From sigidwu at gmail.com Thu May 1 03:53:29 2008
From: sigidwu at gmail.com (sigid@JINLab)
Date: Thu, 01 May 2008 10:53:29 +0700
Subject: [Fedora-directory-users] Error when starting to initiate multimaster replication
Message-ID: <48193EB9.7020702@gmail.com>

Dear all,

Currently I'm using FDS 1.0.4 and wanted to migrate all data to a new server running FDS 1.1. After migrating the data it is fully functional for authentication. But currently I have two FDS 1.1 machines and want to do multimaster replication. When running the mmr.pl script I get the error message shown below:

Command:

bash-3.2$ ./mmr.pl --host1 jstsvr3.jst.co.id --host2 sys03.jst.co.id --bindpw fdsmanager --host1_id 1 --host2_id 2 --bindpw fdsmanager --repmanpw repmanager --create

Error message:

adding to jstsvr3.jst.co.id -> cn=changelog5,cn=config
failed to add changelog entry: failed to start changelog; error - 8 at ./mmr.pl line 253, line 342.

Why could this happen, and what is the solution to this problem?

Thanks

From kgraham at advance.net Thu May 1 16:27:58 2008
From: kgraham at advance.net (Kevin Graham)
Date: Thu, 1 May 2008 12:27:58 -0400
Subject: [Fedora-directory-users] FDS: Error in encoding and attribute deletion
Message-ID: <1209659278.31353.14.camel@quake.advance.net>

An embedded and charset-unspecified text was scrubbed...

From nhosoi at redhat.com Thu May 1 16:48:44 2008
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Thu, 01 May 2008 09:48:44 -0700
Subject: [Fedora-directory-users] FDS: Error in encoding and attribute deletion
In-Reply-To: <1209659278.31353.14.camel@quake.advance.net>
References: <1209659278.31353.14.camel@quake.advance.net>
Message-ID: <4819F46C.1020907@redhat.com>

Kevin Graham wrote:
> I am having a very unusual error on FDS version 1.0.3.
>
> When we use ldapsearch to search for certain attributes we are getting
> results back scrambled.
>
> Upon further investigation we found that the 'scrambled' entries were
> the intended entries, just base64 encoded. Normally we'd expect the
> results back in ASCII of course.
>
> The strange thing is that no matter how many times, and with any client
> application, trying to fix the attribute results in no change.
>
> Deleting the attribute will delete it, but when we re-add the attribute
> (checked for things like trailing spaces), the entry will reappear as
> the base64 entry (with a trailing space when translated back).
>
> It just appears 'stuck' and will not change to the intended text.
>
> Any help or pointers on this would be appreciated.

Could you double check your data to be added? This might be happening:

http://www.faqs.org/rfcs/rfc2849.html
RFC 2849 - The LDAP Data Interchange Format (LDIF)
8) Values or distinguished names that end with SPACE SHOULD be base-64 encoded.

From kgraham at advance.net Thu May 1 17:29:24 2008
From: kgraham at advance.net (Kevin Graham)
Date: Thu, 1 May 2008 13:29:24 -0400
Subject: [Fedora-directory-users] FDS: Error in encoding and attribute deletion
In-Reply-To: <4819F46C.1020907@redhat.com>
References: <1209659278.31353.14.camel@quake.advance.net>
Message-ID: <1209662964.31353.24.camel@quake.advance.net>

An embedded and charset-unspecified text was scrubbed...
From michael at stroeder.com Thu May 1 20:19:58 2008
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 01 May 2008 22:19:58 +0200
Subject: [Fedora-directory-users] FDS: Error in encoding and attribute deletion
In-Reply-To: <1209662964.31353.24.camel@quake.advance.net>
References: <1209659278.31353.14.camel@quake.advance.net> <1209662964.31353.24.camel@quake.advance.net>
Message-ID: <481A25EE.2030904@stroeder.com>

Kevin Graham wrote:
> The problem we're having is when we try to correct the entry using any
> client.

It's simply valid LDIF, like Noriko already told you. A double colon after the attribute type name indicates that you have to base64-decode the attribute value. If you want to process LDIF then use a decent LDIF parser. This does not necessarily have to do with the attribute values. It would also be valid data encoded in valid LDIF if all attributes were base64-encoded in lines attrType:: attrValue.

> It's a uniqueMember attribute so it's supposed to be ascii.

No, it's not supposed to be ASCII, at least since it contains DNs, which can be UTF-8. Maybe in your case it's supposed to be ASCII, but not in general.

Ciao, Michael.

From rmeggins at redhat.com Thu May 1 20:26:01 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 01 May 2008 14:26:01 -0600
Subject: [Fedora-directory-users] Source for DSML Gateway now available
Message-ID: <481A2759.8010008@redhat.com>

If you are interested in web services and how to expose LDAP data to them, you will probably be interested in the DSML Gateway. We do not have a binary distribution, but if you are familiar with Java, Ant, and Tomcat, you should be able to build it. See http://directory.fedoraproject.org/wiki/DSML_Gateway for more information.
From kgraham at advance.net Thu May 1 21:13:13 2008
From: kgraham at advance.net (Kevin Graham)
Date: Thu, 1 May 2008 17:13:13 -0400
Subject: [Fedora-directory-users] FDS: Error in encoding and attribute deletion
In-Reply-To: <481A25EE.2030904@stroeder.com>
References: <1209659278.31353.14.camel@quake.advance.net>
Message-ID: <1209676393.31353.69.camel@quake.advance.net>

Okay, I don't understand. Here is the listing of the entry in question, using ldapsearch:

uniqueMember: uid=user2,ou=People,dc=thisdomain,dc=net
uniqueMember:: dWlkPW1xxxxxxxG8sb3U9UGVvcGxlLGRjPWFkdmFuY2XXXXXXXdUs==

(I've changed it a little, because it's sensitive.)

That appears when I search for cn=tech,ou=Groups,dc=thisdomain,dc=net.

Why would the one entry be returned as base64 encoded, when the others aren't? I don't want it to be stored that way.

When I use a tool like ldapvi or ldapmodify, and delete, then re-add the entry:

'uniqueMember: uid=userX,ou=People,dc=thisdomain,dc=net' (no trailing space, one colon)

then do a search for userX, nothing appears. The strange thing is when I look at the entry in, say, ADs or jxplorer, it appears as uid=userX... but with a trailing space. I have made sure any time I've re-added the entry that there is never a '::' or a trailing space. I've even used ADs, phpldapadmin, and jxplorer to do the delete->add->check cycle and always end up with the same result.

I know the letters/numbers are the base64 encoded string I want returned (with a space after it). I just can't get that one entry to behave like the other attributes. I add it the same exact way I do the other entries in the same group. Why would the directory server think that I want a uniqueMember attribute encoded/stored as a base64 string when I don't tell it to do that, or return the entry as one?
I just want the directory server to return the entry as

uniqueMember: uid=userX,ou=People,dc=thisdomain,dc=net

so when I search for it, it is there. Maybe it was added as base64 originally, and I just can't update or remove the record? I really think it might be something with the backend? Is there a way to check that?

Thank you for your help.

--
Kevin Graham
System Administrator
Advance Internet

From maumar at cost.it Fri May 2 11:41:39 2008
From: maumar at cost.it (Maurizio Marini)
Date: Fri, 2 May 2008 13:41:39 +0200
Subject: [Fedora-directory-users] beginner question
Message-ID: <200805021341.39499.maumar@cost.it>

When configuring software that should authenticate against LDAP, they ask for the LDAP admin and password. I wonder what the difference is between

uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot

and

cn=Directory Manager.

When should I use one or the other? Who is "ldap admin"?
tia
-m

From beyonddc.storage at gmail.com Fri May 2 12:11:10 2008
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Fri, 2 May 2008 08:11:10 -0400
Subject: [Fedora-directory-users] beginner question
In-Reply-To: <200805021341.39499.maumar@cost.it>
References: <200805021341.39499.maumar@cost.it>
Message-ID: <20e4c38c0805020511u79706ff5nddb7c6ce2142ac61@mail.gmail.com>

Hi Maurizio,

I would use "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" instead of "cn=Directory Manager".

Here's the copied and pasted information from the Red Hat Directory Server Admin Guide.

There are important differences between the Directory Administrator and the Directory Manager:

* The administrator cannot create top level entries for a new suffix through an add operation, either adding an entry in the Directory Server Console or using ldapadd, a tool provided with OpenLDAP. Only the Directory Manager can add top-level entries by default. To allow other users to add top-level entries, create entries with the appropriate access control statements in an LDIF file, and perform an import or database initialization procedure using that LDIF file.
* Password policies do apply to the administrator, but you can set a user-specific password policy for the administrator.
* Size, time, and lookthrough limits apply to the administrator, but you can set different resource limits for this user.

For more detail, follow the URL below:
http://www.redhat.com/docs/manuals/dir-server/install/8.0/Installation_Guide-Preparing_for_a_Directory_Server_Installation-Considerations.html#Installation_Guide-Preparing_for_a_Directory_Server_Installation-Directory_Manager

- dc
From michael at stroeder.com Fri May 2 15:23:26 2008
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 02 May 2008 17:23:26 +0200
Subject: [Fedora-directory-users] FDS: Error in encoding and attribute deletion
In-Reply-To: <1209676393.31353.69.camel@quake.advance.net>
References: <1209659278.31353.14.camel@quake.advance.net> <1209676393.31353.69.camel@quake.advance.net>
Message-ID: <481B31EE.5090506@stroeder.com>

Kevin Graham wrote:
> Okay, I don't understand.

Okay, I will try again. ;-)

> Here is the listing of the entry in question, using ldapsearch
>
> uniqueMember: uid=user2,ou=People,dc=thisdomain,dc=net
> uniqueMember:: dWlkPW1xxxxxxxG8sb3U9UGVvcGxlLGRjPWFkdmFuY2XXXXXXXdUs==
>
> (i've changed it a little, because it's sensitive)
>
> that appears when I search for cn=tech,ou=Groups,dc=thisdomain,dc=net
>
> why would the one entry be returned as base64 encoded, when the others
> aren't?

Because most likely it contains NON-ASCII chars (in the DN?). I can't check, since Python's base64.decodestring() fails on your example above with "binascii.Error: Incorrect padding".

> I don't want it to be stored that way.

It is not stored in the directory that way. It's just base64-encoded in the LDIF format, which is the output format of the command-line tool ldapsearch.

> When I use a tool, like ldapvi, or ldapmodify, and delete, then re-add
> the entry:
>
> 'uniqueMember: uid=userX,ou=People,dc=thisdomain,dc=net' (no trailing
> space,one colon)
>
> then do a search for userX, nothing appears.

Please elaborate what "search for userX" means for you. Maybe post a search filter?
> The strange thing is when
> I look at the entry in say ADs, or jxplorer, it appears as uid=userX...
> but with a trailing space.

Maybe you should try to modify this attribute with jxplorer?

> I have made sure anytime I've re-added the
> entry that there is never a '::' or a trailing space. I've even used
> ADs, and phpldapadmin, and jxplorer to do the delete->add->check cycle
> and always end up with the same result.

Maybe FDS adds the trailing space because attribute 'uniqueMember' is of LDAP syntax 'Name And Optional UID' (OID 1.3.6.1.4.1.1466.115.121.1.34), which is not only a DN (and this particular syntax is considered to be flawed anyway).

Ciao, Michael.

From andrew at dingman.org Fri May 2 23:11:03 2008
From: andrew at dingman.org (Andrew C. Dingman)
Date: Fri, 02 May 2008 19:11:03 -0400
Subject: [Fedora-directory-users] Express web console
In-Reply-To: <4818989E.9060101@redhat.com>
References: <48188217.6040505@redhat.com> <4818989E.9060101@redhat.com>
Message-ID: <1209769863.3789.688.camel@phorkys>

On Wed, 2008-04-30 at 10:04 -0600, Rich Megginson wrote:
> Sigurður Bjarnason wrote:
> > Yes,
> >
> > I would like to secure the front page, so you have to type in the
> > password before you get the first page, the page that lists up all the
> > pages etc ..
>
> That page is /usr/share/dirsrv/html/admserv.html. It is generated by
> the CGI URL /dist/download. I'm not sure how htaccess works - see
> /etc/dirsrv/admin-serv/admserv.conf for more information.

.htaccess files are basically blocks stored in the directory they configure, rather than in the main Apache configuration. They may have only a subset of the features available in the main config file, depending mostly on the AllowOverride directive in the primary config file. They're great for rapid prototyping of a complicated per-directory configuration in Apache, and widely used in shared hosting Apache environments.
However, they have potentially bad implications for security, and definitely bad implications for performance. The performance hit happens just by enabling them, too, not just when the feature is in use (though that can make it worse). Looking at my own instance of FDS, they are quite properly disabled. Admserv.conf is probably the right place for any access control changes.

From siggi at betware.com Mon May 5 16:33:18 2008
From: siggi at betware.com (Sigurður Bjarnason)
Date: Mon, 5 May 2008 16:33:18 +0000
Subject: [Fedora-directory-users] Usermod

Hi All

Is there any way of defining usermod with FDS? Let's say that I am user "siggi" and I need to give him rights to login as user "test". Is that possible with FDS?

Regards
Siggi

From iferreir at personal.com.py Mon May 5 23:42:11 2008
From: iferreir at personal.com.py (Ivan Ferreira)
Date: Mon, 5 May 2008 19:42:11 -0400
Subject: [Fedora-directory-users] Usermod

That has nothing to do with FDS; you can use su or sudo.
From valery.fauconnier at atosorigin.com Wed May 7 06:31:13 2008
From: valery.fauconnier at atosorigin.com (FAUCONNIER Valery AWL-IT)
Date: Wed, 7 May 2008 08:31:13 +0200
Subject: [Fedora-directory-users] Usermod
Message-ID: <8B50AA62C37CB448A36B5076F9AB0E380122F30A@eri.winad.be>

There is a schema for sudo entries; look at
http://fci.wikia.com/wiki/Setting_Up_A_Centralised_Authentication_Server_With_Sudo_Access_Using_LDAP

You have to modify the given schema to be compatible with FDS (a script exists to convert the schema):

# cat 77sudo.ldif
#
################################################################################
#
dn: cn=schema
#
################################################################################
#
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
################################################################################
#
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
################################################################################
#
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
################################################################################
#
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
################################################################################
#
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
################################################################################
#
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries' SUP top STRUCTURAL MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) )
#
################################################################################
#
From igalvarez at gmail.com Wed May 7 17:57:12 2008
From: igalvarez at gmail.com (Israel Garcia)
Date: Wed, 7 May 2008 12:57:12 -0500
Subject: [Fedora-directory-users] about redhat ldap server
Message-ID: <194a2c240805071057o6ce74635i18ecd43f733127c2@mail.gmail.com>

I've used Fedora DS for a long time and it's good for me, but I'd like to know if Red Hat has some commercial LDAP product?

Thanks in advance.
Regards,
Israel

From msauton at redhat.com Wed May 7 18:29:42 2008
From: msauton at redhat.com (Marc Sauton)
Date: Wed, 07 May 2008 11:29:42 -0700
Subject: [Fedora-directory-users] about redhat ldap server
In-Reply-To: <194a2c240805071057o6ce74635i18ecd43f733127c2@mail.gmail.com>
References: <194a2c240805071057o6ce74635i18ecd43f733127c2@mail.gmail.com>
Message-ID: <4821F516.3000502@redhat.com>

Yes, there are some pages at:
http://www.redhat.com/products/
http://www.redhat.com/directory_server/

M.

From murthy at barc.gov.in Thu May 8 06:00:12 2008
From: murthy at barc.gov.in (C.S.R.C.Murthy)
Date: Thu, 08 May 2008 11:30:12 +0530
Subject: [Fedora-directory-users] How to control the BIND operation using ACI
Message-ID: <482296EC.4010203@barc.gov.in>

Hello all,

I am using directory server for squid LDAP authentication. Squid takes the username/password, binds to the directory server, and if the BIND operation is successful it allows the user through the proxy. My problem is how to specify an ACI so that the BIND operation is allowed only from certain IP addresses. ACI allows me to restrict READ/SEARCH/WRITE operations but not the BIND operation. Please help.
-murthy

From murthy at barc.gov.in Thu May 8 09:13:43 2008
From: murthy at barc.gov.in (C.S.R.C.Murthy)
Date: Thu, 08 May 2008 14:43:43 +0530
Subject: [Fedora-directory-users] deny bind operation from certain group and certain IP address
Message-ID: <4822C447.8020200@barc.gov.in>

Hello all,

I need to deny the bind operation when the DN belongs to a certain group and the request is coming from a certain IP address. How do I do it in an ACI?

-murthy

From andrey.ivanov at polytechnique.fr Thu May 8 13:04:15 2008
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Thu, 8 May 2008 15:04:15 +0200
Subject: [Fedora-directory-users] How to control the BIND operation using ACI
In-Reply-To: <482296EC.4010203@barc.gov.in>
References: <482296EC.4010203@barc.gov.in>
Message-ID: <1601b8650805080604j7ac42e7cx6ea9a0292fdbe826@mail.gmail.com>

You can do it like this, for example:

----------------------------------
aci: (targetattr = "uniqueMember || uidNumber || gidNumber || homeDirectory || loginShell || gecos")(version 3.0; acl "Enable attributes to read for certain ip adresses and to authentified users"; allow (read,search,compare)(((ip="192.168.0.*") or (ip="172.16.191.*") or (ip="192.168.1.15") or (ip="172.16.126.1")) and (userdn="ldap:///all"));)
------------------------------------

Or you can simply use iptables...
From siggi at betware.com Thu May 8 13:48:18 2008
From: siggi at betware.com (Sigurður Bjarnason)
Date: Thu, 8 May 2008 13:48:18 +0000
Subject: [Fedora-directory-users] Usermod
In-Reply-To: <8B50AA62C37CB448A36B5076F9AB0E380122F30A@eri.winad.be>
References: <8B50AA62C37CB448A36B5076F9AB0E380122F30A@eri.winad.be>

Thanks... I have the SUDO schema for LDAP already, however. But I can't seem to figure out how to allow certain users to login as other users. :( Should I just allow the users to do su - ... but then they can login as root also, right?

This is my sudo schema:

dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) X-ORIGIN 'SUDO' )

Regards
Siggi

From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of FAUCONNIER Valery AWL-IT
Sent: 7 May 2008 06:31
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] Usermod
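An added example, written for this archive and not taken from any of the posts, that serves two threads above: it applies the RFC 2849 rules Noriko and Michael cite in "FDS: Error in encoding and attribute deletion" (a value ending in SPACE or containing UTF-8 is written as "attr:: base64", the same DN without the space is not, and decoding a "::" line is the check that reveals the trailing space), and it renders a sudoRole entry against the 77sudo.ldif schema from the "Usermod" thread that lets one user run "su - test" without a root shell. All DNs, user names, the ou=SUDOers container and the command are constructed placeholders.

```python
"""RFC 2849 LDIF attribute-line encoding/decoding, plus a sudoRole entry
rendered with it.  Added example; not from the mailing-list posts.  All DNs,
user names, hosts and commands below are constructed placeholders."""
import base64


def base64_reasons(value):
    """RFC 2849 reasons why a value must be written as 'attr:: base64'.

    A plain 'attr: value' line may only carry a SAFE-STRING: printable ASCII
    without NUL, LF or CR, not starting with SPACE, ':' or '<'.  Section 8
    adds that values ending in SPACE SHOULD be base64 encoded, because a
    trailing space would otherwise be invisible and easily lost.
    """
    reasons = []
    if value:
        if value[0] in b" :<":
            reasons.append("starts with SPACE, ':' or '<'")
        if value.endswith(b" "):
            reasons.append("ends with SPACE")
        if any(b in (0, 10, 13) for b in value):
            reasons.append("contains NUL, LF or CR")
        if any(b > 127 for b in value):
            reasons.append("contains non-ASCII bytes (e.g. UTF-8 in a DN)")
    return reasons


def encode_value(attr, value):
    """Render one attribute line, choosing ':' or '::' per base64_reasons."""
    raw = value if isinstance(value, bytes) else value.encode("utf-8")
    if base64_reasons(raw):
        return "%s:: %s" % (attr, base64.b64encode(raw).decode("ascii"))
    return "%s: %s" % (attr, raw.decode("ascii"))


def decode_value(line):
    """Parse one attribute line back into (attr, raw bytes).

    ':' is followed by any number of SPACEs (FILL in the RFC grammar), '::'
    by base64, ':<' by a URL, which this small parser does not fetch.
    """
    attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an LDIF attribute line: %r" % line)
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip())
    if rest.startswith("<"):
        raise ValueError("URL-valued lines (':<') are not handled here")
    return attr, rest.lstrip(" ").encode("utf-8")  # tolerant of non-ASCII


def ldif_record(dn, attrs):
    """Render an entry; attrs is an ordered list of (attr, value) pairs."""
    lines = [encode_value("dn", dn)] + [encode_value(a, v) for a, v in attrs]
    return "\n".join(lines) + "\n"


def parse_record(text):
    """Parse an entry rendered by ldif_record (comments and blanks skipped)."""
    return [decode_value(l) for l in text.splitlines() if l and l[0] != "#"]


def explain_encoded_lines(text):
    """For each '::' line in ldapsearch/LDIF output return
    (attr, decoded bytes, reasons): the check to run when a value
    unexpectedly comes back base64-encoded."""
    found = []
    for line in text.splitlines():
        attr, sep, rest = line.partition(":")
        if sep and rest.startswith(":"):
            raw = base64.b64decode(rest[1:].strip())
            found.append((attr, raw, base64_reasons(raw)))
    return found


def whitespace_only_variants(text, attr="uniqueMember"):
    """Values of `attr` that differ from their trimmed form only by
    leading/trailing whitespace: the 'stuck' member from the thread."""
    return [raw.decode("utf-8") for a, raw, _ in explain_encoded_lines(text)
            if a == attr and raw != raw.strip()]


# Constructed group mirroring the thread: one member added correctly, one
# with a trailing space, and one whose DN contains UTF-8 (Michael's point).
INTENDED = "uid=userX,ou=People,dc=thisdomain,dc=net"
GROUP = ldif_record("cn=tech,ou=Groups,dc=thisdomain,dc=net", [
    ("objectClass", "groupOfUniqueNames"),
    ("cn", "tech"),
    ("uniqueMember", "uid=user2,ou=People,dc=thisdomain,dc=net"),
    ("uniqueMember", INTENDED + " "),
    ("uniqueMember", "cn=J\u00fcrgen M\u00fcller,ou=People,dc=thisdomain,dc=net"),
])

# Constructed sudoRole entry for the posted 77sudo.ldif schema: 'siggi' may
# run exactly 'su - test' (as root, sudo's default) and so become 'test'
# without being granted a root shell.
SUDO_ROLE = ldif_record("cn=su-as-test,ou=SUDOers,dc=thisdomain,dc=net", [
    ("objectClass", "top"),
    ("objectClass", "sudoRole"),
    ("cn", "su-as-test"),
    ("sudoUser", "siggi"),
    ("sudoHost", "ALL"),
    ("sudoCommand", "/bin/su - test"),
])

if __name__ == "__main__":
    print(GROUP)
    for attr, raw, reasons in explain_encoded_lines(GROUP):
        print("%s:: decodes to %r (%s)" % (attr, raw, "; ".join(reasons)))
    print(SUDO_ROLE)
```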
From etorres at dap.es Thu May 8 15:30:46 2008
From: etorres at dap.es (Esteban Torres Rodriguez)
Date: Thu, 08 May 2008 17:30:46 +0200
Subject: [Fedora-directory-users] Sync AD with FDS
Message-ID: <482338C6020000180016451C@gwmta>

I synchronized my AD with my FDS. The timing is working properly; I have even set up the synchronization of the password. My problem is that the timing has not added to FDS all the attributes that the users have in AD.

How do I make an exact replica of AD in my FDS? Is it possible?

Greetings.

Esteban Torres Rodríguez
ÁREA DE SOPORTE TÉCNICO - Administración de Servidores
Subdirección de Sistemas Informáticos
Empresa Pública Desarrollo Agrario y Pesquero
email: etorres at dap.es

From alex at davz.net Thu May 8 15:33:39 2008
From: alex at davz.net (Alex Davies)
Date: Thu, 8 May 2008 17:33:39 +0200
Subject: [Fedora-directory-users] Sync AD with FDS
In-Reply-To: <482338C6020000180016451C@gwmta>
References: <482338C6020000180016451C@gwmta>
Message-ID: <5fb622120805080833i5a645774lbe5498010b30fe5b@mail.gmail.com>

Hi,

As I understand it, winsync will only sync a certain list of hardcoded attributes from AD. For example, even if you have POSIX UIDs/GIDs in AD, you can't sync these with FDS. If I am wrong, someone please correct me and I would be very happy!

Best wishes,

Alex
> Esteban Torres Rodríguez
> TECHNICAL SUPPORT AREA - Server Administration
> IT Systems Subdirectorate
> Empresa Pública Desarrollo Agrario y Pesquero,
> email: etorres at dap.es
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
Alex Davies

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender immediately by e-mail and delete this e-mail permanently.

From alex at davz.net Thu May 8 15:41:19 2008
From: alex at davz.net (Alex Davies)
Date: Thu, 8 May 2008 17:41:19 +0200
Subject: [Fedora-directory-users] Error with Replication: Replication error acquiring replica: permission denied
Message-ID: <5fb622120805080841id9633f6i2d93bfdf9f7db190@mail.gmail.com>

Hi Everyone,

I am attempting to setup the following architecture:

Active Directory
        |
        |
    [winsync]
        |
        |
Fedora Directory Server (Master)
        |
        |
  [replication]
        |
        |
Fedora Directory Server (Slave)

I've set the Fedora Directory Server (Master) as a hub, and winsync (including passwords) is working to this machine. When attempting to setup the Slave, I've created the user uid=RManager,cn=replication,cn=config on the Slave, and added that string to the "Supplier DN" on the slave. The master, however, returns the following error:

"Replication error acquiring replica: permission denied. Error Code: 3"

The log files are filled with that error all over the place. Can anyone suggest anything else to try / to look at? All help much appreciated.
Many thanks,
Alex

From etorres at dap.es Thu May 8 15:54:52 2008
From: etorres at dap.es (Esteban Torres Rodriguez)
Date: Thu, 08 May 2008 17:54:52 +0200
Subject: [Fedora-directory-users] Error with Replication: Replication error acquiring replica: permission denied
Message-ID: <48233E6C020000180016452E@gwmta>

http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replication_Scenarios.html#Replication_Scenarios-Single_Master_Replication

Esteban Torres Rodríguez
TECHNICAL SUPPORT AREA - Server Administration
IT Systems Subdirectorate
Empresa Pública Desarrollo Agrario y Pesquero,
email: etorres at dap.es

From glenn at mail.txwes.edu Thu May 8 17:25:45 2008
From: glenn at mail.txwes.edu (Glenn)
Date: Thu, 8 May 2008 12:25:45 -0500
Subject: [Fedora-directory-users] Password Change in DSGW
Message-ID: <20080508171654.M62292@mail.txwes.edu>

Is there a URL in the Directory Server Gateway where users can get a form that will allow them to change their own directory password?
The only way I've found to do this is to search for the user first. This requires several steps, and users have difficulty with this. If we could simply put a link to the password change form, it would work better for our users.

Thanks for any ideas.

-G.

From adamaod at gmail.com Thu May 8 17:39:35 2008
From: adamaod at gmail.com (Adam Valenzuela)
Date: Thu, 8 May 2008 13:39:35 -0400
Subject: [Fedora-directory-users] changing non SMP kernel fedora install into a SMP kernel fedora install
Message-ID: <7d2291380805081039g2a2a0a42r94c36a55eccdbf6@mail.gmail.com>

Hello group,

I am trying to locate some documentation or user information on how to allow FDS to run on an SMP kernel. The installation directions I have call for a non SMP kernel, but do not mention anything (positive or negative) about running on a SMP kernel. Currently I have a need to consolidate servers, and my FDS install needs to reside on a box that has to use an SMP kernel.

I had heard this could be done but I am having trouble locating information on this particular issue.

Any help or direction would be greatly appreciated.

--
Thank you,
Adam A. Valenzuela

From rmeggins at redhat.com Thu May 8 18:31:45 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 08 May 2008 12:31:45 -0600
Subject: [Fedora-directory-users] changing non SMP kernel fedora install into a SMP kernel fedora install
In-Reply-To: <7d2291380805081039g2a2a0a42r94c36a55eccdbf6@mail.gmail.com>
References: <7d2291380805081039g2a2a0a42r94c36a55eccdbf6@mail.gmail.com>
Message-ID: <48234711.1090908@redhat.com>

Adam Valenzuela wrote:
> Hello group,
>
> I am trying to locate some documentation or user information on
> how to allow FDS to run on an SMP kernel. The installation directions
> I have call for a non SMP kernel,

What installation directions? Fedora DS doesn't care if the kernel is SMP or not - it should run fine either way.
> but do not mention anything (positive or negative) about running on a
> SMP kernel. Currently I have a need to consolidate servers, and my
> FDS install needs to reside on a box that has to use an SMP kernel.
>
> I had heard this could be done but I am having trouble locating
> information on this particular issue.
>
> Any help or direction would be greatly appreciated.
>
> --
> Thank you,
> Adam A. Valenzuela

From LACY_S at mercer.edu Thu May 8 20:22:26 2008
From: LACY_S at mercer.edu (Scott Lacy)
Date: Thu, 8 May 2008 16:22:26 -0400
Subject: [Fedora-directory-users] admin server dsgw 403 forbidden error
Message-ID: <9BF995BC0E47744E9673A41486E24EE205638F48D3@MERCERMAIL.MercerU.local>

Hi all,

I am making some changes to dsgw.conf to point htmldir, configdir, and gwnametrans to customized html and config directories on FDS's admin server. Everything else seems to work except for clicking on Directory Server Gateway, which gives me:

403 Forbidden error: You don't have permission to access /dsgw/bin/lang on this server.

The admin-serv error log shows:

[Thu May 08 13:10:41 2008] [error] [client a.b.c.d] client denied by server configuration: /opt/fedora-ds/dsgw, referer: http://foxtrot:5000/clients/dsgw/bin/lang?context=dsgw
[Thu May 08 13:10:41 2008] [error] [client a.b.c.d] client denied by server configuration: /opt/fedora-ds/dsgw, referer: http://foxtrot:5000/clients/dsgw/bin/lang?context=dsgw

Admserv.conf has:

AllowOverride None
Options None
Order allow,deny
Allow from all
NESCompatEnv on

I've beat my head against the wall until it hurts.
Any pointers on where to look next?

Thanks,
Scott
----------------------
Scott Lacy
Unix Systems Manager, Systems and Networks
Mercer University
478 301 5509

From murthy at barc.gov.in Fri May 9 04:55:31 2008
From: murthy at barc.gov.in (C.S.R.C.Murthy)
Date: Fri, 09 May 2008 10:25:31 +0530
Subject: [Fedora-directory-users] How to control the BIND operation using ACI
In-Reply-To: <1601b8650805080604j7ac42e7cx6ea9a0292fdbe826@mail.gmail.com>
References: <482296EC.4010203@barc.gov.in> <1601b8650805080604j7ac42e7cx6ea9a0292fdbe826@mail.gmail.com>
Message-ID: <4823D943.3040903@barc.gov.in>

Dear Andrey,

I did not make clear one point here. My exact ACI requirement is like this: I need to deny the bind operation when the connecting DN belongs to a certain group and the request is coming from a certain IP address. How to do it in ACI? More specifically, we have one INTERNET group and one EMAIL group. If a person is in the INTERNET group he will be allowed to authenticate (BIND) only from the squid proxy server. Similarly, if a person belongs to the EMAIL group he will be allowed to authenticate (BIND) only from the email server. We are unable to achieve this type of control using ACI. Please help.

regards
murthy

Andrey Ivanov wrote:
> You can do it like this, for example :
>
> ----------------------------------
> aci: (targetattr = "uniqueMember || uidNumber || gidNumber ||
> homeDirectory || loginShell || gecos")(version 3.0; acl "Enable
> attributes to read for certain ip adresses and to authentified users";
> allow (read,search,compare)(((ip="192.168.0.*") or (ip="172.16.191.*")
> or (ip="192.168.1.15") or (ip="172.16.126.1")) and
> (userdn="ldap:///all"));)
> ------------------------------------
> Or you can simply use iptables...
>
>
> 2008/5/8 C.S.R.C.Murthy :
>
>> Hello all,
>> I am using directory server for squid ldap authentication.
>> Squid takes username/password, binds the directory server and if the BIND operation is
>> successful it allows the user through proxy. My problem is how to specify an
>> ACI so that BIND operation is allowed only from certain IP address?. ACI
>> allows me to restrict READ/SEARCH/WRITE operations but not BIND operation.
>> Please help.
>>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From andrey.ivanov at polytechnique.fr Fri May 9 10:15:47 2008
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Fri, 9 May 2008 12:15:47 +0200
Subject: [Fedora-directory-users] How to control the BIND operation using ACI
In-Reply-To: <4823D943.3040903@barc.gov.in>
References: <482296EC.4010203@barc.gov.in> <1601b8650805080604j7ac42e7cx6ea9a0292fdbe826@mail.gmail.com> <4823D943.3040903@barc.gov.in>
Message-ID: <1601b8650805090315ie174014sa5f8d8e6be412fde@mail.gmail.com>

Anyway, it is better to make the "allow" ACIs, not "deny" ACIs.

As for your problem, here is what the ACIs should look like (supposing that your groups are cn=INTERNET,ou=Groups,dc=example,dc=com and cn=EMAIL,ou=Groups,dc=example,dc=com, the IP addresses of your squid server are 192.168.0.66 and 172.16.191.66, and the addresses of your email servers are 192.168.1.100 and 192.168.1.101).

Delete all the default ACIs (for anonymous/authenticated users) and choose the attributes that you want to expose (attr1, attr2...)
For INTERNET group : aci: (targetattr = "attr1 || attr2")(version 3.0; acl "Enable attributes to read for a certain ip adresses and to authentified users";allow (read,search,compare)(((ip="192.168.0.66") or (ip="172.16.191.66")) and (groupdn = "ldap:///cn=INTERNET,ou=Groups,dc=example,dc=com"));) For EMAIL group : aci: (targetattr = "attr1 || attr2")(version 3.0; acl "Enable attributes to read for a certain ip adresses and to authentified users";allow (read,search,compare)(((ip="192.168.1.100") or (ip="192.168.1.101")) and (groupdn = "ldap:///cn=EMAIL,ou=Groups,dc=example,dc=com"));) 2008/5/9 C.S.R.C.Murthy : > Dear Andrey, > I did not make clear one point here. My exact ACI requirement is like > this, I need to deny bind operation when the connecting DN belongs to > certain group and the request is coming from certain ip address. How to do > it in ACI?. More specifically we have one INTERNET group and one EMAIL > group. If a person is in INTERNET group he will be allowed to authenticate > (BIND) only from squid proxy server Simillarly if a person belongs to EMAIL > grooup he will be allowed to authenticate (BIND) only from email server. We > are unable to acheive this type of control using ACI. Please help. > > regards > murthy > > Andrey Ivanov wrote: >> >> You can do it like this, for example : >> >> ---------------------------------- >> aci: (targetattr = "uniqueMember || uidNumber || gidNumber || >> homeDirectory || loginShell || gecos")(version 3.0; acl "Enable >> attributes to read for certain ip adresses and to authentified users"; >> allow (read,search,compare)(((ip="192.168.0.*") or (ip="172.16.191.* >> ") or (ip="192.168.1.15") or (ip="172.16.126.1")) and >> (userdn="ldap:///all"));) >> ------------------------------------ >> Or you can simply use iptables... >> >> >> 2008/5/8 C.S.R.C.Murthy : >> >>> >>> Hello all, >>> Iam using directory server for squid ldap authentication. 
>>> Squid takes username/password, binds the directory server and if the BIND operation
>>> is successful it allows the user through proxy. My problem is how to specify
>>> an ACI so that BIND operation is allowed only from certain IP address?. ACI
>>> allows me to restrict READ/SEARCH/WRITE operations but not BIND
>>> operation.
>>> Please help.
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From murthy at barc.gov.in Fri May 9 11:44:42 2008
From: murthy at barc.gov.in (C.S.R.C.Murthy)
Date: Fri, 09 May 2008 17:14:42 +0530
Subject: [Fedora-directory-users] How to control the BIND operation using ACI
In-Reply-To: <1601b8650805090315ie174014sa5f8d8e6be412fde@mail.gmail.com>
References: <482296EC.4010203@barc.gov.in> <1601b8650805080604j7ac42e7cx6ea9a0292fdbe826@mail.gmail.com> <4823D943.3040903@barc.gov.in> <1601b8650805090315ie174014sa5f8d8e6be412fde@mail.gmail.com>
Message-ID: <4824392A.6090600@barc.gov.in>

Hi Andrey,

As a first step, according to your suggestion, I have removed the default ACIs for anonymous and authenticated users. With this I expected that squid would not be able to BIND to the directory server, as the default ACI action should be DENY in case there is no matching rule. But it is able to successfully BIND when I give a proper login/password. If I am not able to deny the BIND operation when there are no anonymous/authenticated ACIs, then I will never be able to control BIND access, I assume. Please clarify.

regards
murthy

Andrey Ivanov wrote:
> Anyway it is better to make the "allow" ACIs, not "deny" ACIs.
From valery.fauconnier at atosorigin.com Fri May 9 13:50:33 2008
From: valery.fauconnier at atosorigin.com (FAUCONNIER Valery AWL-IT)
Date: Fri, 9 May 2008 15:50:33 +0200
Subject: [Fedora-directory-users] Usermod
In-Reply-To:
Message-ID: <8B50AA62C37CB448A36B5076F9AB0E380122F30F@eri.winad.be>

Did you recompile sudo with the --with-ldap flag?

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Sigurður Bjarnason
Sent: Thursday 8 May 2008 15:48
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] Usermod

Thanks... I have however the SUDO schema for LDAP already. But I can't seem to figure out how to allow certain users to login as other users. Should I just allow the users to do su - ... but then they can login as root also, right?

This is my sudo schema:

dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) X-ORIGIN 'SUDO' )

Regards
Siggi

From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of FAUCONNIER Valery AWL-IT
Sent: 7. maí 2008 06:31
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] Usermod

There is a schema for sudo entries, look at http://fci.wikia.com/wiki/Setting_Up_A_Centralised_Authentication_Server_With_Sudo_Access_Using_LDAP

You have to modify the given schema to be compatible with fds (a script exists to convert schema):

# cat 77sudo.ldif
# ################################################################################ #
dn: cn=schema
# ################################################################################ #
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# ################################################################################ #
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# ################################################################################ #
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# ################################################################################ #
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# ################################################################################ #
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# ################################################################################ #
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries' SUP top STRUCTURAL MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) )
# ################################################################################ #

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Sigurður Bjarnason
Sent: Monday 5 May 2008 18:33
To: Fedora-directory-users at redhat.com
Subject: [Fedora-directory-users] Usermod

Hi All

Is there any way of defining usermod with FDS? Let's say that I am user "siggi" and I need to give him rights to login as user "test". Is that possible with FDS?

Regards
Siggi

From Soeren.Malchow at interone.de Fri May 9 14:07:59 2008
From: Soeren.Malchow at interone.de (Sören Malchow)
Date: Fri, 9 May 2008 16:07:59 +0200
Subject: [Fedora-directory-users] FDS - AD: sync deactivated status
Message-ID:

Dear all,

I have a FDS with synchronization to an AD up and running, everything including password sync is fine; the only attribute that is needed and not syncing is whether the user is deactivated or not.

I can deactivate users separately in FDS or AD but it does not sync. After a lot of research I could not find a solution for that, can someone please point me the way?

Regards
Soeren

From rmeggins at redhat.com Fri May 9 15:33:19 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 09 May 2008 09:33:19 -0600
Subject: [Fedora-directory-users] FDS - AD: sync deactivated status
In-Reply-To:
References:
Message-ID: <48246EBF.5050408@redhat.com>

Sören Malchow wrote:
>
> Dear all,
>
> I have a FDS with synchronization to an AD up and running, everything
> including password sync is fine, the only attribute that is needed and
> not syncing is whether the user is deactivated or not.
>
> I can deactivate users separately in FDS or AD but it does not sync,
> after a lot of research I could not find a solution for that, can
> someone please point me the way ?

That is not currently supported. What is the AD attribute that tells whether a user is active or not?
>
> Regards
> Soeren
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From andrey.ivanov at polytechnique.fr Fri May 9 18:37:03 2008
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Fri, 9 May 2008 20:37:03 +0200
Subject: [Fedora-directory-users] How to control the BIND operation using ACI
In-Reply-To: <4824392A.6090600@barc.gov.in>
References: <482296EC.4010203@barc.gov.in> <1601b8650805080604j7ac42e7cx6ea9a0292fdbe826@mail.gmail.com> <4823D943.3040903@barc.gov.in> <1601b8650805090315ie174014sa5f8d8e6be412fde@mail.gmail.com> <4824392A.6090600@barc.gov.in>
Message-ID: <1601b8650805091137v3b5219fcwc01c80165114f61e@mail.gmail.com>

Yes, I think that there is no way to deny a BIND depending on the group and originating IP condition. You can however deny any other access (read/compare/search). Depending on the filter you define for the squid/sendmail/php web page (even the simplest objectClass=*) these conditions are equivalent (the ldapsearch will bind but it will always return an empty set)...

2008/5/9 C.S.R.C.Murthy :
> Hi Andrey,
> As I first step, according to your suggestion, I have removed the default
> ACIs for anonymous and authenticated users. With this I expected that squid
> will not be able to BIND to the directory server as the default ACI action
> should be DENY in case there is no matching rule. But it is able to
> successfully BIND when I give proper login/password. If I am not able to
> deny BIND operation when there are no anonymous/authenticated ACI, then I
> will never be able to control BIND access, I assume. Please clarify.
From murthy at barc.gov.in Sat May 10 04:18:07 2008
From: murthy at barc.gov.in (murthy at barc.gov.in)
Date: Sat, 10 May 2008 09:48:07 +0530 (IST)
Subject: [Fedora-directory-users] How to control the BIND operation using ACI
In-Reply-To: <1601b8650805091137v3b5219fcwc01c80165114f61e@mail.gmail.com>
References: <482296EC.4010203@barc.gov.in> <1601b8650805080604j7ac42e7cx6ea9a0292fdbe826@mail.gmail.com> <4823D943.3040903@barc.gov.in> <1601b8650805090315ie174014sa5f8d8e6be412fde@mail.gmail.com> <4824392A.6090600@barc.gov.in> <1601b8650805091137v3b5219fcwc01c80165114f61e@mail.gmail.com>
Message-ID: <1068.59.184.174.104.1210393087.squirrel@203.197.42.3>

Hi,

Thanks for the confirmation.
Applications like squid are not doing any read/search/compare to verify authentication, but simply doing a BIND operation. I think the directory server may incorporate some form of BIND control feature.

regards
murthy

> Yes, i think that there is no way to deny a BIND depending on the
> group and originating IP condition. You can however deny any other
> access (read/compare/search). Depending on the filter you define for
> squid/sendmail/php web page (even the simplest objectClass=*) these
> conditions are equivalent (the ldapsearch will bind but it will always
> return an empty set)...
>> > >> > For INTERNET group : >> > aci: (targetattr = "attr1 || attr2")(version 3.0; acl "Enable >> > attributes to read for a certain ip adresses and to authentified >> > users";allow (read,search,compare)(((ip="192.168.0.66") or >> > (ip="172.16.191.66")) and (groupdn = >> > "ldap:///cn=INTERNET,ou=Groups,dc=example,dc=com"));) >> > >> > >> > For EMAIL group : >> > aci: (targetattr = "attr1 || attr2")(version 3.0; acl "Enable >> > attributes to read for a certain ip adresses and to authentified >> > users";allow (read,search,compare)(((ip="192.168.1.100") or >> > (ip="192.168.1.101")) and (groupdn = >> > "ldap:///cn=EMAIL,ou=Groups,dc=example,dc=com"));) >> > >> > 2008/5/9 C.S.R.C.Murthy : >> > >> > >> > > Dear Andrey, >> > > I did not make clear one point here. My exact ACI requirement is >> like >> > > this, I need to deny bind operation when the connecting DN belongs >> to >> > > certain group and the request is coming from certain ip address. How >> to >> do >> > > it in ACI?. More specifically we have one INTERNET group and one >> EMAIL >> > > group. If a person is in INTERNET group he will be allowed to >> authenticate >> > > (BIND) only from squid proxy server Simillarly if a person belongs >> to >> EMAIL >> > > grooup he will be allowed to authenticate (BIND) only from email >> server. >> We >> > > are unable to acheive this type of control using ACI. Please help. 
>> > > >> > > regards >> > > murthy >> > > >> > > Andrey Ivanov wrote: >> > > >> > > >> > > > You can do it like this, for example : >> > > > >> > > > ---------------------------------- >> > > > aci: (targetattr = "uniqueMember || uidNumber || gidNumber || >> > > > homeDirectory || loginShell || gecos")(version 3.0; acl "Enable >> > > > attributes to read for certain ip adresses and to authentified >> users"; >> > > > allow (read,search,compare)(((ip="192.168.0.*") or >> (ip="172.16.191.* >> > > > ") or (ip="192.168.1.15") or (ip="172.16.126.1")) and >> > > > (userdn="ldap:///all"));) >> > > > ------------------------------------ >> > > > Or you can simply use iptables... >> > > > >> > > > >> > > > 2008/5/8 C.S.R.C.Murthy : >> > > > >> > > > >> > > > >> > > > > Hello all, >> > > > > Iam using directory server for squid ldap authentication. Squid >> takes >> > > > > username/password, binds the directory server and if the BIND >> operation >> > > > > is >> > > > > successful it allows the user through proxy. My problem is how >> to >> specify >> > > > > an >> > > > > ACI so that BIND operation is allowed only from certain IP >> address?. >> ACI >> > > > > allows me to restrict READ/SEARCH/WRITE operations but not BIND >> > > > > operation. 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From andrey.ivanov at polytechnique.fr Sat May 10 10:41:21 2008
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Sat, 10 May 2008 12:41:21 +0200
Subject: [Fedora-directory-users] How to control the BIND operation using ACI
In-Reply-To: <1068.59.184.174.104.1210393087.squirrel@203.197.42.3>
References: <482296EC.4010203@barc.gov.in> <1601b8650805080604j7ac42e7cx6ea9a0292fdbe826@mail.gmail.com> <4823D943.3040903@barc.gov.in> <1601b8650805090315ie174014sa5f8d8e6be412fde@mail.gmail.com> <4824392A.6090600@barc.gov.in> <1601b8650805091137v3b5219fcwc01c80165114f61e@mail.gmail.com> <1068.59.184.174.104.1210393087.squirrel@203.197.42.3>
Message-ID: <1601b8650805100341w350d841bh57a6f9772016a988@mail.gmail.com>

As far as I can see from a quick google search, squid can do authorisation using ldap filters and groups; for example, look at this page :
http://linux.com.hk/penguin/man/8/squid_ldap_group.html

or here :
http://linux.die.net/man/8/squid_ldap_auth

2008/5/10 :
> Hi,
> Thanks for the confirmation. Applications like squid are not doing any read/search/compare to verify authentication, but simply doing a BIND operation. I think the directory server may incorporate some form of BIND control feature.
>
> regards
> murthy
From murthy at barc.gov.in Sun May 11 15:09:51 2008
From: murthy at barc.gov.in (murthy at barc.gov.in)
Date: Sun, 11 May 2008 20:39:51 +0530 (IST)
Subject: [Fedora-directory-users] How to control the BIND operation using ACI
In-Reply-To: <1601b8650805100341w350d841bh57a6f9772016a988@mail.gmail.com>
References: <482296EC.4010203@barc.gov.in> <1601b8650805080604j7ac42e7cx6ea9a0292fdbe826@mail.gmail.com> <4823D943.3040903@barc.gov.in> <1601b8650805090315ie174014sa5f8d8e6be412fde@mail.gmail.com> <4824392A.6090600@barc.gov.in> <1601b8650805091137v3b5219fcwc01c80165114f61e@mail.gmail.com> <1068.59.184.174.104.1210393087.squirrel@203.197.42.3> <1601b8650805100341w350d841bh57a6f9772016a988@mail.gmail.com>
Message-ID: <1178.59.184.174.74.1210518591.squirrel@203.197.42.3>

Hi,
Thank you very much for the URLs. This will help me to control users of which group can authenticate using ldap and go through the proxy. I will follow this approach.

Still there is the case where, if the squid proxy server is administered by some other people, they can bypass this restriction: instead of defining filters for the ldap operation, they can simply use the BIND operation to get authenticated. This can never be controlled at the LDAP server level. For that matter, this can be used by any application to bypass group level control.

regards
murthy

> As far as I can see from a quick google search, squid can do authorisation using ldap filters and groups; for example, look at this page :
> http://linux.com.hk/penguin/man/8/squid_ldap_group.html
>
> or here :
> http://linux.die.net/man/8/squid_ldap_auth
>> > >> >> >> > -- >> > Fedora-directory-users mailing list >> > Fedora-directory-users at redhat.com >> > https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > >> >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From andrey.ivanov at polytechnique.fr Sun May 11 15:20:03 2008 From: andrey.ivanov at polytechnique.fr (Andrey Ivanov) Date: Sun, 11 May 2008 17:20:03 +0200 Subject: [Fedora-directory-users] How to control the BIND operation using ACI In-Reply-To: <1178.59.184.174.74.1210518591.squirrel@203.197.42.3> References: <482296EC.4010203@barc.gov.in> <1601b8650805080604j7ac42e7cx6ea9a0292fdbe826@mail.gmail.com> <4823D943.3040903@barc.gov.in> <1601b8650805090315ie174014sa5f8d8e6be412fde@mail.gmail.com> <4824392A.6090600@barc.gov.in> <1601b8650805091137v3b5219fcwc01c80165114f61e@mail.gmail.com> <1068.59.184.174.104.1210393087.squirrel@203.197.42.3> <1601b8650805100341w350d841bh57a6f9772016a988@mail.gmail.com> <1178.59.184.174.74.1210518591.squirrel@203.197.42.3> Message-ID: <1601b8650805110820v4a4ae9a1h521773db42978ed3@mail.gmail.com> If you have a complete control over an application configuration, anyway you can do anything you want, even use/etc/passwd file instead of LDAP :) If you consider however that a bind limitation based on the ACIs could be a useful feature you can request this feature at the bugzilla of Fedora Directory Server (bugzilla.redhat.com). I don't know whether this feature exists in OpenLDAP or Active Directory... 2008/5/11 : > Thank you very much for the URLs. This will help me to control users of > which group can authenticate using ldap and go through proxy. I will > follow this approach. 
> > > As far as i can see making a quick google search squid can do > > authorisation using ldap fi> Still there is the case where if the squid proxy server is administered > by some other people, they can bypass this restriction as instead of > defining filters for ldap operation, they can simply use BIND operation > to get authenticated. This can never be controlled at the LDAP server > level. For that matter this can be used by any application to bypass > group level control. From romal at gmx.de Sun May 11 18:56:01 2008 From: romal at gmx.de (Robert M. Albrecht) Date: Sun, 11 May 2008 20:56:01 +0200 Subject: [Fedora-directory-users] Installation problem DS 1.1 on F9 Message-ID: <48274141.9080004@gmx.de> Hi, I installed DS 1.1 on F9. The installation works without problems, the server runs but management does not work. I can`t logon with cn=Directory Manager. Trying to start the daemon: [root at nass init.d]# /etc/init.d/dirsrv-admin start Starting dirsrv-admin: grep: /etc/dirsrv/admin-serv/adm.conf: Datei oder Verzeichnis nicht gefunden /var/run/dirsrv is not writable for [FEHLGESCHLAGEN] [root at nass init.d]# [root at nass /]# start-ds-admin ERROR: ld.so: object '/usr/lib/libssl3.so' from LD_PRELOAD cannot be preloaded: ignored. ERROR: ld.so: object '/usr/lib/libssl3.so' from LD_PRELOAD cannot be preloaded: ignored. (2)No such file or directory: httpd.worker: could not open error log file /var/log/dirsrv/admin-serv/error. Unable to open logs [root at nass /]# Used Versions: [root at nass init.d]# rpm --query fedora-ds fedora-ds-1.1.1-3.fc9.i386 [root at nass init.d]# cat /etc/fedora-release Fedora release 9 (Sulphur) Is this a known bug ? Should it work, or did I something wrong ? 
cu romal

From Soeren.Malchow at interone.de Sun May 11 20:37:40 2008
From: Soeren.Malchow at interone.de (Sören Malchow)
Date: Sun, 11 May 2008 22:37:40 +0200
Subject: [Fedora-directory-users] FDS - AD: sync deactivated status
In-Reply-To: <48246EBF.5050408@redhat.com>
References: <48246EBF.5050408@redhat.com>
Message-ID:

Hi Rich,

first, thanks for the answer.

The attribute in the active directory that controls whether the user is active or not is "userAccountControl"; the value for active accounts is "512" and for deactivated accounts it is "514" (both decimal). There are several more possible values, those can be found here:
http://support.microsoft.com/kb/305144

I think there are some more interesting values for synchronization, e.g.
- PASSWORD_EXPIRED
- LOCKOUT

If there is a way to synch these values somehow it would be great.

Regards
Soeren

Rich Megginson
Sent by: fedora-directory-users-bounces at redhat.com
09.05.2008 17:34
Please respond to "General discussion list for the Fedora Directory server project."
To: "General discussion list for the Fedora Directory server project."
Subject: Re: [Fedora-directory-users] FDS - AD: sync deactivated status

Sören Malchow wrote:
> Dear all,
>
> I have a FDS with synchronization to an AD up and running, everything including password sync is fine; the only attribute that is needed and not synching is whether the user is deactivated or not.
>
> I can deactivate users separately in FDS or AD but it does not sync. After a lot of research I could not find a solution for that, can someone please point me the way?

That is not currently supported. What is the AD attribute that tells whether a user is active or not?

From jad at jadickinson.co.uk Mon May 12 07:43:21 2008
From: jad at jadickinson.co.uk (John Dickinson)
Date: Mon, 12 May 2008 08:43:21 +0100
Subject: [Fedora-directory-users] Synchronization with multiple AD domains
Message-ID: <3D68BB0E-21CB-415B-9C25-FE8303D876C1@jadickinson.co.uk>

Hi,

I am designing an integrated Directory system and as part of it I need to link two Active Directory domains. They both contain the same set of users but exist in different domains for historical reasons. I want to link them so that users created in one domain auto-magically get created in the other. Since you can create multiple Windows Sync Agreements in Fedora DS I guess it could be used to make this work. I plan to test it soon but in the meantime am wondering if anyone else has tried this and knows of any problems or a better way?

Thanks
John

---
John Dickinson

From rmeggins at redhat.com Mon May 12 15:41:15 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 12 May 2008 09:41:15 -0600
Subject: [Fedora-directory-users] FDS - AD: sync deactivated status
In-Reply-To:
References: <48246EBF.5050408@redhat.com>
Message-ID: <4828651B.5010605@redhat.com>

Sören Malchow wrote:
> Hi Rich,
>
> first, thanks for the answer.
> The attribute in the active directory that controls whether the user is active or not is "userAccountControl"; the value for active accounts is "512" and for deactivated accounts it is "514" (both decimal).
>
> If there is a way to synch these values somehow it would be great.

There is not a way right now. However, please file a bug at bugzilla.redhat.com against Fedora Directory Server to request this to be supported.

From rmeggins at redhat.com Mon May 12 15:42:38 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 12 May 2008 09:42:38 -0600
Subject: [Fedora-directory-users] Installation problem DS 1.1 on F9
In-Reply-To: <48274141.9080004@gmx.de>
References: <48274141.9080004@gmx.de>
Message-ID: <4828656E.2020905@redhat.com>

Robert M. Albrecht wrote:
> Is this a known bug? Should it work, or did I do something wrong?

Looks like setup-ds-admin.pl did not complete successfully? Also do

    rpm -qi fedora-ds-base
    rpm -qi fedora-ds-admin

You might want to just start over again - yum erase fedora-ds-base - and reinstall and try again.

From rmeggins at redhat.com Mon May 12 15:47:37 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 12 May 2008 09:47:37 -0600
Subject: [Fedora-directory-users] admin server dsgw 403 forbidden error
In-Reply-To: <9BF995BC0E47744E9673A41486E24EE205638F48D3@MERCERMAIL.MercerU.local>
References: <9BF995BC0E47744E9673A41486E24EE205638F48D3@MERCERMAIL.MercerU.local>
Message-ID: <48286699.70303@redhat.com>

Scott Lacy wrote:
> Hi all,
>
> I am making some changes to dsgw.conf to point htmldir, configdir, and gwnametrans to customized html and config directories on FDS's admin server. Everything else seems to work except for clicking on Directory Server Gateway, which gives me:
>
> 403 Forbidden error: You don't have permission to access /dsgw/bin/lang on this server.
>
> The admin-serv error log shows:
>
> [Thu May 08 13:10:41 2008] [error] [client a.b.c.d] client denied by server configuration: /opt/fedora-ds/dsgw, referer: http://foxtrot:5000/clients/dsgw/bin/lang?context=dsgw
> [Thu May 08 13:10:41 2008] [error] [client a.b.c.d] client denied by server configuration: /opt/fedora-ds/dsgw, referer: http://foxtrot:5000/clients/dsgw/bin/lang?context=dsgw
>
> Admserv.conf has:
>
>     AllowOverride None
>     Options None
>     Order allow,deny
>     Allow from all
>     NESCompatEnv on
>
> I've beat my head against the wall until it hurts. Any pointers on where to look next?

I think Apache is trying to tell you that it does not allow CGI programs to be executed from that directory. I suggest you refer to the Apache documentation, especially the ScriptAlias directive and "Options +ExecCGI".

> Thanks,
> Scott
>
> ----------------------
> Scott Lacy
> Unix Systems Manager, Systems and Networks
> Mercer University
> 478 301 5509

From romal at gmx.de Mon May 12 18:14:00 2008
From: romal at gmx.de (Robert M. Albrecht)
Date: Mon, 12 May 2008 20:14:00 +0200
Subject: [Fedora-directory-users] Installation problem DS 1.1 on F9
In-Reply-To: <4828656E.2020905@redhat.com>
References: <48274141.9080004@gmx.de> <4828656E.2020905@redhat.com>
Message-ID: <482888E8.5020205@gmx.de>

Hi Rich,

thanks for your response.
    [root at nass ~]# rpm -qi fedora-ds-base
    Name        : fedora-ds-base               Relocations: (not relocatable)
    Version     : 1.1.0.1                           Vendor: Fedora Project
    Release     : 4.fc9                         Build Date: Mi 16 Apr 2008 20:18:14 CEST
    Install Date: So 11 Mai 2008 14:00:09 CEST      Build Host: xenbuilder4.fedora.phx.redhat.com
    Group       : System Environment/Daemons    Source RPM: fedora-ds-base-1.1.0.1-4.fc9.src.rpm
    Size        : 4681159                          License: GPLv2 with exceptions
    Signature   : DSA/SHA1, Do 24 Apr 2008 22:26:22 CEST, Key ID b44269d04f2a6fd2
    Packager    : Fedora Project
    URL         : http://directory.fedoraproject.org/
    Summary     : Fedora Directory Server (base)
    Description :
    Fedora Directory Server is an LDAPv3 compliant server. The base package includes the LDAP server and command line utilities for server administration.

    [root at nass ~]# rpm -qi fedora-ds-admin
    Name        : fedora-ds-admin              Relocations: (not relocatable)
    Version     : 1.1.4                             Vendor: Fedora Project
    Release     : 1.fc9                         Build Date: Di 15 Apr 2008 19:31:42 CEST
    Install Date: So 11 Mai 2008 14:00:12 CEST      Build Host: xenbuilder4.fedora.phx.redhat.com
    Group       : System Environment/Daemons    Source RPM: fedora-ds-admin-1.1.4-1.fc9.src.rpm
    Size        : 1058495                          License: GPLv2
    Signature   : DSA/SHA1, Di 29 Apr 2008 16:06:06 CEST, Key ID b44269d04f2a6fd2
    Packager    : Fedora Project
    URL         : http://directory.fedoraproject.org/
    Summary     : Fedora Administration Server (admin)
    Description :
    Fedora Administration Server is an HTTP agent that provides management features for Fedora Directory Server. It provides some management web apps that can be used through a web browser. It provides the authentication, access control, and CGI utilities used by the console.
    [root at nass ~]#

setup-ds-admin.pl did not bring any error messages. I will erase the packages and start all over.

cu romal

Rich Megginson wrote:
> Looks like setup-ds-admin.pl did not complete successfully? Also do
> rpm -qi fedora-ds-base
> rpm -qi fedora-ds-admin
>
> You might want to just start over again - yum erase fedora-ds-base - and reinstall and try again.

From romal at gmx.de Mon May 12 19:35:09 2008
From: romal at gmx.de (Robert M. Albrecht)
Date: Mon, 12 May 2008 21:35:09 +0200
Subject: [Fedora-directory-users] Installation problem DS 1.1 on F9
In-Reply-To: <4828656E.2020905@redhat.com>
References: <48274141.9080004@gmx.de> <4828656E.2020905@redhat.com>
Message-ID: <48289BED.5000507@gmx.de>

Hi Rich,

I erased all and reinstalled the directory server. setup-ds.pl works. setup-ds-admin.pl fails.
If I use the user fedorads it dumps this:

==============================================================================
The interactive phase is complete. The script will now set up your
servers. Enter No or go Back if you want to change something.
Are you ready to set up your servers? [yes]:
Creating directory server . . .
Could not import LDIF file '/tmp/ldifvPddDG.ldif'. Error: 256. Output: importing data ...
Error - Problem accessing the lockfile /var/lock/dirsrv/slapd-nass/lock
[12/May/2008:21:21:07 +0200] - Shutting down due to possible conflicts with other slapd processes

Error: Could not create directory server instance 'nass'.
Exiting . . .
Log file is '/tmp/setupwcE4ar.log'
[root@nass /]#

If I use the user nobody, this happens:

==============================================================================
The interactive phase is complete. The script will now set up your
servers. Enter No or go Back if you want to change something.
Are you ready to set up your servers? [yes]:
Creating directory server . . .
Your new DS instance 'nass' was successfully created.
Creating the configuration directory server . . .
Error: failed to open an LDAP connection to host 'nass.vorlon.lan' port '389' as user 'cn=Directory Manager'. Error: unknown.
Failed to create the configuration directory server
Exiting . . .
Log file is '/tmp/setupnRPVCv.log'
[root@nass /]#

I found this in /var/log/dirsrvr/slapd-nass/error

[12/May/2008:21:25:36 +0200] - dblayer_instance_start: pagesize: 4096, pages: 128766, procpages: 7659
[12/May/2008:21:25:36 +0200] - cache autosizing: import cache: 204800k
[12/May/2008:21:25:36 +0200] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096
[12/May/2008:21:25:36 +0200] - mkdir_p /var/lib/dirsrv/slapd-nass/db: error -5966 (Access Denied.)
[12/May/2008:21:25:36 +0200] - Can't start because the database directory "/var/lib/dirsrv/slapd-nass/db" either doesn't exist, or is not accessible
[12/May/2008:21:25:36 +0200] - ERROR: Failed to init database (error -1: Unknown error: -1)
[12/May/2008:21:28:35 +0200] - dblayer_instance_start: pagesize: 4096, pages: 128766, procpages: 7659
[12/May/2008:21:28:35 +0200] - cache autosizing: import cache: 204800k
[12/May/2008:21:28:35 +0200] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096
[12/May/2008:21:28:35 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[12/May/2008:21:28:35 +0200] - dblayer_instance_start: pagesize: 4096, pages: 128766, procpages: 7659
[12/May/2008:21:28:35 +0200] - cache autosizing: import cache: 204800k
[12/May/2008:21:28:35 +0200] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096
[12/May/2008:21:28:35 +0200] - import userRoot: Beginning import job...
[12/May/2008:21:28:35 +0200] - import userRoot: Index buffering enabled with bucket size 100
[12/May/2008:21:28:35 +0200] - import userRoot: Processing file "/tmp/ldifi0UXEb.ldif"
[12/May/2008:21:28:35 +0200] - import userRoot: Finished scanning file "/tmp/ldifi0UXEb.ldif" (9 entries)
[12/May/2008:21:28:36 +0200] - import userRoot: Workers finished; cleaning up...
[12/May/2008:21:28:36 +0200] - import userRoot: Workers cleaned up.
[12/May/2008:21:28:36 +0200] - import userRoot: Cleaning up producer thread...
[12/May/2008:21:28:36 +0200] - import userRoot: Indexing complete. Post-processing...
[12/May/2008:21:28:36 +0200] - import userRoot: Flushing caches...
[12/May/2008:21:28:36 +0200] - import userRoot: Closing files...
[12/May/2008:21:28:36 +0200] - All database threads now stopped
[12/May/2008:21:28:36 +0200] - import userRoot: Import complete. Processed 9 entries in 1 seconds. (9.00 entries/sec)
[12/May/2008:21:28:36 +0200] - Fedora-Directory/1.1.0 B2008.107.1816 starting up
[12/May/2008:21:28:37 +0200] - I'm resizing my cache now...cache was 209715200 and is now 8000000
[12/May/2008:21:28:37 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
(END)

The port 389 is running, so the ldap-server seems to be up. But the admin-console does not work.

cu romal

From richard at powerset.com Mon May 12 20:49:32 2008
From: richard at powerset.com (Richard Hesse)
Date: Mon, 12 May 2008 13:49:32 -0700
Subject: [Fedora-directory-users] Installation problem DS 1.1 on F9
In-Reply-To: <48289BED.5000507@gmx.de>
References: <48274141.9080004@gmx.de> <4828656E.2020905@redhat.com> <48289BED.5000507@gmx.de>
Message-ID: <84E2AE771361E9419DD0EFBD31F09C4D4F5BE32681@EXVMBX015-1.exch015.msoutlookonline.net>

You're running into permissions issues related to installing as two different users.

-Uninstall the packages (yum erase fedora-ds-base)
-Clean up the various directories left behind (/etc/dirsrv /var/lock/dirsrv /var/run/dirsrv /var/log/dirsrv /usr/lib(64) )
-Reinstall the packages

-richard

From vipulramani at gmail.com Mon May 12 21:42:07 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Mon, 12 May 2008 14:42:07 -0700
Subject: [Fedora-directory-users] netgroup configuration FDS with Sun solaris 10 x86 box

Hi all,

I am trying to configure FDS as directory server and the clients are Sun Solaris 10 boxes (all are Sun Solaris 10 x86).

bash-3.00# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
NS_LDAP_SERVERS= 192.168.109.73
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy

bash-3.00# ldaplist
dn: cn=Directory Administrators, dc=example, dc=com
dn: ou=People, dc=example, dc=com
dn: ou=Special Users,dc=example, dc=com
dn: ou=profile,dc=example,dc=com
dn: ou=group, dc=example,dc=com
dn: ou=netgroup, dc=example,dc=com
dn: ou=Groups, dc=example, dc=com

===ou=netgroup,dc=xxxx,dc=com===========
dn: cn=netgroup2,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: netgroup2
nisNetgroupTriple: (,vipul2,)

When I type this command I'm getting this error. Do I need to enable the netgroup database, or do I need to apply a patch to enable this?

bash-3.00# getent netgroup QAUsers
Unknown database: netgroup
usage: getent database [ key ... ]

--
Regards

Vipul Ramani

From gholbert at broadcom.com Mon May 12 21:49:55 2008
From: gholbert at broadcom.com (George Holbert)
Date: Mon, 12 May 2008 14:49:55 -0700
Subject: [Fedora-directory-users] netgroup configuration FDS with Sun solaris 10 x86 box
Message-ID: <4828BB83.7090401@broadcom.com>

On Solaris at least, the getent command doesn't support netgroup.
According to the man page, it supports any of:
passwd, group, hosts, ipnodes, services, protocols, ethers, project, networks, netmasks

From vipulramani at gmail.com Mon May 12 21:59:15 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Mon, 12 May 2008 14:59:15 -0700
Subject: [Fedora-directory-users] netgroup configuration FDS with Sun solaris 10 x86 box
In-Reply-To: <4828BB83.7090401@broadcom.com>
References: <4828BB83.7090401@broadcom.com>

So, netgroup does not work in Solaris 10???? :(

I want to configure group-based access for the servers, so what should I use?

On Mon, May 12, 2008 at 2:49 PM, George Holbert wrote:
> On Solaris at least, the getent command doesn't support netgroup.
> According to the man page, it supports any of:
> passwd, group, hosts, ipnodes, services, protocols, ethers, project,
> networks, netmasks

--
Regards

Vipul Ramani
From gholbert at broadcom.com Mon May 12 22:09:18 2008
From: gholbert at broadcom.com (George Holbert)
Date: Mon, 12 May 2008 15:09:18 -0700
Subject: [Fedora-directory-users] netgroup configuration FDS with Sun solaris 10 x86 box
In-Reply-To: <4828BB83.7090401@broadcom.com>
References: <4828BB83.7090401@broadcom.com>
Message-ID: <4828C00E.5060806@broadcom.com>

> So,
> Netgroup does not work in solaris 10 ???? :(

Solaris 10 doesn't have any specific netgroup problems that I'm aware of, and it has not dropped support for netgroup.
But, as in previous Solaris releases, the getent command doesn't talk to the netgroup database.

You can still use them, you just can't ask the system about them with getent.

From vipulramani at gmail.com Mon May 12 22:13:37 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Mon, 12 May 2008 15:13:37 -0700
Subject: [Fedora-directory-users] netgroup configuration FDS with Sun solaris 10 x86 box
In-Reply-To: <4828C00E.5060806@broadcom.com>
References: <4828BB83.7090401@broadcom.com> <4828C00E.5060806@broadcom.com>

Then, how can I configure group-based access for specific hosts????

On Mon, May 12, 2008 at 3:09 PM, George Holbert wrote:
> Solaris 10 doesn't have any specific netgroup problems that I'm aware of,
> and it has not dropped support for netgroup.
> But, as in previous Solaris releases, the getent command doesn't talk to
> the netgroup database.
>
> You can still use them, you just can't ask the system about them with
> getent.

--
Regards

Vipul Ramani

From paolo.barbato at igi.cnr.it Tue May 13 06:50:17 2008
From: paolo.barbato at igi.cnr.it (Paolo Barbato)
Date: Tue, 13 May 2008 08:50:17 +0200
Subject: [Fedora-directory-users] FDS - AD: sync deactivated status
In-Reply-To: <4828651B.5010605@redhat.com>
References: <48246EBF.5050408@redhat.com> <4828651B.5010605@redhat.com>
Message-ID: <82C76D71-60ED-4D94-971A-20BA6AE99952@igi.cnr.it>

I also "sponsor" adding these values in sync.
Actually I simply plan to give the same expiration date both to AD and FD.

Regards,
Paolo.

On 12/May/08, at 17:41, Rich Megginson wrote:
> Sören Malchow wrote:
>>
>> Hi Rich,
>>
>> first, thanks for the answer.
>>
>> The attribute in the active directory that controls whether the
>> user is active or not is "userAccountControl"; the value for active
>> accounts is "512" and for deactivated accounts it is "514" (both
>> decimal).
>>
>> There are several more possible values, those can be found here
>>
>> http://support.microsoft.com/kb/305144
>>
>> I think there are some more interesting values for synchronization,
>> e.g.
>>
>> - PASSWORD_EXPIRED
>> - LOCKOUT
>>
>> if there is a way to sync these values somehow it would be great.
> There is not a way right now. However, please file a bug at
> bugzilla.redhat.com against Fedora Directory Server to request this
> to be supported.
>>
>> Regards
>> Soeren
>>
>> Rich Megginson wrote (09.05.2008 17:34):
>>
>> Sören Malchow wrote:
>> >
>> > Dear all,
>> >
>> > I have a FDS with synchronization to an AD up and running,
>> > everything including password sync is fine, the only attribute that
>> > is needed and not synching is whether the user is deactivated or not.
>> >
>> > I can deactivate users separately in FDS or AD but it does not sync,
>> > after a lot of research I could not find a solution for that, can
>> > someone please point me the way?
>> That is not currently supported. What is the AD attribute that tells
>> whether a user is active or not?
>> >
>> > Regards
>> > Soeren

------------------------------------------------------------------------------------------------
Paolo Barbato               email:    mailto:paolo.barbato at igi.cnr.it
Network Administrator       phone:    (39-049)-829-5097 (39-049)-829-5000
Corso Stati Uniti,4         www:      http://www.igi.cnr.it
35127 Camin-Padova          PGP:      http://www.igi.cnr.it/wwwpgp/rfx_paolo_barbato.pgp
ITALY                       JabberID: rfx_paolo_barbato at messenger.efda.org
------------------------------------------------------------------------------------------------

From etorres at dap.es Tue May 13 06:52:52 2008
From: etorres at dap.es (Esteban Torres Rodriguez)
Date: Tue, 13 May 2008 08:52:52 +0200
Subject: [Fedora-directory-users] FDS - AD: sync deactivated status
Message-ID: <48295762.655F.0018.0@dap.es>

Hello everyone:

Sören Malchow, have you managed to synchronize all the attributes of AD? I spent time trying to synchronize all the attributes of AD to SDS but I have not succeeded. Has anyone managed to synchronize the attributes? How did you do it?

Greetings.
Esteban Torres Rodríguez
TECHNICAL SUPPORT AREA - Server Administration
Information Systems Subdirectorate
Empresa Pública Desarrollo Agrario y Pesquero
email: etorres at dap.es

From kenneho.ndu at gmail.com Tue May 13 07:00:10 2008
From: kenneho.ndu at gmail.com (Kenneth Holter)
Date: Tue, 13 May 2008 09:00:10 +0200
Subject: [Fedora-directory-users] Directory server connection problems after enabling TLS

Hi.

I've just set up a Red Hat Directory Server, and it was working fine until I enabled SSL/TLS. The LDAP server and my test LDAP client should be set up correctly according to the manual, but I seem to have missed something.

Since enabling TLS I'm no longer allowed to log onto my LDAP client. The error message says "Connection closed by 127.0.0.1".

However, when issuing the command "ldapsearch -x -H 'ldaps://'" the query is successful.

I've installed a CA signed server certificate on the LDAP server, and installed the CA certificate on the LDAP client.

As I'm quite new to LDAP I could use some advice on how to debug this. Thanks in advance.

Regards,
kenneho
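Kenneth's own "Solved!" follow-up further down names the cause: the client had been configured with the server's IP address, and RFC 2830 section 3.6 has the client match the server certificate against the name it was configured to contact. The added example below (not code from this thread) reimplements that identity check on a constructed certificate dict in the shape ssl.SSLSocket.getpeercert() returns, so it can show offline why an FQDN-only certificate accepts the FQDN and rejects the bare IP; names and addresses in it are constructed.

```python
# Added example, not code from this thread. It reimplements the server
# identity check of RFC 2830 section 3.6 to show why a client configured with
# the server's IP address fails against a certificate issued to the FQDN.
# The certificate is a constructed dict in the shape ssl.SSLSocket.getpeercert()
# returns; in real clients the TLS library performs this check itself.

import ipaddress
from typing import Dict, Tuple


def _match_dns(pattern: str, hostname: str) -> bool:
    """Case-insensitive dNSName comparison. A '*' is accepted only as the
    whole leftmost label (*.example.com), the conservative reading of the
    RFC 2830 wildcard rule; '*' never spans a dot or matches a bare domain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def server_identity_ok(configured_host: str, cert: Dict) -> Tuple[bool, str]:
    """Return (accepted, reason) for the name the client was told to contact.
    Rules: an IP literal matches only an iPAddress SAN; a hostname matches a
    dNSName SAN; the subject CN is consulted only when no dNSName SAN exists."""
    try:
        ip = ipaddress.ip_address(configured_host)
    except ValueError:
        ip = None
    sans = cert.get("subjectAltName", ())
    if ip is not None:
        # An address literal can never satisfy a dNSName entry.
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, "iPAddress SAN matches " + configured_host
        named = ", ".join(v for _, v in sans) or "only a subject CN"
        return False, "client used IP literal %s but certificate names %s" % (
            configured_host, named)
    dns_names = [value for kind, value in sans if kind == "DNS"]
    for name in dns_names:
        if _match_dns(name, configured_host):
            return True, "dNSName SAN %s matches %s" % (name, configured_host)
    if not dns_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName" and _match_dns(value, configured_host):
                    return True, "subject CN %s matches (no dNSName SAN)" % value
    return False, "no certificate name matches " + configured_host


# Constructed certificate: issued to the FQDN only, as a CA would normally do.
FQDN_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"),
                       ("DNS", "*.ldap-pool.example.com")),
}
# The same certificate with an iPAddress SAN added (constructed address).
FQDN_AND_IP_CERT = {
    "subject": FQDN_CERT["subject"],
    "subjectAltName": FQDN_CERT["subjectAltName"] + (("IP Address", "10.0.0.5"),),
}

if __name__ == "__main__":
    for host in ("ldap.example.com", "10.0.0.5", "node1.ldap-pool.example.com"):
        print(host, server_identity_ok(host, FQDN_CERT))
    print("10.0.0.5", server_identity_ok("10.0.0.5", FQDN_AND_IP_CERT))
```

The fix Kenneth applied (configure the FQDN) is the first case; the only way the IP form could pass is the second certificate, which carries an iPAddress SAN for it.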
From Soeren.Malchow at interone.de Tue May 13 09:30:52 2008
From: Soeren.Malchow at interone.de (Sören Malchow)
Date: Tue, 13 May 2008 11:30:52 +0200
Subject: [Fedora-directory-users] FDS - AD: sync deactivated status
In-Reply-To: <48295762.655F.0018.0@dap.es>
References: <48295762.655F.0018.0@dap.es>

Dear Esteban,

no, we have not managed to sync the attributes between Active Directory and FDS, but as Rich said, I filed a bug in the bugzilla, and hopefully this issue is resolved in the next version.

Regards
Soeren
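The thread above pins the AD side down to one attribute: userAccountControl is 512 for an active account and 514 for a disabled one, with further bits (PASSWORD_EXPIRED, LOCKOUT) listed in KB 305144. The added example below (not code from this thread or from FDS) decodes that value from a constructed LDIF export and builds the FDS-side change a sync job would have to make; the DNs and the assumption that the FDS DN equals the AD DN are constructed for the example.

```python
# Added example, not code from this thread: decode Active Directory's
# userAccountControl (the thread's 512 = active, 514 = disabled) and turn it
# into the account state an AD-to-FDS sync would have to carry across.
# Flag values are those listed in Microsoft KB 305144, linked in the thread.

from typing import Dict, List

UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}


def decode_uac(value: int) -> List[str]:
    """Names of the set flags, lowest bit first. Bits with no KB 305144 name
    come back as UNKNOWN_0x... so a sync job never silently drops one."""
    return [UAC_FLAGS.get(1 << b, "UNKNOWN_0x%08X" % (1 << b))
            for b in range(32) if value & (1 << b)]


def account_state(value: int) -> Dict[str, bool]:
    """The state the thread wants mirrored into FDS. Note that AD does not
    keep LOCKOUT and PASSWORD_EXPIRED current in the stored attribute; read
    msDS-User-Account-Control-Computed for live values of those two."""
    return {
        "disabled": bool(value & 0x0002),
        "locked_out": bool(value & 0x0010),
        "password_expired": bool(value & 0x800000),
        "normal_account": bool(value & 0x0200),
    }


def parse_ldif_uac(ldif: str) -> Dict[str, int]:
    """DN -> userAccountControl from an LDIF export, honouring LDIF line
    folding (a continuation line starts with a single space)."""
    unfolded: List[str] = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    result: Dict[str, int] = {}
    dn = None
    for line in unfolded:
        if line.startswith("dn:"):
            dn = line[3:].strip()
        elif dn and line.lower().startswith("useraccountcontrol:"):
            result[dn] = int(line.split(":", 1)[1])
    return result


def fds_lock_modify(dn: str, value: int) -> str:
    """LDIF modify that mirrors the AD disabled bit onto the matching FDS
    entry via nsAccountLock, the attribute FDS reads to treat an account as
    inactivated. Assumption for this example: the FDS DN equals the AD DN."""
    locked = "true" if account_state(value)["disabled"] else "false"
    return ("dn: %s\nchangetype: modify\nreplace: nsAccountLock\n"
            "nsAccountLock: %s\n" % (dn, locked))


# Constructed export: one active and one disabled user; the second entry's
# userAccountControl line is folded to exercise the unfolding logic.
SAMPLE_LDIF = """\
dn: CN=Alice,OU=Users,DC=example,DC=com
objectClass: user
userAccountControl: 512

dn: CN=Bob,OU=Users,DC=example,DC=com
objectClass: user
userAccountControl: 5
 14
"""

if __name__ == "__main__":
    for dn, uac in parse_ldif_uac(SAMPLE_LDIF).items():
        print(dn, uac, decode_uac(uac), account_state(uac))
        print(fds_lock_modify(dn, uac))
```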
URL:
From kenneho.ndu at gmail.com Tue May 13 11:06:19 2008 From: kenneho.ndu at gmail.com (Kenneth Holter) Date: Tue, 13 May 2008 13:06:19 +0200 Subject: [Fedora-directory-users] Re: Directory server connection problems after enabling TLS In-Reply-To: References: Message-ID:
Solved! Turns out that I had used the LDAP server's ip-address instead of its FQDN when configuring the client. This is apparently not correct according to http://www.rfc-editor.org/rfc/rfc2830.txt section 3.6 So the solution was simply to issue "authconfig-tui", and replace the LDAP server's IP address with its FQDN.
On 5/13/08, Kenneth Holter wrote: > > Hi. > > > I've just set up a Red Hat Directory Server, and it was working fine > until I enabled SSL/TLS. The LDAP server and my test LDAP client should be > set up correctly according to the manual, but I seem to have missed > something. > > Since enabling TLS I'm no longer allowed to log onto my LDAP client. The > error message says "Connection closed by 127.0.0.1". > > However, when issuing the command "ldapsearch -x -H > 'ldaps://'" the query is successful. > > I've installed a CA signed server certificate on the LDAP server, and > installed the CA certificate on the LDAP client. > > As I'm quite new to LDAP I could use some advice on how to debug this. > Thanks in advance. > > Regards, > kenneho >
-------------- next part -------------- An HTML attachment was scrubbed... URL:
From kenneho.ndu at gmail.com Tue May 13 13:22:34 2008 From: kenneho.ndu at gmail.com (Kenneth Holter) Date: Tue, 13 May 2008 15:22:34 +0200 Subject: [Fedora-directory-users] SSL/TLS vs SASL in Directory Server solution In-Reply-To: References: Message-ID:
Hi. We're planning on deploying Red Hat Directory Server 8.0, and could need some advice on security. The DS supports both TLS and SASL. TLS can be used for both authentication and encryption, and should therefore cover our security needs.
SASL is quite new to me, and as of now I don't see the benefit of using it. Which security or functionality features does SASL provide that TLS doesn't? I know that SASL enables integration with Kerberos, but we're most likely not going for a Kerberos based solution. Furthermore, what are the default security features of RHDS 8.0? Is it using SASL by default (is it possible to deactivate it)? Regards, kenneho
-------------- next part -------------- An HTML attachment was scrubbed... URL:
From david_list at boreham.org Tue May 13 13:31:13 2008 From: david_list at boreham.org (David Boreham) Date: Tue, 13 May 2008 07:31:13 -0600 Subject: [Fedora-directory-users] SSL/TLS vs SASL in Directory Server solution In-Reply-To: References: Message-ID: <48299821.2060006@boreham.org>
Kenneth Holter wrote: > The DS supports both TLS and SASL. TLS can be used for both > authentication and encryption, and should therefore cover our security > needs. > > SASL is quite new to me, and as of now I don't see the benefit of > using it. Which security or functionality features does SASL provide > that TLS doesn't? I know that SASL enables integration with Kerberos, > but we're most likely not going for a Kerberos based solution. >
SASL is primarily needed to support Kerberos clients. Use TLS unless you already know that you want SASL for some reason.
From rnappert at juniper.net Tue May 13 13:54:04 2008 From: rnappert at juniper.net (Reinhard Nappert) Date: Tue, 13 May 2008 09:54:04 -0400 Subject: [Fedora-directory-users] MMR: excessive clock skew Message-ID: <3525C9833C09ED418C6FD6CD9514668C03D67CDB@emailwf1.jnpr.net>
Hi, I experienced with an FDS 1.0.4 MMR setup the following issue: After weeks of proper replication, the replication fails with the following error-log entry:
[08/May/2008:15:36:05 +0800] NSMMReplicationPlugin - conn=889 op=3 replica="": Unable to acquire replica: error: excessive clock skew
Both boxes are configured with the same NTP server and the clock is in sync.
After replication was disabled (deletion of all changelogs) and configuring the MMR from scratch, replication works fine for a while, but eventually the above mentioned issue occurs again. Did anyone experience the same? Is there a solution to fix this issue? Thanks, -Reinhard
-------------- next part -------------- An HTML attachment was scrubbed... URL:
From rmeggins at redhat.com Tue May 13 14:02:47 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 13 May 2008 08:02:47 -0600 Subject: [Fedora-directory-users] MMR: excessive clock skew In-Reply-To: <3525C9833C09ED418C6FD6CD9514668C03D67CDB@emailwf1.jnpr.net> References: <3525C9833C09ED418C6FD6CD9514668C03D67CDB@emailwf1.jnpr.net> Message-ID: <48299F87.5030100@redhat.com>
Reinhard Nappert wrote: > > Hi, > > I experienced with an FDS 1.0.4 MMR setup the following issue: After > weeks of proper replication, the replication fails with the following > error-log entry: > > [08/May/2008:15:36:05 +0800] NSMMReplicationPlugin - conn=889 op=3 > replica="": Unable to acquire replica: error: excessive clock skew > > Both boxes are configured with the same NTP server and the clock is in > sync. > After replication was disabled (deletion of all changelogs) and > configuring the MMR from scratch, replication works fine for a while, > but eventually the above mentioned issue occurs again. > > Did anyone experience the same? Is there a solution to fix this issue? >
There have been two other reports of similar problems. https://bugzilla.redhat.com/show_bug.cgi?id=233642 Are these 64-bit machines? What is the period of time between failures? Do you have any error messages that say what the clock skew is? Has anyone seen these errors with 1.1? We fixed a few 64-bit issues in 1.1.
> > Thanks, > -Reinhard > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >
-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL:
From rnappert at juniper.net Tue May 13 14:06:23 2008 From: rnappert at juniper.net (Reinhard Nappert) Date: Tue, 13 May 2008 10:06:23 -0400 Subject: [Fedora-directory-users] MMR: excessive clock skew In-Reply-To: <48299F87.5030100@redhat.com> References: <3525C9833C09ED418C6FD6CD9514668C03D67CDB@emailwf1.jnpr.net> <48299F87.5030100@redhat.com> Message-ID: <3525C9833C09ED418C6FD6CD9514668C03D67CEA@emailwf1.jnpr.net>
This is a 32 bit implementation. I try to get a bit more information about the interval and error logs. This actually happened on a live setup. -Reinhard
-----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson Sent: Tuesday, May 13, 2008 10:03 AM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] MMR: excessive clock skew
Reinhard Nappert wrote: > > Hi, > > I experienced with an FDS 1.0.4 MMR setup the following issue: After > weeks of proper replication, the replication fails with the following > error-log entry: > > [08/May/2008:15:36:05 +0800] NSMMReplicationPlugin - conn=889 op=3 > replica="": Unable to acquire replica: error: excessive clock skew > > Both boxes are configured with the same NTP server and the clock is in > sync. > After replication was disabled (deletion of all changelogs) and > configuring the MMR from scratch, replication works fine for a while, > but eventually the above mentioned issue occurs again. > > Did anyone experience the same?
Is there a solution to fix this issue? >
There have been two other reports of similar problems. https://bugzilla.redhat.com/show_bug.cgi?id=233642 Are these 64-bit machines? What is the period of time between failures? Do you have any error messages that say what the clock skew is? Has anyone seen these errors with 1.1? We fixed a few 64-bit issues in 1.1.
> > Thanks, > -Reinhard > > ---------------------------------------------------------------------- > -- > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >
From kenneho.ndu at gmail.com Tue May 13 14:27:53 2008 From: kenneho.ndu at gmail.com (Kenneth Holter) Date: Tue, 13 May 2008 16:27:53 +0200 Subject: [Fedora-directory-users] SSL/TLS vs SASL in Directory Server solution In-Reply-To: <48299821.2060006@boreham.org> References: <48299821.2060006@boreham.org> Message-ID:
Thank you for the quick reply. We're going for the TLS based solution. However, I'd like a better understanding of SASL, so let me post these questions:
- What can SASL be used for besides Kerberos integration?
- The RHDS documentation says that TLS can be used as an authentication mechanism, but doesn't provide much detail.
- How can I check if SASL is enabled on my LDAP server (RHDS)?
On 5/13/08, David Boreham wrote: > Kenneth Holter wrote: > > > The DS supports both TLS and SASL. TLS can be used for both > > authentication and encryption, and should therefore cover our security > > needs. > > SASL is quite new to me, and as of now I don't see the benefit of using > > it. Which security or functionality features does SASL provide that TLS > > doesn't? I know that SASL enables integration with Kerberos, but we're most > > likely not going for a Kerberos based solution. > > > > > SASL is primarily needed to support Kerberos clients. > Use TLS unless you already know that you want SASL for some reason.
> > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >
-------------- next part -------------- An HTML attachment was scrubbed... URL:
From rmeggins at redhat.com Tue May 13 14:34:56 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 13 May 2008 08:34:56 -0600 Subject: [Fedora-directory-users] SSL/TLS vs SASL in Directory Server solution In-Reply-To: References: <48299821.2060006@boreham.org> Message-ID: <4829A710.4040900@redhat.com>
Kenneth Holter wrote: > Thank you for the quick reply. > > We're going for the TLS based solution. However, I'd like a better > understanding of SASL, so let me post these questions: > > * What can SASL be used for besides Kerberos integration? >
The SASL mechanism Digest-MD5 is an LDAP standard authentication mechanism.
> > * The RHDS documentation says that TLS can be used as an > authentication mechanism, but doesn't provide much detail. >
You can use an X.509 user certificate (cert) to authenticate to the server. http://directory.fedoraproject.org/wiki/Howto:CertMapping
> > * How can I check if SASL is enabled on my LDAP server (RHDS)? >
It is enabled by default. ldapsearch -x -s base -b "" "objectclass=*" supportedsaslmechanisms
> > On 5/13/08, *David Boreham* > wrote: > > Kenneth Holter wrote: > > The DS supports both TLS and SASL. TLS can be used for both > authentication and encryption, and should therefore cover our > security needs. > SASL is quite new to me, and as of now I don't see the > benefit of using it. Which security or functionality features > does SASL provide that TLS doesn't? I know that SASL enables > integration with Kerberos, but we're most likely not going for > a Kerberos based solution. > > > SASL is primarily needed to support Kerberos clients. > Use TLS unless you already know that you want SASL for some reason.
> > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From david_list at boreham.org Tue May 13 15:01:56 2008 From: david_list at boreham.org (David Boreham) Date: Tue, 13 May 2008 09:01:56 -0600 Subject: [Fedora-directory-users] SSL/TLS vs SASL in Directory Server solution In-Reply-To: References: <48299821.2060006@boreham.org> Message-ID: <4829AD64.6060207@boreham.org> Kenneth Holter wrote: > We're going for the TLS based solution. However, I'd like a better > understanding of SASL, so let me post these questions: > > * What can SASL be used for besides Kerberos integration? > SASL is a pluggable authentication framework, so it is a bit abstract when you read about it. In theory you can use SASL to support any authentication mechanism you can think of (smart cards, fingerprint scanners, etc etc). In practice, in the context of LDAP it is typically used for Kerberos or as Rich pointed out one of the challenge-response authentication mechanisms that prevent plaintext password exposure, such as Digest-MD5. To be honest I'm not sure how much of either of these is widely deployed. I only ever see SSL/TLS in the wild, outside of hard core Kerberos shops. SASL was originally developed to allow pluggable authentication to be added to protocols that had either no authentication at all, or very weak support for authentication (IMAP and SMTP for example). 
In the context of LDAP its value is less clear because LDAP already had well developed support for SSL and cert-based auth, that for the most part removes the need for SASL. In addition, since the LDAP server is generally itself the authoritative authentication service, the pluggable SASL server mechanisms really don't make sense most of the time (because the LDAP server doesn't want or need to ask any other entity to take its authentication decisions for it). > > * The RHDS documentation says that TLS can be used as an > authentication mechanism, but doesn't provide much details. > There are two different ways to use TLS to facilitate authentication : 1) Use plain text passwords but with TLS protecting the traffic from eavesdropping, and providing a way for clients to trust servers. This is what is used 99% of the time. 2) Cert-based authentication (similar to SSH keys if you've used that) where the DS authenticates the client based on crypto, derived from the client being in possession of a suitable certificate. This is used mostly in high security environments (with hardware tokens for example). > > * How can I check if SASL is enabled on my LDAP server (RHDS)? > There's a way to get the list of supported SASL mechanisms from the rootDSE. Another way is to attempt a SASL BIND operation with a client and see if it succeeds. I can dig out the details on these later if you can't track them down with Google, if I have some spare time... From memory, the server always has the EXTERNAL (SSL) and digest mechanisms enabled. Kerberos will be enabled if the machine is suitably configured (has Kerberos installed, configured correctly, rubber chicken held above the console while chanting prayers to the security gods, etc). -------------- next part -------------- An HTML attachment was scrubbed... 
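David's first use of TLS above (clients trusting servers) rests on the server identity check of RFC 2830 section 3.6, the same check that Kenneth ran into earlier in this archive when his client was configured with the server's IP address instead of its FQDN. The following is an added example written for this archive, not code from the thread or from the Directory Server project: it implements that matching rule and a small diagnosis of a client "host" setting. It assumes the certificate's dNSName subjectAltName values and subject CN have already been read out of the parsed X.509 certificate, so the functions take plain lists and strings; the certificate names in the `__main__` block are constructed.

```python
"""Server-identity check an LDAP client makes under TLS (RFC 2830 section 3.6).

Added example for this archive; not code from the thread or from the
Directory Server project. A real client reads the names out of the parsed
X.509 certificate; here they are passed in as plain Python values.
"""
import ipaddress


def _name_matches(cert_name, connected_host):
    """Match one certificate name against the name the client connected to.

    RFC 2830 3.6: matching is case-insensitive, and a '*' wildcard applies
    only to the left-most label, so '*.bar.com' matches 'a.bar.com' but
    neither 'bar.com' nor 'x.a.bar.com'.
    """
    pattern = cert_name.lower().rstrip(".")
    host = connected_host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    plabels = pattern.split(".")
    hlabels = host.split(".")
    if len(plabels) < 2 or plabels[0] != "*" or any("*" in lab for lab in plabels[1:]):
        return False  # a wildcard anywhere but the left-most label is rejected
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def server_name_matches(connected_host, san_dns_names, subject_cn=None):
    """True if connected_host is an acceptable identity for the certificate.

    RFC 2830 says the client MUST compare the host name it used to open the
    connection (never a reverse-resolved or canonical name) and SHOULD use
    dNSName subjectAltName values when present; the CN is consulted only
    when the certificate carries no dNSName, which is what common clients do.
    """
    if san_dns_names:
        candidates = list(san_dns_names)
    else:
        candidates = [subject_cn] if subject_cn else []
    return any(_name_matches(name, connected_host) for name in candidates)


def diagnose_client_host(configured_host, san_dns_names, subject_cn=None):
    """Explain whether a client 'host' setting will pass the identity check.

    This is the failure Kenneth saw: a client configured with the server's
    IP literal compares that literal against DNS names in the certificate,
    which can never match, so the client drops the connection.
    """
    try:
        ipaddress.ip_address(configured_host)
    except ValueError:
        pass  # not an IP literal, go on to name matching
    else:
        return (False, "client is configured with the IP literal %s; the certificate "
                       "carries DNS names, so configure the server's FQDN instead"
                % configured_host)
    if server_name_matches(configured_host, san_dns_names, subject_cn):
        return (True, "'%s' matches a name in the server certificate" % configured_host)
    return (False, "'%s' matches none of the certificate names %s"
            % (configured_host, list(san_dns_names) or [subject_cn]))


if __name__ == "__main__":
    # Constructed certificate names, not taken from any real server.
    san = ["ldap.example.com", "*.ldap.example.com"]
    for host in ("ldap.example.com", "node1.ldap.example.com", "192.0.2.10", "example.com"):
        print(host, diagnose_client_host(host, san, subject_cn="ldap.example.com"))
```

The check deliberately has no rule for IP literals: RFC 2830 only defines dNSName and CN matching, which is exactly why a client configured with an address fails even though the certificate and CA are installed correctly.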
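Rich's ldapsearch of the rootDSE (supportedsaslmechanisms) and David's remark that the list of SASL mechanisms can be read from the rootDSE both leave the administrator with raw LDIF to interpret. This added example, not code from the thread or from the Directory Server project, parses that LDIF (including base64 `::` values and continuation lines) and flags the mechanisms worth reviewing, following David's point that mechanisms sending the password in the clear are only acceptable inside TLS. The LDIF in `SAMPLE_ROOTDSE` is a constructed sample whose mechanism list is invented to exercise the parser; it does not describe what any particular server version advertises.

```python
"""Audit the SASL mechanisms a directory server advertises in its rootDSE.

Added example; not code from the thread or from the Directory Server
project. Input is the LDIF that Rich's command prints:
    ldapsearch -x -s base -b "" "objectclass=*" supportedsaslmechanisms
"""
import base64

# Constructed sample output; the mechanism list is invented to exercise the
# parser and does not describe what any particular server version offers.
SAMPLE_ROOTDSE = """\
# extended LDIF (constructed sample)
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms:: R1NTQVBJ
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMO
 US
"""

CLEARTEXT_PASSWORD = {"PLAIN", "LOGIN"}          # password crosses the wire as-is
CHALLENGE_RESPONSE = {"DIGEST-MD5", "CRAM-MD5"}  # MD5-based; DIGEST-MD5 is historic (RFC 6331)


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_lower: [values]}.

    Handles '::' base64 values and continuation lines (leading space),
    which ldapsearch uses for long or non-ASCII values; skips comments.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # continuation of the previous line
        else:
            logical.append(raw)
    attrs = {}
    for line in logical:
        if not line.strip():
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs


def audit_sasl(ldif_text, tls_required):
    """Return (mechanisms, findings) for the rootDSE LDIF.

    tls_required: True when binds are only accepted over TLS/ldaps (or the
    clients are known to always use it); otherwise cleartext mechanisms
    expose passwords to anyone on the network path.
    """
    entry = parse_ldif_entry(ldif_text)
    mechs = [m.upper() for m in entry.get("supportedsaslmechanisms", [])]
    findings = []
    for m in mechs:
        if m in CLEARTEXT_PASSWORD and not tls_required:
            findings.append((m, "sends the password in the clear; acceptable only inside TLS"))
        elif m in CHALLENGE_RESPONSE:
            findings.append((m, "MD5 challenge-response; no cleartext on the wire, but DIGEST-MD5 "
                                "is historic (RFC 6331) and CRAM-MD5 is similarly weak"))
        elif m == "ANONYMOUS":
            findings.append((m, "anonymous SASL bind is offered; confirm anonymous access is intended"))
    return mechs, findings


if __name__ == "__main__":
    mechs, findings = audit_sasl(SAMPLE_ROOTDSE, tls_required=False)
    print("advertised:", ", ".join(mechs))
    for mech, note in findings:
        print("  %-10s %s" % (mech, note))
```

To audit a real server, pipe the ldapsearch output into `audit_sasl` instead of `SAMPLE_ROOTDSE`; EXTERNAL and GSSAPI produce no finding because the first carries no password at all (it is the certificate-based bind Rich and David describe) and the second is Kerberos.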
URL: From lyoung at sunyrockland.edu Tue May 13 15:24:32 2008 From: lyoung at sunyrockland.edu (Lin Young) Date: Tue, 13 May 2008 11:24:32 -0400 Subject: [Fedora-directory-users] Fedora-DS Nightly Backup In-Reply-To: <4829AD64.6060207@boreham.org> References: <48299821.2060006@boreham.org> <4829AD64.6060207@boreham.org> Message-ID: <4829B2B0.5000105@sunyrockland.edu> Hi. We are new to the Fedora-DS. I wonder how people setup their nightly backup jobs on Fedora-DS. Is there any backup script available? Or is that something that we could setup in the admin console? Thanks in advance. From rmeggins at redhat.com Tue May 13 15:29:52 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 13 May 2008 09:29:52 -0600 Subject: [Fedora-directory-users] Fedora-DS Nightly Backup In-Reply-To: <4829B2B0.5000105@sunyrockland.edu> References: <48299821.2060006@boreham.org> <4829AD64.6060207@boreham.org> <4829B2B0.5000105@sunyrockland.edu> Message-ID: <4829B3F0.8010509@redhat.com> Lin Young wrote: > Hi. We are new to the Fedora-DS. I wonder how people setup their > nightly backup jobs on Fedora-DS. > Is there any backup script available? > Or is that something that we could setup in the admin console? You probably want to use the command line utilities - db2bak, db2ldif - use db2bak for short term, db2ldif for long term > > Thanks in advance. > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL:
From vipulramani at gmail.com Tue May 13 18:12:33 2008 From: vipulramani at gmail.com (Vipul Ramani) Date: Tue, 13 May 2008 11:12:33 -0700 Subject: [Fedora-directory-users] Netgroup FDS with solaris 10 x86 Message-ID:
hi all, I'm new to netgroups and I am trying to configure netgroup on FDS and Sun Solaris 10 as a client. I have host: test1 & 2nd host test2. I have FDS user: vipul2. I have domain: example.com. I have netgroup called: testgroup
---------etc./passwd and shadow file ----------
+@testgroup:x:::::
-:x:::::
--------------------------------------------------------------
Now -----netgroup in FDS -------------
dn: cn=testgroup, ou=netgroup, dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (test1,vipul2,example.com)
cn: testgroup
-----------------------------------------------------------------
Now Case 1: if I set this value for nisNetgroupTriple: (test1,vipul2,example) I can log in to test1 and test2 both... I want user vipul2 to be able to log in to test1 only, not test2... server. Can anybody tell me, am I missing something...??? 1 more question.... Does netgroup require FQDNs and DNS entries for all subdomains & hosts??? -- Regards Vipul Ramani
-------------- next part -------------- An HTML attachment was scrubbed... URL:
From stpierre at NebrWesleyan.edu Wed May 14 02:04:08 2008 From: stpierre at NebrWesleyan.edu (Chris St. Pierre) Date: Tue, 13 May 2008 21:04:08 -0500 (CDT) Subject: [Fedora-directory-users] MMR: excessive clock skew In-Reply-To: <48299F87.5030100@redhat.com> References: <3525C9833C09ED418C6FD6CD9514668C03D67CDB@emailwf1.jnpr.net> <48299F87.5030100@redhat.com> Message-ID:
On Tue, 13 May 2008, Rich Megginson wrote: > Has anyone seen these errors with 1.1? We fixed a few 64-bit issues in 1.1.
I opened the original bug on this; we've been on 1.1 for a few months now and haven't seen any of the many replication issues that plagued us under 1.0.4. That's not to say they're necessarily solved, as we ran on 1.0.4 for a year and a half, but things definitely look better. I can certainly heartily recommend the upgrade to anyone experiencing replication issues on 1.0.4. Chris St. Pierre Unix Systems Administrator Nebraska Wesleyan University
From iferreir at personal.com.py Wed May 14 16:20:58 2008 From: iferreir at personal.com.py (Ivan Ferreira) Date: Wed, 14 May 2008 12:20:58 -0400 Subject: [Fedora-directory-users] Fedora-DS Nightly Backup In-Reply-To: <4829B3F0.8010509@redhat.com> Message-ID:
You can use something as simple as:
LOGFILE=/var/log/DSBackup.log
/opt/fedora-ds/slapd-infra1/db2ldif -n netscaperoot > $LOGFILE 2>&1
/opt/fedora-ds/slapd-infra1/db2ldif -n userRoot >> $LOGFILE 2>&1
/opt/fedora-ds/slapd-infra1/db2bak >> $LOGFILE 2>&1
To: "General discussion list for the Fedora Directory server project." From: Rich Megginson Sent by: fedora-directory-users-bounces at redhat.com cc: Subject: Re: [Fedora-directory-users] Fedora-DS Nightly Backup Date: 13/05/2008 11:29 a.m. Classification: Internal Use Please respond to "General discussion list for the Fedora Directory server project."
Lin Young wrote: > Hi. We are new to the Fedora-DS. I wonder how people setup their > nightly backup jobs on Fedora-DS. > Is there any backup script available? > Or is that something that we could setup in the admin console?
You probably want to use the command line utilities - db2bak, db2ldif - use db2bak for short term, db2ldif for long term
> > Thanks in advance.
> > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users
(See attached file: smime.p7s)-- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
========================================================================================
LEGAL NOTICE: This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded neither as a proposal, acceptance nor as a statement of will or official statement from NUCLEO S.A. . Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice.
-------------- next part -------------- A non-text attachment was scrubbed...
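Ivan's three-line script above runs the exports Rich recommends, but it keeps going after a failed step, overwrites nothing by date, leaves the LDIF (which contains userPassword hashes) world-readable if the umask allows, and never prunes old copies. The following is an added example written for this archive, not Ivan's script and not a Directory Server utility. It assumes the 1.0.x layout from his script, where /opt/fedora-ds/slapd-<id> holds db2ldif and db2bak, that db2ldif accepts `-a <file>` for the output path and db2bak takes the target directory as its argument, and the backend names netscaperoot and userRoot from his script; the paths in the `__main__` block are illustrative.

```python
"""Nightly export wrapper around db2ldif and db2bak.

Added example, not Ivan's script and not a Directory Server utility.
Assumptions (labelled): the 1.0.x layout from Ivan's script, where
/opt/fedora-ds/slapd-<id> holds db2ldif and db2bak; db2ldif accepts
'-a <file>' for the output path; db2bak takes the target directory as its
argument; the backends are netscaperoot and userRoot as in his script.
"""
import glob
import os
import subprocess
import sys
import time

DEFAULT_BACKENDS = ("netscaperoot", "userRoot")


def backup_commands(instdir, backupdir, stamp, backends=DEFAULT_BACKENDS):
    """Build the argv lists to run, in order: one LDIF export per backend
    (long-term, human-readable), then a db2bak of the whole database
    (short-term, fast to restore), both into date-stamped paths."""
    cmds = []
    for backend in backends:
        cmds.append([os.path.join(instdir, "db2ldif"), "-n", backend,
                     "-a", os.path.join(backupdir, "%s-%s.ldif" % (backend, stamp))])
    cmds.append([os.path.join(instdir, "db2bak"),
                 os.path.join(backupdir, "bak-%s" % stamp)])
    return cmds


def run_backup(instdir, backupdir, stamp, logfile):
    """Run each step, stop at the first non-zero exit and return False.

    Ivan's script keeps going after a failure and nothing checks the log;
    a cron job built on this function fails loudly instead.
    """
    os.makedirs(backupdir, mode=0o700, exist_ok=True)
    with open(logfile, "a") as log:
        for cmd in backup_commands(instdir, backupdir, stamp):
            log.write("%s running: %s\n" % (time.strftime("%Y-%m-%d %H:%M:%S"), " ".join(cmd)))
            log.flush()
            rc = subprocess.run(cmd, stdout=log, stderr=subprocess.STDOUT).returncode
            if rc != 0:
                log.write("FAILED (exit %d): %s\n" % (rc, cmd[0]))
                return False
    # The LDIF export carries userPassword hashes: make it owner-readable only.
    for path in glob.glob(os.path.join(backupdir, "*-%s.ldif" % stamp)):
        os.chmod(path, 0o600)
    return True


def stale_backups(entries, keep_days, now):
    """entries: iterable of (path, mtime_epoch). Return the paths older than
    keep_days, oldest first, so the caller can remove them after a
    successful run (never before: a failed export must not prune)."""
    cutoff = now - keep_days * 86400
    return [p for p, mtime in sorted(entries, key=lambda e: e[1]) if mtime < cutoff]


if __name__ == "__main__":
    # Paths are assumptions for illustration; adjust to the instance in use.
    INSTDIR, BACKUPDIR = "/opt/fedora-ds/slapd-infra1", "/var/backups/fedora-ds"
    stamp = time.strftime("%Y%m%d")
    ok = run_backup(INSTDIR, BACKUPDIR, stamp, "/var/log/DSBackup.log")
    if ok:
        found = [(p, os.path.getmtime(p)) for p in glob.glob(os.path.join(BACKUPDIR, "*.ldif"))]
        for old in stale_backups(found, keep_days=30, now=time.time()):
            os.remove(old)
    sys.exit(0 if ok else 1)
```

Run it from cron as the user that owns the instance; the non-zero exit on failure is what lets cron (or a monitoring job) notice a broken export, which the original one-liner cannot signal.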
Name: smime.p7s Type: application/octet-stream Size: 3245 bytes Desc: not available URL:
From lyoung at sunyrockland.edu Wed May 14 20:28:21 2008 From: lyoung at sunyrockland.edu (Lin Young) Date: Wed, 14 May 2008 16:28:21 -0400 Subject: [Fedora-directory-users] Fedora-DS Nightly Backup In-Reply-To: References: Message-ID: <482B4B65.4010509@sunyrockland.edu>
Thank you Rich and Ivan for your replies. I am running my nightly backup using the db2ldif command and it is working!!! Thanks again!
Ivan Ferreira wrote: > You can use something as simple as: > > LOGFILE=/var/log/DSBackup.log > /opt/fedora-ds/slapd-infra1/db2ldif -n netscaperoot > $LOGFILE 2>&1 > /opt/fedora-ds/slapd-infra1/db2ldif -n userRoot >> $LOGFILE 2>&1 > /opt/fedora-ds/slapd-infra1/db2bak >> $LOGFILE 2>&1 > > To: "General discussion list for the Fedora Directory server project." > From: Rich Megginson > Sent by: fedora-directory-users-bounces at redhat.com > cc: > Subject: Re: [Fedora-directory-users] Fedora-DS Nightly Backup > Date: 13/05/2008 11:29 a.m. > Classification: Internal Use > Please respond to "General discussion list for the Fedora Directory server project." > > Lin Young wrote: > >> Hi. We are new to the Fedora-DS. I wonder how people setup their >> nightly backup jobs on Fedora-DS. >> Is there any backup script available? >> Or is that something that we could setup in the admin console? >> > You probably want to use the command line utilities - db2bak, db2ldif - > use db2bak for short term, db2ldif for long term > >> Thanks in advance.
>> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > (See attached file: smime.p7s)-- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > >
> ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >
From solarflow99 at gmail.com Thu May 15 16:09:40 2008 From: solarflow99 at gmail.com (solarflow99) Date: Thu, 15 May 2008 17:09:40 +0100 Subject: [Fedora-directory-users] questions Message-ID: <7020fd000805150909o5ac3ab2dre4a0c8eaae247176@mail.gmail.com>
I have a couple of questions about FDS:
- Is it possible to set a root user (UID=0)? I noticed it doesn't seem to let me log in that way.
- If the clients are authenticating to hostname, how does failover work if that host went offline? Having a secondary LDAP instance wouldn't really help would it?
Thanks,
-------------- next part -------------- An HTML attachment was scrubbed... URL:
From mprice at tqhosting.com Thu May 15 17:48:06 2008 From: mprice at tqhosting.com (Mark Price) Date: Thu, 15 May 2008 13:48:06 -0400 Subject: [Fedora-directory-users] mod_nss and FIPS mode Message-ID: <61b6fbec0805151048y3ace5b0p369742c7cc35f480@mail.gmail.com>
Hello, I am having trouble getting mod_nss to work in FIPS mode. Summary of the problem: mod_nss works fine before FIPS mode is enabled, then cannot find the certificate after enabling it. Here is my setup:
CentOS 5 64-bit
Apache 2.2.3 from distro RPM, pre-fork MPM
NSS libraries, tools, etc from distro RPMs (3.11.7-1.3)
I have tried both mod_nss from distro rpm (1.0.3-4) and 1.0.7 compiled from source
Here is the configuration for mod_nss I am using in Apache.
It is basically the defaults Listen 443 AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl NSSPassPhraseDialog builtin NSSPassPhraseHelper /usr/sbin/nss_pcache NSSSessionCacheSize 10000 NSSSessionCacheTimeout 100 NSSSession3CacheTimeout 86400 NSSRandomSeed startup builtin LogLevel warn NSSEngine on NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha NSSProtocol SSLv3,TLSv1 NSSNickname Server-Cert NSSCertificateDatabase /etc/httpd/alias NSSOptions +StdEnvVars NSSOptions +StdEnvVars This is using the /etc/httpd/alias cert database, that the mod_nss RPM created with a default certificate named Server-Cert. Using that default configuration, the Apache server starts fine and loads mod_nss. However, when I enable FIPS mode in mod_nss (By adding "NSSFIPS on" to Apache config), I can't get it to find the same server certificate [Thu May 15 13:41:21 2008] [info] Init: Initializing NSS library [Thu May 15 13:41:21 2008] [info] Initializing SSL Session Cache of size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400. [Thu May 15 13:41:21 2008] [error] The server key database has not been initialized. [Thu May 15 13:41:21 2008] [info] Init: Initializing (virtual) servers for SSL [Thu May 15 13:41:21 2008] [error] Certificate not found: 'Server-Cert' I also tried using modutil to enable FIPS mode on the cert database, but that did not help: # modutil -fips true -dbdir /etc/httpd/alias Using database directory /etc/httpd/alias... FIPS mode enabled. # modutil -chkfips true -dbdir /etc/httpd/alias Using database directory /etc/httpd/alias... FIPS mode enabled. Could someone please clue me in here. Is there some more extensive process I need to go through in converting the certificate database to FIPS mode? 
I have searched for more relevant info with certutil and modutil but haven't been able to find anything. Thanks, Mark From rcritten at redhat.com Thu May 15 18:49:31 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 15 May 2008 14:49:31 -0400 Subject: [Fedora-directory-users] mod_nss and FIPS mode In-Reply-To: <61b6fbec0805151048y3ace5b0p369742c7cc35f480@mail.gmail.com> References: <61b6fbec0805151048y3ace5b0p369742c7cc35f480@mail.gmail.com> Message-ID: <482C85BB.40307@redhat.com> Mark Price wrote: > Hello, > > I am having trouble getting mod_nss to work in FIPS mode. Summary of > the problem: mod_nss works fine before FIPS mode is enabled, then > cannot find the certificate after enabling it. Your configuration looks ok. > > This is using the /etc/httpd/alias cert database, that the mod_nss RPM > created with a default certificate named Server-Cert. > > Using that default configuration, the Apache server starts fine and > loads mod_nss. > > However, when I enable FIPS mode in mod_nss (By adding "NSSFIPS on" to > Apache config), I can't get it to find the same server certificate > > > [Thu May 15 13:41:21 2008] [info] Init: Initializing NSS library > [Thu May 15 13:41:21 2008] [info] Initializing SSL Session Cache of > size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400. > [Thu May 15 13:41:21 2008] [error] The server key database has not > been initialized. > [Thu May 15 13:41:21 2008] [info] Init: Initializing (virtual) servers for SSL > [Thu May 15 13:41:21 2008] [error] Certificate not found: 'Server-Cert' I think part of the problem is "The server key database has not been initialized." I'm not sure what would cause this. > I also tried using modutil to enable FIPS mode on the cert database, > but that did not help: > > # modutil -fips true -dbdir /etc/httpd/alias > > Using database directory /etc/httpd/alias... > FIPS mode enabled. > > > # modutil -chkfips true -dbdir /etc/httpd/alias > Using database directory /etc/httpd/alias... 
> FIPS mode enabled. You need to let mod_nss set FIPS mode for it to work properly. > Could someone please clue me in here. Is there some more extensive > process I need to go through in converting the certificate database to > FIPS mode? I have searched for more relevant info with certutil and > modutil but haven't been able to find anything. It should be as simple as setting NSSFIPS on. I'm not sure what the problem is. Let me try to duplicate this locally and see what I can find out. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From stpierre at NebrWesleyan.edu Thu May 15 19:23:27 2008 From: stpierre at NebrWesleyan.edu (Chris St. Pierre) Date: Thu, 15 May 2008 14:23:27 -0500 (CDT) Subject: [Fedora-directory-users] questions In-Reply-To: <7020fd000805150909o5ac3ab2dre4a0c8eaae247176@mail.gmail.com> References: <7020fd000805150909o5ac3ab2dre4a0c8eaae247176@mail.gmail.com> Message-ID: On Thu, 15 May 2008, solarflow99 wrote: > - Is it possible to set a root user (UID=0) I noticed it doesn't seem to let > me log in that way. Yes, you can add an entry to the directory with uidNumber=0. Whether or not that's a good idea is a different story; personally, I wouldn't want to have root's credentials centrally in LDAP, for a number of reasons. > - If the clients are authenticating to hostname, how does failover work if > that host went offline? Having a secondary LDAP instance wouldnt really > help would it? There are a few ways you can do this: 1. Linux Virtual Server or another load balancer. 2. Poor Man's Load Balancing, a.k.a. DNS "load balancing," and twiddle your CNAMEs when an LDAP server goes down. It's hackish, but it works just dandy. Chris St. 
Pierre Unix Systems Administrator Nebraska Wesleyan University

From kangks_99 at yahoo.com Fri May 16 04:54:41 2008 From: kangks_99 at yahoo.com (Khoon Seang Kang) Date: Thu, 15 May 2008 21:54:41 -0700 (PDT) Subject: [Fedora-directory-users] aci to disable children when parent entry is disabled Message-ID: <949018.57594.qm@web30401.mail.mud.yahoo.com> Hi all, I would like to create an ACI that will deny all access to the children when an attribute of the parent entry is AccountStatus=False. In other words, how can I build an LDAP search that matches on a parent attribute? Thank you in advance. Best regards.

From j.barber at dundee.ac.uk Fri May 16 07:00:20 2008 From: j.barber at dundee.ac.uk (Jonathan Barber) Date: Fri, 16 May 2008 08:00:20 +0100 Subject: [Fedora-directory-users] questions In-Reply-To: References: <7020fd000805150909o5ac3ab2dre4a0c8eaae247176@mail.gmail.com> Message-ID: <20080516070020.GF25058@flea.lifesci.dundee.ac.uk> On Thu, May 15, 2008 at 02:23:27PM -0500, Chris St. Pierre wrote: > On Thu, 15 May 2008, solarflow99 wrote: > > >- Is it possible to set a root user (UID=0) I noticed it doesn't seem to > >let > >me log in that way. > > Yes, you can add an entry to the directory with uidNumber=0. Whether > or not that's a good idea is a different story; personally, I wouldn't > want to have root's credentials centrally in LDAP, for a number of > reasons. > > >- If the clients are authenticating to hostname, how does failover work if > >that host went offline? Having a secondary LDAP instance wouldn't really > >help would it? > > There are a few ways you can do this: > > 1. Linux Virtual Server or another load balancer. > > 2. Poor Man's Load Balancing, a.k.a. DNS "load balancing," and > twiddle your CNAMEs when an LDAP server goes down. It's hackish, but > it works just dandy. 3. Some clients (nss_ldap/openldap) allow you to specify a list of hosts or LDAP URIs to contact in order, so if one is unavailable the next is queried. > Chris St.
Pierre > Unix Systems Administrator > Nebraska Wesleyan University > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -- Jonathan Barber High Performance Computing Analyst Tel. +44 (0) 1382 386389 From girishkumar at mtnl.net.in Fri May 16 07:06:51 2008 From: girishkumar at mtnl.net.in (girishkumar at mtnl.net.in) Date: Fri, 16 May 2008 12:06:51 +0500 Subject: [Fedora-directory-users] Not able connect Message-ID: <7ef66615.66157ef6@mtnl.net.in> Hello , Im getting error "host [abcd] did not match pattern [*.abc] -will scan aliases.Please help Girish Kumar .G JTO - Internet From rcritten at redhat.com Fri May 16 14:06:41 2008 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 16 May 2008 10:06:41 -0400 Subject: [Fedora-directory-users] mod_nss and FIPS mode In-Reply-To: <482C85BB.40307@redhat.com> References: <61b6fbec0805151048y3ace5b0p369742c7cc35f480@mail.gmail.com> <482C85BB.40307@redhat.com> Message-ID: <482D94F1.9070701@redhat.com> Rob Crittenden wrote: > Mark Price wrote: >> Hello, >> >> I am having trouble getting mod_nss to work in FIPS mode. Summary of >> the problem: mod_nss works fine before FIPS mode is enabled, then >> cannot find the certificate after enabling it. > > Your configuration looks ok. > >> >> This is using the /etc/httpd/alias cert database, that the mod_nss RPM >> created with a default certificate named Server-Cert. >> >> Using that default configuration, the Apache server starts fine and >> loads mod_nss. >> >> However, when I enable FIPS mode in mod_nss (By adding "NSSFIPS on" to >> Apache config), I can't get it to find the same server certificate >> >> >> [Thu May 15 13:41:21 2008] [info] Init: Initializing NSS library >> [Thu May 15 13:41:21 2008] [info] Initializing SSL Session Cache of >> size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400. 
>> [Thu May 15 13:41:21 2008] [error] The server key database has not >> been initialized. >> [Thu May 15 13:41:21 2008] [info] Init: Initializing (virtual) servers >> for SSL >> [Thu May 15 13:41:21 2008] [error] Certificate not found: 'Server-Cert' > > I think part of the problem is "The server key database has not been > initialized." I'm not sure what would cause this. > >> I also tried using modutil to enable FIPS mode on the cert database, >> but that did not help: >> >> # modutil -fips true -dbdir /etc/httpd/alias >> >> Using database directory /etc/httpd/alias... >> FIPS mode enabled. >> >> >> # modutil -chkfips true -dbdir /etc/httpd/alias >> Using database directory /etc/httpd/alias... >> FIPS mode enabled. > > You need to let mod_nss set FIPS mode for it to work properly. > >> Could someone please clue me in here. Is there some more extensive >> process I need to go through in converting the certificate database to >> FIPS mode? I have searched for more relevant info with certutil and >> modutil but haven't been able to find anything. > > It should be as simple as setting NSSFIPS on. > > I'm not sure what the problem is. Let me try to duplicate this locally > and see what I can find out. Mark and I did a fair bit of follow-up off-list and I created bug https://bugzilla.redhat.com/show_bug.cgi?id=446851 as a result. This appears to be a bug in NSS 3.11 (I'm not sure if it affects 3.11.99/3.12 yet). In the bug I filed is a patch to mod_nss that will work around the problem. rob -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From sanga.c at it-mgt.com Fri May 16 14:36:59 2008 From: sanga.c at it-mgt.com (Sanga M. 
Collins) Date: Fri, 16 May 2008 10:36:59 -0400 Subject: [Fedora-directory-users] cant lookup unix group Message-ID: <5542485358217A4EB9893C4F12C42BF9D6709C@itm-bb01.exch.it-mgt.net> I have successfully installed Fedora DS 1.0.4 on an Ubuntu 804 server. I am trying to setup samba integration and keep running into the same problem over and over at this step # net groupmap add rid=2512 ntgroup='Domain Admins' unixgroup='Domain Admins' I have searched the net, and this message list for a week trying to find an answer and haven't been successful. I made sure PAM was working and communicating with the LDAP server, as well as created the required groups in FDS (not in /etc/groups). What else do I need to do?? Our company would like to eliminate AD and go with something different. I am hoping the FDS will fulfill our needs. Below is the debug from the command. sanga at ubuntu-fds:~$ sudo net -debuglevel=10 groupmap add rid=2512 ntgroup='Domain Admins' unixgroup='Domain Admins' [sudo] password for sanga: [2008/05/16 10:36:14, 5] lib/debug.c:debug_dump_status(391) INFO: Current debug levels: all: True/10 tdb: False/0 printdrivers: False/0 lanman: False/0 smb: False/0 rpc_parse: False/0 rpc_srv: False/0 rpc_cli: False/0 passdb: False/0 sam: False/0 auth: False/0 winbind: False/0 vfs: False/0 idmap: False/0 quota: False/0 acls: False/0 locking: False/0 msdfs: False/0 dmapi: False/0 [2008/05/16 10:36:14, 3] param/loadparm.c:lp_load(5063) lp_load: refreshing parameters [2008/05/16 10:36:14, 3] param/loadparm.c:init_globals(1448) Initialising global parameters [2008/05/16 10:36:14, 3] param/params.c:pm_process(572) params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf" [2008/05/16 10:36:14, 3] param/loadparm.c:do_section(3802) Processing section "[global]" doing parameter workgroup = facility doing parameter security = user doing parameter passdb backend = ldapsam:ldap://ubuntu-fds.it-mgt.com doing parameter ldap admin dn = cn=Directory Manager doing 
parameter ldap suffix = dc=it-mgt,dc=com doing parameter ldap user suffix = ou=People doing parameter ldap machine suffix = ou=Computers doing parameter ldap group suffix = ou=Groups doing parameter log file = /var/log/%m.log doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 doing parameter os level = 33 doing parameter domain logons = yes doing parameter domain master = yes doing parameter local master = yes doing parameter preferred master = yes doing parameter wins support = yes doing parameter logon home = \\%L\%u\profiles doing parameter logon path = \\%L\profiles\%u doing parameter logon drive = H: doing parameter template shell = /bin/false doing parameter winbind use default domain = no [2008/05/16 10:36:14, 4] param/loadparm.c:lp_load(5094) pm_process() returned Yes [2008/05/16 10:36:14, 7] param/loadparm.c:lp_servicenumber(5232) lp_servicenumber: couldn't find homes [2008/05/16 10:36:14, 10] param/loadparm.c:set_server_role(4338) set_server_role: role = ROLE_DOMAIN_PDC [2008/05/16 10:36:14, 5] lib/iconv.c:smb_register_charset(105) Attempting to register new charset UCS-2LE [2008/05/16 10:36:14, 5] lib/iconv.c:smb_register_charset(113) Registered charset UCS-2LE [2008/05/16 10:36:14, 5] lib/iconv.c:smb_register_charset(105) Attempting to register new charset UTF-16LE [2008/05/16 10:36:14, 5] lib/iconv.c:smb_register_charset(113) Registered charset UTF-16LE [2008/05/16 10:36:14, 5] lib/iconv.c:smb_register_charset(105) Attempting to register new charset UCS-2BE [2008/05/16 10:36:14, 5] lib/iconv.c:smb_register_charset(113) Registered charset UCS-2BE [2008/05/16 10:36:14, 5] lib/iconv.c:smb_register_charset(105) Attempting to register new charset UTF-16BE [2008/05/16 10:36:14, 5] lib/iconv.c:smb_register_charset(113) Registered charset UTF-16BE [2008/05/16 10:36:14, 5] lib/iconv.c:smb_register_charset(105) Attempting to register new charset UTF8 [2008/05/16 10:36:14, 5] lib/iconv.c:smb_register_charset(113) Registered charset UTF8 
[2008/05/16 10:36:14, 5] lib/iconv.c:smb_register_charset(105) Attempting to register new charset UTF-8 [2008/05/16 10:36:14, 5] lib/iconv.c:smb_register_charset(113) Registered charset UTF-8 [2008/05/16 10:36:14, 5] lib/iconv.c:smb_register_charset(105) Attempting to register new charset ASCII [2008/05/16 10:36:14, 5] lib/iconv.c:smb_register_charset(113) Registered charset ASCII [2008/05/16 10:36:14, 5] lib/iconv.c:smb_register_charset(105) Attempting to register new charset 646 [2008/05/16 10:36:14, 5] lib/iconv.c:smb_register_charset(113) Registered charset 646 [2008/05/16 10:36:14, 5] lib/iconv.c:smb_register_charset(105) Attempting to register new charset ISO-8859-1 [2008/05/16 10:36:14, 5] lib/iconv.c:smb_register_charset(113) Registered charset ISO-8859-1 [2008/05/16 10:36:14, 5] lib/iconv.c:smb_register_charset(105) Attempting to register new charset UCS2-HEX [2008/05/16 10:36:14, 5] lib/iconv.c:smb_register_charset(113) Registered charset UCS2-HEX [2008/05/16 10:36:14, 5] lib/charcnv.c:charset_name(82) Substituting charset 'UTF-8' for LOCALE [2008/05/16 10:36:14, 5] lib/charcnv.c:charset_name(82) Substituting charset 'UTF-8' for LOCALE [2008/05/16 10:36:14, 5] lib/charcnv.c:charset_name(82) Substituting charset 'UTF-8' for LOCALE [2008/05/16 10:36:14, 5] lib/charcnv.c:charset_name(82) Substituting charset 'UTF-8' for LOCALE [2008/05/16 10:36:14, 5] lib/charcnv.c:charset_name(82) Substituting charset 'UTF-8' for LOCALE [2008/05/16 10:36:14, 5] lib/charcnv.c:charset_name(82) Substituting charset 'UTF-8' for LOCALE [2008/05/16 10:36:14, 5] lib/charcnv.c:charset_name(82) Substituting charset 'UTF-8' for LOCALE [2008/05/16 10:36:14, 5] lib/charcnv.c:charset_name(82) Substituting charset 'UTF-8' for LOCALE [2008/05/16 10:36:14, 5] lib/charcnv.c:charset_name(82) Substituting charset 'UTF-8' for LOCALE [2008/05/16 10:36:14, 5] lib/charcnv.c:charset_name(82) Substituting charset 'UTF-8' for LOCALE [2008/05/16 10:36:14, 5] lib/charcnv.c:charset_name(82) 
Substituting charset 'UTF-8' for LOCALE [2008/05/16 10:36:14, 5] lib/charcnv.c:charset_name(82) Substituting charset 'UTF-8' for LOCALE [2008/05/16 10:36:14, 5] lib/charcnv.c:charset_name(82) Substituting charset 'UTF-8' for LOCALE [2008/05/16 10:36:14, 5] lib/charcnv.c:charset_name(82) Substituting charset 'UTF-8' for LOCALE [2008/05/16 10:36:14, 5] lib/charcnv.c:charset_name(82) Substituting charset 'UTF-8' for LOCALE [2008/05/16 10:36:14, 5] lib/charcnv.c:charset_name(82) Substituting charset 'UTF-8' for LOCALE [2008/05/16 10:36:14, 5] lib/charcnv.c:charset_name(82) Substituting charset 'UTF-8' for LOCALE [2008/05/16 10:36:14, 5] lib/charcnv.c:charset_name(82) Substituting charset 'UTF-8' for LOCALE [2008/05/16 10:36:14, 5] lib/charcnv.c:charset_name(82) Substituting charset 'UTF-8' for LOCALE [2008/05/16 10:36:14, 5] lib/charcnv.c:charset_name(82) Substituting charset 'UTF-8' for LOCALE [2008/05/16 10:36:14, 5] lib/charcnv.c:charset_name(82) Substituting charset 'UTF-8' for LOCALE [2008/05/16 10:36:14, 5] lib/charcnv.c:charset_name(82) Substituting charset 'UTF-8' for LOCALE [2008/05/16 10:36:14, 5] lib/charcnv.c:charset_name(82) Substituting charset 'UTF-8' for LOCALE [2008/05/16 10:36:14, 5] lib/charcnv.c:charset_name(82) Substituting charset 'UTF-8' for LOCALE [2008/05/16 10:36:14, 5] lib/util.c:init_names(287) Netbios name list:- my_netbios_names[0]="UBUNTU-FDS" [2008/05/16 10:36:14, 2] lib/interface.c:add_interface(81) added interface ip=10.160.4.145 bcast=10.160.4.255 nmask=255.255.255.0 [2008/05/16 10:36:14, 10] intl/lang_tdb.c:lang_tdb_init(138) lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or directory Can't lookup UNIX group Domain Admins [2008/05/16 10:36:14, 2] utils/net.c:main(1046) return code = -1 sanga at ubuntu-fds:~$ Sanga M. 
Collins Network Engineering ~~~~~~~~~~~~~~~~~~~~~~~ IT Management LLC 6491 Sunset Strip #5, Sunrise Fl, 33313 Tel: (954) 572 7411, Fax: (435) 578 7411 -------------- next part -------------- An HTML attachment was scrubbed... URL: From phanoko at gmail.com Fri May 16 15:11:59 2008 From: phanoko at gmail.com (matt wells) Date: Fri, 16 May 2008 08:11:59 -0700 Subject: [Fedora-directory-users] Inherit information? Message-ID: How can I have my user accounts inherit information from the OU? Like Fax Number? -------------- next part -------------- An HTML attachment was scrubbed... URL: From j.barber at dundee.ac.uk Fri May 16 15:46:27 2008 From: j.barber at dundee.ac.uk (Jonathan Barber) Date: Fri, 16 May 2008 16:46:27 +0100 Subject: [Fedora-directory-users] cant lookup unix group In-Reply-To: <5542485358217A4EB9893C4F12C42BF9D6709C@itm-bb01.exch.it-mgt.net> References: <5542485358217A4EB9893C4F12C42BF9D6709C@itm-bb01.exch.it-mgt.net> Message-ID: <20080516154626.GI25058@flea.lifesci.dundee.ac.uk> On Fri, May 16, 2008 at 10:36:59AM -0400, Sanga M. Collins wrote: > I have successfully installed Fedora DS 1.0.4 on an Ubuntu 804 server. I > am trying to setup samba integration and keep running into the same > problem over and over at this step > > > > # net groupmap add rid=2512 ntgroup='Domain Admins' unixgroup='Domain > Admins' > > > > I have searched the net, and this message list for a week trying to find > an answer and haven't been successful. I made sure PAM was working and > communicating with the LDAP server, as well as created the required > groups in FDS (not in /etc/groups). What else do I need to do?? Our > company would like to eliminate AD and go with something different. I am > hoping the FDS will fulfill our needs. Below is the debug from the > command. 
> > > > sanga at ubuntu-fds:~$ sudo net -debuglevel=10 groupmap add rid=2512 > ntgroup='Domain Admins' unixgroup='Domain Admins' [snip debug] > Can't lookup UNIX group Domain Admins > > [2008/05/16 10:36:14, 2] utils/net.c:main(1046) > > return code = -1 > > sanga at ubuntu-fds:~$ Are you sure you've added a unix group called "Domain Admins"? What does the following command return? getent group "Domain Admins" -- Jonathan Barber High Performance Computing Analyst Tel. +44 (0) 1382 386389 From rmeggins at redhat.com Fri May 16 15:48:38 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 16 May 2008 09:48:38 -0600 Subject: [Fedora-directory-users] Inherit information? In-Reply-To: References: Message-ID: <482DACD6.40801@redhat.com> matt wells wrote: > How can I have my user accounts inherit information from the OU? > Like Fax Number? Take a look at Class of Service - http://directory.fedoraproject.org/wiki/Howto:ClassOfService > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From phanoko at gmail.com Fri May 16 15:58:03 2008 From: phanoko at gmail.com (matt wells) Date: Fri, 16 May 2008 08:58:03 -0700 Subject: [Fedora-directory-users] Inherit information? In-Reply-To: <482DACD6.40801@redhat.com> References: <482DACD6.40801@redhat.com> Message-ID: Very cool. Thanks On Fri, May 16, 2008 at 8:48 AM, Rich Megginson wrote: > matt wells wrote: > >> How can I have my user accounts inherit information from the OU? >> Like Fax Number? 
>> > Take a look at Class of Service - > http://directory.fedoraproject.org/wiki/Howto:ClassOfService > >> ------------------------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > >

From abliss at brockport.edu Fri May 16 16:03:03 2008 From: abliss at brockport.edu (Aaron Bliss) Date: Fri, 16 May 2008 12:03:03 -0400 Subject: [Fedora-directory-users] question on ldapsearching Message-ID: <482DB037.3000606@brockport.edu> Hi everyone, I'm looking to do an ldapsearch and to display only a subset of the objectclasses and attributes that a list of users has. For example, I'm only interested in seeing the top, person and organizationalPerson objectclasses and their cn, dn and sn attributes. Any ideas? Thanks. Aaron

From rmeggins at redhat.com Fri May 16 16:06:38 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 16 May 2008 10:06:38 -0600 Subject: [Fedora-directory-users] question on ldapsearching In-Reply-To: <482DB037.3000606@brockport.edu> References: <482DB037.3000606@brockport.edu> Message-ID: <482DB10E.1050803@redhat.com> Aaron Bliss wrote: > Hi everyone, > I'm looking to do an ldapsearch and to display only a subset of the > objectclasses and attributes that a list of users has. For example, > I'm only interested in seeing the top, person and organizationalPerson > objectclasses and their cn, dn and sn attributes. Any ideas? Thanks. for the cn dn and sn, that's easy; ldapsearch .... "(uid=someperson)" cn dn sn For specific objectclass values, I don't think that's possible.
> > Aaron > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From sanga.c at it-mgt.com Fri May 16 17:06:33 2008 From: sanga.c at it-mgt.com (Sanga M. Collins) Date: Fri, 16 May 2008 13:06:33 -0400 Subject: [Fedora-directory-users] cant lookup unix group References: <5542485358217A4EB9893C4F12C42BF9D6709C@itm-bb01.exch.it-mgt.net> <20080516154626.GI25058@flea.lifesci.dundee.ac.uk> Message-ID: <5542485358217A4EB9893C4F12C42BF9D670B9@itm-bb01.exch.it-mgt.net> I had manually added the groups into the directory server, but now realized I need to import the LDIF to create them properly with the posix attributes. I had been running the getent group without specifying what to look for and that probably threw me off. Thanks for the quick reply! Sanga M. Collins Network Engineering ~~~~~~~~~~~~~~~~~~~~~~~ IT Management LLC 6491 Sunset Strip #5, Sunrise Fl, 33313 Tel: (954) 572 7411, Fax: (435) 578 7411 -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Jonathan Barber Sent: Friday, May 16, 2008 11:46 AM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] cant lookup unix group On Fri, May 16, 2008 at 10:36:59AM -0400, Sanga M. Collins wrote: > I have successfully installed Fedora DS 1.0.4 on an Ubuntu 804 server. I > am trying to setup samba integration and keep running into the same > problem over and over at this step > > > > # net groupmap add rid=2512 ntgroup='Domain Admins' unixgroup='Domain > Admins' > > > > I have searched the net, and this message list for a week trying to find > an answer and haven't been successful. 
I made sure PAM was working and > communicating with the LDAP server, as well as created the required > groups in FDS (not in /etc/groups). What else do I need to do?? Our > company would like to eliminate AD and go with something different. I am > hoping the FDS will fulfill our needs. Below is the debug from the > command. > > > > sanga at ubuntu-fds:~$ sudo net -debuglevel=10 groupmap add rid=2512 > ntgroup='Domain Admins' unixgroup='Domain Admins' [snip debug] > Can't lookup UNIX group Domain Admins > > [2008/05/16 10:36:14, 2] utils/net.c:main(1046) > > return code = -1 > > sanga at ubuntu-fds:~$ Are you sure you've added a unix group called "Domain Admins"? What does the following command return? getent group "Domain Admins" -- Jonathan Barber High Performance Computing Analyst Tel. +44 (0) 1382 386389 -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users From hyc at symas.com Sat May 17 16:11:45 2008 From: hyc at symas.com (Howard Chu) Date: Sat, 17 May 2008 09:11:45 -0700 Subject: [Fedora-directory-users] question on ldapsearching In-Reply-To: <20080517160007.80B82619E8C@hormel.redhat.com> References: <20080517160007.80B82619E8C@hormel.redhat.com> Message-ID: <482F03C1.3050603@symas.com> > Date: Fri, 16 May 2008 10:06:38 -0600 > From: Rich Megginson > Aaron Bliss wrote: >> Hi everyone, >> I'm looking to do an ldapsearch and to display only a subset of the >> objectclasses and attributes that a list of user has. For example, >> I'm only interested in seeing the top, person and organizatoinPerson >> objectclasses and their cn, dn and sn attributes. Any ideas? Thanks. > for the cn dn and sn, that's easy; > ldapsearch .... "(uid=someperson)" cn dn sn > > For specific objectclass values, I don't think that's possible. >> Aaron Well, there's RFC3876 for specifying a values return filter, to get only the desired values. OpenLDAP supports this, anyway. 
-- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

From brian.passante at groupekpf.fr Sun May 18 16:11:35 2008 From: brian.passante at groupekpf.fr (Brian PASSANTE) Date: Sun, 18 May 2008 18:11:35 +0200 (CEST) Subject: [Fedora-directory-users] Ldapsearch on dynamic group Message-ID: <17446736.88671211127095631.JavaMail.root@kpfnux6.actinux.com> Hi All, I use dynamic groups to organize my users, but I don't know how to make an ldapsearch request which answers with all the members of a dynamic group. Is it possible to do that? Does it completely depend on the client side? My goal is to set a Role for all the members of a dynamic group, to be able to ldapsearch with the nsrole attribute. Has anybody already tried this? I have not found any information about that. Thanks for all. Regards, Brian

From mrroussi at gmail.com Mon May 19 15:20:50 2008 From: mrroussi at gmail.com (Nicolas Roussi) Date: Mon, 19 May 2008 11:20:50 -0400 Subject: [Fedora-directory-users] Uninstall FDS In-Reply-To: <20080518160007.0802061A46B@hormel.redhat.com> References: <20080518160007.0802061A46B@hormel.redhat.com> Message-ID: Hi, I installed Fedora Directory on Fedora 9 but I need to completely uninstall it and install it again. I tried searching online as to how to remove it and the only thing I found was: yum erase fedora-ds. That does not uninstall it, it just removes the package. Does anyone know how to uninstall it?
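Two earlier threads on this page share the LDIF format: Sanga's "cant lookup unix group" (a group entry created by hand without the POSIX attributes is invisible to getent) and Aaron's "question on ldapsearching" (the server returns the objectClass attribute whole, so the subset has to be cut on the client). The following is one added example covering both; it is not code from the Fedora Directory Server project or from any poster. It assumes the dc=it-mgt,dc=com suffix and the ou=Groups container from the smb.conf quoted earlier; the gidNumber 512, the memberUid and the ldapsearch transcript inside it are constructed sample data.

```python
"""Added example, not Fedora Directory Server code nor any poster's.
posix_group_ldif() writes the group entry nss_ldap/getent can resolve;
parse_ldif() and filter_entry() trim ldapsearch output client-side to
chosen attributes and objectClass values. Assumed: the dc=it-mgt,dc=com
suffix and ou=Groups from the quoted smb.conf; gidNumber 512, the
memberUid and the transcript at the bottom are constructed."""
import base64


def needs_base64(value):
    """RFC 2849: encode a value that begins with SPACE, ':' or '<', contains
    NUL, CR, LF or non-ASCII, or (SHOULD) ends with SPACE; the last rule is
    why ldapsearch prints 'attr:: ...' for plain text with a trailing space."""
    if not value:
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ord(ch) > 127 or ch in "\0\r\n" for ch in value)


def ldif_attr(name, value):
    """One 'name: value' or 'name:: base64' LDIF line."""
    if needs_base64(value):
        return name + ":: " + base64.b64encode(value.encode("utf-8")).decode("ascii")
    return name + ": " + value


def entry_ldif(dn, attrs):
    """Render one record from {attribute: [values]}, as ldapsearch prints it."""
    lines = [ldif_attr("dn", dn)]
    for name, values in attrs.items():
        lines += [ldif_attr(name, v) for v in values]
    return "\n".join(lines) + "\n"


def posix_group_ldif(cn, gid, members, base="ou=Groups,dc=it-mgt,dc=com"):
    """nss_ldap only resolves groups that carry objectClass posixGroup and a
    gidNumber; a bare groupOfNames entry never shows up in 'getent group'."""
    return entry_ldif("cn=%s,%s" % (cn, base), {
        "objectClass": ["top", "posixGroup"], "cn": [cn],
        "gidNumber": [str(gid)], "memberUid": list(members)})


def parse_ldif(text):
    """Parse LDIF into [(dn, {attribute: [values]})]: unfold continuation lines,
    decode '::' values, skip comments, '<' URL values and dn-less records
    (ldapsearch's 'search:'/'result:' trailer)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, record = [], []
    for line in unfolded + [""]:      # a blank line (or the sentinel) ends a record
        if line.strip():
            record.append(line)
            continue
        dn, attrs = None, {}
        for item in record:
            name, sep, rest = item.partition(":")
            if item.startswith("#") or not sep or rest.startswith("<"):
                continue
            if rest.startswith(":"):
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest[1:] if rest.startswith(" ") else rest
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
        record = []
    return entries


def filter_entry(attrs, wanted_attrs, wanted_classes):
    """Keep only wanted attributes and, within objectClass, only wanted values;
    names and objectClass values compare case-insensitively, as in LDAP."""
    want_a = {a.lower() for a in wanted_attrs}
    want_c = {c.lower() for c in wanted_classes}
    out = {}
    for name, values in attrs.items():
        if name.lower() == "objectclass":
            kept = [v for v in values if v.lower() in want_c]
            if kept:
                out[name] = kept
        elif name.lower() in want_a:
            out[name] = list(values)
    return out


# Constructed ldapsearch transcript, not real directory data.
SAMPLE_SEARCH = """\
# filter: (uid=sanga)
dn: uid=sanga,ou=People,dc=it-mgt,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: sanga
cn: Sanga M. Collins
sn: Collins
description:: dHJhaWxpbmcgc3BhY2Ug

search: 2
result: 0 Success
"""
```

posix_group_ldif("Domain Admins", 512, ["sanga"]) produces an entry that can be added with ldapmodify -a as Directory Manager; after that, `getent group "Domain Admins"` should answer, provided nss_ldap's group search base covers ou=Groups. filter_entry() is the client-side stand-in for the RFC 3876 values-return filter Howard mentions: it cuts the objectClass list after the server has already returned it whole, so it saves display clutter, not bandwidth.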
Thanks On May 18, 2008, at 12:00 PM, fedora-directory-users- request at redhat.com wrote: > Send Fedora-directory-users mailing list submissions to > fedora-directory-users at redhat.com > > To subscribe or unsubscribe via the World Wide Web, visit > https://www.redhat.com/mailman/listinfo/fedora-directory-users > or, via email, send a message with subject or body 'help' to > fedora-directory-users-request at redhat.com > > You can reach the person managing the list at > fedora-directory-users-owner at redhat.com > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Fedora-directory-users digest..." > > > Today's Topics: > > 1. Re: question on ldapsearching (Howard Chu) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Sat, 17 May 2008 09:11:45 -0700 > From: Howard Chu > Subject: Re: [Fedora-directory-users] question on ldapsearching > To: fedora-directory-users at redhat.com > Message-ID: <482F03C1.3050603 at symas.com> > Content-Type: text/plain; charset=us-ascii; format=flowed > >> Date: Fri, 16 May 2008 10:06:38 -0600 >> From: Rich Megginson > >> Aaron Bliss wrote: >>> Hi everyone, >>> I'm looking to do an ldapsearch and to display only a subset of the >>> objectclasses and attributes that a list of user has. For example, >>> I'm only interested in seeing the top, person and organizatoinPerson >>> objectclasses and their cn, dn and sn attributes. Any ideas? >>> Thanks. >> for the cn dn and sn, that's easy; >> ldapsearch .... "(uid=someperson)" cn dn sn >> >> For specific objectclass values, I don't think that's possible. >>> Aaron > > Well, there's RFC3876 for specifying a values return filter, to get > only the > desired values. OpenLDAP supports this, anyway. > > -- > -- Howard Chu > CTO, Symas Corp. 
http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/ > > > > ------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > End of Fedora-directory-users Digest, Vol 36, Issue 20 > ****************************************************** From rmeggins at redhat.com Mon May 19 15:28:06 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 19 May 2008 09:28:06 -0600 Subject: [Fedora-directory-users] Uninstall FDS In-Reply-To: References: <20080518160007.0802061A46B@hormel.redhat.com> Message-ID: <48319C86.40000@redhat.com> Nicolas Roussi wrote: > Hi, I installed Fedora Directory on Fedora 9 but I need to completely > uninstall it and install it again. I tried searching online as to how > to remove it and the only thing I found was: yum erase fedora-ds. That > does not uninstall it, it just removes the package. Does anyone know > how to uninstall it? yum erase fedora-ds-base idm-console-framework Then, remove all of the directories created find /etc /usr /var -name dirsrv Remove these directories. > > Thanks > > On May 18, 2008, at 12:00 PM, > fedora-directory-users-request at redhat.com wrote: > >> Send Fedora-directory-users mailing list submissions to >> fedora-directory-users at redhat.com >> >> To subscribe or unsubscribe via the World Wide Web, visit >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> or, via email, send a message with subject or body 'help' to >> fedora-directory-users-request at redhat.com >> >> You can reach the person managing the list at >> fedora-directory-users-owner at redhat.com >> >> When replying, please edit your Subject line so it is more specific >> than "Re: Contents of Fedora-directory-users digest..." >> >> >> Today's Topics: >> >> 1. 
Re: question on ldapsearching (Howard Chu) >> >> >> ---------------------------------------------------------------------- >> >> Message: 1 >> Date: Sat, 17 May 2008 09:11:45 -0700 >> From: Howard Chu >> Subject: Re: [Fedora-directory-users] question on ldapsearching >> To: fedora-directory-users at redhat.com >> Message-ID: <482F03C1.3050603 at symas.com> >> Content-Type: text/plain; charset=us-ascii; format=flowed >> >>> Date: Fri, 16 May 2008 10:06:38 -0600 >>> From: Rich Megginson >> >>> Aaron Bliss wrote: >>>> Hi everyone, >>>> I'm looking to do an ldapsearch and to display only a subset of the >>>> objectclasses and attributes that a list of user has. For example, >>>> I'm only interested in seeing the top, person and organizatoinPerson >>>> objectclasses and their cn, dn and sn attributes. Any ideas? Thanks. >>> for the cn dn and sn, that's easy; >>> ldapsearch .... "(uid=someperson)" cn dn sn >>> >>> For specific objectclass values, I don't think that's possible. >>>> Aaron >> >> Well, there's RFC3876 for specifying a values return filter, to get >> only the >> desired values. OpenLDAP supports this, anyway. >> >> -- >> -- Howard Chu >> CTO, Symas Corp. http://www.symas.com >> Director, Highland Sun http://highlandsun.com/hyc/ >> Chief Architect, OpenLDAP http://www.openldap.org/project/ >> >> >> >> ------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> >> End of Fedora-directory-users Digest, Vol 36, Issue 20 >> ****************************************************** > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From nicolas.roussi at archimedean.org Mon May 19 15:42:02 2008 From: nicolas.roussi at archimedean.org (Nicolas Roussi) Date: Mon, 19 May 2008 11:42:02 -0400 Subject: [Fedora-directory-users] Uninstall FDS In-Reply-To: <20080518160007.0802061A46B@hormel.redhat.com> References: <20080518160007.0802061A46B@hormel.redhat.com> Message-ID: Hi, I installed Fedora Directory on Fedora 9 but I need to completely uninstall it and install it again. I tried searching online as to how to remove it and the only thing I found was: yum erase fedora-ds. That does not uninstall it, it just removes the package. Does anyone know how to uninstall it? Thanks From playactor at gmail.com Mon May 19 21:34:46 2008 From: playactor at gmail.com (Eric Brown) Date: Mon, 19 May 2008 16:34:46 -0500 Subject: [Fedora-directory-users] Password Syntax Checking Message-ID: I have been trying to get the Password Syntax Checking working with FDS 1.0.4 and am having some trouble with the passwords that it is allowing and the ones that are returning invalid syntax. I started by setting the password policy the way I thought I wanted to use for my environment, but then no passwords would work, so I changed everything down to the minimums that I could find, but I am still getting several passwords rejected due to a syntax error. I am not using the console and I need to be able to set this through an LDIF file. 
Currently I have these settings for the password policy configuration: passwordInHistory: 2 passwordUnlock: on passwordGraceLimit: 0 passwordMustChange: off passwordWarning: 86400 passwordLockout: on passwordMinLength: 4 passwordMinDigits: 0 passwordMinAlphas: 0 passwordMinUppers: 0 passwordMinLowers: 0 passwordMinSpecials: 0 passwordMin8bit: 0 passwordMaxRepeats: 0 passwordMinCategories: 1 passwordMinTokenLength: 1 passwordMaxFailure: 3 passwordMaxAge: 3888000 passwordResetFailureCount: 120 passwordisglobalpolicy: off passwordChange: on passwordExp: on passwordLockoutDuration: 300 passwordCheckSyntax: on passwordMinAge: 0 passwordStorageScheme: SSHA256 I am getting syntax errors on passwords like the following: spfihykr spfihykr10 qpwoeiru 10293847 cmdjeu37 alskdj37 xnshwy26 doggie doggie12 but things like testpass works just fine. I figure that I have something not configured properly, but I don't know what needs to be changed. And some of the values that I am using were in the User Account Management section of the Administrator's Guide two weeks ago, but they are missing now. Thanks in advance, Eric Brown From iferreir at personal.com.py Mon May 19 22:19:14 2008 From: iferreir at personal.com.py (Ivan Ferreira) Date: Mon, 19 May 2008 18:19:14 -0400 Subject: [Fedora-directory-users] Password Syntax Checking In-Reply-To: Message-ID: What is the policy that you want to apply to your passwords? As far I can see, you have almost all set to 0: passwordMinLength: 4 passwordMinDigits: 0 passwordMinAlphas: 0 passwordMinUppers: 0 passwordMinLowers: 0 passwordMinSpecials: 0 passwordMin8bit: 0 passwordMaxRepeats: 0 I don't know why you get syntax errors on other passwords, ?maybe is remembering them, try with passwordInHistory 0? Para fedora-directory-users at redhat.co m "Eric Brown" cc Enviado por: Asunto fedora-directory-users-b [Fedora-directory-users] ounces at redhat.com Password Syntax Checking Clasificaci?n 19/05/2008 05:34 p.m. 
Internal Use

Please reply to "General discussion list for the Fedora Directory server project."

I have been trying to get the Password Syntax Checking working with FDS 1.0.4 and am having some trouble with the passwords that it is allowing and the ones that are returning invalid syntax. I started by setting the password policy the way I thought I wanted to use for my environment, but then no passwords would work, so I changed everything down to the minimums that I could find, but I am still getting several passwords rejected due to a syntax error. I am not using the console and I need to be able to set this through an LDIF file.

Currently I have these settings for the password policy configuration:

passwordInHistory: 2
passwordUnlock: on
passwordGraceLimit: 0
passwordMustChange: off
passwordWarning: 86400
passwordLockout: on
passwordMinLength: 4
passwordMinDigits: 0
passwordMinAlphas: 0
passwordMinUppers: 0
passwordMinLowers: 0
passwordMinSpecials: 0
passwordMin8bit: 0
passwordMaxRepeats: 0
passwordMinCategories: 1
passwordMinTokenLength: 1
passwordMaxFailure: 3
passwordMaxAge: 3888000
passwordResetFailureCount: 120
passwordisglobalpolicy: off
passwordChange: on
passwordExp: on
passwordLockoutDuration: 300
passwordCheckSyntax: on
passwordMinAge: 0
passwordStorageScheme: SSHA256

I am getting syntax errors on passwords like the following:

spfihykr
spfihykr10
qpwoeiru
10293847
cmdjeu37
alskdj37
xnshwy26
doggie
doggie12

but things like testpass work just fine. I figure that I have something not configured properly, but I don't know what needs to be changed. And some of the values that I am using were in the User Account Management section of the Administrator's Guide two weeks ago, but they are missing now.
Thanks in advance,
Eric Brown

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

========================================================================================
LEGAL NOTICE: This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded as a proposal, acceptance or statement of will or official statement from NUCLEO S.A. Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice.

From girishkumar at mtnl.net.in Tue May 20 05:50:04 2008
From: girishkumar at mtnl.net.in (girishkumar at mtnl.net.in)
Date: Tue, 20 May 2008 10:50:04 +0500
Subject: [Fedora-directory-users] Uninstall FDS
Message-ID: <294c4258d6.258d6294c4@mtnl.net.in>

There may be an uninstall program to completely remove the package.
Girish Kumar .G
JTO - Internet

----- Original Message -----
From: Nicolas Roussi
Date: Monday, May 19, 2008 9:12 pm
Subject: [Fedora-directory-users] Uninstall FDS

> Hi, I installed Fedora Directory on Fedora 9 but I need to completely
> uninstall it and install it again. I tried searching online as to how
> to remove it and the only thing I found was: yum erase fedora-ds.
> That does not uninstall it, it just removes the package. Does anyone
> know how to uninstall it?
>
> Thanks

From prabhu.s at mgl.com Tue May 20 11:27:43 2008
From: prabhu.s at mgl.com (Prabhu. S)
Date: Tue, 20 May 2008 16:57:43 +0530
Subject: [Fedora-directory-users] Issues in starting the console
Message-ID: <001e01c8ba6c$85763510$77f21bac@cosmos.blr>

Hi,

I installed the fedora-ds successfully. On starting the console, I get the following error messages:

[root at neutron fedora-ds]# ./startconsole -u admin -a http://neutron:21821/
GC Warning: Out of Memory! Returning NIL!
Exception in thread "main" GC Warning: Out of Memory! Returning NIL!
java.lang.LinkageError: unexpected exception during linking: com.netscape.management.client.console.Console
GC Warning: Out of Memory! Returning NIL!
*** Catastrophic failure while handling uncaught exception.
GC Warning: Out of Memory! Returning NIL!

Does this indicate that the system has insufficient RAM, or is it something else that I am missing?

Thanks,
Prabhu

EMAIL DISCLAIMER : This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Any unauthorised distribution or copying is strictly prohibited. If you receive this transmission in error, please notify the sender by reply email and then destroy the message.
Opinions, conclusions and other information in this message that do not relate to official business of Mascon shall be understood to be neither given nor endorsed by Mascon. Any information contained in this email, when addressed to Mascon clients is subject to the terms and conditions in the governing client contract. Whilst Mascon takes steps to prevent the transmission of viruses via e-mail, we cannot guarantee that any email or attachment is free from computer viruses and you are strongly advised to undertake your own anti-virus precautions. Mascon grants no warranties regarding performance, use or quality of any e-mail or attachment and undertakes no liability for loss or damage, howsoever caused.

From rmeggins at redhat.com Tue May 20 13:28:06 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 20 May 2008 07:28:06 -0600
Subject: [Fedora-directory-users] Issues in starting the console
In-Reply-To: <001e01c8ba6c$85763510$77f21bac@cosmos.blr>
References: <001e01c8ba6c$85763510$77f21bac@cosmos.blr>
Message-ID: <4832D1E6.70005@redhat.com>

Prabhu. S wrote:
> Hi,
>
> I installed the fedora-ds successfully. On starting the console, I get
> the following error messages:
>
> [root at neutron fedora-ds]# ./startconsole -u admin -a http://neutron:21821/
> GC Warning: Out of Memory! Returning NIL!
> Exception in thread "main" GC Warning: Out of Memory! Returning NIL!
> java.lang.LinkageError: unexpected exception during linking:
> com.netscape.management.client.console.Console
> GC Warning: Out of Memory! Returning NIL!
> *** Catastrophic failure while handling uncaught exception.
> GC Warning: Out of Memory! Returning NIL!
>
> Does this indicate that the system has insufficient RAM, or is it
> something else that I am missing.

This usually means you are using the wrong java. What platform are you on?
java -version

See http://directory.fedoraproject.org/wiki/Install_Guide#Installation_Prerequisites

>
> Thanks,
> Prabhu

From sanga.c at it-mgt.com Tue May 20 13:35:41 2008
From: sanga.c at it-mgt.com (Sanga M. Collins)
Date: Tue, 20 May 2008 09:35:41 -0400
Subject: [Fedora-directory-users] Uninstall FDS
References: <294c4258d6.258d6294c4@mtnl.net.in>
Message-ID: <5542485358217A4EB9893C4F12C42BF9D671E7@itm-bb01.exch.it-mgt.net>

On my ubuntu804 installation, there is an uninstall in the /opt/fedora-ds/ directory. I just run sudo /opt/fedora-ds/uninstall, and it asks what parts of the server you wish to remove. After completing that step I run sudo apt-get remove fedora-ds to get rid of the remaining directories. You can then re-install clean if you wish.

Sanga M. Collins
Network Engineering
~~~~~~~~~~~~~~~~~~~~~~~
IT Management LLC
6491 Sunset Strip #5, Sunrise Fl, 33313
Tel: (954) 572 7411, Fax: (435) 578 7411

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of girishkumar at mtnl.net.in
Sent: Tuesday, May 20, 2008 1:50 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Uninstall FDS

There may be an uninstall program to completely remove the package.

Girish Kumar .G
JTO - Internet

----- Original Message -----
From: Nicolas Roussi
Date: Monday, May 19, 2008 9:12 pm
Subject: [Fedora-directory-users] Uninstall FDS

> Hi, I installed Fedora Directory on Fedora 9 but I need to completely
> uninstall it and install it again. I tried searching online as to how
> to remove it and the only thing I found was: yum erase fedora-ds.
> That does not uninstall it, it just removes the package. Does anyone
> know how to uninstall it?
>
> Thanks

From sanga.c at it-mgt.com Tue May 20 13:49:04 2008
From: sanga.c at it-mgt.com (Sanga M. Collins)
Date: Tue, 20 May 2008 09:49:04 -0400
Subject: [Fedora-directory-users] console breaks after installing libnss-ldap and libpam-ldap
Message-ID: <5542485358217A4EB9893C4F12C42BF9D671EC@itm-bb01.exch.it-mgt.net>

I have successfully installed Fedora ds 1.0.4 on Ubuntu 8.04. I run into some issues when configuring Pam and Nss for the samba portion. On my first test server I was able to complete the setup without any major problems. On all subsequent servers, I install FDS and successfully start the console and add one posix user. I then begin installing Pam and Libnss by using the auth-client-config to automatically configure the files in /etc/pam.d/ as well as the nsswitch.conf. After I do this, I can no longer log in to the console, and the error logs get filled with the following error.

[Mon May 19 00:43:26 2008] [notice] child pid 10675 exit signal Segmentation fault (11)

Can anyone point me in the right direction?

Sanga M. Collins
Network Engineering
~~~~~~~~~~~~~~~~~~~~~~~
IT Management LLC
6491 Sunset Strip #5, Sunrise Fl, 33313
Tel: (954) 572 7411, Fax: (435) 578 7411

From playactor at gmail.com Tue May 20 15:12:22 2008
From: playactor at gmail.com (Eric Brown)
Date: Tue, 20 May 2008 10:12:22 -0500
Subject: Fwd: [Fedora-directory-users] Password Syntax Checking

I know that I have everything set to 0. I had things set more strictly and I couldn't change to any password. So I set everything to the minimum value that the FDS would let me. But even with those minimal values, virtually every password was rejected due to the syntax issue. I tried to set passwordInHistory to 0, but the minimum required value was 2.
So, I have set passwordHistory to off, so the history shouldn't be an issue, on top of the fact that I attempted the password changes in the order that I had them in my original message, all of which failed; the password that my user was set to was testpass.

Thanks,
Eric

---------- Forwarded message ----------
From: Ivan Ferreira
Date: Mon, May 19, 2008 at 5:19 PM
Subject: Re: [Fedora-directory-users] Password Syntax Checking
To: "General discussion list for the Fedora Directory server project."
Cc: fedora-directory-users at redhat.com, fedora-directory-users-bounces at redhat.com

What is the policy that you want to apply to your passwords? As far as I can see, you have almost all set to 0:

passwordMinLength: 4
passwordMinDigits: 0
passwordMinAlphas: 0
passwordMinUppers: 0
passwordMinLowers: 0
passwordMinSpecials: 0
passwordMin8bit: 0
passwordMaxRepeats: 0

I don't know why you get syntax errors on other passwords; maybe it is remembering them. Try with passwordInHistory 0?

"Eric Brown"
Sent by: fedora-directory-users-bounces at redhat.com
19/05/2008 05:34 p.m.

To: fedora-directory-users at redhat.com
cc:
Subject: [Fedora-directory-users] Password Syntax Checking
Classification: Internal Use

Please reply to "General discussion list for the Fedora Directory server project."

I have been trying to get the Password Syntax Checking working with FDS 1.0.4 and am having some trouble with the passwords that it is allowing and the ones that are returning invalid syntax. I started by setting the password policy the way I thought I wanted to use for my environment, but then no passwords would work, so I changed everything down to the minimums that I could find, but I am still getting several passwords rejected due to a syntax error. I am not using the console and I need to be able to set this through an LDIF file.

Currently I have these settings for the password policy configuration:

passwordInHistory: 2
passwordUnlock: on
passwordGraceLimit: 0
passwordMustChange: off
passwordWarning: 86400
passwordLockout: on
passwordMinLength: 4
passwordMinDigits: 0
passwordMinAlphas: 0
passwordMinUppers: 0
passwordMinLowers: 0
passwordMinSpecials: 0
passwordMin8bit: 0
passwordMaxRepeats: 0
passwordMinCategories: 1
passwordMinTokenLength: 1
passwordMaxFailure: 3
passwordMaxAge: 3888000
passwordResetFailureCount: 120
passwordisglobalpolicy: off
passwordChange: on
passwordExp: on
passwordLockoutDuration: 300
passwordCheckSyntax: on
passwordMinAge: 0
passwordStorageScheme: SSHA256

I am getting syntax errors on passwords like the following:

spfihykr
spfihykr10
qpwoeiru
10293847
cmdjeu37
alskdj37
xnshwy26
doggie
doggie12

but things like testpass work just fine. I figure that I have something not configured properly, but I don't know what needs to be changed. And some of the values that I am using were in the User Account Management section of the Administrator's Guide two weeks ago, but they are missing now.

Thanks in advance,
Eric Brown

From lbigum at iseek.com.au Wed May 21 06:55:27 2008
From: lbigum at iseek.com.au (Luke Bigum)
Date: Wed, 21 May 2008 16:55:27 +1000
Subject: [Fedora-directory-users] instance listening on multiple ports
Message-ID: <50A3F7088FE1A14FB0CF57A2248738865B667FF58D@EXCHANGE1.intranet.iseek.com.au>

Hello,

I was wondering if there's a way to get a single FDS instance to listen on more than one port? There's some horrible routing rules I'm trying to dodge in my network by sending replication to one port and normal queries to another.

Thanks,

-Luke

--
Luke Bigum
Systems Administrator
iseek Communications Pty Ltd
Excellence in business data solutions
ph 1300 661 668 fax 1300 661 540
www.iseek.com.au
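Back on the password syntax thread above: each attribute Eric lists maps to one check, and the one that most easily produces surprising rejections is passwordMinTokenLength, which (as I read the documented behaviour; treat this as an assumption) tests substrings of the password of that length against the user's own attribute values such as uid, cn, sn, givenName, ou and mail, so a value of 1 rejects any password that shares even a single character with them. The script below is an added example, not server code; it approximates those checks with assumed semantics and runs the thread's candidate passwords against the posted policy and a stricter constructed one, using a constructed sample entry (uid=jdoe).

```python
"""Approximation of the password syntax checks behind the policy attributes
quoted in the thread (added example, assumed semantics, not server code)."""
from collections import Counter

# Syntax-relevant attributes exactly as Eric Brown posted them.
POLICY = {
    "passwordMinLength": 4, "passwordMinDigits": 0, "passwordMinAlphas": 0,
    "passwordMinUppers": 0, "passwordMinLowers": 0, "passwordMinSpecials": 0,
    "passwordMin8bit": 0, "passwordMaxRepeats": 0, "passwordMinCategories": 1,
    "passwordMinTokenLength": 1,
}

# A stricter policy, constructed here for contrast.
STRICT_POLICY = dict(POLICY, passwordMinLength=8, passwordMinDigits=1,
                     passwordMinUppers=1, passwordMinCategories=3,
                     passwordMaxRepeats=2, passwordMinTokenLength=3)

# Constructed sample user; the trivial-word check reads these attributes
# (assumed attribute list, not taken from the thread).
SAMPLE_ENTRY = {"uid": ["jdoe"], "cn": ["Jane Doe"], "sn": ["Doe"],
                "givenName": ["Jane"], "mail": ["jdoe@example.com"]}
TRIVIAL_ATTRS = ("uid", "cn", "sn", "givenName", "ou", "mail")

# The passwords from the thread plus one constructed to trip the token check.
CANDIDATES = ["spfihykr", "spfihykr10", "qpwoeiru", "10293847", "cmdjeu37",
              "alskdj37", "xnshwy26", "doggie", "doggie12", "testpass",
              "jdoe123"]


def classify(ch):
    """Map one character onto the five policy categories."""
    if ord(ch) > 127:
        return "8bit"
    if ch.isdigit():
        return "digit"
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    return "special"


def max_run(pw):
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    prev = None
    for ch in pw:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def trivial_token(pw, entry, toklen):
    """First substring of pw with length toklen that occurs, case-insensitively,
    inside one of the entry's identity attributes, or None.  Assumed behaviour
    of passwordMinTokenLength: every token of that length is tested."""
    if toklen <= 0 or toklen > len(pw):
        return None
    low = pw.lower()
    values = [v.lower() for a in TRIVIAL_ATTRS for v in entry.get(a, [])]
    for i in range(len(low) - toklen + 1):
        tok = low[i:i + toklen]
        if any(tok in v for v in values):
            return tok
    return None


def check_syntax(pw, entry, policy=POLICY):
    """Return the list of violated policy attributes ([] means accepted)."""
    counts = Counter(classify(c) for c in pw)
    minimums = {
        "passwordMinDigits": counts["digit"],
        "passwordMinAlphas": counts["upper"] + counts["lower"],
        "passwordMinUppers": counts["upper"],
        "passwordMinLowers": counts["lower"],
        "passwordMinSpecials": counts["special"],
        "passwordMin8bit": counts["8bit"],
        "passwordMinCategories": len(counts),   # distinct categories present
    }
    errors = []
    if len(pw) < policy["passwordMinLength"]:
        errors.append("passwordMinLength")
    errors += [attr for attr, have in minimums.items() if have < policy[attr]]
    limit = policy["passwordMaxRepeats"]        # 0 disables the repeat check
    if limit and max_run(pw) > limit:
        errors.append("passwordMaxRepeats")
    tok = trivial_token(pw, entry, policy["passwordMinTokenLength"])
    if tok is not None:
        errors.append("passwordMinTokenLength(%r)" % tok)
    return errors


def evaluate(policy, entry=SAMPLE_ENTRY, candidates=CANDIDATES):
    """Map each candidate password to its violations under the given policy."""
    return {pw: check_syntax(pw, entry, policy) for pw in candidates}


if __name__ == "__main__":
    for name, policy in (("posted", POLICY), ("strict", STRICT_POLICY)):
        print("== %s policy ==" % name)
        for pw, errs in evaluate(policy).items():
            print("%-12s %s" % (pw, "ok" if not errs else ", ".join(errs)))
```

With the posted policy and this sample entry, only the all-digit password survives the length-1 token check; which passwords survive on a real server depends entirely on that user's own attribute values.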
From j.barber at dundee.ac.uk Wed May 21 07:47:24 2008
From: j.barber at dundee.ac.uk (Jonathan Barber)
Date: Wed, 21 May 2008 08:47:24 +0100
Subject: [Fedora-directory-users] instance listening on multiple ports
In-Reply-To: <50A3F7088FE1A14FB0CF57A2248738865B667FF58D@EXCHANGE1.intranet.iseek.com.au>
References: <50A3F7088FE1A14FB0CF57A2248738865B667FF58D@EXCHANGE1.intranet.iseek.com.au>
Message-ID: <20080521074724.GO25058@flea.lifesci.dundee.ac.uk>

On Wed, May 21, 2008 at 04:55:27PM +1000, Luke Bigum wrote:
> Hello,
>
> I was wondering if there's a way to get a single FDS instance to
> listen on more than one port? There's some horrible routing rules I'm
> trying to dodge in my network by sending replication to one port and
> normal queries to another.

I don't know if it's possible for FDS, but you could use an iptables nat table PREROUTING rule, e.g. to redirect 1389 to 389 on interface eth0 (untested):

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 1389 -j REDIRECT --to-ports 389

> Thanks,
>
> -Luke
>
> --
> Luke Bigum
> Systems Administrator
> iseek Communications Pty Ltd
> Excellence in business data solutions
> ph 1300 661 668 fax 1300 661 540
> www.iseek.com.au

--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389

From zona.kevin at gmail.com Wed May 21 16:19:10 2008
From: zona.kevin at gmail.com (Kevin Zona)
Date: Wed, 21 May 2008 12:19:10 -0400
Subject: [Fedora-directory-users] Replication Issues
Message-ID: <9635f6ec0805210919k55472326lcd26e375b33d6685@mail.gmail.com>

I am getting the following errors when trying to replicate between four servers in a multimaster configuration. This was working without issue until this morning. We made a minor change to the password policy on one of the directories. Any ideas would be a great help.
I have verified the connection between the two servers and it is fine.

-- Begin Log ---
[21/May/2008:10:56:37 -0400] NSMMReplicationPlugin - agmt="cn=LDAP Replication (chi01osi116)" (chi01osi116:636): Failed to send extended operation: LDAP error 81 (Can't contact LDAP server)
[21/May/2008:10:55:34 -0400] NSMMReplicationPlugin - agmt="cn=LDAP Replication (atl01osi104)" (atl01osi104:636): Failed to send extended operation: LDAP error 81 (Can't contact LDAP server)
[21/May/2008:10:51:21 -0400] NSMMReplicationPlugin - agmt="cn=LDAP Replication (chi01osi116)" (chi01osi116:636): Failed to send extended operation: LDAP error 81 (Can't contact LDAP server)
[21/May/2008:10:49:27 -0400] NSMMReplicationPlugin - agmt="cn=LDAP Replication (chi01osi117)" (chi01osi117:389): Incremental protocol: fatal error - too much time skew between replicas!
--- End Log ---

I am also seeing the following:

-- Begin --
[21/May/2008:12:15:16 -0400] NSMMReplicationPlugin - agmt="cn=LDAP Replication (atl01osi104)" (atl01osi104:636): Simple bind resumed
[21/May/2008:12:15:17 -0400] NSMMReplicationPlugin - agmt="cn=LDAP Replication (atl01osi104)" (atl01osi104:636): Consumer failed to replay change (uniqueid bb9e6e96-1dd111b2-989ca832-f6930000, CSN 4834921c000000010000): DSA is unwilling to perform. Will retry later.
-- End --

-Kevin

From erlingre at gmail.com Fri May 23 08:17:38 2008
From: erlingre at gmail.com (Erling Ringen Elvsrud)
Date: Fri, 23 May 2008 10:17:38 +0200
Subject: [Fedora-directory-users] Trouble registering a new DS instance with an existing Configuration Directory Server
Message-ID: <664c5a070805230117n27daae3aod9fc9208ab0a3f98@mail.gmail.com>

Hello list,

I have/want the following configuration:

box1: RHDS master server
box2: A read only replica.

The installation on box1 completed successfully, but some problem has arisen on box2.
Installation of the RPM files works well, but running setup-ds-admin.pl is troublesome. As recommended in the documentation I want to use the existing Configuration Directory Server on box1 for the replica install on box2, but the installation fails with the following error:

Pick a port number between 1024 and 65535 to run your Administration Server on. You should NOT use a port number which you plan to run a web or application server on, rather, select a number which you will remember and which will not be used for anything else.
[08/05/20:12:23:04] - [Setup] Info Administration port
[08/05/20:12:23:37] - [Setup] Info 9830
[08/05/20:12:23:37] - [Setup] Info The interactive phase is complete. The script will now set up your servers. Enter No or go Back if you want to change something.
[08/05/20:12:23:37] - [Setup] Info Are you ready to set up your servers?
[08/05/20:12:23:42] - [Setup] Info yes
[08/05/20:12:23:42] - [Setup] Info Creating directory server . . .
[08/05/20:12:23:46] - [Setup] Info Your new DS instance 'd20dcvl002' was successfully created.
[08/05/20:12:23:46] - [Setup] Info Creating the configuration directory server . . .
[08/05/20:12:23:46] - [Setup] Info Error adding entry 'cn=Red Hat Directory Server, cn=Server Group, cn=d20dcvl002.internsone2.local, ou=internsone2.local, o=NetscapeRoot'. Error: No such object
[08/05/20:12:23:46] - [Setup] Fatal Could not register the directory server with the configuration directory server.
[08/05/20:12:23:46] - [Setup] Fatal Exiting . . .
Log file is '/tmp/setupCvZ4zW.log'
-------------------------------------------------------------------------------------------------------------

SSL/TLS is disabled on box1. The o=NetscapeRoot DIT looks okay, and the branch for box1 seems to be correct and working.

Do you have any suggestions for how I can debug this problem?
Thanks,
Erling Ringen Elvsrud

From Dennis.DeMarco at lexisnexis.com Thu May 22 20:16:00 2008
From: Dennis.DeMarco at lexisnexis.com (DeMarco, Dennis)
Date: Thu, 22 May 2008 16:16:00 -0400
Subject: [Fedora-directory-users] SNMP Monitoring - What's available
Message-ID: <1946415220FCB3408F01DB0A3D91AC6264C75B@SEISINTMX01>

I've got a question I've been trying to hunt down.

Is there any way for snmp to monitor connections to the directory server?

I see there are entries for snmp to see things like # of entries added since restart. However, are there any good resource summaries I can monitor? I.e. the Performance counters in the admin console?

Thanks,
Dennis

This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.

From nicolas.carel at inrp.fr Fri May 23 13:55:34 2008
From: nicolas.carel at inrp.fr (Nicolas CAREL)
Date: Fri, 23 May 2008 15:55:34 +0200
Subject: [Fedora-directory-users] Trouble registering a new DS instance with an existing Configuration Directory Server
In-Reply-To: <664c5a070805230117n27daae3aod9fc9208ab0a3f98@mail.gmail.com>
References: <664c5a070805230117n27daae3aod9fc9208ab0a3f98@mail.gmail.com>
Message-ID: <4836CCD6.6040003@inrp.fr>

Hello,

We experienced the same issue...

Erling Ringen Elvsrud wrote:
> Hello list,
>
> I have/want the following configuration:
>
> box1: RHDS master server
> box2: A read only replica.
>
> The installation on box1 completed successfully, but some problem has arisen on
> box2.
>
> [08/05/20:12:23:46] - [Setup] Fatal Could not register the directory
> server with the configuration directory server.
> [08/05/20:12:23:46] - [Setup] Fatal Exiting . . .
>
> Erling Ringen Elvsrud
>

We set up 2 Fedora Core 8 Virtual machines: vmware-fds1 and vmware-fds2, with yum update before installation.
On the first one, installation of FDS 1.1 with yum and setup. It works fine.
On the second one, copycat.
We tried to join the administration domain created in the first one and got the same message.
Both Virtual Machines are on the same LAN. The network is OK.

Both servers are in NTP sync, this is helpful.

The setup log is in the attached file.

Here is the slapd log of vmware-fds1:

Stage 1: FDS Startup
Fedora-Directory/1.1.0 B2008.03.27
vmware-fds1.inrp.fr:389 (/etc/dirsrv/slapd-vmware-fds1)

[23/May/2008:13:35:50 +0200] conn=0 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[23/May/2008:13:35:50 +0200] conn=0 op=0 BIND dn="" method=128 version=3
[23/May/2008:13:35:50 +0200] conn=0 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[23/May/2008:13:35:50 +0200] conn=0 op=1 SRCH base="cn=admin-serv-vmware-fds1, cn=Fedora Administration Server, cn=Server Group, cn=vmware-fds1.inrp.fr, ou=inrp.fr, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
[23/May/2008:13:35:50 +0200] conn=0 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[23/May/2008:13:35:50 +0200] conn=0 op=2 UNBIND
[23/May/2008:13:35:50 +0200] conn=0 op=2 fd=64 closed - U1
[23/May/2008:13:35:51 +0200] conn=1 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[23/May/2008:13:35:51 +0200] conn=1 op=0 BIND dn="" method=128 version=3
[23/May/2008:13:35:51 +0200] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[23/May/2008:13:35:51 +0200] conn=1 op=1 SRCH base="cn=admin-serv-vmware-fds1, cn=Fedora Administration Server, cn=Server Group, cn=vmware-fds1.inrp.fr, ou=inrp.fr, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
[23/May/2008:13:35:51 +0200] conn=1 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[23/May/2008:13:35:51 +0200] conn=1 op=2 UNBIND
[23/May/2008:13:35:51 +0200] conn=1 op=2 fd=64 closed - U1

Stage 2: Setup on vmware-fds2
Configuration directory server URL: ldap://vmware-fds1.inrp.fr:389/o=NetscapeRoot
Configuration directory server admin ID: admin
Configuration directory server admin password: *******
Configuration directory server admin domain: inrp.fr

[23/May/2008:14:31:46 +0200] conn=2 fd=64 slot=64 connection from 195.83.134.21 to 195.83.134.29
[23/May/2008:14:31:46 +0200] conn=2 op=0 BIND dn="" method=128 version=3
[23/May/2008:14:31:46 +0200] conn=2 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[23/May/2008:14:31:46 +0200] conn=2 op=1 SRCH base="o=NetscapeRoot" scope=2 filter="(uid=admin)" attrs="dn"
[23/May/2008:14:31:46 +0200] conn=2 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[23/May/2008:14:31:46 +0200] conn=2 op=2 BIND dn="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" method=128 version=3
[23/May/2008:14:31:46 +0200] conn=2 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[23/May/2008:14:31:46 +0200] conn=2 op=3 SRCH base="ou=inrp.fr, o=NetscapeRoot" scope=0 filter="(objectClass=*)" attrs="dn"
[23/May/2008:14:31:46 +0200] conn=2 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[23/May/2008:14:31:46 +0200] conn=2 op=4 UNBIND
[23/May/2008:14:31:46 +0200] conn=2 op=4 fd=64 closed - U1

Stage 3: Are you ready to set up your servers? : YES

[23/May/2008:14:38:30 +0200] conn=3 fd=64 slot=64 connection from 195.83.134.21 to 195.83.134.29
[23/May/2008:14:38:30 +0200] conn=3 op=0 BIND dn="" method=128 version=3
[23/May/2008:14:38:30 +0200] conn=3 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[23/May/2008:14:38:30 +0200] conn=3 op=1 SRCH base="o=NetscapeRoot" scope=2 filter="(uid=admin)" attrs="dn"
[23/May/2008:14:38:30 +0200] conn=3 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[23/May/2008:14:38:30 +0200] conn=3 op=2 BIND dn="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" method=128 version=3
[23/May/2008:14:38:30 +0200] conn=3 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[23/May/2008:14:38:30 +0200] conn=3 op=3 SRCH base="o=NetscapeRoot" scope=0 filter="(objectClass=*)" attrs="* aci"
[23/May/2008:14:38:30 +0200] conn=3 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[23/May/2008:14:38:30 +0200] conn=3 op=4 MOD dn="o=NetscapeRoot"
[23/May/2008:14:38:30 +0200] conn=3 op=4 RESULT err=0 tag=103 nentries=0 etime=0
[23/May/2008:14:38:30 +0200] conn=3 op=5 SRCH base="cn=Fedora Directory Server, cn=Server Group, cn=vmware-fds2.inrp.fr, ou=inrp.fr, o=NetscapeRoot" scope=0 filter="(objectClass=*)" attrs="* aci"
[23/May/2008:14:38:30 +0200] conn=3 op=5 RESULT err=32 tag=101 nentries=0 etime=0
[23/May/2008:14:38:30 +0200] conn=3 op=6 ADD dn="cn=Fedora Directory Server, cn=Server Group, cn=vmware-fds2.inrp.fr, ou=inrp.fr, o=NetscapeRoot"
*[23/May/2008:14:38:30 +0200] conn=3 op=6 RESULT err=32 tag=105 nentries=0 etime=0*
[23/May/2008:14:38:30 +0200] conn=3 op=7 UNBIND
[23/May/2008:14:38:30 +0200] conn=3 op=7 fd=64 closed - U1

HELP !

--
Nicolas CAREL
Service Commun Informatique
IT Manager
Trust my certificate : http://igc.cru.fr/trust.php
Institut National de Recherche Pédagogique
19 allée de Fontenay - B.P. 17424 - 69347 LYON CEDEX 07
Switchboard: 04 72 76 61 00 - Fax: 04 72 76 61 10

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: setupuRJ2k2.log

From rmeggins at redhat.com Fri May 23 14:17:31 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 23 May 2008 08:17:31 -0600
Subject: [Fedora-directory-users] SNMP Monitoring - What's available
In-Reply-To: <1946415220FCB3408F01DB0A3D91AC6264C75B@SEISINTMX01>
References: <1946415220FCB3408F01DB0A3D91AC6264C75B@SEISINTMX01>
Message-ID: <4836D1FB.5030302@redhat.com>

DeMarco, Dennis wrote:
> I've got a question I've been trying to hunt down.
>
> Is there any way for snmp to monitor connections to the directory
> server?
>
> I see there are entries for snmp to see things like # of entries added
> since restart.. However are there any good resource summaries I can
> monitor? Ie the Performance counters in the admin console?
>

This might help - http://tinyurl.com/667xpc

> Thanks,
> Dennis
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Fri May 23 14:19:04 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 23 May 2008 08:19:04 -0600 Subject: [Fedora-directory-users] Trouble registering a new DS instance with an existing Configuration Directory Server In-Reply-To: <4836CCD6.6040003@inrp.fr> References: <664c5a070805230117n27daae3aod9fc9208ab0a3f98@mail.gmail.com> <4836CCD6.6040003@inrp.fr> Message-ID: <4836D258.9020406@redhat.com> Nicolas CAREL wrote: > Hello, > > We experienced the same issue... I believe this is a bug - https://bugzilla.redhat.com/show_bug.cgi?id=431103 - the bug gives instructions about how to work around the problem. > > Erling Ringen Elvsrud a écrit : >> Hello list, >> >> I have/want the following configuration: >> >> box1: RHDS master server >> box2: A read only replica. >> >> The installation on box1 completed successfully, but some problem has arisen on >> box2. >> >> [08/05/20:12:23:46] - [Setup] Fatal Could not register the directory >> server with the configuration directory server. >> [08/05/20:12:23:46] - [Setup] Fatal Exiting . . . >> >> Erling Ringen Elvsrud >> > We set up 2 Fedora Core 8 Virtual machines : vmware-fds1 and > vmware-fds2 > yum update before installation. > On the first one, installation of FDS 1.1 with yum and setup. It works > fine. > On the second one, copycat. > We tried to join the administration domain created in the first one > and got the same message. > Both Virtual Machines are on the same LAN. The network is OK. > > Both servers are in NTP sync, this is helpful. > > The setup log is in the attached file. 
> > Here is the slapd log of vmware-fds1 : > * > Stage 1 : FDS Startup* > Fedora-Directory/1.1.0 B2008.03.27 > vmware-fds1.inrp.fr:389 (/etc/dirsrv/slapd-vmware-fds1) > > [23/May/2008:13:35:50 +0200] conn=0 fd=64 slot=64 connection from > 127.0.0.1 to 127.0.0.1 > [23/May/2008:13:35:50 +0200] conn=0 op=0 BIND dn="" method=128 version=3 > [23/May/2008:13:35:50 +0200] conn=0 op=0 RESULT err=0 tag=97 > nentries=0 etime=0 dn="" > [23/May/2008:13:35:50 +0200] conn=0 op=1 SRCH > base="cn=admin-serv-vmware-fds1, cn=Fedora Administration Server, cn= > Server Group, cn=vmware-fds1.inrp.fr, ou=inrp.fr, o=NetscapeRoot" > scope=2 filter="(nsExecRef=*)" attrs="nsExecRef n > sLogSuppress" > [23/May/2008:13:35:50 +0200] conn=0 op=1 RESULT err=0 tag=101 > nentries=0 etime=0 > [23/May/2008:13:35:50 +0200] conn=0 op=2 UNBIND > [23/May/2008:13:35:50 +0200] conn=0 op=2 fd=64 closed - U1 > [23/May/2008:13:35:51 +0200] conn=1 fd=64 slot=64 connection from > 127.0.0.1 to 127.0.0.1 > [23/May/2008:13:35:51 +0200] conn=1 op=0 BIND dn="" method=128 version=3 > [23/May/2008:13:35:51 +0200] conn=1 op=0 RESULT err=0 tag=97 > nentries=0 etime=0 dn="" > [23/May/2008:13:35:51 +0200] conn=1 op=1 SRCH > base="cn=admin-serv-vmware-fds1, cn=Fedora Administration Server, cn= > Server Group, cn=vmware-fds1.inrp.fr, ou=inrp.fr, o=NetscapeRoot" > scope=2 filter="(nsExecRef=*)" attrs="nsExecRef n > sLogSuppress" > [23/May/2008:13:35:51 +0200] conn=1 op=1 RESULT err=0 tag=101 > nentries=0 etime=0 > [23/May/2008:13:35:51 +0200] conn=1 op=2 UNBIND > [23/May/2008:13:35:51 +0200] conn=1 op=2 fd=64 closed - U1 > * > Stage 2 : Setup on vmware-fds2 * > Configuration directory server URL : > *ldap://vmware-fds1.inrp.fr:389/o=NetscapeRoot* > Configuration directory server admin ID *admin* > Configuration directory server admin password : ******* > Configuration directory server admin domain : *inrp.fr* > [23/May/2008:14:31:46 +0200] conn=2 fd=64 slot=64 connection from > 195.83.134.21 to 195.83.134.29 > 
[23/May/2008:14:31:46 +0200] conn=2 op=0 BIND dn="" method=128 version=3 > [23/May/2008:14:31:46 +0200] conn=2 op=0 RESULT err=0 tag=97 > nentries=0 etime=0 dn="" > [23/May/2008:14:31:46 +0200] conn=2 op=1 SRCH base="o=NetscapeRoot" > scope=2 filter="(uid=admin)" attrs="dn" > [23/May/2008:14:31:46 +0200] conn=2 op=1 RESULT err=0 tag=101 > nentries=1 etime=0 > [23/May/2008:14:31:46 +0200] conn=2 op=2 BIND dn="uid=admin, > ou=Administrators, ou=TopologyManagement, o=NetscapeRo > ot" method=128 version=3 > [23/May/2008:14:31:46 +0200] conn=2 op=2 RESULT err=0 tag=97 > nentries=0 etime=0 dn="uid=admin,ou=administrators,ou= > topologymanagement,o=netscaperoot" > [23/May/2008:14:31:46 +0200] conn=2 op=3 SRCH base="ou=inrp.fr, > o=NetscapeRoot" scope=0 filter="(objectClass=*)" at > trs="dn" > [23/May/2008:14:31:46 +0200] conn=2 op=3 RESULT err=0 tag=101 > nentries=1 etime=0 > [23/May/2008:14:31:46 +0200] conn=2 op=4 UNBIND > [23/May/2008:14:31:46 +0200] conn=2 op=4 fd=64 closed - U1 > > *Stage 3 : Are you ready to set up your servers? 
: YES* > > [23/May/2008:14:38:30 +0200] conn=3 fd=64 slot=64 connection from > 195.83.134.21 to 195.83.134.29 > [23/May/2008:14:38:30 +0200] conn=3 op=0 BIND dn="" method=128 version=3 > [23/May/2008:14:38:30 +0200] conn=3 op=0 RESULT err=0 tag=97 > nentries=0 etime=0 dn="" > [23/May/2008:14:38:30 +0200] conn=3 op=1 SRCH base="o=NetscapeRoot" > scope=2 filter="(uid=admin)" attrs="dn" > [23/May/2008:14:38:30 +0200] conn=3 op=1 RESULT err=0 tag=101 > nentries=1 etime=0 > [23/May/2008:14:38:30 +0200] conn=3 op=2 BIND dn="uid=admin, > ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" method=128 version=3 > [23/May/2008:14:38:30 +0200] conn=3 op=2 RESULT err=0 tag=97 > nentries=0 etime=0 dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot" > [23/May/2008:14:38:30 +0200] conn=3 op=3 SRCH base="o=NetscapeRoot" > scope=0 filter="(objectClass=*)" attrs="* aci" > [23/May/2008:14:38:30 +0200] conn=3 op=3 RESULT err=0 tag=101 > nentries=1 etime=0 > [23/May/2008:14:38:30 +0200] conn=3 op=4 MOD dn="o=NetscapeRoot" > [23/May/2008:14:38:30 +0200] conn=3 op=4 RESULT err=0 tag=103 > nentries=0 etime=0 > [23/May/2008:14:38:30 +0200] conn=3 op=5 SRCH base="cn=Fedora > Directory Server, cn=Server Group, cn=vmware-fds2.inrp.fr, ou=inrp.fr, o=NetscapeRoot" scope=0 filter="(objectClass=*)" > attrs="* aci" > [23/May/2008:14:38:30 +0200] conn=3 op=5 RESULT err=32 tag=101 > nentries=0 etime=0 > [23/May/2008:14:38:30 +0200] conn=3 op=6 ADD dn="cn=Fedora Directory > Server, cn=Server Group, cn=vmware-fds2.inrp.fr, ou=inrp.fr, o=NetscapeRoot" > *[23/May/2008:14:38:30 +0200] conn=3 op=6 RESULT err=32 tag=105 > nentries=0 etime=0* > [23/May/2008:14:38:30 +0200] conn=3 op=7 UNBIND > [23/May/2008:14:38:30 +0200] conn=3 op=7 fd=64 closed - U1 > > > HELP ! > > -- > *Nicolas CAREL > **Service Commun Informatique > *IT Manager > Trust my certificate : http://igc.cru.fr/trust.php > > *Institut National de Recherche Pédagogique > *19 allée de Fontenay - B.P.
17424 - 69347 LYON > CEDEX 07 > Standard : 04 72 76 61 00 - Télécopie : 04 72 76 61 10 > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From fmunoz at hispafuentes.com Fri May 23 16:39:14 2008 From: fmunoz at hispafuentes.com (Fernando Muñoz) Date: Fri, 23 May 2008 18:39:14 +0200 Subject: [Fedora-directory-users] FDS instance over UDP port (389) Message-ID: <1211560754.9826.12.camel@hispafuentes.vm-windows.maqueta> Hello, I've got a question, Is there any way to raise a LDAP instance over 389 UDP port (CLDAP)? I've been trying to join a WindowsXP machine to a FDS(backend)-SAMBA3(PDC) environment, and I've got a problem: Sniffing a WindowsXP (client) machine traffic, I see there are LDAP petitions (connections) through UDP 389 port, and FDS instance run over TCP ports. Thanks, From rmeggins at redhat.com Fri May 23 16:42:25 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 23 May 2008 10:42:25 -0600 Subject: [Fedora-directory-users] FDS instance over UDP port (389) In-Reply-To: <1211560754.9826.12.camel@hispafuentes.vm-windows.maqueta> References: <1211560754.9826.12.camel@hispafuentes.vm-windows.maqueta> Message-ID: <4836F3F1.3010406@redhat.com> Fernando Muñoz wrote: > Hello, > > > I've got a question, > > Is there any way to raise a LDAP instance over 389 UDP port (CLDAP)? > > I've been trying to join a WindowsXP machine to a > FDS(backend)-SAMBA3(PDC) environment, and I've got a problem: > > Sniffing a WindowsXP (client) machine traffic, I see there are LDAP > petitions (connections) through UDP 389 port, and FDS instance run over > TCP ports. 
> No, Fedora DS does not support UDP (CLDAP). You should check out Samba4. > Thanks, > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From Dennis.DeMarco at lexisnexis.com Fri May 23 17:27:53 2008 From: Dennis.DeMarco at lexisnexis.com (DeMarco, Dennis) Date: Fri, 23 May 2008 13:27:53 -0400 Subject: [Fedora-directory-users] SNMP Monitoring - What's available In-Reply-To: <4836D1FB.5030302@redhat.com> References: <1946415220FCB3408F01DB0A3D91AC6264C75B@SEISINTMX01> <4836D1FB.5030302@redhat.com> Message-ID: <1946415220FCB3408F01DB0A3D91AC6264C763@SEISINTMX01> Thanks, I already looked through that information. I can not see any snmp way of asking for # of current connections. That piece of info would work great to monitor for floods or some other problem. The performance counters are stored somewhere, as the admin console displays them. I just need to track where. -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson Sent: Friday, May 23, 2008 10:18 AM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] SNMP Monitoring - What's available DeMarco, Dennis wrote: > I've got a question I've been trying to hunt down. > > Is there any way for snmp to monitor connections to the directory > server? > > I see there are entries for snmp to see things like # of entries added > since restart.. However are there any good resource summaries I can > monitor? Ie the Performance counters in the admin console? 
> This might help - *http://tinyurl.com/667xpc* > Thanks, > Dennis > > This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited. > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From rmeggins at redhat.com Fri May 23 18:08:12 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 23 May 2008 12:08:12 -0600 Subject: [Fedora-directory-users] SNMP Monitoring - What's available In-Reply-To: <1946415220FCB3408F01DB0A3D91AC6264C763@SEISINTMX01> References: <1946415220FCB3408F01DB0A3D91AC6264C75B@SEISINTMX01> <4836D1FB.5030302@redhat.com> <1946415220FCB3408F01DB0A3D91AC6264C763@SEISINTMX01> Message-ID: <4837080C.9040602@redhat.com> DeMarco, Dennis wrote: > Thanks, > > I already looked through that information. I can not see any snmp way of > asking for # of current connections. > > That piece of info would work great to monitor for floods or some other > problem. > > The performance counters are stored somewhere, as the admin console > displays them. I just need to track where. > Sorry, that information is not available via SNMP afaik. It is available via LDAP in cn=monitor - see *http://tinyurl.com/65tzm8* > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich > Megginson > Sent: Friday, May 23, 2008 10:18 AM > To: General discussion list for the Fedora Directory server project. > Subject: Re: [Fedora-directory-users] SNMP Monitoring - What's available > > DeMarco, Dennis wrote: > >> I've got a question I've been trying to hunt down. 
>> >> Is there any way for snmp to monitor connections to the directory >> server? >> >> I see there are entries for snmp to see things like # of entries added >> since restart.. However are there any good resource summaries I can >> monitor? Ie the Performance counters in the admin console? >> >> > This might help - *http://tinyurl.com/667xpc* > >> Thanks, >> Dennis >> >> This message (including any attachments) contains confidential >> > information intended for a specific individual and purpose, and is > protected by law. If you are not the intended recipient, you should > delete this message. Any disclosure, copying, or distribution of this > message, or the taking of any action based on it, is strictly > prohibited. > >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From prjctgeek at gmail.com Fri May 23 18:09:22 2008 From: prjctgeek at gmail.com (Doug Chapman) Date: Fri, 23 May 2008 11:09:22 -0700 Subject: [Fedora-directory-users] SNMP Monitoring - What's available In-Reply-To: <1946415220FCB3408F01DB0A3D91AC6264C763@SEISINTMX01> References: <1946415220FCB3408F01DB0A3D91AC6264C75B@SEISINTMX01> <4836D1FB.5030302@redhat.com> <1946415220FCB3408F01DB0A3D91AC6264C763@SEISINTMX01> Message-ID: Even though this page is dated, the cacti section is valid: http://directory.fedoraproject.org/wiki/Howto:SNMPMonitoring The cacti module has Directory binds and searches out of the box. On Fri, May 23, 2008 at 10:27 AM, DeMarco, Dennis wrote: > Thanks, > > I already looked through that information. 
I can not see any snmp way of > asking for # of current connections. > > That piece of info would work great to monitor for floods or some other > problem. > > The performance counters are stored somewhere, as the admin console > displays them. I just need to track where. > > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich > Megginson > Sent: Friday, May 23, 2008 10:18 AM > To: General discussion list for the Fedora Directory server project. > Subject: Re: [Fedora-directory-users] SNMP Monitoring - What's available > > DeMarco, Dennis wrote: >> I've got a question I've been trying to hunt down. >> >> Is there any way for snmp to monitor connections to the directory >> server? >> >> I see there are entries for snmp to see things like # of entries added >> since restart.. However are there any good resource summaries I can >> monitor? Ie the Performance counters in the admin console? >> > This might help - *http://tinyurl.com/667xpc* >> Thanks, >> Dennis >> >> This message (including any attachments) contains confidential > information intended for a specific individual and purpose, and is > protected by law. If you are not the intended recipient, you should > delete this message. Any disclosure, copying, or distribution of this > message, or the taking of any action based on it, is strictly > prohibited. 
>> >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From throck at gmail.com Fri May 23 18:14:07 2008 From: throck at gmail.com (Tom Throckmorton) Date: Fri, 23 May 2008 14:14:07 -0400 Subject: [Fedora-directory-users] SNMP Monitoring - What's available In-Reply-To: <1946415220FCB3408F01DB0A3D91AC6264C763@SEISINTMX01> References: <1946415220FCB3408F01DB0A3D91AC6264C75B@SEISINTMX01> <4836D1FB.5030302@redhat.com> <1946415220FCB3408F01DB0A3D91AC6264C763@SEISINTMX01> Message-ID: <4837096F.7020308@gmail.com> On 5/23/08 1:27 PM, DeMarco, Dennis wrote: > Thanks, > > I already looked through that information. I can not see any snmp way of > asking for # of current connections. > > That piece of info would work great to monitor for floods or some other > problem. > > The performance counters are stored somewhere, as the admin console > displays them. I just need to track where. 
Dennis, Assuming you've already seen this HowTo: http://directory.fedoraproject.org/wiki/Howto:SNMPMonitoring I was looking for the same thing some time ago, and eventually decided that the objects offered via SNMP weren't cutting it, and so switched to fetching that info directly out of the monitor branch using ldapsearch, which provides, among other interesting bits, currentconnections, totalconnections and connectionpeak, e.g.: > me at somehost% ldapsearch -H ldap://my.ldap.host -b 'cn=monitor' -v -x -LLL cn='monitor' > ldap_initialize( ldap://my.ldap.host ) > filter: cn=monitor > requesting: ALL > dn: cn=monitor > objectClass: top > objectClass: extensibleObject > cn: monitor > connectionpeak: 1260 > version: Sun-Java(tm)-System-Directory/6.2_GP_6597523 B2007.264.1019 > threads: 30 > currentconnections: 199 > totalconnections: 454235 > dtablesize: 65536 > readwaiters: 0 > opsinitiated: 5735651 > opscompleted: 5735650 > request-que-backlog: 0 > entriessent: 1359462 > bytessent: 1148150533 > cache-avail-bytes: 7282450432 > heapmaxhighhits: 0 > heapmaxlowhits: 0 > currenttime: 20080523175805Z > starttime: 20080521135633Z > nbackends: 12 > currentpsearches: 0 ...which is basically what the helper script mentioned on that page is doing. As you can see the example above is against Sun JDS 6, but IIRC, it works the same on FDS (sorry, don't have an instance available at the moment for testing.) HTH, -tt > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich > Megginson > Sent: Friday, May 23, 2008 10:18 AM > To: General discussion list for the Fedora Directory server project. > Subject: Re: [Fedora-directory-users] SNMP Monitoring - What's available > > DeMarco, Dennis wrote: >> I've got a question I've been trying to hunt down. >> >> Is there any way for snmp to monitor connections to the directory >> server? 
>> >> I see there are entries for snmp to see things like # of entries added >> since restart.. However are there any good resource summaries I can >> monitor? Ie the Performance counters in the admin console? >> > This might help - *http://tinyurl.com/667xpc* >> Thanks, >> Dennis >> >> This message (including any attachments) contains confidential > information intended for a specific individual and purpose, and is > protected by law. If you are not the intended recipient, you should > delete this message. Any disclosure, copying, or distribution of this > message, or the taking of any action based on it, is strictly > prohibited. >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From Dennis.DeMarco at lexisnexis.com Fri May 23 20:51:24 2008 From: Dennis.DeMarco at lexisnexis.com (DeMarco, Dennis) Date: Fri, 23 May 2008 16:51:24 -0400 Subject: [Fedora-directory-users] SNMP Monitoring - What's available In-Reply-To: <4837096F.7020308@gmail.com> References: <1946415220FCB3408F01DB0A3D91AC6264C75B@SEISINTMX01> <4836D1FB.5030302@redhat.com> <1946415220FCB3408F01DB0A3D91AC6264C763@SEISINTMX01> <4837096F.7020308@gmail.com> Message-ID: Thank you all. Exactly what I needed. -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Tom Throckmorton Sent: Friday, May 23, 2008 2:14 PM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] SNMP Monitoring - What's available On 5/23/08 1:27 PM, DeMarco, Dennis wrote: > Thanks, > > I already looked through that information. I can not see any snmp way of > asking for # of current connections. 
> > That piece of info would work great to monitor for floods or some other > problem. > > The performance counters are stored somewhere, as the admin console > displays them. I just need to track where. Dennis, Assuming you've already seen this HowTo: http://directory.fedoraproject.org/wiki/Howto:SNMPMonitoring I was looking for the same thing some time ago, and eventually decided that the objects offered via SNMP weren't cutting it, and so switched to fetching that info directly out of the monitor branch using ldapsearch, which provides, among other interesting bits, currentconnections, totalconnections and connectionpeak, e.g.: > me at somehost% ldapsearch -H ldap://my.ldap.host -b 'cn=monitor' -v -x -LLL cn='monitor' > ldap_initialize( ldap://my.ldap.host ) > filter: cn=monitor > requesting: ALL > dn: cn=monitor > objectClass: top > objectClass: extensibleObject > cn: monitor > connectionpeak: 1260 > version: Sun-Java(tm)-System-Directory/6.2_GP_6597523 B2007.264.1019 > threads: 30 > currentconnections: 199 > totalconnections: 454235 > dtablesize: 65536 > readwaiters: 0 > opsinitiated: 5735651 > opscompleted: 5735650 > request-que-backlog: 0 > entriessent: 1359462 > bytessent: 1148150533 > cache-avail-bytes: 7282450432 > heapmaxhighhits: 0 > heapmaxlowhits: 0 > currenttime: 20080523175805Z > starttime: 20080521135633Z > nbackends: 12 > currentpsearches: 0 ...which is basically what the helper script mentioned on that page is doing. As you can see the example above is against Sun JDS 6, but IIRC, it works the same on FDS (sorry, don't have an instance available at the moment for testing.) HTH, -tt > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich > Megginson > Sent: Friday, May 23, 2008 10:18 AM > To: General discussion list for the Fedora Directory server project. 
> Subject: Re: [Fedora-directory-users] SNMP Monitoring - What's available > > DeMarco, Dennis wrote: >> I've got a question I've been trying to hunt down. >> >> Is there any way for snmp to monitor connections to the directory >> server? >> >> I see there are entries for snmp to see things like # of entries added >> since restart.. However are there any good resource summaries I can >> monitor? Ie the Performance counters in the admin console? >> > This might help - *http://tinyurl.com/667xpc* >> Thanks, >> Dennis >> >> This message (including any attachments) contains confidential > information intended for a specific individual and purpose, and is > protected by law. If you are not the intended recipient, you should > delete this message. Any disclosure, copying, or distribution of this > message, or the taking of any action based on it, is strictly > prohibited. >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited. 
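A way to turn the cn=monitor output quoted above into the flood check Dennis asked for, as an added example that is not code from this thread, from Fedora DS or from the SNMP HowTo: it parses the LDIF that ldapsearch prints, keeps the counters Tom listed (currentconnections, dtablesize, readwaiters, opsinitiated/opscompleted) and warns when connections approach the server's descriptor table or operations stop completing. The sample LDIF is constructed from the numbers in the posted output; the thresholds (80% of dtablesize, 100 operations in flight), the -s base / -D / -W ldapsearch flags and the function names are this example's own choices, not anything the thread prescribes.

```python
"""Read connection/operation counters from cn=monitor and flag flood conditions.

Added example, not code from the thread. Attribute names follow the
ldapsearch output posted above; thresholds and sample data are illustrative.
"""
import subprocess
from typing import Dict, List, Optional

# Counters pulled from cn=monitor; everything else the server returns is ignored.
COUNTERS = (
    "currentconnections", "totalconnections", "connectionpeak", "dtablesize",
    "readwaiters", "opsinitiated", "opscompleted", "threads",
)

# Constructed sample: values copied from the ldapsearch output in the thread.
SAMPLE_LDIF = """\
dn: cn=monitor
objectClass: top
objectClass: extensibleObject
cn: monitor
connectionpeak: 1260
threads: 30
currentconnections: 199
totalconnections: 454235
dtablesize: 65536
readwaiters: 0
opsinitiated: 5735651
opscompleted: 5735650
currenttime: 20080523175805Z
starttime: 20080521135633Z
"""

# Constructed "under flood" variant: connection count near the descriptor
# table size, operations piling up, and worker threads blocked on reads.
FLOOD_LDIF = (
    SAMPLE_LDIF.replace("currentconnections: 199", "currentconnections: 60000")
    .replace("opsinitiated: 5735651", "opsinitiated: 5736000")
    .replace("readwaiters: 0", "readwaiters: 4")
)


def parse_monitor_ldif(ldif: str) -> Dict[str, int]:
    """Turn `ldapsearch -LLL` output for cn=monitor into integer counters.

    Unfolds LDIF continuation lines (a leading space continues the previous
    value, RFC 2849) and keeps only the numeric attributes listed in COUNTERS.
    """
    unfolded: List[str] = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    counters: Dict[str, int] = {}
    for line in unfolded:
        if line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name in COUNTERS and value.isdigit():
            counters[name] = int(value)
    return counters


def assess(counters: Dict[str, int], fd_ratio: float = 0.8, max_inflight: int = 100) -> List[str]:
    """Return warnings for flood/stall symptoms; an empty list means healthy.

    fd_ratio:     fraction of dtablesize (the server's descriptor table) at
                  which the connection count is treated as an exhaustion risk.
    max_inflight: opsinitiated - opscompleted above this is treated as a stall.
    """
    warnings: List[str] = []
    cur, table = counters.get("currentconnections"), counters.get("dtablesize")
    if cur is not None and table and cur >= fd_ratio * table:
        warnings.append(f"connections {cur} at {cur / table:.0%} of dtablesize {table}")
    inflight = counters.get("opsinitiated", 0) - counters.get("opscompleted", 0)
    if inflight > max_inflight:
        warnings.append(f"{inflight} operations in flight (possible stall)")
    if counters.get("readwaiters", 0) > 0:
        warnings.append(f"{counters['readwaiters']} read waiters (worker threads saturated)")
    return warnings


def ldapsearch_command(url: str, binddn: Optional[str] = None) -> List[str]:
    """Build the ldapsearch invocation (OpenLDAP client flags, as in the thread).

    -s base avoids pulling per-connection entries below cn=monitor; with a bind
    DN, -W prompts for the password instead of exposing it on the command line.
    The bind identity still needs an ACI that lets it read cn=monitor.
    """
    cmd = ["ldapsearch", "-H", url, "-x", "-LLL", "-b", "cn=monitor", "-s", "base"]
    if binddn:
        cmd += ["-D", binddn, "-W"]
    return cmd + ["(objectClass=*)", *COUNTERS]


def check_server(url: str, binddn: Optional[str] = None) -> List[str]:
    """Query a live server and return assess() warnings (needs ldapsearch on PATH)."""
    out = subprocess.run(ldapsearch_command(url, binddn), check=True,
                         capture_output=True, text=True).stdout
    return assess(parse_monitor_ldif(out))


if __name__ == "__main__":
    for label, text in (("posted sample", SAMPLE_LDIF), ("flood sample", FLOOD_LDIF)):
        print(label, assess(parse_monitor_ldif(text)) or ["ok"])
```

Run from cron or a monitoring agent, check_server() gives a per-sample verdict; totalconnections is cumulative since start, so a flood of short-lived connections shows up as its rate between samples rather than in currentconnections, and is worth tracking alongside the thresholds above.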
From hyc at symas.com Sun May 25 02:51:29 2008 From: hyc at symas.com (Howard Chu) Date: Sat, 24 May 2008 19:51:29 -0700 Subject: [Fedora-directory-users] FDS instance over UDP port (389) In-Reply-To: <20080524160006.EEB888E0090@hormel.redhat.com> References: <20080524160006.EEB888E0090@hormel.redhat.com> Message-ID: <4838D431.6000708@symas.com> > Date: Fri, 23 May 2008 10:42:25 -0600 > From: Rich Megginson > Fernando Muñoz wrote: >> Hello, >> >> >> I've got a question, >> >> Is there any way to raise a LDAP instance over 389 UDP port (CLDAP)? OpenLDAP supports CLDAP. Note that there is no formal spec for this protocol; there was a draft for LDAPv2 that expired long ago. Microsoft's version of CLDAP (naturally) does not conform to that draft. OpenLDAP supports both the expired draft and the Microsoft bastardization thereof, and has done so since at least 2000. But offering LDAP over UDP is a far cry from joining an AD environment. (See PADL's XAD, for instance, which was developed on OpenLDAP and subsequently sold to Novell.) >> I've been trying to join a WindowsXP machine to a >> FDS(backend)-SAMBA3(PDC) environment, and I've got a problem: >> >> Sniffing a WindowsXP (client) machine traffic, I see there are LDAP >> petitions (connections) through UDP 389 port, and FDS instance run over >> TCP ports. >> > No, Fedora DS does not support UDP (CLDAP). > > You should check out Samba4. Yes, that would probably be the best route now. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ From kenneho.ndu at gmail.com Mon May 26 08:38:47 2008 From: kenneho.ndu at gmail.com (Kenneth Holter) Date: Mon, 26 May 2008 10:38:47 +0200 Subject: [Fedora-directory-users] Unidirectional Windows Sync Message-ID: Hi. 
We're in a similar situation as the one described in http://www.redhat.com/archives/fedora-directory-users/2008-January/msg00238.html, in that we would like to configure Windows Sync to sync users (but most likely not passwords) from AD to DS, but not the other way around. Does anyone know for sure that this can be done? Is there any documentation out there that describes how to do this? Regards, Kenneth Holter From rnappert at juniper.net Mon May 26 15:15:55 2008 From: rnappert at juniper.net (Reinhard Nappert) Date: Mon, 26 May 2008 11:15:55 -0400 Subject: [Fedora-directory-users] Is it possible to migrate Berkeley 4.2(32bit) based directory to 4.2 (64bit) In-Reply-To: <47F501DF.1040502@redhat.com> References: <3525C9833C09ED418C6FD6CD9514668C039377BB@emailwf1.jnpr.net> <47F501DF.1040502@redhat.com> Message-ID: <3525C9833C09ED418C6FD6CD9514668C03EC01A2@emailwf1.jnpr.net> Rich, I have another question regarding the Berkeley 4.2 (32bit) "migration" to 4.2 (64 bit): First of all, the migration process is fine and the new 64 bit Berkeley DB handles even the old files. The search performance is more or less the same as it was before. However, the add/delete operation is not good. The performance decreased by 4 times. The entire build process is identical (besides the enable-64bit switch). Can you shed some light on that? Do you have the same experience? Thanks, -Reinhard -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson Sent: Thursday, April 03, 2008 12:12 PM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] Is it possible to migrate Berkeley 4.2(32bit) based directory to 4.2 (64bit) Reinhard Nappert wrote: > > Hi, > > Does anyone know, if that works? > Are you talking about the migration script migrate-ds-admin.pl? 
If so, then yes. You will first have to export your databases to ldif e.g. for a Fedora DS 1.0.4 installation: cd /opt/fedora-ds/slapd-instance/db ../db2ldif -n userRoot -a `pwd`/userRoot.ldif ../db2ldif -n NetscapeRoot -a `pwd`/NetscapeRoot.ldif ... repeat for each database instance The migration script will look for a file called /opt/fedora-ds/slapd-instance/db/.ldif and use that rather than the binary files. You should also run the migration script with the -x option to force it to use cross platform mode. > > Thanks, > -Reinhard > > ---------------------------------------------------------------------- > -- > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From windhamg at email.arizona.edu Mon May 26 22:45:21 2008 From: windhamg at email.arizona.edu (Gary Windham) Date: Mon, 26 May 2008 15:45:21 -0700 Subject: [Fedora-directory-users] Re: MMR: excessive clock skew Message-ID: <89F8E2BC-9610-4474-A68F-0D3FB72D69B4@email.arizona.edu> Sorry for not replying to the original thread, but I just joined this list. On Tue, 13 May 2008, Rich Megginson wrote: > Has anyone seen these errors with 1.1? We fixed a few 64-bit issues in 1.1. I am running two 32-bit FDS 1.1 (fedora-ds-1.1.0-3.fc6) servers, on RHEL 5.1, in an MMR configuration. These servers, which are configured behind a load balancer, act as the University's central authentication service. We are using the password policy plugin and have the "passwordisglobalpolicy" setting enabled, so there is a substantial amount of write activity due to replication of password-policy-related attributes (e.g., passwordRetryCount, retryCountResetTime, etc). Time on both systems is synchronized via NTP; clocks are in sync. We have the same situation as Reinhard Nappert reported on 5/13/2008: MMR will work fine for a while (usually a few weeks; the longest period we've gone is a month, the shortest time a few hours). 
Eventually replication will fail with the following sequence of messages in the errors log: [24/May/2008:05:18:54 -0700] - csngen_adjust_time: adjustment limit exceeded; value - 86401, limit - 86400 [24/May/2008:05:18:54 -0700] NSMMReplicationPlugin - conn=1800 op=60262 replica="": Unable to acquire replica: error: excessive clock skew [24/May/2008:05:20:05 -0700] - csngen_adjust_time: adjustment limit exceeded; value - 86401, limit - 86400 [24/May/2008:05:20:05 -0700] NSMMReplicationPlugin - agmt="cn=kif2zapp" (zapp:389): Incremental protocol: fatal error - too much time skew between replicas! [24/May/2008:05:20:05 -0700] NSMMReplicationPlugin - agmt="cn=kif2zapp" (zapp:389): Incremental update failed and requires administrator action The "csngen_adjust_time" error message always reports the same value when this occurs (86401). We have also employed the workaround described by Chris St. Pierre in https://bugzilla.redhat.com/show_bug.cgi?id=233642#c3. This resolves the problem for a short while, but it always reappears. BTW, I was in contact with Chris recently about his experiences with MMR and he said that, in addition to moving to FDS 1.1, he moved a lot of "frequently updated" data out of FDS and into MySQL, and that his problem disappeared afterward; obviously this isn't a solution for us as we are utilizing FDS as an authentication engine. We are desperately trying to find a solution to this issue that will allow us to continue using MMR...we could resort to a traditional passive/active + shared storage HA design, but we want to keep that as a last resort. If there is any additional information I should provide, please let me know. 
--
Gary Windham
Senior Enterprise Systems Architect
The University of Arizona, UITS
+1 520 626 5981

From beyonddc.storage at gmail.com Tue May 27 15:44:43 2008
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Tue, 27 May 2008 11:44:43 -0400
Subject: [Fedora-directory-users] Which RFC covers Persistent Search Control
Message-ID: <20e4c38c0805270844v163640efw93a6f100e2a3f766@mail.gmail.com>

Hi all,

I know that Fedora LDAP supports Persistent Search Control, but I'm having difficulty finding the exact RFC that covers persistent search control.

The closest I can find is http://www.ietf.org/proceedings/01mar/I-D/ldapext-psearch-03.txt

But that doesn't have an RFC # tagged on it.

Please let me know if you know the RFC that covers the persistent search control.

Thank you!

- dc

From rmeggins at redhat.com Tue May 27 15:48:03 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 27 May 2008 09:48:03 -0600
Subject: [Fedora-directory-users] Which RFC covers Persistent Search Control
In-Reply-To: <20e4c38c0805270844v163640efw93a6f100e2a3f766@mail.gmail.com>
References: <20e4c38c0805270844v163640efw93a6f100e2a3f766@mail.gmail.com>
Message-ID: <483C2D33.2010904@redhat.com>

Chun Tat David Chu wrote:
> Hi all,
>
> I know that Fedora LDAP supports Persistent Search Control, but I'm
> having difficulty finding the exact RFC that covers persistent search
> control.
>
> The closest I can find is
> http://www.ietf.org/proceedings/01mar/I-D/ldapext-psearch-03.txt
>
> But that doesn't have an RFC # tagged on it.
>
> Please let me know if you know the RFC that covers the persistent
> search control.

I don't think the ID was ever pushed through to RFC status. Since that time, both LCUP and LDAP Sync have been proposed as alternatives, but Fedora DS does not support either of them.

> Thank you!
>
> - dc

From rmeggins at redhat.com Tue May 27 15:51:03 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 27 May 2008 09:51:03 -0600
Subject: [Fedora-directory-users] Is it possible to migrate Berkeley 4.2(32bit) based directory to 4.2 (64bit)
In-Reply-To: <3525C9833C09ED418C6FD6CD9514668C03EC01A2@emailwf1.jnpr.net>
References: <3525C9833C09ED418C6FD6CD9514668C039377BB@emailwf1.jnpr.net> <47F501DF.1040502@redhat.com> <3525C9833C09ED418C6FD6CD9514668C03EC01A2@emailwf1.jnpr.net>
Message-ID: <483C2DE7.8010302@redhat.com>

Reinhard Nappert wrote:
> Rich,
>
> I have another question regarding the Berkeley 4.2 (32bit) "migration" to
> 4.2 (64 bit):
>
> First of all, the migration process is fine and the new 64 bit Berkeley
> DB handles even the old files. The search performance is more or less
> the same as it was before. However, the add/delete operation is not
> good. The performance decreased by 4 times. The entire build process is
> identical (besides the enable-64bit switch). Can you shed some light on
> that? Do you have the same experience?

We have not done comparative performance testing for write operations between 32-bit and 64-bit, and I'm not sure what could be causing that behavior.

> Thanks,
> -Reinhard
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich
> Megginson
> Sent: Thursday, April 03, 2008 12:12 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Is it possible to migrate Berkeley
> 4.2(32bit) based directory to 4.2 (64bit)
>
> Reinhard Nappert wrote:
>
>> Hi,
>>
>> Does anyone know if that works?
>>
> Are you talking about the migration script migrate-ds-admin.pl? If so,
> then yes. You will first have to export your databases to ldif, e.g. for
> a Fedora DS 1.0.4 installation:
> cd /opt/fedora-ds/slapd-instance/db
> ../db2ldif -n userRoot -a `pwd`/userRoot.ldif
> ../db2ldif -n NetscapeRoot -a `pwd`/NetscapeRoot.ldif
> ... repeat for each database instance
>
> The migration script will look for a file called
> /opt/fedora-ds/slapd-instance/db/.ldif and use that
> rather than the binary files.
>
> You should also run the migration script with the -x option to force it
> to use cross platform mode.
>
>> Thanks,
>> -Reinhard

From rmeggins at redhat.com Tue May 27 15:57:02 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 27 May 2008 09:57:02 -0600
Subject: [Fedora-directory-users] Replication Issues
In-Reply-To: <9635f6ec0805210919k55472326lcd26e375b33d6685@mail.gmail.com>
References: <9635f6ec0805210919k55472326lcd26e375b33d6685@mail.gmail.com>
Message-ID: <483C2F4E.80208@redhat.com>

Kevin Zona wrote:
> I am getting the following errors when trying to replicate between
> four servers in a multimaster configuration. This was working without
> issue until this morning. We made a minor change on one of the
> directories to the password policy. Any ideas would be a great help.
> I have verified connection between the two servers and it is fine.

What version of Fedora DS? What platform? This sounds like a bug that was fixed in Fedora DS 1.1. If this is a different problem - what exactly was the change to password policy?

> -- Begin Log ---
> [21/May/2008:10:56:37 -0400] NSMMReplicationPlugin - agmt="cn=LDAP Replication (chi01osi116)" (chi01osi116:636): Failed to send extended operation: LDAP error 81 (Can't contact LDAP server)
> [21/May/2008:10:55:34 -0400] NSMMReplicationPlugin - agmt="cn=LDAP Replication (atl01osi104)" (atl01osi104:636): Failed to send extended operation: LDAP error 81 (Can't contact LDAP server)
> [21/May/2008:10:51:21 -0400] NSMMReplicationPlugin - agmt="cn=LDAP Replication (chi01osi116)" (chi01osi116:636): Failed to send extended operation: LDAP error 81 (Can't contact LDAP server)
> [21/May/2008:10:49:27 -0400] NSMMReplicationPlugin - agmt="cn=LDAP Replication (chi01osi117)" (chi01osi117:389): Incremental protocol: fatal error - too much time skew between replicas!

Note that error 81 is a connection error - either the network connection cannot be made, or the server is down, or possibly it could be SSL related - problem verifying peer cert with the CA cert or with reverse DNS lookup on the FQDN in the server cert subjectDN. If the remote server is up and running, check its access and error logs.

> --- End Log ---
>
> I am also seeing the following:
>
> -- Begin --
> [21/May/2008:12:15:16 -0400] NSMMReplicationPlugin - agmt="cn=LDAP Replication (atl01osi104)" (atl01osi104:636): Simple bind resumed
> [21/May/2008:12:15:17 -0400] NSMMReplicationPlugin - agmt="cn=LDAP Replication (atl01osi104)" (atl01osi104:636): Consumer failed to replay change (uniqueid bb9e6e96-1dd111b2-989ca832-f6930000, CSN 4834921c000000010000): DSA is unwilling to perform. Will retry later.
> -- End --
>
> -Kevin

From beyonddc.storage at gmail.com Tue May 27 15:58:35 2008
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Tue, 27 May 2008 11:58:35 -0400
Subject: [Fedora-directory-users] Which RFC covers Persistent Search Control
In-Reply-To: <483C2D33.2010904@redhat.com>
References: <20e4c38c0805270844v163640efw93a6f100e2a3f766@mail.gmail.com> <483C2D33.2010904@redhat.com>
Message-ID: <20e4c38c0805270858lc6c6e88x3fedcad5aa29db81@mail.gmail.com>

I see... Thanks Rich

On Tue, May 27, 2008 at 11:48 AM, Rich Megginson wrote:
> Chun Tat David Chu wrote:
>
>> Hi all,
>>
>> I know that Fedora LDAP supports Persistent Search Control, but I'm having
>> difficulty finding the exact RFC that covers persistent search control.
>>
>> The closest I can find is
>> http://www.ietf.org/proceedings/01mar/I-D/ldapext-psearch-03.txt
>>
>> But that doesn't have an RFC # tagged on it.
>>
>> Please let me know if you know the RFC that covers the persistent search
>> control.
>>
> I don't think the ID was ever pushed through to RFC status. Since that
> time, both LCUP and LDAP Sync have been proposed as alternatives, but Fedora
> DS does not support either of them.
>
>> Thank you!
>>
>> - dc

From nkinder at redhat.com Tue May 27 17:24:49 2008
From: nkinder at redhat.com (Nathan Kinder)
Date: Tue, 27 May 2008 10:24:49 -0700
Subject: [Fedora-directory-users] Password Syntax Checking
In-Reply-To:
References:
Message-ID: <483C43E1.2040003@redhat.com>

Eric Brown wrote:
> I have been trying to get the Password Syntax Checking working with
> FDS 1.0.4 and am having some trouble with the passwords that it is
> allowing and the ones that are returning invalid syntax.
>
> I started by setting the password policy the way I thought I wanted to
> use for my environment, but then no passwords would work, so I changed
> everything down to the minimums that I could find, but I am still
> getting several passwords rejected due to a syntax error. I am not
> using the console and I need to be able to set this through an LDIF
> file.
>
> Currently I have these settings for the password policy configuration:
>
> passwordInHistory: 2
> passwordUnlock: on
> passwordGraceLimit: 0
> passwordMustChange: off
> passwordWarning: 86400
> passwordLockout: on
> passwordMinLength: 4
> passwordMinDigits: 0
> passwordMinAlphas: 0
> passwordMinUppers: 0
> passwordMinLowers: 0
> passwordMinSpecials: 0
> passwordMin8bit: 0
> passwordMaxRepeats: 0
> passwordMinCategories: 1
> passwordMinTokenLength: 1

You should use a larger value for passwordMinTokenLength, such as 3. This setting checks if portions of the attribute values in the user's entry are in their password, such as a password with your name in it. A setting of 1 is going to be very strict, meaning that any character that is in your name can not be present in your password. See this page for more detail:

http://directory.fedoraproject.org/wiki/Password_Syntax

-NGK

> passwordMaxFailure: 3
> passwordMaxAge: 3888000
> passwordResetFailureCount: 120
> passwordisglobalpolicy: off
> passwordChange: on
> passwordExp: on
> passwordLockoutDuration: 300
> passwordCheckSyntax: on
> passwordMinAge: 0
> passwordStorageScheme: SSHA256
>
> I am getting syntax errors on passwords like the following:
>
> spfihykr
> spfihykr10
> qpwoeiru
> 10293847
> cmdjeu37
> alskdj37
> xnshwy26
> doggie
> doggie12
>
> but things like testpass work just fine.
>
> I figure that I have something not configured properly, but I don't
> know what needs to be changed. And some of the values that I am using
> were in the User Account Management section of the Administrator's
> Guide two weeks ago, but they are missing now.
>
> Thanks in advance,
> Eric Brown

From playactor at gmail.com Tue May 27 21:28:16 2008
From: playactor at gmail.com (Eric Brown)
Date: Tue, 27 May 2008 16:28:16 -0500
Subject: Fwd: [Fedora-directory-users] Password Syntax Checking
In-Reply-To: <483C43E1.2040003@redhat.com>
References: <483C43E1.2040003@redhat.com>
Message-ID:

Thank you, that worked. I went from there and started tightening down the policy, and I am getting the expected results.
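A model of the "trivial words" check that passwordMinTokenLength controls, as Nathan describes it above, added here as an illustration (it is not code from the thread or from Fedora DS). The list of checked attributes, the fixed-width token window and the sample entry are assumptions made for the example.

```python
# Added example modelling the passwordMinTokenLength check described in the
# thread; not Fedora DS code. The attribute list and the fixed-width token
# window are assumptions for the example, not the server's exact algorithm.

# Attributes whose values are compared against the candidate password
# (assumed set for this example).
CHECKED_ATTRIBUTES = ("uid", "cn", "sn", "givenName", "ou", "mail")


def trivial_tokens(entry, min_token_length):
    """Return every lower-cased substring of length min_token_length taken
    from the checked attribute values. With a setting of 1 this is every
    character of the user's name, which is why 1 rejects almost any password."""
    tokens = set()
    for attr in CHECKED_ATTRIBUTES:
        for value in entry.get(attr, []):
            # split on whitespace so "Doug Gordon" yields "doug" and "gordon"
            for word in value.lower().split():
                if len(word) < min_token_length:
                    continue  # too short to be used as a token at all
                for i in range(len(word) - min_token_length + 1):
                    tokens.add(word[i:i + min_token_length])
    return tokens


def check_password_syntax(entry, password, min_token_length):
    """Return (ok, reason); ok is False when the password contains any
    token derived from the entry's attribute values (case-insensitive)."""
    if min_token_length < 1:
        return False, "passwordMinTokenLength must be at least 1"
    lowered = password.lower()
    for token in sorted(trivial_tokens(entry, min_token_length)):
        if token in lowered:
            return False, "password contains attribute token %r" % token
    return True, "ok"


# Constructed sample entry for the example; not a real user.
SAMPLE_ENTRY = {
    "uid": ["dgordon"],
    "givenName": ["Doug"],
    "sn": ["Gordon"],
    "cn": ["Doug Gordon"],
    "mail": ["dgordon@example.com"],
}

if __name__ == "__main__":
    for pw in ("doggie", "spfihykr", "gordon42", "Tr0ub4dor"):
        for toklen in (1, 3):
            ok, why = check_password_syntax(SAMPLE_ENTRY, pw, toklen)
            print("passwordMinTokenLength=%d %-10s -> %s (%s)"
                  % (toklen, pw, "accepted" if ok else "rejected", why))
```

With a token length of 1 every letter shared with the name is enough to reject, which reproduces the pattern Eric saw; at 3 only real fragments of the name ("gor", "don") are caught.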
From fmunoz at hispafuentes.com Wed May 28 18:12:45 2008
From: fmunoz at hispafuentes.com (Fernando Muñoz)
Date: Wed, 28 May 2008 20:12:45 +0200
Subject: [Fedora-directory-users] FDS instance over UDP port (389)
In-Reply-To: <4838D431.6000708@symas.com>
References: <20080524160006.EEB888E0090@hormel.redhat.com> <4838D431.6000708@symas.com>
Message-ID: <1211998365.10957.10.camel@hispafuentes.vm-windows.maqueta>

Thanks for your answers,

I see PADL XAD, and I've a question about it: do you know if XAD runs with a FDS LDAP backend?

Thanks,

On Sat, 24-05-2008 at 19:51 -0700, Howard Chu wrote:
> > Date: Fri, 23 May 2008 10:42:25 -0600
> > From: Rich Megginson
> >
> > Fernando Muñoz wrote:
> >> Hello,
> >>
> >> I've got a question,
> >>
> >> Is there any way to raise an LDAP instance over 389 UDP port (CLDAP)?
>
> OpenLDAP supports CLDAP. Note that there is no formal spec for this protocol;
> there was a draft for LDAPv2 that expired long ago. Microsoft's version of
> CLDAP (naturally) does not conform to that draft. OpenLDAP supports both the
> expired draft and the Microsoft bastardization thereof, and has done so since
> at least 2000.
>
> But offering LDAP over UDP is a far cry from joining an AD environment. (See
> PADL's XAD, for instance, which was developed on OpenLDAP and subsequently
> sold to Novell.)
>
> >> I've been trying to join a WindowsXP machine to a
> >> FDS(backend)-SAMBA3(PDC) environment, and I've got a problem:
> >>
> >> Sniffing a WindowsXP (client) machine traffic, I see there are LDAP
> >> petitions (connections) through UDP 389 port, and FDS instance run over
> >> TCP ports.
> >>
> > No, Fedora DS does not support UDP (CLDAP).
> >
> > You should check out Samba4.
>
> Yes, that would probably be the best route now.

From rudi at darx.com Thu May 29 00:20:54 2008
From: rudi at darx.com (Rudi J. Heitbaum)
Date: Thu, 29 May 2008 10:20:54 +1000
Subject: [Fedora-directory-users] PassSync source code
Message-ID:

All,

I am trying to find the source code for PassSync but am not having any luck; could someone please point me in the right direction.

Regards
Rudi

From rmeggins at redhat.com Thu May 29 02:55:39 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 28 May 2008 20:55:39 -0600
Subject: [Fedora-directory-users] PassSync source code
In-Reply-To:
References:
Message-ID: <483E1B2B.9080600@redhat.com>

Rudi J. Heitbaum wrote:
> All,
>
> I am trying to find the source code for PassSync but am not having any
> luck; could someone please point me in the right direction.

http://cvs.fedoraproject.org/viewcvs/winsync/passwordsync/?root=dirsec

cvs -d :pserver:anonymous at cvs.fedoraproject.org:/cvs/dirsec co winsync/passwordsync

> Regards
>
> Rudi

From sigidwu at gmail.com Thu May 29 03:13:38 2008
From: sigidwu at gmail.com (sigid@JINLab)
Date: Thu, 29 May 2008 10:13:38 +0700
Subject: [Fedora-directory-users] Multimaster replication
Message-ID: <483E1F62.20101@gmail.com>

Dear all,

Is there any guidance out there on how to configure multimaster replication on fds 1.1 without using the mmr.pl script?

Thanks

From lbigum at iseek.com.au Thu May 29 03:17:51 2008
From: lbigum at iseek.com.au (Luke Bigum)
Date: Thu, 29 May 2008 13:17:51 +1000
Subject: [Fedora-directory-users] Multimaster replication
In-Reply-To: <483E1F62.20101@gmail.com>
References: <483E1F62.20101@gmail.com>
Message-ID: <50A3F7088FE1A14FB0CF57A2248738865B667FF59F@EXCHANGE1.intranet.iseek.com.au>

I found the Red Hat manuals were helpful enough:

http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replication_Scenarios.html#Replication_Scenarios-Multi_Master_Replication

--
Luke Bigum
Systems Administrator
iseek Communications Pty Ltd
Excellence in business data solutions
ph 1300 661 668
fax 1300 661 540
www.iseek.com.au

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of sigid at JINLab
Sent: Thursday, 29 May 2008 1:14 PM
To: General discussion list for the Fedora Directory server project.
Subject: [Fedora-directory-users] Multimaster replication

Dear all,

Is there any guidance out there on how to configure multimaster replication on fds 1.1 without using the mmr.pl script?

Thanks

From sigidwu at gmail.com Thu May 29 07:27:35 2008
From: sigidwu at gmail.com (sigid@JINLab)
Date: Thu, 29 May 2008 14:27:35 +0700
Subject: [Fedora-directory-users] Multimaster replication
In-Reply-To: <50A3F7088FE1A14FB0CF57A2248738865B667FF59F@EXCHANGE1.intranet.iseek.com.au>
References: <483E1F62.20101@gmail.com> <50A3F7088FE1A14FB0CF57A2248738865B667FF59F@EXCHANGE1.intranet.iseek.com.au>
Message-ID: <483E5AE7.6040908@gmail.com>

Luke Bigum wrote:
> I found the Red Hat manuals were helpful enough:
>
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replication_Scenarios.html#Replication_Scenarios-Multi_Master_Replication

OK thanks, it worked.
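Once an MMR agreement is in place, the failure signatures reported earlier in this digest (Gary Windham's csngen_adjust_time / clock-skew lines and Kevin Zona's error 81 and "unwilling to perform" lines) are what to watch for in the errors log. The triage script below is an added example, not code from the thread or from Fedora DS; its category names and hints are its own, and the sample log is assembled from the lines quoted in those two reports.

```python
import re
from collections import Counter

# Added example (not from the thread or from Fedora DS): a triage pass over a
# Fedora DS errors log that flags the replication failure signatures reported
# in this digest. Category names and hints are invented here; the hints only
# restate the follow-ups given in the thread.

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+(?P<rest>.*)$')
AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)"\s+\((?P<peer>[^)]+)\)')
CSN_RE = re.compile(r'csngen_adjust_time: adjustment limit exceeded; '
                    r'value - (?P<value>\d+), limit - (?P<limit>\d+)')

# Most specific signature first; each carries the follow-up named in the thread.
SIGNATURES = [
    ("csn-skew-limit", CSN_RE,
     "CSN generator refused a time adjustment: verify NTP on both masters"),
    ("clock-skew", re.compile(r'excessive clock skew|too much time skew'),
     "replica rejected for clock skew: incremental update has stopped"),
    ("admin-action", re.compile(r'requires administrator action'),
     "agreement is halted until an administrator intervenes"),
    ("cannot-contact", re.compile(r'LDAP error 81'),
     "error 81: peer down, network, or SSL cert / reverse-DNS verification"),
    ("replay-failed", re.compile(r'Consumer failed to replay change'),
     "consumer refused a change: read the consumer's access and error logs"),
]


def classify(line):
    """Describe one errors-log line, or return None for lines not tracked."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    for kind, pattern, hint in SIGNATURES:
        hit = pattern.search(rest)
        if not hit:
            continue
        event = {"ts": m.group("ts"), "kind": kind, "hint": hint,
                 "agmt": None, "peer": None}
        a = AGMT_RE.search(rest)
        if a:  # lines without an agmt= (e.g. the csngen lines) keep None
            event["agmt"], event["peer"] = a.group("agmt"), a.group("peer")
        if kind == "csn-skew-limit":
            event["skew"] = int(hit.group("value"))
            event["limit"] = int(hit.group("limit"))
        return event
    return None


def triage(lines):
    """Count events per (kind, peer), record the largest skew, and list the
    agreements the server has halted."""
    events = [e for e in map(classify, lines) if e]
    return {
        "counts": Counter((e["kind"], e["peer"]) for e in events),
        "max_skew": max((e["skew"] for e in events if "skew" in e), default=0),
        "halted": sorted({e["agmt"] for e in events if e["kind"] == "admin-action"}),
        "hints": sorted({e["hint"] for e in events}),
    }


# Sample log assembled from the lines quoted in this digest.
SAMPLE_LOG = [
    '[24/May/2008:05:18:54 -0700] - csngen_adjust_time: adjustment limit exceeded; value - 86401, limit - 86400',
    '[24/May/2008:05:18:54 -0700] NSMMReplicationPlugin - conn=1800 op=60262 replica="": Unable to acquire replica: error: excessive clock skew',
    '[24/May/2008:05:20:05 -0700] - csngen_adjust_time: adjustment limit exceeded; value - 86401, limit - 86400',
    '[24/May/2008:05:20:05 -0700] NSMMReplicationPlugin - agmt="cn=kif2zapp" (zapp:389): Incremental protocol: fatal error - too much time skew between replicas!',
    '[24/May/2008:05:20:05 -0700] NSMMReplicationPlugin - agmt="cn=kif2zapp" (zapp:389): Incremental update failed and requires administrator action',
    '[21/May/2008:10:56:37 -0400] NSMMReplicationPlugin - agmt="cn=LDAP Replication (chi01osi116)" (chi01osi116:636): Failed to send extended operation: LDAP error 81 (Can\'t contact LDAP server)',
    '[21/May/2008:10:55:34 -0400] NSMMReplicationPlugin - agmt="cn=LDAP Replication (atl01osi104)" (atl01osi104:636): Failed to send extended operation: LDAP error 81 (Can\'t contact LDAP server)',
    '[21/May/2008:10:51:21 -0400] NSMMReplicationPlugin - agmt="cn=LDAP Replication (chi01osi116)" (chi01osi116:636): Failed to send extended operation: LDAP error 81 (Can\'t contact LDAP server)',
    '[21/May/2008:10:49:27 -0400] NSMMReplicationPlugin - agmt="cn=LDAP Replication (chi01osi117)" (chi01osi117:389): Incremental protocol: fatal error - too much time skew between replicas!',
    '[21/May/2008:12:15:16 -0400] NSMMReplicationPlugin - agmt="cn=LDAP Replication (atl01osi104)" (atl01osi104:636): Simple bind resumed',
    '[21/May/2008:12:15:17 -0400] NSMMReplicationPlugin - agmt="cn=LDAP Replication (atl01osi104)" (atl01osi104:636): Consumer failed to replay change (uniqueid bb9e6e96-1dd111b2-989ca832-f6930000, CSN 4834921c000000010000): DSA is unwilling to perform. Will retry later.',
]

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for (kind, peer), n in sorted(report["counts"].items(), key=str):
        print("%-15s %-18s %d" % (kind, peer or "-", n))
    print("largest skew seen:", report["max_skew"], "s; halted:", report["halted"])
```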
From bogdan.cehan at mediaimage.ro Thu May 29 07:41:16 2008 From: bogdan.cehan at mediaimage.ro (Bogdan Cehan) Date: Thu, 29 May 2008 10:41:16 +0300 Subject: [Fedora-directory-users] problems with pam ldap ? Message-ID: <200805291041.16541.bogdan.cehan@mediaimage.ro> Hello all I'm using the fedora directory server for centralized authentication , and i have made users with posix account and i put them in ou=People like this : --------------------------------------------------------------------------------------------- # alexadu, People, pol.mediaimage.ro dn: uid=alexadu,ou=People,dc=pol,dc=ro givenName: Alexandra sn: Dumitru loginShell: /bin/bash uidNumber: 1069 gidNumber: 100 objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson objectClass: posixAccount uid: alexadu cn: Alexandra Dumitru homeDirectory: /home/alexadu ------------------------------------------------------------------------------------------ and after that i made some groups in ou=Groups like this : ----------------------------------------------------------------------------------------- # Server1, Groups, pol.ro dn: cn=Server1,ou=Groups,dc=pol,dc=ro description: group for users that have access on server 1 objectClass: top objectClass: groupofuniquenames uniqueMember: uid=lauru,ou=People,dc=pol,dc=ro uniqueMember: uid=alexadu,ou=People,dc=pol,dc=ro cn: Server1 ---------------------------------------------------------------------------------------- and my ldap.conf looks like this : URI ldap://lacatzel.pol.ro port=389 BASE dc=pol,dc=ro host lacatzel.pol.ro TLS_CACERTDIR /etc/openldap/cacerts TLS_REQCERT allow scope sub bind_policy soft #pam_password exop pam_filter objectclass=posixAccount pam_login_attribute uid pam_member_attribute memberUid pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro pam_check_host_attr yes nss_default_attribute_value loginShell /bin/false nss_base_passwd ou=People,dc=pol,dc=ro nss_base_shadow ou=People,dc=pol,dc=ro nss_base_group 
ou=People,dc=pol,dc=ro --------------------------------------------------------------------------------------------- now i want to restrict some users to servers based on groups but my pam_ldap does not help me to do that , I'm using my old friend "www.google.com" to help me in this problem but with no luck ..... all my users have access to this computer .... so , if i understand wright all i have to do is create users with posix account and after that create groups and put the users in that group but this does not work ..... any ideas ? anyone use FDS for what i intend to do ? Thank you for your time ..... Bogdan From j.barber at dundee.ac.uk Thu May 29 09:23:27 2008 From: j.barber at dundee.ac.uk (Jonathan Barber) Date: Thu, 29 May 2008 10:23:27 +0100 Subject: [Fedora-directory-users] problems with pam ldap ? In-Reply-To: <200805291041.16541.bogdan.cehan@mediaimage.ro> References: <200805291041.16541.bogdan.cehan@mediaimage.ro> Message-ID: <20080529092327.GZ25058@flea.lifesci.dundee.ac.uk> On Thu, May 29, 2008 at 10:41:16AM +0300, Bogdan Cehan wrote: > Hello all > > > > I'm using the fedora directory server for centralized authentication , > and i have made users with posix account and i put them in ou=People > like this : [snip] > now i want to restrict some users to servers based on groups but my pam_ldap > does not help me to do that , I'm using my old friend "www.google.com" to > help me in this problem but with no luck ..... all my users have access to > this computer .... so , if i understand wright all i have to do is create > users with posix account and after that create groups and put the users in > that group but this does not work ..... any ideas ? anyone use FDS for what i > intend to do ? The pam_access module may help you do this depending on what you mean by "restrict". > Thank you for your time ..... > > > > Bogdan -- Jonathan Barber High Performance Computing Analyst Tel. 
+44 (0) 1382 386389 From bogdan.cehan at mediaimage.ro Thu May 29 09:40:42 2008 From: bogdan.cehan at mediaimage.ro (Bogdan Cehan) Date: Thu, 29 May 2008 12:40:42 +0300 Subject: [Fedora-directory-users] problems with pam ldap ? In-Reply-To: <20080529092327.GZ25058@flea.lifesci.dundee.ac.uk> References: <200805291041.16541.bogdan.cehan@mediaimage.ro> <20080529092327.GZ25058@flea.lifesci.dundee.ac.uk> Message-ID: <200805291240.43158.bogdan.cehan@mediaimage.ro> Let's say i have users : alex , tom , john , joe and bruce and the computers comp1 , comp2 and comp3 and in my ldap i have the users on ou=People with posixaccount and three groups named after the computers like : cn=comp1,ou=Groups .... objectClass: top objectClass: groupOfUniqueNames cn: comp1 ou: groups description: People who can login on comp1 uniqueMember: uid=alex,ou=People,dc=pol,dc=mediaimage,dc=ro uniqueMember: uid=joe,ou=People,dc=pol,dc=mediaimage,dc=ro uniqueMember: uid=bruce,ou=People,dc=pol,dc=mediaimage,dc=ro ----------------------------------------------------------------------------------------- cn=comp2,ou=Groups .... objectClass: top objectClass: groupOfUniqueNames cn: comp3 ou: groups description: People who can login on comp2 uniqueMember: uid=alex,ou=People,dc=pol,dc=mediaimage,dc=ro uniqueMember: uid=tom,ou=People,dc=pol,dc=mediaimage,dc=ro uniqueMember: uid=bruce,ou=People,dc=pol,dc=mediaimage,dc=ro ----------------------------------------------------------------------------------------- cn=comp3,ou=Groups .... 
objectClass: top objectClass: groupOfUniqueNames cn: comp3 ou: groups description: People who can login on comp3 uniqueMember: uid=john,ou=People,dc=pol,dc=mediaimage,dc=ro uniqueMember: uid=joe,ou=People,dc=pol,dc=mediaimage,dc=ro uniqueMember: uid=bruce,ou=People,dc=pol,dc=mediaimage,dc=ro ----------------------------------------------------------------------------------------- in this schema let's say that i want to be able to "permit " login acces to the computers only to the people i have in their group > On Thu, May 29, 2008 at 10:41:16AM +0300, Bogdan Cehan wrote: > > Hello all > > > > > > > > I'm using the fedora directory server for centralized authentication , > > and i have made users with posix account and i put them in ou=People > > like this : > > [snip] > > > now i want to restrict some users to servers based on groups but my > > pam_ldap does not help me to do that , I'm using my old friend > > "www.google.com" to help me in this problem but with no luck ..... all > > my users have access to this computer .... so , if i understand wright > > all i have to do is create users with posix account and after that create > > groups and put the users in that group but this does not work ..... any > > ideas ? anyone use FDS for what i intend to do ? > > The pam_access module may help you do this depending on what you mean by > "restrict". > > > Thank you for your time ..... > > > > > > > > Bogdan From edlinuxguru at gmail.com Thu May 29 13:09:59 2008 From: edlinuxguru at gmail.com (Edward Capriolo) Date: Thu, 29 May 2008 09:09:59 -0400 Subject: [Fedora-directory-users] problems with pam ldap ? In-Reply-To: <200805291240.43158.bogdan.cehan@mediaimage.ro> References: <200805291041.16541.bogdan.cehan@mediaimage.ro> <20080529092327.GZ25058@flea.lifesci.dundee.ac.uk> <200805291240.43158.bogdan.cehan@mediaimage.ro> Message-ID: There are a few ways. I found the best way is to specify pam_groupdb and pam_member_attribute. 
This allows you to create a simple ldap object that says who can log into what system. Edward On Thu, May 29, 2008 at 5:40 AM, Bogdan Cehan wrote: > Let's say i have users : alex , tom , john , joe and bruce > and the computers comp1 , comp2 and comp3 > > > > and in my ldap i have the users on ou=People with posixaccount > and three groups named after the computers like : > > > cn=comp1,ou=Groups .... > objectClass: top > objectClass: groupOfUniqueNames > cn: comp1 > ou: groups > description: People who can login on comp1 > uniqueMember: uid=alex,ou=People,dc=pol,dc=mediaimage,dc=ro > uniqueMember: uid=joe,ou=People,dc=pol,dc=mediaimage,dc=ro > uniqueMember: uid=bruce,ou=People,dc=pol,dc=mediaimage,dc=ro > ----------------------------------------------------------------------------------------- > > > cn=comp2,ou=Groups .... > objectClass: top > objectClass: groupOfUniqueNames > cn: comp3 > ou: groups > description: People who can login on comp2 > uniqueMember: uid=alex,ou=People,dc=pol,dc=mediaimage,dc=ro > uniqueMember: uid=tom,ou=People,dc=pol,dc=mediaimage,dc=ro > uniqueMember: uid=bruce,ou=People,dc=pol,dc=mediaimage,dc=ro > ----------------------------------------------------------------------------------------- > > cn=comp3,ou=Groups .... 
> objectClass: top > objectClass: groupOfUniqueNames > cn: comp3 > ou: groups > description: People who can login on comp3 > uniqueMember: uid=john,ou=People,dc=pol,dc=mediaimage,dc=ro > uniqueMember: uid=joe,ou=People,dc=pol,dc=mediaimage,dc=ro > uniqueMember: uid=bruce,ou=People,dc=pol,dc=mediaimage,dc=ro > ----------------------------------------------------------------------------------------- > > > > in this schema let's say that i want to be able to "permit " login acces to > the computers only to the people i have in their group > > > > > > > > > > > > > > > >> On Thu, May 29, 2008 at 10:41:16AM +0300, Bogdan Cehan wrote: >> > Hello all >> > >> > >> > >> > I'm using the fedora directory server for centralized authentication , >> > and i have made users with posix account and i put them in ou=People >> > like this : >> >> [snip] >> >> > now i want to restrict some users to servers based on groups but my >> > pam_ldap does not help me to do that , I'm using my old friend >> > "www.google.com" to help me in this problem but with no luck ..... all >> > my users have access to this computer .... so , if i understand wright >> > all i have to do is create users with posix account and after that create >> > groups and put the users in that group but this does not work ..... any >> > ideas ? anyone use FDS for what i intend to do ? >> >> The pam_access module may help you do this depending on what you mean by >> "restrict". >> >> > Thank you for your time ..... >> > >> > >> > >> > Bogdan > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From nalin at redhat.com Thu May 29 16:16:05 2008 From: nalin at redhat.com (Nalin Dahyabhai) Date: Thu, 29 May 2008 12:16:05 -0400 Subject: [Fedora-directory-users] problems with pam ldap ? 
In-Reply-To: <200805291041.16541.bogdan.cehan@mediaimage.ro> References: <200805291041.16541.bogdan.cehan@mediaimage.ro> Message-ID: <20080529161604.GA8088@redhat.com> On Thu, May 29, 2008 at 10:41:16AM +0300, Bogdan Cehan wrote: > I'm using the fedora directory server for centralized authentication , > and i have made users with posix account and i put them in ou=People > like this : [snip] > # Server1, Groups, pol.ro > dn: cn=Server1,ou=Groups,dc=pol,dc=ro > description: group for users that have access on server 1 > objectClass: top > objectClass: groupofuniquenames > uniqueMember: uid=lauru,ou=People,dc=pol,dc=ro > uniqueMember: uid=alexadu,ou=People,dc=pol,dc=ro > cn: Server1 [snip] > and my ldap.conf looks like this : > > URI ldap://lacatzel.pol.ro > port=389 > BASE dc=pol,dc=ro > host lacatzel.pol.ro > TLS_CACERTDIR /etc/openldap/cacerts > TLS_REQCERT allow > scope sub > bind_policy soft > #pam_password exop > pam_filter objectclass=posixAccount > pam_login_attribute uid > pam_member_attribute memberUid > pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro [snip] The combination of the pam_groupdn and pam_member_attribute settings you have here instructs pam_ldap to check for the user's DN among the values for the group object's "memberUid" attribute, but the user's DN is stored in the "uniqueMember" attribute. Try changing that (or removing it, because "pam_member_attribute uniquemember" is the default). But if that were the only problem, I'd expect that none of your users would be able to log in. You should probably double-check that your PAM configuration is able to deny users entry when pam_ldap's account management function (which is the part that checks group membership) returns a failure. 
HTH, Nalin From kmarsh at gdrs.com Thu May 29 18:27:30 2008 From: kmarsh at gdrs.com (Ken Marsh) Date: Thu, 29 May 2008 14:27:30 -0400 Subject: [Fedora-directory-users] Authentication problems between FDS 1.0.1-4 on RHES 4u4 In-Reply-To: <20080529160007.08D2A61A37F@hormel.redhat.com> References: <20080529160007.08D2A61A37F@hormel.redhat.com> Message-ID: <5AD9B0E562FEFB4E933861904D7135C5921B42@gdrs-exchange.gdrs.com> Hi, I have a curious problem where a few (important) users cannot log into the Red Hat Enterprise Server 4 update 4 systems. However, most users (including myself) can log in. These users can log in fine to ldap'd RHES3 Update 6 systems. The FDS logs indicate a normal fetch of the user's attributes with no errors. The /var/log/secure on Red Hat 4 simply says sshd[8898]: Failed password for from ... Yet they can log into other LDAP based systems, including a few other RHE4 systems, that all go back to the same FDS. I have deleted their accounts and recreated them, which usually fixes strange problems like this, but no luck. Some accounts are old (date back to FDS 7.1) and others are new. I examined the DS attributes for these users, and the only difference I could find was the "Object class" attribute was missing the "account" value. So, I added it, but to no avail. I compared /etc/pam.d/system-auth and they are essentially identical between RHES3 and 4 systems. /var/log/secure also has a "error" Could not get shadow information for " but that happens on all users. It seems to be a soft error, but I would like to get rid of it. Can anyone give me a clue where to look? Thanks! Ken From bogdan.cehan at mediaimage.ro Fri May 30 07:41:09 2008 From: bogdan.cehan at mediaimage.ro (Bogdan Cehan) Date: Fri, 30 May 2008 10:41:09 +0300 Subject: [Fedora-directory-users] problems with pam ldap ? 
In-Reply-To: <20080529161604.GA8088@redhat.com>
References: <200805291041.16541.bogdan.cehan@mediaimage.ro> <20080529161604.GA8088@redhat.com>
Message-ID: <200805301041.09961.bogdan.cehan@mediaimage.ro>

Ok, so now my configuration looks like this:

# Server1, Groups, pol.mediaimage.ro
dn: cn=Server1,ou=Groups,dc=pol,dc=ro
objectClass: top
objectClass: posixgroup
cn: Server1
gidNumber: 100
memberUid: alex
memberUid: vion

and ldap.conf:

URI ldap://lacatzel.pol.ro
port=389
BASE dc=pol,dc=ro
host lacatzel.pol.ro
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
scope sub
bind_policy soft
#pam_password exop
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro
pam_check_host_attr yes
nss_default_attribute_value loginShell /bin/false
nss_base_passwd ou=People,dc=pol,dc=ro
nss_base_shadow ou=People,dc=pol,dc=ro
nss_base_group ou=People,dc=pol,dc=ro

and pam system-auth:

auth required pam_env.so
auth [success=ignore default=1] pam_localuser.so
auth [success=done new_authtok_reqd=done default=1] pam_unix.so likeauth nullok try_first_pass
auth sufficient pam_ldap.so try_first_pass
auth required pam_deny.so
account sufficient pam_unix.so
account required pam_access.so
account sufficient pam_ldap.so
password required pam_cracklib.so difok=2 minlen=2 dcredit=2 ocredit=2 retry=1
password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
#Creates the home directories if they do not exist
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_ldap.so

but with all this, all users could log in to the system with no problem

> On Thu, May 29, 2008 at 10:41:16AM +0300, Bogdan Cehan wrote:
> > I'm using the fedora directory server for centralized
> > authentication, and I have made users with posix account and I
> > put them in ou=People like this :
> [snip]
> > # Server1, Groups, pol.ro
> > dn: cn=Server1,ou=Groups,dc=pol,dc=ro
> > description: group for users that have access on server 1
> > objectClass: top
> > objectClass: groupofuniquenames
> > uniqueMember: uid=lauru,ou=People,dc=pol,dc=ro
> > uniqueMember: uid=alexadu,ou=People,dc=pol,dc=ro
> > cn: Server1
> [snip]
> > and my ldap.conf looks like this :
> >
> > URI ldap://lacatzel.pol.ro
> > port=389
> > BASE dc=pol,dc=ro
> > host lacatzel.pol.ro
> > TLS_CACERTDIR /etc/openldap/cacerts
> > TLS_REQCERT allow
> > scope sub
> > bind_policy soft
> > #pam_password exop
> > pam_filter objectclass=posixAccount
> > pam_login_attribute uid
> > pam_member_attribute memberUid
> > pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro
> [snip]
>
> The combination of the pam_groupdn and pam_member_attribute
> settings you have here instructs pam_ldap to check for the user's
> DN among the values for the group object's "memberUid" attribute,
> but the user's DN is stored in the "uniqueMember" attribute. Try
> changing that (or removing it, because "pam_member_attribute
> uniquemember" is the default).
>
> But if that were the only problem, I'd expect that none of your
> users would be able to log in. You should probably double-check
> that your PAM configuration is able to deny users entry when
> pam_ldap's account management function (which is the part that
> checks group membership) returns a failure.
>
> HTH,
>
> Nalin
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From ebeda at udsm.ac.tz Fri May 30 08:24:23 2008
From: ebeda at udsm.ac.tz (Eric Beda)
Date: Fri, 30 May 2008 11:24:23 +0300 (EAT)
Subject: [Fedora-directory-users] recovering admin password
Message-ID: <37377.196.44.161.242.1212135863.squirrel@mail.udsm.ac.tz>

Hi,

Forgotten the admin password, how do I recover it, help please

From j.barber at dundee.ac.uk Fri May 30 11:14:39 2008
From: j.barber at dundee.ac.uk (Jonathan Barber)
Date: Fri, 30 May 2008 12:14:39 +0100
Subject: [Fedora-directory-users] recovering admin password
In-Reply-To: <37377.196.44.161.242.1212135863.squirrel@mail.udsm.ac.tz>
References: <37377.196.44.161.242.1212135863.squirrel@mail.udsm.ac.tz>
Message-ID: <20080530111439.GB25058@flea.lifesci.dundee.ac.uk>

On Fri, May 30, 2008 at 11:24:23AM +0300, Eric Beda wrote:
>
> Hi,
>
> Forgotten the admin password, how do I recover it, help please

Do you mean the "Directory Manager" account? If so, see here:
http://directory.fedoraproject.org/wiki/Howto:ResetDirMgrPassword

--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389

From iferreir at personal.com.py Fri May 30 15:26:23 2008
From: iferreir at personal.com.py (Ivan Ferreira)
Date: Fri, 30 May 2008 11:26:23 -0400
Subject: [Fedora-directory-users] Authentication problems between FDS 1.0.1-4 on RHES 4u4
In-Reply-To: <5AD9B0E562FEFB4E933861904D7135C5921B42@gdrs-exchange.gdrs.com>
Message-ID:

Check if you have pam_tally configured. Maybe the user failed their
password and you need to reset the failed login attempts.
From nalin at redhat.com Fri May 30 16:35:25 2008
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Fri, 30 May 2008 12:35:25 -0400
Subject: [Fedora-directory-users] problems with pam ldap ?
In-Reply-To: <200805301041.09961.bogdan.cehan@mediaimage.ro>
References: <200805291041.16541.bogdan.cehan@mediaimage.ro> <20080529161604.GA8088@redhat.com> <200805301041.09961.bogdan.cehan@mediaimage.ro>
Message-ID: <20080530163525.GA17632@redhat.com>

On Fri, May 30, 2008 at 10:41:09AM +0300, Bogdan Cehan wrote:
> Ok
> so now my configuration looks like this
>
> # Server1, Groups, pol.mediaimage.ro
> dn: cn=Server1,ou=Groups,dc=pol,dc=ro
> objectClass: top
> objectClass: posixgroup
> cn: Server1
> gidNumber: 100
> memberUid: alex
> memberUid: vion
>
> and ldap.conf :
[snip]
> pam_member_attribute memberUid
> pam_groupdn cn=Server1,ou=Groups,dc=pol,dc=ro

That's probably not going to work -- pam_ldap is still going to check
for the DN of the user's entry in the memberUid attribute, and not the
user's name.

[snip]
> and pam system-auth :
[snip]
> account sufficient pam_unix.so
> account required pam_access.so
> account sufficient pam_ldap.so

I suspect pam_unix is checking for an expired password (and if you're
using nss_ldap, it'll be able to "see" users you've defined in the
directory), determining that the user's password has not expired, and
returning success.

There's also the subtle problem that if a "sufficient" module fails, it
doesn't actually cause the whole PAM stack to be counted as a failure,
so even if both pam_unix.so and pam_ldap.so failed, the user might still
be allowed access.

I'd suggest something like this instead:

  account required pam_unix.so
  account [default=bad success=ok user_unknown=ignore] pam_ldap.so
  account required pam_access.so

I haven't tried it myself, but I think that'll work.

HTH,
Nalin
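Two points in this thread can be checked without a directory server: the pam_groupdn/pam_member_attribute membership check from Nalin's first reply (pam_ldap looks for the user's DN, not the login name, among the values of the member attribute), and the "sufficient" fail-open behaviour of the posted account stack that his second reply describes. The script below is an added example, not code from pam_ldap, Linux-PAM or anyone on this list. It models the membership check as described above and a simplified form of Linux-PAM's control-flag dispatch for one management group (ok/done/bad/die/ignore only; numeric jump actions are not modelled, and the account stacks here use none). The group entries and the two account stacks are copied from the messages above; the module return values in each scenario are constructed assumptions.

```python
"""Added example: model of two behaviours discussed in this thread.

Not code from pam_ldap or Linux-PAM. It models (1) the pam_groupdn /
pam_member_attribute membership check as Nalin describes it and (2) a
simplified version of Linux-PAM's control-flag dispatch for one management
group, enough to compare the two account stacks in the thread.
"""
from typing import Dict, List, Tuple

# PAM return codes used in the scenarios (names follow Linux-PAM; the
# string values are constructed labels for this model).
PAM_SUCCESS = "success"
PAM_PERM_DENIED = "perm_denied"
PAM_USER_UNKNOWN = "user_unknown"

# Legacy control keywords expanded to the [value=action] form of pam.conf(5).
LEGACY_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def parse_control(control: str) -> Dict[str, str]:
    """Turn 'required' or '[default=bad success=ok ...]' into a value->action map."""
    if control.startswith("[") and control.endswith("]"):
        return dict(pair.split("=", 1) for pair in control[1:-1].split())
    return LEGACY_CONTROLS[control]


def run_stack(stack: List[Tuple[str, str]], results: Dict[str, str]) -> str:
    """Walk one management group (e.g. 'account') and return the overall status.

    stack:   [(control, module), ...] in configured order
    results: the code each module returns for the user being checked
    Simplified Linux-PAM rules: the first ok/done result fixes a positive
    status, the first bad/die result overrides it with a negative one,
    'done' stops the walk only while the impression is positive, 'die'
    always stops it, and 'ignore' leaves the status untouched.
    """
    impression = None             # None, "positive" or "negative"
    status = PAM_PERM_DENIED      # what Linux-PAM returns if nothing decides
    for control, module in stack:
        actions = parse_control(control)
        retval = results[module]
        action = actions.get(retval, actions["default"])
        if action in ("ok", "done"):
            if impression is None:
                impression, status = "positive", retval
            if impression == "positive" and action == "done":
                break
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
        elif action != "ignore":
            raise ValueError(f"unsupported action {action!r} in {control}")
    return status


def pam_ldap_group_allows(group: Dict[str, List[str]], member_attr: str, user_dn: str) -> bool:
    """pam_groupdn check as described in the thread: the user's *DN* must appear
    among the values of pam_member_attribute on the group entry."""
    values = {k.lower(): v for k, v in group.items()}.get(member_attr.lower(), [])
    return user_dn.lower() in (v.lower() for v in values)


# Group entries copied from Bogdan's two messages.
GROUP_UNIQUE = {"objectClass": ["top", "groupofuniquenames"], "cn": ["Server1"],
                "uniqueMember": ["uid=lauru,ou=People,dc=pol,dc=ro",
                                 "uid=alexadu,ou=People,dc=pol,dc=ro"]}
GROUP_POSIX = {"objectClass": ["top", "posixgroup"], "cn": ["Server1"],
               "gidNumber": ["100"], "memberUid": ["alex", "vion"]}

# Account stacks: the one posted, and the one Nalin suggests instead.
STACK_POSTED = [("sufficient", "pam_unix.so"),
                ("required", "pam_access.so"),
                ("sufficient", "pam_ldap.so")]
STACK_SUGGESTED = [("required", "pam_unix.so"),
                   ("[default=bad success=ok user_unknown=ignore]", "pam_ldap.so"),
                   ("required", "pam_access.so")]


def compare_stacks(results: Dict[str, str]) -> Tuple[str, str]:
    """Overall status of (posted stack, suggested stack) for the same module results."""
    return run_stack(STACK_POSTED, results), run_stack(STACK_SUGGESTED, results)


if __name__ == "__main__":
    # Constructed scenario: the user is not in the group, so pam_ldap denies
    # while pam_unix and pam_access succeed.
    not_member = {"pam_unix.so": PAM_SUCCESS, "pam_access.so": PAM_SUCCESS,
                  "pam_ldap.so": PAM_PERM_DENIED}
    print("not a group member:", compare_stacks(not_member))
    # Constructed scenario: pam_unix and pam_ldap both fail, only pam_access succeeds.
    both_fail = {"pam_unix.so": PAM_PERM_DENIED, "pam_access.so": PAM_SUCCESS,
                 "pam_ldap.so": PAM_PERM_DENIED}
    print("unix and ldap both fail:", compare_stacks(both_fail))
    dn = "uid=lauru,ou=People,dc=pol,dc=ro"
    print("memberUid on groupOfUniqueNames:", pam_ldap_group_allows(GROUP_UNIQUE, "memberUid", dn))
    print("uniqueMember on groupOfUniqueNames:", pam_ldap_group_allows(GROUP_UNIQUE, "uniqueMember", dn))
```

In the posted stack a successful pam_unix short-circuits the walk before pam_ldap runs, and when pam_unix and pam_ldap both fail the "required" pam_access result is the only one that counts, so the user is admitted. In the suggested stack any pam_ldap failure other than user_unknown is recorded as a negative result that a later success cannot undo, which is the deny-on-failure behaviour the first reply asks to verify.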