "uid=me,ou=people,dc=mydc" > > ldapsearch -x -b 'ou=people,dc=mydc' -s sub -D 'cn=directory manager' > -w "objectclass=*" attrs="passwordExpWarned > passwordExpirationTime" Don't use attrs="..." Just specify them on the command line - ... 
"objectclass=*" passwordExpWarned passwordExpirationTime If you want all regular attributes plus the additional operational attributes, use "*" e.g. ldapsearch .... "objectclass=*" \* passwordExpWarned passwordExpirationTime ldapsearch --help ... usage: ldapsearch [options] [filter [attributes...]] where: filter RFC-2254 compliant LDAP search filter attributes whitespace-separated list of attribute descriptions Note that openldap has a special attribute called "+" but this is not supported by Fedora DS. > > > On Fri, Mar 7, 2008 at 9:39 AM, Rich Megginson > wrote: > > Legatus wrote: > > I am new to the list, and I apologize if this question has been > > answered before. > > > > I haven't done much programming for LDAP, though I have been > managing > > directories for years. I am working with some developers, who a) > > aren't very imaginative, b) not very clever, and c) lazy. So I need > > to know how to get at the password information that says a password > > has expired, is about to expire, et. al. I have tried to query > for the > > attributes using ldapsearch that seem to be what I want, like > > passwordexpirationtime, but I get nothing back. > Can you post your exact ldapsearch command line? Note that > passwordexpirationtime and other password attributes in user > entries are > operational attributes - this means they are not retrieved by default > with an LDAP search but must be explicitly listed in the list of > attributes to retrieve. > > They all figure I should know the magic incantation, since I > know how > > to make the directory work, and usually that would be the case. This > > time I am stuck. Anyone solved this problem. I am running FDS 1.0.2, > > and 1.0.4. I get the same result in both. Any help would be great. 
> > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From lists at runyanrants.net Fri Mar 7 18:08:45 2008 From: lists at runyanrants.net (Legatus) Date: Fri, 7 Mar 2008 12:08:45 -0600 Subject: Fwd: [Fedora-directory-users] Password Warnings In-Reply-To: <47D178B2.9030202@redhat.com> References: <47D1619F.7050207@redhat.com> <47D178B2.9030202@redhat.com> Message-ID: I did that. I know I have done that in the past. I see on one account the passwordExpWarned, I don't see passwordExpirationTime. We need to be able to give users warnings that the password will expire in N days. Am I looking in the wrong place, or is there a setting I haven't set? I set up a policy that is supposed to expire passwords, and warn users. On Fri, Mar 7, 2008 at 11:17 AM, Rich Megginson wrote: > Legatus wrote: > > I have tried with this search, and also using the userid that I am > > requesting the information from. So "uid=me,ou=people,dc=mydc" to get > > info on "uid=me,ou=people,dc=mydc" > > > > ldapsearch -x -b 'ou=people,dc=mydc' -s sub -D 'cn=directory manager' > > -w "objectclass=*" attrs="passwordExpWarned > > passwordExpirationTime" > Don't use attrs="..." Just specify them on the command line - ... 
> "objectclass=*" passwordExpWarned passwordExpirationTime > If you want all regular attributes plus the additional operational > attributes, use "*" e.g. > ldapsearch .... "objectclass=*" \* passwordExpWarned > passwordExpirationTime > ldapsearch --help > ... > usage: ldapsearch [options] [filter [attributes...]] > where: > filter RFC-2254 compliant LDAP search filter > attributes whitespace-separated list of attribute descriptions > > Note that openldap has a special attribute called "+" but this is not > supported by Fedora DS. > > > > > > On Fri, Mar 7, 2008 at 9:39 AM, Rich Megginson > > wrote: > > > > Legatus wrote: > > > I am new to the list, and I apologize if this question has been > > > answered before. > > > > > > I haven't done much programming for LDAP, though I have been > > managing > > > directories for years. I am working with some developers, who a) > > > aren't very imaginative, b) not very clever, and c) lazy. So I > need > > > to know how to get at the password information that says a > password > > > has expired, is about to expire, et. al. I have tried to query > > for the > > > attributes using ldapsearch that seem to be what I want, like > > > passwordexpirationtime, but I get nothing back. > > Can you post your exact ldapsearch command line? Note that > > passwordexpirationtime and other password attributes in user > > entries are > > operational attributes - this means they are not retrieved by > default > > with an LDAP search but must be explicitly listed in the list of > > attributes to retrieve. > > > They all figure I should know the magic incantation, since I > > know how > > > to make the directory work, and usually that would be the case. > This > > > time I am stuck. Anyone solved this problem. I am running FDS > 1.0.2, > > > and 1.0.4. I get the same result in both. Any help would be > great. 
> > > > > > ------------------------------------------------------------------------ > > > > > > -- > > > Fedora-directory-users mailing list > > > Fedora-directory-users at redhat.com > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From kmarsh at gdrs.com Fri Mar 7 18:57:17 2008 From: kmarsh at gdrs.com (Ken Marsh) Date: Fri, 7 Mar 2008 13:57:17 -0500 Subject: [Fedora-directory-users] netscapeRoot and Config propagation Message-ID: <5AD9B0E562FEFB4E933861904D7135C57966FA@gdrs-exchange.gdrs.com> solarflow99 wrote: >is this actually a requirement, or does adding their groups from the console >give them the extra GID access? If your question is, "is newgrp on Linux required to use the permissions of the added group?" The answer depends on your O/S and your file system and mount point ACL settings, but on my Red Hat E4 system with ext3, I don't need to newgrp. Ken Marsh ANS System Administration Lead (410) 876-9200 -------------- next part -------------- An HTML attachment was scrubbed... 
From kmarsh at gdrs.com Fri Mar 7 19:07:14 2008 From: kmarsh at gdrs.com (Ken Marsh) Date: Fri, 7 Mar 2008 14:07:14 -0500 Subject: [Fedora-directory-users] netscapeRoot and Config propagation Message-ID: <5AD9B0E562FEFB4E933861904D7135C57966FD@gdrs-exchange.gdrs.com>

Rich Megginson wrote: >By default replication should replicate everything - it does not care what >type of data it is.

Thanks, Rich. This just confirms what I suspected - my replication is broken. I'll start a new thread on that one.

>The console/admin server don't really work that way. You should use >o=NetscapeRoot replication for failover, not general load balancing.

Sorry, I only meant, I want to be able to get from any DS from any Admin Console.

>See http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-ADS-for-Failover.html

Looks like exactly what I need. Thanks again, Ken Marsh

From rmeggins at redhat.com Fri Mar 7 19:18:54 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 07 Mar 2008 12:18:54 -0700 Subject: Fwd: [Fedora-directory-users] Password Warnings In-Reply-To: References: <47D1619F.7050207@redhat.com> <47D178B2.9030202@redhat.com> Message-ID: <47D1951E.7070700@redhat.com>

Legatus wrote: > I did that. I know I have done that in the past. I see on one account > the passwordExpWarned, I don't see passwordExpirationTime. We need to > be able to give users warnings that the password will expire in N > days. Am I looking in the wrong place, or is there a setting I > haven't set? I set up a policy that is supposed to expire passwords, > and warn users.

One thing is that a user who has not had his/her password changed since password expiration was enabled will not have the passwordExpirationTime attribute in his/her entry, but you could add it manually. Another thing - I'm not sure how it is possible that a user could have the passwordExpWarned but not the passwordExpirationTime attribute.
Just looking at the code, everywhere it sets passwordExpWarned it also sets passwordExpirationTime. I started with an existing database (Example.ldif). I then enabled password expiration - ldapsearch showed no passwordExpWarned nor passwordExpirationTime. Then, as directory manager, I used ldapmodify to modify a user's password - the search showed this:

ldapsearch -D "cn=directory manager" ... "uid=scarter" passwordExpirationTime passwordExpWarned
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: uid=scarter
# requesting: passwordExpirationTime passwordExpWarned
#

# scarter, People, example.com
dn: uid=scarter, ou=People, dc=example,dc=com
passwordExpirationTime: 20080615185146Z
passwordExpWarned: 0

> > On Fri, Mar 7, 2008 at 11:17 AM, Rich Megginson > wrote: > > Legatus wrote: > > I have tried with this search, and also using the userid that I am > > requesting the information from. So "uid=me,ou=people,dc=mydc" > to get > > info on "uid=me,ou=people,dc=mydc" > > > > ldapsearch -x -b 'ou=people,dc=mydc' -s sub -D 'cn=directory > manager' > > -w "objectclass=*" attrs="passwordExpWarned > > passwordExpirationTime" > Don't use attrs="..." Just specify them on the command line - ... > "objectclass=*" passwordExpWarned passwordExpirationTime > If you want all regular attributes plus the additional operational > attributes, use "*" e.g. > ldapsearch .... "objectclass=*" \* passwordExpWarned > passwordExpirationTime > ldapsearch --help > ... > usage: ldapsearch [options] [filter [attributes...]] > where: > filter RFC-2254 compliant LDAP search filter > attributes whitespace-separated list of attribute descriptions > > Note that openldap has a special attribute called "+" but this is not > supported by Fedora DS. > > > > > > On Fri, Mar 7, 2008 at 9:39 AM, Rich Megginson > > > >> wrote: > > > > Legatus wrote: > > > I am new to the list, and I apologize if this question has > been > > > answered before.
> > > > > > I haven't done much programming for LDAP, though I have been > > managing > > > directories for years. I am working with some developers, > who a) > > > aren't very imaginative, b) not very clever, and c) lazy. > So I need > > > to know how to get at the password information that says a > password > > > has expired, is about to expire, et. al. I have tried to query > > for the > > > attributes using ldapsearch that seem to be what I want, like > > > passwordexpirationtime, but I get nothing back. > > Can you post your exact ldapsearch command line? Note that > > passwordexpirationtime and other password attributes in user > > entries are > > operational attributes - this means they are not retrieved > by default > > with an LDAP search but must be explicitly listed in the list of > > attributes to retrieve. > > > They all figure I should know the magic incantation, since I > > know how > > > to make the directory work, and usually that would be the > case. This > > > time I am stuck. Anyone solved this problem. I am running > FDS 1.0.2, > > > and 1.0.4. I get the same result in both. Any help would > be great. 
> > > > > > ------------------------------------------------------------------------ > > > > > > -- > > > Fedora-directory-users mailing list > > > Fedora-directory-users at redhat.com > > > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > > > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From b.t.roy at brianandkelly.ws Fri Mar 7 19:26:17 2008 From: b.t.roy at brianandkelly.ws (Brian Roy) Date: Fri, 7 Mar 2008 12:26:17 -0700 Subject: [Fedora-directory-users] Password Warnings Message-ID: <4157DAF9-296D-4F75-829B-66848DD91E55@brianandkelly.ws> I have a PHP script that will query FDS for users with about to and expired passwords. It sends out email to both the user and a sysadmin. Let me know if you are interested. Regards, Name: Brian Roy Status: enjoying the weekend Brian Roy Visit my blog at www.briantroy.com/blog contact | b.t.roy at brianandkelly.ws - 602.445.9849 | GoogleTalk - briantroy at chat.brianandkelly.ws -------------- next part -------------- An HTML attachment was scrubbed... 
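Rich's two points above (the password attributes are operational and have to be named in the ldapsearch attribute list, and an entry has no passwordExpirationTime until the password is next changed) and Brian's expiry-notification script both come down to reading passwordExpirationTime out of ldapsearch output and comparing it with the clock. An added Python example, not from this thread or from Fedora DS, that does exactly that over a constructed LDIF sample; the user names, base DN, "now" timestamp and 14-day warning window are all made up:

```python
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample of what `ldapsearch -D "cn=directory manager" ... "(objectclass=person)"
# uid passwordExpirationTime passwordExpWarned` prints (the password attributes are
# operational and show up only because they were named). kvaughan has no
# passwordExpirationTime yet; rjensen has a base64 (attr::) value and a folded line.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=person)
# requesting: uid passwordExpirationTime passwordExpWarned
#

# scarter, People, example.com
dn: uid=scarter, ou=People, dc=example,dc=com
uid: scarter
passwordExpirationTime: 20080615185146Z
passwordExpWarned: 0

# tmorris, People, example.com
dn: uid=tmorris, ou=People, dc=example,dc=com
uid: tmorris
passwordExpirationTime: 20080301120000Z
passwordExpWarned: 1

# kvaughan, People, example.com
dn: uid=kvaughan, ou=People, dc=example,dc=com
uid: kvaughan

# rjensen, People, example.com
dn: uid=rjensen, ou=People, dc=example,dc=com
uid: rjensen
description:: UGFzc3dvcmQgYXVkaXQ=
passwordExpirationTime: 2008120100
 0000Z
passwordExpWarned: 0
"""


def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of {attr (lowercased): [values]} dicts."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # LDIF folds long lines with a leading space
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded:
        if line.startswith("#"):
            continue  # ldapsearch comment lines
        if not line.strip():  # a blank line ends the current entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        is_b64 = value.startswith(":")  # "attr:: <base64>" form
        raw = value[1:].strip() if is_b64 else value.strip()
        value = base64.b64decode(raw).decode("utf-8") if is_b64 else raw
        if current is None:
            current = {}
        current.setdefault(attr.strip().lower(), []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def parse_generalized_time(value):
    """Turn an LDAP GeneralizedTime such as 20080615185146Z into an aware UTC datetime."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError("unsupported GeneralizedTime: %r" % value)
    return datetime.strptime(value[:-1], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def expiry_report(ldif_text, now_gt, warn_days):
    """Bucket users by password state as of `now_gt` (a GeneralizedTime string)."""
    now = parse_generalized_time(now_gt)
    report = {"expired": [], "expiring": [], "ok": [], "no_expiration_time": []}
    for entry in parse_ldif(ldif_text):
        uid = entry.get("uid", entry.get("dn", ["<no dn>"]))[0]
        times = entry.get("passwordexpirationtime")
        if not times:
            # Only stamped when the password changes after expiration was enabled.
            report["no_expiration_time"].append(uid)
            continue
        remaining = parse_generalized_time(times[0]) - now
        if remaining <= timedelta(0):
            report["expired"].append(uid)
        elif remaining <= timedelta(days=warn_days):
            report["expiring"].append((uid, remaining.days))
        else:
            report["ok"].append(uid)
    return report
```

Against a live server, feed the real ldapsearch output to expiry_report in place of SAMPLE_LDIF; the no_expiration_time bucket is the set of users Rich describes, who have nothing to warn from until their password is changed.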
From kmarsh at gdrs.com Fri Mar 7 19:48:00 2008
From: kmarsh at gdrs.com (Ken Marsh)
Date: Fri, 7 Mar 2008 14:48:00 -0500
Subject: [Fedora-directory-users] netscapeRoot and Config propagation
Message-ID: <5AD9B0E562FEFB4E933861904D7135C579670A@gdrs-exchange.gdrs.com>

Rich,

The script mentioned in "8.14. Replicating o=NetscapeRoot for Administration
Server Failover", "setup-ds-admin.pl", was not installed on any of my three
Directory Servers. It does not seem to exist in
fedora-ds-1.0.4-1-FC6.x86_64.opt.rpm or fedora-ds-1.0.4-1.RHEL3.rpm. I even
converted them to CPIO using rpm2cpio and dumped them, to no avail.

Do you know where I can download this script?

Thanks,
Ken Marsh

From kmarsh at gdrs.com Fri Mar 7 20:04:08 2008
From: kmarsh at gdrs.com (Ken Marsh)
Date: Fri, 7 Mar 2008 15:04:08 -0500
Subject: [Fedora-directory-users] Request For Comment: fedora-ds-utils project
Message-ID: <5AD9B0E562FEFB4E933861904D7135C5796710@gdrs-exchange.gdrs.com>

Chris,

As someone currently looking for some of these scripts, I think this is a
great idea. I'll throw in a few comments.

> 2. The program must include 'ds' as the first element in the name; for
>    instance:
>
>    - ds-mmrtool
>    - ds-schema-migrate
>    - ds-setup-ssl

While I like the consistency, this sort of introduces a massive documentation
bug. People will read the Red Hat DS or 7.1 DS or latest DS documentation,
look for (say) setup-ds-admin.pl, and it will be missing (renamed), and come
right back to the mailing list asking for it again.

> 4. The program must ONLY produce output a) on errors; or b) with the -v
>    flag. In the event of successful operation, no output should be
>    produced at all.

I suspect the purpose of some scripts is to produce output. Also, some
scripts call other perl or shell scripts, and tying up all those outputs
neatly would probably involve rewriting them all.

> 5. The program must be capable of running completely unattended.

Yes!

> 7. All dependencies of the program must be available as RPMs in the
>    current release of Fedora Linux

OK, but hey! Don't forget us Red Hat (paying) customers. I've had many a cool
new package refuse to run on Enterprise 4 because supporting packages were
"too old" or packages weren't available. I can understand giving up on
Enterprise 3, but right now E4 is still the massive user base.

Ken Marsh

From rmeggins at redhat.com Fri Mar 7 20:19:25 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 07 Mar 2008 13:19:25 -0700
Subject: [Fedora-directory-users] netscapeRoot and Config propagation
In-Reply-To: <5AD9B0E562FEFB4E933861904D7135C579670A@gdrs-exchange.gdrs.com>
References: <5AD9B0E562FEFB4E933861904D7135C579670A@gdrs-exchange.gdrs.com>
Message-ID: <47D1A34D.1070003@redhat.com>

Ken Marsh wrote:
> Rich,
>
> The script mentioned in "8.14. Replicating o=NetscapeRoot for
> Administration Server Failover", "setup-ds-admin.pl" was not installed
> on any of my three Directory Servers. It does not seem to exist in
> fedora-ds-1.0.4-1-FC6.x86_64.opt.rpm or fedora-ds-1.0.4-1.RHEL3.rpm . I
> even converted them to CPIO using rpm2cpio and dumped them, to no avail.
>
> Do you know where I can download this script?
>
The script is provided with and only works with Fedora DS 1.1 and later. I'm
not really sure how to do this with 1.0.4, if you can't use the setup program
that comes with 1.0.4 (/opt/fedora-ds/setup/setup).
> Thanks,
> Ken Marsh
From Ryan.Braun at ec.gc.ca Fri Mar 7 20:19:49 2008
From: Ryan.Braun at ec.gc.ca (Ryan Braun)
Date: Fri, 7 Mar 2008 20:19:49 +0000
Subject: [Fedora-directory-users] netscapeRoot and Config propagation
In-Reply-To: <5AD9B0E562FEFB4E933861904D7135C579670A@gdrs-exchange.gdrs.com>
References: <5AD9B0E562FEFB4E933861904D7135C579670A@gdrs-exchange.gdrs.com>
Message-ID: <200803072019.49487.Ryan.Braun@ec.gc.ca>

On Friday 07 March 2008 7:48 pm, Ken Marsh wrote:
> Rich,
>
> The script mentioned in "8.14. Replicating o=NetscapeRoot for
> Administration Server Failover", "setup-ds-admin.pl" was not installed
> on any of my three Directory Servers. It does not seem to exist in
> fedora-ds-1.0.4-1-FC6.x86_64.opt.rpm or fedora-ds-1.0.4-1.RHEL3.rpm . I
> even converted them to CPIO using rpm2cpio and dumped them, to no avail.
>
> Do you know where I can download this script?

setup-ds-admin.pl is part of Directory Server 8, or FDS 1.1.0. The 1.0.4
release uses the setup command if I remember correctly.

Ryan

From lists at runyanrants.net Fri Mar 7 20:51:00 2008
From: lists at runyanrants.net (Legatus)
Date: Fri, 7 Mar 2008 14:51:00 -0600
Subject: [Fedora-directory-users] Password Warnings
In-Reply-To: <4157DAF9-296D-4F75-829B-66848DD91E55@brianandkelly.ws>
References: <4157DAF9-296D-4F75-829B-66848DD91E55@brianandkelly.ws>

I would love that. Picking through some working code would be the kind of eye
opener I could use.

On Fri, Mar 7, 2008 at 1:26 PM, Brian Roy wrote:
> I have a PHP script that will query FDS for users with about-to-expire and
> expired passwords.
> It sends out email to both the user and a sysadmin. Let me know if you are
> interested.
>
> Regards,
>
> Brian Roy
> Visit my blog at www.briantroy.com/blog
> contact | b.t.roy at brianandkelly.ws - 602.445.9849 | GoogleTalk -
> briantroy at chat.brianandkelly.ws

From lists at runyanrants.net Fri Mar 7 20:53:58 2008
From: lists at runyanrants.net (Legatus)
Date: Fri, 7 Mar 2008 14:53:58 -0600
Subject: Fwd: [Fedora-directory-users] Password Warnings
In-Reply-To: <47D1951E.7070700@redhat.com>
References: <47D1619F.7050207@redhat.com> <47D178B2.9030202@redhat.com> <47D1951E.7070700@redhat.com>

On Fri, Mar 7, 2008 at 1:18 PM, Rich Megginson wrote:
> Legatus wrote:
> > I did that. I know I have done that in the past. I see on one account
> > the passwordExpWarned, I don't see passwordExpirationTime. We need to
> > be able to give users warnings that the password will expire in N
> > days. Am I looking in the wrong place, or is there a setting I
> > haven't set? I set up a policy that is supposed to expire passwords,
> > and warn users.
> One thing is that a user who has not had his/her password changed since
> password expiration was enabled will not have the passwordExpirationTime
> attribute in his/her entry, but you could add it manually.
>
> Another thing - I'm not sure how it is possible that a user could have
> the passwordExpWarned but not the passwordExpirationTime attribute.
> Just looking at the code, everywhere it sets passwordExpWarned it also
> sets passwordExpirationTime.
>
That is why I am confused. I thought that was how it was supposed to work.
From kmarsh at gdrs.com Fri Mar 7 21:08:38 2008
From: kmarsh at gdrs.com (Ken Marsh)
Date: Fri, 7 Mar 2008 16:08:38 -0500
Subject: [Fedora-directory-users] 3-way MMR problem on 1.01-4
Message-ID: <5AD9B0E562FEFB4E933861904D7135C5796722@gdrs-exchange.gdrs.com>

Hi,

OK, I have a problem with MultiMaster Replication between my 3 x 1.01-4 FDS.
I have already tried the following:

Stop servers A and C
Delete the contents of the changelog database directory
restart
push a replication to each from Server B (successful)

While my data was momentarily in sync, I immediately went back to the problem
where incremental updates (users updating passwords) failed.

Here is a typical set of errors from logs/errors on server A:

[07/Mar/2008:15:46:31 -0500] agmt="cn="Replication to B.company.com"" (B:389) - Can't locate CSN 47d04e2e000000010000 in the changelog (DB rc=-30990). The consumer may need to be reinitialized.
[07/Mar/2008:15:46:31 -0500] agmt="cn="Replication to C.company.com"" (C:389) - Can't locate CSN 47d04e2e000000010000 in the changelog (DB rc=-30990). The consumer may need to be reinitialized.

The logs on B and C are analogous. Both have the following (this from C):

[07/Mar/2008:07:46:48 -0500] - import userRoot: Workers finished; cleaning up...
[07/Mar/2008:07:46:48 -0500] - import userRoot: Workers cleaned up.
[07/Mar/2008:07:46:48 -0500] - import userRoot: Indexing complete. Post-processing...
[07/Mar/2008:07:46:48 -0500] - import userRoot: Flushing caches...
[07/Mar/2008:07:46:48 -0500] - import userRoot: Closing files...
[07/Mar/2008:07:46:49 -0500] - import userRoot: Import complete. Processed 496 entries in 5 seconds. (99.20 entries/sec)
[07/Mar/2008:07:46:49 -0500] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=company,dc=com is coming online; enabling replication
[07/Mar/2008:07:46:49 -0500] NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for replica dc=company,dc=com does not match the data in the changelog. Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized.

The user data started out on 7.1 on Directory Server "A". I installed and
replicated it to servers B and C and ran it like that for a while, and
replication worked fine. Then I replaced 7.1 with 1.01-4 on A (just as 1.1 was
released), and replication has been broken since.

I am willing to lose whatever updates or differences necessary to get these
sync'ed up ASAP, any tips?

Thanks for looking,
Ken Marsh

From rmeggins at redhat.com Fri Mar 7 21:22:20 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 07 Mar 2008 14:22:20 -0700
Subject: [Fedora-directory-users] 3-way MMR problem on 1.01-4
In-Reply-To: <5AD9B0E562FEFB4E933861904D7135C5796722@gdrs-exchange.gdrs.com>
References: <5AD9B0E562FEFB4E933861904D7135C5796722@gdrs-exchange.gdrs.com>
Message-ID: <47D1B20C.10508@redhat.com>

Ken Marsh wrote:
> Hi,
>
> OK, I have a problem with MultiMaster Replication between my 3 x 1.01-4
> FDS. I have already tried the following:
>
> Stop servers A and C
> Delete the contents of the changelog database directory
> restart
> push a replication to each from Server B (successful)
>
> While my data was momentarily in sync, I immediately went back to the
> problem where incremental updates (users updating passwords) failed.
>
> Here is a typical set of errors from logs/errors on server A:
>
> [07/Mar/2008:15:46:31 -0500] agmt="cn="Replication to B.company.com""
> (B:389) - Can't locate CSN 47d04e2e000000010000 in the changelog (DB
> rc=-30990). The consumer may need to be reinitialized.
> [07/Mar/2008:15:46:31 -0500] agmt="cn="Replication to C.company.com""
> (C:389) - Can't locate CSN 47d04e2e000000010000 in the changelog (DB
> rc=-30990). The consumer may need to be reinitialized.
>
> The logs on B and C are analogous. Both have the following (this from
> C):
>
> [07/Mar/2008:07:46:48 -0500] - import userRoot: Workers finished;
> cleaning up...
> [07/Mar/2008:07:46:48 -0500] - import userRoot: Workers cleaned up.
> [07/Mar/2008:07:46:48 -0500] - import userRoot: Indexing complete.
> Post-processing...
> [07/Mar/2008:07:46:48 -0500] - import userRoot: Flushing caches...
> [07/Mar/2008:07:46:48 -0500] - import userRoot: Closing files...
> [07/Mar/2008:07:46:49 -0500] - import userRoot: Import complete.
> Processed 496 entries in 5 seconds. (99.20 entries/sec)
> [07/Mar/2008:07:46:49 -0500] NSMMReplicationPlugin -
> multimaster_be_state_change: replica dc=company,dc=com is coming online;
> enabling replication
> [07/Mar/2008:07:46:49 -0500] NSMMReplicationPlugin - replica_reload_ruv:
> Warning: new data for replica dc=company,dc=com does not match the data
> in the changelog.
> Recreating the changelog file. This could affect replication with
> replica's consumers in which case the consumers should be
> reinitialized.
>
> The user data started out on 7.1 on Directory Server "A". I installed
> and replicated it to servers B and C and ran it like that for a while,
> and replication worked fine. Then I replaced 7.1 with 1.01-4 on A (just
> as 1.1 was released), and replication has been broken since.
>
> I am willing to lose whatever updates or differences necessary to get
> these sync'ed up ASAP, any tips?
>
Looks like you may be running into
https://bugzilla.redhat.com/show_bug.cgi?id=388021 which was fixed in Fedora
DS 1.1. One of the comments has a workaround from another Fedora DS 1.0.x
user.
> Thanks for looking,
> Ken Marsh
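A triage script for the log excerpts Ken posted, added here as an example (it is not code from the list or from Fedora DS). It decodes the CSN the supplier cannot locate, using the documented 20-hex-digit CSN layout (Unix time, sequence, replica id, sub-sequence), and compares it with the time the changelog was recreated on re-import, which is what decides whether incremental replication can ever resume or, as the log hints, the consumer has to be reinitialized. The log lines are constructed from the ones quoted above.

```python
"""Triage Fedora DS replication errors of the kind quoted in this thread.

Added example for this thread (not code from the list or from Fedora DS).
"""
import re
from datetime import datetime, timezone

# Constructed sample input, taken from the excerpts in Ken's message:
# server A (the supplier that complains) and server C (after the re-import).
SERVER_A_LOG = """\
[07/Mar/2008:15:46:31 -0500] agmt="cn="Replication to B.company.com"" (B:389) - Can't locate CSN 47d04e2e000000010000 in the changelog (DB rc=-30990). The consumer may need to be reinitialized.
[07/Mar/2008:15:46:31 -0500] agmt="cn="Replication to C.company.com"" (C:389) - Can't locate CSN 47d04e2e000000010000 in the changelog (DB rc=-30990). The consumer may need to be reinitialized.
""".splitlines()

SERVER_C_LOG = """\
[07/Mar/2008:07:46:49 -0500] - import userRoot: Import complete. Processed 496 entries in 5 seconds. (99.20 entries/sec)
[07/Mar/2008:07:46:49 -0500] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=company,dc=com is coming online; enabling replication
[07/Mar/2008:07:46:49 -0500] NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for replica dc=company,dc=com does not match the data in the changelog. Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized.
""".splitlines()

STAMP_RE = re.compile(r"^\[([^\]]+)\]")
MISSING_CSN_RE = re.compile(
    r'agmt="cn="(?P<agmt>[^"]+)"" \((?P<host>[^)]+)\) - '
    r"Can't locate CSN (?P<csn>[0-9a-f]{20}) in the changelog \(DB rc=(?P<rc>-?\d+)\)")
RECREATE_MARK = "Recreating the changelog file"


def log_time(line):
    """Parse the '[dd/Mon/yyyy:HH:MM:SS +zzzz]' prefix into an aware datetime."""
    m = STAMP_RE.match(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z") if m else None


def decode_csn(csn):
    """Split a CSN into its fields.

    Layout: 8 hex digits of Unix time, then 4 hex digits each for the
    sequence number, the replica id and the sub-sequence number."""
    if not re.fullmatch(r"[0-9a-f]{20}", csn):
        raise ValueError("not a 20-hex-digit CSN: %r" % csn)
    return {
        "time": datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc),
        "seq": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def changelog_recreated_at(lines):
    """Time of the most recent changelog recreation in this log, or None."""
    times = [log_time(l) for l in lines if RECREATE_MARK in l]
    return max(times) if times else None


def missing_csn_events(lines):
    """One record per 'Can't locate CSN' error, with the CSN decoded."""
    events = []
    for line in lines:
        m = MISSING_CSN_RE.search(line)
        if m:
            ev = dict(m.groupdict(), when=log_time(line), rc=int(m.group("rc")))
            ev["csn_fields"] = decode_csn(ev["csn"])
            events.append(ev)
    return events


def consumers_needing_reinit(supplier_lines, recreated_at):
    """Agreements whose missing CSN predates a changelog recreation.

    A change written before the changelog was recreated is no longer held in
    any changelog, so incremental replication cannot resume for that consumer;
    it has to be reinitialized (full re-import). Without a known recreation
    time every missing-CSN agreement is listed, as the log line itself advises."""
    return sorted({ev["agmt"] for ev in missing_csn_events(supplier_lines)
                   if recreated_at is None or ev["csn_fields"]["time"] < recreated_at})


if __name__ == "__main__":
    rec = changelog_recreated_at(SERVER_C_LOG)
    for ev in missing_csn_events(SERVER_A_LOG):
        print(ev["agmt"], "is missing a CSN written at", ev["csn_fields"]["time"].isoformat())
    print("changelog recreated at", rec.isoformat() if rec else "never")
    print("reinitialize:", consumers_needing_reinit(SERVER_A_LOG, rec))
```

For the quoted logs the missing CSN decodes to 6 March 2008, 20:03:58 UTC, about sixteen hours before the changelogs were recreated on 7 March, which is why no server can supply it.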
From rmeggins at redhat.com Fri Mar 7 21:30:00 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 07 Mar 2008 14:30:00 -0700
Subject: Fwd: [Fedora-directory-users] Password Warnings
References: <47D1619F.7050207@redhat.com> <47D178B2.9030202@redhat.com> <47D1951E.7070700@redhat.com>
Message-ID: <47D1B3D8.2050202@redhat.com>

Legatus wrote:
> On Fri, Mar 7, 2008 at 1:18 PM, Rich Megginson wrote:
>
> > Legatus wrote:
> > > I did that. I know I have done that in the past. I see on one
> > > account the passwordExpWarned, I don't see passwordExpirationTime. We
> > > need to be able to give users warnings that the password will expire
> > > in N days. Am I looking in the wrong place, or is there a setting I
> > > haven't set? I set up a policy that is supposed to expire passwords,
> > > and warn users.
> > One thing is that a user who has not had his/her password changed
> > since password expiration was enabled will not have the
> > passwordExpirationTime attribute in his/her entry, but you could add
> > it manually.
> >
> > Another thing - I'm not sure how it is possible that a user could have
> > the passwordExpWarned but not the passwordExpirationTime attribute.
> > Just looking at the code, everywhere it sets passwordExpWarned it also
> > sets passwordExpirationTime.
>
> That is why I am confused. I thought that was how it was supposed to
> work.
If you update the password, do both attributes appear?
From beyonddc.storage at gmail.com Sat Mar 8 02:18:57 2008
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Fri, 7 Mar 2008 21:18:57 -0500
Subject: [Fedora-directory-users] Unable to delete replication changelog
Message-ID: <20e4c38c0803071818o56664ce6q979ce1b04819f7c4@mail.gmail.com>

Hi, we're using Fedora DS 1.0.2.

I'm trying to delete the replication changelog by unchecking the "Enable
Changelog" box. After I have done that, I click the button "Save", and I see
the following message.

"Error disabling changelog."
"The error is 'Operations error'"

I then look at the "Error Log" and saw the following.

"NSMMReplicationPlugin - changelog program - changelog5_config_delete: chagelog is not configured".

Any idea what's going on?

Thanks in advance.

- dc

From angad at infonox.com Sun Mar 9 14:13:50 2008
From: angad at infonox.com (angad)
Date: Sun, 9 Mar 2008 19:43:50 +0530
Subject: [Fedora-directory-users] Problem while authenticating against FDS
Message-ID: <002f01c881ef$d10287f0$3801f00a@ifxpune.com>

Hi Friends,

I have installed Fedora Directory Server on RHEL 4. When I am configuring
RHEL 4 clients for authentication, authentication is working fine. But when I
configure a RHEL 3 client to authenticate against the RHEL 4 FDS server, it
is not authenticating. Is there any compatibility issue or any settings that
need to be done? Please help me out in this issue.

Thanks in advance

Regards,
Angad
From niranjan.ashok at gmail.com Sun Mar 9 14:50:27 2008
From: niranjan.ashok at gmail.com (mallapadi niranjan)
Date: Sun, 9 Mar 2008 20:20:27 +0530
Subject: [Fedora-directory-users] Problem while authenticating against FDS
In-Reply-To: <002f01c881ef$d10287f0$3801f00a@ifxpune.com>
References: <002f01c881ef$d10287f0$3801f00a@ifxpune.com>
Message-ID: <73e979680803090750x6d2d58ech58ac0666c0d32894@mail.gmail.com>

As far as I know, there is no compatibility issue, but can you post what
error you are getting when logging in as an LDAP user?

Suggestions:

1. Check from the RHEL 3 box that you are able to contact FDS: do an
   ldapsearch and see whether you get results.
2. When you log in as an LDAP user, what error is reported in
   /var/log/messages? At the same time check what error is reported in the
   directory server logs.

On Sun, Mar 9, 2008 at 7:43 PM, angad wrote:
> Hi Friends,
>
> I have installed Fedora Directory Server on RHEL 4. When I am configuring
> RHEL 4 clients for authentication, authentication is working fine. But I
> configure RHEL 3 client for authenticate against RHEL 4 FDS server , it is
> not authenticating. Is there any compability issue or any settings need to
> be done. Please help me out in this issue.
>
> Thanks in advance
>
> Regards,
> Angad

From stpierre at NebrWesleyan.edu Mon Mar 10 03:15:59 2008
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Sun, 9 Mar 2008 22:15:59 -0500 (CDT)
Subject: [Fedora-directory-users] Request For Comment: fedora-ds-utils project
In-Reply-To: <5AD9B0E562FEFB4E933861904D7135C5796710@gdrs-exchange.gdrs.com>
References: <5AD9B0E562FEFB4E933861904D7135C5796710@gdrs-exchange.gdrs.com>

Ken--

Thanks for your comments. Some counterpoints below. :)

> While I like the consistancy, this sort of introduces a massive
> documentation bug. People will read the Red Hat DS or 7.1 DS or latest
> DS documentation, look for (say) setup-ds-admin.pl, and it will be
> missing (renamed), and come right back to the mailing list asking for it
> again.

Most of the scripts I'll be working with won't be mentioned in the official
Redhat documentation; they're peripherals, not central to the operation of
the DS. (E.g., setup-ds-admin.pl -- which _has_ been renamed, incidentally --
is packaged in fedora-ds-base itself.)

That said, it might be a reasonable compromise to create a package that
installs a script, say, ds-schema-migrate, plus a symlink to that script from
ol-schema-migrate.pl, but make the script generate a warning when it's called
by the old name. This should make it possible to change the existing
documentation -- mostly on the Fedora DS wiki, I believe -- referring to those
scripts at our leisure, while not breaking old functionality. Thoughts?

> I suspect the purpose of some scripts is to produce output.

Heh, good point. I'll have to write that requirement a little more
carefully.

> Also, some scripts call other perl or shell scripts, and tying up
> all those outputs neatly would probably involve rewriting them all.

I'm still not deterred. If the programmer calls a command that generates
unwanted output, it should be the job of the programmer -- not of the
sysadmin -- to handle that output gracefully.

> OK, but hey! Don't forget us Red Hat (paying) customers. I've had many a
> cool new package refuse to run on Enterprise 4 because supporting
> packages were "too old" or packages weren't available. I can understand
> giving up on Enterprise 3, but right now E4 is still the massive user
> base.

I actually _am_ one of those paying customers, so I feel your pain. :)

That said, Fedora DS is a Fedora project, and while it'd be nice to only
allow RHEL dependencies, I don't think it's reasonable for a Fedora-related
project to tie itself to that (slower) release cycle. In practice, this is
really only a problem where a package requires a _newer_ version of something
than is available for RHEL X.Y; I've rarely run into a package available for
Fedora that isn't available, prebuilt, for RHEL, whether from Dag Wieers,
EPEL, CentOS Extras, or any of the other third-party repos out there.

I'll add some language stating that scripts _should_ endeavor to work on all
currently supported RHEL releases, but I don't think we can make this a
requirement.

Thanks again! Great input!

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

From diwakoe at gmail.com Mon Mar 10 08:49:08 2008
From: diwakoe at gmail.com (Diwakoe)
Date: Mon, 10 Mar 2008 08:49:08 +0000
Subject: [Fedora-directory-users] Password Warnings
In-Reply-To: <4157DAF9-296D-4F75-829B-66848DD91E55@brianandkelly.ws>
References: <4157DAF9-296D-4F75-829B-66848DD91E55@brianandkelly.ws>

On Fri, Mar 7, 2008 at 7:26 PM, Brian Roy wrote:
> I have a PHP script that will query FDS for users with about-to-expire and
> expired passwords.
>
> It sends out email to both the user and a sysadmin. Let me know if you are
> interested.
>
> Regards,
>
> Brian Roy

It would be nice if you posted it here.

Thanks.

--
Semua rasa ada disini
http://www.teoteblung.co.nr

From jason at runyan.net Fri Mar 7 17:07:20 2008
From: jason at runyan.net (JD runyan)
Date: Fri, 7 Mar 2008 11:07:20 -0600
Subject: [Fedora-directory-users] Password Warnings
In-Reply-To: <47D1619F.7050207@redhat.com>
References: <47D1619F.7050207@redhat.com>

I have tried with this search, and also using the userid that I am
requesting the information from. So "uid=me,ou=people,dc=mydc" to get info
on "uid=me,ou=people,dc=mydc":

ldapsearch -x -b 'ou=people,dc=mydc' -s sub -D 'cn=directory manager' -w "objectclass=*" attrs="passwordExpWarned passwordExpirationTime"

On Fri, Mar 7, 2008 at 9:39 AM, Rich Megginson wrote:
> Legatus wrote:
> > I am new to the list, and I apologize if this question has been
> > answered before.
> >
> > I haven't done much programming for LDAP, though I have been managing
> > directories for years. I am working with some developers, who a)
> > aren't very imaginative, b) not very clever, and c) lazy. So I need
> > to know how to get at the password information that says a password
> > has expired, is about to expire, et al. I have tried to query for the
> > attributes using ldapsearch that seem to be what I want, like
> > passwordexpirationtime, but I get nothing back.
> Can you post your exact ldapsearch command line? Note that
> passwordexpirationtime and other password attributes in user entries are
> operational attributes - this means they are not retrieved by default
> with an LDAP search but must be explicitly listed in the list of
> attributes to retrieve.
> > They all figure I should know the magic incantation, since I know how
> > to make the directory work, and usually that would be the case. This
> > time I am stuck. Anyone solved this problem? I am running FDS 1.0.2,
> > and 1.0.4. I get the same result in both. Any help would be great.
From jason at runyan.net Fri Mar 7 18:08:17 2008
From: jason at runyan.net (JD runyan)
Date: Fri, 7 Mar 2008 12:08:17 -0600
Subject: Fwd: [Fedora-directory-users] Password Warnings
In-Reply-To: <47D178B2.9030202@redhat.com>
References: <47D1619F.7050207@redhat.com> <47D178B2.9030202@redhat.com>

I did that. I know I have done that in the past. I see on one account the
passwordExpWarned, I don't see passwordExpirationTime. We need to be able to
give users warnings that the password will expire in N days. Am I looking in
the wrong place, or is there a setting I haven't set? I set up a policy that
is supposed to expire passwords, and warn users.

On Fri, Mar 7, 2008 at 11:17 AM, Rich Megginson wrote:
> Legatus wrote:
> > I have tried with this search, and also using the userid that I am
> > requesting the information from. So "uid=me,ou=people,dc=mydc" to get
> > info on "uid=me,ou=people,dc=mydc"
> >
> > ldapsearch -x -b 'ou=people,dc=mydc' -s sub -D 'cn=directory manager'
> > -w "objectclass=*" attrs="passwordExpWarned
> > passwordExpirationTime"
> Don't use attrs="..." Just specify them on the command line - ...
> "objectclass=*" passwordExpWarned passwordExpirationTime
> If you want all regular attributes plus the additional operational
> attributes, use "*" e.g.
> ldapsearch .... "objectclass=*" \* passwordExpWarned
> passwordExpirationTime
> ldapsearch --help
> ...
> usage: ldapsearch [options] [filter [attributes...]]
> where:
>   filter       RFC-2254 compliant LDAP search filter
>   attributes   whitespace-separated list of attribute descriptions
>
> Note that openldap has a special attribute called "+" but this is not
> supported by Fedora DS.
>
> > On Fri, Mar 7, 2008 at 9:39 AM, Rich Megginson wrote:
> >
> >     Legatus wrote:
> >     > I am new to the list, and I apologize if this question has been
> >     > answered before.
> >     >
> >     > I haven't done much programming for LDAP, though I have been
> >     > managing directories for years. I am working with some
> >     > developers, who a) aren't very imaginative, b) not very clever,
> >     > and c) lazy. So I need to know how to get at the password
> >     > information that says a password has expired, is about to
> >     > expire, et al. I have tried to query for the attributes using
> >     > ldapsearch that seem to be what I want, like
> >     > passwordexpirationtime, but I get nothing back.
> >     Can you post your exact ldapsearch command line? Note that
> >     passwordexpirationtime and other password attributes in user
> >     entries are operational attributes - this means they are not
> >     retrieved by default with an LDAP search but must be explicitly
> >     listed in the list of attributes to retrieve.
> >     > They all figure I should know the magic incantation, since I
> >     > know how to make the directory work, and usually that would be
> >     > the case. This time I am stuck. Anyone solved this problem? I am
> >     > running FDS 1.0.2, and 1.0.4. I get the same result in both. Any
> >     > help would be great.
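Rich's ldapsearch advice above, put to work the way Brian's script would; this is an added example, not code from the list or from Fedora DS. It builds the command line with the operational attributes named positionally (no attrs=, and no OpenLDAP-style '+'), then reads the LDIF that ldapsearch prints (a constructed sample here; the base DN, bind DN and user entries are made up) and decides who needs a warning, treating a missing passwordExpirationTime as its own case because, as Rich notes, such users exist.

```python
"""Find users whose Fedora DS password is expiring or has expired.

Added example for this thread (not code from the list or from Fedora DS).
DNs, users and the "now" below are made up.
"""
import base64
from datetime import datetime, timezone

OPERATIONAL = ("passwordExpirationTime", "passwordExpWarned")


def ldapsearch_argv(base, binddn, filt="(objectclass=*)", attrs=OPERATIONAL):
    """Command line that actually returns the password attributes.

    They are operational, so they come back only when named. The attribute
    list is positional after the filter (not 'attrs=...'), '*' adds all the
    regular attributes, and OpenLDAP's '+' is not honoured by Fedora DS, so
    each operational attribute is spelled out. -W prompts for the bind
    password instead of putting it on the command line."""
    return ["ldapsearch", "-x", "-b", base, "-s", "sub", "-D", binddn, "-W",
            filt, "*", *attrs]


def parse_ldif(text):
    """Small LDIF reader: unfolds continuation lines, decodes '::' base64
    values, returns one dict per record (names lower-cased, values in lists)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    records, cur = [], {}
    for line in unfolded + [""]:
        if not line or line.startswith("#"):
            if cur:
                records.append(cur)
                cur = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        cur.setdefault(name.strip().lower(), []).append(value.strip())
    return records


def expiry_report(ldif_text, now, warn_days=7):
    """(uid, state, days_left) per user entry.

    States: 'expired', 'warn' (within warn_days), 'ok', or
    'no-expiration-time' for entries without passwordExpirationTime: a user
    whose password has not changed since expiration was enabled has no such
    attribute, so 'absent' must not be read as 'fine'. The attribute is
    GeneralizedTime in UTC, e.g. 20080320120000Z."""
    report = []
    for e in parse_ldif(ldif_text):
        if "dn" not in e:          # ldapsearch's trailing 'search:/result:' block
            continue
        uid = e.get("uid", e["dn"])[0]
        exp = e.get("passwordexpirationtime")
        if not exp:
            report.append((uid, "no-expiration-time", None))
            continue
        when = datetime.strptime(exp[0], "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        days = (when - now).total_seconds() / 86400
        state = "expired" if days < 0 else ("warn" if days <= warn_days else "ok")
        report.append((uid, state, round(days, 1)))
    return report


# Constructed sample: what ldapsearch would print for four made-up users.
SAMPLE_LDIF = """\
# extended LDIF
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
passwordExpirationTime: 20080320120000Z
passwordExpWarned: 0

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
passwordExpirationTime: 20080301000000Z
passwordExpWarned: 1

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol

dn: uid=dave,ou=people,dc=example,dc=com
uid: dave
passwordExpirationTime: 20080601000000Z

# search result
search: 2
result: 0 Success
"""

NOW = datetime(2008, 3, 14, 12, 0, tzinfo=timezone.utc)   # fixed "now" for the sample

if __name__ == "__main__":
    print(" ".join(ldapsearch_argv("ou=people,dc=example,dc=com", "cn=directory manager")))
    for uid, state, days in expiry_report(SAMPLE_LDIF, NOW):
        print("%-8s %-19s %s" % (uid, state, "" if days is None else "%.1f days" % days))
```

The 'warn' and 'expired' rows are the ones a notification script mails to the user and the sysadmin; the 'no-expiration-time' rows are the accounts to look at by hand.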
From kmarsh at gdrs.com Mon Mar 10 15:12:32 2008
From: kmarsh at gdrs.com (Ken Marsh)
Date: Mon, 10 Mar 2008 11:12:32 -0400
Subject: [Fedora-directory-users] YUM and 64 bit upgrade to 1.1 questions
Message-ID: <5AD9B0E562FEFB4E933861904D7135C579679B@gdrs-exchange.gdrs.com>

Hi,

I have some questions upgrading 3 Red Hat systems (ES3, 4 x86 & ES5x86_64,
one each) from FDS 1.01-4 to 1.1.

1. On RHES5.1 x86_64, is it safe to do yum to update the installation? There
   are a lot of warnings out there about yum vs Beta of 1.1. Should I remove
   all of 1.01-4 first?
2. Should I be using redhat-ds instead of fedora-ds for supported RH systems?
3. Searching for packages in rhn.redhat.com, there is no redhat-ds available.
   Shouldn't it be there? I have entitlements for 3, 4 and 5.
4. Must I use YUM for Enterprise 4 systems? Why can't I just download an FDS
   1.1 RPM and install it? It would be much easier than converting E4 systems
   to YUM.
5. If I must use YUM, is there some EASY, STRAIGHTFORWARD instructions for
   installing YUM on ES4? Everything out there seems to assume I am setting
   up some grand upgrade redistribution engine when all I want is a few
   packages.

Ken Marsh
ANS System Administration Lead
(410) 876-9200

From rmeggins at redhat.com Mon Mar 10 15:20:03 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 10 Mar 2008 09:20:03 -0600
Subject: [Fedora-directory-users] YUM and 64 bit upgrade to 1.1 questions
In-Reply-To: <5AD9B0E562FEFB4E933861904D7135C579679B@gdrs-exchange.gdrs.com>
References: <5AD9B0E562FEFB4E933861904D7135C579679B@gdrs-exchange.gdrs.com>
Message-ID: <47D551A3.9010809@redhat.com>

Ken Marsh wrote:
>
> Hi,
>
> I have some questions upgrading 3 Red Hat systems (ES3, 4 x86 &
> ES5x86_64, one each) from FDS 1.01-4 to 1.1.
>
> 1. On RHES5.1 x86_64, is it safe to do yum to update the
>    installation? There are a lot of warnings out there about yum vs
>    Beta of 1.1. Should I remove all of 1.01-4 first?
>
Either way is fine. Just be sure to backup your data (db2bak, db2ldif) and
your config (slapd-instance/config) before you upgrade.
>
> 2. Should I be using redhat-ds instead of fedora-ds for supported
>    RH systems?
>
Red Hat Directory Server is not free - you have to purchase a separate
subscription/entitlement. If you would like to purchase Red Hat DS, please
contact me off list.
>
> 3. Searching for packages in rhn.redhat.com, there is no redhat-ds
>    available. Shouldn't it be there? I have entitlements for 3, 4
>    and 5.
>
See above.
>
> 4. Must I use YUM for Enterprise 4 systems? Why can't I just
>    download an FDS 1.1 RPM and install it?
>
There is no FDS 1.1 RPM for EL4.
>
>    It would be much easier than converting E4 systems to YUM.
> 5. If I must use YUM, is there some EASY, STRAIGHTFORWARD
>    instructions for installing YUM on ES4? Everything out there
>    seems to assume I am setting up some grand upgrade
>    redistribution engine when all I want is a few packages.
>
> Ken Marsh
>
> ANS System Administration Lead
>
> (410) 876-9200

From stpierre at NebrWesleyan.edu Mon Mar 10 15:24:34 2008
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Mon, 10 Mar 2008 10:24:34 -0500 (CDT)
Subject: [Fedora-directory-users] Fedora DS Graph 1.0.1 released

Fedora DS Graph 1.0.0, released last week, has a bug that prevents SSL
connections from being counted. Fedora DS Graph 1.0.1, available at
http://www.stpierreconsulting.com/fedora-ds-1-0-1, fixes this bug.

Thanks go to Andrey Ivanov for discovering it!

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

From rcritten at redhat.com Mon Mar 10 15:41:37 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 Mar 2008 11:41:37 -0400
Subject: [Fedora-directory-users] YUM and 64 bit upgrade to 1.1 questions
In-Reply-To: <47D551A3.9010809@redhat.com>
References: <5AD9B0E562FEFB4E933861904D7135C579679B@gdrs-exchange.gdrs.com> <47D551A3.9010809@redhat.com>
Message-ID: <47D556B1.90807@redhat.com>

Rich Megginson wrote:
> Ken Marsh wrote:
>>
>> Hi,
>>
>> I have some questions upgrading 3 Red Hat systems (ES3, 4 x86 &
>> ES5x86_64, one each) from FDS 1.01-4 to 1.1.
>>
>> 1. On RHES5.1 x86_64, is it safe to do yum to update the
>>    installation? There are a lot of warnings out there about yum vs
>>    Beta of 1.1. Should I remove all of 1.01-4 first?
>>
> Either way is fine. Just be sure to backup your data (db2bak, db2ldif)
> and your config (slapd-instance/config) before you upgrade.
>>
>> 2. Should I be using redhat-ds instead of fedora-ds for supported
>>    RH systems?
>>
> Red Hat Directory Server is not free - you have to purchase a separate
> subscription/entitlement. If you would like to purchase Red Hat DS,
> please contact me off list.
>>
>> 3. Searching for packages in rhn.redhat.com, there is no redhat-ds
>>    available. Shouldn't it be there? I have entitlements for 3, 4
>>    and 5.
>>
> See above.
>>
>> 4. Must I use YUM for Enterprise 4 systems? Why can't I just
>>    download an FDS 1.1 RPM and install it?
>>
> There is no FDS 1.1 RPM for EL4.

As an aside, up2date supports yum repos to some extent. If you look in
/etc/sysconfig/sources (I think) you'll see some syntax for it.

rob
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From kmarsh at gdrs.com Mon Mar 10 15:54:19 2008 From: kmarsh at gdrs.com (Ken Marsh) Date: Mon, 10 Mar 2008 11:54:19 -0400 Subject: [Fedora-directory-users] Re: YUM and 64 bit upgrade to 1.1 questions Message-ID: <5AD9B0E562FEFB4E933861904D7135C57967A8@gdrs-exchange.gdrs.com> Update- OK, I got YUM working on a RHE4 system. Now, what YUM repository do I use, 6, 7, 8, 9 and/or common? Thanks, Ken Marsh ANS System Administration Lead (410) 876-9200 -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Mon Mar 10 16:11:32 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 10 Mar 2008 10:11:32 -0600 Subject: [Fedora-directory-users] Re: YUM and 64 bit upgrade to 1.1 questions In-Reply-To: <5AD9B0E562FEFB4E933861904D7135C57967A8@gdrs-exchange.gdrs.com> References: <5AD9B0E562FEFB4E933861904D7135C57967A8@gdrs-exchange.gdrs.com> Message-ID: <47D55DB4.3050204@redhat.com> Ken Marsh wrote: > > Update- OK, I got YUM working on a RHE4 system. > > > > Now, what YUM repository do I use, 6, 7, 8, 9 and/or common? > None of the above. Fedora DS 1.1 does not work on EL4. > > > > Thanks, > > > > Ken Marsh > > ANS System Administration Lead > > (410) 876-9200 > > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
From bagyi at mail.fmkorhaz.hu Mon Mar 10 16:20:22 2008
From: bagyi at mail.fmkorhaz.hu (Tamas Bagyal)
Date: Mon, 10 Mar 2008 17:20:22 +0100
Subject: [Fedora-directory-users] notes on building fds in etch and a failed build question
In-Reply-To: <47CED1A8.5080608@mail.fmkorhaz.hu>
References: <200802192232.02999.Ryan.Braun@ec.gc.ca> <200802251508.50693.Ryan.Braun@ec.gc.ca> <47C325E9.4010600@redhat.com> <200802261624.06814.Ryan.Braun@ec.gc.ca> <47CC34AD.6000409@mail.fmkorhaz.hu> <47CC37D3.70500@redhat.com> <47CC3FD0.7010300@fmkorhaz.hu> <47CD69C2.2030209@redhat.com> <47CE97A6.5020701@mail.fmkorhaz.hu> <47CEB97C.3070107@redhat.com> <47CED1A8.5080608@mail.fmkorhaz.hu>
Message-ID: <47D55FC6.40708@mail.fmkorhaz.hu>

Tamas Bagyal wrote:
> Rich Megginson wrote:
>> Tamas Bagyal wrote:
>>> Rich Megginson wrote:
>>>> Bagyal Tamas wrote:
>>>>> Rich Megginson wrote:
>>>>>> Tamas Bagyal wrote:
>>>>>>> hello Ryan,
>>>>>>>
>>>>>>> Have you tried this version? I have two fedora-ds 1.0.4 in MMR
>>>>>>> configuration. I migrated one of those to 1.1 (built following your
>>>>>>> and Rich's instructions), but I have a problem with the memory usage
>>>>>>> of the ns-slapd process. Initially mem usage is 18.5%, but after
>>>>>>> 2 hours this changed to 23.1% and grew until killed by the kernel
>>>>>>> (I think...).
>>>>>>>
>>>>>>> Mostly read transactions happen (DNS) with a few writes (CUPS).
>>>>>>> This is a Debian etch box, mem size is 512 MByte (I know this is too
>>>>>>> low, but this is a test environment). The cache size of slapd is
>>>>>>> 67108864.
>>>>>> Are you using SSL? Anything interesting in your server error log?
>>>>>
>>>>> I ran setupssl2.sh but do not use any SSL connection. The error
>>>>> log shows nothing, only the server start.
>>>> The reason I ask is that older versions of the NSS crypto/SSL
>>>> libraries had a memory leak. NSS 3.11.7 does not have this
>>>> problem. But you would only see the problem if you were using SSL
>>>> connections.
>>>
>>> OK. I tried again from the beginning: fresh install, no SSL, no migration,
>>> used setup-ds-admin.pl and set up the MMR with a fedora-ds 1.0.4.
>>> But nothing changed, memory usage keeps growing...
>>> All settings are default except the MMR/changelog, and access.log is off.
>>>
>>> errors:
>>>
>>> Fedora-Directory/1.1.0 B2008.059.1017
>>> tower.fmintra.hu:389 (/opt/dirsrv/etc/dirsrv/slapd-tower)
>>>
>>> [05/Mar/2008:10:19:20 +0100] - dblayer_instance_start: pagesize: 4096, pages: 128798, procpages: 5983
>>> [05/Mar/2008:10:19:20 +0100] - cache autosizing: import cache: 204800k
>>> [05/Mar/2008:10:19:21 +0100] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096
>>> [05/Mar/2008:10:19:21 +0100] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
>>> [05/Mar/2008:10:19:21 +0100] - dblayer_instance_start: pagesize: 4096, pages: 128798, procpages: 5983
>>> [05/Mar/2008:10:19:21 +0100] - cache autosizing: import cache: 204800k
>>> [05/Mar/2008:10:19:21 +0100] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096
>>> [05/Mar/2008:10:19:21 +0100] - import userRoot: Beginning import job...
>>> [05/Mar/2008:10:19:21 +0100] - import userRoot: Index buffering enabled with bucket size 100
>>> [05/Mar/2008:10:19:21 +0100] - import userRoot: Processing file "/tmp/ldifZHth0D.ldif"
>>> [05/Mar/2008:10:19:21 +0100] - import userRoot: Finished scanning file "/tmp/ldifZHth0D.ldif" (9 entries)
>>> [05/Mar/2008:10:19:21 +0100] - import userRoot: Workers finished; cleaning up...
>>> [05/Mar/2008:10:19:21 +0100] - import userRoot: Workers cleaned up.
>>> [05/Mar/2008:10:19:21 +0100] - import userRoot: Cleaning up producer thread...
>>> [05/Mar/2008:10:19:21 +0100] - import userRoot: Indexing complete. Post-processing...
>>> [05/Mar/2008:10:19:21 +0100] - import userRoot: Flushing caches...
>>> [05/Mar/2008:10:19:21 +0100] - import userRoot: Closing files...
>>> [05/Mar/2008:10:19:21 +0100] - All database threads now stopped
>>> [05/Mar/2008:10:19:21 +0100] - import userRoot: Import complete. Processed 9 entries in 0 seconds. (inf entries/sec)
>>> [05/Mar/2008:10:19:22 +0100] - Fedora-Directory/1.1.0 B2008.059.1017 starting up
>>> [05/Mar/2008:10:19:22 +0100] - I'm resizing my cache now...cache was 209715200 and is now 8000000
>>> [05/Mar/2008:10:19:22 +0100] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>> [05/Mar/2008:10:22:23 +0100] NSMMReplicationPlugin - changelog program - cl5Open: failed to open changelog
>>> [05/Mar/2008:10:22:24 +0100] NSMMReplicationPlugin - changelog program - changelog5_config_add: failed to start changelog
>>> [05/Mar/2008:10:26:49 +0100] NSMMReplicationPlugin - agmt="cn=replica to backup" (backup:389): Replica has a different generation ID than the local data.
>>> [05/Mar/2008:10:32:00 +0100] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=fmintra,dc=hu: 32
>>> [05/Mar/2008:10:32:00 +0100] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=fmintra,dc=hu is going offline; disabling replication
>>> [05/Mar/2008:10:32:00 +0100] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
>>> [05/Mar/2008:10:32:13 +0100] - import userRoot: Workers finished; cleaning up...
>>> [05/Mar/2008:10:32:13 +0100] - import userRoot: Workers cleaned up.
>>> [05/Mar/2008:10:32:13 +0100] - import userRoot: Indexing complete. Post-processing...
>>> [05/Mar/2008:10:32:13 +0100] - import userRoot: Flushing caches...
>>> [05/Mar/2008:10:32:13 +0100] - import userRoot: Closing files...
>>> [05/Mar/2008:10:32:14 +0100] - import userRoot: Import complete. Processed 12242 entries in 13 seconds. (941.69 entries/sec)
>>> [05/Mar/2008:10:32:14 +0100] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=fmintra,dc=hu is coming online; enabling replication
>>>
>>> memory usage by top:
>>>
>>> top - 10:58:21 up 25 days, 22:36,  2 users,  load average: 0.01, 0.13, 0.22
>>> Tasks:  61 total,   2 running,  59 sleeping,   0 stopped,   0 zombie
>>> Cpu(s):  0.0%us,  0.0%sy,  0.0%ni,100.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
>>> Mem:    515192k total,   189600k used,   325592k free,    36472k buffers
>>> Swap:   489848k total,    18292k used,   471556k free,   106188k cached
>>>
>>>   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
>>> 27647 fds       15   0  464m  47m  25m S  0.0  9.4   1:34.57 ns-slapd
>>>
>>> top - 11:23:12 up 25 days, 23:01,  2 users,  load average: 0.36, 0.27, 0.20
>>> Tasks:  61 total,   2 running,  59 sleeping,   0 stopped,   0 zombie
>>> Cpu(s):  3.0%us,  0.0%sy,  0.0%ni, 96.0%id,  1.0%wa,  0.0%hi,  0.0%si,  0.0%st
>>> Mem:    515192k total,   210700k used,   304492k free,    36488k buffers
>>> Swap:   489848k total,    18288k used,   471560k free,   117204k cached
>>>
>>>   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
>>> 27647 fds       15   0  473m  59m  28m S  3.0 11.9   2:52.77 ns-slapd
>>>
>>> top - 11:48:26 up 25 days, 23:26,  2 users,  load average: 0.02, 0.08, 0.10
>>> Tasks:  61 total,   1 running,  60 sleeping,   0 stopped,   0 zombie
>>> Cpu(s):  3.0%us,  0.0%sy,  0.0%ni, 97.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
>>> Mem:    515192k total,   222756k used,   292436k free,    36520k buffers
>>> Swap:   489848k total,    18288k used,   471560k free,   118932k cached
>>>
>>>   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
>>> 27647 fds       15   0  483m  72m  30m S  0.0 14.4   4:12.04 ns-slapd
>>>
>>> top - 13:31:42 up 26 days,  1:09,  2 users,  load average: 0.28, 0.17, 0.15
>>> Tasks:  61 total,   2 running,  59 sleeping,   0 stopped,   0 zombie
>>> Cpu(s):  1.1%us,  0.0%sy,  0.0%ni, 98.9%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
>>> Mem:    515192k total,   285572k used,   229620k free,    36540k buffers
>>> Swap:   489848k total,    18288k used,   471560k free,   140412k cached
>>>
>>>   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
>>> 27647 fds       15   0  523m 116m  34m S  0.0 23.3   9:35.65 ns-slapd
>
>> Can you post your dse.ldif to pastebin.com? Be sure to omit or
>> obscure any sensitive data first. I'd like to see what all of your
>> cache settings are. Normally the server will increase in memory usage
>> until the caches are full, then memory usage should level off. The
>> speed at which this occurs depends on usage.
>>
> http://www.pastebin.org/22477
>
> I forgot one thing: I use some custom schema (ldapdns, ibm... etc.), if
> this changes anything. (But I think this is not relevant info.)
>
>> When the kernel kills your server, how much memory is it using? Is
>> there anything in the server error log at around the time the kernel
>> kills it?
>>
> I'm not sure, but at that time it uses the maximum possible (512 RAM + 512
> swap available), I think around 940 MB. The kernel first kills some other
> processes, like mc, and after these the ns-slapd. I can't see anything
> in the log file, just the server start.
>
>> Finally, if you are convinced that there is a real memory leak in the
>> server, would it be possible for you to run it under valgrind? Just
>> running it under valgrind for 30 minutes or so should reveal any
>> memory leaks in normal usage.
>
> http://www.pastebin.org/22484
>
> I can't understand this output, I have never used valgrind before. I hope
> I used the right options for valgrind.
>

Can you tell me what the valgrind output means?
thanks,

KEeF

From rmeggins at redhat.com Mon Mar 10 16:53:30 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 10 Mar 2008 10:53:30 -0600
Subject: [Fedora-directory-users] notes on building fds in etch and a failed build question
In-Reply-To: <47D55FC6.40708@mail.fmkorhaz.hu>
References: <200802192232.02999.Ryan.Braun@ec.gc.ca> <200802251508.50693.Ryan.Braun@ec.gc.ca> <47C325E9.4010600@redhat.com> <200802261624.06814.Ryan.Braun@ec.gc.ca> <47CC34AD.6000409@mail.fmkorhaz.hu> <47CC37D3.70500@redhat.com> <47CC3FD0.7010300@fmkorhaz.hu> <47CD69C2.2030209@redhat.com> <47CE97A6.5020701@mail.fmkorhaz.hu> <47CEB97C.3070107@redhat.com> <47CED1A8.5080608@mail.fmkorhaz.hu> <47D55FC6.40708@mail.fmkorhaz.hu>
Message-ID: <47D5678A.5020400@redhat.com>

Tamas Bagyal wrote:
> Tamas Bagyal wrote:
>> Rich Megginson wrote:
>> [...]
>>> Finally, if you are convinced that there is a real memory leak in
>>> the server, would it be possible for you to run it under valgrind?
>>> Just running it under valgrind for 30 minutes or so should reveal
>>> any memory leaks in normal usage.
>>
>> http://www.pastebin.org/22484
>>
>> I can't understand this output, I have never used valgrind before. I hope
>> I used the right options for valgrind.
>>
>
> Can you tell me what the valgrind output means?
I'm not sure. The output is truncated, and valgrind is producing a lot of spurious errors, or at least errors not in directory server code.
I guess pastebin is not going to like a several hundred thousand byte output file - is there somewhere else you can post the entire output?

> thanks,
>
> KEeF

From bagyi at mail.fmkorhaz.hu Mon Mar 10 17:17:01 2008
From: bagyi at mail.fmkorhaz.hu (Tamas Bagyal)
Date: Mon, 10 Mar 2008 18:17:01 +0100
Subject: [Fedora-directory-users] notes on building fds in etch and a failed build question
In-Reply-To: <47D5678A.5020400@redhat.com>
References: <200802192232.02999.Ryan.Braun@ec.gc.ca> <200802251508.50693.Ryan.Braun@ec.gc.ca> <47C325E9.4010600@redhat.com> <200802261624.06814.Ryan.Braun@ec.gc.ca> <47CC34AD.6000409@mail.fmkorhaz.hu> <47CC37D3.70500@redhat.com> <47CC3FD0.7010300@fmkorhaz.hu> <47CD69C2.2030209@redhat.com> <47CE97A6.5020701@mail.fmkorhaz.hu> <47CEB97C.3070107@redhat.com> <47CED1A8.5080608@mail.fmkorhaz.hu> <47D55FC6.40708@mail.fmkorhaz.hu> <47D5678A.5020400@redhat.com>
Message-ID: <47D56D0D.1040809@mail.fmkorhaz.hu>

Rich Megginson wrote:
> Tamas Bagyal wrote:
>> Tamas Bagyal wrote:
>>> [...]
>>
>> Can you tell me what the valgrind output means?
> I'm not sure. The output is truncated, and valgrind is producing a lot
> of spurious errors, or at least errors not in directory server code.
I > guess pastebin is not going to like a several hundred thousand byte > output file - is there somewhere else you can post the entire output? >> sorry, i not verified after the paste. but i hope you access the output here: http://keef.uw.hu/valgrind-fds-test.28385 KeeF From rmeggins at redhat.com Mon Mar 10 17:38:57 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 10 Mar 2008 11:38:57 -0600 Subject: [Fedora-directory-users] notes on building fds in etch and a failed build question In-Reply-To: <47D56D0D.1040809@mail.fmkorhaz.hu> References: <200802192232.02999.Ryan.Braun@ec.gc.ca> <200802251508.50693.Ryan.Braun@ec.gc.ca> <47C325E9.4010600@redhat.com> <200802261624.06814.Ryan.Braun@ec.gc.ca> <47CC34AD.6000409@mail.fmkorhaz.hu> <47CC37D3.70500@redhat.com> <47CC3FD0.7010300@fmkorhaz.hu> <47CD69C2.2030209@redhat.com> <47CE97A6.5020701@mail.fmkorhaz.hu> <47CEB97C.3070107@redhat.com> <47CED1A8.5080608@mail.fmkorhaz.hu> <47D55FC6.40708@mail.fmkorhaz.hu> <47D5678A.5020400@redhat.com> <47D56D0D.1040809@mail.fmkorhaz.hu> Message-ID: <47D57231.3040109@redhat.com> Tamas Bagyal wrote: > Rich Megginson wrote: >> I'm not sure. The output is truncated, and valgrind is producing a >> lot of spurious errors, or at least errors not in directory server >> code. I guess pastebin is not going to like a several hundred >> thousand byte output file - is there somewhere else you can post the >> entire output? >>> > > sorry, i not verified after the paste. > but i hope you access the output here: > http://keef.uw.hu/valgrind-fds-test.28385 Yes. That's very useful. Looks like class of service is leaking. Are you using Class of Service, or some feature which uses it, like per subtree/per user password policy, or account inactivation? > > KeeF > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... 
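Rich's diagnosis above comes from reading a large memcheck log by hand. As an added example (not from this thread and not part of the directory server's own tooling), the script below does the same triage mechanically: it parses valgrind leak records, skips the allocator wrappers at the top of each stack, and totals "definitely lost" bytes by the source file that did the allocating, which is how one arrives at "class of service is leaking" from thousands of records. The log it reads is constructed; the cos_example_* function names, addresses and line numbers in it are hypothetical.

```python
"""Attribute valgrind memcheck leak records to the code that allocated them."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed memcheck output in the real record layout: a header line,
# one "at"/"by" frame per line, and a bare "==PID==" line ending the record.
# Function names, addresses and line numbers are hypothetical.
SAMPLE_LOG = """\
==28385== 1,024 bytes in 8 blocks are definitely lost in loss record 12 of 40
==28385==    at 0x4A05E1C: malloc (vg_replace_malloc.c:195)
==28385==    by 0x3A8C0123: slapi_ch_malloc (ch_malloc.c:155)
==28385==    by 0x9B2A3C1: cos_example_add_entry (cos_cache.c:1430)
==28385==    by 0x9B2B7E2: cos_example_build (cos_cache.c:900)
==28385==    by 0x3A8D0456: plugin_call_func (plugin.c:1300)
==28385==
==28385== 96 bytes in 2 blocks are possibly lost in loss record 13 of 40
==28385==    at 0x4A05E1C: malloc (vg_replace_malloc.c:195)
==28385==    by 0x3A8C0123: slapi_ch_malloc (ch_malloc.c:155)
==28385==    by 0x3A8E0789: connection_new (connection.c:210)
==28385==
==28385== 512 bytes in 4 blocks are definitely lost in loss record 14 of 40
==28385==    at 0x4A05E1C: malloc (vg_replace_malloc.c:195)
==28385==    by 0x3A8C0123: slapi_ch_calloc (ch_malloc.c:190)
==28385==    by 0x9B2C111: cos_example_dup (cos_cache.c:612)
==28385==
==28385== LEAK SUMMARY:
==28385==    definitely lost: 1,536 bytes in 12 blocks
"""

HEADER_RE = re.compile(
    r"^==\d+== ([\d,]+) bytes in ([\d,]+) blocks are "
    r"(definitely|possibly|indirectly) lost in loss record"
)
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]+)\)")
END_RE = re.compile(r"^==\d+==\s*$")

# Frames that only forward to the allocator; the caller of interest is below them.
ALLOCATOR_WRAPPERS = ("malloc", "calloc", "realloc", "strdup", "slapi_ch_")


@dataclass
class LeakRecord:
    nbytes: int
    blocks: int
    kind: str                                    # definitely / possibly / indirectly
    frames: list = field(default_factory=list)   # (function, file:line), innermost first


def parse_leak_records(text):
    """Return every leak record in memcheck output, with its stack frames."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = LeakRecord(int(m.group(1).replace(",", "")),
                                 int(m.group(2).replace(",", "")), m.group(3))
            records.append(current)
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current.frames.append((m.group(1), m.group(2)))
        elif END_RE.match(line):
            current = None                        # bare marker line closes the record
    return records


def allocating_frame(record):
    """First frame that is not an allocator wrapper, or None if the stack is all wrappers."""
    for func, loc in record.frames:
        if not func.startswith(ALLOCATOR_WRAPPERS):
            return func, loc
    return None


def leaks_by_file(records, kind="definitely"):
    """Map source file -> (bytes, blocks) for records of one kind, largest total first."""
    totals = defaultdict(lambda: [0, 0])
    for rec in records:
        if rec.kind != kind:
            continue
        frame = allocating_frame(rec)
        src = frame[1].rsplit(":", 1)[0] if frame else "<unknown>"
        totals[src][0] += rec.nbytes
        totals[src][1] += rec.blocks
    return {src: tuple(v) for src, v in sorted(totals.items(), key=lambda kv: -kv[1][0])}


if __name__ == "__main__":
    recs = parse_leak_records(SAMPLE_LOG)
    for src, (nbytes, blocks) in leaks_by_file(recs).items():
        print(f"{nbytes:>8} bytes in {blocks:>4} blocks definitely lost via {src}")
```

Run against a real log, the table makes the leaking component obvious at a glance; records whose stacks bottom out in a shared library without symbols land under the library path, which is itself a hint that the binary should be rebuilt with debug information before the next valgrind run.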
From slat3dx at gmail.com Mon Mar 10 21:13:17 2008
From: slat3dx at gmail.com (slat3dx slat3dx)
Date: Mon, 10 Mar 2008 14:13:17 -0700
Subject: [Fedora-directory-users] Help with NIS->FDS & AD migration
Message-ID:

Hello FDS users -

I am learning as I go here so please excuse my ignorance. I have scoured over the Fedora and Redhat docs for Directory Server and read many threads from this list archive concerning Active Directory sync. I'm having trouble putting all the pieces together and would greatly appreciate some guidance from people that have already gone through this process :)

I am in the process of migrating from NIS to LDAP. In our environment we run both Windows and Linux systems. For quite a while we have been maintaining both NIS and Active Directory. Our goal is to move away from NIS and achieve single sign on for our users. I have installed and configured FDS, converted and imported our NIS maps as ldif. This worked beautifully.

Can I create a sync agreement that only sends passwords from AD->FDS, nothing else and no updates from FDS->AD? I would like to configure our Linux clients to authenticate to AD with kerberos and use FDS as the LDAP server. I understand we need to install the password sync utility on one of our DC's and that when a user changes their password in AD the utility will capture it in plaintext and send to FDS. I also see that FDS and the pass sync have to be configured to share certificates for the SSL connection between them.

Can the sync utility be restricted to one OU within AD? What access within AD is required for the utility to run? Domain Admin rights or can specific rights be delegated?

I would really appreciate some steps for: configuring SSL on the AD and FDS side. Creating and testing the sync agreement.

Thank you so much for the help!!
Slat3dx

From iferreir at personal.com.py Mon Mar 10 22:04:17 2008
From: iferreir at personal.com.py (Ivan Ferreira)
Date: Mon, 10 Mar 2008 18:04:17 -0400
Subject: [Fedora-directory-users] Help with NIS->FDS & AD migration
In-Reply-To:
Message-ID:

>>> I understand we need to install the password sync utility on one of our DC's and that when a user changes their password in AD the utility will capture it in plaintext and send to FDS.

You must install the password sync utility in all your DC's. You can't say which one will handle the password change.

>>> I also see that FDS and the pass sync have to be configured to share certificates for the SSL connection between them.

That is correct.

>> Can the sync utility be restricted to one OU within AD?

As far as I know, you can't. Passync will catch all password changes, and if the user exists on FDS, then the entry is updated.

>> What access within AD is required for the utility to run? Domain Admin rights or can specific rights be delegated?

Only Domain Admins have enough rights. You can't use delegation.

>>> I would really appreciate some steps for: configuring SSL on the AD and FDS side. Creating and testing the sync agreement.

Please refer to Red Hat Directory server documentation and http://directory.fedoraproject.org/wiki/Howto:WindowsSync

To: fedora-directory-users at redhat.com
From: "slat3dx slat3dx"
Sent by: fedora-directory-users-bounces at redhat.com
Subject: [Fedora-directory-users] Help with NIS->FDS & AD migration
Date: 10/03/2008 05:13 p.m.
Classification: Internal Use
Please respond to "General discussion list for the Fedora Directory server project."

Hello FDS users - I am learning as I go here so please excuse my ignorance. I have scoured over the Fedora and Redhat docs for Directory Server and read many threads from this list archive concerning Active Directory sync.
I'm having trouble putting all the pieces together and would greatly appreciate some guidance from people that have already gone through this process :) I am in the process of migrating from NIS to LDAP. In our environment we run both Windows and Linux systems. For quite awhile we have been maintaining both NIS and Active Directory. Our goal is to move away from NIS and achieve single sign on for our users. I have installed and configured FDS, converted and imported our NIS maps as ldif. This worked beautifully. Can I create a sync agreement that only sends passwords from AD->FDS, nothing else and no updates from FDS->AD? I would like to configure our Linux clients to authenticate to AD with kerberos and use FDS as the LDAP server. I understand we need to install the password sync utility on one of our DC's and that when a user changes their password in AD the utility will capture it in plaintext and send to FDS. I also see that FDS and the pass sync have to be configured to share certificates for the SSL connection between them. Can the sync utility be restricted to one OU within AD? What access within AD is required for the utility to run? Domain Admin rights or can specific rights be delegated? I would really appreciate some steps for: configuring SSL on the AD and FDS side. Creating and testing the sync agreement. Thank you so much for the help!! Slat3dx -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users ======================================================================================== AVISO LEGAL: Esta informaci?n es privada y confidencial y est? dirigida ?nicamente a su destinatario. Si usted no es el destinatario original de este mensaje y por este medio pudo acceder a dicha informaci?n por favor elimine el mensaje. La distribuci?n o copia de este mensaje est? estrictamente prohibida. 
Esta comunicaci?n es s?lo para prop?sitos de informaci?n y no debe ser considerada como propuesta, aceptaci?n ni como una declaraci?n de voluntad oficial de NUCLEO S.A. La transmisi?n de e-mails no garantiza que el correo electr?nico sea seguro o libre de error. Por consiguiente, no manifestamos que esta informaci?n sea completa o precisa. Toda informaci?n est? sujeta a alterarse sin previo aviso. This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded neither as a proposal, acceptance nor as a statement of will or official statement from NUCLEO S.A. . Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice. From iferreir at personal.com.py Mon Mar 10 22:15:37 2008 From: iferreir at personal.com.py (Ivan Ferreira) Date: Mon, 10 Mar 2008 18:15:37 -0400 Subject: [Fedora-directory-users] Help with NIS->FDS & AD migration In-Reply-To: Message-ID: Please see also: Twenty Questions to Ask Yourself During a Red Hat Directory Server Deployment by Satish Chetty www.redhat.com/f/pdf/whitepapers/RHDS_TwentyQuestions.pdf Para fedora-directory-users at redhat.co m "slat3dx slat3dx" cc Enviado por: Asunto fedora-directory-users-b [Fedora-directory-users] Help ounces at redhat.com with NIS->FDS & AD migration Clasificaci?n 10/03/2008 05:13 p.m. Uso Interno Por favor, responda a "General discussion list for the Fedora Directory server project." Hello FDS users - I am learning as I go here so please excuse my ignorance. 
I have scoured over the Fedora and Redhat docs for Directory Server and read many threads from this list archive concerning Active Directory sync. I'm having trouble putting all the pieces together and would greatly appreciate some guidance from people that have already gone through this process :) I am in the process of migrating from NIS to LDAP. In our environment we run both Windows and Linux systems. For quite awhile we have been maintaining both NIS and Active Directory. Our goal is to move away from NIS and achieve single sign on for our users. I have installed and configured FDS, converted and imported our NIS maps as ldif. This worked beautifully. Can I create a sync agreement that only sends passwords from AD->FDS, nothing else and no updates from FDS->AD? I would like to configure our Linux clients to authenticate to AD with kerberos and use FDS as the LDAP server. I understand we need to install the password sync utility on one of our DC's and that when a user changes their password in AD the utility will capture it in plaintext and send to FDS. I also see that FDS and the pass sync have to be configured to share certificates for the SSL connection between them. Can the sync utility be restricted to one OU within AD? What access within AD is required for the utility to run? Domain Admin rights or can specific rights be delegated? I would really appreciate some steps for: configuring SSL on the AD and FDS side. Creating and testing the sync agreement. Thank you so much for the help!! Slat3dx -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users ======================================================================================== AVISO LEGAL: Esta informaci?n es privada y confidencial y est? dirigida ?nicamente a su destinatario. Si usted no es el destinatario original de este mensaje y por este medio pudo acceder a dicha informaci?n por favor elimine el mensaje. 
La distribuci?n o copia de este mensaje est? estrictamente prohibida. Esta comunicaci?n es s?lo para prop?sitos de informaci?n y no debe ser considerada como propuesta, aceptaci?n ni como una declaraci?n de voluntad oficial de NUCLEO S.A. La transmisi?n de e-mails no garantiza que el correo electr?nico sea seguro o libre de error. Por consiguiente, no manifestamos que esta informaci?n sea completa o precisa. Toda informaci?n est? sujeta a alterarse sin previo aviso. This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded neither as a proposal, acceptance nor as a statement of will or official statement from NUCLEO S.A. . Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice. From slat3dx at gmail.com Mon Mar 10 23:02:30 2008 From: slat3dx at gmail.com (slat3dx slat3dx) Date: Mon, 10 Mar 2008 16:02:30 -0700 Subject: [Fedora-directory-users] Help with NIS->FDS & AD migration In-Reply-To: References: Message-ID: Ivan - Thanks for the info! On Mon, Mar 10, 2008 at 3:15 PM, Ivan Ferreira wrote: > Please see also: > > Twenty Questions to Ask Yourself During a Red Hat Directory Server > Deployment by Satish Chetty > > www.redhat.com/f/pdf/whitepapers/RHDS_TwentyQuestions.pdf > > > > > > > Para > fedora-directory-users at redhat.co > m > "slat3dx slat3dx" cc > > Enviado por: Asunto > fedora-directory-users-b [Fedora-directory-users] Help > ounces at redhat.com with NIS->FDS & AD migration > Clasificaci?n > 10/03/2008 05:13 p.m. 
Uso Interno > > > > Por favor, responda a > "General discussion list > for the Fedora Directory > server project." > redhat.com> > > > > > > > Hello FDS users - > > I am learning as I go here so please excuse my ignorance. I have scoured > over the Fedora and Redhat docs for Directory Server and read many threads > from this list archive concerning Active Directory sync. I'm having > trouble putting all the pieces together and would greatly appreciate some > guidance from people that have already gone through this process :) > > I am in the process of migrating from NIS to LDAP. In our environment we > run both Windows and Linux systems. For quite awhile we have been > maintaining both NIS and Active Directory. Our goal is to move away from > NIS and achieve single sign on for our users. I have installed and > configured FDS, converted and imported our NIS maps as ldif. This worked > beautifully. > > Can I create a sync agreement that only sends passwords from AD->FDS, > nothing else and no updates from FDS->AD? > I would like to configure our Linux clients to authenticate to AD with > kerberos and use FDS as the LDAP server. I understand we need to install > the password sync utility on one of our DC's and that when a user changes > their password in AD the utility will capture it in plaintext and send to > FDS. I also see that FDS and the pass sync have to be configured to share > certificates for the SSL connection between them. > > Can the sync utility be restricted to one OU within AD? What access > within > AD is required for the utility to run? Domain Admin rights or can > specific > rights be delegated? > > I would really appreciate some steps for: configuring SSL on the AD and > FDS > side. Creating and testing the sync agreement. > > Thank you so much for the help!! 
> > Slat3dx > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > ======================================================================================== > AVISO LEGAL: Esta informaci?n es privada y confidencial y est? dirigida > ?nicamente a su destinatario. Si usted no es el destinatario original de > este mensaje y por este medio pudo acceder a dicha informaci?n por favor > elimine el mensaje. La distribuci?n o copia de este mensaje est? > estrictamente prohibida. Esta comunicaci?n es s?lo para prop?sitos de > informaci?n y no debe ser considerada como propuesta, aceptaci?n ni como > una declaraci?n de voluntad oficial de NUCLEO S.A. La transmisi?n de > e-mails no garantiza que el correo electr?nico sea seguro o libre de > error. > Por consiguiente, no manifestamos que esta informaci?n sea completa o > precisa. Toda informaci?n est? sujeta a alterarse sin previo aviso. > > This information is private and confidential and intended for the > recipient only. If you are not the intended recipient of this message you > are hereby notified that any review, dissemination, distribution or > copying of this message is strictly prohibited. This communication is for > information purposes only and shall not be regarded neither as a proposal, > acceptance nor as a statement of will or official statement from NUCLEO > S.A. . Email transmission cannot be guaranteed to be secure or error-free. > Therefore, we do not represent that this information is complete or > accurate and it should not be relied upon as such. All information is > subject to change without notice. > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From ipvx.low at gmail.com Tue Mar 11 03:31:50 2008 From: ipvx.low at gmail.com (M Vallapan) Date: Tue, 11 Mar 2008 11:31:50 +0800 Subject: [Fedora-directory-users] temporary resource unavailable problem with fedora directory server In-Reply-To: <47C84FD1.7030407@redhat.com> References: <7cea65400802171907r6c4d7904x666b60d119ba2a87@mail.gmail.com> <47BB1DEE.7010807@redhat.com> <7cea65400802192020o32915bddyee33df6cea0bee3e@mail.gmail.com> <7cea65400802251921w3fd76b79mf822b96dd08192a8@mail.gmail.com> <47C387D2.207@redhat.com> <7cea65400802252006r2e710562r1390aa84edb81fcf@mail.gmail.com> <7cea65400802252010ra41fd5bl311ccd6adde9beb9@mail.gmail.com> <47C44CEE.5080905@redhat.com> <7cea65400802291016s5b317ef7y6b645cc143c6e96a@mail.gmail.com> <47C84FD1.7030407@redhat.com> Message-ID: <7cea65400803102031t79d79bfbv6f908488590ab43a@mail.gmail.com> How do you figure out which clients are grabbing the available connections and not letting go ? Could you please provide an example ? On Sat, Mar 1, 2008 at 2:32 AM, Rich Megginson wrote: > M Vallapan wrote: > > Thanks ! the settings you mentioned work, but only for some time then > > the problem arises again. then I have to manually restart fedora-ds to > > break off all the idle sessions for it to be okay again for a little > > while. How do I go about this ? > > > First, figure out what the clients are which are grabbing all of the > available connections and not letting them go . . . > > The server does not close idle connections until some other connection > is made. So you could use ldapsearch to write a script that "pings" the > server every few minutes to force it to close idle connections. > > > > > > On Wed, Feb 27, 2008 at 1:31 AM, Rich Megginson wrote: > > > >> Low Kian Seong wrote: > >> > Wow ... a bit of ip information there could someone please take out > >> > the last email i sent ? How do i request an email be removed ? 
> >> > > >> And in your reply, you copied the entire previous message - I've > >> contacted Red Hat support to remove the messages from the archive. But > >> there is no way to revoke the messages once they are sent. > >> > >> This information is interesting: > >> > >> > >> ----- Total Connection Codes ----- > >> > >> B1 11480 Bad Ber Tag Encountered > >> U1 5877 Cleanly Closed Connections > >> T1 2187 Idle Timeout Exceeded > >> > >> B1 usually means the client just exit()'ed without first calling close() > >> or shutdown() on the TCP/IP socket. Which is fine. It's the T1 which > >> are odd. Of these 2187, 1864 come from the same client: > >> > >> 13800 XXX.XXX.XXX.129 > >> > >> 8254 - B1 Bad Ber Tag Encountered > >> 3608 - U1 Cleanly Closed Connections > >> 1864 - T1 Idle Timeout Exceeded > >> > >> Take a look at the access log where you get the T1 error upon > >> disconnect. You want to find out what the conn=XXXXX is. From there, > >> go back in the access log looking for the operations on that > >> connection. What are they? What application are they from? Why is > >> that application opening connections and just leaving them open? If it > >> is a monitoring application like nagios, you will need to increase the > >> idle timeout for that application. 
You can do this by using a dedicated > >> BIND dn for that application, then you can increase the idle timeout for > >> that user without affecting any of the other users - see > >> http://tinyurl.com/2sy8bl > >> > >> If you have a lot of applications that open connections and leave them > >> open for a long time, you will need to figure out how many file > >> descriptors you need for other clients, and you will need to increase > >> the number of file descriptors available for the directory server as > >> well as the size of the directory server connection table - > >> http://tinyurl.com/35qddb and > >> http://directory.fedoraproject.org/wiki/Performance_Tuning#Linux > >> > >> See http://tinyurl.com/35qddb for real time server connection monitoring > >> information. > >> > >> > >> > >> -- > >> Fedora-directory-users mailing list > >> Fedora-directory-users at redhat.com > >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > >> > >> > >> > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > From ipvx.low at gmail.com Tue Mar 11 03:32:51 2008 From: ipvx.low at gmail.com (M Vallapan) Date: Tue, 11 Mar 2008 11:32:51 +0800 Subject: [Fedora-directory-users] temporary resource unavailable problem with fedora directory server In-Reply-To: <47C84FD1.7030407@redhat.com> References: <7cea65400802171907r6c4d7904x666b60d119ba2a87@mail.gmail.com> <47BB1DEE.7010807@redhat.com> <7cea65400802192020o32915bddyee33df6cea0bee3e@mail.gmail.com> <7cea65400802251921w3fd76b79mf822b96dd08192a8@mail.gmail.com> <47C387D2.207@redhat.com> <7cea65400802252006r2e710562r1390aa84edb81fcf@mail.gmail.com> <7cea65400802252010ra41fd5bl311ccd6adde9beb9@mail.gmail.com> <47C44CEE.5080905@redhat.com> 
<7cea65400802291016s5b317ef7y6b645cc143c6e96a@mail.gmail.com> <47C84FD1.7030407@redhat.com> Message-ID: <7cea65400803102032m7d361458mb0e2ed61591b753b@mail.gmail.com> Also, I have this : # Controls whether core dumps will append the PID to the core filename. # Useful for debugging multi-threaded applications. kernel.core_uses_pid = 1 net.ipv4.ip_local_port_range = 1024 65000 fs.file-max = 128000 net.ipv4.tcp_keepalive_time = 100 as my sysctl.conf. Does this contribute to the problem? On Sat, Mar 1, 2008 at 2:32 AM, Rich Megginson wrote: > M Vallapan wrote: > > Thanks ! the settings you mentioned work, but only for some time then > > the problem arises again. then I have to manually restart fedora-ds to > > break off all the idle sessions for it to be okay again for a little > > while. How do I go about this ? > > > First, figure out what the clients are which are grabbing all of the > available connections and not letting them go . . . > > The server does not close idle connections until some other connection > is made. So you could use ldapsearch to write a script that "pings" the > server every few minutes to force it to close idle connections. > > > > > > On Wed, Feb 27, 2008 at 1:31 AM, Rich Megginson wrote: > > > >> Low Kian Seong wrote: > >> > Wow ... a bit of ip information there could someone please take out > >> > the last email i sent ? How do i request an email be removed ? > >> > > >> And in your reply, you copied the entire previous message - I've > >> contacted Red Hat support to remove the messages from the archive. But > >> there is no way to revoke the messages once they are sent. > >> > >> This information is interesting: > >> > >> > >> ----- Total Connection Codes ----- > >> > >> B1 11480 Bad Ber Tag Encountered > >> U1 5877 Cleanly Closed Connections > >> T1 2187 Idle Timeout Exceeded > >> > >> B1 usually means the client just exit()'ed without first calling close() > >> or shutdown() on the TCP/IP socket. Which is fine. 
It's the T1 which > >> are odd. Of these 2187, 1864 come from the same client: > >> > >> 13800 XXX.XXX.XXX.129 > >> > >> 8254 - B1 Bad Ber Tag Encountered > >> 3608 - U1 Cleanly Closed Connections > >> 1864 - T1 Idle Timeout Exceeded > >> > >> Take a look at the access log where you get the T1 error upon > >> disconnect. You want to find out what the conn=XXXXX is. From there, > >> go back in the access log looking for the operations on that > >> connection. What are they? What application are they from? Why is > >> that application opening connections and just leaving them open? If it > >> is a monitoring application like nagios, you will need to increase the > >> idle timeout for that application. You can do this by using a dedicated > >> BIND dn for that application, then you can increase the idle timeout for > >> that user without affecting any of the other users - see > >> http://tinyurl.com/2sy8bl > >> > >> If you have a lot of applications that open connections and leave them > >> open for a long time, you will need to figure out how many file > >> descriptors you need for other clients, and you will need to increase > >> the number of file descriptors available for the directory server as > >> well as the size of the directory server connection table - > >> http://tinyurl.com/35qddb and > >> http://directory.fedoraproject.org/wiki/Performance_Tuning#Linux > >> > >> See http://tinyurl.com/35qddb for real time server connection monitoring > >> information. 
> >> > >> > >> > >> -- > >> Fedora-directory-users mailing list > >> Fedora-directory-users at redhat.com > >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > >> > >> > >> > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > From maumar at cost.it Tue Mar 11 09:05:52 2008 From: maumar at cost.it (Maurizio Marini) Date: Tue, 11 Mar 2008 10:05:52 +0100 Subject: [Fedora-directory-users] trouble installing samba In-Reply-To: <7020fd000803050423j38f1219csf18619a17feb34d4@mail.gmail.com> References: <200803031601.26344.maumar@cost.it> <7020fd000803050423j38f1219csf18619a17feb34d4@mail.gmail.com> Message-ID: <200803111005.53143.maumar@cost.it> On Wed March 5 2008, solarflow99 wrote: > Does anyone have samba working with FDS? > > I can add a sambasamaccount objectclass, but it looks like there are > missing attributes from advanced properties. From the schema config, I see > the required attributes are only: objectclass, sambasid, uid. Other > important attributes such as sambaLMpassword, sambadomain, are only listed > as allowed attributes. I don't know if I have to add them manually, how > many are required, or how to generate the encrypted password. If anyone > has any ideas, any help would be appreciated. Hi i finally got samba working with fds 1.1; what was missing was /etc/ldap.conf configuration. This url can be very helpful: http://wiki.zimbra.com/index.php?title=UNIX_and_Windows_Accounts_in_Zimbra_LDAP_and_Zimbra_Admin_UI the "Configuring on RHEL5/CentOS5/Fedora7 using authconfig" help me. 
Firstly: authconfig --enableldap --enableldapauth --disablenis --enablecache \ --ldapserver=gregzimbra1.zimbra.com --ldapbasedn=dc=gregzimbra1,dc=zimbra,dc=com \ --updateall further: " The last parameter will update /etc/ldap.conf, /etc/nsswitch.conf and /etc/pam.d/system-auth configuration files. The only file which requires manual editing is /etc/ldap.conf. The base line should be already there. It is inserted by authconfig. You should also see a uri line with the address of your ldap server. The host, binddn, bindpw, rootbinddn lines should be added as explained above and /etc/ldap.secret file should exist and contain a password." after these 2 stepes, i was able to add administrator samba account. Thns, i installed smbldap an di run smbldap-populate populate is very very powerful, it does and fixes everything, at all. After populate veriything is workung like a charm :) m. -- Dr. Maurizio Marini CoST Computers Services and Technologies s.r.l. http://www.cost.it e-mail: maurizio.marini at cost.it phone: +39.0245446202 fax: +39.0245446333 mobile: +39.3358259739 From solarflow99 at gmail.com Tue Mar 11 10:01:52 2008 From: solarflow99 at gmail.com (solarflow99) Date: Tue, 11 Mar 2008 10:01:52 +0000 Subject: [Fedora-directory-users] Help with NIS->FDS & AD migration In-Reply-To: References: Message-ID: <7020fd000803110301v5b20d265s65f7bee6aeb7ed55@mail.gmail.com> i'm struggling just with workgroups in FDS, it would sure be nice if there was a samba enable section and some explanations. I see ldapadmin is a ways ahead of the FDS console for user administration, but i'm seeing some problems with that. On 3/10/08, slat3dx slat3dx wrote: > > Ivan - > > Thanks for the info! 
> > > On Mon, Mar 10, 2008 at 3:15 PM, Ivan Ferreira wrote:
> >
> > Please see also:
> >
> > Twenty Questions to Ask Yourself During a Red Hat Directory Server
> > Deployment by Satish Chetty
> >
> > www.redhat.com/f/pdf/whitepapers/RHDS_TwentyQuestions.pdf
> >
> > To: fedora-directory-users at redhat.com
> > "slat3dx slat3dx"
> > cc:
> > Sent by: fedora-directory-users-bounces at redhat.com
> > Subject: [Fedora-directory-users] Help with NIS->FDS & AD migration
> > Classification: Internal Use
> > 10/03/2008 05:13 p.m.
> > Please reply to: "General discussion list for the Fedora Directory
> > server project." redhat.com>
> >
> > Hello FDS users -
> >
> > I am learning as I go here so please excuse my ignorance. I have scoured
> > over the Fedora and Redhat docs for Directory Server and read many threads
> > from this list archive concerning Active Directory sync. I'm having
> > trouble putting all the pieces together and would greatly appreciate some
> > guidance from people that have already gone through this process :)
> >
> > I am in the process of migrating from NIS to LDAP. In our environment we
> > run both Windows and Linux systems. For quite a while we have been
> > maintaining both NIS and Active Directory. Our goal is to move away from
> > NIS and achieve single sign on for our users. I have installed and
> > configured FDS, converted and imported our NIS maps as ldif. This worked
> > beautifully.
> >
> > Can I create a sync agreement that only sends passwords from AD->FDS,
> > nothing else and no updates from FDS->AD?
> > I would like to configure our Linux clients to authenticate to AD with
> > kerberos and use FDS as the LDAP server. I understand we need to install
> > the password sync utility on one of our DC's and that when a user changes
> > their password in AD the utility will capture it in plaintext and send to
> > FDS. I also see that FDS and the pass sync have to be configured to share
> > certificates for the SSL connection between them.
> >
> > Can the sync utility be restricted to one OU within AD? What access within
> > AD is required for the utility to run? Domain Admin rights or can specific
> > rights be delegated?
> >
> > I would really appreciate some steps for: configuring SSL on the AD and FDS
> > side. Creating and testing the sync agreement.
> >
> > Thank you so much for the help!!
> >
> > Slat3dx
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
> > ========================================================================================
> > LEGAL NOTICE: This information is private and confidential and is intended
> > only for its addressee. If you are not the original addressee of this
> > message and by this means were able to access this information, please
> > delete the message. Distribution or copying of this message is strictly
> > prohibited. This communication is for information purposes only and must
> > not be regarded as a proposal, an acceptance or an official statement of
> > will of NUCLEO S.A. Transmission of e-mail does not guarantee that
> > electronic mail is secure or error-free. Consequently, we do not represent
> > that this information is complete or accurate. All information is subject
> > to change without notice.
> >
> > This information is private and confidential and intended for the
> > recipient only. If you are not the intended recipient of this message you
> > are hereby notified that any review, dissemination, distribution or
> > copying of this message is strictly prohibited. This communication is for
> > information purposes only and shall not be regarded neither as a proposal,
> > acceptance nor as a statement of will or official statement from NUCLEO
> > S.A. Email transmission cannot be guaranteed to be secure or error-free.
> > Therefore, we do not represent that this information is complete or
> > accurate and it should not be relied upon as such. All information is
> > subject to change without notice.
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From maumar at cost.it Tue Mar 11 12:01:43 2008
From: maumar at cost.it (Maurizio Marini)
Date: Tue, 11 Mar 2008 13:01:43 +0100
Subject: [Fedora-directory-users] installing samba
In-Reply-To: <47CC2918.9070004@redhat.com>
References: <200803011907.42496.maumar@cost.it>
	<200803031151.23539.maumar@cost.it>
	<47CC2918.9070004@redhat.com>
Message-ID: <200803111301.43408.maumar@cost.it>

On Mon March 3 2008, Rich Megginson wrote:
> Maurizio Marini wrote:
> > On Sat March 1 2008, solarflow99 wrote:
> >> sure, I think it's worth correcting. I was just going through it too,
> >> too bad they do everything with ldif files and command line tools, I
> >> wanted to see how to do it from the console.
> >
> > no, my post is related to wiki:
> > http://directory.fedoraproject.org/wiki/Howto:Samba
> > i think that it would be worthwhile to fix it to take into account of 1.1
> > changes
>
> Done. Thanks.
I have just updated:
http://directory.fedoraproject.org/wiki/Howto:PAM#Red_Hat_Clients
plz, Richard, if u can, give it a look to see if changes are consistent.
tia
Maurizio

From rmeggins at redhat.com Tue Mar 11 13:04:50 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 11 Mar 2008 07:04:50 -0600
Subject: [Fedora-directory-users] temporary resource unavailable problem with fedora directory server
In-Reply-To: <7cea65400803102031t79d79bfbv6f908488590ab43a@mail.gmail.com>
References: <7cea65400802171907r6c4d7904x666b60d119ba2a87@mail.gmail.com>
	<47BB1DEE.7010807@redhat.com>
	<7cea65400802192020o32915bddyee33df6cea0bee3e@mail.gmail.com>
	<7cea65400802251921w3fd76b79mf822b96dd08192a8@mail.gmail.com>
	<47C387D2.207@redhat.com>
	<7cea65400802252006r2e710562r1390aa84edb81fcf@mail.gmail.com>
	<7cea65400802252010ra41fd5bl311ccd6adde9beb9@mail.gmail.com>
	<47C44CEE.5080905@redhat.com>
	<7cea65400802291016s5b317ef7y6b645cc143c6e96a@mail.gmail.com>
	<47C84FD1.7030407@redhat.com>
	<7cea65400803102031t79d79bfbv6f908488590ab43a@mail.gmail.com>
Message-ID: <47D68372.3060507@redhat.com>

M Vallapan wrote:
> How do you figure out which clients are grabbing the available
> connections and not letting go? Could you please provide an example?
>
Take a look at the directory server access log. When a client first
connects, you will see the connection logged with the client's IP address.
The connection will be assigned a number (conn=4364 for example). Then
search through the access log from that point looking for conn=XXXX to see
all operations on that connection. You should eventually see a disconnect.
If you do not, find out what client is on the other end of that connection
(by IP address or by the types of operations it performs).
> On Sat, Mar 1, 2008 at 2:32 AM, Rich Megginson wrote:
>
>> M Vallapan wrote:
>> > Thanks! The settings you mentioned work, but only for some time then
>> > the problem arises again. Then I have to manually restart fedora-ds to
>> > break off all the idle sessions for it to be okay again for a little
>> > while. How do I go about this?
>> >
>> First, figure out what the clients are which are grabbing all of the
>> available connections and not letting them go . . .
>>
>> The server does not close idle connections until some other connection
>> is made. So you could use ldapsearch to write a script that "pings" the
>> server every few minutes to force it to close idle connections.
>>
>> > On Wed, Feb 27, 2008 at 1:31 AM, Rich Megginson wrote:
>> >
>> >> Low Kian Seong wrote:
>> >> > Wow ... a bit of ip information there could someone please take out
>> >> > the last email I sent? How do I request an email be removed?
>> >> >
>> >> And in your reply, you copied the entire previous message - I've
>> >> contacted Red Hat support to remove the messages from the archive. But
>> >> there is no way to revoke the messages once they are sent.
>> >>
>> >> This information is interesting:
>> >>
>> >> ----- Total Connection Codes -----
>> >>
>> >> B1      11480   Bad Ber Tag Encountered
>> >> U1      5877    Cleanly Closed Connections
>> >> T1      2187    Idle Timeout Exceeded
>> >>
>> >> B1 usually means the client just exit()'ed without first calling close()
>> >> or shutdown() on the TCP/IP socket. Which is fine. It's the T1 which
>> >> are odd. Of these 2187, 1864 come from the same client:
>> >>
>> >> 13800   XXX.XXX.XXX.129
>> >>
>> >> 8254 - B1 Bad Ber Tag Encountered
>> >> 3608 - U1 Cleanly Closed Connections
>> >> 1864 - T1 Idle Timeout Exceeded
>> >>
>> >> Take a look at the access log where you get the T1 error upon
>> >> disconnect. You want to find out what the conn=XXXXX is. From there,
>> >> go back in the access log looking for the operations on that
>> >> connection. What are they? What application are they from? Why is
>> >> that application opening connections and just leaving them open? If it
>> >> is a monitoring application like nagios, you will need to increase the
>> >> idle timeout for that application. You can do this by using a dedicated
>> >> BIND dn for that application, then you can increase the idle timeout for
>> >> that user without affecting any of the other users - see
>> >> http://tinyurl.com/2sy8bl
>> >>
>> >> If you have a lot of applications that open connections and leave them
>> >> open for a long time, you will need to figure out how many file
>> >> descriptors you need for other clients, and you will need to increase
>> >> the number of file descriptors available for the directory server as
>> >> well as the size of the directory server connection table -
>> >> http://tinyurl.com/35qddb and
>> >> http://directory.fedoraproject.org/wiki/Performance_Tuning#Linux
>> >>
>> >> See http://tinyurl.com/35qddb for real time server connection monitoring
>> >> information.
>> >>
>> >> --
>> >> Fedora-directory-users mailing list
>> >> Fedora-directory-users at redhat.com
>> >> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>> >>
>> >
>> > --
>> > Fedora-directory-users mailing list
>> > Fedora-directory-users at redhat.com
>> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>> >
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
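The procedure Rich describes above (find the "connection from" line with the client's address, follow conn=N through its operations to the close line, look at the close code) can be done for every connection in one pass. The following is an added example, not code from the thread or from Fedora DS: the log lines are constructed in the access-log format the server writes (timestamp, conn=, fd=/slot=, op=, RESULT, "closed - <code>"), with documentation addresses and made-up DNs and connection numbers. It reports the connections the client never closed itself, which is where the T1 idle-timeout reaps and the "still open" file descriptors in this thread come from.

```python
"""Reconstruct per-connection activity from a 389/Fedora DS access log.

Added example (not code from the thread or the project).  The log lines
below are constructed for this example in the access-log format the server
writes; addresses are documentation addresses and the DNs and connection
numbers are made up.
"""
import re
from collections import OrderedDict

# Constructed sample: conn=11 behaves (BIND, search, UNBIND, U1), conn=12 is
# a monitoring-style client that never unbinds and is reaped by the idle
# timeout (T1), conn=13 is the same client still open when the log ends.
SAMPLE_ACCESS_LOG = """\
[10/Mar/2008:20:31:00 -0600] conn=11 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[10/Mar/2008:20:31:00 -0600] conn=11 op=0 BIND dn="uid=app1,ou=People,dc=example,dc=com" method=128 version=3
[10/Mar/2008:20:31:00 -0600] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[10/Mar/2008:20:31:01 -0600] conn=11 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=bjensen)" attrs=ALL
[10/Mar/2008:20:31:01 -0600] conn=11 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[10/Mar/2008:20:31:01 -0600] conn=11 op=2 UNBIND
[10/Mar/2008:20:31:01 -0600] conn=11 op=2 fd=64 closed - U1
[10/Mar/2008:20:31:05 -0600] conn=12 fd=65 slot=65 connection from 192.0.2.129 to 192.0.2.1
[10/Mar/2008:20:31:05 -0600] conn=12 op=0 BIND dn="cn=monitor-probe,ou=Special Users,dc=example,dc=com" method=128 version=3
[10/Mar/2008:20:31:05 -0600] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[10/Mar/2008:20:31:05 -0600] conn=12 op=1 SRCH base="cn=monitor" scope=0 filter="(objectClass=*)" attrs=ALL
[10/Mar/2008:20:31:05 -0600] conn=12 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[10/Mar/2008:21:31:06 -0600] conn=12 op=-1 fd=65 closed - T1
[10/Mar/2008:21:31:10 -0600] conn=13 fd=66 slot=66 connection from 192.0.2.129 to 192.0.2.1
[10/Mar/2008:21:31:10 -0600] conn=13 op=0 BIND dn="cn=monitor-probe,ou=Special Users,dc=example,dc=com" method=128 version=3
[10/Mar/2008:21:31:10 -0600] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OPEN_RE = re.compile(r"^fd=\d+ slot=\d+ connection from (?P<ip>\S+) to ")
BIND_RE = re.compile(r'^op=\d+ BIND dn="(?P<dn>[^"]*)"')
OP_RE = re.compile(r"^op=-?\d+ (?P<op>[A-Z]+)\b")
# "closed - U1" or "closed error 32 (Broken pipe) - B1"
CLOSE_RE = re.compile(r"closed(?: error \d+ \([^)]*\))? - (?P<code>[A-Z]\d+)$")


def summarize_connections(log_text):
    """Map conn number -> dict(ip, opened, bind_dn, ops, close_code, closed),
    in order of first appearance: the manual "follow conn=N" procedure from
    the thread applied to every connection at once."""
    conns = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log record we understand
        rec = conns.setdefault(m.group("conn"), {
            "ip": None, "opened": m.group("ts"), "bind_dn": None,
            "ops": [], "close_code": None, "closed": None})
        rest = m.group("rest")
        opened, bind = OPEN_RE.match(rest), BIND_RE.match(rest)
        closed, op = CLOSE_RE.search(rest), OP_RE.match(rest)
        if opened:
            rec["ip"] = opened.group("ip")
        elif bind:
            rec["bind_dn"] = bind.group("dn")
            rec["ops"].append("BIND")
        elif closed:
            rec["close_code"] = closed.group("code")
            rec["closed"] = m.group("ts")
        elif op and op.group("op") != "RESULT":
            rec["ops"].append(op.group("op"))
    return conns


def suspicious_connections(conns):
    """Connections the client never closed itself: still open when the log
    ends, or reaped by the server's idle timeout (close code T1)."""
    return OrderedDict((cid, rec) for cid, rec in conns.items()
                       if rec["close_code"] in (None, "T1"))


def clients_by_close_code(conns):
    """Per client address, how many connections ended with each close code
    ('OPEN' when there is no close record): the per-client breakdown of the
    connection-code totals discussed in the thread."""
    counts = {}
    for rec in conns.values():
        per_ip = counts.setdefault(rec["ip"], {})
        code = rec["close_code"] or "OPEN"
        per_ip[code] = per_ip.get(code, 0) + 1
    return counts


def format_report(conns):
    """One line per suspicious connection with what identifies the client:
    address, bind DN and the operations it ran."""
    lines = []
    for cid, rec in suspicious_connections(conns).items():
        lines.append("conn=%s from %s bind=%r ops=%s close=%s" % (
            cid, rec["ip"], rec["bind_dn"], "/".join(rec["ops"]),
            rec["close_code"] or "still open"))
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(summarize_connections(SAMPLE_ACCESS_LOG))))
```

Run it against a real access log by replacing SAMPLE_ACCESS_LOG with the file contents; a client that shows up repeatedly under T1 or OPEN with the same bind DN is the one to give its own bind DN and idle timeout, as the quoted advice suggests.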
From slat3dx at gmail.com Mon Mar 10 20:10:25 2008
From: slat3dx at gmail.com (Devon)
Date: Mon, 10 Mar 2008 13:10:25 -0700
Subject: [Fedora-directory-users] Help with NIS->FDS & AD migration
Message-ID: <47D595B1.9050304@gmail.com>

Hello FDS users -

I am learning as I go here so please excuse my ignorance. I have scoured
over the Fedora and Redhat docs for Directory Server and read many threads
from this list archive concerning Active Directory sync. I'm having
trouble putting all the pieces together and would greatly appreciate some
guidance from people that have already gone through this process :)

I am in the process of migrating from NIS to LDAP. In our environment we
run both Windows and Linux systems. For quite a while we have been
maintaining both NIS and Active Directory. Our goal is to move away from
NIS and achieve single sign on for our users. I have installed and
configured FDS, converted and imported our NIS maps as ldif. This worked
beautifully.

Can I create a sync agreement that only sends passwords from AD->FDS,
nothing else and no updates from FDS->AD?
I would like to configure our Linux clients to authenticate to AD with
kerberos and use FDS as the LDAP server. I understand we need to install
the password sync utility on one of our DC's and that when a user changes
their password in AD the utility will capture it in plaintext and send to
FDS. I also see that FDS and the pass sync have to be configured to share
certificates for the SSL connection between them.

Can the sync utility be restricted to one OU within AD? What access within
AD is required for the utility to run? Domain Admin rights or can specific
rights be delegated?

I would really appreciate some steps for: configuring SSL on the AD and FDS
side. Creating and testing the sync agreement.

Thank you so much for the help!!
Devon

From par.aronsson at telia.com Tue Mar 11 16:34:09 2008
From: par.aronsson at telia.com (Pär Aronsson)
Date: Tue, 11 Mar 2008 17:34:09 +0100
Subject: [Fedora-directory-users] SELinux policy for Fedora Directory Server 1.1.0
Message-ID: <200803111734.10289.par.aronsson@telia.com>

Hello,

Attached is an SELinux policy for the Fedora Directory Server 1.1.0. It is
composed of three parts.

* dirsrv - directory server and setup programs
* dirsrv-admin - administration server and setup programs
* fedora-idm-console - java based console for administration

The policies were developed on a CentOS 5.1 with the following packages:

fedora-ds-base-1.1.0-3.fc6
fedora-ds-admin-1.1.1-1.fc6
fedora-ds-console-1.1.0-5.fc6
selinux-policy-2.4.6-106.el5_1.3
kernel-2.6.18-53.1.4.el5

I've successfully tested the policies in targeted and strict mode.

The dirsrv-admin policy requires that the apache policy module is loaded.
Also run:

    setsebool -P httpd_enable_cgi on

Comment out the following in /usr/sbin/start-ds-admin (line 63-65):

    if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
        SELINUX_CMD="runcon -t unconfined_t --"
    fi

I had trouble with the replication plugin so I haven't been able to do any
testing with replication.

Any comments are welcome.

// Pär Aronsson

-------------- next part --------------
## Administration application for Fedora Directory Server, dirsrv-admin.

########################################
##
## Execute dirsrv-admin setup programs in the dirsrvadmin_setup_t domain
## and the system_r role. Strict policy.
##
## Prefix of the domain performing this action.
##
## The role to allow the domain.
##
#
interface(`dirsrvadmin_setup_domtrans_strict',`
	gen_require(`
		type dirsrvadmin_t, dirsrvadmin_setup_t, dirsrvadmin_setupexec_t;
		type $1_t, $1_devpts_t;
	')

	domain_auto_trans($1_t, dirsrvadmin_setupexec_t, dirsrvadmin_setup_t)
	allow dirsrvadmin_setup_t $1_t:fd use;
	allow dirsrvadmin_setup_t $1_t:process sigchld;
	allow dirsrvadmin_setup_t $1_devpts_t:chr_file rw_term_perms;
	role $2 types dirsrvadmin_setup_t;
	role system_r types dirsrvadmin_setup_t;
	role_transition $2 dirsrvadmin_setupexec_t system_r;
')

########################################
##
## Execute dirsrv-admin setup programs in the dirsrvadmin_setup_t domain
## and the system_r role. Targeted policy.
##
## Prefix of the domain performing this action.
##
## The role to allow the domain.
##
#
interface(`dirsrvadmin_setup_domtrans_targeted',`
	gen_require(`
		type $1, dirsrvadmin_setupexec_t, dirsrvadmin_setup_t;
	')

	domain_auto_trans($1, dirsrvadmin_setupexec_t, dirsrvadmin_setup_t)
')

########################################
##
## Read setup log files.
##
## Domain allowed access.
##
#
interface(`dirsrvadmin_read_setuplog',`
	gen_require(`
		type dirsrvadmin_setuplog_t;
	')

	files_search_tmp($1)
	allow $1 dirsrvadmin_setuplog_t:file r_file_perms;
')

########################################
##
## Manage setup log files.
##
## Domain allowed access.
##
#
interface(`dirsrvadmin_manage_setuplog',`
	gen_require(`
		type dirsrvadmin_setuplog_t;
	')

	files_search_tmp($1)
	allow $1 dirsrvadmin_setuplog_t:file manage_file_perms;
')

########################################
##
## Extend httpd domain for dirsrv-admin.
##
## Domain allowed access.
##
#
interface(`dirsrvadmin_extend_httpd',`
	gen_require(`
		type httpd_t;
	')

	# Allow httpd domain to interact with dirsrv
	dirsrv_manage_config(httpd_t)
	dirsrv_manage_log(httpd_t)
	dirsrv_manage_var_run(httpd_t)
	dirsrvadmin_manage_setuplog(httpd_t)
	dirsrvadmin_manage_config(httpd_t)
	dir

srv_signal(httpd_t)
	dirsrv_signull(httpd_t)
	dirsrv_run_helper_exec(httpd_t)
	files_exec_usr_files(httpd_t)
	corenet_tcp_bind_generic_port(httpd_t)
	corenet_tcp_connect_generic_port(httpd_t)

	# Strict policy
	ifdef(`strict_policy',`
		userdom_dontaudit_search_sysadm_home_dirs(httpd_t)
	')
')

########################################
##
## Extend httpd domain for dirsrv-admin cgi.
##
## Domain allowed access.
##
#
interface(`dirsrvadmin_script_extend_httpd',`
	gen_require(`
		type httpd_t, httpd_exec_t, httpd_suexec_exec_t, httpd_tmp_t, httpd_var_run_t;
	')

	allow $1 httpd_exec_t:file { read getattr execute_no_trans };
	allow $1 httpd_suexec_exec_t:file getattr;
	allow $1 httpd_tmp_t:file { read write };
	allow $1 httpd_t:udp_socket { read write };
	allow $1 httpd_t:unix_stream_socket { ioctl getattr read write };
	allow $1 httpd_t:netlink_route_socket { read write };
	allow $1 httpd_t:fifo_file { write read };
	allow $1 httpd_var_run_t:file { read getattr };
	apache_list_modules($1)
	apache_exec_modules($1)
	apache_use_fds($1)
	dirsrvadmin_run_httpd_script_exec(httpd_t)
')

########################################
##
## Extend init domain for dirsrv-admin.
## The initscript searches in a config file.
##
## Domain allowed access.
##
#
interface(`dirsrvadmin_extend_init',`
	gen_require(`
		type initrc_t;
	')

	allow initrc_t dirsrvadmin_config_t:file read;
')

########################################
##
## Exec dirsrv-admin programs.
##
## Domain allowed access.
##
#
interface(`dirsrvadmin_run_exec',`
	gen_require(`
		type dirsrvadmin_exec_t;
	')

	allow $1 dirsrvadmin_exec_t:dir search_dir_perms;
	can_exec($1,dirsrvadmin_exec_t)
')

########################################
##
## Exec cgi programs.
##
## Domain allowed access.
##
#
interface(`dirsrvadmin_run_httpd_script_exec',`
	gen_require(`
		type httpd_dirsrvadmin_script_exec_t;
	')

	allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms;
	can_exec($1, httpd_dirsrvadmin_script_exec_t)
')

########################################
##
## Manage cgi programs.
##
## Domain allowed access.
##
#
interface(`dirsrvadmin_manage_httpd_script_exec',`
	gen_require(`
		type httpd_dirsrvadmin_script_exec_t;
	')

	allow $1 httpd_dirsrvadmin_script_exec_t:dir manage_dir_perms;
	allow $1 httpd_dirsrvadmin_script_exec_t:file manage_file_perms;
')

########################################
##
## Read tmp files created by cgi programs.
##
## Domain allowed access.
##
#
interface(`dirsrvadmin_read_httpd_script_tmpfile',`
	gen_require(`
		type httpd_dirsrvadmin_script_rw_t;
	')

	allow $1 httpd_dirsrvadmin_script_rw_t:file r_file_perms;
')

########################################
##
## Manage tmp files created by cgi programs.
##
## Domain allowed access.
##
#
interface(`dirsrvadmin_manage_httpd_script_tmpfile',`
	gen_require(`
		type httpd_dirsrvadmin_script_rw_t;
	')

	allow $1 httpd_dirsrvadmin_script_rw_t:file manage_file_perms;
')

########################################
##
## Read dirsrv-adminserver configuration files.
##
## Domain allowed access.
##
#
interface(`dirsrvadmin_read_config',`
	gen_require(`
		type dirsrvadmin_config_t;
	')

	allow $1 dirsrvadmin_config_t:dir r_dir_perms;
	allow $1 dirsrvadmin_config_t:file r_file_perms;
')

########################################
##
## Manage dirsrv-adminserver configuration files.
##
## Domain allowed access.
##
#
interface(`dirsrvadmin_manage_config',`
	gen_require(`
		type dirsrvadmin_config_t;
	')

	allow $1 dirsrvadmin_config_t:dir manage_dir_perms;
	allow $1 dirsrvadmin_config_t:file manage_file_perms;
')

########################################
##
## Read and write to cgi program over a unix stream socket.
##
## Domain allowed access.
##
#
interface(`dirsrvadmin_script_stream_rw',`
	gen_require(`
		type httpd_dirsrvadmin_script_t;
	')

	allow $1 httpd_dirsrvadmin_script_t:unix_stream_socket { read write };
')

########################################
##
## Read migration inf file in sysadm home dir.
##
## Domain allowed access.
##
#
interface(`dirsrvadmin_read_inffile',`
	ifdef(`targeted_policy',`
		gen_require(`
			type user_home_t, user_home_dir_t;
		')

		userdom_list_user_home_dirs(user, $1)
		allow $1 user_home_t:file r_file_perms;
	',`
		gen_require(`
			type sysadm_home_t;
		')

		userdom_list_sysadm_home_dirs($1)
		allow $1 sysadm_home_t:file r_file_perms;
	')
')
-------------- next part --------------
# Start script for daemon (domain entry point)
/usr/sbin/start-ds-admin	--	gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
/usr/sbin/stop-ds-admin		--	gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
/usr/sbin/restart-ds-admin	--	gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)

# Configuration
/etc/dirsrv/admin-serv(/.*)?		gen_context(system_u:object_r:dirsrvadmin_config_t,s0)

# Log dir
/var/log/dirsrv/admin-serv(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)

# Pid
/var/run/dirsrv/admin-serv.*		gen_context(system_u:object_r:httpd_var_run_t,s0)

# cgi
/usr/lib/dirsrv/cgi-bin(/.*)?		gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)

# Setup applications
/usr/sbin/migrate-ds-admin.pl	--	gen_context(system_u:object_r:dirsrvadmin_setupexec_t,s0)
/usr/sbin/setup-ds-admin.pl	--	gen_context(system_u:object_r:dirsrvadmin_setupexec_t,s0)
-------------- next part --------------
# Daemon (domain entry point)
/usr/sbin/ns-slapd		--	gen_context(system_u:object_r:dirsrv_exec_t,s0)

# Setup applications
/usr/sbin/migrate-ds.pl		--	gen_context(system_u:object_r:dirsrv_setupexec_t,s0)
/usr/sbin/setup-ds.pl		--	gen_context(system_u:object_r:dirsrv_setupexec_t,s0)

# Helper scripts
/usr/lib/dirsrv(/slapd-.*)?		gen_context(system_u:object_r:dirsrv_helper_exec_t,s0)

# Configuration
/etc/dirsrv(/slapd-.*)?			gen_context(system_u:object_r:dirsrv_config_t,s0)

# Db files
/var/lib/dirsrv(/.*)?			gen_context(system_u:object_r:dirsrv_db_t,s0)

# Lock files
/var/lock/dirsrv(/.*)?			gen_context(system_u:object_r:dirsrv_lock_t,s0)

# Log files
/var/log/dirsrv(/.*)?			gen_context(system_u:object_r:dirsrv_log_t,s0)

# var_run
/var/run/dirsrv(/.*)?			gen_context(system_u:object_r:dirsrv_var_run_t,s0)
-------------- next part --------------
## Fedora Directory server, dirsrv

########################################
##
## Execute dirsrv programs in the dirsrv_t domain.
##
## The type of the process performing this action.
##
#
interface(`dirsrv_domtrans',`
	gen_require(`
		type dirsrv_t, dirsrv_exec_t;
	')

	allow $1 dirsrv_t:process signull;
	domain_auto_trans($1, dirsrv_exec_t, dirsrv_t)
	allow dirsrv_t $1:fd use;
	allow dirsrv_t $1:fifo_file rw_file_perms;
	allow dirsrv_t $1:process sigchld;
')

########################################
##
## Execute dirsrv setup programs in the dirsrv_setup_t domain
## and the system_r role. Strict policy.
##
## Prefix of the domain performing this action.
##
## The role to allow the domain.
##
#
interface(`dirsrv_setup_domtrans_strict',`
	gen_require(`
		type dirsrv_t, dirsrv_setup_t, dirsrv_setupexec_t;
		type $1_t, $1_devpts_t;
	')

	domain_auto_trans($1_t, dirsrv_setupexec_t, dirsrv_setup_t)
	allow dirsrv_setup_t $1_t:fd use;
	allow dirsrv_setup_t $1_t:process sigchld;
	allow dirsrv_setup_t $1_devpts_t:chr_file rw_term_perms;
	role $2 types dirsrv_setup_t;
	role_transition $2 dirsrv_setupexec_t system_r;
')

########################################
##
## Execute dirsrv setup programs in the dirsrv_setup_t domain
## and the system_r role. Targeted policy.
##
## Prefix of the domain performing this action.
##
## The role to allow the domain.
##
#
interface(`dirsrv_setup_domtrans_targeted',`
	gen_require(`
		type dirsrv_setupexec_t, dirsrv_setup_t;
	')

	domain_auto_trans($1, dirsrv_setupexec_t, dirsrv_setup_t)
')

########################################
##
## Extend httpd domain for dirsrv.
##
## Domain allowed access.
##
#
interface(`dirsrv_extend_httpd',`
	gen_require(`
		type httpd_t, httpd_tmp_t;
	')

	allow $1 httpd_t:fifo_file { write read };
	allow $1 httpd_t:unix_stream_socket { ioctl getattr read write };
	allow $1 httpd_tmp_t:file { read write };
	apache_use_fds($1)
')

########################################
##
## Read setup log files.
##
## Domain allowed access.
##
#
interface(`dirsrv_read_setuplog',`
	gen_require(`
		type dirsrv_setuplog_t;
	')

	files_search_tmp($1)
	allow $1 dirsrv_setuplog_t:file r_file_perms;
')

########################################
##
## Read the contents of Directory server
## database directories.
##
## Domain allowed access.
##
#
interface(`dirsrv_list_db',`
	gen_require(`
		type dirsrv_db_t;
	')

	allow $1 dirsrv_db_t:dir r_dir_perms;
')

########################################
##
## Manage the contents of Directory server
## database directories.
##
## Domain allowed access.
##
#
interface(`dirsrv_manage_db',`
	gen_require(`
		type dirsrv_db_t;
	')

	allow $1 dirsrv_db_t:dir manage_dir_perms;
	allow $1 dirsrv_db_t:file manage_file_perms;
')

########################################
##
## Read Directory server configuration files.
##
## Domain allowed access.
##
#
interface(`dirsrv_read_config',`
	gen_require(`
		type dirsrv_config_t;
	')

	allow $1 dirsrv_config_t:dir r_dir_perms;
	allow $1 dirsrv_config_t:file r_file_perms;
')

########################################
##
## Manage Directory server configuration files.
##
## Domain allowed access.
##
#
interface(`dirsrv_manage_config',`
	gen_require(`
		type dirsrv_config_t;
	')

	allow $1 dirsrv_config_t:dir manage_dir_perms;
	allow $1 dirsrv_config_t:file manage_file_perms;
')

########################################
##
## Read Directory server log files.
##
## Domain allowed access.
##
#
interface(`dirsrv_list_log',`
	gen_require(`
		type dirsrv_log_t;
	')

	allow $1 dirsrv_log_t:dir r_dir_perms;
')

########################################
##
## Manage Directory server log files.
##
## Domain allowed access.
##
#
interface(`dirsrv_manage_log',`
	gen_require(`
		type dirsrv_log_t;
	')

	allow $1 dirsrv_log_t:dir manage_dir_perms;
	allow $1 dirsrv_log_t:file manage_file_perms;
')

########################################
##
## Read Directory server lock files.
##
## Domain allowed access.
##
#
interface(`dirsrv_list_lock',`
	gen_require(`
		type dirsrv_lock_t;
	')

	allow $1 dirsrv_lock_t:dir r_dir_perms;
')

########################################
##
## Manage Directory server lock files.
##
## Domain allowed access.
##
#
interface(`dirsrv_manage_lock',`
	gen_require(`
		type dirsrv_lock_t;
	')

	allow $1 dirsrv_lock_t:dir manage_dir_perms;
	allow $1 dirsrv_lock_t:file manage_file_perms;
')

########################################
##
## Read Directory server var_run files.
##
## Domain allowed access.
##
#
interface(`dirsrv_list_var_run',`
	gen_require(`
		type dirsrv_var_run_t;
	')

	allow $1 dirsrv_var_run_t:dir r_dir_perms;
')

########################################
##
## Manage Directory server var_run files.
##
## Domain allowed access.
##
#
interface(`dirsrv_manage_var_run',`
	gen_require(`
		type dirsrv_var_run_t;
	')

	allow $1 dirsrv_var_run_t:dir manage_dir_perms;
	allow $1 dirsrv_var_run_t:file manage_file_perms;
	allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
	# Allow creating a dir in /var/run with this type
	files_pid_filetrans($1, dirsrv_var_run_t, dir)
')

########################################
##
## Exec Directory server helper programs.
##
## Domain allowed access.
##
#
interface(`dirsrv_run_helper_exec',`
	gen_require(`
		type dirsrv_helper_exec_t;
	')

	allow $1 dirsrv_helper_exec_t:dir search_dir_perms;
	can_exec($1,dirsrv_helper_exec_t)
')

########################################
##
## Manage Directory server helper programs.
##
## Domain allowed access.
##
#
interface(`dirsrv_manage_helper_exec',`
	gen_require(`
		type dirsrv_helper_exec_t;
	')

	allow $1 dirsrv_helper_exec_t:dir manage_dir_perms;
	allow $1 dirsrv_helper_exec_t:file { manage_file_perms rw_file_perms };
')

########################################
##
## Allow caller to signal dirsrv.
##
## Domain allowed access.
##
#
interface(`dirsrv_signal',`
	gen_require(`
		type dirsrv_t;
	')

	allow $1 dirsrv_t:process signal;
')

########################################
##
## Send a null signal to dirsrv.
##
## Domain allowed access.
##
#
interface(`dirsrv_signull',`
	gen_require(`
		type dirsrv_t;
	')

	allow $1 dirsrv_t:process signull;
')
-------------- next part --------------
policy_module(dirsrv,1.0.0)

########################################
#
# Declarations for daemon
#

## Create domain for daemon
type dirsrv_t;
domain_type(dirsrv_t)

## Type for the daemon
type dirsrv_exec_t;
files_type(dirsrv_exec_t)

# Start from initrc
init_domain(dirsrv_t, dirsrv_exec_t)
init_daemon_domain(dirsrv_t, dirsrv_exec_t)
role system_r types dirsrv_t;

## Type for helper programs
type dirsrv_helper_exec_t;
files_type(dirsrv_helper_exec_t)

## Type for configuration files
type dirsrv_config_t;
files_config_file(dirsrv_config_t)

## Type for db files
type dirsrv_db_t;
files_type(dirsrv_db_t)

## Type for lock files
type dirsrv_lock_t;
files_lock_file(dirsrv_lock_t)
files_lock_filetrans(dirsrv_t, dirsrv_lock_t, {file dir})

## Type for log files
type dirsrv_log_t;
logging_log_file(dirsrv_log_t)

## Type for var_run file
type dirsrv_var_run_t;
files_pid_file(dirsrv_var_run_t)
files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, {file dir})

########################################
#
# Declarations for setup programs
#

## Domain for setup program
type dirsrv_setup_t;
domain_type(dirsrv_setup_t)
role sysadm_r types dirsrv_setup_t;

## Type for setup program
type dirsrv_setupexec_t;
files_type(dirsrv_setupexec_t)
domain_entry_file(dirsrv_setup_t, dirsrv_setupexec_t)

## Type for tmp files setup creates
type dirsrv_setuplog_t;
files_tmp_file(dirsrv_setuplog_t)
files_tmp_filetrans(dirsrv_setup_t, dirsrv_setuplog_t, file)
files_tmp_filetrans(dirsrv_t, dirsrv_setuplog_t, file)

########################################
#
# Local policy for the daemon
#

## Executable
allow dirsrv_t self:capability { chown dac_override fowner setuid sys_nice setgid };
allow dirsrv_t self:process { setsched getsched signull };
allow dirsrv_t self:fifo_file { write read };
allow dirsrv_t self:sem { create getattr associate unix_read unix_write };

## Config
allow dirsrv_t dirsrv_config_t:file { getattr read create_file_perms };
allow dirsrv_t dirsrv_config_t:dir create_dir_perms;

## Database files
allow dirsrv_t dirsrv_db_t:dir manage_dir_perms;
allow dirsrv_t dirsrv_db_t:file manage_file_perms;
# Allow search in /var/lib
files_list_var_lib(dirsrv_t)

## Manage locks
allow dirsrv_t dirsrv_lock_t:dir manage_dir_perms;
allow dirsrv_t dirsrv_lock_t:file manage_file_perms;

## Logging
allow dirsrv_t dirsrv_log_t:file { create rename setattr manage_file_perms };
allow dirsrv_t dirsrv_log_t:dir { setattr rw_dir_perms };
allow dirsrv_t self:unix_dgram_socket create_socket_perms;
# Allow search in /var/log
logging_search_logs(dirsrv_t)

## var_run
allow dirsrv_t dirsrv_var_run_t:file manage_file_perms;
allow dirsrv_t dirsrv_var_run_t:dir rw_dir_perms;

## Helper programs
dirsrv_run_helper_exec(dirsrv_t)

## Setup log
dirsrv_read_setuplog(dirsrv_t)
dirsrvadmin_read_setuplog(dirsrv_t)

## Files in /tmp, created by setup app
allow dirsrv_t dirsrv_setuplog_t:file manage_file_perms;

## When restarted from a cgi script the dirsrv needs to communicate back
dirsrvadmin_script_stream_rw(dirsrv_t)
# dirsrv needs some permissions that have no interface in the apache policy
dirsrv_extend_httpd(dirsrv_t)
dirsrvadmin_manage_httpd_script_tmpfile(dirsrv_t)

## Allow networking
corenet_tcp_bind_ldap_port(dirsrv_t)
corenet_tcp_sendrecv_ldap_port(dirsrv_t)
corenet_sendrecv_ldap_server_packets(dirsrv_t)
corenet_tcp_bind_unspec_node(dirsrv_t)
corenet_tcp_bind_inaddr_any_node(dirsrv_t)
kernel_sendrecv_unlabeled_packets(dirsrv_t)
allow dirsrv_t self:tcp_socket create_stream_socket_perms;
allow dirsrv_t self:udp_socket create_socket_perms;

## Misc interfaces
# Access to shared libraries
libs_use_ld_so(dirsrv_t)
libs_use_shared_libs(dirsrv_t)
files_exec_usr_files(dirsrv_t)
# Read locale
miscfiles_read_localization(dirsrv_t)
# Read etc
files_read_etc_files(dirsrv_t)
sysnet_read_config(dirsrv_t)
# Allow using syslog
logging_send_syslog_msg(dirsrv_t)
# Search sbin
corecmd_search_sbin(dirsrv_t)
# Allow read urandom
dev_read_urand(dirsrv_t)
# Allow listing /tmp
files_list_tmp(dirsrv_t)
# Allow read /usr/tmp
files_read_usr_symlinks(dirsrv_t)
# Allow stat file system
fs_getattr_xattr_fs(dirsrv_t)
# Allow read proc
kernel_read_system_state(dirsrv_t)

# Strict policy
ifdef(`strict_policy',`
	# Daemon searches for plugins in cwd
	userdom_dontaudit_search_sysadm_home_dirs(dirsrv_t)
')

# In targeted policy
ifdef(`targeted_policy',`
	files_read_generic_tmp_files(dirsrv_t)
	userdom_dontaudit_search_generic_user_home_dirs(dirsrv_t)
')

########################################
#
# Local policy for setup programs
#

## Transition into dirsrv domain when running setup
# Should be in userdomain
ifdef(`strict_policy',`
	dirsrv_setup_domtrans_strict(sysadm, sysadm_r)
')
# A similar policy should be in unconfined
ifdef(`targeted_policy',`
	dirsrv_setup_domtrans_targeted(unconfined_t)
')
seutil_use_newrole_fds(dirsrv_setup_t)

## Executable
allow dirsrv_setup_t self:capability { sys_nice chown fsetid fowner kill net_bind_service dac_override };
allow dirsrv_setup_t self:fifo_file { read write getattr ioctl };
allow dirsrv_setup_t self:process { setsched getsched };
allow dirsrv_setup_t self:tcp_socket { bind create ioctl };

# Start daemon from setup program
dirsrv_domtrans(dirsrv_setup_t)

## Manage db dir
dirsrv_manage_db(dirsrv_setup_t)
## Manage configuration
dirsrv_manage_config(dirsrv_setup_t)
## Manage log dir
dirsrv_manage_log(dirsrv_setup_t)
## Manage lock dir
dirsrv_manage_lock(dirsrv_setup_t)
## Manage var_run files
dirsrv_manage_var_run(dirsrv_setup_t)
## Manage helper programs
dirsrv_manage_helper_exec(dirsrv_setup_t)
dirsrv_run_helper_exec(dirsrv_setup_t)

## Files in /tmp
allow dirsrv_setup_t dirsrv_setuplog_t:file manage_file_perms;

## Networking
# Connect server using ldap
corenet_tcp_bind_inaddr_any_node(dirsrv_setup_t)
corenet_tcp_bind_ldap_port(dirsrv_setup_t)

## Misc interfaces
# Access to shared libraries
libs_use_ld_so(dirsrv_setup_t)
libs_use_shared_libs(dirsrv_setup_t)
# Read locale
miscfiles_read_localization(dirsrv_setup_t)
# mtab
files_dontaudit_read_etc_runtime_files(dirsrv_setup_t)
# Execute
corecmd_exec_bin(dirsrv_setup_t)
corecmd_exec_sbin(dirsrv_setup_t)
corecmd_exec_shell(dirsrv_setup_t)
# Read /usr/share
files_read_usr_files(dirsrv_setup_t)
# Allow read urandom
dev_read_urand(dirsrv_setup_t)
# Read proc
kernel_read_net_sysctls(dirsrv_setup_t)
kernel_read_sysctl(dirsrv_setup_t)
kernel_read_system_state(dirsrv_setup_t)
kernel_search_network_sysctl(dirsrv_setup_t)
# Stat shadow (note: this interface grants read access to /etc/shadow, not
# only getattr; if the setup program really only needs to stat the file, a
# getattr-only interface would be the least-privilege choice)
auth_read_shadow(dirsrv_setup_t)
# Exec nsswitch.conf
files_exec_etc_files(dirsrv_setup_t)
# Find dirsrv dirs
files_search_locks(dirsrv_setup_t)
files_search_var_lib(dirsrv_setup_t)
logging_search_logs(dirsrv_setup_t)
# Allow stat file system
fs_getattr_xattr_fs(dirsrv_setup_t)
sysnet_read_config(dirsrv_setup_t)
term_search_ptys(dirsrv_setup_t)

optional_policy(`
	nscd_read_pid(dirsrv_setup_t)
')

# Strict policy
ifdef(`strict_policy',`
	# Read cwd (/root)
	userdom_list_sysadm_home_dirs(dirsrv_setup_t)
')

# In targeted policy
ifdef(`targeted_policy',`
	term_use_generic_ptys(dirsrv_setup_t)
	# Read cwd (/root)
	userdom_list_user_home_dirs(user,dirsrv_setup_t)
	userdom_search_generic_user_home_dirs(dirsrv_setup_t)
')
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dirsrv-admin.te
Type: text/x-java
Size: 8756 bytes
Desc: not available
URL: 
-------------- next part --------------

-------------- next part --------------
policy_module(fedora-idm-console,1.0.0)

########################################
#
# Declarations
#

type fedora-idm-console_t;
domain_type(fedora-idm-console_t)

########################################
#
# Local policy
#

# In strict policy we need to extend the java domain
ifdef(`strict_policy',`
	fedoraidmconsole_extend_java(user)
	## Misc interfaces
	# Access to shared libraries
	libs_use_ld_so(fedora-idm-console_t)
	libs_use_shared_libs(fedora-idm-console_t)
	# Read locale
	miscfiles_read_localization(fedora-idm-console_t)
')
-------------- next part --------------
## Java based fedora-idm-console

########################################
##
## Extend java domain for fedora-idm-console.
##
##
##
## Prefix of domain allowed access.
##
##
#
interface(`fedoraidmconsole_extend_java',`
	gen_require(`
		type $1_javaplugin_t;
		type $1_t, $1_xserver_tmp_t, $1_gconf_home_t, $1_home_ssh_t, $1_mozilla_home_t;
	')

	allow $1_javaplugin_t $1_t:process sigchld;
	allow $1_t $1_javaplugin_t:process { signal ptrace };
	allow $1_javaplugin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
	allow $1_javaplugin_t self:tcp_socket { accept listen };
	allow $1_javaplugin_t $1_xserver_tmp_t:dir search;
	allow $1_javaplugin_t $1_xserver_tmp_t:sock_file write;
	dirsrv_list_db($1_javaplugin_t)
	corecmd_exec_bin($1_javaplugin_t)
	corenet_tcp_bind_inaddr_any_node($1_javaplugin_t)
	files_read_var_files($1_javaplugin_t)

	# Sun java checks some dirs, there are probably more than these
	dontaudit $1_javaplugin_t $1_gconf_home_t:dir getattr;
	dontaudit $1_javaplugin_t $1_home_ssh_t:dir getattr;
	dontaudit $1_javaplugin_t $1_mozilla_home_t:dir getattr;
')

From burt.s.e at gmail.com Wed Mar 12 11:44:32 2008
From: burt.s.e at gmail.com (Steve Burt)
Date: Wed, 12 Mar 2008 11:44:32 +0000
Subject: [Fedora-directory-users] Problems in adding a
second server into a new
Message-ID: 

Greetings Folks

I am very new to Fedora-DS and have, I think, successfully installed a
Directory Server and a server group with an admin server and 1
Directory Server.

My Aim is to Install a second directory server, I think this is
basically running the setup-ds-admin.pl on the second server...

Could anyone help..

Yours Humbly

Steve

From rmeggins at redhat.com Wed Mar 12 13:52:09 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 12 Mar 2008 07:52:09 -0600
Subject: [Fedora-directory-users] Problems in adding a second server into a new
In-Reply-To: 
References: 
Message-ID: <47D7E009.9060605@redhat.com>

Steve Burt wrote:
> Greetings Folks
>
> I am very new to Fedora-DS and have, I think, successfully installed a
> Directory Server and a server group with an admin server and 1
> Directory Server.
>
> My Aim is to Install a second directory server, I think this is
> basically running the setup-ds-admin.pl on the second server...
>
Yes.  But read about this bug first - https://bugzilla.redhat.com/show_bug.cgi?id=431103
> Could anyone help..
>
> Yours Humbly
>
> Steve
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: 

From solarflow99 at gmail.com Wed Mar 12 17:34:07 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Wed, 12 Mar 2008 17:34:07 +0000
Subject: [Fedora-directory-users] groups
Message-ID: <7020fd000803121034v21d63c40u5122aa4d4ad4d2be@mail.gmail.com>

I guess FDS doesn't really make use of the UPG scheme that local authentication in redhat has always used?

If I could say a feature request, it would be a simple way to customise templates for adding users/groups, etc.
I don't see any way to add objectclasses and values, or hashed samba SID and passwords, without doing them manually after the object has already been created.

Also, some objectclasses should be changed, for example adding a group uses groupofuniquenames instead of posixgroup.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From burt.s.e at gmail.com Wed Mar 12 17:35:12 2008
From: burt.s.e at gmail.com (Steve Burt)
Date: Wed, 12 Mar 2008 17:35:12 +0000
Subject: [Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 34, Issue 24
In-Reply-To: <20080312160006.E97488E019D@hormel.redhat.com>
References: <20080312160006.E97488E019D@hormel.redhat.com>
Message-ID: 

Hi Rich,

Ok so I think I have to create an ldif file

There is a workaround - if the fqdn is host.example.com, you just have to create the following entries:

dn: cn=host.example.com, ou=example.com, o=NetscapeRoot
objectclass: top
objectclass: nsHost
objectclass: groupOfUniqueNames
cn: host.example.com
nsosversion: output of uname -a on the machine
nshardwareplatform: arch e.g. i386 or x86_64 or ...
serverHostName: host.example.com dn: cn=Server Group, cn=host.example.com, ou=example.com, o=NetscapeRoot objectclass: top objectclass: nsAdminGroup objectclass: nsDirectoryInfo objectclass: groupOfUniqueNames nsAdminGroupName: Server Group nsDirectoryInfoRef: cn=User Directory, ou=Global Preferences, ou=example.com, o=NetscapeRoot Is that correct On 12/03/2008, fedora-directory-users-request at redhat.com wrote: > Send Fedora-directory-users mailing list submissions to > fedora-directory-users at redhat.com > > To subscribe or unsubscribe via the World Wide Web, visit > https://www.redhat.com/mailman/listinfo/fedora-directory-users > or, via email, send a message with subject or body 'help' to > fedora-directory-users-request at redhat.com > > You can reach the person managing the list at > fedora-directory-users-owner at redhat.com > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Fedora-directory-users digest..." > > > Today's Topics: > > 1. SELinux policy for Fedora Directory Server 1.1.0 (P?r Aronsson) > 2. Problems in adding a second server into a new (Steve Burt) > 3. Re: Problems in adding a second server into a new (Rich Megginson) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Tue, 11 Mar 2008 17:34:09 +0100 > From: P?r Aronsson > Subject: [Fedora-directory-users] SELinux policy for Fedora Directory > Server 1.1.0 > To: selinux at tycho.nsa.gov, fedora-directory-users at redhat.com > Message-ID: <200803111734.10289.par.aronsson at telia.com> > Content-Type: text/plain; charset="utf-8" > > Hello, > > Attached is a SELinux policy for the Fedora Directory Server 1.1.0. > It is composed of three parts. 
> * dirsrv - directory server and setup programs > * dirsrv-admin - administration server and setup programs > * fedora-idm-console - java based console for administration > > The policies were developed on a CentOS 5.1 with the following packages: > fedora-ds-base-1.1.0-3.fc6 > fedora-ds-admin-1.1.1-1.fc6 > fedora-ds-console-1.1.0-5.fc6 > selinux-policy-2.4.6-106.el5_1.3 > kernel-2.6.18-53.1.4.el5 > > I've succesfully tested the policies in targeted and strict mode. > > The dirsrv-admin policy requires that the apache policy module is loaded. > Also run: > setsebool -P httpd_enable_cgi on > > Comment out the following in /usr/sbin/start-ds-admin (line 63-65): > if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then > SELINUX_CMD="runcon -t unconfined_t --" > fi > > I had trouble with the replication plugin so I haven't been able to do any > testing with replication. > > Any comments are welcome. > > // P?r Aronsson > -------------- next part -------------- > ## Administration application for Fedora Directory Server, dirsrv-admin. > > ######################################## > ## > ## Execute dirsrv-admin setup programs in the dirsrvadmin_setup_t domain > ## and the system_r role. Strict policy. > ## > ## > ## > ## Prefix of the domain performing this action. > ## > ## > ## > ## > ## The role to allow the domain. 
> ## > ## > # > interface(`dirsrvadmin_setup_domtrans_strict',` > gen_require(` > type dirsrvadmin_t, dirsrvadmin_setup_t, dirsrvadmin_setupexec_t; > type $1_t, $1_devpts_t; > ') > > domain_auto_trans($1_t, dirsrvadmin_setupexec_t, dirsrvadmin_setup_t) > allow dirsrvadmin_setup_t $1_t:fd use; > allow dirsrvadmin_setup_t $1_t:process sigchld; > allow dirsrvadmin_setup_t $1_devpts_t:chr_file rw_term_perms; > role $2 types dirsrvadmin_setup_t; > role system_r types dirsrvadmin_setup_t; > role_transition $2 dirsrvadmin_setupexec_t system_r; > ') > > ######################################## > ## > ## Execute dirsrv-admin setup programs in the dirsrvadmin_setup_t domain > ## and the system_r role. Targeted policy. > ## > ## > ## > ## Prefix of the domain performing this action. > ## > ## > ## > ## > ## The role to allow the domain. > ## > ## > # > interface(`dirsrvadmin_setup_domtrans_targeted',` > gen_require(` > type $1, dirsrvadmin_setupexec_t, dirsrvadmin_setup_t; > ') > > domain_auto_trans($1, dirsrvadmin_setupexec_t, dirsrvadmin_setup_t) > ') > > ######################################## > ## > ## Read setup log files. > ## > ## > ## > ## Domain allowed access. > ## > ## > # > interface(`dirsrvadmin_read_setuplog',` > gen_require(` > type dirsrvadmin_setuplog_t; > ') > > files_search_tmp($1) > allow $1 dirsrvadmin_setuplog_t:file r_file_perms; > ') > > ######################################## > ## > ## Manage setup log files. > ## > ## > ## > ## Domain allowed access. > ## > ## > # > interface(`dirsrvadmin_manage_setuplog',` > gen_require(` > type dirsrvadmin_setuplog_t; > ') > > files_search_tmp($1) > allow $1 dirsrvadmin_setuplog_t:file manage_file_perms; > ') > > ######################################## > ## > ## Extend httpd domain for dirsrv-admin. > ## > ## > ## > ## Domain allowed access. 
> ## > ## > # > interface(`dirsrvadmin_extend_httpd',` > gen_require(` > type httpd_t; > ') > > # Allow httpd domain to interact with dirsrv > dirsrv_manage_config(httpd_t) > dirsrv_manage_log(httpd_t) > dirsrv_manage_var_run(httpd_t) > dirsrvadmin_manage_setuplog(httpd_t) > dirsrvadmin_manage_config(httpd_t) > dirsrv_signal(httpd_t) > dirsrv_signull(httpd_t) > dirsrv_run_helper_exec(httpd_t) > files_exec_usr_files(httpd_t) > corenet_tcp_bind_generic_port(httpd_t) > corenet_tcp_connect_generic_port(httpd_t) > > # Strict policy > ifdef(`strict_policy',` > userdom_dontaudit_search_sysadm_home_dirs(httpd_t) > ') > ') > > ######################################## > ## > ## Extend httpd domain for dirsrv-admin cgi. > ## > ## > ## > ## Domain allowed access. > ## > ## > # > interface(`dirsrvadmin_script_extend_httpd',` > gen_require(` > type httpd_t, httpd_exec_t, httpd_suexec_exec_t, httpd_tmp_t, httpd_var_run_t; > ') > > allow $1 httpd_exec_t:file { read getattr execute_no_trans }; > allow $1 httpd_suexec_exec_t:file getattr; > allow $1 httpd_tmp_t:file { read write }; > allow $1 httpd_t:udp_socket { read write }; > allow $1 httpd_t:unix_stream_socket { ioctl getattr read write }; > allow $1 httpd_t:netlink_route_socket { read write }; > allow $1 httpd_t:fifo_file { write read }; > allow $1 httpd_var_run_t:file { read getattr }; > apache_list_modules($1) > apache_exec_modules($1) > apache_use_fds($1) > dirsrvadmin_run_httpd_script_exec(httpd_t) > ') > > ######################################## > ## > ## Extend init domain for dirsrv-admin. > ## The initscript searches in a config file. > ## > ## > ## > ## Domain allowed access. > ## > ## > # > interface(`dirsrvadmin_extend_init',` > gen_require(` > type initrc_t; > ') > > allow initrc_t dirsrvadmin_config_t:file read; > ') > > ######################################## > ## > ## Exec dirsrv-admin programs. > ## > ## > ## > ## Domain allowed access. 
> ## > ## > # > interface(`dirsrvadmin_run_exec',` > gen_require(` > type dirsrvadmin_exec_t; > ') > > allow $1 dirsrvadmin_exec_t:dir search_dir_perms; > can_exec($1,dirsrvadmin_exec_t) > ') > > ######################################## > ## > ## Exec cgi programs. > ## > ## > ## > ## Domain allowed access. > ## > ## > # > interface(`dirsrvadmin_run_httpd_script_exec',` > gen_require(` > type httpd_dirsrvadmin_script_exec_t; > ') > > allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms; > can_exec($1, httpd_dirsrvadmin_script_exec_t) > ') > > ######################################## > ## > ## Manage cgi programs. > ## > ## > ## > ## Domain allowed access. > ## > ## > # > interface(`dirsrvadmin_manage_httpd_script_exec',` > gen_require(` > type httpd_dirsrvadmin_script_exec_t; > ') > > allow $1 httpd_dirsrvadmin_script_exec_t:dir manage_dir_perms; > allow $1 httpd_dirsrvadmin_script_exec_t:file manage_file_perms; > ') > > ######################################## > ## > ## Read tmp files created by cgi programs. > ## > ## > ## > ## Domain allowed access. > ## > ## > # > interface(`dirsrvadmin_read_httpd_script_tmpfile',` > gen_require(` > type httpd_dirsrvadmin_script_rw_t; > ') > > allow $1 httpd_dirsrvadmin_script_rw_t:file r_file_perms; > ') > > ######################################## > ## > ## Manage tmp files created by cgi programs. > ## > ## > ## > ## Domain allowed access. > ## > ## > # > interface(`dirsrvadmin_manage_httpd_script_tmpfile',` > gen_require(` > type httpd_dirsrvadmin_script_rw_t; > ') > > allow $1 httpd_dirsrvadmin_script_rw_t:file manage_file_perms; > ') > > ######################################## > ## > ## Read dirsrv-adminserver configuration files. > ## > ## > ## > ## Domain allowed access. 
> ## > ## > # > interface(`dirsrvadmin_read_config',` > gen_require(` > type dirsrvadmin_config_t; > ') > > allow $1 dirsrvadmin_config_t:dir r_dir_perms; > allow $1 dirsrvadmin_config_t:file r_file_perms; > ') > > ######################################## > ## > ## Manage dirsrv-adminserver configuration files. > ## > ## > ## > ## Domain allowed access. > ## > ## > # > interface(`dirsrvadmin_manage_config',` > gen_require(` > type dirsrvadmin_config_t; > ') > > allow $1 dirsrvadmin_config_t:dir manage_dir_perms; > allow $1 dirsrvadmin_config_t:file manage_file_perms; > ') > > ######################################## > ## > ## Read and write to cgi program over an unix stream socket. > ## > ## > ## > ## Domain allowed access. > ## > ## > # > interface(`dirsrvadmin_script_stream_rw',` > gen_require(` > type httpd_dirsrvadmin_script_t; > ') > > allow $1 httpd_dirsrvadmin_script_t:unix_stream_socket { read write }; > ') > > ######################################## > ## > ## Read migration inf file in sysadm home dir. > ## > ## > ## > ## Domain allowed access. > ## > ## > # > interface(`dirsrvadmin_read_inffile',` > ifdef(`targeted_policy',` > gen_require(` > type user_home_t, user_home_dir_t; > ') > > userdom_list_user_home_dirs(user, $1) > allow $1 user_home_t:file r_file_perms; > ',` > gen_require(` > type sysadm_home_t; > ') > > userdom_list_sysadm_home_dirs($1) > allow $1 sysadm_home_t:file r_file_perms; > ') > ') > > -------------- next part -------------- > # Start script for daemon (domain entry point) > /usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) > /usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) > /usr/sbin/restart-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) > # Configuration > /etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0) > # Log dir > /var/log/dirsrv/admin-serv(/.*)? 
gen_context(system_u:object_r:httpd_log_t,s0) > # Pid > /var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) > # cgi > /usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0) > # Setup applications > /usr/sbin/migrate-ds-admin.pl -- gen_context(system_u:object_r:dirsrvadmin_setupexec_t,s0) > /usr/sbin/setup-ds-admin.pl -- gen_context(system_u:object_r:dirsrvadmin_setupexec_t,s0) > -------------- next part -------------- > # Daemon (domain entry point) > /usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0) > # Setup applications > /usr/sbin/migrate-ds.pl -- gen_context(system_u:object_r:dirsrv_setupexec_t,s0) > /usr/sbin/setup-ds.pl -- gen_context(system_u:object_r:dirsrv_setupexec_t,s0) > # Helper scripts > /usr/lib/dirsrv(/slapd-.*)? gen_context(system_u:object_r:dirsrv_helper_exec_t,s0) > # Configuration > /etc/dirsrv(/slapd-.*)? gen_context(system_u:object_r:dirsrv_config_t,s0) > # Db files > /var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_db_t,s0) > # Lock files > /var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_lock_t,s0) > # Log files > /var/log/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_log_t,s0) > # var_run > /var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0) > -------------- next part -------------- > ## Fedora Directory server, dirsrv > > ######################################## > ## > ## Execute dirsrv programs in the dirsrv_t domain. > ## > ## > ## > ## The type of the process performing this action. 
> ## > ## > # > interface(`dirsrv_domtrans',` > gen_require(` > type dirsrv_t, dirsrv_exec_t; > ') > > allow $1 dirsrv_t:process signull; > domain_auto_trans($1, dirsrv_exec_t, dirsrv_t) > allow dirsrv_t $1:fd use; > allow dirsrv_t $1:fifo_file rw_file_perms; > allow dirsrv_t $1:process sigchld; > ') > > ######################################## > ## > ## Execute dirsrv setup programs in the dirsrv_setup_t domain > ## and the system_r role. Strict policy. > ## > ## > ## > ## Prefix of the domain performing this action. > ## > ## > ## > ## > ## The role to allow the domain. > ## > ## > # > interface(`dirsrv_setup_domtrans_strict',` > gen_require(` > type dirsrv_t, dirsrv_setup_t, dirsrv_setupexec_t; > type $1_t, $1_devpts_t; > ') > > domain_auto_trans($1_t, dirsrv_setupexec_t, dirsrv_setup_t) > allow dirsrv_setup_t $1_t:fd use; > allow dirsrv_setup_t $1_t:process sigchld; > allow dirsrv_setup_t $1_devpts_t:chr_file rw_term_perms; > role $2 types dirsrv_setup_t; > role_transition $2 dirsrv_setupexec_t system_r; > ') > > ######################################## > ## > ## Execute dirsrv setup programs in the dirsrv_setup_t domain > ## and the system_r role. Targeted policy. > ## > ## > ## > ## Prefix of the domain performing this action. > ## > ## > ## > ## > ## The role to allow the domain. > ## > ## > # > interface(`dirsrv_setup_domtrans_targeted',` > gen_require(` > type dirsrv_setupexec_t, dirsrv_setup_t; > ') > > domain_auto_trans($1, dirsrv_setupexec_t, dirsrv_setup_t) > ') > > ######################################## > ## > ## Extend httpd domain for dirsrv. > ## > ## > ## > ## Domain allowed access. > ## > ## > # > interface(`dirsrv_extend_httpd',` > gen_require(` > type httpd_t, httpd_tmp_t; > ') > > allow $1 httpd_t:fifo_file { write read }; > allow $1 httpd_t:unix_stream_socket { ioctl getattr read write }; > allow $1 httpd_tmp_t:file { read write }; > apache_use_fds($1) > ') > > ######################################## > ## > ## Read setup log files. 
> ## > ## > ## > ## Domain allowed access. > ## > ## > # > interface(`dirsrv_read_setuplog',` > gen_require(` > type dirsrv_setuplog_t; > ') > > files_search_tmp($1) > allow $1 dirsrv_setuplog_t:file r_file_perms; > ') > > ######################################## > ## > ## Read the contents of Directory server > ## database directories. > ## > ## > ## > ## Domain allowed access. > ## > ## > # > interface(`dirsrv_list_db',` > gen_require(` > type dirsrv_db_t; > ') > > allow $1 dirsrv_db_t:dir r_dir_perms; > ') > > ######################################## > ## > ## Manage the contents of Directory server > ## database directories. > ## > ## > ## > ## Domain allowed access. > ## > ## > # > interface(`dirsrv_manage_db',` > gen_require(` > type dirsrv_db_t; > ') > > allow $1 dirsrv_db_t:dir manage_dir_perms; > allow $1 dirsrv_db_t:file manage_file_perms; > ') > > ######################################## > ## > ## Read Directory server configuration files. > ## > ## > ## > ## Domain allowed access. > ## > ## > # > interface(`dirsrv_read_config',` > gen_require(` > type dirsrv_config_t; > ') > > allow $1 dirsrv_config_t:dir r_dir_perms; > allow $1 dirsrv_config_t:file r_file_perms; > ') > > ######################################## > ## > ## Manage Directory server configuration files. > ## > ## > ## > ## Domain allowed access. > ## > ## > # > interface(`dirsrv_manage_config',` > gen_require(` > type dirsrv_config_t; > ') > > allow $1 dirsrv_config_t:dir manage_dir_perms; > allow $1 dirsrv_config_t:file manage_file_perms; > ') > > ######################################## > ## > ## Read Directory server log files. > ## > ## > ## > ## Domain allowed access. > ## > ## > # > interface(`dirsrv_list_log',` > gen_require(` > type dirsrv_log_t; > ') > > allow $1 dirsrv_log_t:dir r_dir_perms; > ') > > ######################################## > ## > ## Manage Directory server log files. > ## > ## > ## > ## Domain allowed access. 
> ## > ## > # > interface(`dirsrv_manage_log',` > gen_require(` > type dirsrv_log_t; > ') > > allow $1 dirsrv_log_t:dir manage_dir_perms; > allow $1 dirsrv_log_t:file manage_file_perms; > ') > > ######################################## > ## > ## Read Directory server lock files. > ## > ## > ## > ## Domain allowed access. > ## > ## > # > interface(`dirsrv_list_lock',` > gen_require(` > type dirsrv_lock_t; > ') > > allow $1 dirsrv_lock_t:dir r_dir_perms; > ') > > ######################################## > ## > ## Manage Directory server lock files. > ## > ## > ## > ## Domain allowed access. > ## > ## > # > interface(`dirsrv_manage_lock',` > gen_require(` > type dirsrv_lock_t; > ') > > allow $1 dirsrv_lock_t:dir manage_dir_perms; > allow $1 dirsrv_lock_t:file manage_file_perms; > ') > > ######################################## > ## > ## Read Directory server var_run files. > ## > ## > ## > ## Domain allowed access. > ## > ## > # > interface(`dirsrv_list_var_run',` > gen_require(` > type dirsrv_var_run_t; > ') > > allow $1 dirsrv_var_run_t:dir r_dir_perms; > ') > > ######################################## > ## > ## Manage Directory server var_run files. > ## > ## > ## > ## Domain allowed access. > ## > ## > # > interface(`dirsrv_manage_var_run',` > gen_require(` > type dirsrv_var_run_t; > ') > > allow $1 dirsrv_var_run_t:dir manage_dir_perms; > allow $1 dirsrv_var_run_t:file manage_file_perms; > allow $1 dirsrv_var_run_t:sock_file manage_file_perms; > # Allow creating a dir in /var/run with this type > files_pid_filetrans($1, dirsrv_var_run_t, dir) > ') > > ######################################## > ## > ## Exec Directory server helper programs. > ## > ## > ## > ## Domain allowed access. 
> ## > ## > # > interface(`dirsrv_run_helper_exec',` > gen_require(` > type dirsrv_helper_exec_t; > ') > > allow $1 dirsrv_helper_exec_t:dir search_dir_perms; > can_exec($1,dirsrv_helper_exec_t) > ') > > ######################################## > ## > ## Manage Directory server helper programs. > ## > ## > ## > ## Domain allowed access. > ## > ## > # > interface(`dirsrv_manage_helper_exec',` > gen_require(` > type dirsrv_helper_exec_t; > ') > > allow $1 dirsrv_helper_exec_t:dir manage_dir_perms; > allow $1 dirsrv_helper_exec_t:file { manage_file_perms rw_file_perms }; > ') > > ######################################## > ## > ## Allow caller to signal dirsrv. > ## > ## > ## > ## Domain to not audit. > ## > ## > # > interface(`dirsrv_signal',` > gen_require(` > type dirsrv_t; > ') > > allow $1 dirsrv_t:process signal; > ') > > > ######################################## > ## > ## Send a null signal to dirsrv. > ## > ## > ## > ## Domain allowed access. > ## > ## > # > interface(`dirsrv_signull',` > gen_require(` > type dirsrv_t; > ') > > allow $1 dirsrv_t:process signull; > ') > -------------- next part -------------- > policy_module(dirsrv,1.0.0) > > ######################################## > # > # Declarations for daemon > # > > ## Create domain for daemon > type dirsrv_t; > domain_type(dirsrv_t) > > ## Type for the daemon > type dirsrv_exec_t; > files_type(dirsrv_exec_t) > # Start from initrc > init_domain(dirsrv_t, dirsrv_exec_t) > init_daemon_domain(dirsrv_t, dirsrv_exec_t) > role system_r types dirsrv_t; > > ## Type for helper programs > type dirsrv_helper_exec_t; > files_type(dirsrv_helper_exec_t); > > ## Type for configuration files > type dirsrv_config_t; > files_config_file(dirsrv_config_t) > > ## Type for db files > type dirsrv_db_t; > files_type(dirsrv_db_t) > > ## Type for lock files > type dirsrv_lock_t; > files_lock_file(dirsrv_lock_t) > files_lock_filetrans(dirsrv_t, dirsrv_lock_t, {file dir}) > > ## Type for log files > type dirsrv_log_t; > 
logging_log_file(dirsrv_log_t) > > ## Type for var_run file > type dirsrv_var_run_t; > files_pid_file(dirsrv_var_run_t) > files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, {file dir}) > > ######################################## > # > # Declarations for setup programs > # > > ## Domain for setup program > type dirsrv_setup_t; > domain_type(dirsrv_setup_t) > role sysadm_r types dirsrv_setup_t; > > ## Type for setup program > type dirsrv_setupexec_t; > files_type(dirsrv_setupexec_t) > domain_entry_file(dirsrv_setup_t, dirsrv_setupexec_t) > > ## Type for tmp files setup creates > type dirsrv_setuplog_t; > files_tmp_file(dirsrv_setuplog_t) > files_tmp_filetrans(dirsrv_setup_t, dirsrv_setuplog_t, file) > files_tmp_filetrans(dirsrv_t, dirsrv_setuplog_t, file) > > ######################################## > # > # Local policy for the daemon > # > > ## Executable > allow dirsrv_t self:capability { chown dac_override fowner setuid sys_nice setgid }; > allow dirsrv_t self:process { setsched getsched signull }; > allow dirsrv_t self:fifo_file { write read }; > allow dirsrv_t self:sem { create getattr associate unix_read unix_write }; > ## Config > allow dirsrv_t dirsrv_config_t:file { getattr read create_file_perms }; > allow dirsrv_t dirsrv_config_t:dir create_dir_perms; > ## Database files > allow dirsrv_t dirsrv_db_t:dir manage_dir_perms; > allow dirsrv_t dirsrv_db_t:file manage_file_perms; > # Allow search in /var/lib > files_list_var_lib(dirsrv_t) > ## Manage locks > allow dirsrv_t dirsrv_lock_t:dir manage_dir_perms; > allow dirsrv_t dirsrv_lock_t:file manage_file_perms; > ## Logging > allow dirsrv_t dirsrv_log_t:file { create rename setattr manage_file_perms }; > allow dirsrv_t dirsrv_log_t:dir { setattr rw_dir_perms }; > allow dirsrv_t self:unix_dgram_socket create_socket_perms; > # Allow search in /var/log > logging_search_logs(dirsrv_t) > ## var_run > allow dirsrv_t dirsrv_var_run_t:file manage_file_perms; > allow dirsrv_t dirsrv_var_run_t:dir rw_dir_perms; > ## Helper 
programs > dirsrv_run_helper_exec(dirsrv_t) > ## Setup log > dirsrv_read_setuplog(dirsrv_t) > dirsrvadmin_read_setuplog(dirsrv_t) > ## Files in /tmp, created by setup app > allow dirsrv_t dirsrv_setuplog_t:file manage_file_perms; > > ## When restarted from cgi script the dirsrv need to communicate back > dirsrvadmin_script_stream_rw(dirsrv_t) > # dirsrv need some permissions that has no interface in the apache policy > dirsrv_extend_httpd(dirsrv_t) > dirsrvadmin_manage_httpd_script_tmpfile(dirsrv_t) > > ## Allow networking > corenet_tcp_bind_ldap_port(dirsrv_t) > corenet_tcp_sendrecv_ldap_port(dirsrv_t) > corenet_sendrecv_ldap_server_packets(dirsrv_t) > corenet_tcp_bind_unspec_node(dirsrv_t) > corenet_tcp_bind_inaddr_any_node(dirsrv_t) > kernel_sendrecv_unlabeled_packets(dirsrv_t) > allow dirsrv_t self:tcp_socket create_stream_socket_perms; > allow dirsrv_t self:udp_socket create_socket_perms; > > ## Misc interfaces > # Access to shared libraries > libs_use_ld_so(dirsrv_t) > libs_use_shared_libs(dirsrv_t) > files_exec_usr_files(dirsrv_t) > # Read locale > miscfiles_read_localization(dirsrv_t) > # Read etc > files_read_etc_files(dirsrv_t) > sysnet_read_config(dirsrv_t) > # Allow using syslog > logging_send_syslog_msg(dirsrv_t) > # Search sbin > corecmd_search_sbin(dirsrv_t) > # Allow read urandom > dev_read_urand(dirsrv_t) > # Allow listing /tmp > files_list_tmp(dirsrv_t) > # Allow read /usr/tmp > files_read_usr_symlinks(dirsrv_t) > # Allow stat file system > fs_getattr_xattr_fs(dirsrv_t) > # Allow read proc > kernel_read_system_state(dirsrv_t) > > # Strict policy > ifdef(`strict_policy',` > # Daemon search for plugins in cwd > userdom_dontaudit_search_sysadm_home_dirs(dirsrv_t) > ') > > # In targeted policy > ifdef(`targeted_policy',` > files_read_generic_tmp_files(dirsrv_t) > userdom_dontaudit_search_generic_user_home_dirs(dirsrv_t) > ') > > ######################################## > # > # Local policy for setup programs > # > > ## Transtion into dirsrv domain 
when running setup > # Should be in userdomain > ifdef(`strict_policy',` > dirsrv_setup_domtrans_strict(sysadm, sysadm_r) > ') > # A similar policy should be in unconfined > ifdef(`targeted_policy',` > dirsrv_setup_domtrans_targeted(unconfined_t) > ') > seutil_use_newrole_fds(dirsrv_setup_t) > > ## Executable > allow dirsrv_setup_t self:capability { sys_nice chown fsetid fowner kill net_bind_service dac_override }; > allow dirsrv_setup_t self:fifo_file { read write getattr ioctl }; > allow dirsrv_setup_t self:process { setsched getsched }; > allow dirsrv_setup_t self:tcp_socket { bind create ioctl }; > > # Start daemon from setup program > dirsrv_domtrans(dirsrv_setup_t) > ## Manage db dir > dirsrv_manage_db(dirsrv_setup_t) > ## Manage configuration > dirsrv_manage_config(dirsrv_setup_t) > ## Manage log dir > dirsrv_manage_log(dirsrv_setup_t) > ## Manage lock dir > dirsrv_manage_lock(dirsrv_setup_t) > ## Manage var_run files > dirsrv_manage_var_run(dirsrv_setup_t) > ## Manage helper programs > dirsrv_manage_helper_exec(dirsrv_setup_t) > dirsrv_run_helper_exec(dirsrv_setup_t) > ## Files in /tmp > allow dirsrv_setup_t dirsrv_setuplog_t:file manage_file_perms; > > ## Networking > # Connect server using ldap > corenet_tcp_bind_inaddr_any_node(dirsrv_setup_t) > corenet_tcp_bind_ldap_port(dirsrv_setup_t) > > ## Misc interfaces > # Access to shared libraries > libs_use_ld_so(dirsrv_setup_t) > libs_use_shared_libs(dirsrv_setup_t) > # Read locale > miscfiles_read_localization(dirsrv_setup_t) > # mtab > files_dontaudit_read_etc_runtime_files(dirsrv_setup_t) > # Execute > corecmd_exec_bin(dirsrv_setup_t) > corecmd_exec_sbin(dirsrv_setup_t) > corecmd_exec_shell(dirsrv_setup_t) > # Read /usr/share > files_read_usr_files(dirsrv_setup_t) > # Allow read urandom > dev_read_urand(dirsrv_setup_t) > # Read proc > kernel_read_net_sysctls(dirsrv_setup_t) > kernel_read_sysctl(dirsrv_setup_t) > kernel_read_system_state(dirsrv_setup_t) > kernel_search_network_sysctl(dirsrv_setup_t) > # 
Stat shadow > auth_read_shadow(dirsrv_setup_t) > # Exec nsswitch.conf > files_exec_etc_files(dirsrv_setup_t) > # Find dirsrv dirs > files_search_locks(dirsrv_setup_t) > files_search_var_lib(dirsrv_setup_t) > logging_search_logs(dirsrv_setup_t) > # Allow stat file system > fs_getattr_xattr_fs(dirsrv_setup_t) > sysnet_read_config(dirsrv_setup_t) > term_search_ptys(dirsrv_setup_t) > > optional_policy(` > nscd_read_pid(dirsrv_setup_t) > ') > > # Strict policy > ifdef(`strict_policy',` > # Read cwd (/root) > userdom_list_sysadm_home_dirs(dirsrv_setup_t) > ') > > # In targeted policy > ifdef(`targeted_policy',` > term_use_generic_ptys(dirsrv_setup_t) > # Read cwd (/root) > userdom_list_user_home_dirs(user,dirsrv_setup_t) > userdom_search_generic_user_home_dirs(dirsrv_setup_t) > ') > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: dirsrv-admin.te > Type: text/x-java > Size: 8756 bytes > Desc: not available > Url : https://www.redhat.com/archives/fedora-directory-users/attachments/20080311/b721a4c9/dirsrv-admin.bin > -------------- next part -------------- > > -------------- next part -------------- > policy_module(fedora-idm-console,1.0.0) > > ######################################## > # > # Declarations > # > > type fedora-idm-console_t; > domain_type(fedora-idm-console_t) > > ######################################## > # > # Local policy > # > > # In strict policy we need to extend the java domain > ifdef(`strict_policy',` > fedoraidmconsole_extend_java(user) > ## Misc interfaces > # Access to shared libraries > libs_use_ld_so(fedora-idm-console_t) > libs_use_shared_libs(fedora-idm-console_t) > # Read locale > miscfiles_read_localization(fedora-idm-console_t) > ') > -------------- next part -------------- > ## Java based fedora-idm-console > > ######################################## > ## > ## Extend java domain for fedora-idm-console. > ## > ## > ## > ## Prefix of domain allowed access. 
> ##
> ##
> #
> interface(`fedoraidmconsole_extend_java',`
> 	gen_require(`
> 		type $1_javaplugin_t;
> 		type $1_t, $1_xserver_tmp_t, $1_gconf_home_t, $1_home_ssh_t, $1_mozilla_home_t;
> 	')
>
> 	allow $1_javaplugin_t $1_t:process sigchld;
> 	allow $1_t $1_javaplugin_t:process { signal ptrace };
> 	allow $1_javaplugin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
> 	allow $1_javaplugin_t self:tcp_socket { accept listen };
> 	allow $1_javaplugin_t $1_xserver_tmp_t:dir search;
> 	allow $1_javaplugin_t $1_xserver_tmp_t:sock_file write;
> 	dirsrv_list_db($1_javaplugin_t)
> 	corecmd_exec_bin($1_javaplugin_t)
> 	corenet_tcp_bind_inaddr_any_node($1_javaplugin_t)
> 	files_read_var_files($1_javaplugin_t)
>
> 	# Sun java check out some dirs, there is probably more than this
> 	dontaudit $1_javaplugin_t $1_gconf_home_t:dir getattr;
> 	dontaudit $1_javaplugin_t $1_home_ssh_t:dir getattr;
> 	dontaudit $1_javaplugin_t $1_mozilla_home_t:dir getattr;
> ')
>
> ------------------------------
>
> Message: 2
> Date: Wed, 12 Mar 2008 11:44:32 +0000
> From: "Steve Burt"
> Subject: [Fedora-directory-users] Problems in adding a second server into a new
> To: fedora-directory-users at redhat.com
> Message-ID:
> Content-Type: text/plain; charset=ISO-8859-1
>
> Greetings Folks
>
> I am very new to Fedora-DS and have I think Successfully installed a
> Directory Server and a server group with an admin server and 1
> Directory Server.
>
> My Aim is to Install a second directory server, I think this is
> basically running the setup-ds-admin.pl on the second server...
>
> Could anyone help..
>
> Yours Humbly
>
> Steve
>
> ------------------------------
>
> Message: 3
> Date: Wed, 12 Mar 2008 07:52:09 -0600
> From: Rich Megginson
> Subject: Re: [Fedora-directory-users] Problems in adding a second server into a new
> To: "General discussion list for the Fedora Directory server project."
> Message-ID: <47D7E009.9060605 at redhat.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Steve Burt wrote:
> > Greetings Folks
> >
> > I am very new to Fedora-DS and have I think Successfully installed a
> > Directory Server and a server group with an admin server and 1
> > Directory Server.
> >
> > My Aim is to Install a second directory server, I think this is
> > basically running the setup-ds-admin.pl on the second server...
> >
> Yes. But read about this bug first -
> https://bugzilla.redhat.com/show_bug.cgi?id=431103
> > Could anyone help..
> >
> > Yours Humbly
> >
> > Steve
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smime.p7s
> Type: application/x-pkcs7-signature
> Size: 3245 bytes
> Desc: S/MIME Cryptographic Signature
> Url : https://www.redhat.com/archives/fedora-directory-users/attachments/20080312/c35d1379/smime.bin
>
> ------------------------------
>
> End of Fedora-directory-users Digest, Vol 34, Issue 24
> ******************************************************

From iferreir at personal.com.py Wed Mar 12 19:33:30 2008
From: iferreir at personal.com.py (Ivan Ferreira)
Date: Wed, 12 Mar 2008 15:33:30 -0400
Subject: [Fedora-directory-users] groups
In-Reply-To: <7020fd000803121034v21d63c40u5122aa4d4ad4d2be@mail.gmail.com>
Message-ID:

>>> I guess FDS doesn't really make use of the UPG scheme that local authentication in redhat has always used?

I think UPG is a concept that can be easily accomplished by creating first the group, and then the user. Yes, it is an extra step, but the results are the same.
>>> If I could say a feature request, it would be a simple way to customise templates for adding users/groups, etc.

Probably you are right, but as I said in another reply, you have ldapadmin.exe and phpldapadmin which are great tools for managing LDAP entries (including SAMBA).

Suddenly, I cannot attach screenshots.


solarflow99
fedora-directory-users-bounces at redhat.com
12/03/2008 01:34 p.m.
Please reply to "General discussion list for the Fedora Directory server project."

To: "General discussion list for the Fedora Directory server project."
cc:
Subject: [Fedora-directory-users] groups
Classification: Internal Use

I guess FDS doesn't really make use of the UPG scheme that local authentication in redhat has always used?

If I could say a feature request, it would be a simple way to customise templates for adding users/groups, etc. I don't see any way to add objectclasses and values, or hashed samba SID and passwords, without doing them manually after the object has already been created. Also, some objectclasses should be changed, for example adding a group uses groupofuniquenames instead of posixgroup.

========================================================================================
LEGAL NOTICE: This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded as a proposal, an acceptance, or a statement of will or official statement from NUCLEO S.A. Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice.

From rmeggins at redhat.com Wed Mar 12 19:50:17 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 12 Mar 2008 13:50:17 -0600
Subject: [Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 34, Issue 24
In-Reply-To:
References: <20080312160006.E97488E019D@hormel.redhat.com>
Message-ID: <47D833F9.5050107@redhat.com>

Steve Burt wrote:
> Hi Rich,
>
> Ok so I think I have to create an ldif file
>
> There is a workaround - if the fqdn is host.example.com, you just have to create
> the following entries:
>
> dn: cn=host.example.com, ou=example.com, o=NetscapeRoot
> objectclass: top
> objectclass: nsHost
> objectclass: groupOfUniqueNames
> cn: host.example.com
> nsosversion: output of uname -a on the machine
> nshardwareplatform: arch e.g. i386 or x86_64 or ...
> serverHostName: host.example.com
>
> dn: cn=Server Group, cn=host.example.com, ou=example.com, o=NetscapeRoot
> objectclass: top
> objectclass: nsAdminGroup
> objectclass: nsDirectoryInfo
> objectclass: groupOfUniqueNames
> nsAdminGroupName: Server Group
> nsDirectoryInfoRef: cn=User Directory, ou=Global Preferences, ou=example.com, o=NetscapeRoot
>
> Is that correct?
>
Yes, I think so.
I think that's what was reported as the workaround in the bug. > On 12/03/2008, fedora-directory-users-request at redhat.com > wrote: > >> Send Fedora-directory-users mailing list submissions to >> fedora-directory-users at redhat.com >> >> To subscribe or unsubscribe via the World Wide Web, visit >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> or, via email, send a message with subject or body 'help' to >> fedora-directory-users-request at redhat.com >> >> You can reach the person managing the list at >> fedora-directory-users-owner at redhat.com >> >> When replying, please edit your Subject line so it is more specific >> than "Re: Contents of Fedora-directory-users digest..." >> >> >> Today's Topics: >> >> 1. SELinux policy for Fedora Directory Server 1.1.0 (P?r Aronsson) >> 2. Problems in adding a second server into a new (Steve Burt) >> 3. Re: Problems in adding a second server into a new (Rich Megginson) >> >> >> ---------------------------------------------------------------------- >> >> Message: 1 >> Date: Tue, 11 Mar 2008 17:34:09 +0100 >> From: P?r Aronsson >> Subject: [Fedora-directory-users] SELinux policy for Fedora Directory >> Server 1.1.0 >> To: selinux at tycho.nsa.gov, fedora-directory-users at redhat.com >> Message-ID: <200803111734.10289.par.aronsson at telia.com> >> Content-Type: text/plain; charset="utf-8" >> >> Hello, >> >> Attached is a SELinux policy for the Fedora Directory Server 1.1.0. >> It is composed of three parts. >> * dirsrv - directory server and setup programs >> * dirsrv-admin - administration server and setup programs >> * fedora-idm-console - java based console for administration >> >> The policies were developed on a CentOS 5.1 with the following packages: >> fedora-ds-base-1.1.0-3.fc6 >> fedora-ds-admin-1.1.1-1.fc6 >> fedora-ds-console-1.1.0-5.fc6 >> selinux-policy-2.4.6-106.el5_1.3 >> kernel-2.6.18-53.1.4.el5 >> >> I've succesfully tested the policies in targeted and strict mode. 
>> >> The dirsrv-admin policy requires that the apache policy module is loaded. >> Also run: >> setsebool -P httpd_enable_cgi on >> >> Comment out the following in /usr/sbin/start-ds-admin (line 63-65): >> if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then >> SELINUX_CMD="runcon -t unconfined_t --" >> fi >> >> I had trouble with the replication plugin so I haven't been able to do any >> testing with replication. >> >> Any comments are welcome. >> >> // P?r Aronsson >> -------------- next part -------------- >> ## Administration application for Fedora Directory Server, dirsrv-admin. >> >> ######################################## >> ## >> ## Execute dirsrv-admin setup programs in the dirsrvadmin_setup_t domain >> ## and the system_r role. Strict policy. >> ## >> ## >> ## >> ## Prefix of the domain performing this action. >> ## >> ## >> ## >> ## >> ## The role to allow the domain. >> ## >> ## >> # >> interface(`dirsrvadmin_setup_domtrans_strict',` >> gen_require(` >> type dirsrvadmin_t, dirsrvadmin_setup_t, dirsrvadmin_setupexec_t; >> type $1_t, $1_devpts_t; >> ') >> >> domain_auto_trans($1_t, dirsrvadmin_setupexec_t, dirsrvadmin_setup_t) >> allow dirsrvadmin_setup_t $1_t:fd use; >> allow dirsrvadmin_setup_t $1_t:process sigchld; >> allow dirsrvadmin_setup_t $1_devpts_t:chr_file rw_term_perms; >> role $2 types dirsrvadmin_setup_t; >> role system_r types dirsrvadmin_setup_t; >> role_transition $2 dirsrvadmin_setupexec_t system_r; >> ') >> >> ######################################## >> ## >> ## Execute dirsrv-admin setup programs in the dirsrvadmin_setup_t domain >> ## and the system_r role. Targeted policy. >> ## >> ## >> ## >> ## Prefix of the domain performing this action. >> ## >> ## >> ## >> ## >> ## The role to allow the domain. 
>> ## >> ## >> # >> interface(`dirsrvadmin_setup_domtrans_targeted',` >> gen_require(` >> type $1, dirsrvadmin_setupexec_t, dirsrvadmin_setup_t; >> ') >> >> domain_auto_trans($1, dirsrvadmin_setupexec_t, dirsrvadmin_setup_t) >> ') >> >> ######################################## >> ## >> ## Read setup log files. >> ## >> ## >> ## >> ## Domain allowed access. >> ## >> ## >> # >> interface(`dirsrvadmin_read_setuplog',` >> gen_require(` >> type dirsrvadmin_setuplog_t; >> ') >> >> files_search_tmp($1) >> allow $1 dirsrvadmin_setuplog_t:file r_file_perms; >> ') >> >> ######################################## >> ## >> ## Manage setup log files. >> ## >> ## >> ## >> ## Domain allowed access. >> ## >> ## >> # >> interface(`dirsrvadmin_manage_setuplog',` >> gen_require(` >> type dirsrvadmin_setuplog_t; >> ') >> >> files_search_tmp($1) >> allow $1 dirsrvadmin_setuplog_t:file manage_file_perms; >> ') >> >> ######################################## >> ## >> ## Extend httpd domain for dirsrv-admin. >> ## >> ## >> ## >> ## Domain allowed access. >> ## >> ## >> # >> interface(`dirsrvadmin_extend_httpd',` >> gen_require(` >> type httpd_t; >> ') >> >> # Allow httpd domain to interact with dirsrv >> dirsrv_manage_config(httpd_t) >> dirsrv_manage_log(httpd_t) >> dirsrv_manage_var_run(httpd_t) >> dirsrvadmin_manage_setuplog(httpd_t) >> dirsrvadmin_manage_config(httpd_t) >> dirsrv_signal(httpd_t) >> dirsrv_signull(httpd_t) >> dirsrv_run_helper_exec(httpd_t) >> files_exec_usr_files(httpd_t) >> corenet_tcp_bind_generic_port(httpd_t) >> corenet_tcp_connect_generic_port(httpd_t) >> >> # Strict policy >> ifdef(`strict_policy',` >> userdom_dontaudit_search_sysadm_home_dirs(httpd_t) >> ') >> ') >> >> ######################################## >> ## >> ## Extend httpd domain for dirsrv-admin cgi. >> ## >> ## >> ## >> ## Domain allowed access. 
>> ## >> ## >> # >> interface(`dirsrvadmin_script_extend_httpd',` >> gen_require(` >> type httpd_t, httpd_exec_t, httpd_suexec_exec_t, httpd_tmp_t, httpd_var_run_t; >> ') >> >> allow $1 httpd_exec_t:file { read getattr execute_no_trans }; >> allow $1 httpd_suexec_exec_t:file getattr; >> allow $1 httpd_tmp_t:file { read write }; >> allow $1 httpd_t:udp_socket { read write }; >> allow $1 httpd_t:unix_stream_socket { ioctl getattr read write }; >> allow $1 httpd_t:netlink_route_socket { read write }; >> allow $1 httpd_t:fifo_file { write read }; >> allow $1 httpd_var_run_t:file { read getattr }; >> apache_list_modules($1) >> apache_exec_modules($1) >> apache_use_fds($1) >> dirsrvadmin_run_httpd_script_exec(httpd_t) >> ') >> >> ######################################## >> ## >> ## Extend init domain for dirsrv-admin. >> ## The initscript searches in a config file. >> ## >> ## >> ## >> ## Domain allowed access. >> ## >> ## >> # >> interface(`dirsrvadmin_extend_init',` >> gen_require(` >> type initrc_t; >> ') >> >> allow initrc_t dirsrvadmin_config_t:file read; >> ') >> >> ######################################## >> ## >> ## Exec dirsrv-admin programs. >> ## >> ## >> ## >> ## Domain allowed access. >> ## >> ## >> # >> interface(`dirsrvadmin_run_exec',` >> gen_require(` >> type dirsrvadmin_exec_t; >> ') >> >> allow $1 dirsrvadmin_exec_t:dir search_dir_perms; >> can_exec($1,dirsrvadmin_exec_t) >> ') >> >> ######################################## >> ## >> ## Exec cgi programs. >> ## >> ## >> ## >> ## Domain allowed access. >> ## >> ## >> # >> interface(`dirsrvadmin_run_httpd_script_exec',` >> gen_require(` >> type httpd_dirsrvadmin_script_exec_t; >> ') >> >> allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms; >> can_exec($1, httpd_dirsrvadmin_script_exec_t) >> ') >> >> ######################################## >> ## >> ## Manage cgi programs. >> ## >> ## >> ## >> ## Domain allowed access. 
>> ## >> ## >> # >> interface(`dirsrvadmin_manage_httpd_script_exec',` >> gen_require(` >> type httpd_dirsrvadmin_script_exec_t; >> ') >> >> allow $1 httpd_dirsrvadmin_script_exec_t:dir manage_dir_perms; >> allow $1 httpd_dirsrvadmin_script_exec_t:file manage_file_perms; >> ') >> >> ######################################## >> ## >> ## Read tmp files created by cgi programs. >> ## >> ## >> ## >> ## Domain allowed access. >> ## >> ## >> # >> interface(`dirsrvadmin_read_httpd_script_tmpfile',` >> gen_require(` >> type httpd_dirsrvadmin_script_rw_t; >> ') >> >> allow $1 httpd_dirsrvadmin_script_rw_t:file r_file_perms; >> ') >> >> ######################################## >> ## >> ## Manage tmp files created by cgi programs. >> ## >> ## >> ## >> ## Domain allowed access. >> ## >> ## >> # >> interface(`dirsrvadmin_manage_httpd_script_tmpfile',` >> gen_require(` >> type httpd_dirsrvadmin_script_rw_t; >> ') >> >> allow $1 httpd_dirsrvadmin_script_rw_t:file manage_file_perms; >> ') >> >> ######################################## >> ## >> ## Read dirsrv-adminserver configuration files. >> ## >> ## >> ## >> ## Domain allowed access. >> ## >> ## >> # >> interface(`dirsrvadmin_read_config',` >> gen_require(` >> type dirsrvadmin_config_t; >> ') >> >> allow $1 dirsrvadmin_config_t:dir r_dir_perms; >> allow $1 dirsrvadmin_config_t:file r_file_perms; >> ') >> >> ######################################## >> ## >> ## Manage dirsrv-adminserver configuration files. >> ## >> ## >> ## >> ## Domain allowed access. >> ## >> ## >> # >> interface(`dirsrvadmin_manage_config',` >> gen_require(` >> type dirsrvadmin_config_t; >> ') >> >> allow $1 dirsrvadmin_config_t:dir manage_dir_perms; >> allow $1 dirsrvadmin_config_t:file manage_file_perms; >> ') >> >> ######################################## >> ## >> ## Read and write to cgi program over an unix stream socket. >> ## >> ## >> ## >> ## Domain allowed access. 
>> ## >> ## >> # >> interface(`dirsrvadmin_script_stream_rw',` >> gen_require(` >> type httpd_dirsrvadmin_script_t; >> ') >> >> allow $1 httpd_dirsrvadmin_script_t:unix_stream_socket { read write }; >> ') >> >> ######################################## >> ## >> ## Read migration inf file in sysadm home dir. >> ## >> ## >> ## >> ## Domain allowed access. >> ## >> ## >> # >> interface(`dirsrvadmin_read_inffile',` >> ifdef(`targeted_policy',` >> gen_require(` >> type user_home_t, user_home_dir_t; >> ') >> >> userdom_list_user_home_dirs(user, $1) >> allow $1 user_home_t:file r_file_perms; >> ',` >> gen_require(` >> type sysadm_home_t; >> ') >> >> userdom_list_sysadm_home_dirs($1) >> allow $1 sysadm_home_t:file r_file_perms; >> ') >> ') >> >> -------------- next part -------------- >> # Start script for daemon (domain entry point) >> /usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) >> /usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) >> /usr/sbin/restart-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) >> # Configuration >> /etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0) >> # Log dir >> /var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) >> # Pid >> /var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) >> # cgi >> /usr/lib/dirsrv/cgi-bin(/.*)? 
gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0) >> # Setup applications >> /usr/sbin/migrate-ds-admin.pl -- gen_context(system_u:object_r:dirsrvadmin_setupexec_t,s0) >> /usr/sbin/setup-ds-admin.pl -- gen_context(system_u:object_r:dirsrvadmin_setupexec_t,s0) >> -------------- next part -------------- >> # Daemon (domain entry point) >> /usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0) >> # Setup applications >> /usr/sbin/migrate-ds.pl -- gen_context(system_u:object_r:dirsrv_setupexec_t,s0) >> /usr/sbin/setup-ds.pl -- gen_context(system_u:object_r:dirsrv_setupexec_t,s0) >> # Helper scripts >> /usr/lib/dirsrv(/slapd-.*)? gen_context(system_u:object_r:dirsrv_helper_exec_t,s0) >> # Configuration >> /etc/dirsrv(/slapd-.*)? gen_context(system_u:object_r:dirsrv_config_t,s0) >> # Db files >> /var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_db_t,s0) >> # Lock files >> /var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_lock_t,s0) >> # Log files >> /var/log/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_log_t,s0) >> # var_run >> /var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0) >> -------------- next part -------------- >> ## Fedora Directory server, dirsrv >> >> ######################################## >> ## >> ## Execute dirsrv programs in the dirsrv_t domain. >> ## >> ## >> ## >> ## The type of the process performing this action. >> ## >> ## >> # >> interface(`dirsrv_domtrans',` >> gen_require(` >> type dirsrv_t, dirsrv_exec_t; >> ') >> >> allow $1 dirsrv_t:process signull; >> domain_auto_trans($1, dirsrv_exec_t, dirsrv_t) >> allow dirsrv_t $1:fd use; >> allow dirsrv_t $1:fifo_file rw_file_perms; >> allow dirsrv_t $1:process sigchld; >> ') >> >> ######################################## >> ## >> ## Execute dirsrv setup programs in the dirsrv_setup_t domain >> ## and the system_r role. Strict policy. >> ## >> ## >> ## >> ## Prefix of the domain performing this action. 
>> ## >> ## >> ## >> ## >> ## The role to allow the domain. >> ## >> ## >> # >> interface(`dirsrv_setup_domtrans_strict',` >> gen_require(` >> type dirsrv_t, dirsrv_setup_t, dirsrv_setupexec_t; >> type $1_t, $1_devpts_t; >> ') >> >> domain_auto_trans($1_t, dirsrv_setupexec_t, dirsrv_setup_t) >> allow dirsrv_setup_t $1_t:fd use; >> allow dirsrv_setup_t $1_t:process sigchld; >> allow dirsrv_setup_t $1_devpts_t:chr_file rw_term_perms; >> role $2 types dirsrv_setup_t; >> role_transition $2 dirsrv_setupexec_t system_r; >> ') >> >> ######################################## >> ## >> ## Execute dirsrv setup programs in the dirsrv_setup_t domain >> ## and the system_r role. Targeted policy. >> ## >> ## >> ## >> ## Prefix of the domain performing this action. >> ## >> ## >> ## >> ## >> ## The role to allow the domain. >> ## >> ## >> # >> interface(`dirsrv_setup_domtrans_targeted',` >> gen_require(` >> type dirsrv_setupexec_t, dirsrv_setup_t; >> ') >> >> domain_auto_trans($1, dirsrv_setupexec_t, dirsrv_setup_t) >> ') >> >> ######################################## >> ## >> ## Extend httpd domain for dirsrv. >> ## >> ## >> ## >> ## Domain allowed access. >> ## >> ## >> # >> interface(`dirsrv_extend_httpd',` >> gen_require(` >> type httpd_t, httpd_tmp_t; >> ') >> >> allow $1 httpd_t:fifo_file { write read }; >> allow $1 httpd_t:unix_stream_socket { ioctl getattr read write }; >> allow $1 httpd_tmp_t:file { read write }; >> apache_use_fds($1) >> ') >> >> ######################################## >> ## >> ## Read setup log files. >> ## >> ## >> ## >> ## Domain allowed access. >> ## >> ## >> # >> interface(`dirsrv_read_setuplog',` >> gen_require(` >> type dirsrv_setuplog_t; >> ') >> >> files_search_tmp($1) >> allow $1 dirsrv_setuplog_t:file r_file_perms; >> ') >> >> ######################################## >> ## >> ## Read the contents of Directory server >> ## database directories. >> ## >> ## >> ## >> ## Domain allowed access. 
>> ## >> ## >> # >> interface(`dirsrv_list_db',` >> gen_require(` >> type dirsrv_db_t; >> ') >> >> allow $1 dirsrv_db_t:dir r_dir_perms; >> ') >> >> ######################################## >> ## >> ## Manage the contents of Directory server >> ## database directories. >> ## >> ## >> ## >> ## Domain allowed access. >> ## >> ## >> # >> interface(`dirsrv_manage_db',` >> gen_require(` >> type dirsrv_db_t; >> ') >> >> allow $1 dirsrv_db_t:dir manage_dir_perms; >> allow $1 dirsrv_db_t:file manage_file_perms; >> ') >> >> ######################################## >> ## >> ## Read Directory server configuration files. >> ## >> ## >> ## >> ## Domain allowed access. >> ## >> ## >> # >> interface(`dirsrv_read_config',` >> gen_require(` >> type dirsrv_config_t; >> ') >> >> allow $1 dirsrv_config_t:dir r_dir_perms; >> allow $1 dirsrv_config_t:file r_file_perms; >> ') >> >> ######################################## >> ## >> ## Manage Directory server configuration files. >> ## >> ## >> ## >> ## Domain allowed access. >> ## >> ## >> # >> interface(`dirsrv_manage_config',` >> gen_require(` >> type dirsrv_config_t; >> ') >> >> allow $1 dirsrv_config_t:dir manage_dir_perms; >> allow $1 dirsrv_config_t:file manage_file_perms; >> ') >> >> ######################################## >> ## >> ## Read Directory server log files. >> ## >> ## >> ## >> ## Domain allowed access. >> ## >> ## >> # >> interface(`dirsrv_list_log',` >> gen_require(` >> type dirsrv_log_t; >> ') >> >> allow $1 dirsrv_log_t:dir r_dir_perms; >> ') >> >> ######################################## >> ## >> ## Manage Directory server log files. >> ## >> ## >> ## >> ## Domain allowed access. >> ## >> ## >> # >> interface(`dirsrv_manage_log',` >> gen_require(` >> type dirsrv_log_t; >> ') >> >> allow $1 dirsrv_log_t:dir manage_dir_perms; >> allow $1 dirsrv_log_t:file manage_file_perms; >> ') >> >> ######################################## >> ## >> ## Read Directory server lock files. >> ## >> ## >> ## >> ## Domain allowed access. 
>> ## >> ## >> # >> interface(`dirsrv_list_lock',` >> gen_require(` >> type dirsrv_lock_t; >> ') >> >> allow $1 dirsrv_lock_t:dir r_dir_perms; >> ') >> >> ######################################## >> ## >> ## Manage Directory server lock files. >> ## >> ## >> ## >> ## Domain allowed access. >> ## >> ## >> # >> interface(`dirsrv_manage_lock',` >> gen_require(` >> type dirsrv_lock_t; >> ') >> >> allow $1 dirsrv_lock_t:dir manage_dir_perms; >> allow $1 dirsrv_lock_t:file manage_file_perms; >> ') >> >> ######################################## >> ## >> ## Read Directory server var_run files. >> ## >> ## >> ## >> ## Domain allowed access. >> ## >> ## >> # >> interface(`dirsrv_list_var_run',` >> gen_require(` >> type dirsrv_var_run_t; >> ') >> >> allow $1 dirsrv_var_run_t:dir r_dir_perms; >> ') >> >> ######################################## >> ## >> ## Manage Directory server var_run files. >> ## >> ## >> ## >> ## Domain allowed access. >> ## >> ## >> # >> interface(`dirsrv_manage_var_run',` >> gen_require(` >> type dirsrv_var_run_t; >> ') >> >> allow $1 dirsrv_var_run_t:dir manage_dir_perms; >> allow $1 dirsrv_var_run_t:file manage_file_perms; >> allow $1 dirsrv_var_run_t:sock_file manage_file_perms; >> # Allow creating a dir in /var/run with this type >> files_pid_filetrans($1, dirsrv_var_run_t, dir) >> ') >> >> ######################################## >> ## >> ## Exec Directory server helper programs. >> ## >> ## >> ## >> ## Domain allowed access. >> ## >> ## >> # >> interface(`dirsrv_run_helper_exec',` >> gen_require(` >> type dirsrv_helper_exec_t; >> ') >> >> allow $1 dirsrv_helper_exec_t:dir search_dir_perms; >> can_exec($1,dirsrv_helper_exec_t) >> ') >> >> ######################################## >> ## >> ## Manage Directory server helper programs. >> ## >> ## >> ## >> ## Domain allowed access. 
>> ## >> ## >> # >> interface(`dirsrv_manage_helper_exec',` >> gen_require(` >> type dirsrv_helper_exec_t; >> ') >> >> allow $1 dirsrv_helper_exec_t:dir manage_dir_perms; >> allow $1 dirsrv_helper_exec_t:file { manage_file_perms rw_file_perms }; >> ') >> >> ######################################## >> ## >> ## Allow caller to signal dirsrv. >> ## >> ## >> ## >> ## Domain to not audit. >> ## >> ## >> # >> interface(`dirsrv_signal',` >> gen_require(` >> type dirsrv_t; >> ') >> >> allow $1 dirsrv_t:process signal; >> ') >> >> >> ######################################## >> ## >> ## Send a null signal to dirsrv. >> ## >> ## >> ## >> ## Domain allowed access. >> ## >> ## >> # >> interface(`dirsrv_signull',` >> gen_require(` >> type dirsrv_t; >> ') >> >> allow $1 dirsrv_t:process signull; >> ') >> -------------- next part -------------- >> policy_module(dirsrv,1.0.0) >> >> ######################################## >> # >> # Declarations for daemon >> # >> >> ## Create domain for daemon >> type dirsrv_t; >> domain_type(dirsrv_t) >> >> ## Type for the daemon >> type dirsrv_exec_t; >> files_type(dirsrv_exec_t) >> # Start from initrc >> init_domain(dirsrv_t, dirsrv_exec_t) >> init_daemon_domain(dirsrv_t, dirsrv_exec_t) >> role system_r types dirsrv_t; >> >> ## Type for helper programs >> type dirsrv_helper_exec_t; >> files_type(dirsrv_helper_exec_t); >> >> ## Type for configuration files >> type dirsrv_config_t; >> files_config_file(dirsrv_config_t) >> >> ## Type for db files >> type dirsrv_db_t; >> files_type(dirsrv_db_t) >> >> ## Type for lock files >> type dirsrv_lock_t; >> files_lock_file(dirsrv_lock_t) >> files_lock_filetrans(dirsrv_t, dirsrv_lock_t, {file dir}) >> >> ## Type for log files >> type dirsrv_log_t; >> logging_log_file(dirsrv_log_t) >> >> ## Type for var_run file >> type dirsrv_var_run_t; >> files_pid_file(dirsrv_var_run_t) >> files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, {file dir}) >> >> ######################################## >> # >> # Declarations for 
setup programs >> # >> >> ## Domain for setup program >> type dirsrv_setup_t; >> domain_type(dirsrv_setup_t) >> role sysadm_r types dirsrv_setup_t; >> >> ## Type for setup program >> type dirsrv_setupexec_t; >> files_type(dirsrv_setupexec_t) >> domain_entry_file(dirsrv_setup_t, dirsrv_setupexec_t) >> >> ## Type for tmp files setup creates >> type dirsrv_setuplog_t; >> files_tmp_file(dirsrv_setuplog_t) >> files_tmp_filetrans(dirsrv_setup_t, dirsrv_setuplog_t, file) >> files_tmp_filetrans(dirsrv_t, dirsrv_setuplog_t, file) >> >> ######################################## >> # >> # Local policy for the daemon >> # >> >> ## Executable >> allow dirsrv_t self:capability { chown dac_override fowner setuid sys_nice setgid }; >> allow dirsrv_t self:process { setsched getsched signull }; >> allow dirsrv_t self:fifo_file { write read }; >> allow dirsrv_t self:sem { create getattr associate unix_read unix_write }; >> ## Config >> allow dirsrv_t dirsrv_config_t:file { getattr read create_file_perms }; >> allow dirsrv_t dirsrv_config_t:dir create_dir_perms; >> ## Database files >> allow dirsrv_t dirsrv_db_t:dir manage_dir_perms; >> allow dirsrv_t dirsrv_db_t:file manage_file_perms; >> # Allow search in /var/lib >> files_list_var_lib(dirsrv_t) >> ## Manage locks >> allow dirsrv_t dirsrv_lock_t:dir manage_dir_perms; >> allow dirsrv_t dirsrv_lock_t:file manage_file_perms; >> ## Logging >> allow dirsrv_t dirsrv_log_t:file { create rename setattr manage_file_perms }; >> allow dirsrv_t dirsrv_log_t:dir { setattr rw_dir_perms }; >> allow dirsrv_t self:unix_dgram_socket create_socket_perms; >> # Allow search in /var/log >> logging_search_logs(dirsrv_t) >> ## var_run >> allow dirsrv_t dirsrv_var_run_t:file manage_file_perms; >> allow dirsrv_t dirsrv_var_run_t:dir rw_dir_perms; >> ## Helper programs >> dirsrv_run_helper_exec(dirsrv_t) >> ## Setup log >> dirsrv_read_setuplog(dirsrv_t) >> dirsrvadmin_read_setuplog(dirsrv_t) >> ## Files in /tmp, created by setup app >> allow dirsrv_t 
dirsrv_setuplog_t:file manage_file_perms; >> >> ## When restarted from cgi script the dirsrv need to communicate back >> dirsrvadmin_script_stream_rw(dirsrv_t) >> # dirsrv need some permissions that has no interface in the apache policy >> dirsrv_extend_httpd(dirsrv_t) >> dirsrvadmin_manage_httpd_script_tmpfile(dirsrv_t) >> >> ## Allow networking >> corenet_tcp_bind_ldap_port(dirsrv_t) >> corenet_tcp_sendrecv_ldap_port(dirsrv_t) >> corenet_sendrecv_ldap_server_packets(dirsrv_t) >> corenet_tcp_bind_unspec_node(dirsrv_t) >> corenet_tcp_bind_inaddr_any_node(dirsrv_t) >> kernel_sendrecv_unlabeled_packets(dirsrv_t) >> allow dirsrv_t self:tcp_socket create_stream_socket_perms; >> allow dirsrv_t self:udp_socket create_socket_perms; >> >> ## Misc interfaces >> # Access to shared libraries >> libs_use_ld_so(dirsrv_t) >> libs_use_shared_libs(dirsrv_t) >> files_exec_usr_files(dirsrv_t) >> # Read locale >> miscfiles_read_localization(dirsrv_t) >> # Read etc >> files_read_etc_files(dirsrv_t) >> sysnet_read_config(dirsrv_t) >> # Allow using syslog >> logging_send_syslog_msg(dirsrv_t) >> # Search sbin >> corecmd_search_sbin(dirsrv_t) >> # Allow read urandom >> dev_read_urand(dirsrv_t) >> # Allow listing /tmp >> files_list_tmp(dirsrv_t) >> # Allow read /usr/tmp >> files_read_usr_symlinks(dirsrv_t) >> # Allow stat file system >> fs_getattr_xattr_fs(dirsrv_t) >> # Allow read proc >> kernel_read_system_state(dirsrv_t) >> >> # Strict policy >> ifdef(`strict_policy',` >> # Daemon search for plugins in cwd >> userdom_dontaudit_search_sysadm_home_dirs(dirsrv_t) >> ') >> >> # In targeted policy >> ifdef(`targeted_policy',` >> files_read_generic_tmp_files(dirsrv_t) >> userdom_dontaudit_search_generic_user_home_dirs(dirsrv_t) >> ') >> >> ######################################## >> # >> # Local policy for setup programs >> # >> >> ## Transtion into dirsrv domain when running setup >> # Should be in userdomain >> ifdef(`strict_policy',` >> dirsrv_setup_domtrans_strict(sysadm, sysadm_r) >> ') 
>> # A similar policy should be in unconfined
>> ifdef(`targeted_policy',`
>> dirsrv_setup_domtrans_targeted(unconfined_t)
>> ')
>> seutil_use_newrole_fds(dirsrv_setup_t)
>>
>> ## Executable
>> allow dirsrv_setup_t self:capability { sys_nice chown fsetid fowner kill net_bind_service dac_override };
>> allow dirsrv_setup_t self:fifo_file { read write getattr ioctl };
>> allow dirsrv_setup_t self:process { setsched getsched };
>> allow dirsrv_setup_t self:tcp_socket { bind create ioctl };
>>
>> # Start daemon from setup program
>> dirsrv_domtrans(dirsrv_setup_t)
>> ## Manage db dir
>> dirsrv_manage_db(dirsrv_setup_t)
>> ## Manage configuration
>> dirsrv_manage_config(dirsrv_setup_t)
>> ## Manage log dir
>> dirsrv_manage_log(dirsrv_setup_t)
>> ## Manage lock dir
>> dirsrv_manage_lock(dirsrv_setup_t)
>> ## Manage var_run files
>> dirsrv_manage_var_run(dirsrv_setup_t)
>> ## Manage helper programs
>> dirsrv_manage_helper_exec(dirsrv_setup_t)
>> dirsrv_run_helper_exec(dirsrv_setup_t)
>> ## Files in /tmp
>> allow dirsrv_setup_t dirsrv_setuplog_t:file manage_file_perms;
>>
>> ## Networking
>> # Connect server using ldap
>> corenet_tcp_bind_inaddr_any_node(dirsrv_setup_t)
>> corenet_tcp_bind_ldap_port(dirsrv_setup_t)
>>
>> ## Misc interfaces
>> # Access to shared libraries
>> libs_use_ld_so(dirsrv_setup_t)
>> libs_use_shared_libs(dirsrv_setup_t)
>> # Read locale
>> miscfiles_read_localization(dirsrv_setup_t)
>> # mtab
>> files_dontaudit_read_etc_runtime_files(dirsrv_setup_t)
>> # Execute
>> corecmd_exec_bin(dirsrv_setup_t)
>> corecmd_exec_sbin(dirsrv_setup_t)
>> corecmd_exec_shell(dirsrv_setup_t)
>> # Read /usr/share
>> files_read_usr_files(dirsrv_setup_t)
>> # Allow read urandom
>> dev_read_urand(dirsrv_setup_t)
>> # Read proc
>> kernel_read_net_sysctls(dirsrv_setup_t)
>> kernel_read_sysctl(dirsrv_setup_t)
>> kernel_read_system_state(dirsrv_setup_t)
>> kernel_search_network_sysctl(dirsrv_setup_t)
>> # Stat shadow
>> auth_read_shadow(dirsrv_setup_t)
>> # Exec nsswitch.conf
>> files_exec_etc_files(dirsrv_setup_t)
>> # Find dirsrv dirs
>> files_search_locks(dirsrv_setup_t)
>> files_search_var_lib(dirsrv_setup_t)
>> logging_search_logs(dirsrv_setup_t)
>> # Allow stat file system
>> fs_getattr_xattr_fs(dirsrv_setup_t)
>> sysnet_read_config(dirsrv_setup_t)
>> term_search_ptys(dirsrv_setup_t)
>>
>> optional_policy(`
>> nscd_read_pid(dirsrv_setup_t)
>> ')
>>
>> # Strict policy
>> ifdef(`strict_policy',`
>> # Read cwd (/root)
>> userdom_list_sysadm_home_dirs(dirsrv_setup_t)
>> ')
>>
>> # In targeted policy
>> ifdef(`targeted_policy',`
>> term_use_generic_ptys(dirsrv_setup_t)
>> # Read cwd (/root)
>> userdom_list_user_home_dirs(user,dirsrv_setup_t)
>> userdom_search_generic_user_home_dirs(dirsrv_setup_t)
>> ')
>> -------------- next part --------------
>> A non-text attachment was scrubbed...
>> Name: dirsrv-admin.te
>> Type: text/x-java
>> Size: 8756 bytes
>> Desc: not available
>> Url : https://www.redhat.com/archives/fedora-directory-users/attachments/20080311/b721a4c9/dirsrv-admin.bin
>> -------------- next part --------------
>> policy_module(fedora-idm-console,1.0.0)
>>
>> ########################################
>> #
>> # Declarations
>> #
>>
>> type fedora-idm-console_t;
>> domain_type(fedora-idm-console_t)
>>
>> ########################################
>> #
>> # Local policy
>> #
>>
>> # In strict policy we need to extend the java domain
>> ifdef(`strict_policy',`
>> fedoraidmconsole_extend_java(user)
>> ## Misc interfaces
>> # Access to shared libraries
>> libs_use_ld_so(fedora-idm-console_t)
>> libs_use_shared_libs(fedora-idm-console_t)
>> # Read locale
>> miscfiles_read_localization(fedora-idm-console_t)
>> ')
>> -------------- next part --------------
>> ## Java based fedora-idm-console
>>
>> ########################################
>> ## <summary>
>> ##	Extend java domain for fedora-idm-console.
>> ## </summary>
>> ## <param name="prefix">
>> ##	<summary>
>> ##	Prefix of domain allowed access.
>> ##	</summary>
>> ## </param>
>> #
>> interface(`fedoraidmconsole_extend_java',`
>> gen_require(`
>> type $1_javaplugin_t;
>> type $1_t, $1_xserver_tmp_t, $1_gconf_home_t, $1_home_ssh_t, $1_mozilla_home_t;
>> ')
>>
>> allow $1_javaplugin_t $1_t:process sigchld;
>> allow $1_t $1_javaplugin_t:process { signal ptrace };
>> allow $1_javaplugin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
>> allow $1_javaplugin_t self:tcp_socket { accept listen };
>> allow $1_javaplugin_t $1_xserver_tmp_t:dir search;
>> allow $1_javaplugin_t $1_xserver_tmp_t:sock_file write;
>> dirsrv_list_db($1_javaplugin_t)
>> corecmd_exec_bin($1_javaplugin_t)
>> corenet_tcp_bind_inaddr_any_node($1_javaplugin_t)
>> files_read_var_files($1_javaplugin_t)
>>
>> # Sun java checks out some dirs, there are probably more than this
>> dontaudit $1_javaplugin_t $1_gconf_home_t:dir getattr;
>> dontaudit $1_javaplugin_t $1_home_ssh_t:dir getattr;
>> dontaudit $1_javaplugin_t $1_mozilla_home_t:dir getattr;
>> ')
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Wed, 12 Mar 2008 11:44:32 +0000
>> From: "Steve Burt"
>> Subject: [Fedora-directory-users] Problems in adding a second server into a new
>> To: fedora-directory-users at redhat.com
>> Message-ID:
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> Greetings Folks
>>
>> I am very new to Fedora-DS and have, I think, successfully installed a
>> Directory Server and a server group with an admin server and 1
>> Directory Server.
>>
>> My aim is to install a second directory server, I think this is
>> basically running the setup-ds-admin.pl on the second server...
>>
>> Could anyone help..
>>
>> Yours Humbly
>>
>> Steve
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Wed, 12 Mar 2008 07:52:09 -0600
>> From: Rich Megginson
>> Subject: Re: [Fedora-directory-users] Problems in adding a second server into a new
>> To: "General discussion list for the Fedora Directory server project."
>> Message-ID: <47D7E009.9060605 at redhat.com>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> Steve Burt wrote:
>> > Greetings Folks
>> >
>> > I am very new to Fedora-DS and have, I think, successfully installed a
>> > Directory Server and a server group with an admin server and 1
>> > Directory Server.
>> >
>> > My aim is to install a second directory server, I think this is
>> > basically running the setup-ds-admin.pl on the second server...
>> >
>> Yes. But read about this bug first -
>> https://bugzilla.redhat.com/show_bug.cgi?id=431103
>> > Could anyone help..
>> >
>> > Yours Humbly
>> >
>> > Steve
>> >
>> > --
>> > Fedora-directory-users mailing list
>> > Fedora-directory-users at redhat.com
>> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>> >
>>
>> ------------------------------
>>
>> End of Fedora-directory-users Digest, Vol 34, Issue 24
>> ******************************************************
>>
>
From solarflow99 at gmail.com Thu Mar 13 00:27:50 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Wed, 12 Mar 2008 16:27:50 -0800
Subject: [Fedora-directory-users] groups
In-Reply-To:
References: <7020fd000803121034v21d63c40u5122aa4d4ad4d2be@mail.gmail.com>
Message-ID: <7020fd000803121727o15fefe49l4eab19f72498a33f@mail.gmail.com>

On 3/12/08, Ivan Ferreira wrote:
>
> >>> I guess FDS doesn't really make use of the UPG scheme that local
> >>> authentication in redhat has always used?
>
> I think UPG is a concept that can be easily accomplished by creating first
> the group, and then the user. Yes, it is an extra step, but the results are
> the same.
>
> >>> If I could say a feature request, it would be a simple way to customise
> >>> templates for adding users/groups, etc.
>
> Probably you are right, but as I said in another reply, you have
> ldapadmin.exe and phpldapadmin which are great tools for managing LDAP
> entries (including SAMBA).

Ya, sad to say I had to resort to using it, and it's for windoze too... but even that can't be customised all that easily.

From LACY_S at Mercer.edu Thu Mar 13 14:55:04 2008
From: LACY_S at Mercer.edu (Scott Lacy)
Date: Thu, 13 Mar 2008 10:55:04 -0400
Subject: [Fedora-directory-users] LDAP entry not showing up in search
Message-ID: <47D94048.8000607@mercer.edu>

Hi All,

I have an entry this morning that I have added via ldif. ldapmodify gave no errors on the import, and the entry shows up in the backup ldif I made of the database afterward. However, this user does not show up in any searches. It is not an admin user, and is in the same ou as the rest of the users. I did a larger ldif earlier this morning of some additions and deletions, and they all seem to appear fine both in the ldif and in searches. This is in 1.0.4.
Any obvious things that I'm missing or suggestions as to the problem?

Thanks,

Scott Lacy
Server Manager
Mercer University

From LACY_S at Mercer.edu Thu Mar 13 15:06:12 2008
From: LACY_S at Mercer.edu (Scott Lacy)
Date: Thu, 13 Mar 2008 11:06:12 -0400
Subject: [Fedora-directory-users] LDAP entry not showing up in search (RESOLVED, USER ERROR)
In-Reply-To: <47D94048.8000607@mercer.edu>
References: <47D94048.8000607@mercer.edu>
Message-ID: <47D942E4.8020401@mercer.edu>

It turns out I trusted the LDIF I was given a little too much. An attribute was present that was not given a value. The value is not strictly required in the schema but is checked by acis to determine what fields may be returned in searches. With this field blank, the aci was not allowing the entry to show in searches at all. This is obviously an implementation issue on our end that needs to be fixed. My apologies for cluttering your mailboxes.

Scott

Scott Lacy wrote:
> Hi All,
>
> I have an entry this morning that I have added via ldif. ldapmodify
> gave no errors on the import, and the entry shows up in the backup
> ldif I made of the database afterward. However, this user does not
> show up in any searches. It is not an admin user, and is in the same
> ou as the rest of the users. I did a larger ldif earlier this morning
> of some additions and deletions, and they all seem to appear fine both
> in the ldif and in searches. This is in 1.0.4. Any obvious things
> that I'm missing or suggestions as to the problem?
>
> Thanks,
>
> Scott Lacy
> Server Manager
> Mercer University

From jared.griffith at farheap.com Thu Mar 13 15:56:52 2008
From: jared.griffith at farheap.com (Jared B. Griffith)
Date: Thu, 13 Mar 2008 08:56:52 -0700 (PDT)
Subject: [Fedora-directory-users] Replication Agreements
Message-ID: <31238533.138681205423811999.JavaMail.root@zimbra1.farheap.com>

Is it possible to set up new replication agreements without using the console (using ldif file obviously)?

--
- Thank you,
- Jared B. Griffith
- Farheap Solutions, Inc.
- Lead Systems Administrator
- California IT Department
- Email - jared.griffith at farheap.com
- Phone - 949.417.1500 ext. 266
- Cell Phone - 949.910.6542

From iferreir at personal.com.py Thu Mar 13 16:09:16 2008
From: iferreir at personal.com.py (Ivan Ferreira)
Date: Thu, 13 Mar 2008 12:09:16 -0400
Subject: [Fedora-directory-users] Replication Agreements
In-Reply-To: <31238533.138681205423811999.JavaMail.root@zimbra1.farheap.com>
Message-ID:

Please see: http://directory.fedoraproject.org/wiki/Howto:MultiMasterReplication

To: fedora-directory-users
Sent by: fedora-directory-users-bounces at redhat.com
Subject: [Fedora-directory-users] Replication Agreements
Classification: Internal Use
13/03/2008 11:56 a.m.
Please reply to "Jared B. Griffith"; please reply to "General discussion list for the Fedora Directory server project."

Is it possible to set up new replication agreements without using the console (using ldif file obviously)?

LEGAL NOTICE: This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded either as a proposal, acceptance or as a statement of will or official statement from NUCLEO S.A. Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice.

From jared.griffith at farheap.com Thu Mar 13 16:08:49 2008
From: jared.griffith at farheap.com (Jared B. Griffith)
Date: Thu, 13 Mar 2008 09:08:49 -0700 (PDT)
Subject: [Fedora-directory-users] Replication Agreements
In-Reply-To:
Message-ID: <15276868.139101205424529002.JavaMail.root@zimbra1.farheap.com>

Perfect.... Many thanks.

----- Original Message -----
From: "Ivan Ferreira"
To: "Jared B. Griffith", "General discussion list for the Fedora Directory server project."
Cc: "fedora-directory-users", fedora-directory-users-bounces at redhat.com
Sent: Thursday, March 13, 2008 9:09:16 AM (GMT-0800) America/Los_Angeles
Subject: Re: [Fedora-directory-users] Replication Agreements

Please see: http://directory.fedoraproject.org/wiki/Howto:MultiMasterReplication

--
- Thank you,
- Jared B. Griffith
- Farheap Solutions, Inc.
- Lead Systems Administrator
- California IT Department
- Email - jared.griffith at farheap.com
- Phone - 949.417.1500 ext. 266
- Cell Phone - 949.910.6542

From rmeggins at redhat.com Thu Mar 13 16:26:38 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 13 Mar 2008 10:26:38 -0600
Subject: [Fedora-directory-users] Replication Agreements
In-Reply-To: <31238533.138681205423811999.JavaMail.root@zimbra1.farheap.com>
References: <31238533.138681205423811999.JavaMail.root@zimbra1.farheap.com>
Message-ID: <47D955BE.7070607@redhat.com>

Jared B. Griffith wrote:
> Is it possible to set up new replication agreements without using the
> console (using ldif file obviously)?
This is now finally documented in the official doc set: See http://tinyurl.com/36njjh and especially http://tinyurl.com/33o3sq

From vaddarapu at gmail.com Fri Mar 14 05:22:52 2008
From: vaddarapu at gmail.com (Anand Vaddarapu)
Date: Fri, 14 Mar 2008 16:22:52 +1100
Subject: [Fedora-directory-users] Console issue
In-Reply-To: <47C490E0.2010606@redhat.com>
References: <47C48B03.7040206@redhat.com> <47C490E0.2010606@redhat.com>
Message-ID:

Hi,

I installed IBM java 1.5 but still having the same issue. Any suggestions appreciated.

Thanks.

On Wed, Feb 27, 2008 at 9:21 AM, Rich Megginson wrote:
> Anand Vaddarapu wrote:
> > Hi,
> >
> > That's exactly right. Can I install IBM java 1.5 without removing sun java.
> Yes.
> >
> > Thanks
> >
> > On Wed, Feb 27, 2008 at 8:56 AM, Rich Megginson wrote:
> >
> > Anand Vaddarapu wrote:
> > > Hi,
> > >
> > > When I turn on SSL I use the URL as https.
> > > (You still see that same error, but the console works anyway?)
> > So, if you turn on SSL engine and use https, you get the X11 Display
> > error, and nothing else. If you turn off SSL engine, and use http, you
> > get the X11 Display error, and it continues and works.
> >
> > If that's the case, then I'm not really sure what to do, except suggest
> > that you try the IBM Java 1.5.
> >
> > > Yes, the console works fine when the SSL engine is turned off.
> > >
> > > Thanks

From lists at runyanrants.net Fri Mar 14 05:55:34 2008
From: lists at runyanrants.net (Legatus)
Date: Fri, 14 Mar 2008 00:55:34 -0500
Subject: Fwd: [Fedora-directory-users] Password Warnings
In-Reply-To: <47D1B3D8.2050202@redhat.com>
References: <47D1619F.7050207@redhat.com> <47D178B2.9030202@redhat.com> <47D1951E.7070700@redhat.com> <47D1B3D8.2050202@redhat.com>
Message-ID:

Okay, I have been trying a lot of different things, and I don't see what I need to see. Let me try a slightly different question. Can someone post a working solution that includes password expiration and warnings in their application? Can they post OS and version, Fedora DS version, and the method that they use for detecting expired, and nearly expired passwords? Any configuration settings required?

Thanks for the help so far,

On Fri, Mar 7, 2008 at 4:30 PM, Rich Megginson wrote:
> Legatus wrote:
> > On Fri, Mar 7, 2008 at 1:18 PM, Rich Megginson wrote:
> >
> > Legatus wrote:
> > > I did that. I know I have done that in the past.
> > > I see on one account the passwordExpWarned, I don't see
> > > passwordExpirationTime. We need to be able to give users warnings
> > > that the password will expire in N days. Am I looking in the wrong
> > > place, or is there a setting I haven't set? I set up a policy that
> > > is supposed to expire passwords, and warn users.
> > One thing is that a user who has not had his/her password changed since
> > password expiration was enabled will not have the passwordExpirationTime
> > attribute in his/her entry, but you could add it manually.
> >
> > Another thing - I'm not sure how it is possible that a user could have
> > the passwordExpWarned but not the passwordExpirationTime attribute.
> > Just looking at the code, everywhere it sets passwordExpWarned it also
> > sets passwordExpirationTime.
> >
> > That is why I am confused. I thought that was how it was supposed to work.
> If you update the password, do both attributes appear?

From solarflow99 at gmail.com Fri Mar 14 09:42:43 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Fri, 14 Mar 2008 09:42:43 +0000
Subject: [Fedora-directory-users] Console issue
In-Reply-To:
References: <47C48B03.7040206@redhat.com> <47C490E0.2010606@redhat.com>
Message-ID: <7020fd000803140242m19b48259pde0d33b593aee476@mail.gmail.com>

What release of Linux do you have? Are you running this from an xterm on the host PC? What is the actual error?

On 3/14/08, Anand Vaddarapu wrote:
>
> Hi,
>
> I installed IBM java 1.5 but still having the same issue.
> Any suggestions appreciated.
>
> Thanks.
>
> On Wed, Feb 27, 2008 at 9:21 AM, Rich Megginson wrote:
> > Anand Vaddarapu wrote:
> > > Hi,
> > >
> > > That's exactly right. Can I install IBM java 1.5 without removing sun java.
> >
> > Yes.
> > >
> > > Thanks
> > >
> > > On Wed, Feb 27, 2008 at 8:56 AM, Rich Megginson wrote:
> > >
> > > Anand Vaddarapu wrote:
> > > > Hi,
> > > >
> > > > When I turn on SSL I use the URL as https.
> > > > (You still see that same error, but the console works anyway?)
> > > So, if you turn on SSL engine and use https, you get the X11 Display
> > > error, and nothing else. If you turn off SSL engine, and use http, you
> > > get the X11 Display error, and it continues and works.
> > >
> > > If that's the case, then I'm not really sure what to do, except suggest
> > > that you try the IBM Java 1.5.
> > >
> > > > Yes, the console works fine when the SSL engine is turned off.
> > > >
> > > > Thanks
From ryan.braun at ec.gc.ca Fri Mar 14 12:58:50 2008
From: ryan.braun at ec.gc.ca (Ryan Braun [ADS])
Date: Fri, 14 Mar 2008 12:58:50 +0000
Subject: Fwd: [Fedora-directory-users] Password Warnings
In-Reply-To:
References: <47D1B3D8.2050202@redhat.com>
Message-ID: <200803141258.50966.ryan.braun@ec.gc.ca>

On Friday 14 March 2008 05:55, Legatus wrote:

I've attached a script we were using on our old operational openldap servers. I haven't updated it much since we started running fds, but it should give you some ideas on how to find out if users' passwords are expiring. Basically, we just run it from cron nightly and it will email each user whose password expiry is within their shadowWarning threshold, then email the admin all the users that are within their threshold.

Ryan

> Okay, I have been trying a lot of different things, and I don't see what I
> need to see. Let me try a slightly different question. Can someone post a
> working solution that includes password expiration and warnings in their
> application? Can they post OS and version, Fedora DS version, and the
> method that they use for detecting expired, and nearly expired passwords?
> Any configuration settings required?
>
> Thanks for the help so far,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mail_check.pl
Type: application/x-perl
Size: 6518 bytes
Desc: not available

From burt.s.e at gmail.com Fri Mar 14 23:40:13 2008
From: burt.s.e at gmail.com (Steve Burt)
Date: Fri, 14 Mar 2008 23:40:13 +0000
Subject: [Fedora-directory-users] Fedora-DS replication issue
Message-ID:

Hi Folks

Appreciate your help here; at each stage there have been hurdles...

Fact 1: I have added ldap2.hostname.com DS into the Configuration Server on ldap1.hostname.com
Fact 2: I have run the migration script to export all users and groups into an ldif format and imported them into Fedora-DS
Fact 3: I have Enabled Replica on ldap1 and set up a Single Master relation
Fact 4: I have configured ldap2.hostname.com as a Dedicated Consumer
Fact 5: I have set up a Replication Agreement on userRoot DB on ldap1
Fact 6: I have set up a Base DN for the Replication Manager on ldap2

The errors I am now getting are... they sorta speak for themselves. Any pointers...
[13/Mar/2008:16:55:13 +0000] NSMMReplicationPlugin - conn=59 op=3 replica="dc=hostname, dc=com": Unable to acquire replica: error: permission denied
[13/Mar/2008:17:00:13 +0000] NSMMReplicationPlugin - conn=60 op=3 replica="dc=hostname, dc=com": Unable to acquire replica: error: permission denied
[13/Mar/2008:17:05:13 +0000] NSMMReplicationPlugin - conn=61 op=3 replica="dc=hostname, dc=com": Unable to acquire replica: error: permission denied
[13/Mar/2008:17:10:13 +0000] NSMMReplicationPlugin - conn=62 op=3 replica="dc=hostname, dc=com": Unable to acquire replica: error: permission denied
[13/Mar/2008:17:15:13 +0000] NSMMReplicationPlugin - conn=63 op=3 replica="dc=hostname, dc=com": Unable to acquire replica: error: permission denied
[13/Mar/2008:17:20:13 +0000] NSMMReplicationPlugin - conn=64 op=3 replica="dc=hostname, dc=com": Unable to acquire replica: error: permission denied
[13/Mar/2008:17:25:13 +0000] NSMMReplicationPlugin - conn=65 op=3 replica="dc=hostname, dc=com": Unable to acquire replica: error: permission denied
[13/Mar/2008:17:30:13 +0000] NSMMReplicationPlugin - conn=66 op=3 replica="dc=hostname, dc=com": Unable to acquire replica: error: permission denied
[13/Mar/2008:17:35:13 +0000] NSMMReplicationPlugin - conn=67 op=3 replica="dc=hostname, dc=com": Unable to acquire replica: error: permission denied

Kind Regards
Steve

From marco.strullato at gmail.com Mon Mar 17 16:41:05 2008
From: marco.strullato at gmail.com (Marco Strullato)
Date: Mon, 17 Mar 2008 17:41:05 +0100
Subject: [Fedora-directory-users] fedora directory server and ldap authentication for httpd 2.2.x
Message-ID:

Hi all,

I already have two fedora directory servers set up in multi master replica and tls used for linux authentication. Now I have to connect my fds authentication system to the apache web server (httpd 2.2.x). Web traffic between browser and httpd server will be encrypted with mod_ssl.
I added to httpd.conf the following lines LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/cacerts/cacert.pem LDAPTrustedMode TLS and I create a .htaccess file with this content: AuthType Basic AuthName "Restricted Access" AuthLDAPURL ldap://server/c=it?uid?one TLS AuthzLDAPAuthoritative On AuthLDAPEnabled On AuthLDAPBindDN "cn=Directory Manager" AuthLDAPBindPassword "password" Unluckly I can not authenticate and I get [Mon Mar 17 15:45:33 2008] [error] [client 10.0.1.13] access to /4.4 failed, reason: verification of user id 'user' not configured Suggestions? Tnks Marco Strullato -------------- next part -------------- An HTML attachment was scrubbed... URL: From iferreir at personal.com.py Mon Mar 17 18:34:34 2008 From: iferreir at personal.com.py (Ivan Ferreira) Date: Mon, 17 Mar 2008 14:34:34 -0400 Subject: [Fedora-directory-users] fedora directory server and ldap authentication for httpd 2.2.x In-Reply-To: Message-ID: I use something like this in a file under /etc/httpd/conf.d I suggest you to try first without SSL and once it works, then enable SSL. Alias /intranet "/intranet/web" Options Indexes SymLinksIfOwnerMatch AllowOverride None Order allow,deny Allow from localhost 127.0.0.1 redhat.com.py 192.168.0 AuthType basic AuthName Intranet AuthBasicProvider ldap AuthzLDAPAuthoritative off AuthLDAPURL ldaps://fds1.redhat.com.py/ou=People,dc=redhat,dc=com,dc=py?uid?sub require valid-user Para fedora-directory-users at redhat.co m "Marco Strullato" cc Asunto Enviado por: [Fedora-directory-users] fedora fedora-directory-users-b directory server and ldap ounces at redhat.com authentication for httpd 2.2.x Clasificaci?n 17/03/2008 12:41 p.m. Uso Interno Por favor, responda a "General discussion list for the Fedora Directory server project." Hi all, I already have two fedora directory servers set up in multi master replica and tls used for linux authentication. Now I have to connect my fds authentication system to the apache web server (httpd 2.2.x). 
Web traffic between browser and httpd server will be encrypted with mod_ssl.

I added to httpd.conf the following lines

LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/cacerts/cacert.pem
LDAPTrustedMode TLS

and I created a .htaccess file with this content:

AuthType Basic
AuthName "Restricted Access"
AuthLDAPURL ldap://server/c=it?uid?one TLS
AuthzLDAPAuthoritative On
AuthLDAPEnabled On
AuthLDAPBindDN "cn=Directory Manager"
AuthLDAPBindPassword "password"

Unluckily I can not authenticate and I get

[Mon Mar 17 15:45:33 2008] [error] [client 10.0.1.13] access to /4.4 failed, reason: verification of user id 'user' not configured

Suggestions?

Thanks
Marco Strullato

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

========================================================================================
LEGAL NOTICE: This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded neither as a proposal, acceptance nor as a statement of will or official statement from NUCLEO S.A. Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice.

From cgibbons at tahc.state.tx.us Mon Mar 17 18:43:20 2008
From: cgibbons at tahc.state.tx.us (Carol Gibbons)
Date: Mon, 17 Mar 2008 13:43:20 -0500
Subject: [Fedora-directory-users] Server-Admin - SSL error blocks ability to configure Admin Server component
Message-ID: <6.1.2.0.2.20080317133437.0295eda0@tahc.state.tx.us>

Hello there,

I have Fedora DS v 1.0.4 installed on a Red Hat 4 workstation system. I added an SSL certificate to the Fedora DS system today via command line. But, the certificate hasn't been activated. The certificate is listed correctly in java GUI Directory Server -> Manage Certificates panel.

When I go to the java GUI for the Administration Server and try to launch Config Admin - I get an SSL error: SSL related initialization failed.

I also get this error when I click on the Manage Certificates button: Could not open file in admin-serv-mail-cert8.db.

I get an SSL error when I click on any of the other admin server buttons. I looked in the error logs for admin and slapd and no details are given. System messages log doesn't have anything listed as expected.

Any ideas?

Thanks in advance,
Carol

From kmarsh at gdrs.com Tue Mar 18 11:56:54 2008
From: kmarsh at gdrs.com (Ken Marsh)
Date: Tue, 18 Mar 2008 07:56:54 -0400
Subject: [Fedora-directory-users] FDS 1.1 console doesn't show DS
Message-ID: <5AD9B0E562FEFB4E933861904D7135C5796B46@gdrs-exchange.gdrs.com>

Hi,

I installed FDS 1.1 on RHEL 5.1 x86-64 using the instructions in http://directory.fedoraproject.org/wiki/Release_Notes .
I used the same answers that worked in previous 1.0.4-1 installs, choosing "2" and storing the config data on a 1.0.4-1 server. I used a different Admin port > 9830, using the same port that my other, older FDS systems use.

When I started fedora-idm-console, it didn't already know what URL to use. I had to enter it manually (a step backwards from 1.0.4-1 installs). Once entered, a console came up, but under the Servers and Applications tab there are no DS instances to administer.

When I try to Admin from the 1.0.4-1 server, I get a Java dump when expanding the Server Group for the 1.1 server. At first empty icons for Administration Server and Directory Server show up, but the DS link does not work.

Perhaps it is too much to ask to Admin a 1.1 from an older version, but if I cannot also admin it from itself, what am I to do? I am trying to lever up from three 1.0.4-1 DS to 1.1, and this is the first step in the process.

Did I miss something on install or setup, or is there a bug in the RHEL 5.1/Fedora 6 x86_64 version, possibly related to choosing an alternate admin port?

-Ken

From jazcek at scs.fsu.edu Tue Mar 18 13:06:55 2008
From: jazcek at scs.fsu.edu (Jazcek Braden)
Date: Tue, 18 Mar 2008 09:06:55 -0400
Subject: [Fedora-directory-users] Log rotation problems
Message-ID: <47DFBE6F.9010107@scs.fsu.edu>

I have three FDS 1.0.4 servers, one master and replication clients. On all three of them I have set the log files to rotate every night at 2am. On the two replicas the logs rotate fine as expected, however on the master whenever the log rotates it deletes the old log, which is causing me to lose a lot of accounting information. Is there a way to debug why this is happening?

--
Jazcek Braden
System Administrator
431 Dirac Science Library
Florida State University
Tallahassee, FL 32306-4120
Phone 850-644-6490
From fds at gezi.cs.uni-sb.de Tue Mar 18 13:43:31 2008
From: fds at gezi.cs.uni-sb.de (Alex Fauss)
Date: Tue, 18 Mar 2008 14:43:31 +0100
Subject: [Fedora-directory-users] How-To Password Policy/Account Locking/Samba Integration
Message-ID: <47DFC703.8090405@gezi.cs.uni-sb.de>

Hi List.

After reading a lot of topics on the list about password policy and locking and samba integration ..., my brain is burning, because I can't get it working. Can someone point me to the right way?

A few words about my actual configuration.

OS: CentOS 5.1
FDS: 1.1
Samba: 3.x

ldap.conf:
pam_lookup_policy yes
pam_password exop
pam_password clear (for password history matching)

smb.conf:
encrypt passwords = yes
obey pam restrictions = no
pam password change = no
passwd chat debug = Yes
ldap passwd sync = no
unix password sync = yes
passwd program = /usr/sbin/smbldap-passwd -u %U
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\spassword:* %n\n .

fds: Password policy enabled in "data-tab" plus fine-grained for another sub-tree policy, where the users reside.

Thx

From marco.strullato at gmail.com Tue Mar 18 14:57:00 2008
From: marco.strullato at gmail.com (Marco Strullato)
Date: Tue, 18 Mar 2008 15:57:00 +0100
Subject: [Fedora-directory-users] how to plan the directory server?
Message-ID:

Hi all,
I have to set up a directory service storing permissions and users and file locations into ldap. Is there a schema that implements what I need? Do you suggest me any way to proceed?
Thanks
Marco

From kmarsh at gdrs.com Tue Mar 18 20:34:18 2008
From: kmarsh at gdrs.com (Ken Marsh)
Date: Tue, 18 Mar 2008 16:34:18 -0400
Subject: [Fedora-directory-users] Re: FDS 1.1 console doesn't show DS
Message-ID: <5AD9B0E562FEFB4E933861904D7135C5796BDE@gdrs-exchange.gdrs.com>

Hi again,

I think I have a small bug report.
I removed all RPM's related to FDS 1.1-4 and admin on my RHEL5.1/x86_64 system, rm -fr /etc/dirsrv/slapd-server, and reinstalled it and ran setup-ds-admin.pl again using 3 for custom and saving the config data locally this time.

I couldn't start the Admin Server on my custom port, so I tried 9830 and it worked. I did the grep \^Listen /etc/dirsrv/admin-serv/console.conf command as suggested in the documentation and it came up with 9830. My terminal history was still scrollable and I can see for a fact that I asked for a different port.

What's more, it did set that port correctly on the previous attempt when I used "2" and saved data on a different DS. The admin server as desired ran on my custom port. I also did the grep command after the first attempt, and verified that it was running on my custom port.

I'm not sure if the bug exerted itself because of the reinstall over the extant /etc/dirsrv/admin-serv directory and/or because I chose 3-custom instead of 2.

This is a very small bug as there are two obvious workarounds; either start the Admin console on the default port, or manually edit /etc/dirsrv/admin-serv/console.conf, change it to the desired port, and do a service dirsrv-admin stop and start.

-Ken.

From rmeggins at redhat.com Tue Mar 18 20:51:02 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 18 Mar 2008 14:51:02 -0600
Subject: [Fedora-directory-users] Re: FDS 1.1 console doesn't show DS
In-Reply-To: <5AD9B0E562FEFB4E933861904D7135C5796BDE@gdrs-exchange.gdrs.com>
References: <5AD9B0E562FEFB4E933861904D7135C5796BDE@gdrs-exchange.gdrs.com>
Message-ID: <47E02B36.6090509@redhat.com>

Ken Marsh wrote:
> Hi again,
>
> I think I have a small bug report.
>
> I removed all RPM's related to FDS 1.1-4 and admin on my RHEL5.1/x86_64
> system, rm -fr /etc/dirsrv/slapd-server, and reinstalled it and ran
> setup-ds-admin.pl again using 3 for custom and saving the config data
> locally this time.
>
You should be able to do something like this to remove all of the packages:

yum erase svrcore idm-console-framework

That should remove those packages and all packages which depend on them. In order to remove all trace of fedora ds, you would need to do something like this, after the yum erase:

rm -rf /etc/dirsrv /usr/lib/dirsrv /usr/lib64/dirsrv `find /var -name dirsrv -print`

If /etc/dirsrv/admin-serv/adm.conf exists, setup-ds-admin.pl will not work as you would expect - I don't think it will allow you to change the existing admin server port number in that case. If /etc/dirsrv/admin-serv/adm.conf exists, then setup-ds-admin.pl will basically allow you to create another instance of directory server and register it with the configuration DS.

> I couldn't start the Admin Server on my custom port, so I tried 9830 and
> it worked. I did the grep \^Listen /etc/dirsrv/admin-serv/console.conf
> command as suggested in the documentation and it came up with 9830. My
> terminal history was still scrollable and I can see for a fact that I
> asked for a different port.
>
> What's more, it did set that port correctly on the previous attempt when
> I used "2" and saved data on a different DS. The admin server as desired
> ran on my custom port. I also did the grep command after the first
> attempt, and verified that it was running on my custom port.
>
> I'm not sure if the bug exerted itself because of the reinstall over the
> extant /etc/dirsrv/admin-serv directory and/or because I chose 3-custom
> instead of 2.
>
> This is a very small bug as there are two obvious workarounds; either
> start the Admin console on the default port, or manually edit
> /etc/dirsrv/admin-serv/console.conf, change it to the desired port, and
> do a service dirsrv-admin stop and start.
>
> -Ken.
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From santangelo.luigi at tiscali.it Wed Mar 19 10:37:42 2008
From: santangelo.luigi at tiscali.it (Luigi Santangelo)
Date: Wed, 19 Mar 2008 11:37:42 +0100 (CET)
Subject: [Fedora-directory-users] windows sync and password "clear"
Message-ID: <23615050.1205923062302.JavaMail.root@ps22>

Hi everybody, this is my problem:
I configured my Fedora DS and now I can sync the LDAP's users with Windows 2003 Active Directory. Then, I created a new user with this code ldif

dn: uid=red,ou=Other,ou=Students,ou=People,dc=xxxxx,dc=xx
givenName: red
sn: red
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: ntuser
uid: red
ntUserCreateNewAccount: true
ntUserDeleteAccount: true
cn: red
ntUserDomainId: red
userPassword: redpwd
creatorsName: uid=root,ou=administrators,ou=topologymanagement,
 o=netscaperoot
modifiersName: uid=root,ou=administrators,ou=topologymanagement,
 o=netscaperoot
createTimestamp: 20080318153555Z
modifyTimestamp: 20080318153555Z
nsUniqueId: f8f6c801-f50011dc-80ebbfe2-cc3ccdae

Note that I wrote the user's password in "clear". Now, I can logon the Windows AD with the username red and the password redpwd.
Then I added another user (yellow) with this code ldif

dn: uid=yellow,ou=Other,ou=Students,ou=People,dc=xxxxx,dc=xx
givenName: yellow
sn: yellow
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: ntuser
uid: yellow
ntUserCreateNewAccount: true
ntUserDeleteAccount: true
cn: yellow
ntUserDomainId: yellow
userPassword: {MD5}8cb32079718c657b02bbbb176b97d030
creatorsName: uid=root,ou=administrators,ou=topologymanagement,
 o=netscaperoot
modifiersName: uid=root,ou=administrators,ou=topologymanagement,
 o=netscaperoot
createTimestamp: 20080318153555Z
modifyTimestamp: 20080318153555Z
nsUniqueId: f8f6c801-f50011dc-80ebbfe2-cc3ccdae

Note the MD5(yellowpwd) = 8cb32079718c657b02bbbb176b97d030
Then If I try logon the Windows AD (from Windows) with the username yellow and the password yellowred, I cannot log in. Instead, if I try logon the Windows AD with the username yellow and the password {MD5}8cb32079718c657b02bbbb176b97d030 I can log in.
Do you think that this is a problem strictly related to Windows' problem? How can I get over it?
Thank you in advance.

From santangelo.luigi at tiscali.it Wed Mar 19 11:15:44 2008
From: santangelo.luigi at tiscali.it (Luigi Santangelo)
Date: Wed, 19 Mar 2008 12:15:44 +0100 (CET)
Subject: [Fedora-directory-users] windows sync and password "clear"
Message-ID: <11903293.1205925344001.JavaMail.root@ps11>

Hi everybody, this is my problem:
I configured my Fedora DS and now I can sync the LDAP's users with Windows 2003 Active Directory.
Then, I created a new user with this code ldif

dn: uid=red,ou=Other,ou=Students,ou=People,dc=xxxxx,dc=xx
givenName: red
sn: red
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: ntuser
uid: red
ntUserCreateNewAccount: true
ntUserDeleteAccount: true
cn: red
ntUserDomainId: red
userPassword: redpwd
creatorsName: uid=root,ou=administrators,ou=topologymanagement,
 o=netscaperoot
modifiersName: uid=root,ou=administrators,ou=topologymanagement,
 o=netscaperoot
createTimestamp: 20080318153555Z
modifyTimestamp: 20080318153555Z
nsUniqueId: f8f6c801-f50011dc-80ebbfe2-cc3ccdae

Note that I wrote the user's password in "clear". Now, I can logon the Windows AD with the username red and the password redpwd.
Then I added another user (yellow) with this code ldif

dn: uid=yellow,ou=Other,ou=Students,ou=People,dc=xxxxx,dc=xx
givenName: yellow
sn: yellow
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: ntuser
uid: yellow
ntUserCreateNewAccount: true
ntUserDeleteAccount: true
cn: yellow
ntUserDomainId: yellow
userPassword: {MD5}8cb32079718c657b02bbbb176b97d030
creatorsName: uid=root,ou=administrators,ou=topologymanagement,
 o=netscaperoot
modifiersName: uid=root,ou=administrators,ou=topologymanagement,
 o=netscaperoot
createTimestamp: 20080318153555Z
modifyTimestamp: 20080318153555Z
nsUniqueId: f8f6c801-f50011dc-80ebbfe2-cc3ccdae

Note the MD5(yellowpwd) = 8cb32079718c657b02bbbb176b97d030
Then If I try logon the Windows AD (from Windows) with the username yellow and the password yellowred, I cannot log in. Instead, if I try logon the Windows AD with the username yellow and the password {MD5}8cb32079718c657b02bbbb176b97d030 I can log in.
Do you think that this is a problem strictly related to Windows' problem? How can I get over it?
Thank you in advance.
From solarflow99 at gmail.com Wed Mar 19 12:27:44 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Wed, 19 Mar 2008 12:27:44 +0000
Subject: [Fedora-directory-users] windows sync and password "clear"
In-Reply-To: <11903293.1205925344001.JavaMail.root@ps11>
References: <11903293.1205925344001.JavaMail.root@ps11>
Message-ID: <7020fd000803190527l1d992ce6j13fc5ac2865663b@mail.gmail.com>

I think windows passwords have to be hashed differently, so you'd have to reset their password or generate it with the windows password generator included with samba, I think it's called ntpwd or something like that.

On 3/19/08, Luigi Santangelo wrote:
>
> Hi everybody, this is my problem:
> I configured my Fedora DS and now I can sync the LDAP's users with
> Windows 2003 Active Directory. Then, I created a new user with this
> code ldif
>
> dn: uid=red,ou=Other,ou=Students,ou=People,dc=xxxxx,dc=xx
> givenName: red
> sn: red
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: ntuser
> uid: red
> ntUserCreateNewAccount: true
> ntUserDeleteAccount: true
> cn: red
> ntUserDomainId: red
> userPassword: redpwd
> creatorsName: uid=root,ou=administrators,ou=topologymanagement,
> o=netscaperoot
> modifiersName: uid=root,ou=administrators,ou=topologymanagement,
> o=netscaperoot
> createTimestamp: 20080318153555Z
> modifyTimestamp: 20080318153555Z
> nsUniqueId: f8f6c801-f50011dc-80ebbfe2-cc3ccdae
>
> Note that I wrote the user's password in "clear". Now, I can logon
> the
> Windows AD with the username red and the password redpwd.
> Then I added another user (yellow) with this code ldif
>
> dn: uid=yellow,ou=Other,ou=Students,ou=People,dc=xxxxx,dc=xx
> givenName: yellow
> sn: yellow
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: ntuser
> uid: yellow
> ntUserCreateNewAccount: true
> ntUserDeleteAccount: true
> cn: yellow
> ntUserDomainId: yellow
> userPassword: {MD5}8cb32079718c657b02bbbb176b97d030
> creatorsName: uid=root,ou=administrators,ou=topologymanagement,
> o=netscaperoot
> modifiersName: uid=root,ou=administrators,ou=topologymanagement,
> o=netscaperoot
> createTimestamp: 20080318153555Z
> modifyTimestamp: 20080318153555Z
> nsUniqueId: f8f6c801-f50011dc-80ebbfe2-cc3ccdae
>
> Note the MD5(yellowpwd) = 8cb32079718c657b02bbbb176b97d030
> Then If I try logon the Windows AD (from Windows) with the username
> yellow and the password yellowred, I cannot log in. Instead, if I try
> logon the Windows AD with the username yellow and the
> password {MD5}8cb32079718c657b02bbbb176b97d030 I can log in.
> Do you think that this is a problem strictly related to Windows'
> problem? How can I get over it?
> Thank you in advance.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
From dwalsh at redhat.com Tue Mar 18 14:34:43 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 18 Mar 2008 10:34:43 -0400
Subject: [Fedora-directory-users] Re: SELinux policy for Fedora Directory Server 1.1.0
In-Reply-To: <200803111734.10289.par.aronsson@telia.com>
References: <200803111734.10289.par.aronsson@telia.com>
Message-ID: <47DFD303.4080004@redhat.com>

Pär Aronsson wrote:
> Hello,
>
> Attached is a SELinux policy for the Fedora Directory Server 1.1.0.
> It is composed of three parts.
> * dirsrv - directory server and setup programs
> * dirsrv-admin - administration server and setup programs
> * fedora-idm-console - java based console for administration
>
> The policies were developed on a CentOS 5.1 with the following packages:
> fedora-ds-base-1.1.0-3.fc6
> fedora-ds-admin-1.1.1-1.fc6
> fedora-ds-console-1.1.0-5.fc6
> selinux-policy-2.4.6-106.el5_1.3
> kernel-2.6.18-53.1.4.el5
>
> I've successfully tested the policies in targeted and strict mode.
>
> The dirsrv-admin policy requires that the apache policy module is loaded.
> Also run:
> setsebool -P httpd_enable_cgi on
>
> Comment out the following in /usr/sbin/start-ds-admin (line 63-65):
> if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
> SELINUX_CMD="runcon -t unconfined_t --"
> fi
>
> I had trouble with the replication plugin so I haven't been able to do any
> testing with replication.
>
> Any comments are welcome.
>
> // Pär Aronsson
>
Just started looking at this policy. dirsrv.te looks pretty good; I have never set up a directory server, so I am guessing on some of this stuff.

You want logging_search_logs($1) in dirsrv_read_setuplog

The fedora-idm-console stuff makes no sense. Looks like you are trying to fix bugs in javaplugin policy.

Not sure if you want/need dirsrv-admin policy? If this is just stuff to be run in cgi, just extend it.

Also not sure you need dirsrv_setup_t. Why not leave in admin context?
From rmeggins at redhat.com Wed Mar 19 14:40:44 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 19 Mar 2008 08:40:44 -0600
Subject: [Fedora-directory-users] Announcing Project DogTag - Open Source Certificate System
Message-ID: <47E125EC.5070903@redhat.com>

Project DogTag is the culmination of many months of work to prepare the code of Red Hat Certificate System to be open sourced. I'm mentioning it here because several people on this list have asked about it in the past, and this project is our "sister" project - Certificate System is the second major project to be made open source from Red Hat's Netscape acquisition, and Certificate System uses Fedora DS.

Project DogTag wiki - http://pki-svn.fedora.redhat.com/wiki/PKI_Main_Page

Press Release - http://www.press.redhat.com/2008/03/19/source-code-for-red-hat-certificate-system-released/

From dennis at ausil.us Wed Mar 19 14:52:56 2008
From: dennis at ausil.us (Dennis Gilmore)
Date: Wed, 19 Mar 2008 09:52:56 -0500
Subject: [Fedora-directory-users] Announcing Project DogTag - Open Source Certificate System
In-Reply-To: <47E125EC.5070903@redhat.com>
References: <47E125EC.5070903@redhat.com>
Message-ID: <200803190953.01719.dennis@ausil.us>

On Wednesday 19 March 2008, Rich Megginson wrote:
> Project DogTag is the culmination of many months of work to prepare the
> code of Red Hat Certificate System to be open sourced.
> I'm mentioning it
> here because several people on this list have asked about it in the
> past, and this project is our "sister" project - Certificate System is
> the second major project to be made open source from Red Hat's Netscape
> acquisition, and Certificate System uses Fedora DS.
>
> Project DogTag wiki - http://pki-svn.fedora.redhat.com/wiki/PKI_Main_Page
>
> Press Release -
> http://www.press.redhat.com/2008/03/19/source-code-for-red-hat-certificate-
> system-released/

Why oh why did you use space at fedora.redhat.com? Nothing new is supposed to be there; it is supposed to be gone. The only thing still there is download.fedora.redhat.com; everything else has been migrated away.

https://fedorahosted.org/fedora-infrastructure/ is where you file a ticket to get something under fedoraproject.org, or just ask me on irc.

Dennis

From rmeggins at redhat.com Wed Mar 19 18:38:49 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 19 Mar 2008 12:38:49 -0600
Subject: [Fedora-directory-users] Security update for fedora-idm-console package
Message-ID: <47E15DB9.3000204@redhat.com>

fedora-idm-console 1.1.0 has a security vulnerability - details are in https://bugzilla.redhat.com/show_bug.cgi?id=436101

There is a new version available - fedora-idm-console-1.1.1-1 - which you should install immediately.

yum upgrade fedora-idm-console

Download instructions are here - http://directory.fedoraproject.org/wiki/Download
From iferreir at personal.com.py Thu Mar 20 01:27:05 2008
From: iferreir at personal.com.py (Ivan Ferreira)
Date: Wed, 19 Mar 2008 21:27:05 -0400
Subject: [Fedora-directory-users] windows sync and password "clear"
In-Reply-To: <23615050.1205923062302.JavaMail.root@ps22>
Message-ID:

I don't know where I read it, but as far as I know you should use only UNIX crypt for the password, so don't use MD5.

Luigi Santangelo, sent by fedora-directory-users-bounces at redhat.com, 19/03/2008 06:37 a.m.
Subject: [Fedora-directory-users] windows sync and password "clear"
Classification: Internal use
Please reply to Luigi Santangelo; please reply to "General discussion list for the Fedora Directory server project."

Hi everybody, this is my problem:
I configured my Fedora DS and now I can sync the LDAP's users with Windows 2003 Active Directory. Then, I created a new user with this code ldif

dn: uid=red,ou=Other,ou=Students,ou=People,dc=xxxxx,dc=xx
givenName: red
sn: red
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: ntuser
uid: red
ntUserCreateNewAccount: true
ntUserDeleteAccount: true
cn: red
ntUserDomainId: red
userPassword: redpwd
creatorsName: uid=root,ou=administrators,ou=topologymanagement,
 o=netscaperoot
modifiersName: uid=root,ou=administrators,ou=topologymanagement,
 o=netscaperoot
createTimestamp: 20080318153555Z
modifyTimestamp: 20080318153555Z
nsUniqueId: f8f6c801-f50011dc-80ebbfe2-cc3ccdae

Note that I wrote the user's password in "clear". Now, I can logon the Windows AD with the username red and the password redpwd.
Then I added another user (yellow) with this code ldif

dn: uid=yellow,ou=Other,ou=Students,ou=People,dc=xxxxx,dc=xx
givenName: yellow
sn: yellow
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: ntuser
uid: yellow
ntUserCreateNewAccount: true
ntUserDeleteAccount: true
cn: yellow
ntUserDomainId: yellow
userPassword: {MD5}8cb32079718c657b02bbbb176b97d030
creatorsName: uid=root,ou=administrators,ou=topologymanagement,
 o=netscaperoot
modifiersName: uid=root,ou=administrators,ou=topologymanagement,
 o=netscaperoot
createTimestamp: 20080318153555Z
modifyTimestamp: 20080318153555Z
nsUniqueId: f8f6c801-f50011dc-80ebbfe2-cc3ccdae

Note the MD5(yellowpwd) = 8cb32079718c657b02bbbb176b97d030
Then If I try logon the Windows AD (from Windows) with the username yellow and the password yellowred, I cannot log in. Instead, if I try logon the Windows AD with the username yellow and the password {MD5}8cb32079718c657b02bbbb176b97d030 I can log in.
Do you think that this is a problem strictly related to Windows' problem? How can I get over it?
Thank you in advance.

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

From lukeb at deakin.edu.au Thu Mar 20 02:46:40 2008
From: lukeb at deakin.edu.au (Luke Bigum)
Date: Thu, 20 Mar 2008 13:46:40 +1100
Subject: [Fedora-directory-users] Fedora DS version compatibility
Message-ID: <47E1D010.2040108@deakin.edu.au>

Hi all,

I'm looking to upgrade some Fedora DS 1.02 servers to 1.1. We use a master-slave replicated configuration. Before I get too far into it, are there any known compatibility issues between 1.1 and 1.02? I was planning on updating one of the slaves to 1.1 first, leaving our master 1.02 server as it is for the time being. Is this possible or would I have to upgrade the master first?

Thanks,
-Luke

--
Luke Bigum, Unix Administrator, Information Technology Services Division
Deakin University, Waterfront Campus, Victoria 3217 Australia.
Phone: 03 5227 8691 International: +61 3 5227 8691
Fax: 03 5227 8866 International: +61 3 5227 8866
E-mail: luke.bigum at deakin.edu.au
Website: http://www.deakin.edu.au
Deakin University CRICOS Provider Code: 00113B (Vic), 02414F (NSW)

Important Notice: The contents of this email transmission, including any attachments, are intended solely for the named addressee and are confidential; any unauthorized use, reproduction or storage of the contents and any attachments is expressly prohibited. If you have received this transmission in error, please delete it and any attachments from your system immediately and advise the sender by return email or telephone. Deakin University does not warrant that this email and any attachments are error or virus free.

From santangelo.luigi at tiscali.it Thu Mar 20 09:00:19 2008
From: santangelo.luigi at tiscali.it (Luigi Santangelo)
Date: Thu, 20 Mar 2008 10:00:19 +0100 (CET)
Subject: [Fedora-directory-users] windows sync and password "clear"
Message-ID: <15434034.1206003619597.JavaMail.root@ps9>

no, it doesn't work

>----Original message----
>From: iferreir at personal.com.py
>Date: 20/03/2008 2.27
>To: "Luigi Santangelo", "General discussion list for the Fedora Directory server project."
>Cc: ,
>Subject: Re: [Fedora-directory-users] windows sync and password " clear"
>
>I don't know where I read but as far I know you should use only UNIX crypt
>for password, so don't use MD5.
>
> Luigi Santangelo, sent by fedora-directory-users-bounces at redhat.com, 19/03/2008 06:37 a. m.
> Subject: [Fedora-directory-users] windows sync and password "clear"
> Classification: Internal use
> Please reply to Luigi Santangelo; please reply to "General discussion list for the Fedora Directory server project."
>
>Hi everybody, this is my problem:
>I configured my Fedora DS and now I can sync the LDAP's users with
>Windows 2003 Active Directory.
> Then, I created a new user with this LDIF code:
>
> dn: uid=red,ou=Other,ou=Students,ou=People,dc=xxxxx,dc=xx
> givenName: red
> sn: red
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: ntuser
> uid: red
> ntUserCreateNewAccount: true
> ntUserDeleteAccount: true
> cn: red
> ntUserDomainId: red
> userPassword: redpwd
> creatorsName: uid=root,ou=administrators,ou=topologymanagement,o=netscaperoot
> modifiersName: uid=root,ou=administrators,ou=topologymanagement,o=netscaperoot
> createTimestamp: 20080318153555Z
> modifyTimestamp: 20080318153555Z
> nsUniqueId: f8f6c801-f50011dc-80ebbfe2-cc3ccdae
>
> Note that I wrote the user's password in "clear". Now, I can log on to the
> Windows AD with the username red and the password redpwd.
> Then I added another user (yellow) with this LDIF code:
>
> dn: uid=yellow,ou=Other,ou=Students,ou=People,dc=xxxxx,dc=xx
> givenName: yellow
> sn: yellow
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: ntuser
> uid: yellow
> ntUserCreateNewAccount: true
> ntUserDeleteAccount: true
> cn: yellow
> ntUserDomainId: yellow
> userPassword: {MD5}8cb32079718c657b02bbbb176b97d030
> creatorsName: uid=root,ou=administrators,ou=topologymanagement,o=netscaperoot
> modifiersName: uid=root,ou=administrators,ou=topologymanagement,o=netscaperoot
> createTimestamp: 20080318153555Z
> modifyTimestamp: 20080318153555Z
> nsUniqueId: f8f6c801-f50011dc-80ebbfe2-cc3ccdae
>
> Note that MD5(yellowpwd) = 8cb32079718c657b02bbbb176b97d030
> Then if I try to log on to the Windows AD (from Windows) with the username
> yellow and the password yellowred, I cannot log in. Instead, if I try to
> log on to the Windows AD with the username yellow and the
> password {MD5}8cb32079718c657b02bbbb176b97d030 I can log in.
> Do you think that this is a problem strictly related to Windows?
> How can I get over it?
> Thank you in advance.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
From rmeggins at redhat.com Thu Mar 20 16:16:56 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 20 Mar 2008 10:16:56 -0600
Subject: [Fedora-directory-users] Fedora DS version compatibility
In-Reply-To: <47E1D010.2040108@deakin.edu.au>
References: <47E1D010.2040108@deakin.edu.au>
Message-ID: <47E28DF8.5090005@redhat.com>

Luke Bigum wrote:
> Hi all,
>
> I'm looking to upgrade some Fedora DS 1.02 servers to 1.1. We use a
> master-slave replicated configuration. Before I get too far into it,
> are there any known compatibility issues between 1.1 and 1.02? I was
> planning on updating one of the slaves to 1.1 first, leaving our
> master 1.02 server as it is for the time being. Is this possible or
> would I have to upgrade the master first?

1.0.x can replicate to 1.1 and vice versa, should be no issue there.

> Thanks,
>
> -Luke

From david.bogen at icecube.wisc.edu Thu Mar 20 21:22:16 2008
From: david.bogen at icecube.wisc.edu (David Bogen)
Date: Thu, 20 Mar 2008 16:22:16 -0500
Subject: [Fedora-directory-users] Fedora DS version compatibility
In-Reply-To: <47E1D010.2040108@deakin.edu.au>
References: <47E1D010.2040108@deakin.edu.au>
Message-ID: <9889346F-9798-4045-ABC3-AD2F46231D8A@icecube.wisc.edu>

On Mar 19, 2008, at 9:46 PM, Luke Bigum wrote:
>
> I'm looking to upgrade some Fedora DS 1.02 servers to 1.1. We use a
> master-slave replicated configuration. Before I get too far into it,
> are there any known compatibility issues between 1.1 and 1.02? I was
> planning on updating one of the slaves to 1.1 first, leaving our
> master 1.02 server as it is for the time being. Is this possible or
> would I have to upgrade the master first?

We took a few steps down that same road and were less than pleased with the results.
Our configuration directory is still running 1.0.2 and a 1.1 slave was unable to register with it despite repeated attempts and some poking around inside the configuration directory.

So, we ended up with that slave running without being registered with the configuration directory.

From where I sit, it looks like an all-or-nothing affair to upgrade to 1.1.

David

--
David Bogen :: (608) 263-0168
Unix SysAdmin :: IceCube Project
david.bogen at icecube.wisc.edu

From michael at stroeder.com Sat Mar 22 18:01:32 2008
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 22 Mar 2008 19:01:32 +0100
Subject: [Fedora-directory-users] windows sync and password "clear"
In-Reply-To:
References:
Message-ID: <47E5497C.9070500@stroeder.com>

Ivan Ferreira wrote:
> I don't know where I read it but as far as I know you should use only UNIX crypt
> for password, so don't use MD5.

If you're talking about values for the attribute userPassword I'd recommend avoiding the {CRYPT} password scheme since crypt hashes are OS-specific, which might get in your way when migrating to another OS platform. I'd strongly recommend using a salted SHA-1 hash for userPassword.

Ciao, Michael.

From stpierre at NebrWesleyan.edu Mon Mar 24 03:59:17 2008
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Sun, 23 Mar 2008 22:59:17 -0500 (CDT)
Subject: [Fedora-directory-users] Fedora DS version compatibility
In-Reply-To: <47E1D010.2040108@deakin.edu.au>
References: <47E1D010.2040108@deakin.edu.au>
Message-ID:

On Thu, 20 Mar 2008, Luke Bigum wrote:
> I'm looking to upgrade some Fedora DS 1.02 servers to 1.1. We use a
> master-slave replicated configuration. Before I get too far into it, are there
> any known compatibility issues between 1.1 and 1.02? I was planning on
> updating one of the slaves to 1.1 first, leaving our master 1.02 server as it
> is for the time being. Is this possible or would I have to upgrade the master
> first?
We've been transitioning our 1.0.4 boxes to 1.1 one at a time. We have four machines in a multimaster setup, and we've been running a mixed cluster for four weeks now, without any replication issues at all. We only use the base DS, though, so I can't comment on any of the configuration directory issues one of the other responders reported.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

From wpfontenot at cox.net Tue Mar 25 15:43:25 2008
From: wpfontenot at cox.net (Paul Fontenot)
Date: Tue, 25 Mar 2008 08:43:25 -0700
Subject: [Fedora-directory-users] FDS and Outlook
Message-ID: <000001c88e8e$f723d500$e56b7f00$@net>

Can anyone recommend a good howto that'll allow Outlook to 'browse' the ldap entries?

From phanoko at gmail.com Tue Mar 25 15:57:20 2008
From: phanoko at gmail.com (matt wells)
Date: Tue, 25 Mar 2008 08:57:20 -0700
Subject: [Fedora-directory-users] PGP Key Store
Message-ID:

Has anyone used Fedora Directory Services for a PGP store?

From michael at stroeder.com Tue Mar 25 16:35:08 2008
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 25 Mar 2008 17:35:08 +0100
Subject: [Fedora-directory-users] FDS and Outlook
In-Reply-To: <000001c88e8e$f723d500$e56b7f00$@net>
References: <000001c88e8e$f723d500$e56b7f00$@net>
Message-ID: <47E929BC.8090708@stroeder.com>

Paul Fontenot wrote:
>
> Can anyone recommend a good howto that'll allow Outlook to 'browse' the
> ldap entries?

Maybe I misunderstood your question: AFAIK Outlook can only search for entries by (partial) name / e-mail address, listing the results like address book entries. There's no "LDAP browser" built into Outlook. There are many generic LDAP client tools out there which allow "browsing" (using this term in a broad sense).

Ciao, Michael.
From david_list at boreham.org Tue Mar 25 16:45:12 2008
From: david_list at boreham.org (David Boreham)
Date: Tue, 25 Mar 2008 10:45:12 -0600
Subject: [Fedora-directory-users] FDS and Outlook
In-Reply-To: <47E929BC.8090708@stroeder.com>
References: <000001c88e8e$f723d500$e56b7f00$@net> <47E929BC.8090708@stroeder.com>
Message-ID: <47E92C18.6020401@boreham.org>

Michael Ströder wrote:
> Paul Fontenot wrote:
>>
>> Can anyone recommend a good howto that'll allow Outlook to 'browse'
>> the ldap entries?
>
> Maybe I misunderstood your question:
> AFAIK Outlook can only search for entries by (partial) name / e-mail
> address, listing the results like address book entries. There's no
> "LDAP browser" built into Outlook. There are many generic LDAP client
> tools out there which allow "browsing" (using this term in a broad
> sense).

I think Paul is asking about using VLV in FDS with Outlook as the client. The only answer I have is that I'm not sure if Outlook (not Outlook Express) supports VLV. It may well do (Thunderbird does, for example). In fact, this page says that it does:

http://technet.microsoft.com/en-us/library/cc179232.aspx

Here's an old mailing list thread where someone talks about making it work:

http://www.openldap.org/lists/openldap-software/200207/msg00112.html

From jbushey at soleocommunications.com Tue Mar 25 18:28:47 2008
From: jbushey at soleocommunications.com (James)
Date: Tue, 25 Mar 2008 14:28:47 -0400
Subject: [Fedora-directory-users] Glue Entry Thread
Message-ID: <200803251428.47465.jbushey@soleocommunications.com>

Hi All,

I have a set of directory servers with multi-master replication.
On one of the two master servers, I see this log:

[25/Mar/2008:14:26:42 -0400] NSMMReplicationPlugin - conn=5 op=6 csn=47cec1700000000c0000: Can't created glue entry uid=soleotester,ou=people,dc=soleocommunications,dc=com uniqueid =96a7eb81-1dd111b2-8016d669-d3980000, error 68
[25/Mar/2008:14:26:42 -0400] NSMMReplicationPlugin - conn=5 op=6 csn=47cec1700000000c0000: Can't created glue entry uid=soleotester,ou=people,dc=soleocommunications,dc=com uniqueid =96a7eb81-1dd111b2-8016d669-d3980000, error 68

The log is repeated once per second (there are two in this copy/paste). I have a high-level understanding of what a glue entry is, and why one would be created, but why can't this server create one in this instance? And, is there anything I can do to fix this repeated log?

Thanks,
~James

--
James Bushey
Software Engineer
Soleo Communications
(585) 641-4300 x0050

From nkinder at redhat.com Tue Mar 25 18:46:56 2008
From: nkinder at redhat.com (Nathan Kinder)
Date: Tue, 25 Mar 2008 11:46:56 -0700
Subject: [Fedora-directory-users] Glue Entry Thread
In-Reply-To: <200803251428.47465.jbushey@soleocommunications.com>
References: <200803251428.47465.jbushey@soleocommunications.com>
Message-ID: <47E948A0.1090701@redhat.com>

James wrote:
> Hi All,
>
> I have a set of directory servers with multi-master replication. On one of
> the two master servers, I see this log:
>
> [25/Mar/2008:14:26:42 -0400] NSMMReplicationPlugin - conn=5 op=6 csn=47cec1700000000c0000: Can't created glue entry uid=soleotester,ou=people,dc=soleocommunications,dc=com uniqueid =96a7eb81-1dd111b2-8016d669-d3980000, error 68
> [25/Mar/2008:14:26:42 -0400] NSMMReplicationPlugin - conn=5 op=6 csn=47cec1700000000c0000: Can't created glue entry uid=soleotester,ou=people,dc=soleocommunications,dc=com uniqueid =96a7eb81-1dd111b2-8016d669-d3980000, error 68
>
> The log is repeated once per second (there are two in this copy/paste).
> I have a high-level understanding of what a glue entry is, and why one would be
> created, but why can't this server create one in this instance? And, is
> there anything I can do to fix this repeated log?
>
It can't create it because it already exists (error 68). Please file a bug on this issue (https://bugzilla.redhat.com/enter_bug.cgi).

You can try to delete the existing glue entry to allow the replication plug-in to re-create it and proceed.

-NGK

> Thanks,
> ~James
>
>

From jbushey at soleocommunications.com Tue Mar 25 21:13:25 2008
From: jbushey at soleocommunications.com (James)
Date: Tue, 25 Mar 2008 17:13:25 -0400
Subject: [Fedora-directory-users] Glue Entry Thread
In-Reply-To: <47E948A0.1090701@redhat.com>
References: <200803251428.47465.jbushey@soleocommunications.com> <47E948A0.1090701@redhat.com>
Message-ID: <200803251713.26083.jbushey@soleocommunications.com>

Thanks for the suggestion. I have tried searching for the glue entry in the database, and I can't find it:

[soleo at mstrldap01 ~]$ ldapsearch -MMxw xxxxx -D "cn=Directory Manager" -b "ou=soleotester,ou=people,dc=soleocommunications,dc=com" -s one -h 10.1.5.211
# extended LDIF
#
# LDAPv3
# base with scope one
# filter: (objectclass=*)
# requesting: ALL
# with manageDSAit critical control
#

# search result
search: 2
result: 32 No such object
matchedDN: ou=people,dc=soleocommunications,dc=com

# numResponses: 1

When I first noticed these logs, I did find the original entry present on this server (and on the other master) so I deleted this entry from both servers (and restarted ns-slapd), but that didn't get rid of the log.

Also, I've noticed that after a while of having this error printed out, the server stops allowing me to bind in.

Am I doing something wrong in my search? Or, is there something else I can try?
Thanks
~James

On Tuesday 25 March 2008 14:46:56 Nathan Kinder wrote:
> James wrote:
> > Hi All,
> >
> > I have a set of directory servers with multi-master replication. On one
> > of the two master servers, I see this log:
> >
> > [25/Mar/2008:14:26:42 -0400] NSMMReplicationPlugin - conn=5 op=6 csn=47cec1700000000c0000: Can't created glue entry uid=soleotester,ou=people,dc=soleocommunications,dc=com uniqueid =96a7eb81-1dd111b2-8016d669-d3980000, error 68
> > [25/Mar/2008:14:26:42 -0400] NSMMReplicationPlugin - conn=5 op=6 csn=47cec1700000000c0000: Can't created glue entry uid=soleotester,ou=people,dc=soleocommunications,dc=com uniqueid =96a7eb81-1dd111b2-8016d669-d3980000, error 68
> >
> > The log is repeated once per second (there are two in this copy/paste).
> > I have a high-level understanding of what a glue entry is, and why one
> > would be created, but why can't this server create one in this instance?
> > And, is there anything I can do to fix this repeated log?
>
> It can't create it because it already exists (error 68). Please file a
> bug on this issue (https://bugzilla.redhat.com/enter_bug.cgi).
>
> You can try to delete the existing glue entry to allow the replication
> plug-in to re-create it and proceed.
>
> -NGK
>
> > Thanks,
> > ~James

--
James Bushey
Software Engineer
Soleo Communications
(585) 641-4300 x0050

From nkinder at redhat.com Tue Mar 25 22:26:26 2008
From: nkinder at redhat.com (Nathan Kinder)
Date: Tue, 25 Mar 2008 15:26:26 -0700
Subject: [Fedora-directory-users] Glue Entry Thread
In-Reply-To: <200803251713.26083.jbushey@soleocommunications.com>
References: <200803251428.47465.jbushey@soleocommunications.com> <47E948A0.1090701@redhat.com> <200803251713.26083.jbushey@soleocommunications.com>
Message-ID: <47E97C12.3060208@redhat.com>

James wrote:
> Thanks for the suggestion.
> I have tried searching for the glue entry in the
> database, and I can't find it:
>
> [soleo at mstrldap01 ~]$ ldapsearch -MMxw xxxxx -D "cn=Directory Manager" -b "ou=soleotester,ou=people,dc=soleocommunications,dc=com" -s one -h 10.1.5.211
> # extended LDIF
> #
> # LDAPv3
> # base with scope one
> # filter: (objectclass=*)
> # requesting: ALL
> # with manageDSAit critical control
> #
>
> # search result
> search: 2
> result: 32 No such object
> matchedDN: ou=people,dc=soleocommunications,dc=com
>
> # numResponses: 1
>
> When I first noticed these logs, I did find the original entry present on this
> server (and on the other master) so I deleted this entry from both servers
> (and restarted ns-slapd), but that didn't get rid of the log.
>
> Also, I've noticed that after a while of having this error printed out, the
> server stops allowing me to bind in.
>
> Am I doing something wrong in my search? Or, is there something else I can
> try?
>
Your search is searching for "ou=soleotester,ou=people,dc=soleocommunications,dc=com", but the glue entry the server is trying to create is "uid=soleotester,ou=people,dc=soleocommunications,dc=com". Try doing this search instead:

ldapsearch -b "ou=people,dc=soleocommunications,dc=com" -s one "uid=soleotester"

-NGK

> Thanks
>
> ~James
>
> On Tuesday 25 March 2008 14:46:56 Nathan Kinder wrote:
>
>> James wrote:
>>
>>> Hi All,
>>>
>>> I have a set of directory servers with multi-master replication.
>>> On one of the two master servers, I see this log:
>>>
>>> [25/Mar/2008:14:26:42 -0400] NSMMReplicationPlugin - conn=5 op=6 csn=47cec1700000000c0000: Can't created glue entry uid=soleotester,ou=people,dc=soleocommunications,dc=com uniqueid =96a7eb81-1dd111b2-8016d669-d3980000, error 68
>>> [25/Mar/2008:14:26:42 -0400] NSMMReplicationPlugin - conn=5 op=6 csn=47cec1700000000c0000: Can't created glue entry uid=soleotester,ou=people,dc=soleocommunications,dc=com uniqueid =96a7eb81-1dd111b2-8016d669-d3980000, error 68
>>>
>>> The log is repeated once per second (there are two in this copy/paste).
>>> I have a high-level understanding of what a glue entry is, and why one
>>> would be created, but why can't this server create one in this instance?
>>> And, is there anything I can do to fix this repeated log?
>>>
>> It can't create it because it already exists (error 68). Please file a
>> bug on this issue (https://bugzilla.redhat.com/enter_bug.cgi).
>>
>> You can try to delete the existing glue entry to allow the replication
>> plug-in to re-create it and proceed.
>>
>> -NGK
>>
>>
>>> Thanks,
>>> ~James
>>>
>
>
>

From lukeb at deakin.edu.au Wed Mar 26 00:09:42 2008
From: lukeb at deakin.edu.au (Luke Bigum)
Date: Wed, 26 Mar 2008 11:09:42 +1100
Subject: [Fedora-directory-users] Fedora DS version compatibility
In-Reply-To: <9889346F-9798-4045-ABC3-AD2F46231D8A@icecube.wisc.edu>
References: <47E1D010.2040108@deakin.edu.au> <9889346F-9798-4045-ABC3-AD2F46231D8A@icecube.wisc.edu>
Message-ID: <47E99446.3060501@deakin.edu.au>

Thanks for everyone's reply. David, I too had the same issue, even problems registering with another 1.1 instance.
A bit of digging and Googling led me to this Red Hat Bug that has solved my registration problem, it might fix yours:

https://bugzilla.redhat.com/show_bug.cgi?id=431103

The problem seems to be that the setup script tries to create objects a few levels down without first creating the parent objects. The workaround is to create the entries by hand using the template LDIF provided. For an LDIF file, don't forget to add "changetype: add" after the distinguished name line, then:

ldapmodify -a -f ~/ldif.txt -x -H ldap://hydra.its.deakin.edu.au:389/ -D "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -w 'xxxxxx'

David Bogen wrote:
> On Mar 19, 2008, at 9:46 PM, Luke Bigum wrote:
>
>>
>> I'm looking to upgrade some Fedora DS 1.02 servers to 1.1. We use a
>> master-slave replicated configuration. Before I get too far into it,
>> are there any known compatibility issues between 1.1 and 1.02? I was
>> planning on updating one of the slaves to 1.1 first, leaving our
>> master 1.02 server as it is for the time being. Is this possible or
>> would I have to upgrade the master first?
>>
>
> We took a few steps down that same road and were less than pleased with
> the results. Our configuration directory is still running 1.0.2 and a
> 1.1 slave was unable to register with it despite repeated attempts and
> some poking around inside the configuration directory.
>
> So, we ended up with that slave running without being registered with
> the configuration directory.
>
> From where I sit, it looks like an all-or-nothing affair to upgrade to
> 1.1.
>
> David
>
> --
> David Bogen :: (608) 263-0168
> Unix SysAdmin :: IceCube Project
> david.bogen at icecube.wisc.edu

--
Luke Bigum, Unix Administrator, Information Technology Services Division
Deakin University, Waterfront Campus, Victoria 3217 Australia.
From lukeb at deakin.edu.au Wed Mar 26 03:43:00 2008
From: lukeb at deakin.edu.au (Luke Bigum)
Date: Wed, 26 Mar 2008 14:43:00 +1100
Subject: [Fedora-directory-users] Fedora DS version compatibility
In-Reply-To: <47E99446.3060501@deakin.edu.au>
References: <47E1D010.2040108@deakin.edu.au> <9889346F-9798-4045-ABC3-AD2F46231D8A@icecube.wisc.edu> <47E99446.3060501@deakin.edu.au>
Message-ID: <47E9C644.5090507@deakin.edu.au>

After I've had a chance to work with this further, I don't recommend anyone re-register any 1.1 servers with a 1.0.x configuration directory. While the installation of a new server will not fail, attempting to access the new server from the old console does not work. I'm still messing around, but I think I will have to move down the same path as David and have each replicated node registered with itself.

Luke Bigum wrote:
> Thanks for everyone's reply. David, I too had the same issue, even
> problems registering with another 1.1 instance.
> A bit of digging and Googling led me to this Red Hat Bug that has solved
> my registration problem, it might fix yours:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=431103
>
> The problem seems to be that the setup script tries to create objects a few
> levels down without first creating the parent objects. The workaround is to
> create the entries by hand using the template LDIF provided. For an LDIF
> file, don't forget to add "changetype: add" after the distinguished name
> line, then:
>
> ldapmodify -a -f ~/ldif.txt -x -H ldap://hydra.its.deakin.edu.au:389/ -D "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -w 'xxxxxx'
>
> David Bogen wrote:
>> On Mar 19, 2008, at 9:46 PM, Luke Bigum wrote:
>>
>>>
>>> I'm looking to upgrade some Fedora DS 1.02 servers to 1.1. We use a
>>> master-slave replicated configuration. Before I get too far into it,
>>> are there any known compatibility issues between 1.1 and 1.02? I was
>>> planning on updating one of the slaves to 1.1 first, leaving our
>>> master 1.02 server as it is for the time being. Is this possible or
>>> would I have to upgrade the master first?
>>>
>>
>> We took a few steps down that same road and were less than pleased
>> with the results. Our configuration directory is still running 1.0.2
>> and a 1.1 slave was unable to register with it despite repeated
>> attempts and some poking around inside the configuration directory.
>>
>> So, we ended up with that slave running without being registered with
>> the configuration directory.
>>
>> From where I sit, it looks like an all-or-nothing affair to upgrade
>> to 1.1.
>>
>> David
>>
>> --
>> David Bogen :: (608) 263-0168
>> Unix SysAdmin :: IceCube Project
>> david.bogen at icecube.wisc.edu
>

--
Luke Bigum, Unix Administrator, Information Technology Services Division
Deakin University, Waterfront Campus, Victoria 3217 Australia.

From cbruiz at gmail.com Wed Mar 26 07:19:43 2008
From: cbruiz at gmail.com (Carlos Barrales Ruiz)
Date: Wed, 26 Mar 2008 08:19:43 +0100
Subject: [Fedora-directory-users] Glue Entry Thread
In-Reply-To: <200803251428.47465.jbushey@soleocommunications.com>
References: <200803251428.47465.jbushey@soleocommunications.com>
Message-ID: <2DE9697E-C8E1-4266-9852-1862F69820C6@gmail.com>

On 25/03/2008, at 19:28, James wrote:
> Hi All,
>
> I have a set of directory servers with multi-master replication.
> On one of the two master servers, I see this log:
>
> [25/Mar/2008:14:26:42 -0400] NSMMReplicationPlugin - conn=5 op=6 csn=47cec1700000000c0000: Can't created glue entry uid=soleotester,ou=people,dc=soleocommunications,dc=com uniqueid =96a7eb81-1dd111b2-8016d669-d3980000, error 68
> [25/Mar/2008:14:26:42 -0400] NSMMReplicationPlugin - conn=5 op=6 csn=47cec1700000000c0000: Can't created glue entry uid=soleotester,ou=people,dc=soleocommunications,dc=com uniqueid =96a7eb81-1dd111b2-8016d669-d3980000, error 68
>
> The log is repeated once per second (there are two in this copy/paste). I
> have a high-level understanding of what a glue entry is, and why one would be
> created, but why can't this server create one in this instance? And, is
> there anything I can do to fix this repeated log?

Hi James,

We had the same problem. It seemed to me that the mmr plugin could not create the entry because it was created and specified to be a root-of-replication suffix after it (or another suffix parented to it) was still being replicated.

So, in our case, as we had the directory not populated... recreating the tree before starting replication was enough for us to solve it.

Maybe you should get the successful behavior by removing the changelog manually, resetting the replication states that affect the non-creatable entry and reinitializing them, but no warranty.

I suppose also that it should be fixed in an incremental way by removing the affected entry in the server causing the error (consumer) and forcing the replication supplier to populate it.

I'm not sure either whether the problem comes from the local integrity caused by the unique entry id of the entry.

Sorry for my bad English.
Regards
--
Carlos

From santangelo.luigi at tiscali.it Wed Mar 26 11:48:58 2008
From: santangelo.luigi at tiscali.it (Luigi Santangelo)
Date: Wed, 26 Mar 2008 12:48:58 +0100 (CET)
Subject: [Fedora-directory-users] encryption userPassword
Message-ID: <1447186.1206532138526.JavaMail.root@ps7>

Hi all,
With FDS, I created the user red (password red) and this is the LDIF code that I exported from FDS:

dn: uid=red,ou=Other,ou=Students,ou=People,dc=xxxxx,dc=xx
uid: red
givenName: red
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: red
cn: red red
userPassword: {MD5}valkOsZgFyKijyOHFCdNpA==
creatorsName: cn=root
modifiersName: cn=root
createTimestamp: 20080326114136Z
modifyTimestamp: 20080326114136Z
nsUniqueId: 73d76881-fb2911dc-8017dffc-71a7a144

But if I compute, with the md5sum utility, the MD5(red), I get
1098e2cb1442f45f8ca2e74e1cd24bd0
Why? Isn't it the same algorithm? In the FDS I must have the same value as the md5sum utility. How can I do it?
Thanks
luigi

From iferreir at personal.com.py Wed Mar 26 12:10:47 2008
From: iferreir at personal.com.py (Ivan Ferreira)
Date: Wed, 26 Mar 2008 08:10:47 -0400
Subject: [Fedora-directory-users] encryption userPassword
In-Reply-To: <1447186.1206532138526.JavaMail.root@ps7>
Message-ID:

If I'm not wrong, this is because these encryption algorithms use an "initialization vector (IV)". It's a chain used to start the encryption process and allows that identical texts result in different ciphered text.

Luigi Santangelo wrote on 26/03/2008 07:48 a.m. ([Fedora-directory-users] encryption userPassword, sent via fedora-directory-users-bounces at redhat.com):
> Hi all,
> With FDS, I created the user red (password red) and this is the LDIF code that I exported from FDS:
>
> dn: uid=red,ou=Other,ou=Students,ou=People,dc=xxxxx,dc=xx
> uid: red
> givenName: red
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> sn: red
> cn: red red
> userPassword: {MD5}valkOsZgFyKijyOHFCdNpA==
> creatorsName: cn=root
> modifiersName: cn=root
> createTimestamp: 20080326114136Z
> modifyTimestamp: 20080326114136Z
> nsUniqueId: 73d76881-fb2911dc-8017dffc-71a7a144
>
> But if I compute, with the md5sum utility, the MD5(red), I get
> 1098e2cb1442f45f8ca2e74e1cd24bd0
> Why? Isn't it the same algorithm? In the FDS I must have the same value as the md5sum utility. How can I do it?
> Thanks
> luigi
This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded neither as a proposal, acceptance nor as a statement of will or official statement from NUCLEO S.A. Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice. From santangelo.luigi at tiscali.it Wed Mar 26 12:20:33 2008 From: santangelo.luigi at tiscali.it (Luigi Santangelo) Date: Wed, 26 Mar 2008 13:20:33 +0100 (CET) Subject: [Fedora-directory-users] encryption userPassword Message-ID: <25104397.1206534033450.JavaMail.root@ps10> Where can I find this IV?
>----Original message----
>From: iferreir at personal.com.py
>Date: 26/03/2008 13.10
>To: "Luigi Santangelo", "General discussion list for the Fedora Directory server project."
>Cc: ,
>Subject: Re: [Fedora-directory-users] encryption userPassword
>
>If I'm not wrong, this is because these encryption algorithms use an
>"initialization vector (IV)". It's a string used to start the encryption
>process, and it allows identical texts to result in different ciphered texts.
From marco.maccari at unicam.it Wed Mar 26 12:13:41 2008 From: marco.maccari at unicam.it (Marco Maccari) Date: Wed, 26 Mar 2008 13:13:41 +0100 Subject: [Fedora-directory-users] error PassSync Message-ID: We installed PassSync on a Windows 2003 server. We have the following error when PassSync starts.
03/26/08 12:04:25: PassSync service stopped
03/26/08 12:04:28: PassSync service started
03/26/08 12:04:28: Failed to load entries from file
What does this error mean? "Failed to load entries from file": what are the entries that it should read? Which files is it working with? Thanks Marco From vinod3942 at gmail.com Wed Mar 26 06:42:52 2008 From: vinod3942 at gmail.com (vinod gupta) Date: Wed, 26 Mar 2008 12:12:52 +0530 Subject: [Fedora-directory-users] skew time error In-Reply-To: <75a3b3850803252340v63c6c83fm8771539754761182@mail.gmail.com> References: <75a3b3850803252340v63c6c83fm8771539754761182@mail.gmail.com> Message-ID: <75a3b3850803252342r48579038wea9187303642b30@mail.gmail.com> Hi, we installed FDS 1.04 on Red Hat Linux servers with MMR.
Everything seemed to be working fine for 4-5 months, and then suddenly all the MMR broke and says too excessive skew time and replication aborting. I have tried all the possible ways that have been mentioned in some of the posts but it didn't help. After some time the same errors come again and again. I have checked my server times; they are all in sync. I am clueless now. Can anybody suggest a way to help me out of this problem? Regards Vinod From michael at stroeder.com Wed Mar 26 13:27:07 2008 From: michael at stroeder.com (Michael Ströder) Date: Wed, 26 Mar 2008 14:27:07 +0100 Subject: [Fedora-directory-users] encryption userPassword In-Reply-To: References: Message-ID: <47EA4F2B.1070101@stroeder.com> Ivan Ferreira wrote: > If I'm not wrong, this is because these encryption algorithms use an > "initialization vector (IV)". An IV for MD5? I seriously doubt that. Note that MD5 is not reversible encryption. It's a hash algorithm (one-way encryption). Maybe you're talking about adding a salt? But this would be password scheme {SMD5} not {MD5}. BTW: {SSHA} should be preferred! To make things more clear here are good explanations which also apply to FDS: http://www.openldap.org/faq/data/cache/419.html Ciao, Michael. From michael at stroeder.com Wed Mar 26 13:40:06 2008 From: michael at stroeder.com (Michael Ströder) Date: Wed, 26 Mar 2008 14:40:06 +0100 Subject: [Fedora-directory-users] encryption userPassword In-Reply-To: <1447186.1206532138526.JavaMail.root@ps7> References: <1447186.1206532138526.JavaMail.root@ps7> Message-ID: <47EA5236.6040203@stroeder.com> Luigi Santangelo wrote: > userPassword: {MD5}valkOsZgFyKijyOHFCdNpA== > [..] > But if I compute MD5(red) with the md5sum utility, I get > 1098e2cb1442f45f8ca2e74e1cd24bd0 If everything's correct it should be the same binary MD5 value but differently encoded to be ASCII-clean.
The value for userPassword is base64-encoded after the password scheme identifier (here {MD5}). The command-line tool md5sum generates hex-byte encoding. Note that I didn't check whether the values you provided above are actually the same binary MD5 value. Take care of possible line-breaks or other white-space chars when using md5sum. You should probably consider using a decent scripting language instead of command-line tools to generate values for userPassword though. See also (yes, it also applies to FDS): http://www.openldap.org/faq/data/cache/419.html Ciao, Michael. -- Michael Ströder E-Mail: michael at stroeder.com http://www.stroeder.com From nalin at redhat.com Wed Mar 26 15:15:09 2008 From: nalin at redhat.com (Nalin Dahyabhai) Date: Wed, 26 Mar 2008 11:15:09 -0400 Subject: [Fedora-directory-users] encryption userPassword In-Reply-To: <1447186.1206532138526.JavaMail.root@ps7> References: <1447186.1206532138526.JavaMail.root@ps7> Message-ID: <20080326151508.GA919@redhat.com> On Wed, Mar 26, 2008 at 12:48:58PM +0100, Luigi Santangelo wrote: > With FDS, I created the user red (password red) and this is the LDIF code > that I exported from FDS: [snip] > userPassword: {MD5}valkOsZgFyKijyOHFCdNpA== [snip] > But if I compute MD5(red) with the md5sum utility, I get > 1098e2cb1442f45f8ca2e74e1cd24bd0 > Why? Isn't it the same algorithm? In FDS I must have the same > value as the md5sum utility. How can I do that? Nothing's wrong. The text "valkOsZgFyKijyOHFCdNpA==" is a base64-encoded version of these bytes [1]:
bd a9 64 3a c6 60 17 22 a2 8f 23 87 14 27 4d a4
You seem to have given the md5sum utility the text "red\n", which gives me 1098e2cb1442f45f8ca2e74e1cd24bd0. The md5sum of the text "red" is actually bda9643ac6601722a28f238714274da4, which is what the directory server stored.
Just a guess, but if you're using echo and piping the text through "md5sum" on the command line to do the calculation, be sure you run echo with the "-n" flag so that it doesn't append a newline to the output. Then the results will match. HTH, Nalin [1] "echo valkOsZgFyKijyOHFCdNpA== | openssl base64 -d | od -t x1" From jbushey at soleocommunications.com Wed Mar 26 16:00:07 2008 From: jbushey at soleocommunications.com (James) Date: Wed, 26 Mar 2008 12:00:07 -0400 Subject: [Fedora-directory-users] Glue Entry Thread In-Reply-To: <47E97C12.3060208@redhat.com> References: <200803251428.47465.jbushey@soleocommunications.com> <200803251713.26083.jbushey@soleocommunications.com> <47E97C12.3060208@redhat.com> Message-ID: <200803261200.07649.jbushey@soleocommunications.com> Whoop! I ran that search in a hurry yesterday just to have something to paste into the email. I had run my search and the one you suggested earlier (correctly) but couldn't see the entry. I did, however, manage to delete the entry which I could not see. The trick was, I had to shut down both masters, then start only the master that had been printing out the errors. At this point, the error-printing master was not printing the error (no replication from the other server pushing this change across). Then, I was able to do an ldapmodify and delete the invisible glue entry. I then started up the other master, and replication resumed as normal, without any error messages. That seemed to work for me. Thanks for all of your help. ~James
[soleo at mstrldap01 ~]$ ldapsearch -MMxw xxxx -D "cn=Directory Manager" -b "ou=people,dc=soleocommunications,dc=com" -s one -h 10.1.5.211 '(uid=soleotester)'
# extended LDIF
#
# LDAPv3
# base with scope one
# filter: (uid=soleotester)
# requesting: ALL
# with manageDSAit critical control
#
# search result
search: 2
result: 0 Success
# numResponses: 1
On Tuesday 25 March 2008 18:26:26 Nathan Kinder wrote: > James wrote: > > Thanks for the suggestion.
> > I have tried searching for the glue entry in the database, and I can't find it:
> >
> > [soleo at mstrldap01 ~]$ ldapsearch -MMxw xxxxx -D "cn=Directory Manager" -b "ou=soleotester,ou=people,dc=soleocommunications,dc=com" -s one -h 10.1.5.211
> > # extended LDIF
> > #
> > # LDAPv3
> > # base with scope one
> > # filter: (objectclass=*)
> > # requesting: ALL
> > # with manageDSAit critical control
> > #
> >
> > # search result
> > search: 2
> > result: 32 No such object
> > matchedDN: ou=people,dc=soleocommunications,dc=com
> >
> > # numResponses: 1
> >
> > When I first noticed these logs, I did find the original entry present on this server (and on the other master) so I deleted this entry from both servers (and restarted ns-slapd), but that didn't get rid of the log.
> >
> > Also, I've noticed that after a while of having this error printed out, the server stops allowing me to bind in.
> >
> > Am I doing something wrong in my search? Or, is there something else I can try?
> Your search is searching for "ou=soleotester,ou=people,dc=soleocommunications,dc=com", but the glue entry the server is trying to create is "uid=soleotester,ou=people,dc=soleocommunications,dc=com". Try doing this search instead:
>
> ldapsearch -b "ou=people,dc=soleocommunications,dc=com" -s one "uid=soleotester"
>
> -NGK
> > Thanks
> >
> > ~James
> >
> > On Tuesday 25 March 2008 14:46:56 Nathan Kinder wrote:
> >> James wrote:
> >>> Hi All,
> >>>
> >>> I have a set of directory servers with multi-master replication.
On > >>> one of the two master servers, I see this log: > >>> > >>> [25/Mar/2008:14:26:42 -0400] NSMMReplicationPlugin - conn=5 op=6 > >>> csn=47cec1700000000c0000: > >>> Can't created glue entry > >>> uid=soleotester,ou=people,dc=soleocommunications,dc=com uniqueid > >>> =96a7eb81-1dd111b2-8016d669-d3980000, error 68 > >>> [25/Mar/2008:14:26:42 -0400] NSMMReplicationPlugin - conn=5 op=6 > >>> csn=47cec1700000000c0000: > >>> Can't created glue entry > >>> uid=soleotester,ou=people,dc=soleocommunications,dc=com uniqueid > >>> =96a7eb81-1dd111b2-8016d669-d3980000, error 68 > >>> > >>> The logs is repeated once per second (there are two in this > >>> copy/paste). I have a high-level understanding of what a glue entry is, > >>> and why one would be created, but why can't this server create one in > >>> this instance? And, is there anything I can do to fix this repeated > >>> log? > >> > >> It can't create it because it already exists (error 68). Please file a > >> bug on this issue (https://bugzilla.redhat.com/enter_bug.cgi). > >> > >> You can try to delete the existing glue entry to allow the replication > >> plug-in to re-create it and proceed. > >> > >> -NGK > >> > >>> Thanks, > >>> ~James -- James Bushey Software Engineer Soleo Communications (585) 641-4300 x0050 From kmarsh at gdrs.com Wed Mar 26 17:40:02 2008 From: kmarsh at gdrs.com (Ken Marsh) Date: Wed, 26 Mar 2008 13:40:02 -0400 Subject: [Fedora-directory-users] skew time error Message-ID: <5AD9B0E562FEFB4E933861904D7135C5796F90@gdrs-exchange.gdrs.com> Vinod, Check the Java JRE on each system for the same revision level. Over the past year, each successive revision of Java has had different Daylight Savings Time rules, some of which may conflict- for example, I had a problem with Oracle's Enterprise Manager due to JRE DST. I suggest getting your different servers to the same O/S patch level and running all your Directory Servers on the same Java Runtime version. 
Ken Marsh ANS System Administration Lead (410) 876-9200 From vaddarapu at gmail.com Thu Mar 27 04:58:02 2008 From: vaddarapu at gmail.com (Anand Vaddarapu) Date: Thu, 27 Mar 2008 15:58:02 +1100 Subject: [Fedora-directory-users] Console issue In-Reply-To: <7020fd000803140242m19b48259pde0d33b593aee476@mail.gmail.com> References: <47C48B03.7040206@redhat.com> <47C490E0.2010606@redhat.com> <7020fd000803140242m19b48259pde0d33b593aee476@mail.gmail.com> Message-ID: Hi, After I enabled SSL in the LDAP server I could not log in to the console. I have fixed this by correcting the CA cert listed from Server-Cert to server-cert. Thanks for your help. On Fri, Mar 14, 2008 at 8:42 PM, solarflow99 wrote:
> What release of Linux do you have? Are you running this from an xterm on the host PC? What is the actual error?
>
> On 3/14/08, Anand Vaddarapu wrote:
> > Hi,
> > I installed IBM Java 1.5 but am still having the same issue. Any suggestions appreciated.
> > Thanks.
> >
> > On Wed, Feb 27, 2008 at 9:21 AM, Rich Megginson wrote:
> > > Anand Vaddarapu wrote:
> > > > Hi,
> > > > That's exactly right. Can I install IBM Java 1.5 without removing Sun Java?
> > > Yes.
> > > > Thanks
> > > > On Wed, Feb 27, 2008 at 8:56 AM, Rich Megginson wrote:
> > > > Anand Vaddarapu wrote:
> > > > > Hi,
> > > > > When I turn on SSL I use the URL as https.
> > > > (You still see that same error, but the console works anyway?)
> > > > So, if you turn on the SSL engine and use https, you get the X11 Display error, and nothing else. If you turn off the SSL engine, and use http, you get the X11 Display error, and it continues and works.
> > > > If that's the case, then I'm not really sure what to do, except suggest that you try the IBM Java 1.5.
> > > > > Yes, the console works fine when the SSL engine is turned off.
> > > > > Thanks
From vaddarapu at gmail.com Thu Mar 27 04:59:29 2008 From: vaddarapu at gmail.com (Anand Vaddarapu) Date: Thu, 27 Mar 2008 15:59:29 +1100 Subject: [Fedora-directory-users] SSL Message-ID: Hi, After enabling SSL with the console using the procedure http://directory.fedoraproject.org/wiki/Howto:SSL#Console_SSL_Information I am getting the following error messages when I am trying to log in to the directory server in the console.
SSL is enabled in both the admin console and the LDAP server. From the logs:
[27/Mar/2008:14:56:24 +1100] conn=47 fd=66 slot=66 SSL connection from 10.50.5.81 to 10.50.1.24
[27/Mar/2008:14:56:24 +1100] conn=47 op=-1 fd=66 closed - SSL peer cannot verify your certificate.
We see these when starting the LDAP server:
[27/Mar/2008:14:45:04 +1100] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[27/Mar/2008:14:45:04 +1100] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[27/Mar/2008:14:45:04 +1100] - Failed to initialize cipher AES in attrcrypt_init
[27/Mar/2008:14:45:04 +1100] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[27/Mar/2008:14:45:04 +1100] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[27/Mar/2008:14:45:04 +1100] - Failed to initialize cipher AES in attrcrypt_init
[27/Mar/2008:14:45:05 +1100] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[27/Mar/2008:14:45:05 +1100] - Listening on All Interfaces port 636 for LDAPS requests
Console error message: netscape.ldap.LDAPException:JSSSocketFactory.makeSocket devil.wcg.net.au:636, SSL_ForceHandshake failed: (-8054) unknown error (91) Help appreciated. Thanks From iferreir at personal.com.py Thu Mar 27 13:09:57 2008 From: iferreir at personal.com.py (Ivan Ferreira) Date: Thu, 27 Mar 2008 09:09:57 -0400 Subject: [Fedora-directory-users] error PassSync In-Reply-To: Message-ID: Check the permissions for the passhook.dat file in the Domain Controller. Marco Maccari wrote: > We installed PassSync on a Windows 2003 server. We have the following error when PassSync starts.
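The encryption userPassword thread above turns on two separate points: the {MD5} value in the LDIF is the same 16 digest bytes that md5sum prints, only base64-encoded instead of hex, and md5sum was fed "red\n" rather than "red". The script below is an added example written for this page, not code from the thread or from Fedora DS. It builds and verifies userPassword values for the {MD5}, {SMD5}, {SHA} and {SSHA} schemes, re-encodes a stored value as hex so it can be compared with md5sum, and rejects a malformed value (for instance a hex digest pasted after {MD5}, which base64-decodes to the wrong length). The digest-then-salt layout for the salted schemes is the convention 389 DS and OpenLDAP use; the salt, the function names and the "redpwd" cleartext check are assumptions of this example.

```python
"""Added example (not from the thread or from Fedora DS): build and verify
userPassword values for the {MD5}, {SMD5}, {SHA} and {SSHA} schemes and
show why md5sum's hex output differs from the directory's base64 value."""
import base64
import hashlib
import hmac
import os

# Scheme name -> hashlib digest name; the S* variants append a random salt.
SCHEMES = {"MD5": "md5", "SMD5": "md5", "SHA": "sha1", "SSHA": "sha1"}


def make_userpassword(password, scheme="SSHA", salt=None):
    """Return '{SCHEME}' + base64(digest [+ salt]), the stored userPassword form.

    Salted schemes hash password||salt and store digest||salt (389 DS /
    OpenLDAP layout, assumed here). A fresh 8-byte salt is drawn per call."""
    scheme = scheme.upper()
    h = hashlib.new(SCHEMES[scheme])
    h.update(password.encode("utf-8"))
    if scheme.startswith("S"):
        salt = os.urandom(8) if salt is None else salt
        h.update(salt)
        blob = h.digest() + salt
    else:
        blob = h.digest()
    return "{%s}%s" % (scheme, base64.b64encode(blob).decode("ascii"))


def split_stored(stored):
    """Parse '{SCHEME}base64' into (scheme, digest, salt); None if malformed."""
    if not stored.startswith("{") or "}" not in stored:
        return None
    scheme, b64 = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        return None
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError: not base64 at all
        return None
    dlen = hashlib.new(SCHEMES[scheme]).digest_size
    digest, salt = raw[:dlen], raw[dlen:]
    if len(digest) != dlen or (salt and not scheme.startswith("S")):
        return None  # wrong length, e.g. hex text pasted where base64 belongs
    return scheme, digest, salt


def check_userpassword(stored, candidate):
    """Constant-time verification of a candidate password against a stored value."""
    if not stored.startswith("{"):
        # No scheme prefix: the directory stored the password in cleartext.
        return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    parsed = split_stored(stored)
    if parsed is None:
        return False
    scheme, digest, salt = parsed
    h = hashlib.new(SCHEMES[scheme])
    h.update(candidate.encode("utf-8"))
    h.update(salt)  # empty for the unsalted schemes
    return hmac.compare_digest(h.digest(), digest)


def md5sum_hex(data):
    """What the md5sum utility prints: the same digest bytes, hex-encoded."""
    return hashlib.md5(data).hexdigest()


def stored_to_hex(stored):
    """Re-encode a stored value's digest as hex so it can be compared with md5sum."""
    parsed = split_stored(stored)
    return None if parsed is None else parsed[1].hex()


if __name__ == "__main__":
    v = make_userpassword("red", "MD5")
    print("directory stores :", v)
    print("same bytes as hex:", stored_to_hex(v))
    print("md5sum of 'red'  :", md5sum_hex(b"red"))
    print("md5sum of 'red\\n':", md5sum_hex(b"red\n"))
    print("preferred scheme :", make_userpassword("red"))  # {SSHA}, random salt
```

Run it and the first three lines agree with Nalin's numbers; the fourth is the value a plain `echo red | md5sum` produces. The default scheme is {SSHA}, which is what Michael recommends: the per-entry salt means two users with the same password get different stored values, and a dumped LDIF cannot be attacked with one precomputed table.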
From prjctgeek at gmail.com Thu Mar 27 19:17:36 2008 From: prjctgeek at gmail.com (Doug Chapman) Date: Thu, 27 Mar 2008 12:17:36 -0700 Subject: [Fedora-directory-users] ldap2dns schema Message-ID: I'm trying to evaluate ldap2dns, but I'm having trouble loading the schema into FDS 1.1. I used the file http://directory.fedoraproject.org/wiki/94ldap2dns.ldif, but the allowed attributes aren't getting populated; the objectclass is getting created. There are no errors in the directory server log on startup, and I can see all of the attributes in the console under Configuration->schema->attributes. So it's like the MAY line from this entry is getting ignored or thrown out:
objectClasses: ( 1.3.6.1.4.1.7222.1.4.20 NAME 'dnsrrset' SUP dnszone MUST ( objectclass $ cn ) MAY ( dnsdomainname $ dnsrr $ dnsclass $ dnstype $ dnsipaddr $ dnscipaddr $ dnscname $ dnspreference $ dnsttl $ dnstimestamp $ owner $ dnssrvpriority $ dnssrvweight $ dnssrvport ) )
What am I missing? From suuuper at messinalug.org Fri Mar 28 10:46:58 2008 From: suuuper at messinalug.org (Giovanni Mancuso) Date: Fri, 28 Mar 2008 11:46:58 +0100 Subject: [Fedora-directory-users] Book on FedoraDS Message-ID: <47ECCCA2.5030706@messinalug.org> Hi to all, Is there a book about Fedora DS? I found many books that talk about LDAP, but none specific to Fedora DS. Thanks From beyonddc.storage at gmail.com Fri Mar 28 14:26:44 2008 From: beyonddc.storage at gmail.com (Chun Tat David Chu) Date: Fri, 28 Mar 2008 10:26:44 -0400 Subject: [Fedora-directory-users] Book on FedoraDS In-Reply-To: <47ECCCA2.5030706@messinalug.org> References: <47ECCCA2.5030706@messinalug.org> Message-ID: <20e4c38c0803280726p11c04b03s12b2899cc4ea2ae4@mail.gmail.com> I don't think there's any book specifically written for Fedora DS. I would have had it in my hand if there were one.
:-) Your best resource for Fedora DS is probably the Red Hat DS manuals that you can find at http://www.redhat.com/docs/manuals/dir-server/ Use the RH DS 8 manuals for Fedora DS 1.1. Use the RH DS 7 manuals for any Fedora DS prior to 1.1. - dc On Fri, Mar 28, 2008 at 6:46 AM, Giovanni Mancuso wrote: > Hi to all, > Is there a book about Fedora DS? > I found many books that talk about LDAP, but none specific to Fedora DS. > > Thanks From Ken.GENOUEL at valeo.com Fri Mar 28 14:30:04 2008 From: Ken.GENOUEL at valeo.com (Ken.GENOUEL at valeo.com) Date: Fri, 28 Mar 2008 15:30:04 +0100 Subject: [Fedora-directory-users] Allow only TLS connections Message-ID: Hello, Is there a way to force Fedora Directory to handle only TLS connections and drop everything else? Thanks Best Regards -- Ken GENOUEL ken.genouel at valeo.com VALEO SYSTEMES THERMIQUES SAS Branche Thermique Habitacle 8 rue Louis Lormand BP513 - LA VERRIERE 78321 LE MESNIL SAINT DENIS RCS Versailles : 331 312 108 "This e-mail message is intended only for the use of the intended recipient(s). The information contained therein may be confidential or privileged, and its disclosure or reproduction is strictly prohibited. If you are not the intended recipient, please return it immediately to its sender at the above address and destroy it."
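The access-log lines Anand posted in the SSL thread (`conn=47 fd=66 slot=66 SSL connection from ...`) are also the records you need for Ken's question. Whatever mechanism ends up dropping non-TLS traffic, the first step is to learn which clients still open cleartext connections to port 389 and, worse, send simple binds over them, because those passwords cross the network unencrypted. The script below is an added example written for this page, not code from the thread or from Fedora DS. It parses the 389/Fedora DS access-log format shown in the thread and tracks per connection whether it arrived as LDAPS or was upgraded by a successful StartTLS; the StartTLS line (`EXT oid="1.3.6.1.4.1.1466.20037"`) and every sample log line are constructed for the example and are assumptions about the log format, not copied from a real server.

```python
"""Added example: find cleartext connections and cleartext simple binds in a
389/Fedora DS access log before restricting a server to TLS only."""
import re
from collections import defaultdict

# Access-log patterns in the format seen in the thread. The StartTLS EXT line
# is an assumption about the log format for this example.
CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ (SSL )?connection from (\S+) to (\S+)')
STARTTLS_RE = re.compile(r'conn=(\d+) op=(\d+) EXT oid="1\.3\.6\.1\.4\.1\.1466\.20037"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\w+)')

SIMPLE_BIND = "128"  # method=128 is an LDAP simple bind: the password is sent as-is


def audit_access_log(lines):
    """Return (findings, cleartext_bind_sources).

    findings: simple binds with a non-empty DN on connections that were neither
    LDAPS nor upgraded by a successful StartTLS, i.e. a password on the wire.
    cleartext_bind_sources: per-source-IP count of every bind, anonymous ones
    included, sent over a cleartext connection; this is who a TLS-only policy
    would cut off."""
    conns = {}
    findings = []
    sources = defaultdict(int)
    for line in lines:
        m = CONN_RE.search(line)
        if m:
            cid, ssl, src, _dst = m.groups()
            conns[cid] = {"ip": src, "secure": ssl is not None, "tls_op": None}
            continue
        m = STARTTLS_RE.search(line)
        if m:
            cid, op = m.groups()
            if cid in conns:
                conns[cid]["tls_op"] = op  # secure only once the RESULT says err=0
            continue
        m = RESULT_RE.search(line)
        if m:
            cid, op, err = m.groups()
            c = conns.get(cid)
            if c and c["tls_op"] == op:
                if err == "0":
                    c["secure"] = True
                c["tls_op"] = None
            continue
        m = BIND_RE.search(line)
        if m:
            cid, _op, dn, method = m.groups()
            c = conns.get(cid)
            if c is None or c["secure"]:
                continue  # opened before the log window, or already encrypted
            sources[c["ip"]] += 1
            if method == SIMPLE_BIND and dn:
                findings.append({"conn": cid, "ip": c["ip"], "dn": dn})
    return findings, dict(sources)


def report(findings, sources):
    """Summary as a list of lines (returned rather than printed so it is testable)."""
    out = ["%d cleartext simple bind(s) with credentials:" % len(findings)]
    out += ["  conn=%s from %s as %s" % (f["conn"], f["ip"], f["dn"]) for f in findings]
    out.append("binds over cleartext connections by source IP:")
    out += ["  %s: %d" % (ip, n) for ip, n in sorted(sources.items())]
    return out


# Constructed sample log for this example, not taken from any real server.
SAMPLE_LOG = """\
[27/Mar/2008:14:56:24 +1100] conn=47 fd=66 slot=66 SSL connection from 10.50.5.81 to 10.50.1.24
[27/Mar/2008:14:56:24 +1100] conn=47 op=-1 fd=66 closed - SSL peer cannot verify your certificate.
[27/Mar/2008:14:57:01 +1100] conn=48 fd=67 slot=67 connection from 10.50.5.90 to 10.50.1.24
[27/Mar/2008:14:57:01 +1100] conn=48 op=0 BIND dn="uid=red,ou=People,dc=example,dc=com" method=128 version=3
[27/Mar/2008:14:57:01 +1100] conn=48 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=red,ou=people,dc=example,dc=com"
[27/Mar/2008:14:57:02 +1100] conn=48 op=1 UNBIND
[27/Mar/2008:14:57:02 +1100] conn=48 op=1 fd=67 closed - U1
[27/Mar/2008:14:58:10 +1100] conn=49 fd=68 slot=68 connection from 10.50.5.91 to 10.50.1.24
[27/Mar/2008:14:58:10 +1100] conn=49 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[27/Mar/2008:14:58:10 +1100] conn=49 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[27/Mar/2008:14:58:11 +1100] conn=49 op=1 BIND dn="cn=Directory Manager" method=128 version=3
[27/Mar/2008:14:58:11 +1100] conn=49 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[27/Mar/2008:14:59:00 +1100] conn=50 fd=69 slot=69 connection from 127.0.0.1 to 127.0.0.1
[27/Mar/2008:14:59:00 +1100] conn=50 op=0 BIND dn="" method=128 version=3
[27/Mar/2008:14:59:00 +1100] conn=50 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[27/Mar/2008:14:59:30 +1100] conn=51 fd=70 slot=70 connection from 10.50.5.92 to 10.50.1.24
[27/Mar/2008:14:59:30 +1100] conn=51 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[27/Mar/2008:14:59:30 +1100] conn=51 op=0 RESULT err=1 tag=120 nentries=0 etime=0
[27/Mar/2008:14:59:31 +1100] conn=51 op=1 BIND dn="uid=yellow,ou=People,dc=example,dc=com" method=128 version=3
"""

if __name__ == "__main__":
    print("\n".join(report(*audit_access_log(SAMPLE_LOG.splitlines()))))
```

On the sample, conn=48 (plain connection, simple bind as uid=red) and conn=51 (StartTLS refused with err=1, then a bind anyway) are the two credential exposures; conn=49 is clean because its StartTLS succeeded before the bind, and conn=50's anonymous bind is counted as a cleartext source but not as a leaked credential. The failed-StartTLS case matters in practice: a client that ignores the StartTLS error and binds anyway is exactly what a TLS-only policy is meant to stop.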
From iferreir at personal.com.py Fri Mar 28 14:50:13 2008 From: iferreir at personal.com.py (Ivan Ferreira) Date: Fri, 28 Mar 2008 10:50:13 -0400 Subject: [Fedora-directory-users] Allow only TLS connections In-Reply-To: Message-ID: For now, I think only with iptables. Ken.GENOUEL at valeo.com wrote: > Is there a way to force Fedora Directory to handle only TLS connections and drop everything else?
From iferreir at personal.com.py Fri Mar 28 14:57:22 2008 From: iferreir at personal.com.py (Ivan Ferreira) Date: Fri, 28 Mar 2008 10:57:22 -0400 Subject: [Fedora-directory-users] encryption userPassword In-Reply-To: <47EA4F2B.1070101@stroeder.com> Message-ID: >>> An IV for MD5? I seriously doubt that. Using Google I found: The initialization vector is the value to which the MD5 internal variables are initially set before beginning the hashing process. Michael Ströder wrote: > Ivan Ferreira wrote: > > If I'm not wrong, this is because these encryption algorithms use an > > "initialization vector (IV)".
From beyonddc.storage at gmail.com Fri Mar 28 18:53:02 2008
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Fri, 28 Mar 2008 14:53:02 -0400
Subject: [Fedora-directory-users] Fedora DS 1.0.2 and RHEL5.1 Compatibility
Message-ID: <20e4c38c0803281153v728d1ddfu2cc6c708e1541423@mail.gmail.com>

Hi All,

I would like to install Fedora DS 1.0.2 LDAP (64 bits) on RHEL 5.1 (64 bits) using the binary package (fedora-ds-1.0.2-1.FC5.x86_64.opt.rpm) built against FC5 that can be downloaded from the Fedora DS website (http://directory.fedoraproject.org/wiki/Download).

I installed it, launched the console and ran a couple of my Java LDAP tests that use Java Native Directory Interface (JNDI), and it seems to be working happily.

When I look at it, it seems like it is compatible.

I would like to know if I'm missing anything obvious that would make the Fedora DS 1.0.2 binary package built against FC5 incompatible with RHEL 5.1?

Thanks!!

- David

From nkinder at redhat.com Fri Mar 28 22:41:32 2008
From: nkinder at redhat.com (Nathan Kinder)
Date: Fri, 28 Mar 2008 15:41:32 -0700
Subject: [Fedora-directory-users] windows sync and password "clear"
In-Reply-To: <23615050.1205923062302.JavaMail.root@ps22>
References: <23615050.1205923062302.JavaMail.root@ps22>
Message-ID: <47ED741C.6020509@redhat.com>

Luigi Santangelo wrote:
> Hi everybody, this is my problem:
> I configured my Fedora DS and now I can sync the LDAP users with
> Windows 2003 Active Directory.
> Then I created a new user with this LDIF:
>
> dn: uid=red,ou=Other,ou=Students,ou=People,dc=xxxxx,dc=xx
> givenName: red
> sn: red
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: ntuser
> uid: red
> ntUserCreateNewAccount: true
> ntUserDeleteAccount: true
> cn: red
> ntUserDomainId: red
> userPassword: redpwd
> creatorsName: uid=root,ou=administrators,ou=topologymanagement,o=netscaperoot
> modifiersName: uid=root,ou=administrators,ou=topologymanagement,o=netscaperoot
> createTimestamp: 20080318153555Z
> modifyTimestamp: 20080318153555Z
> nsUniqueId: f8f6c801-f50011dc-80ebbfe2-cc3ccdae
>
> Note that I wrote the user's password in "clear". Now I can log on to the
> Windows AD with the username red and the password redpwd.
> Then I added another user (yellow) with this LDIF:
>
> dn: uid=yellow,ou=Other,ou=Students,ou=People,dc=xxxxx,dc=xx
> givenName: yellow
> sn: yellow
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: ntuser
> uid: yellow
> ntUserCreateNewAccount: true
> ntUserDeleteAccount: true
> cn: yellow
> ntUserDomainId: yellow
> userPassword: {MD5}8cb32079718c657b02bbbb176b97d030
> creatorsName: uid=root,ou=administrators,ou=topologymanagement,o=netscaperoot
> modifiersName: uid=root,ou=administrators,ou=topologymanagement,o=netscaperoot
> createTimestamp: 20080318153555Z
> modifyTimestamp: 20080318153555Z
> nsUniqueId: f8f6c801-f50011dc-80ebbfe2-cc3ccdae
>
> Note that MD5(yellowpwd) = 8cb32079718c657b02bbbb176b97d030
> Then, if I try to log on to the Windows AD (from Windows) with the username
> yellow and the password yellowred, I cannot log in. Instead, if I try to
> log on to the Windows AD with the username yellow and the
> password {MD5}8cb32079718c657b02bbbb176b97d030, I can log in.
> Do you think that this is a problem strictly related to Windows?
> How can I get over it?
You can't pre-hash the password on the client side if you want it to be properly synced to AD. The client needs to provide its password to FDS in the clear, preferably over LDAPS or using a SASL mechanism that provides confidentiality. FDS will then hash it according to the default password hash storage scheme config setting. The clear password will be provided to AD over LDAPS so AD can hash it using the hashing scheme it needs.

-NGK

> Thank you in advance.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From solarflow99 at gmail.com Fri Mar 28 23:29:54 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Fri, 28 Mar 2008 23:29:54 +0000
Subject: [Fedora-directory-users] Fedora DS 1.0.2 and RHEL5.1 Compatibility
In-Reply-To: <20e4c38c0803281153v728d1ddfu2cc6c708e1541423@mail.gmail.com>
References: <20e4c38c0803281153v728d1ddfu2cc6c708e1541423@mail.gmail.com>
Message-ID: <7020fd000803281629l65fb05b5w38a90c1cf1e8f539@mail.gmail.com>

Is there a reason why you can't use 1.1? I have it installed on RHEL 5.1 and it works well.

On Fri, Mar 28, 2008 at 6:53 PM, Chun Tat David Chu <beyonddc.storage at gmail.com> wrote:
> Hi All,
>
> I would like to install Fedora DS 1.0.2 LDAP (64 bits) on RHEL 5.1 (64
> bits) using the binary package (fedora-ds-1.0.2-1.FC5.x86_64.opt.rpm)
> built against FC5 that can be downloaded from the Fedora DS website (
> http://directory.fedoraproject.org/wiki/Download).
>
> I installed it, launched the console and ran a couple of my Java LDAP tests
> that use Java Native Directory Interface (JNDI), and it seems to be working
> happily.
>
> When I look at it, it seems like it is compatible.
>
> I would like to know if I'm missing anything obvious that would make the
> Fedora DS 1.0.2 binary package built against FC5 incompatible with RHEL 5.1?
>
> Thanks!!
>
> - David
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From michael at stroeder.com Sat Mar 29 00:45:20 2008
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 29 Mar 2008 01:45:20 +0100
Subject: [Fedora-directory-users] encryption userPassword
In-Reply-To:
References:
Message-ID: <47ED9120.5070409@stroeder.com>

Ivan Ferreira wrote:
>>>> An IV for MD5? I seriously doubt that.
>
> Using google I found:
>
> The initialization vector is the value to which the MD5 internal variables
> are initially set before beginning the hashing process.

Yes, but you won't have to deal with that when generating values for attribute 'userPassword' based on password scheme {MD5} with the help of some MD5 module for your favourite programming language or the md5sum tool. So my answer might have been imprecise regarding crypto science, but it was meant as practical help for the original poster.

Ciao, Michael.

From Duane.Dunston at noaa.gov Mon Mar 31 11:23:37 2008
From: Duane.Dunston at noaa.gov (Duane Dunston)
Date: Mon, 31 Mar 2008 07:23:37 -0400
Subject: [Fedora-directory-users] Deleting cached database entries
Message-ID: <47F0C9B9.9080203@noaa.gov>

Hello,

We have a problem where someone entered a hostname into the database with a capital letter in the hostname for a set of users. We want all lowercase entries. We use a web program to update the database.
There was a bug in my web application where I didn't force the hostname string to lowercase letters, which has been corrected.

We deleted the host entries for the user, but when we added the hostnames back with lowercase letters, it still shows up as capital letters, only for the users that were entered initially. If we enter a new user for one of the hosts with a lowercase hostname it works fine, meaning the hostname is lowercase for any new user not entered initially.

Even if we add in the hostname via the console for the users initially entered, the capital hostname reappears after we apply the changes. It seems those hostnames with capital letters are cached.

Is there a way to flush the database cache or permanently remove those cached capital hostname entries for each user?

--
Duane Dunston

From chee.benny at gmail.com Mon Mar 31 11:41:43 2008
From: chee.benny at gmail.com (Benny Chee)
Date: Mon, 31 Mar 2008 19:41:43 +0800
Subject: [Fedora-directory-users] changelog
Message-ID: <700685de0803310441p5bbf8d70rbbe2b8bf187a9696@mail.gmail.com>

Hi all,

Not sure if any of you have got the changelog config going with respect to the following changes to it. Based on the docs from:

http://www.redhat.com/docs/manuals/dir-server/cli/6.0/config.htm#112114

I have configured the nsslapd-changelogmaxentries variable below, but it has not taken any effect whatsoever (restarting dirsrv doesn't help either). Anyone got something similar going?
/etc/dirsrv/slapd-cplusldap/dse.ldif:

dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: Retro Changelog Plugin
nsslapd-pluginPath: libretrocl-plugin
nsslapd-pluginInitfunc: retrocl_plugin_init
nsslapd-pluginType: object
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-plugin-depends-on-named: Class of Service
nsslapd-pluginId: retrocl
nsslapd-pluginVersion: 1.1.0
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: Retrocl Plugin
nsslapd-changelogmaxentries: 20
modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
modifyTimestamp: 20080122103752Z

--
benny

From doug.jantz at texturallc.net Fri Mar 28 18:19:16 2008
From: doug.jantz at texturallc.net (Doug Jantz)
Date: Fri, 28 Mar 2008 13:19:16 -0500
Subject: [Fedora-directory-users] FDS Certificates
Message-ID: <528FB5ADEC6FFC4280A0210B617D32DD38D3B1@dfdsvw002.texturallc.net>

I'm trying to set up SSL using a wildcard cert that I have for my domain, and the system doesn't seem to take the wildcard cert. Is this correct? Is there a way around this? I loaded a UserTrust CA cert, and tried to load my wildcard cert signed by UserTrust that was purchased a while ago, and got a general error of:

"Private Key not found",

"Either this certificate is for another server, or this certificate was not requested using this server and the selected security device "internal (software)".

Any help would be appreciated.
From doug.jantz at texturallc.net Sun Mar 30 22:37:53 2008
From: doug.jantz at texturallc.net (Doug Jantz)
Date: Sun, 30 Mar 2008 17:37:53 -0500
Subject: [Fedora-directory-users] Fedora DS 1.0.2 and RHEL5.1 Compatibility
References: <20e4c38c0803281153v728d1ddfu2cc6c708e1541423@mail.gmail.com> <7020fd000803281629l65fb05b5w38a90c1cf1e8f539@mail.gmail.com>
Message-ID: <528FB5ADEC6FFC4280A0210B617D32DD0879A4@dfdsvw002.texturallc.net>

I'm trying to use 1.1 on EL5, and I can't get my certificates to enter. When I enter the server cert I get "Either this certificate is for another server or this certificate was not requested using this server and the selected security device "internal (software)". But the fact is that it was requested using the manager....

Anyone have ideas on what could be going on?

From beyonddc.storage at gmail.com Mon Mar 31 16:54:24 2008
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Mon, 31 Mar 2008 12:54:24 -0400
Subject: [Fedora-directory-users] Fedora DS 1.0.2 and RHEL5.1 Compatibility
In-Reply-To: <7020fd000803281629l65fb05b5w38a90c1cf1e8f539@mail.gmail.com>
References: <20e4c38c0803281153v728d1ddfu2cc6c708e1541423@mail.gmail.com> <7020fd000803281629l65fb05b5w38a90c1cf1e8f539@mail.gmail.com>
Message-ID: <20e4c38c0803310954p1d719b6v247f7e0bb17904f8@mail.gmail.com>

The packaging of Fedora DS 1.1 has a pretty significant change after Fedora DS 1.0.4, and also we haven't run into any stability problem with Fedora DS 1.0.2, so to minimize risk it would be better to stay at Fedora DS 1.0.2.

Do you think I'll run into any problem running Fedora DS 1.0.2 built against Fedora Core 5 on RHEL 5.1?

Thanks!

David

On Fri, Mar 28, 2008 at 7:29 PM, solarflow99 wrote:
> Is there a reason why you can't use 1.1? I have it installed on RHEL 5.1 and it works well.
>
> On Fri, Mar 28, 2008 at 6:53 PM, Chun Tat David Chu <beyonddc.storage at gmail.com> wrote:
> > Hi All,
> >
> > I would like to install Fedora DS 1.0.2 LDAP (64 bits) on RHEL 5.1 (64
> > bits) using the binary package (fedora-ds-1.0.2-1.FC5.x86_64.opt.rpm)
> > built against FC5 that can be downloaded from the Fedora DS website (
> > http://directory.fedoraproject.org/wiki/Download).
> >
> > I installed it, launched the console and ran a couple of my Java LDAP
> > tests that use Java Native Directory Interface (JNDI), and it seems to be
> > working happily.
> >
> > When I look at it, it seems like it is compatible.
> >
> > I would like to know if I'm missing anything obvious that would make the
> > Fedora DS 1.0.2 binary package built against FC5 incompatible with RHEL 5.1?
> >
> > Thanks!!
> >
> > - David
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rmeggins at redhat.com Mon Mar 31 17:50:35 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 31 Mar 2008 11:50:35 -0600
Subject: [Fedora-directory-users] Deleting cached database entries
In-Reply-To: <47F0C9B9.9080203@noaa.gov>
References: <47F0C9B9.9080203@noaa.gov>
Message-ID: <47F1246B.8050304@redhat.com>

Duane Dunston wrote:
> Hello,
>
> We have a problem where someone entered a hostname into the database
> with a capital letter in the hostname for a set of users. We want all
> lowercase entries. We use a web program to update the database. There
> was a bug in my web application where I didn't force the hostname string
> to lowercase letters, which has been corrected.
>
> We deleted the host entries for the user, but when we added the hostnames
> back with lowercase letters, it still shows up as capital letters, only
> for the users that were entered initially. If we enter a new user for
> one of the hosts with a lowercase hostname it works fine, meaning the
> hostname is lowercase for any new user not entered initially.

Are you using replication?

> Even if we add in the hostname via the console for the users initially
> entered, the capital hostname reappears after we apply the changes. It
> seems those hostnames with capital letters are cached.
>
> Is there a way to flush the database cache or permanently remove those
> cached capital hostname entries for each user?

From rmeggins at redhat.com Mon Mar 31 17:52:25 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 31 Mar 2008 11:52:25 -0600
Subject: [Fedora-directory-users] FDS Certificates
In-Reply-To: <528FB5ADEC6FFC4280A0210B617D32DD38D3B1@dfdsvw002.texturallc.net>
References: <528FB5ADEC6FFC4280A0210B617D32DD38D3B1@dfdsvw002.texturallc.net>
Message-ID: <47F124D9.8070203@redhat.com>

Doug Jantz wrote:
> I'm trying to set up SSL using a wildcard cert that I have for my
> domain, and the system doesn't seem to take the wildcard cert. Is this
> correct? Is there a way around this? I loaded a UserTrust CA cert, and
> tried to load my wildcard cert signed by UserTrust that was purchased
> a while ago, and got a general error of:
>
> "Private Key not found",
>
> "Either this certificate is for another server, or this certificate
> was not requested using this server and the selected security device
> "internal (software)".
>
> Any help would be appreciated.

How did you generate the directory server cert? Did you generate a CSR and submit that to the CA?
If so, how did you generate the CSR?

> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rmeggins at redhat.com Mon Mar 31 17:56:00 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 31 Mar 2008 11:56:00 -0600
Subject: [Fedora-directory-users] ldap2dns schema
In-Reply-To:
References:
Message-ID: <47F125B0.9010209@redhat.com>

Doug Chapman wrote:
> I'm trying to evaluate ldap2dns, but I'm having trouble loading the
> schema into FDS 1.1. I used the file
> http://directory.fedoraproject.org/wiki/94ldap2dns.ldif, but the
> allowed attributes aren't getting populated; the objectclass is
> getting created.
>
> There are no errors in the directory server log on startup, and I can
> see all of the attributes in the console under
> Configuration->schema->attributes.
>
> So it's like the MAY line from this entry is getting ignored or thrown
> out:
>
> objectClasses: ( 1.3.6.1.4.1.7222.1.4.20 NAME 'dnsrrset' SUP dnszone
>   MUST ( objectclass $ cn )
>   MAY ( dnsdomainname $ dnsrr $ dnsclass $ dnstype $ dnsipaddr $ dnscipaddr $
>   dnscname $ dnspreference $ dnsttl $ dnstimestamp $ owner $ dnssrvpriority $
>   dnssrvweight $ dnssrvport ) )
>
> What am I missing?

Not sure. Any information in the error log? /var/log/dirsrv/slapd-instance/errors

> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
From rmeggins at redhat.com Mon Mar 31 17:57:16 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 31 Mar 2008 11:57:16 -0600
Subject: [Fedora-directory-users] SSL
In-Reply-To:
References:
Message-ID: <47F125FC.9010904@redhat.com>

Anand Vaddarapu wrote:
> Hi,
>
> After enabling SSL with the console using the procedure
> http://directory.fedoraproject.org/wiki/Howto:SSL#Console_SSL_Information
> I am getting the following error messages when I am trying to log in
> to the directory server in the console. SSL is enabled in both the admin
> console and the LDAP server.
>
> From logs:
> [27/Mar/2008:14:56:24 +1100] conn=47 fd=66 slot=66 SSL connection from 10.50.5.81 to 10.50.1.24
> [27/Mar/2008:14:56:24 +1100] conn=47 op=-1 fd=66 closed - SSL peer cannot verify your certificate.

ls -al ~/.fedora-idm-console
certutil -L -d ~/.fedora-idm-console

> We see these when starting the LDAP server:
>
> [27/Mar/2008:14:45:04 +1100] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
> [27/Mar/2008:14:45:04 +1100] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
> [27/Mar/2008:14:45:04 +1100] - Failed to initialize cipher AES in attrcrypt_init
> [27/Mar/2008:14:45:04 +1100] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
> [27/Mar/2008:14:45:04 +1100] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
> [27/Mar/2008:14:45:04 +1100] - Failed to initialize cipher AES in attrcrypt_init
> [27/Mar/2008:14:45:05 +1100] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [27/Mar/2008:14:45:05 +1100] - Listening on All Interfaces port 636 for LDAPS requests
>
> Console error message:
>
> netscape.ldap.LDAPException: JSSSocketFactory.makeSocket devil.wcg.net.au:636, SSL_ForceHandshake failed: (-8054) unknown error (91)
>
> Help appreciated.
>
> Thanks
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From vaddarapu at gmail.com Mon Mar 31 22:53:16 2008
From: vaddarapu at gmail.com (Anand Vaddarapu)
Date: Tue, 1 Apr 2008 09:53:16 +1100
Subject: [Fedora-directory-users] SSL
In-Reply-To: <47F125FC.9010904@redhat.com>
References: <47F125FC.9010904@redhat.com>
Message-ID:

Hi,

ls -al ~/.fedora-idm-console/
total 12
drwxr-xr-x  2 root root 4096 Feb 26 08:46 .
drwxr-x--- 12 root root 4096 Mar 26 16:10 ..

certutil -L -d ~/.fedora-idm-console/
certutil: function failed: security library: bad database.

Thanks

On Tue, Apr 1, 2008 at 4:57 AM, Rich Megginson wrote:
> Anand Vaddarapu wrote:
> > Hi,
> >
> > After enabling SSL with the console using the procedure
> > http://directory.fedoraproject.org/wiki/Howto:SSL#Console_SSL_Information
> > I am getting the following error messages when I am trying to log in
> > to the directory server in the console. SSL is enabled in both the admin
> > console and the LDAP server.
> >
> > From logs:
> > [27/Mar/2008:14:56:24 +1100] conn=47 fd=66 slot=66 SSL connection from 10.50.5.81 to 10.50.1.24
> > [27/Mar/2008:14:56:24 +1100] conn=47 op=-1 fd=66 closed - SSL peer cannot verify your certificate.
>
> ls -al ~/.fedora-idm-console
> certutil -L -d ~/.fedora-idm-console
>
> > We see these when starting the LDAP server:
> >
> > [27/Mar/2008:14:45:04 +1100] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
> > [27/Mar/2008:14:45:04 +1100] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
> > [27/Mar/2008:14:45:04 +1100] - Failed to initialize cipher AES in attrcrypt_init
> > [27/Mar/2008:14:45:04 +1100] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
> > [27/Mar/2008:14:45:04 +1100] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
> > [27/Mar/2008:14:45:04 +1100] - Failed to initialize cipher AES in attrcrypt_init
> > [27/Mar/2008:14:45:05 +1100] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> > [27/Mar/2008:14:45:05 +1100] - Listening on All Interfaces port 636 for LDAPS requests
> >
> > Console error message:
> >
> > netscape.ldap.LDAPException: JSSSocketFactory.makeSocket devil.wcg.net.au:636, SSL_ForceHandshake failed: (-8054) unknown error (91)
> >
> > Help appreciated.
> >
> > Thanks
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users